A world that is evolving from one where strength is measured predominantly in military terms to a world in which different kinds of power and threats co-exist, helps to identify opportunities for transatlantic cooperation and constitutes an imperative for action in cyber security, writes Amanda Sellers and Tobias Felix Franke.
“The past 65 years have shown that when Americans and Europeans devote their energies to common purpose, there is almost nothing that we are unable to accomplish.”
In April 2007, Estonia, the first country to have introduced online voting, was paralysed by an onslaught of cyber attacks that brought to a halt public and private sector communications networks. For three weeks governmental offices, banks, media corporations and private households were denied access to information from the outside world. In the same year, Germany’s vice intel chief Hans Remberg publicly denounced the targeting of Chancellor Angela Merkel’s computer. Simultaneously, US Secretary of Defence Robert Gates also fell prey to cyber operatives, and the Pentagon’s computers lost several terabytes of sensitive information. Citizens across the Atlantic thus had a common challenge to face: cyber security.
Although experts agree that “it is beyond doubt that the US and EU must work together in this field,”2 there remains, several years down the line, “no organised transatlantic response”3 to this issue. This is even more alarming as a 2010 study found that for any organisation or entity a mere €86 million, 750 men and two years of preparation would suffice to compromise Europe’s infrastructure via hacker attack.4 The possibility for collateral damage is extensive, especially since some tools such as worms can spread globally in minutes once launched into cyberspace.5
Borders indeed cease to hold significance in cyberspace, and the need arises for new forms of cooperation. As the 21st century enters into its formative years, the transatlantic relationship is thus faced with both an evolving global dynamic and a set of intangible security challenges that reach beyond conventional threats. Sprouting from the multipolar model, a ‘heteropolar’ environment has entered into force: rather than developing separate hard and soft power realms independently, regional powers contend for influence simultaneously across diverse means of comparative advantage, be it in the defence, economic, energy sectors, or others. The endurance of the cross-pond bond is precisely predicated on the question of whether Europe and North America will follow a trajectory that drifts toward heightened competition over niche capabilities and resources – or not.
In a world that is evolving from multipolar to heteropolar,6 i.e. from a world where strength is measured predominantly in military terms to a world in which different kinds of power and threats – kinetic, economic, environmental or cyber – co-exist, North America and Europe can best respond through joint efforts to engender comparative advantage in cyber excellence. Europe and North America can bring new pragmatic vitality to their relationship by seizing upon the opportunities and by understanding the constraints imposed by threats in a heteropolar world. With the will to develop cross-sector cooperation, nations’ efforts to respond to cyber threats can be combined to create a resilient, transatlantic cyber security strategy.
Hence, if counterbalancing scales register a weighty new type of threat that targets international interdependencies, what explains the still limited level of teamwork between the two partners? Furthermore, what hurdles need to be overcome in order to foster cooperation, and what would effective transatlantic collaboration look like? Convinced of the advantages of enhanced cooperation between North America and Europe7 in the field of cyber security, the authors seek to provide an answer to these questions.
All beginnings are difficult
Transatlantic cooperation is not unheard of in cyber security. Firstly, the harmonisation of cyber crime legislation has been initiated by the Council of Europe Convention on Cyber Crime. This document conveys a common commitment to punish perpetrators and to deter the threat. Interestingly, the US has signed and ratified the convention, which would thus render it a promising transatlantic tool. However a number of EU member states, for example Austria, Poland, Sweden and the UK, have not ratified the convention.8 This reflects the well-known problem that “the EU” is itself a rather heterogeneous power, within which different views on security are hard to reconcile.
Secondly, the Cooperative Cyber Defence Centre of Excellence (CCDCOE), established in Tallinn in 20069 to enhance NATO’s cyber defence capability, is a further step to link partners on both sides of the Atlantic. Yet, the centre is only sponsored by certain NATO Allies (Estonia, Germany, Italy, Latvia, Lithuania, Slovakia, Hungary and Spain, while Turkey and the United States are in the process of joining).10 Moreover, the Crete-based European Network and Information Security Agency (ENISA), initiated by the EU, can be regarded as somewhat of a duplication of such efforts. In November of this year the 27 EU member states and Iceland, Norway and Switzerland held a joint cyber security exercise in which a hacker attack was simulated. Despite the fact that the EU has identified cyber security as a threat to be addressed together with the US, Washington was not involved in the exercise.11 Far from interpreting these events as disharmony between Europe and America, it mirrors the lack of political consensus on whether NATO or the EU should take a leading role in the cooperative defence effort.
Thirdly, a cyber defence capability under the Emerging Security Challenges Division at NATO became operational in August 2010, to manage and execute the functions of the NATO Cyber Defence Coordination Centre. Its goal is to further develop mechanisms for assisting those Allies who seek NATO support for the protection of their communication systems, including through the dispatch of Rapid Reinforcement Teams (RRTs). Despite recent such initiatives, the NATO nations themselves continue to individually bear the main responsibility for the safety and security of their communications systems.12 This highlights the ongoing debate on both sides of the Atlantic on whether cyber security should predominantly remain in the realm of national capitals, or whether a transfer to the supranational level would be beneficial.
In sum, differences between states and a lack of political consensus on in which forum (NATO or EU) – or whether at all – on the international stage cyber security should be addressed. If we follow the logic of the evolving heteropolar world, then states within a given region will increasingly cooperate to exploit their common comparative advantage in a given sector. Russia and its vicinity, for example, can be expected to form a regional pole in energy matters – energy being its abundant natural resource.13 In an increasingly interconnected heteropolar world, the poles which have specialised in a certain sector will be able to trade their advantage for other poles’ expertise and thus ensure their welfare. In this respect, a member of the European Parliament stated that “at the moment both the US and the EU are leading globally in IT knowledge. However, to protect this comparative advantage – particularly vis-à-vis emerging powers – they would soon need to form a pole of technological excellence.”14 Given these considerations, it would be regrettable if the opportunities for a transatlantic comparative advantage in cyber security were overlooked.
Growing with the job
The necessity for deep transatlantic cooperation is further highlighted by three developments: hurdles to cooperation, shared challenges and common positions.
The overarching hurdle holding back cooperation is the lack of a commonly recognised definition of cyber defence, and as a consequence governments in North America and Europe vary widely in the avenues they have identified to prepare for adequate response. Nonetheless, both Brussels and Washington have deplored the lack of such a definition. According to Maeve Dion, Programme Manager at the Centre for Infrastructure Protection at the George Mason School of Law, “in one country, cyber defence may be primarily a military effort to guard against and respond to cyber attacks; in another country, cyber defence may incorporate prevention and response efforts to mitigate cyber damage caused by natural disasters or accidents”15 Russian Permanent Representative to NATO, Dmitry Rogozin, cuts to the heart of this dilemma, asking, “does it mean that Article 5 of the Washington Treaty will be used to fight cyber crimes? And that NATO is now ready to bomb hackers’ offices?”16 In effect, there is no common approach to the legal framework, and each country has independently embarked on the development of cyber defence mechanisms.
Two main challenges are simultaneously faced across the Atlantic and can be best overcome if the two sides fuse their efforts. Firstly, the disconnect between public and private sector security policies makes for ill-informed leaders and an across-the-board lack of accountability for the task of preventing against cyber attack.17 In this regard it is important to recall that “more than 90 per cent of the physical infrastructure of the Web is owned by private industry.”18 The public-private disconnect fuels uncertainty about how to both assess the damage and coordinate the response to a crippling attack. Secondly, civil liberties in the mature democracies of Europe and North America prevent against public sector security screening. There is tension between the need to defend against the full spectrum of cyber incidents on one hand, and the responsibility to uphold the freedom of information and expression. Some countries, in which authoritarian structures present less of an obligation to ensure the latter, individual freedoms bear less weight in state cyber defence strategy. Whereas civil liberties will always bind North American and European nations’ defensive options, the impact of such a restriction can be diffused when pitted against the added value (read: ‘economies of scale’) of a common security commitment among sovereign democracies to respond to cyber attack. Governments in liberal market economies are thus limited in their capacity to oblige private companies, which hold most of the endangered infrastructure, to cooperate with state-led cyber security agencies and to invest considerable amounts into their cyber security.19
On a number of issues, though, experts in North America and in Europe hold common positions, many of which so far have not prominently figured in the discussions on cyber security. Firstly, experts on both sides of the Atlantic see cyber security as the future fifth realm of defence, besides land, sea, air and space.20 Secondly, both NATO and the EU have identified transatlantic cooperation in this field as imperative.21 NATO attaches considerable importance to it in its new Strategic Concept, building on the Alliance’s 2002 Cyber Defence Programme.22 The EU has also done so in its brainstorming sessions after the adoption of the 2008 report on the implementation of the European Security Strategy, which names cyber security as a threat.23 Thirdly, only a Europe-North America-tandem has the political power to launch a credible international initiative for a regulatory framework delineating responsibilities, obligations and infringements in cyber security. Fourthly, North America and Europe do not perceive of each other as adversaries in this field. Hence, far from entering into a cyber security arms race, they are natural allies. As Ronald De Bruin of Security & Defence Agenda has pointed out, “we share the same interests, to protect our economies and our security – security is not a matter of competition, but a matter of cooperation.”24 Fifthly, the example of the Stuxnet virus, which has recently infected 30,000 industrial control systems in Iran and hence prevented the commissioning of a new power plant, demonstrates that the protection of core assets is equally a question of effective cooperation on cyber security matters.25 Finally, an index of Overall Cyber War Strength, compiled by former Assistant Secretary of State for Political-Military Affairs Richard Clarke, ranks the US sixth behind North Korea, Iran, China and Russia. While Washington is first in offensive cyber capabilities, the US ranks last in cyber defence, which is predicated on the country’s dependency on information communications technology.26 In other words, North Korea has so few systems reliant on the internet that Pyongyang can pull the plug at any moment without causing major damage. Western countries on the other hand face the dilemma that their investments in cyber security do not grow at the same pace as their dependence on cyber systems.27
All the above – legal discord, a lack of private-public security policy coordination, but a number of unifying factors – amass to advance the imperative for closer cooperation in a heteropolar world.
Taking back the initiative: a common way forward
While some first steps have been taken, a number of hurdles, challenges and common positions create a pressure for further cooperation. Moreover the emergence of a heteropolar world demands specialisation to guard the comparative advantage North America and Europe hold in information technologies. Bearing in mind the above, what concrete steps can be taken in the future?
A joint NATO-EU transatlantic cyber security body could bring the two partners together. Indeed, given that both NATO and the EU have launched ambitious programmes in this area, synergies are best exploited by close cooperation through a transatlantic NATO-EU consultative body. It could coordinate efforts and meet in the formation of the member nations’ ‘cyber czars,’ or ministers in charge of cyber security (which vary from country to country), to take legally binding decisions. Implied in this recommendation is a genuine effort by the two sides to overcome residual divisions (e.g. on the issue of Cyprus), impelled by the urgent need to address the transnational spectrum of cyber threats to critical infrastructures.
This cyber security body would function equally as a forum for discussion, necessary to prepare a UN resolution on cyber security, something Russia has also lobbied for in the past. In a time where as many as 120 governments are already pursuing information warfare programs28 and US National Intelligence Director Mike McConnell rated the problem equal in significance to the potential development of nuclear weapons by Iran,29 a cross-cutting global initiative is critical.
Above all, coordinated public dialogue about cyber threats is needed, to aid individuals in understanding the risk they expose themselves and their peers to in engaging in illicit online activity, as well as to incite exchange with multinational corporations on protecting their clients against risk. As most cyber attacks leave no marks, without a strong vision, the lack of urgency erodes the potential to create more resilient transnational infrastructure. The establishment of a coordinated transatlantic cyber security body would carry the weight needed to convince diverse actors to come the table, ready to develop a commitment to cyber security. A joint lessons learned exercise, the consultations in above framework should then be bundled in a comprehensive transatlantic cyber security strategy which establishes both the legal basis and guidelines for the cyber security body, including its powers to act in the event of a cyber attack. It would provide an institutionalised, regular forum for discussion and preventative activities.
In sum, the emerging heteropolar world helps to identify opportunities for transatlantic cooperation in cyber security but also constitutes an imperative for action. It is up to us to seize this chance, to ‘excel’ multilaterally – to create a new interface for transatlantic cooperation.