Could Europe ever go to war over a cyber attack? We know that governments around the world are investing in building up their offensive cyber capabilities, including cultivating links with deniable proxies such as hacker groups. Which begs the question: what constitutes an act of aggression in cyberspace?

Earlier this month, it was reported that the North Korean government – through a network of hackers and other cyberactors – is believed to have stolen over $100 million from banks and other institutions globally since 2014 (not to mention making failed attempts to steal over $1 billion). Do such financial raids constitute an act of aggression by a rogue state? What is the appropriate response, and how can we prevent such attacks from happening?

In June 2018, the European Parliament voted in favour of a resolution calling for a tougher EU response to cyber defence. The resolution called for the “development of European offensive and defensive capacities” (though with the caveat that “any offensive use of cyber capabilities should be based on international law”). In other words, MEPs believe the EU should be able to kick back, hoping that a more robust offensive cyber capability will act as a deterrent, making rogue states think twice before sanctioning cyberattacks on European networks.

On 25 June, six EU Member States – Lithuania (which is playing a leading role in the development of the new initiative), Estonia, Croatia, Romania, Spain and the Netherlands – signed a Declaration of Intent for the development of an EU Cyber Rapid Response Force (with more countries expected to join the initiative later). The new cyber force is therefore not (yet) EU-wide, and its mission is purely defensive. However, the potential is there for it to be developed into a full EU Cyber Force with both defensive and deterrence capabilities.

Curious to know more about the new EU Cyber Rapid Response Force (and Europe’s response to cybersecurity more generally)? We’ve put together some facts and figures in the infographic below (click for a bigger version).

What do our readers think? We had a comment from Nico, who argues that the cross-border nature of cyber intrusions means that a response from individual Member States is inadequate. He thinks cybersecurity should be “Europeanised”, which is perhaps what the EU Cyber Rapid Response Force represents.

In an earlier debate, we put Nico’s comment to Heli Tiirmaa-Klaar, who was then the Cyber Security Policy Advisor for the European External Action Service and was recently appointed Estonia’s Ambassador at Large for Cyber Security. She told us that cyber defence should happen at the national level, and that the European level would best be restricted to awareness raising or encouraging Member States to do more:

The “Europeanisation” of cybersecurity is something which people would think will work, but I’ve also been a cybersecurity practitioner and I know that cyberthreats are closer to forest fires. It’s very difficult for Brussels to put down a forest fire in Madrid, you need to do it locally.

Cyber threats need to be tackled at the national level first. If there is a virus in your networks, it takes a long time before somebody from Madrid can reach somebody in Brussels, so the operational incident response has to happen locally. And people also have understand that each organisation needs to deal with cyber-threats. The top-down approach is justified in terms of awareness raising, or when it is EU-wide legislation that asks individual Member States to do more… But every country has to set up a computer emergency response team or a cyber incident response team, which is like the cyber “fire brigade” that helps to deal with cyber issues at the local level.

So, who is right? Nico or Heli Tiirmaa-Klaar?

To get a reaction, we put both comments to Edvinas Kerza, Lithuanian Vice-Minister of National Defence. Given that his country is leading the effort to take a more European approach to cyber response, how would he respond?

For another perspective, we also put Nico’s comment to Kate Charlet, Program Director of Technology and International Affairs at the Carnegie Endowment for International Peace. Did she think Nico or Heli Tiirmaa-Klaar had the right approach?

Both Nico and Heli Tiirmaa-Klaar are partially right. There will be major components of cybersecurity that remain national in nature. First, sensitive matters like offensive cyber operations or foreign intelligence (e.g., to attribute cyber-attacks) are difficult to share. Second, many nations don’t want to tell others about their vulnerabilities and dependencies. Finally, nations want to preserve national decision-making about when and how to respond to a cyber-attack.

However, there is a very valuable potential role for EU assets in building capacity and responding to crisis. In the United States, our National Guard and Reserve units are integrated into national missions for their “day jobs.” But in a crisis, they can be called up to “coordinate, train, advise, assist” the states. This role has to be carefully defined, though; it just doesn’t always make sense for a team to parachute down to get “hands on keyboard” at a location where they don’t understand the networks. It’s important that the EU be clear, though, about what aspects of cybersecurity are to be left to member states and which are conducive to a European approach.

Next up, we had a comment from S.K., who thinks the EU definitely needs to invest in a dedicated cyberforce with the ability to respond to threats. However, he’s worried about what it would mean in practice, including the implications that the force could be used offensively and not just for cyber defence.

The announced mission of the new EU Cyber Rapid Response Force is purely about responding to cyber intrusions, with no official offensive capability. However, isn’t there a risk that it might be viewed a provocative by other states (particularly Russia)? Will the new force be purely defensive, and (just as importantly) will it be seen as being purely defensive? Or will it be another step towards “weaponising” cyberspace?

Finally, how would Kate Charlet from the Carnegie Endowment for International Peace respond?

It’s hard for me to imagine how an ‘EU cyberforce’ would work in practice, because nations vary so widely in terms of national readiness and capability, and because decision-making needs to happen so quickly in cyberspace. If such a force had a defensive mission (say, to help European critical infrastructure in a crisis), then some of those concerns would be easier, but still complex.

The best way to protect from cyber threats without encouraging a cyber arms race is to build resilience across the EU to quickly recover after a cyber attack; stand together with partners and allies to “call out” and impose costs on bad behaviour; and to help build norms of responsible behaviour in cyberspace.

On 6 November 2018, our sister think tank, Friends of Europe, is holding an event in Brussels on developing EU cyber resilience, as part of their Peace, Security and Defence Programme.

Should the EU create a European Cyber Force? Could it be viewed as provocative by Russia? Let us know your thoughts and comments in the form below and we’ll take them to policymakers and experts for their reactions!

IMAGE CREDITS: Public Domain – Army National Guard photo

56 comments Post a commentcomment

What do YOU think?

  1. avatar
    EU Reform- Proactive

    Kate Charlet comes closest!

    When “security” is mentioned by the Pan European DE/EU- let’s first check who is mandated to speak with full, borrowed or no authority! Fundamental is “The 2009 Lisbon Treaty”:

    Defense & Security remains a National Competence. There is also Interpol & Europol.

    The 1999 “founded” CSDP is rapidly evolving to make the EU- besides a political & economic superpower- a military superpower as well. The more one talks about it- the more it appears to be or will be the next EU competence- while preparing for war.

    There is another (Pan) “European Movement International” (plenty of “pan’s” around)

    The present NATO exercise “Trident Juncture” in Norway begs many questions.

    While habitually trying to get their pan-European noses in front to regulate- but failing dismally on implementation- is a well documented fact by the latest “Merkel Asylum Crises” which eventually exposed her “provincial” leadership qualities.

    After an “US (military) cyber force now an “EU copy cat ??? cyber force”?

    If we look at money/bank internet security, surely it is the Banks responsibility (& partly ours) to keep our funds safe while being handled by them under their “guardianship”. Basically, let them be responsible to replace our funds- when stolen/hacked out of their system- within 7 days. They can implement whatever they wish & are free to insure against such risks!

    Surely, US Silicon Valley innovators should easily beat any wiz kid Russian, Chinese, Korean or any criminal genius hacker? Do it!

    Simply, all Nations should demand that the Global Banking sector must take full responsibility! National “KEYPOINTS” must be secured by “Nations”- not the EU!
    What role is left for the EU? Save the Banks & keep the EP busy?

  2. avatar

    Very good Idea…and i Wonder why it should bé considéréd as a provocation….to propose Ukraine to joint NATO Was a provocation

    • avatar

      You’re right, heaven forbid a sovereign nation determines whether or not it wants to join NATO if our pals in the Kremlin disagree.

    • avatar

      That Was thé deal with Moscow at peretroiska Time… forgot

    • avatar

      Olivier not true acording to Gorbatchev…

    • avatar

      Olivier – I know that’s a trope that’s pushed around by RT and Sputnik, but there’s no evidence for it.

    • avatar

      It s obvious that russians After freing ex ussr nations don t want NATO at théir border and Ask for neutrality of Ukraine..this IS a fact .of course négociation were secret but it s one of reasons of russians non intervention After Berlin Wall collapses. Us and EU proposais to Ukraine were a stupid provocation

    • avatar

      Again, I have to ask, why should Russia have a say in Ukraine’s sovereign affairs? Good riddance to the concept of a ‘Soviet bloc.’ It’s funny to see those who decry American and European ‘neo-imperialism’ grant credence to the Kremlin’s nostalgia for their empire.

    • avatar

      Who cares what Russia asks after their novososiya project and Crimea annexing

  3. avatar

    We can put Russia in it’s place by going green energy. Then they can make their biggest income from GMO free produce and defence weapons.

    • avatar

      You just described the USA, and they will get EU in war with Russia making sure that never happens :)))

    • avatar

      well green energy will get rid of all the energy sharks fleecing one half of humanity and killing the other half.

  4. avatar

    The idea of the internet was for it to be a tool to cut through borders and walls; instead, the beloved internet is/has becoming simply a digitised status quo, there to reflect the physical geographies we already live in. Sigh!

  5. avatar

    Last time I checked NSA was the one who hacked Merkel, and spied on EU politicians, and was monitoring all EU communications, so let’s thank the Russians for getting rid of ISIS in Syria, and instead of focusing on imaginary threats, deal with the real ones, that come from “the other side” of the ocean.

  6. avatar

    IT should…no matter what Russia will think about it

  7. avatar

    The real question is why isn’t this a thing already…

  8. avatar

    EU is late to the cyber party :P

  9. avatar

    Yes, if its possible to take contact within seconds, if you’re being hacked.

  10. avatar

    Yes, cyber-op cooperation and planning are definitely required in EU level.

    EU would benefit greatly by sharing the know-how, experiences and practices. Many of individual nations alone could not compete with bigger players and successful (covert) attack of one member state would become an attack vector to all EU due to many inter-connected cross-border systems.

    Some actively developed offensive toolset is also clearly required to provide needed know-how and feedback for effective defense. It is much more effective to develop them together.

    Also, having declared offensive capabilities could act as a deterrent for aggressive national players just like with the conventional armed forces. This forces the attacks to be kept even more in deniable space and hence helps limit the scope and severity of possible attacks, or preventing them.

    Would that hacking-friendly EU neighbor see this as provocative? Publicly, of course RT would serve it this way but EU cannot let Russia define our defense! Russia would definitely prefer to target EU member states individually and keep EU-level worst case response in “We are deeply concerned..”-statements.

  11. avatar

    Pfff… EU council ( germany for strict) is made pact with Gazprom about building Nordstreem2 and buying russian gaz – so they actually are funding russian military…

  12. avatar

    Should I stop drinking vodka? Or would such a move be viewed as a provocation by Russia?

  13. avatar

    yes!!!! ….and a true EU Defense Force !!!!! Now!!!!
    #OneEurope #OnePeople #ManyCultures #OneLove

    • avatar

      Unless you are French the EU defence force is called NATO – why create another bureaucracy?

    • avatar

      Chris …and your rational?

    • avatar

      NATO is a tool of the US.
      27 different military structures…27 different wasteful budgets….27 different everything. We do not need the US. If we can not stand on our own feet, defend and provide for our own collective security in a most uncertain world, we will not stand at all. An United European Defense Force, is more effective that 27 squabbling militaries that are only concerned about their soon to be outdated Nation-States and their own interests.
      #OneEurope #OnePeople #ManyCultures #OneLove

    • avatar

      Geoffrey I beg you check Russia’s and EU’s (without US) military capabilities and strength. I really beg you. BTW who’s the biggest NATO sponsor and so compansates lame military budgets of other members? Let me guess – it’s Germany. :D

    • avatar

      Marius Budgets rarely translates into capabilities and effective translation into willpower. Strength is different IMHO, without willpower.
      Germany lacks the willpower, mainly due to historical significance and reason.

      Otherwise, I do agree with you, also noting that one European Cultural Region should not bare the brunt of monetary and material resources for the Defense of our Union. I believe that we can do better.

      All the money and weaponry, brings nothing, without sheer willpower and unity, amongst the diverse interests of individual ‘Nation-States’. But of course, in the time of dire need, such is subject to change.

    • avatar

      Geoffrey ‘Nation-States’ have no unity in many crucial positions (e.g. monetary policy, trade, immigration, etc.), military as well. And there’s no sign that it can change in near future. At present moment only US has effective budget converted to willpower.

    • avatar

      Marius True….and unfortunate.

  14. avatar

    Yes but it must not be involved in massutvailens like some today

  15. avatar

    Better scare Your empty life. Everyone can say “I scare Russia”. What is realy going on, doesn’t matter nobody…

  16. avatar

    Again “Provocation”, “Russia”. This country is full of idiots, they can’t normaly rule their own country. I’m not using permanent anti-virus soft already 20 years, my life have no viruses. Better think about this.

  17. avatar

    Make everything politically incorrect, its the only way to win

  18. avatar

    It should be done long time ago.

  19. avatar

    – OK Google, is my PC safe from Russian hackers?
    – Da

  20. avatar

    It should have been done long ago, but our leaders are weak and cowards and not doing enough to protect their citizens from Russian/extremists’ cyber war.

  21. avatar

    comment ça ? c’est pas déjà fait ?! qu’est-ce qu’on est lent…

  22. avatar

    O I thought it’s rhetoric… Of course it should.

  23. avatar
    Giacomo Delinavelli

    I see this debate is dated 2018… but still very relevant! I recently wrote a blog post on the European law blog arguing that, in light of all cybersecurity legislation the EU has recently passed, a specific cybersecurity competence should be conferred to the EU by the Member States.
    As cybersecurity becomes an increasingly relevant topic for our lives, it is important that the EU and MS have specific agreed roles, thus to better cooperate internally and on the global stage.

Your email will not be published

Leave a Reply

Your email address will not be published.

Notify me of new comments. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By continuing to use this website, you consent to the use of cookies on your device as described in our Privacy Policy unless you have disabled them. You can change your cookie settings at any time but parts of our site will not function correctly without them.