Could Europe ever go to war over a cyber attack? We know that governments around the world are investing in building up their offensive cyber capabilities, including cultivating links with deniable proxies such as hacker groups. Which begs the question: what constitutes an act of aggression in cyberspace?
Earlier this month, it was reported that the North Korean government – through a network of hackers and other cyberactors – is believed to have stolen over $100 million from banks and other institutions globally since 2014 (not to mention making failed attempts to steal over $1 billion). Do such financial raids constitute an act of aggression by a rogue state? What is the appropriate response, and how can we prevent such attacks from happening?
In June 2018, the European Parliament voted in favour of a resolution calling for a tougher EU response to cyber defence. The resolution called for the “development of European offensive and defensive capacities” (though with the caveat that “any offensive use of cyber capabilities should be based on international law”). In other words, MEPs believe the EU should be able to kick back, hoping that a more robust offensive cyber capability will act as a deterrent, making rogue states think twice before sanctioning cyberattacks on European networks.
On 25 June, six EU Member States – Lithuania (which is playing a leading role in the development of the new initiative), Estonia, Croatia, Romania, Spain and the Netherlands – signed a Declaration of Intent for the development of an EU Cyber Rapid Response Force (with more countries expected to join the initiative later). The new cyber force is therefore not (yet) EU-wide, and its mission is purely defensive. However, the potential is there for it to be developed into a full EU Cyber Force with both defensive and deterrence capabilities.
Curious to know more about the new EU Cyber Rapid Response Force (and Europe’s response to cybersecurity more generally)? We’ve put together some facts and figures in the infographic below.
What do our readers think? We had a comment from Nico, who argues that the cross-border nature of cyber intrusions means that a response from individual Member States is inadequate. He thinks cybersecurity should be “Europeanised”, which is perhaps what the EU Cyber Rapid Response Force represents.
In an earlier debate, we put Nico’s comment to Heli Tiirmaa-Klaar, who was then the Cyber Security Policy Advisor for the European External Action Service and was recently appointed Estonia’s Ambassador at Large for Cyber Security. She told us that cyber defence should happen at the national level, and that the European level would best be restricted to awareness raising or encouraging Member States to do more:
The “Europeanisation” of cybersecurity is something which people would think will work, but I’ve also been a cybersecurity practitioner and I know that cyberthreats are closer to forest fires. It’s very difficult for Brussels to put down a forest fire in Madrid, you need to do it locally.
Cyber threats need to be tackled at the national level first. If there is a virus in your networks, it takes a long time before somebody from Madrid can reach somebody in Brussels, so the operational incident response has to happen locally. And people also have to understand that each organisation needs to deal with cyber-threats. The top-down approach is justified in terms of awareness raising, or when it is EU-wide legislation that asks individual Member States to do more… But every country has to set up a computer emergency response team or a cyber incident response team, which is like the cyber “fire brigade” that helps to deal with cyber issues at the local level.
So, who is right? Nico or Heli Tiirmaa-Klaar?
To get a reaction, we put both comments to Edvinas Kerza, Lithuanian Vice-Minister of National Defence. Given that his country is leading the effort to take a more European approach to cyber response, how would he respond?
For another perspective, we also put Nico’s comment to Kate Charlet, Program Director of Technology and International Affairs at the Carnegie Endowment for International Peace. Did she think Nico or Heli Tiirmaa-Klaar had the right approach?
Both Nico and Heli Tiirmaa-Klaar are partially right. There will be major components of cybersecurity that remain national in nature. First, sensitive matters like offensive cyber operations or foreign intelligence (e.g., to attribute cyber-attacks) are difficult to share. Second, many nations don’t want to tell others about their vulnerabilities and dependencies. Finally, nations want to preserve national decision-making about when and how to respond to a cyber-attack.
However, there is a very valuable potential role for EU assets in building capacity and responding to crisis. In the United States, our National Guard and Reserve units are integrated into national missions for their “day jobs.” But in a crisis, they can be called up to “coordinate, train, advise, assist” the states. This role has to be carefully defined, though; it just doesn’t always make sense for a team to parachute down to get “hands on keyboard” at a location where they don’t understand the networks. It’s important that the EU be clear, though, about what aspects of cybersecurity are to be left to member states and which are conducive to a European approach.
Next up, we had a comment from S.K., who thinks the EU definitely needs to invest in a dedicated cyberforce with the ability to respond to threats. However, he’s worried about what it would mean in practice, including the implications that the force could be used offensively and not just for cyber defence.
The announced mission of the new EU Cyber Rapid Response Force is purely about responding to cyber intrusions, with no official offensive capability. However, isn’t there a risk that it might be viewed as provocative by other states (particularly Russia)? Will the new force be purely defensive, and (just as importantly) will it be seen as being purely defensive? Or will it be another step towards “weaponising” cyberspace?
Finally, how would Kate Charlet from the Carnegie Endowment for International Peace respond?
It’s hard for me to imagine how an ‘EU cyberforce’ would work in practice, because nations vary so widely in terms of national readiness and capability, and because decision-making needs to happen so quickly in cyberspace. If such a force had a defensive mission (say, to help European critical infrastructure in a crisis), then some of those concerns would be easier, but still complex.
The best way to protect from cyber threats without encouraging a cyber arms race is to build resilience across the EU to quickly recover after a cyber attack; stand together with partners and allies to “call out” and impose costs on bad behaviour; and to help build norms of responsible behaviour in cyberspace.
On 6 November 2018, our sister think tank, Friends of Europe, is holding an event in Brussels on developing EU cyber resilience, as part of their Peace, Security and Defence Programme.
Should the EU create a European Cyber Force? Could it be viewed as provocative by Russia? Let us know your thoughts and comments in the form below and we’ll take them to policymakers and experts for their reactions!