Could you introduce the 2013 European Union (EU) Cybersecurity Strategy and explain how this has changed the European cybersecurity policy landscape over the past couple of years?
The 2013 Strategy was the first overarching framework for cybersecurity in the EU and was a manifestation of the holistic approach to cybersecurity that the European External Action Service (EEAS) had been advocating. It was a joint undertaking by the High Representative of the EU for Foreign Affairs and Security Policy and the European Commission. Within this strategy we were very clear on the direction of travel for cybersecurity and our overall policy objectives for Europe. The Strategy set out five important priorities:
Since 2013, we have been working hard to uphold these priorities on an international level.
How great an issue is cybercrime in the EU, and how does it need to be tackled?
Cybercriminality is a very common phenomenon unfortunately – we are all confronted with it. Within the EU, in fact, more than one in 10 netizens have already been targeted by online fraud. It has been estimated that the cost of cybercrime globally could be as much as €400 billion per year. Cybercrime also knows no borders, and we need to be better equipped to deal with this truly international problem. However, there are certain territories or countries where cybercrime is thriving particularly well because of missing or weak state structures.
The EU has always promoted the Budapest Conventions on Cybercrime, which have been in force since 2004 and offer a legal framework to combat this type of criminality through international cooperation. It is a Council of Europe framework, but it is open to any country that wants to join our efforts. The EU also engages increasingly in capacity building to deal with cybercrime, particularly in countries where cybercriminals are based and active. For example, EEAS, together with the Commission, promotes legal solutions in line with international standards, offers training and develops infrastructure so that countries with a large cybercriminal community are better equipped to tackle the problem.
To ensure security within cyberspace we mainly need more cooperation with the private sector, but also cooperation between different agencies such as law enforcement. Within the EU, we have made some progress by establishing the European Cybercrime Centre, which is attached to Europol in The Hague. The Centre has been working since 2013 to improve the law enforcement response to cybercrime within the EU.
What specific challenges exist concerning cybersecurity policy, particularly with the expectation that the number of netizens will double in the next five years and that many new users will be from developing countries?
Probably the most significant challenge is the borderless nature of cyberspace, meaning that we need a common understanding internationally of how threats should be dealt with. This borderless environment can, to some extent, challenge principles such as state sovereignty and make it difficult to create national government policy.
As the number of internet users explodes, we need to build an infrastructure to offer training and education, not only to law enforcers and policy makers but also to ordinary citizens. People need to know how to behave and have effective ‘cyber hygiene’. Most of this good internet practice is common sense, such as changing your password regularly, but not all of it is obvious and therefore people need encouragement, education and standards. This expertise has to be developed worldwide, not only in developed countries, in order to ensure cyber resilience.
An important direction for EEAS’ efforts is also technical assistance for cyber incident responses and readiness in developing countries, and we have special sources of funding dedicated to such development. A few years ago we made initial steps by starting a pilot project in the Balkans dedicated to developing computer emergency response teams. Now these programmes for enhancing cybersecurity and combating cybercrime are being rolled out primarily to Africa, but also Latin America, so that we can offer more education and more training. The training is especially targeted towards law enforcement agencies so that they are able to more efficiently tackle cybercrime.
Are additional difficulties created on a policy level due to cyberspace being controlled largely by the private sector?
Because cyberspace is different in the sense that most of the IT infrastructure worldwide is in private hands, we cannot hope to ‘govern’ it without the inclusion of industry. At any conference or major cybersecurity forum, it’s always the private sector that’s very much active and vocal, as they inevitably drive forwards developments that are mostly guided by our citizens’ demands. In the EU the idea of a multistakeholder model of governance – including industry, netizens, NGOs and civil society – has always been promoted in relation to cyberspace for this reason. Non-cyber conflicts typically take place between governments whereas cyber conflicts involve multiple borderless sectors; we need to acknowledge new governance measures to tackle these.
What has been the nature of EEAS’ work building confidence between nations on cybersecurity and establishing international cyber laws?
Our mandate is external, and we have predominantly focused on supporting the development of norms of state behaviour in cyberspace, and confidence building measures and transparency. These efforts haven’t taken place in isolation – we closely follow the work of the UN Group of Governmental Experts, which includes several EU Member States such as Estonia, Germany, France, UK and Spain. Collectively, the EU strongly supports the results of the Group’s 2013 report, which maintains that current international laws – the law of armed conflict and international humanitarian laws – apply to cyberspace as much as they apply to physical space. We don’t need to draft special laws to govern cyberspace; we have to apply the existing body of international law to cyberspace.
In addition, we have also engaged in the development of confidence building measures, in particular with participating states of the Organization for Security and Co-operation in Europe (OSCE). OSCE adopted the first set of cyber confidence building measures in 2013, and the EU is similarly supporting work in the Association of Southeast Asian Nations (ASEAN) at the ASEAN Regional Forum.
Do you have concerns that upholding existing international laws while implementing cybersecurity measures will result in some of the greatest benefits of the internet in terms of freedom of speech being lost?
Translating these existing international laws is difficult to a certain extent, but doable. Some of the laws on armed conflict date back to the late 19th or early 20th Century, but they still apply even though the nature of warfare has changed dramatically. Those conventions, which are supposed to be upheld by all UN members, are based on unchanging principles, such as the principle of proportionality in a conflict situation or protection of human rights.
Freedom of speech is one of these very fundamental values. Some countries still believe that governments should play a bigger role in governing the internet, and there have been ideas to draft a special convention for cyberspace. EEAS and the EU have always opposed this, because we understand that cyberspace is a part of our societies for which we need to agree on how to implement already existing international law. We also fear that for some governments a new convention would have the aim of increasing government control and legitimising some level of censorship.
It would be a huge mistake to limit the right to freedom of expression in the name of cybersecurity. In Europe, we very much believe in open and democratic societies, and we need to uphold human rights and fundamental freedoms. Some governments globally don’t agree with that, but EEAS and Europe are very much campaigning for open, collaborative internet governance to ensure that freedom of speech is not lost and that the internet continues to be an open, innovation-friendly and flexible platform that has served our societies so well since its inception.
The EU Member States adopted the Council Conclusions on Cyber Diplomacy earlier this year. Has this changed the stance of EEAS on cybersecurity? What are the Service’s main goals in this arena in the next few years?
The Council Conclusions are useful because they provide a common script for all the Member States and highlight our positions on protection of human rights online, norms of state behaviour in cyberspace, internet governance and capacity building. We have made a lot of progress with discussing cybersecurity and internet governance with partners worldwide. And we haven’t just started talking to the like-minded with whom we would be in general promoting the same approach, such as the US and other Organisation for Economic Co-operation and Development (OECD) members. We have had a number of dedicated meetings on cybersecurity and internet governance with China and India, among others. These exchanges will continue and EEAS will certainly introduce cyber issues into bilateral dialogues with a lot of other countries and organisations, too. We want to preserve our very active role in promoting an open, free and secure multistakeholder governed internet and cyberspace as this increasingly important area of policy rapidly develops.