At the June Summit, which will take place after the UK Referendum, the High Representative of the Union for Foreign Affairs and Security Policy, Federica Mogherini, will present the results of her global review of external strategy. As part of the review process, the Human Security Study Group, at the LSE, which is convened by Mary Kaldor and Javier Solana, has presented a report entitled From Hybrid Peace to Human Security: Rethinking the EU Strategy Towards Conflict together with twelve background research papers .
Conflicts are at the sharp end of contemporary crises. Refugees, extremist ideologies, criminality and predation are all produced in conflict. Contemporary conflicts are sometimes known as ‘hybrid wars’ or ‘new wars’ in which classic distinctions between public and private, government/regular and rebel/irregular, and internal and external break down. They are best understood not as legitimate contests of wills (the twentieth century idea of war) but as a degenerate social condition in which armed groups mobilise sectarian and fundamentalist sentiments and construct a predatory economy through which they enrich. Identifying ways to address violent conflict could open up strategies for dealing with broader issues.
In this special openDemocracy series, the Human Security Study Group outlines the main conclusions of our report in our introductory essay together with six essays based on some of the background papers. These essays include: an analysis of the conceptual premises of the Global Review (Sabine Selchow); three essays on specific conflict zones – Syria (Rim Turkmani), Ukraine (Tymofiy Mylovanov), the Horn of Africa (Alex de Waal); the importance of the EU’s justice instrument (Iavor Rangelov); and how EU cyber security policy is human rights focused rather than state focused (Genevieve Schmeder and Emmanuel Darmois).
EU officials propose a joint EU Cyber Security Strategy, Brussels, February, 2013. Yves Logghe /Press Association. All rights reserved.
The increasing digitalisation of our societies creates new vulnerabilities both to accidents and to intentional threats. Malevolent individuals and organisations may, without any physical presence, infiltrate all possible networks, including the most sensitive ones, modify the behaviour of applications and compromise data.
Every individual as well as governmental, non-governmental and business organisation may be targeted. Hence the growing concern of cyber threats, whose characteristics relate them more to human security than to traditional security approaches: they transcend international boundaries, mostly concern civil societies, are in essence asymmetrical and have a crucial human rights dimension.
We focus here on EU policies in the field and their specificities. They end up in shaping a distinctive EU approach to cyber security that does reject the kind of technological determinism and mass surveillance that tends to characterise the approaches of most other national and international actors.
Cyber security: its nature, actors and real threats
Cybersecurity has to do with the prevention, detection, mitigation and response to destructive or malevolent practices developed in cyberspace, which affect computer systems and their associated data. These practices range from the least damaging, which disrupt nonessential services or are mainly a (costly) nuisance, to the potentially catastrophic (sabotage of critical infrastructures; accidents or disasters causing bloodshed). They have become mainstream, extremely frequent and have growing negative economic, societal and security consequences.
The gradual emergence of cyberspace since the end of the 70's has gone together with some ‘enabling factors’, such as anonymity, impunity and cost reduction. Another crucial factor for the development of cyber threats is the proliferation of vulnerabilities, both technical and human. Today's cyber systems have complex architectures that are highly interdependent and hard to test exhaustively, which use vulnerable end-user devices (e.g. smartphones). The ‘human factor’ is even more crucial since most often it is people, either through lack of attention or ignorance, who are the weak link. The ‘human factor’ is even more crucial since most often it is people, either through lack of attention or ignorance, who are the weak link.
All these vulnerabilities have created opportunities for organised criminals with a financial motivation, which also use cyberspace for their traditional activities. Theft and illegal trade of sensitive data (personal data, intellectual property, R&D, business-strategic data, etc.), money extortion and laundering, sexual abuse, etc. are a very fast growing segment of cyber criminality, which has become a true industry, constantly seeking to improve both its division of labour and its technology.
Targeted companies and legal actors are in a difficult defensive position. They are generally reluctant to communicate their problems, for fear of loss of reputation or of negative reactions from customers or stakeholders. Furthermore, effective cybersecurity requires huge investments, and securing just a link in the chain is not enough. Yet, it seems that the cost of poor cybersecurity is still considered as bearable and that arbitration against cybersecurity spending persists.
Yet the worst may be still to come with the emergence of ‘sabotage’ as a new frontier for cyber criminality, in particular with the emergence of Intelligent Transport Systems, eHealth, smart grids or the Internet of Things. Indeed, technically, it is already feasible and possible (or it will be soon) to get control of some connected objects, or to disrupt elements of electricity distribution networks, water treatment plants, emergency services, and so forth.
Moreover, terrorists and jihadist organizations have swiftly recognized the benefits of using the Internet as a part of their arsenal. So far, however, despite scenarios in which sophisticated cyber-terrorists break into critical infrastructures, they have not inflicted the kind of damage that would qualify them as cyber-terrorism.
The role of governance, state actors, and transparency
States are mobilizing important resources for their cyber security activities that are both military and civilian, defensive and offensive.
In the military field, most states develop capabilities to back traditional military operations. A number of them – including several European countries – consider that offensive defence is not enough. Preparing for aggressive cyber-war which, unlike conventional war, is not subject to any rule or control, they include pre-emptive digital strikes in their global panoply. They are behind the most sophisticated cyber threats, which involve a wide range of actions, from disinformation, vandalism, economic cyber criminality, espionage, to sabotage.
Involved military and intelligence services often hide their aggressive and malicious actions behind other malevolent actors. Beyond the potentially lower costs, the main advantage of leaving the attacks to informal cyber-gangs is that states can deny their responsibility. Beyond the potentially lower costs, the main advantage of leaving the attacks to informal cyber-gangs is that states can deny their responsibility.
In the economic domain, all governments consider as their obligation to have capabilities to defend their domestic infrastructures and economy. Though this defensive approach is well in line with the protection role expected from the nation-state, it is mostly fulfilled by the private sector itself.
When it comes to the political dimension, the situation is different. While it is difficult to find nation-states that have a genuine policy of using their cyber capabilities to defend their civil society, it is extremely easy to find examples of states that are using their cyber capabilities to push their political agendas against civil societies, very often starting with their own. The life of active participants in civil society is thus becoming difficult, due to government pressure – generally justified in the name of the fight against terrorism – against the use by the public of protective technologies such as encryption and the lack of a basic regulation of cyberspace.
The activity of civil societies in cyberspace is largely relying on the ‘openness’ of the Internet, which relies not only on the possibility of deploying new applications and services in a simple way and on the availability of cheap or free resources that can be easily assembled and set up, but also on the ‘open’ and transparent governance of Internet.
As some actions (such as whistleblowing for instance) are considered as illegitimate by existing powers, the supporting actors may need to be protected against nation-states, the most active enemies of civil societies in cyberspace. In most countries, however, governments and government agencies systematically attempt to delegitimise the right to use technologies such as encryption, supposedly because this would undermine the state's security. From this standpoint, the EU is developing a different approach that is addressed in the next sections.
The EU’s approach to cyber security
The first overarching approach to cyber security in the EU was the European Cyber Security Strategy, presented in February 2013, which announced 3 basic principles: the same core values, laws and norms that apply in the physical world apply also in the cyber domain; the Internet is a public or collective good that should be available and accessible to all; the governance model for Internet should be democratic and cyber security policy should be a shared and multi-stakeholder responsibility. Europe’s is crucially different from the concept defined in the US after the terrorist attacks on September 11, 2001.
The Strategy also defined five strategic priorities, which included establishing a coherent international cyberspace policy in order to promote core EU values (EU “cyber diplomacy”). Europe has in effect an ambition to be a normative global actor, capable of creating an effective and constructive culture of cybersecurity within and beyond the EU.
EU cyber security policy diverges both from policies pursued in EU member states and from policies that are being developed in the rest of the world in many important respects, in particular the nature of “cyber power”, the governance model and respect for fundamental rights.
The EU, in conformity with its core norms and values, doesn’t develop the kind of hard and offensive cyber power concept pursued by those states that approach the issue through the logic of national security and superiority. The EU approach is basically legalistic and protective. It focuses on soft power capabilities, i.e. building capacities that enable detection, response and recovery from sophisticated cyber threats.
In the defence/military field, the EU is solely engaged in cyber self-protection and assured access to cyber space to enable its operations and missions. Offensive capabilities, when they exist, are not developed or deployed under the EU banner.
Europe’s is crucially different from the concept defined in the US after the terrorist attacks on September 11, 2001, and with approaches carried on by other crucial state players, such as the Russian Federation, the People’s Republic of China, all widely suspected of sponsoring various forms of cyber attacks for political purposes, together with the majority of individual EU member states, which do allocate significant budgets and personnel to developing cyber-offensive capabilities.
EU-US summit on cyber attacks, cyber crime, and terrorism, Lisbon, 2010. Virginia Mayo /Press Association. All rights reserved.
Governance models broadly oppose multi-stakeholder to governmental models. On one side, a number of non-European countries, such as the US, Japan, Canada and Australia, share with the EU the vision of multi-stakeholder governance. They consider that traditional top-down state-centred models are ill suited to global, decentralised, publicly shared but largely privately developed communication networks. They do not agree, however, on the list of relevant stakeholders. While the EU recommends the inclusion of all players – from citizens to governments – the US argues for a predominantly non-governmental model with the strong participation of the business sector.
On the other side, the multi-stakeholder approach is highly contested by a number of countries, such as Russia, China, Iran and India, which defend both a centralised and intergovernmental approach. Arguing that western countries are holding too much power over the management of the Internet and that they themselves are under-represented in the actual global Internet governance institutions, they plead in favour of much more governmental involvement in cyberspace, and they want the Internet to be governed at the international level by inter-governmental organisations.
The EU, given its unique features, has in theory the potential to be a model for other regions of the world, since it is a remarkable full-sized “institutional laboratory”, which must constantly find compromises and trade-offs between contradictory actors, principles, instruments and interests. The EU is also building a consistent and comprehensive governance model, with a decentralized structure in which different agencies and institutions are responsible for different aspects of the digital world, and political and legal control is exercised by two major institutional players: the EU Parliament and the European Court of Justice, which play an essential role in avoiding the capture of the regulatory game by economic lobbies, political leaders or technological experts, thereby ensuring a balance between cyber security, public interest and other legitimate economic, commercial or regional interests, and the defence of citizens’ rights and freedoms.
Fundamental rights’ protection
The EU’s declared ambition is to make its digital environment not only the most secure, but also the most respectful of the citizens’ fundamental rights in the world. In the cyber domain, the main difference between the EU and other approaches is the attention paid to respect for civil liberties and the rule of law including international law, and to the promotion and defence of fundamental rights. While the EU, which cannot depart from the principles of the European Charter of Human Rights, is preoccupied with balancing cyber security with the protection of such rights, individual countries – both outside and inside Europe – are more ready to accept derogations for reasons of national security.
Indeed, to a large extent, EU cybersecurity policy has been a reactive rather than a proactive policy. Normative texts set up by the EU in the field of cybersecurity have often appeared as reactions to external circumstances. The successive revelations of US surveillance activities concerning European citizens, for instance, had an undisputable norm-productive effect. It brought the issue of rights and democracy under closer scrutiny, and increased pressure within the EU to ensure respect for European citizens’ rights online, both domestically and abroad.
The digitalisation of our societies creates new forms of vulnerability and new potential threats, as ill-intentioned people can relatively easily gain access both to sensitive information and to the operation of crucial services. Critical infrastructure systems are complex and therefore bound to contain weaknesses that might be exploited. Malevolent actors – which include states as well as criminals and terrorists – can at least in theory approach targets that would otherwise be utterly unassailable, such as power grids or air traffic control systems, that might be attacked to inflict human or material destruction. So far such cyber attacks have not killed people, but this could come in a relatively near future. In Europe, where governments tend to play on emotional reactions to terrorist threats to support traditional national security approaches, some uncertainty remains over Member State buy-in for such a common EU approach.
Such threats are addressed by cyber security policies whose effective implementation depends not only on state actions, but also on public-private cooperation and on coordination between policy areas and international institutions, especially the EU. In recent years, the EU has been working to implement a consistent, balanced and overarching cyber security strategy, built on internal resilience and its core values. The EU’s declared ambition is to make its digital environment not only the most secure, but also the most respectful of the citizens’ fundamental rights in the world. This is a real challenge, given the difficulty of finding a satisfactory and sustainable balance between security, freedom and protection of citizens’ fundamental rights.
The EU objective of developing a cyber ‘soft’ power privileging defence, resilience and civil society sharply contrasts with national cybersecurity policies developed both inside and outside Europe. In Europe, where governments tend to play on emotional reactions to terrorist threats to support traditional national security approaches, some uncertainty remains over Member State buy-in for such a common EU approach. In the rest of the world, major cyber players have different concepts, cultures and logics on these matters, particularly regarding norms for cyber security behaviour.
How to find compromises capable of satisfying these opposite exigencies (security and rights protection), which are complementary imperatives laying at the root basis of democratic systems? It is certainly wrong to regard the negative impact of communication technologies as uncontrollable, but also to imagine that one can bring them completely under control. Too much security kills security, and some policy responses to cyber threats are just as worrying in the long term as the evils to which they pretend remedy.