Please note: Below you will find the introduction to DGAP Policy Brief No. 8. To read the entire text, including footnotes and citations, download the full PDF here.
Key points: |
---|
|
|
|
|
The European Union lacks a doctrine in cyberspace, concluded Thierry Breton, EU Commissioner for Internal Market, in 2021. The EU’s current cyber strategy from December 2020 neglects to develop such a doctrine; instead, it engages in traditional deterrence thinking, which aims to deter attacks through denial and punishment. This strategy ignores the fact that measures of denial and punishment have been largely unsuccessful in deterring malicious international behavior below the threshold of armed conflict. While the EU’s focus on the gradual increasing of resilience and reducing the incentive for attack through sanctions and verbal condemnations is necessary, it is insufficient for fending off cyber operations. In December 2021, a cyber operation targeting the Belgian Ministry of Defense compelled segments of its network – e.g., its mail system – to be taken offline for days. In January 2022, Germany’s domestic intelligence service, the Bundesamt für Verfassungsschutz, revealed that APT27, a Chinese hacking group, had been stealing intellectual property from German pharmaceutical and technology companies. Both of these incidents show that adversaries are not deterred from conducting operations despite potential punitive measures.
On December 16, 2020, the EU presented its new strategy for cybersecurity. On the one hand, this strategy attempts to achieve denial through regulation of the EU market, which promotes resilience of devices, networks, and actors on EU territory. On the other, it attempts to do so through capacity-building abroad. Punishment may be applied if a hostile state disregards norms of responsible state behavior by, for example, attacking national critical infrastructure or undermining democratic processes. In this case, the EU strategy recommends the use of the EU Cyber Diplomacy Toolbox. |
For its part, the United States has recognized that old deterrence thinking needs updating and has consequently changed its own doctrine and strategy for cyberspace. The current US strategy of defending forward emerges from a doctrine that considers traditional deterrence thinking as not appropriate for fending off attacks below the threshold of armed conflict. In other words, despite attempts to focus on denial and punishment, the United States continued to be hit by attacks such as the Sony Pictures hack and Office of Personal Management hack. The new US strategy of defending forward also emerges from the doctrine of persistent engagement. Persistent engagement rests on the belief that states like China, Russia, Iran, and North Korea engage in persistent opportunism in cyberspace and need to be countered constantly, rather than only in the event of a major attack. The idea is to change the behavior of the adversary by engaging them globally, close to the source of malicious behavior. This means breaking into foreign systems, sometimes on allied territory. Resilience and defense are also part of the US posture, but they are mentioned only marginally.
EU member states have mostly restrained themselves from taking an overtly offensive cyber posture or using their offensive capabilities because they fear further propelling the digital arms race. The experience of the United States confirms these fears since the bold US narrative is likely to incite the further militarization of cyberspace. If all countries, including China, engaged in this kind of offensive thinking, it would raise concerns not only in the United States but also across the globe. Furthermore, trying to shape the behavior of actors may not be as effective as planned – both state and non-state adversaries keep on compromising US networks successfully and at a large scale, as demonstrated by the SolarWinds hack and the Colonial Pipeline ransomware attack.
The primary lesson for the EU to learn from the US experience is that it is futile to significantly alter the behavior of adversaries through cyberspace. And yet, the EU’s current defensive approach of trying to dissuade adversaries from attacking is futile too. Rather than trying to shape adversary behavior, the EU should shape the substance of cyberspace itself, which would, in turn, raise the cost for malicious actors to engage in offensive behavior. The EU doctrine should explain why it is important to tilt the offense-defense balance to the defender’s advantage. It should highlight why it is crucial to strengthen the defender in each dyadic relationship with an attacker. This doctrinal thinking can be summed up as defense superiority in cyberspace.
Acting upon this doctrine, the EU should follow what this policy brief defines as a strategy to secure the cyber domain that focuses on the following:
- Making cyber operations less significant, i.e., reducing the propagation of malware across companies, ministries, and individuals, for example through information sharing
- Decimating the disruptive effects of cyber operations through redundancy
- Limiting the depth of intrusions with tools such as multifactor authentication
This proposed strategy does include some elements of persistent engagement, such as limited cyber operations to disrupt operations. However, those offensive cyber operations are not a priority here, and they are not meant to change adversary behavior or gain relative advantages compared to hostile states. Moreover, this strategy differentiates itself from US posture in cyberspace, which encourages malware to be implanted in the critical national infrastructure of an enemy, creating a deterrence mechanism by holding it at risk to discourage attacks above the threshold of armed conflict. The strategy of securing the cyber domain does not subscribe to implanting malware for such a deterrent purpose.