Just a few days ago, European Commission President Jean-Claude Juncker presented his 2018 State of the Union speech with the title “The Hour of European Sovereignty”. In the speech, he argues that the time has come for the EU “to become more autonomous and live up to our global responsibilities”. The question is how to make this ambition become a reality, how to achieve strategic autonomy. Especially in the context of cybersecurity, strategic autonomy is becoming a widely discussed topic.
The growing interest in the link between “digital” or “cyber” and strategic autonomy is driven by the increased dependency on transformative digital technologies throughout the economy and society, combined with the explosive growth of cyberthreats and incidents. The political context of rising international tensions in the relationships of the West with China and Russia, as well as increasing transatlantic strains, exacerbate the situation. After tense NATO and G7 Summits in May 2018 German Chancellor Angela Merkel said: “We Europeans must really take our fate into our own hands”.
While in the past strategic autonomy was mostly discussed in relation to security, defence or foreign policy, recently it is seen to concern economy and society at large. The US is stepping up restrictions of Chinese foreign direct investment (FDI) in key technologies justified by the reasoning of America otherwise having no economic future. Areas in the spotlight include semiconductors, telecommunications, robotics, and AI. Likewise, Germany, the UK as well as China are stepping up such measures.
The 2017 French Defence and National Security Strategic Review extensively discussed threats in cyberspace and declared that strategic autonomy as a key objective due to it decisive impact on French sovereignty. In June 2018, EU Member States discussed the post-Brexit exclusion of the UK as a full member of the Galileo satellite system because of the risk of a “loss of strategic autonomy”. The EU cybersecurity strategy aims to “build greater resilience and strategic autonomy” with the strategic interest that “the EU retains and develops the essential capacities to secure its digital economy, society and democracy”.
These developments raise many questions, three of which I will address in this blog post: what is strategic autonomy, what is the impact of cybersecurity on strategic autonomy, and what are the policy implications?
Strategic autonomy is an ambiguous concept. Policy documents tend to not define it but rather vaguely refer to capabilities and the need to protect sovereignty. Sovereignty – a central concept in international relations – is about internal and external legitimacy, recognition, authority and territory. Strategic autonomy and sovereignty, however are not the same. Rather, strategic autonomy is a means to realise sovereignty. Traditionally, in the Westphalian model sovereignty was a matter of states as the units of the international system. Yet, today, strategic autonomy can involve either a state or a collective of states such as NATO or the EU. For instance, France’s Home Affairs Minister Gérard Collomb speaks of “Franco-European strategic autonomy”.
To bring more clarity to the concept I propose the following definition: “Strategic autonomy is the ability, in terms of capacity and capabilities, to decide and act upon essential aspects of one’s longer-term future in the economy, society and their institutions.”[i] While this definition is non-normative, identifying “essential aspects” is of course a subjective matter.
There is no doubt that cybersecurity threats undermine strategic autonomy. Malware and DDOS attacks put critical infrastructures from energy networks to industrial control and defence systems at serious risk. Cyber theft of intellectual property together with financial theft through hacking and ransomware comes at a cost of hundreds of billions of dollars annually. Evidence is growing of organised mis-information campaigns in social networks and hacking of electoral systems. States are worried that their very sovereignty is at stake.
In ‘The Virtual Weapon’ Lucas Kello shows that cyber aggression has three types of impact. Firstly, it unsettles the power balance between states. ‘Cyber’ is a new offensive technology that puts the defensive side at a disadvantage. Secondly, it enables states to reject accepted inter-state behaviour by systematic and permanent harmful use of cyber intrusions and disruptions. Thirdly, the international state-based system itself gets challenged due to the entry of non-state actors, notably malevolent ones. Some argue that global tech companies challenge state supremacy too. In a nutshell, Kello argues that there is a “sovereignty gap”.
“Cyber” has become a critical disruptor for the economy, society as well as the internal and external governance of states. However, it is also becoming a key force in defending these, and, more generally, mastery of digital technologies is an essential capability for future competitiveness, to protect society’s values, and indeed, to overcome the “sovereignty gap”.
What are the policy implications of the increasing importance of “cyber”? Confronted by novel cybersecurity threats and dilemmas what should governments do? Can strategic autonomy be preserved in an era of rapid technological change? While it is tempting to increase within-state capacities or look for agreements between states, the nature of the challenge might require thinking outside the box. Here are three strategies.
First, governments could – as most of them already do – invest in better response mechanisms to handle cyber incidents and in hardening critical systems. Some cybersecurity experts argue that digital systems are now so complex that hardening them and preventing sophisticated attacks is impossible. Rather, the focus should be on rapid detection and defence to maintain an acceptable level of resilience.
Second, as only the US and China may be able to control the development of their own key technologies, other states may have no choice but to take part in alliances and promote common international governance even if national security and sovereignty concerns continue to clash. In ‘Digital DNA’, Cowhey and Aronson advance options for private-public cooperation for governance in the digital age, drawing lessons from existing mechanisms such as in international financial transactions (SWIFT). Can mutually-recognised IT security certification (for which in the EU a law is under negotiation) be extended to global supply chains, involving, for example, also China and the US and neutral third-party inspection regimes? In international cyberspace this would be rather new territory.
Countries also promote international norms and values in cyberspace such as in the UN context or the London process. Optimists hope that this will establish global cyber peace. Pessimists would say that such efforts do no more than buy (or waste) time. Realists may argue that all we can hope for is surviving a situation of a permanent cyber disruptions that do not escalate into full-scale war yet cumulatively are still highly damaging, what Kello calls ‘unpeace’.
Third, a radically different strategy would be to reduce state-centric control. How? One route is to promote open source technologies. A collective of non-state actors, the global open source and internet community, would then play a major role. A complementary, more experimental option is distributed security control (e.g., cybersecurity start-up Xage uses blockchain for distributed authentication of industrial control systems). Yet another option is to rely on truly global tech companies for cyber-defence. Governments can be supportive through R&D programmes, public procurement and legislation. However, why would governments relinquish even a degree of sovereignty? Or, will they have no choice in the future?
While there remain lots of unknowns, the disruptiveness of “cyber” knows no bounds. We urgently need to advance the policy debate about its implications, informed and supported by academic research. The clock is ticking.
[i] This definition takes inspiration from IFRI – (Institut Français des Relations Internationals) which – in the narrower context of security and defence – identifies capacity and capabilities for political, operation, and industrial dimensions of strategic autonomy.
Paul Timmers is a visiting research fellow at Oxford University where he studies cybersecurity policy and digital transformation. Until 2017 he was Director at the European Commission for Digital Society, Trust & Cybersecurity, responsible for policy, legislation and innovation in cybersecurity, digital privacy, digital health & ageing, e‑government, and smart cities/mobility/energy and in that function also member of management board of ENISA. He was responsible for European cybersecurity legislation, including the Network and Information Security (NIS) Directive, the Regulation on electronic identity and trust services (eIDAS) and the ENISA Regulation. He was also co-responsible for significant parts of the EU’s research and innovation programmes in several fields. His current research interests include cybersecurity industrial and trade policy, digital sovereignty, cybersecurity international business models as well as digital transformation.