of trust in its role as the guardian of cyberspace. That, combined with a desire to project strength in cyber space, makes France a formidable global cyber power. ANSSI, its cyber security hub, doubled its staff in 2011. [13]

Germany is a different type of cyber security partner from the UK or France but is attuned to the position of many European states, particularly those in Central Europe. Berlin does not view cyber security through the prism of national security as much as the UK or France do, though it opened a Cyber Defense Center in June 2011. [14] Germany’s historical, cohesive policymaking between industry and government makes coordination on cyber security easier for the Germans than for others, including the US. Germany also boasts a deep reserve of savvy hacker communities such as the Chaos Computer Club (CCC), which has played a role in identifying and mitigating past threats. But Germany maintains strict legal barriers on cooperation between intelligence-sharing and limited tolerance for domestic surveillance on the general public. Even the use of cyber weapons is viewed with great ambivalence. [15] For this reason, cyber and information security plays a larger role in domestic politics in Germany than in the UK or France and will constrain Berlin’s ability to monitor nefarious online activity and coordinate preventive action with the private sector.

Beyond this, a la carte coalitions of European states can provide the US with important international allies and resources. Some states, such as the Netherlands and Sweden, have identified Internet freedom as an international priority.
[16]

Recommendations for 2013

US and European cooperation on cyber security and e-governance more broadly will inevitably intensify in 2013 as both sides of the Atlantic look to build domestic legislation to govern this space. Simultaneous international consultation, especially with each other, will provide the US and Europe a sound basis for developing cyber security norms and provide both with a blueprint on how to engage other actors bilaterally and multilaterally.

1. Coordinate with Europe bilaterally and multilaterally on language for cyber security policy:

Terminology often poses the first problem for lawmakers in the US and Europe. This is not a theoretical exercise. Establishing credible, internationally recognizable definitions for gradations of attack and potential targets such as critical infrastructure will facilitate responses that can be coordinated both within and across governments. It will also start to provide a firmer basis for the application of domestic and international law as well as treaty obligation.

a) Devise commonly understood categorizations for cyber attack in conflict vs. cyber attack as conflict: The UN report on cyber security in 2010 led to the establishment of some key applications of international law in the case that cyber offensives are coupled with kinetic attack and states generally recognize the application of the Law of Armed Conflict to cyber attacks in war situations. The US and Europe agree that armed assault can be committed through cyber means. Ambiguity remains, however, regarding the threshold at which a cyber attack, by itself, reaches a degree to which it could be regarded as an act of military aggression. Although the 2010 NATO Strategic Concept hinted that Article IV consultations and even Article V invocation could apply in the event of a massive cyber attack, the US and Europe maintain a strategic ambiguity regarding the threshold of its invocation.
[17] While this ambiguity has its advantages, it can diminish the potential for credible deterrence and prevent the development of rational behavior among states, addressing salient policy questions such as state culpability and proportional response with potential adversaries.

b) Consult on how to commonly define critical infrastructure and pursue a nuanced approach to its regulation: The US’s 2003 National Security Strategy to Secure Cyberspace includes a robust definition of critical infrastructure. [18] However, in some policy areas, the US definition of when such infrastructure has been breached is under debate.

Europe is engaging in a similar debate. The EU’s current definition of critical infrastructure is limited to the energy and transport sectors. [19] Some have criticized this narrow definition, calling for the inclusion of telecommunication and ISP infrastructure, financial services, health, food and water supply systems, and nuclear research and industry. [20]

Cyber space has become a public good, one susceptible to government regulation and protection. Although 80 to 90 percent of the critical infrastructure in the US and Europe is in private hands, governments still must assess if compliance with their standards can remain voluntary or mandatory. This is not the same for all sectors, as incentives differ. For example, most analysts agree that the financial sector is the best prepared to protect against cyber incidents, as it is subject to a high volume of low-level phishing, crime and fraud daily. Given the synchronous development of standards in this area on both sides of the Atlantic, the US and EU should hold joint discussions with trans-Atlantic industry on common definitions of critical infrastructure and interoperable standards, with provisions and time frames for both mandatory and voluntary protection and disclosure of breaches.

Finally, liability and insurance should play a greater role in a frank assessment of risk in the trans-Atlantic dialogue on public-private partnerships. The threat of
The threat ofcyber attack and associated losses mustbe accurately priced. Discussions shouldconsider to what degree—in sectorslike electricity and water—the risk is4 6Cyber Security
socialized, i.e. there is a tacit expectation that the government will cover the cost of the fallout from an attack.

c) Inculcate a multi-stakeholder governance approach: The governance role once dominated by state actors is shared by the private sector online. A multi-stakeholder environment makes treaty enforcement difficult. The decentralized governance of the Internet means that governments are but one actor at the table determining the law of the cyber frontier.

The culture of shared governance between US and EU authorities on the one hand and the ecosystem of industry, NGOs and hacker communities on the other should be improved, particularly at the multilateral level. While the US and most European member states have well-worn consultation with the private sector, universities and NGOs relevant to cyber security policy, NATO and the EU, in particular, remain weak in these areas. Many of the major private-sector entities susceptible to attack are essentially trans-Atlantic in nature. And while the US and Europe will never develop the kind of quasi-paramilitary relationship with their hacker communities that some authoritarian governments have, it is important for both to be aware of the human capital that could be of use in a cyber attack. In particular, the US should encourage the EU to take stock at both the national and European levels and reach out to these informal networks for their own defense and resilience purposes.

The setting and enforcing of high “cyber hygiene” standards is paramount. Since due diligence and avoiding individual human error play such an important role in protecting against attack, efforts to raise threat awareness must penetrate to the most grassroots level of businesses and local communities.

The US and EU should work together with the private sector across the board to negotiate appropriate intermediary roles for industry, focusing on disclosure and data protection. These discussions should be nuanced and recognize differences across sectors.
A mix of compulsory and voluntary protocols and best practices, including clearly defined benchmarks, could lower liability risk and create an active two-way partnership.

2. Maintain an open, inclusive and user-responsible environment for shaping governance norms:

The playing field of Internet governance is shifting rapidly. Europe is increasingly recognizing that maintaining a multistakeholder model for Internet governance centered at the Internet Corporation for Assigned Names and Numbers (ICANN) will yield more open, transparent and democratic outcomes than alternative models centered at the UN. Since its inception, ICANN has been a custodian of IP numbers, the DNA of the Web. It has continued to be a respectable steward, taking advantage of the relatively open and entrenched legal tradition in the US and well-established norms for its activity. The US and Europe should promote an active role by ICANN’s Government Advisory Council (GAC) and look for ways to get vested state, civil society and private-sector actors involved.

The US should continue to make the case that an outcome-centric model for domain issuance remains best served by ICANN’s current governance and oversight structure. That said, the US and Europe should jointly bolster the consultative role of the GAC and the UN’s Internet Governance Forum (IGF), especially to include non-state actors from underrepresented and repressive states as well as looking to the normative shaping role that the Council of Europe, OECD and OSCE can play.

3. Recast the discussion on attribution:

The US and Europe should shift away from attribution at the granular level and instead reframe informal international discussions about states’ responsibility for massive cyber attacks conducted by non-state actors originating from their sovereign territory. The challenges of attribution make attempts at establishing the source of an attack of little value when shaping policy.
The EU, in particular, has been slow to accept its role in defending against state-based or -sponsored attacks.

While attribution continues to be problematic, especially given the circuitous nature of botnets used to deploy attacks, monitoring of ISPs and packet sniffing is standard in many countries from whose territory cyber incidents. In Russia, for instance, SORM legislation already gives the state sweeping authority to monitor online activity. When an attack occurs, a state’s relation to it usually falls into one of three broad categories: ignorance or a permissive environment, an abetting environment or active participation. [21]

Together the US and Europe should open up discussions on norms centered around gradations of responsibility. States that allow their cyber territory to be used as a safe haven for malicious activities (cyber crime, espionage or attack) should be held accountable in the same way they are expected to prevent physical territory from serving as a safe haven for terrorists. [22] Given the available regulatory and law enforcement instruments with which to police it, cyber space cannot be seen as a vacuum for which states are not responsible.

At the same time, the US and Europe should make clear that they will not accept the pretense of action against cyber attackers and criminals as a justification for crackdowns on Internet freedom. [23] As is often the case with anti-terrorism policy, regimes in China and Russia, among others, have tried to equate criminal activity—online property theft, disruption and destruction—with political speech and government opposition.

4. Encourage the EU and member states to develop cohesive cyber policy coordination and clear international representation:

In recent years, responsibility for US policy in the three areas outlined here has become more clearly defined. Classical cyber offensive and military defensive capability is centered at the Pentagon.