On 19 June 2017, the Council of the European Union adopted the draft Council Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (‘Cyber Diplomacy Toolbox’). Once approved, the Cyber Diplomacy Toolbox will provide a way of coordinating the response of EU member states to malicious cyber activities at the EU level.
On 14 March 2017, the European External Action Service (EEAS) and the Commission presented a joint issues paper on a joint EU diplomatic response to cyber operations. The paper was then examined in more detail by the Horizontal Working Party on Cyber Issues (HWCPI) at the invitation of the Political and Security Committee (PSC). The Maltese EU Presidency prepared the draft Council Conclusions, the text of which was further streamlined according to member states’ comments and finally adopted by the EU Council.
The toolbox should include diplomatic measures within the EU Common Foreign and Security Policy which could be used against malicious operations directed against member states in cyberspace. The Council Conclusions do not give a clear understanding of what kind of measures this toolkit will include in practice, but they do say that the measures can be, if necessary, ‘restrictive’. It is also stated that a response would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity. The terminology used suggests that these diplomatic tools can be anything from making condemnatory statements to something more coercive, such as imposing sanctions.
Nor does the statement address when the toolbox will be used, but it does clearly state the importance of EU member states unifying their diplomatic response against malicious cyber activities. In the statement, common diplomatic efforts are seen above all as a way to strengthen the security of European countries: ‘clearly signalling the likely consequences of a joint EU diplomatic response to such malicious cyber activities influences the behaviour of potential aggressors in cyberspace, thus reinforcing the security of the EU and its member states.’
Interestingly, the EU stresses that not all measures of a joint EU diplomatic response require attribution to a state or a non-state actor. It reminds us that attribution remains a sovereign political decision based on all-source intelligence, and should be established in accordance with international law of state responsibility.
Attribution is one of the fundamental and well-discussed questions relating to cyberspace. Even when the responsible actor can be identified, the evidence on which the actual attribution is made is generally not public information, and the use of diplomatic measures without proven attribution can certainly raise challenging questions. The toolbox leaves it open to select the appropriate and proportionate measure that suits the situation at hand. The nature of diplomatic measures is such that they can be expected to work effectively only when used against state actors.
What does it mean?
When viewed from the perspective of international law, the responsive measures would mostly amount to retorsion, which is the ‘taking of measures that are lawful, albeit “unfriendly”’ (Tallinn Manual 2.0, rule 20, commentary 4). Every state has a right to engage in retorsion, even when the original malicious cyber activity does not reach the threshold of an internationally wrongful act, or cannot be attributed to another state. However, retorsion has limited use because, unlike countermeasures, it has to stay strictly within the limits of international law. Retorsion can employ non-cyber means as well; however, in cyberspace, the only example given by the Tallinn Manual is ‘employing a cyber access list to prevent communications from another [s]tate’.
Theoretically, the responsive measures could also reach the level of countermeasures, which are actions that would otherwise be unlawful but for the fact that they are a response to an internationally wrongful act attributable to another state. However, there are two major obstacles to marking a response as a countermeasure: first, the original malicious cyber activity has to be attributed to a state, not merely to a non-state actor operating from the state’s territory; and second, only the state affected by the malicious cyber activity has the right to resort to countermeasures, which limits the possibility of other EU member states helping the affected state, since their response must not reach the level of countermeasures.
Hypothetically, the response measures could be used under a plea of necessity. However, this would require that the original malicious cyber activity presents a ‘grave and imminent peril’ to an ‘essential interest’, and the responsive measure is the ‘sole means of safeguarding it’ (Tallinn Manual 2.0, rule 26).
The EU defers to existing international efforts, in particular the UN GGE 2015 report and the 2016-2017 UN GGE discussions, and the OSCE confidence-building measures. This is a good starting point, since these are among the few common grounds on what constitutes international law. Nevertheless, the failure of the 2016-2017 UN GGE should correct some of the overly optimistic predictions of future developments of international law related to cyberspace.
In practice, the most significant measures discussed by the document are ‘restrictive measures’ (paragraph 5), which in EU jargon means sanctions. These can target governments, entities, groups, organisations and individuals.
A way ahead
The EU sees that a common and comprehensive approach to cyber diplomacy could contribute to conflict prevention, the mitigation of cybersecurity threats and greater stability in international relations. The framework is also expected to encourage cooperation, facilitate the mitigation of immediate and long-term threats, and influence the behaviour of potential aggressors in the long term. How powerful this framework will be in terms of reaching these goals will only become apparent if and when its measures are put into action.
Katriina Härmä and Tomáš Minárik
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.