Maintaining the Euro-Atlantic Alliance’s High Ground in Cyber-space and Beyond by Antall József Tudásközpont

ANTALL JÓZSEF RESEARCH CENTRE

MAINTAINING THE EURO-ATLANTIC ALLIANCE’S HIGH GROUND IN CYBER-SPACE AND BEYOND ZSOLT CSEPREGI

2 Czuczor Street, 1093 Budapest +36 20 310 8776 ajtk@ajtk.hu | www.ajtk.hu/en

ANTALL JÓZSEF RESEARCH CENTRE

AJRC-Analyses Series of the Antall József Knowledge Centre

Publisher-in-Chief: Péter Antall Managing editor: Péter Dobrowiecki Editorial office: Antall József Knowledge Centre H-1093 Budapest, Czuczor street 2

Contact: H-1093 Budapest, Czuczor street 2 Phone: +36 20 310-87-76 E-mail: ajtk@ajtk.hu Web: ajtk.hu/en

2 Czuczor Street, 1093 Budapest +36 20 310 8776 ajtk@ajtk.hu | www.ajtk.hu/en

MAINTAINING THE EURO-ATLANTIC ALLIANCE’S HIGH GROUND IN CYBER-SPACE AND BEYOND ZSOLT CSEPREGI

EXECUTIVE SUMMARY The Western alliance, EU and NATO members and their global partners have been under a tenacious low-level assault in cyber-space with larger scale attacks oftentimes pointing towards the potential for further escalation. These attacks aim to undermine political, economic and security systems of our nations in order to facilitate the emergence of revisionist powers and terrorist actors across the globe, undermining the rules-based world order through persistent political interference, attacks against critical infrastructure, industrial espionage, manipulations, propaganda/misinformation campaigns. A number of debates are limiting the ability of the Euro-Atlantic alliance to move swiftly forward in developing robust strategies for cyber competition. Firstly, a persistent narrative has been questioning the approach of Western states, as they insist on a rules-based approach on a global level and in parallel safeguarding the democratic achievements on the domestic level. It is crucial to reassure the members of the Euro-Atlantic alliance, including the Central European states that exactly these are the achievements which provide an overwhelming strategic advantage in the ongoing contest in cyber-space over the competitors which utilise (gaining solely tactical advantage) unmitigated state oversight and oppression over their population and aggressive behaviour vis-à-vis other states. Secondly, the legal and culture oriented approaches to cybersecurity oversight and cooperative frameworks are debated by the members of the EuroAtlantic alliance. The dichotomy is however a false one, institutional cultural alignment and legal frameworks are equally important to align for maximum efficiency and cohesion. Thirdly, cyber-space is naturally one of the most technology intensive areas of global competition. Robust investment has to be made in order to secure the aforementioned structural strategic advantage of the Euro-Atlantic community. New EU recovery schemes provide an important opportunity to Central European states in 2021 and beyond to develop cyber-security and national economies in a combined way.

1. CYBER-SECURITY IN AN ERA OF GREAT POWER COMPETITION The beginning of the third decade of the century can be characterised by ever more intense competition between the great powers. The only question is the exact structure of this competition. One can argue, following Dr. Fareed Zakaria’s argument, that we are living again in a bipolar word order, where the US-China competition is a defining factor and where

Antall József Knowledge Centre of Political and Social Sciences

the rest of the nations have to manoeuvre in this structure.1 Other thinkers point out that while the “unipolar moment” is over, we are experiencing an age of multipolarity.2 Second tier powers, such as the Russian Federation, India, Japan and the European powers, or the European Union itself do have a level of influence over the world order which justifies characterising it a multipolar one.3 What is sure, is that the underlying rules-based world order built by the US and the Euro-Atlantic alliance has been eroded.4 This has come to the detriment of Central European countries, reliant on a conduct in which unmitigated power is not the sole factor in international relations. This would leave Central Europe in an insecure and hostile environment, similar to the oppression endured in most of the twentieth century. Regardless of the exact details of the nature and structure of the global competition, one area which came to the fore is competition in and over cyber-space. Furthermore, we must stress that the actors are intertwined based on their existing and in some cases emerging alliances. Cyber-space is not contested between atomised actors, but in the case of Hungary and other Central European nations anchored in the Euro-Atlantic security community. While this issue might seem like a concern solely for the great powers, it is important to highlight that the small and middle size powers are equally threatened by the competition over cyber-space. Therefore, Hungary and Central Europe had to contextualise competition in cyber-space as a key pillar of the global systemic rivalry and adjust its security and foreign policy accordingly.

2. THE COMPETITION OVER CYBER-SPACE The threat emanating from cyber-space is unique as it is of dual nature, a technology and a non-geographical operational domain as well.5 Historically technologies for war making (weapons, logistical equipment etc.) and domains (land, maritime, air and space) were separate categories. Cyber-space brings together both the threats and the opportunities inherent in dual use technologies and dual use domains. It is of great benefit to our civilisation due to the connectivity and economic enabling factors it provides to the global economy, but it is also a battleground between alliances, states, state agencies, private companies, criminal/terrorist organisations and lone-wolf actors. This multilevel and multipurpose nature of cyber-space means that middle and small sized powers such as Hungary and other Central European states find themselves in a complex threat environment. They are reliant

1 Richard McGregor: Fareed Zakaria on Australia’s “opportunity” between the US and China. Lowy Institute. The Interpreter. 27 November 2020. <https://www.lowyinstitute.org/the-interpreter/fareed-zakaria-australia-sopportunity-between-us-and-china > Accessed: 22 December 2020.

Baiyi Wu: Rethinking the Driving Forces and Conditions Affecting the Evolution of the International Order. China–CEE Institute. Working Paper 2020 No 17. 30 April 2020. <https://china-cee.eu/wp-content/ uploads/2020/04/Working_paper-202017-by-Wu-Baiyi.pdf > Accessed: 22 December 2020. 2

Henry Kissinger: World Order. London, Penguin Books, 2014. 365.

Matthew Kroenig–Jeffrey Cimmino: Global Strategy 2021: An Allied Strategy for China. Atlantic Council. <https://www.atlanticcouncil.org/wp-content/uploads/2020/12/Global-Strategy-2021-An-Allied-Strategy-forChina.pdf > Accessed: 22 December 2020. 4

Lillian Ablon et al.: Operationalizing Cyberspace as a Military Domain. Santa Monica, CA: RAND Corporation, 2019. <https://www.rand.org/pubs/perspectives/PE329.html > Accessed: 28 December 2020. 5

Antall József Knowledge Centre of Political and Social Sciences

on it for economic and societal well-being and with the non-geographic nature of the domain, as traditional geographic considerations can be applied in a limited (but not negligible) way, the threats always have to be considered to be on the borders of the country, if not already inside them. Hungarian foreign and security experts did identify in 2020 cyber-space as the second most pressing non-military threat after terrorism.6 Three main areas of cyber-defence have to be analysed in order to outline policies for Central European states in particular. First, the level and focus of international cooperation, secondly, the debate between a legal and a practice/culture oriented approach, thirdly the importance of technological investments.

2.1 INTERNATIONAL COOPERATION A paradox lies in connection to international cyber-security cooperation, especially among NATO member states. Defence in cyber-space is first and foremost the responsibility of each sovereign state, but no state can hope to fulfil this task independently, furthermore, an attack on a member state can have deep damaging effect on the level of the whole alliance.7 The only autonomous solution would be to hypothetically shut down domestic cyber-space from foreign influence, which is not an option for the highly interconnected globalised Central European states. One could argue that cyber-space is similar in this sense to other military domains in which setting up defence is a national responsibility, built on which international alliances can aid this effort. No military domain is however also a military technology in itself, serving also as an instrumental pillar of global economy. From the perspective of Central European states threats emanating from cyber-space are twice asymmetric in nature. On the one hand, the main actors of the global competition are non-Western great powers, such as Russia and China, employing resources which cannot be matched by middle or small European states. One such well-documented and analysed example was the sustained Russian cyber-attacks on Estonian targets in 2007.8 A particularly worrisome prospect is a cyber-attack on nuclear installations between great powers, on which middle and small sized states do not have any influence on. They can solely work to maintain and strengthen a rules-based international order which can provide controlling and mitigating solutions.9 On the other end of the spectrum, states must cope with the challenge presented by criminal and terrorist groups in cyberspace, agile actors operating under the radar. To complicate matters even further, great states

6 Alex Etl: The perception of the Hungarian security community. Institute for Strategic and Defense Studies. ISDS Analyses 2020/27. 5.

Franklin D. Kramer–Lauren Speranza–Conor Rodihan: NATO needs continuous responses in cyberspace. Atlantic Council. 9 December 2020. <https://www.atlanticcouncil.org/blogs/new-atlanticist/nato-needscontinuous-responses-in-cyberspace > 28 December 2020. 7

Stephen Herzog: Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses. Journal of Strategic Security. 2011/2. 49-60. 8

9 Beyza Unal–Yasmin Afina: How to Deter Cyberattacks on Nuclear Weapons Systems. Chatham House. Explainer. 18 December 2020. <https://www.chathamhouse.org/2020/12/how-deter-cyberattacks-nuclearweapons-systems?utm_source=linkedin.com&utm_medium=organic-social&utm_campaign=internationalsecurity-analysis&utm_content=cyberattacks-nuclear-survey > Accessed: 28 December 2020.

Antall József Knowledge Centre of Political and Social Sciences

employ the later groups to cover their tracks in cyber-operations conducted on their behalf.10 Two approaches present themselves after we exclude the possibility of self-reliance in the contest in and over cyber-space. The first is a wide international framework to set standards on cyber-security. This problem is similar to defining terrorism, as political interests make it impossible to settle a truly global standard on cyber-security. The United Nations can be a platform for meaningful exchange, but it will not govern cyber-space as views even among the permanent members of the Security Council differ greatly. This also means that cyber-space presents a so-called “grey-zone” in interstate conflicts, staying below the level of war, but nevertheless presenting great threat to the attacked, especially when combined with other asymmetric methods.11 Cyber-attacks can provide meaningful gains in international competition through intelligence operations aiming at sabotage, espionage including intellectual theft, staying under the level of formal war making. Even though global understanding is nigh impossible, likeminded states do work together and coordinate on these issues. Traditional organisations such as EU and NATO are natural platforms which extended their cooperation to cyber-security, but it is worthwhile to explore alternatives with more limited ambitions. One is an extended Atlantic-Pacific partnership in cyber-security, based on the coordination of the US between likeminded states in the two regions.12 Another important proposal is the Council of Europe which has an evolved framework for handling cyber-security, such as the Budapest Convention,13 a platform less exposed to the theatrics of diplomacy than NATO-Russia brawl or US-China debates.

2.2 LEGAL VS CULTURAL ALIGNMENT An important issue connected to the nature of international cooperation on cyber-security is the relative importance of domestic legal environments and international alignment of these frameworks versus the practice and culture oriented approach. These issues are especially vital when we consider intelligence cooperation and coordination in cyberspace among allies. Countries such as Germany, highlight the importance of legal limits on operations in cyber-space even conducted by their own national agencies, due to a high degree of suspicion stemming from historical experience of state interference in citizens’ life. A particular concern is the fast pace development of intelligence practices in cyber-space compared to “civilian” oversight.14 Countries lacking negative historical memory with domestic intelligence agencies and especially practitioners themselves

Anushka Kaushik: Attribution in cyberspace: Beyond the “whodunnit”. GLOBSEC. Cyber Resilience Programme Policy Paper May 2018. <https://www.globsec.org/wp-content/uploads/2018/05/GLOBSEC-cyber-attribution.pdf > Accessed: 28 December 2020. 10

11 Lindsey R. Sheppard: Warning for the Gray Zone. Center for Strategic and International Studies. Report. 13 August 2020. <https://www.csis.org/analysis/warning-gray-zone > Accessed: 28 December 2020.

Lyle J. Morris et al.: Gaining Competitive Advantage in the Gray Zone. Santa Monica CA, RAND Corporation, 2019. 176. 12

Convention on Cybercrime. Council of Europe. 2001. <https://www.coe.int/en/web/conventions/full-list/-/ conventions/treaty/185 > Accessed: 28 December 2020.

Kilian Vieth–Charlotte Dietrich: New hacking powers for German intelligence agencies. About Intel. 27 October 2020. <https://aboutintel.eu/germany-hacking-reform/ > Accessed: 28 December 2020. 14

Antall József Knowledge Centre of Political and Social Sciences

highlight, compared to the legal framework, the importance of the alignment between cultures dominating intelligence and monitoring agencies involved in cyber-defence.15 This second view emphasises that legal binding can achieve only as much, cyber-security is dependent as much on personal connections between practitioners in allied and partner states. Significant gaps between legal frameworks even among close allies such as the aforementioned Germany and the United Kingdom can be bridged effectively by peer-to-peer consultation and joint work. Therefore, the dilemma is an artificial one, legal guiding principles are key in democratic countries on the domestic level and give invaluable base for international cooperation in a rules-based order. Especially for Central European countries, common EU regulation provides instrumental platform for cooperation, top-down guidance which no member state can achieve on their own.16 The new EU Cybersecurity Strategy serves exactly to provide a framework for intra-EU cooperation to secure cyberspace, enable partnerships with likeminded global partners and contribute to a rules-based order approach to cyber-space.17 Legal frameworks are necessary, but not sufficient for an effective allied response to cyber-threats, practitioners’ work culture has to be aligned through joint workshops and coordination in order to optimise real life conduct.

2.3 INVESTMENT IN TECHNOLOGY Notwithstanding legal oversight and cultural alignment between practitioners, it is important to highlight that cyber-space remains a technology, which cannot be monitored by the law itself, but solely with technological instruments.18 These technologies involved in cyberactivity, both civilian and military are by nature expensive, as they are on the forefront of scientific progress. This is true, even though cyber-space is highly asymmetric, relatively cheap solutions can enable successful attacks, meanwhile all-encompassing defensive infrastructure remains costly. As cyber-defence is a national responsibility, investment in cyber is also first and foremost the obligation of each country. Domestic programs initiated by the governments, academic institutions, and private-public partnerships, must create the necessary background for international cooperation and serve as assets which can be utilised in order to avoid the charge of being a free rider among allies. Turning to the international aspect of investment, three areas should be highlighted in the case of Central European states. The first is the NATO alliance, second is the European Union, and

Prof Sir David Bruce Omand: Foreign and Security Policy Conference 2020: Intelligence and National Security beyond Industry 4.0. Antall József Knowledge Centre. 26 November 2020. <https://www.youtube.com/ watch?v=Yln8NmRWm7c > Accessed: 28 December 2020.

Tikos Anita–Krasznay Csaba: Cybersecurity in the V4 countries – a cross-border case study. In: Nemeslaki, András et al.: Central and Eastern European eDem and eGov Days 2019. Vienna, Austrian Computer Society, 2019. 163-174. 16

European Commission: The EU’s Cybersecurity Strategy for the Digital Decade. 16 December 2020. <https:// ec.europa.eu/digital-single-market/en/news/eus-cybersecurity-strategy-digital-decade > Accessed: 28 December 2020.

Kilian Vieth–Dr. Thorsten Wetzling: Data-driven Intelligence Oversight. Recommendations for a System Update. Stiftung Neue Verantwortung. 28 November 2019. <https://www.stiftung-nv.de/de/publikation/datadriven-intelligence-oversight-recommendations-system-update > Accessed: 28 December 2020.

Antall József Knowledge Centre of Political and Social Sciences

third, private investment including multinational companies. Regarding NATO, which is the unquestionable pillar of Central European countries’ security in all domains including cyber-space, bold steps are needed to truly equip the alliance with the necessary assets to secure member states on a common level. Such bold suggestion was made by the Atlantic Council when it recommended the dedication of .2 percent of the member states’ GDP to cyber-security and digital defence modernization, in effect tripling the available funds for the task.19 As the grey-zone activities enabled by cyber-space will remain the dominant type of challenges the alliance will have to face in the mid-term it is logical to focus more investment in this area. It is also an important factor for Central European states that cybersecurity investment, as a dual use technology, may very well have a multiplicator effect on generating civilian income for their countries’ economy. The European Union will embark on an ambitious quest to remedy the economic effects of the COVID-19 pandemic in the next seven years, supporting its new Cybersecurity Strategy. In effect this will mean the front loaded allocation of funds through a number of frameworks, including the Multiannual Financial Framework, Digital Europe Programe, Horizon Europe and the Recovery Plan.20 Central European member states are well advised to make full use of these funds and coordinate investments in digitalization so that it supports not only the civilian economy, but also enhancing national security in cyber-space. Finally, post-Socialist economies such as Hungary are still struggling to overcome structural difficulties, inheritances of their previous heavy industry focused economies, transforming into more high-tech and service oriented economic structures. Hungary has embarked on the “Invented in Hungary” economic program, underlining the importance of domestic research and development capabilities. This scheme is supported by billions of Hungarian forints aimed at convincing multinational companies in bringing their headquarters to Hungary in order to contribute to the local R&D eco-system. While these programs are highly successful in such fields, as automotive industry, their extension to digital technologies, including cyber-security should be a strategic priority for Central European states. Successful examples point toward a multi-layered approach, also focusing on regions,21 such as the Polish model of building up Krakow as a public-private-academic trilateral cyber-security hub, should guide other Central European countries planning process.

3. POLICY RECOMMENDATIONS FOR CENTRAL EUROPEAN STATES Central European countries including Hungary are part of an ongoing systemic rivalry on the global level, in which they have limited means to influence the overall outcome, but at the same time cannot exclude themselves from the contest’s negative effects. One of the operational domains of the rivalry between the great powers and their allies and also

Safa Shahwan Edwards et al.: Supersize Cyber. Atlantic Council. 14 October 2020. <https://www. atlanticcouncil.org/content-series/nato20-2020/supersize-cyber/ > Accessed: 28 December 2020. 19

European Commission 2020

Milda Kaklaiskaité: Multi-level Governance in Cybersecurity: What Role for the European Regions? The Kosciusko Institute. European Cybersecurity Journal 2020/1. <https://cybersecforum.eu/wp-content/ uploads/2020/08/ECJ-VOLUME-6-2020-ISSUE-1.pdf > Accessed: 28 December 2020. 21

Antall József Knowledge Centre of Political and Social Sciences

sub-state actors is the cyber-space. Cyber-security became more important in recent years and is projected to become even more vital, especially since it is the backbone of our digital global economy. Central European states have to focus on three crucial processes in the ongoing context to mitigate the damage and potentially thrive in the current threat environment. Firstly, they have to deeply internalise that the Western alliance and likeminded Democratic nations do have the strategic advantage in cyber-space, even though their self-imposed limitations in their political conduct and commitment to the rules-based world order provide tactical disadvantages. International cooperation can only be truly successful between these likeminded countries, in the frameworks of NATO, EU and potentially Central European platforms and Atlantic-Pacific partnerships. Other frameworks, such as the Council of Europe are important for setting certain guidelines and toolboxes for cyber-security in order to maintain the rule based order in cyber-space as much as possible. Secondly, constant update to the legal guiding principles on regulating cyber-space is needed on domestic and international level, but it cannot act as a substitute for a deep cooperative network of practitioners between likeminded states. Therefore, during the COVID-19 pandemic online meetings have to substitute real life meetings which must continue as soon as possible between intelligence professionals, academicians and politicians in order to make cooperation more fluid and smooth out legal disagreements. Differences even between close allies in legal environment of cyber-security will not align completely, therefore mitigating platforms have to be maintained that are built on human relations. Central European countries must insist on their place at the (virtual) tables and initiate their own working meetings etc. in order to stay in the loop. Finally, as cybersecurity is a technological field, Central European states have to invest even in times when the scope of available funds is reduced, such as an economic crisis. These funds invested will not only signal to the larger (cyber)powers their commitment and seriousness, but also generate civilian income and contribute to a favourable technological-industrial eco-system as well. Cyber-attacks against Central European countries can endanger the whole EuroAtlantic community, regardless of whether they are attacked as frontline states or serve as a proxy battleground. Cyber-security therefore remains not only a national obligation to the countries in the region, but also a key factor in the stability of the rules-based world order for which the Western alliance and likeminded states worked for in the last decades.

Antall József Knowledge Centre of Political and Social Sciences