Cybersecurity and Civil Liberties: A Task for the European Union

The European Union adopted its cybersecurity-strategy in June 2013. The EU coordinates the national policies of its 28 member states and manages the largest single market in the world. Decisions taken in the EU have a high relevance for the rest of the world. Implementation of the EU cybersecurity strategy brings together very different understandings of the appropriate balance between state and society, security and freedom, and between policy decisions shaped intergovernmentally and by parliaments. 

How these views are brought together and which long-term decisions are taken here will decisively influence the new order of cyberspace for years to come. The following questions arise in this regard: How much freedom should the Internet guarantee, what security precautions against crime and terrorism need to exist, and where should the line be drawn between national self-determination and the global sphere? Will there even be a worldwide Internet in the future, or will the emergent trend of web fragmentation continue, bringing greater national control over access and content?

To preserve a balance between a secure Internet and civil liberties, the EU must not stop at simply implementing its cybersecurity strategy, but rather adopt a comprehensive strategy for cyberspace via the community method.

Protection against industrial espionage is an important location factor. Electronic commerce accounts for around four percent of total trade throughout the EU, and is rapidly growing. The Internet also makes a considerable contribution to GDP growth. Estimates suggest that consumers could save a total of more than 200 billion euros through greater use of electronic commerce. But this requires a high degree of trust in online security. Thus around half of all EU countries have adopted national cybersecurity strategies. More than 30 countries now have cyber units within their armed forces. Cyberattacks have become part and parcel of strategic calculations in new computerized conflicts, both between non-state and state actors, and between states.

Security problems are without doubt a major challenge for Internet regulation. However, emphasizing the security aspect and neglecting the idea of cyberspace as a global public good may pose a danger to basic rights and therefore to democracy. Security should not be regarded as a policy topic that is somehow above democracy. How and by what means “critical infrastructures” (energy, transport, health) should be protected, and how private information should be treated while maintaining this protection, are not questions that should be deliberated and decided only by expert committees. These are matters for the European Parliament and national parliaments.

Private self-regulation is one instrument. But when it comes to questions of informational self-determination, freedom, and fundamental democratic rights, the only democratically acceptable solution is one which is shaped in accordance with the rule of law and therefore by parliament. Yet so far calls for parliamentary oversight and legally binding cyber policy arrangements have not been heard either at international or European level.

A comprehensive EU strategy for cyberspace should operate on three regulatory levels:

Global

The existing mode of regulation for the Internet does not sufficiently involve the emerging powers Brazil, India, China and Russia, and is too one-sided in its bias toward the United States. Use of the term multistakeholder governance obscures the fact that U.S. interests and U.S. businesses are de facto the main agenda-setters, and financially weaker interests have little chance of asserting themselves in institutions such as the ICANN (Internet Corporation for Assigned Names and Numbers) or IFG (Freedom of Information Law in Germany). Whereas, for a long time, the United States and Europe pulled together to defend the existing model, recent revelations about U.S. surveillance practices have produced increasing European skepticism toward this model. Only a coalition of liberal states will be able to preserve a free and open Internet.

Transatlantic

The EU and U.S. are strongly divergent with regard to their respective cybersecurity policies. While the Americans are increasingly relying on deterrence, the Europeans are pursuing a more police-based approach, aimed at building up resistance. This difference is reflected in the different tasks and competencies assigned to the respective intelligence services, and a corresponding different treatment of fundamental civil rights such as the right to informational self-determination. To stop these differences turning into a massive conflict, both sides need to be much more willing to make concessions to each other. A key condition for successful cyber dialogue is that both sides should acknowledge as fact the domestic political limitations to the transatlantic willingness to compromise. Because of its role as a global enforcer, the United States cannot reduce its emphasis on the security aspects and hence the deterrent dimension of cyber policy, either now or in the future. It is equally true that the EU will continue to focus on combating cybercrime and that data protection issues will remain of paramount importance. Only if both sides respect these limits to cooperation it will be possible to clear the way for mutually beneficial collaboration in global cyber policy.

Transnational

EU cyber policy is faced with a whole host of new transnational conflicts that urgently need to be addressed. Much trust has also been destroyed within society. The revelations have made citizens aware of the flip side of computerization. Many citizens are in danger of losing trust in the security of the Internet, and are responding with growing skepticism and increasing demands for renationalization of communication structures. In connection with TTIP, there are already calls for supranational legal instruments and independent dispute settlement bodies. The European negotiating position includes the demand for public-private dispute resolution mechanisms and hence for a transfer of the community principle into a legal concept which is alien to international policymaking. Not only the European member countries but also the United States and other liberal countries would therefore need to embrace the idea of supranational legal norms in future – whether for data protection or legal recourse against the use of data.

The EU cybersecurity strategy aims to step up cooperation between member states over the years ahead in the area of security technologies, yet a comprehensive EU strategy for cyberspace should include stronger legal and policy obligations with respect to exporters of information and communication technology. Authoritarian states are increasingly censoring, monitoring and controlling the Internet with the aid of technology provided by European and North American companies such as Area in Italy, Ultimaco in Germany and Blue Coat Systems in the United States. These technologies have been used in authoritarian countries such as Syria, Libya, Bahrain, Tunisia, Iran and Belarus, and it can be assumed that such technologies are used by many other authoritarian regimes as well. This state of affairs is neither in the strategic interests of Europe nor in accord with the goals of a Common Foreign and Security Policy (CFSP) aimed at preventing threats to international security and ensuring non-proliferation. European harmonization of national arms export policies would be necessary here, and this would need to extend to technology systems that are capable of harming the fundamental rights or facilitating the blanket surveillance of Internet users. Existing controls implemented in the EU Code of Conduct and dual-use approval process are as yet insufficient. The European Parliament and national parliaments should be comprehensively informed and involved in export decisions. Other sensitive matters are also discussed in secrecy by European Parliament and Bundestag committees.