Cyber diplomacy and shifting geopolitical landscapes
[Check against delivery]
Ladies and Gentleman,
It is an honour to open the second edition of the EU Cyber Forum, the first in my mandate.
The EU Cyber Forum is a unique platform to showcase the European Union’s efforts in the area of cyber and digital policies. But also to learn from best practices of our partners, participating in this event.
I want to thank all the organisations involved. I know this has been truly a European team effort.
This morning I would like to talk about cyber issues from a geo-political perspective.
We need to look at what is going on around us – and prepare ourselves accordingly. Today’s arena is essentially characterised by five features:
- There is unprecedented competition between states. This is a world of power politics.
- We live in a multi-polar world, but without effective multilateralism. We see rising powers demanding a greater say and a US withdrawal from the multilateral system it helped to build. The strategic competition between the US and China is having a paralysing effect: in the UN Security Council, the G20, the WTO, the WHO and elsewhere. There are more disagreements and vetoes.
- We live in a world where interdependence is becoming more and more conflictual and where soft power is weaponised: trade, technology, data, information are now instruments of political competition.
- We see a broader trend where some countries seem to follow a logic of empires. They only recognise the sovereignty of states and not the sovereignty of the people. They think and argue in terms of historical rights and zones of influence, not agreed rules and local consent.
- Finally, the world risks becoming less free and more unequal. Democracy and human rights – our political model – are contested. Some are not shy in exploiting these dynamics. In the digital domain and elsewhere, there is a real battle of narratives going on.
In short, our security environment is getting worse. Everywhere we look, we see rivalries, especially between the US and China, with technology as a major fault line and cyber as the new domain.
The pressure on Europe to choose sides is growing. As EU we should follow our own approach and avoid being instrumentalised by one or the other. We should continue to stand for multilateral solutions and search common ground.
This very much applies to the cyber world as well. We know the world is becoming more digital, but also more state-driven.
So the key questions will be: how and who and will govern these digital networks? Who will set the global rules and standards?
And linked to this: can Europe remain a technological norm-setter if it is not also a technological leader?
This is the wider context in which Europe should define its approach to cyber issues.
The two core questions are: how can we use the enormous benefits of our digital age in terms of growth, knowledge and freedom? But also how can we protect our model of society from cyber threats - and support others to do so as well?
Cyber issues are geopolitical and have a strong security dimension. Both state and non-state actors are using cyberspace and the Internet for manipulation, disruption, fraud, extortion, data-theft or money-laundering.
Everyone will remember cyber-attacks like WannaCry, which affected over 200.000 computers in 150 countries world-wide and cost an estimated $4 billion. Or they have heard about the staggering problem of cyber-enabled theft of commercially sensitive data of companies.
The Internet has also become an arena for geopolitical battles and the spread of disinformation. Some states are increasingly using it to limit civil liberties and advance their ideological goals.
At various stages in the coronavirus pandemic, we have seen on Facebook and other social media, disinformation campaigns, with examples from China, Russia and others. As part of the battle of narratives, some tried to portray themselves as the saviours of a Europe in need, while denigrating our democratic system as failing its own citizens.
But cyber threats go beyond disinformation campaigns. Cyber-attack can leave a country crippled within seconds. Think of the electricity blackouts in Ukraine in 2015 and 2016 or the attacks that stopped people from accessing their own money in Estonia in 2007.
We see governments and political systems being destabilised through cyber-attacks and electoral interference. The case of the 2016 US elections is the one that is most talked about – and there are indications it may happen again.
But we know about this threat in Europe too: there have been cyber-attacks against the Macron campaign, the German Bundestag and other parliaments and ministries across Europe. Even the EU institutions are not exempt. This unfortunately is today's reality.
Ladies and Gentlemen,
In recent years, the European Union has put a strong emphasis on strengthening our cyber resilience. We have adopted the Directive on security of Network and Information Systems (NIS Directive) and the Cybersecurity Act.
We are also working on the cyber defence front as part of the EU’s Common Security and Defence Policy (CSDP). Our Member States, working together under PESCO – or permanent structured cooperation – have established four cyber projects, including Rapid Response Teams to help countering cyber attacks.
The EU is also at the forefront in tackling the security challenges posed by the deployment of 5G networks. This year we adopted the joint toolbox of mitigating measures agreed by EU Member States to enable them to address the security risks related to 5G.
On other emerging technologies, we are working on establishing a European approach, for instance on Artificial Intelligence and Robotics, to deal with the technological, ethical, legal and socio-economic aspects.
Beyond strengthening our own cyber resilience, it is in the European DNA to prioritise cooperation and dialogue. We will always stand for international law and the work in the United Nations on norms of responsible state behaviour.
We are guided by our values and fundamental rights, such as freedom of expression and the right to privacy or the protection of personal data.
However, some actors are undermining this important work, not just of the EU, but also the achievements of the international community. They keep exploiting cyberspace without accountability. This is unacceptable.
Since 2017, the EU has a comprehensive cyber diplomacy toolbox. Its aim is to prevent, deter and respond to malicious behaviour in cyberspace. One of its tools is the EU autonomous cyber-sanctions regime, adopted in 2019.
This makes it possible to apply restrictive measures to persons and entities involved in significant cyber-attacks that threaten the EU or its member states, regardless of nationality or location of the perpetrator.
A few weeks ago, on 30 July, we decided to make use of this sanction regime for the first time. This was an important moment: we imposed travel bans and assets freezes against six individuals as well as assets freezes against three entities.
These individuals and entities have been involved in cyber-attacks known as WannaCry, NotPetya and Operation Cloud Hopper targeted against companies located in the EU. Or the attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.
These targeted measures will ensure that those individuals and entities are held accountable for their actions. They send a message to the world that we have the tools to protect ourselves, and the resolve to use them.
Ladies and Gentlemen,
We know we are not alone in this. We have many like-minded partners with whom we cooperate. And we are cooperating in concrete ways, investing significantly in capacity building on cyber resilience and cybercrime.
Just to give two concrete examples: in April 2019, Sri Lanka suffered serious terrorist attacks (known as “2019 Sri Lanka Easter bombings”). More than 250 people were killed and hundreds injured.
It was a national emergency where electronic evidence was needed instantly from a range of service providers. On the basis of Budapest Convention on Cybercrime, there was immediate international assistance from a number of countries. And Sri Lanka was able to successfully gather the necessary electronic evidence to pursue investigations.
Another example is the recent Memorandum of Understanding we have signed with the Dominican Republic. We will help develop their national cyber resilience, and strengthen their Computer Security Incident Response Team. These act as “cyber firefighters” to detect and recover from cyber incidents.
We want everyone to reap the benefits that the Internet and the use of technologies provide. At the same time we need effective answers to fast-changing cyber threats. Achieving both objectives will be at the heart of our new EU Cybersecurity Strategy that is foreseen this autumn.
We know we count on the support of our global partners. And they can count on us.
Only by acting together can we safeguard the open, secure and safe cyberspace that all of us want and need.
I wish you a very successful conference.
Thank you very much.