This article enquires whether international relations can be used as a conceptual framework to delineate international and European legal responses that can address the geo-political tensions that have been translated into cyber-threats in the Mediterranean region. It argues that international relations—and in particular the multi-stakeholder model—can offer the appropriate conceptual framework within which the Mediterranean states can delineate international legal instruments for preventing and reacting to cyber-threats. The focus will be on the cyber-related policies of the European Union (EU).
I. Geo-political tensions translated into cyber-threats in the Mediterranean region: an introduction
Although global digitalization offers a number of economic and social opportunities, it has also created new vulnerabilities to cyber-attacks. Cyber-threats—e.g. disinformation campaigns and attacks on critical infrastructure—are in the news every day. In addition, there are instances where cyber-threats represent the translation into cyberspace of pre-existing geo-political tensions, as in the Mediterranean region. For instance, since 2011, Syria’s civil war has been a driver of state-supported cyber-activity affecting commercial entities.
Russia has used cyber techniques, such as Global Navigation Satellite System (GNSS) interference, to prevent adversaries from challenging its dominating position on the Syrian mainland and in the coastal waters of Syria, Lebanon, Cyprus, and the Mediterranean Sea. GNSS interference in the region has, in turn, threatened the safety of commercial vessels by severely disrupting their electronic navigation systems. Commercial vessels of all sizes even had their maritime radar systems denied. Commercial vessels are also increasingly becoming the intended targets of such electronic warfare activity, with states using these techniques against vessels flying the flags of their rivals for symbolic targeting or diplomatic signaling.
Cyber operations also include significant espionage operations, with states collecting large volumes of information or intelligence from target organizations and companies operating on behalf of adversary states. Russia has long been a highly active and sophisticated player in this domain, targeting both state and non-state organizations operating in the Middle East, Europe, and the Mediterranean region for intelligence relating to adversary states’ diplomatic and foreign policy positions as well as military capabilities.
II. Preventing and reacting to cyber-threats: which challenges to law- and policymaking?
While the consequences of cyberattacks are clear, less clear is how to handle this problem at the regulatory level. Overall, the approach appears rather fragmented at the international and the European level. There is a notable lack of detailed and comprehensive public data about the cyber incidents that States, companies, and individuals fall victim to. Additionally, there is a lack of unified legal and political terminology about cyber-space-related issues.
At the national level, national centers for cybersecurity develop data and statistics on cyber-incidents, usually those affecting national institutions, but these are generally not comprehensive and detailed; at the EU level, ENISA prepares each year a Threat Landscape Report, making it very clear that it is “based on open source material…[and on] cyberthreat related information found in the public domain.” Moreover, we can rely on reports and data published by private companies and institutions.
The absence of clear and comprehensive data poses a significant problem to understanding how to regulate this phenomenon in the most efficient way.
As for terminology, there is a deficiency in common vocabulary about cyber-space-related concepts, including cyber-security, at the international, European, and national level. According to the EU, “[c]ybersecurity commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure.”
On the other hand, at the national level, (EU member) states have adopted different definitions; in Greece, for example, “[t]he term ‘cyber security’ refers to all the appropriate actions and measures that must be taken in order to ensure the protection of cyberspace from…threats that are directly linked to cyberspace itself and which can cause damage to inter-dependable information and communication technology (ICT) systems.” In Estonia, “cybersecurity does not mean protecting technological solutions; it means protecting digital society and the way of life as a whole.”
This is also true for the other Mediterranean countries, although some countries such as Algeria and Tunisia have not yet established an officially recognized agency responsible for implementing national cybersecurity strategies and policies. In Turkey, for example, “[c]yber security [means the] [p]rotection of information systems forming cyber space from attacks, assuring confidentiality, integrity[,] and availability of information/data processed in this environment, detection of attacks and cyber security incidents, activation of counter-response mechanisms and recovering systems to conditions prior the cyber security incident.”
A harmonized vocabulary on cybersecurity is non-existent at the international, European, and national levels. An effort towards harmonization in this regard would be a substantial first step towards more synchronized policies and regulations on the topics at hand.
Altogether, developing effective cybersecurity is challenging not only due to incoming threats from cyberspace and their consequences, but also due to inconsistencies in defined legal terms and the challenge of crafting an appropriate response. The peculiarities of cyber-space and of its related threats have required the development of new legal and political instruments.
And indeed, States and international and regional organizations are increasingly seeking to implement new policies and instruments. According to the 2018 Global Cybersecurity Index (GCI), released by ITU, the majority of 193 ITU countries (58%) have adopted a national cybersecurity strategy.
The different initiatives and documents adopted at the different levels of regulation by several actors create a rather fragmented scenario; in this respect, international relations (IR) studies offer an important perspective in proposing the theoretical framework under which the different legal and political instruments can be evaluated.
III. International relations—and in particular the multi-stakeholder model—as a conceptual framework of reference for cybersecurity
New approaches are required because of the cyber implications of emerging threats. Scientists from all kinds of disciplines have actively engaged in developing new tools and theories: social scientists, for example, have dealt with the interaction of people on social network sites; criminologists have researched the new forms of cybercrime; lawyers have investigated the applicability of privacy and security legal standards; economists have dealt with cybersecurity-related issues on information asymmetries and externalities; and IR scholars have developed different theories on the behavior of states in cyberspace and on cybersecurity-related issues.
Cybersecurity is marked by significant fragmentation among actors and regulations at all levels. Alongside the regulatory efforts of States, there are manifold international and regional organizations, fora and non-governmental organizations dealing with cybersecurity topics, such as the Council of Europe, the G7 and the G20 platforms, the United Nations, the Organisation for Economic Cooperation and Development (OECD), the Organisation for Security and Cooperation in Europe (OSCE) and the North Atlantic Treaty Organization (NATO).
Some IR scholars have explained the fragmentation as a result of the multi-stakeholder approach of cyber-security policy, where any entity with a relevant expertise (technical, socio-economical, legislative, and/or political) may contribute. Valeriano & Maness assessed the multi-stakeholder model in the development of cybersecurity policies, where States, institutions, corporations and individuals work together. De la Chapelle and Mueller have further asserted that the multi-stakeholder model can be understood as “the opening of state-based international organizations to participation by ‘stakeholders’ besides governments.”
The main rationale of the multi-stakeholder governance model is that states alone cannot solve the problems related to cyberspace; additional actors, such as technical corporations, internet end-users, and other non-state actors should also be involved in the creation of the relevant policies. The term “multi-stakeholder” was first used in an international cyber context to describe the establishment of the Internet Corporation for Assigned Names and Numbers (ICANN) in 1998 as a private, not-for-profit organization. Markus Kummer, executive coordinator for the Internet Governance Forum (IGF) secretariat, described multi-stakeholder governance as a vehicle “for policy dialogue where all stakeholders took part on an equal footing.”
Over the past decade, the multi-stakeholder model has been used to describe the governance of cyber space. Based on a neo-liberal approach, the multi-stakeholder model requires that power is spread equally among the relevant parties. On the other hand, other IR scholars have underlined the shortcomings of such an approach: indeed, the multi-stakeholder model might work well in the field of technical cooperation, but it is not a satisfactory solution when it comes to describing the regulation of topics such as privacy, where not all ‘stakeholders’ are equal, and States tend to play the principal regulatory role. Moreover, there have been a number of concerns about the legitimacy of this model, in particular about who decides which actors are included in the “stakeholder” definition, as well as the “who controls who” question.
Despite the above-mentioned criticisms, the multi-stakeholder approach developed by IR scholars can be very useful in explaining the current cyber-security regulatory framework of the EU.
IV. Testing the IR multi-stakeholder model within the European Union context
International law does not to date offer a unique instrument dealing with cybersecurity and cybercrime. The only binding instrument that has been drafted on cybercrime is the Convention on Cybercrime of the Council of Europe (the so-called Budapest Convention). Even though the Convention does not expressly mention the term ‘stakeholder,’ the call to action included in its Preamble for “[…] co-operation between States and private industry in combating cybercrime […]” can be interpreted as a call for adopting a multi-stakeholder approach in implementing the Convention.
There are also a number of multilateral initiatives addressing cybercrime and cybersecurity issues at the international level, like the work of the G7 Cyber Expert Group, the Council of Europe, the G20, the United Nations, the OECD, OSCE and NATO. There are also key private codification initiatives such as the Tallinn Manual, which deals with international law applicable in case of cyber war.
Overall, the existing international legal framework is rather fragmented; however, the multi-stakeholder approach as described in the previous paragraph is in place each time the cybersecurity issue needs to be tackled.
And what about the EU regulatory framework? At the EU level, in contrast, there exists a rather robust set of regulations dealing with cybersecurity.
At the EU level, different players and institutions are involved in addressing cybersecurity: the European Parliament and the Council; the European Commission; EU agencies, like the EU Network and Information Security Agency (ENISA), Europol’s European Cybercrime Centre (EC3), the Computer Emergency Response Team (CERT-EU), and the European Defence Agency (EDA). It is worth recalling that in 2018, ENISA, EDA, EUROPOL-EC3 and CERT-EU signed a Memorandum of Understanding, which aims to promote cooperation and coordination among them in the field of cybersecurity and cyberdefence.
In relation to the EU framework on cybersecurity within the internal market, authorities have adopted a series of legal acts in order to protect electronic communications networks: the 2016 Directive on Security of Network and Information Systems (NIS Directive); the 2016 General Data Protection Regulation (GDPR); the 2018 Directive establishing the European Electronic Communications Code; and the 2019 Cybersecurity Act.
In the field of cyber-defence, the Foreign Affairs Council developed the Joint EU Diplomatic Response to Malicious Cyber Activities in 2017 (the so-called cyber diplomacy toolbox). The toolbox allows the EU and member states to implement a diplomatic response to malicious cyber activities through the means of the Common Foreign and Security Policy. These can include preventive (e.g. awareness-raising, capacity-building), cooperative, stability, and restrictive measures (e.g. travel bans, arms embargoes, freezing funds). With regard to the particular role of stakeholders, the Council “promotes the sharing of responsibilities among relevant stakeholders, including through cooperation between the public and private sectors as well as research and academic institutions on cyber issues[.]”
The EU is also committed to several cyber-dialogues with international organisations, such as the United Nations, the Council of Europe, NATO, and with partners such as the United States, Canada, and Japan, to name a few.
The EU’s approach in the Mediterranean in terms of cybersecurity has mainly been based on the priorities adopted in 2015 for the mid-term review of the European Neighborhood Policy (ENP), which reinforced its security dimension, reflecting the priorities of the EU’s 2016 Global Strategy on Foreign and Security Policy (EUGS).
In recent years, the EU has launched a number of programmes and actions in cooperation with Mediterranean countries. Examples include the EU/MENA Counter-Terrorism Training Partnership 2 (CEPOL CT 2) and “CyberSouth” (“Cooperation on cybercrime in the Southern Neighbourhood”), a joint project of the EU and the Council of Europe, with a focus on the partnership with Algeria, Jordan, Lebanon, Morocco and Tunisia.
To date there is no unique legal framework for understanding cybersecurity; rather, cybersecurity issues have been dealt with in several fora at the international and European levels. Accordingly, the EU regulations and policies adopted to date exemplify how a multi-stakeholder approach, as theorized in IR studies, seems the best way to cope with these cybersecurity issues.
It is true that the EU instruments and policies do not seem to “fit” perfectly in the IR multi-stakeholder model—since the equal participation of all stakeholders is not always possible. However, the EU regulations offer a quite convincing and promising scenario on how to exercise regulatory governance in cybersecurity issues.
It has been rightly argued that “[t]his form of [multi-stakeholder] governance is […] more suited to the EU, which is able to deal with multiple stakeholders, encourage cooperation, and develop standards and good practices.”
And actually, this kind of modus operandi has already started at the international level, when the UN hosted the first intersessional consultation session between UN member states and non-governmental actors interested in peace and security in cyberspace from December 2-4, 2019. Participation by non-governmental actors in the meeting, the first of its kind, was high; this testifies to the high level of interest in the topics and in being part of the decision- and policy-making process by non-state “stakeholders.” Given the success of the UN intersessional consultation session, the question of multi-stakeholder governance will likely become an increasingly pressing issue for states, as well as for the EU. As the NATO Secretary General Jens Stoltenberg recalled at the Cyber Defence Pledge Conference in London on May 23, 2019, “[i]t takes just a ‘click’ to send a cyber virus spreading across the globe. But it takes a global effort to stop it from inflicting chaos.”