Virtual Neighbors: Russia and the EU in Cyberspace.

• Author: Barrinha, Andre
• Position: COMMENTARY - Essay

Introduction

The European Union (EU) is fast emerging as a central cybersecurity actor in international relations. The last few years have witnessed the development of a raft of legislation, communications and strategic documents that deal directly with this field. Much of this activism comes in response to Russia's cyberspace activities. That means that not only the EU is often placed in a reactive position, but also member states are often divided on how to engage with Moscow. As will be argued in this commentary, when it comes to cyberspace, Russia needs to be approached from three (albeit inter-related) distinct angles: as a cyber-crime hub, as a regional neighbor and as an emerging power, each of which demands a set of different answers, that range from deterrence to selective engagement. Only a multifaceted approach that includes, but goes beyond the EU's understanding of cybersecurity, can offer the possibility of an effective engagement with Moscow.

In terms of structure, this commentary will start by offering an overview of the EU's activities in cyberspace, followed by an assessment of how Russia fits into the EU's overall approach to cybersecurity and cyber diplomacy. The final part of the commentary explores the different ways in which the EU can deal with Russia when it comes to cyberspace.

Protecting the Digital: The EU in Cyberspace

The EU's approach to cybersecurity gained momentum (1) over a decade ago with the creation and development of a series of institutions, policies and initiatives that addressed the protection of critical information and cybercrime. (2) Surprisingly however, cyberspace was to be absent from the 2003 European Security Strategy, in a clear indication that cybersecurity was not a security priority for the EU at the time. That would change in the following years, with the EU approving a number of relevant documents, including the 2006 EU Strategy for a Secure Information Society.

In 2008, cybersecurity was included --even if only briefly--amongst the global challenges and key threats of the Report on the Implementation of the European Security Strategy, which was an all-but-in-name revised security strategy. The motivation was clear even if not directly acknowledged: Estonia. In 2007, the Baltic country was at the receiving end of a series of cyber-attacks that severely impacted on the normal functioning of this highly digitalized society, with attacks targeting banks, government websites and other services. (3) The attack, attributed to Russian hackers, was not particularly sophisticated but the message was clear: information warfare was a real possibility, (4) and Russia was a reason for concern in this field. In April 2008, Georgia engaged in a limited confrontation with Russia over the territories of South Ossetia and Abkhazia. According to the Tbilisi authorities, the Russian offensive includes cyber-attacks similar to the Estonian ones, which included the defacement of governmental websites and distributed denial of service attacks. (5) These two cyber-conflicts would be taken into full consideration in the 2008 implementation report. (6)

More measures followed since, but it would take five years for the EU to have its first cybersecurity strategy. Eventually, in January 2013, DG Home Affairs Commissioner, Cecilia Malmstrom, High-Representative, Catherine Ashton, and DG Connect Commissioner, Neelie Kroes, drafted a rather encompassing strategic document that approached cybersecurity (7) from three main pillars of action: network and information security, law enforcement, and defense, each with its own set of policy priorities and institutions, such as the European Network and Information Security Agency (ENISA) and Europol's European Cybercrime Centre (EC3). In addition to the cybersecurity strategy the EU approved a directive on attacks against information systems, (8) and presented a proposal for a directive on security of network and information systems (the so-called NIS Directive), which came into force very recently, and can be seen as the first concrete piece of EU legislation on cybersecurity. (9)

In terms of the international dimension of cyberspace, in November 2014, the EU approved the Cyber Defense Policy Framework, which addresses the global focus of the EU's activities in this field, with a particular concern for CSDP operations and relations with NATO. A few months later, in February 2015, the Council would approve some additional guidelines on EU cyber diplomacy (10) in order to promote a common approach and to more clearly define the role of the European External Action Service (EEAS) in this regard. In reality, at the time EEAS was only giving its first steps and the investment in cyber was limited, with no more than a handful of fonctionnaires dedicated to cyber-related tasks.

During this period, the EU started to consistently include a cyber-component in its bilateral relations with strategic partners. Until then, the main exception was the U.S., with whom the EU had maintained a dialogue on critical infrastructure protection since 2000. But even in this case, a working group more directly focused on cybersecurity and cybercrime was created in 2010, and most recently, in 2014, an EU-US. Cyber Dialogue was officially established to specifically address foreign policy issues related to cyberspace.

Nowadays, the EU also maintains cyber dialogues with Japan, South Korea and India and cyber is being integrated into enlargement and neighborhood relations, as is the case of the Western Balkans. For instance, the European Commission has recently adopted six flagship initiatives for the Western Balkans, (11) which include the development of cyber capabilities and the intensification of cooperation in order to address issues related to cybersecurity and cyber-crime. Also on a cyber-related front, the EU approved in June 2015 (12) an Action Plan on Strategic Communication to specifically address Russia's "disinformation campaigns." A task force--East Strat-Com--was set up within the EEAS to report and analyze "disinformation narratives" and to work with eastern partners in terms of both developing "communication products and campaigns focused on better explaining EU policies" and to support "strengthening the media environment in the Eastern Partnership region." (13) The most visible outcome of this taskforce is its two weekly newsletters, the Disinformation Review and the Disinformation Digest that offer the latest trends in Russian trolling and regular fact-checking on Russian media. (14)

Consolidating Cyberspace in the European Union

In 2016, the EU Global Strategy placed cyber very much at the center of the EU's foreign policy, (15) in what was a sign of the progressive consolidations of cyberspace as a security and strategic priority within the EU. Among other aspects, the document presents the EU as a "forward-looking cyber player" that intends to protect its "critical assets and values in the digital world, notably by promoting a free and secure global Internet." (16) It wants to do so by "weaving cyber issues across all policy areas," (17) in what can only be interpreted as an ambitious statement of intent.

Another cyber-related aspect mentioned in the strategy--hybrid threats--has also received close attention from Brussels. A joint framework from April 2016 (18) set the main lines of action for the EU in...