Yesterday, the Council of the European Union, which represents the heads of state and government of the European Union, launched an initiative it hopes will strengthen the bloc’s ability to deter and respond to cyber threats. The Council seeks to develop what it is calling a “Cyber Diplomatic Toolbox,” a framework for joint EU diplomatic responses to malicious cyber activities.
Although it is unclear what sorts of tools the toolbox will contain, the Council’s statement refers to the European Union taking measures “within the Common Foreign and Security Policy,” including “restrictive measures,” in response to cyber operations directed against it. In addition to common diplomatic tools like issuing statements of condemnation, summoning ambassadors, or declaring diplomats persona non grata, this more forceful language opens the possibility that the European Union might impose sanctions on an adversary attacking its member states in cyberspace.
The Council clearly perceives the toolbox as a deterrent. Its statement stresses that “signaling the likely consequences of a joint EU diplomatic response to such malicious cyber activities influences the behavior of potential aggressors in cyberspace thus reinforcing the security of the EU and its Member States.” As member states invest in developing defensive and offensive cyber capabilities both for their own protection and within NATO, the proposed toolbox is an attempt to balance their emerging hard power capabilities with collective soft-power measures. The toolbox is also likely to be most effective in deterring state actors, which tend to be more susceptible to diplomatic measures. It is hard to think of non-state actors that would be seriously deterred by the prospect of diplomatic retaliation.
How and when the toolbox will be used is still an open question. The Council’s statement makes clear that a decision on publicly attributing a cyber operation rests with the victim state, but qualifies that by noting that a determination of attribution is not required for the toolbox to be used:
“The EU reminds that attribution to a State or a non-State actor remains a sovereign political decision based on all-source intelligence and should be established in accordance with international law of State responsibility. In that regard, the EU stresses that not all measures of a joint EU diplomatic response to malicious cyber activities require attribution to a State or a non-State actor.”
It is hard to imagine how diplomatic responses like sanctions would work in practice without (public) attribution. Yet measures like diplomatic demarches can be taken without presenting any evidence, to show that certain malicious behavior is being detected and should end. Such diplomatic signaling is a useful instrument to make malicious cyber operations less anonymous and risk-free while bringing little danger of immediate escalation. It is also conceivable that the EU added this attribution formula to signal some flexibility, which would contribute to the toolbox’s deterrent effect. In other words, the European Union leaves the door wide open on how it will use its ability to demarche, sanction, and deem persona non grata actors linked to a state-sponsored cyber operation.
Acknowledging the use of diplomacy to deter and retaliate against malicious cyber activities is a valuable development. However, a number of unanswered questions remain, particularly on how this new toolbox will be used and what tools it will contain. More importantly, will it be effective when malicious actors eventually try to test the EU’s cyber defenses and resolve?