Three Priorities for Cyber Diplomacy Under the 2016 German OSCE Chairmanship

Dr Annegret Bendiek is Senior Associate and Head of Project at the German Institute for International and Security Affairs (SWP). Christoph Berlich und Tobias Metzger are Project Staff on “The challenges of digitalization for German Foreign and Security Policy”, a project funded by the German Federal Foreign Office. The SWP advises the German Parliament and the German Government in all matters of foreign and security policy.

German policymakers in their Digital Agenda of 2014 understand cyberspace as an “open, safe and free space.” However, Internet freedom and the innovation potential that depends on it are being threatened by increasing governmental control. When Germany assumes the annual chairmanship of the Organization for Security and Co-operation in Europe (OSCE) in 2016, its approach—strengthened by its non-militarily driven national cybersecurity strategy—should be to establish confidence and security building measures (CSBMs), which incorporate cybersecurity in all three of OSCE’s areas of focus (called “baskets” in OSCE parlance) for the first time: security, economic cooperation, and exchange on culture and human rights. The fifty-seven OSCE member states, which include the USA, Russia, Canada and the European states, reached agreement in 2013 on an initial package of eleven cybersecurity CSBMs. Although important, the CSBMs only focused on politico-military trust-building and paid no attention to economic cooperation or human rights.

Harness Germany’s experience to benefit the OSCE

Germany can lead this effort because, first, it has strong political and economic ties to both the West and the East, and its diplomatic efforts as a mediator are respected. Second, Germany is a cybersecurity leader, known for setting high technical and regulatory standards in areas like data security and privacy. Third, Germany has been successfully engaged in bodies of norms- and rules-setting for cyberspace, including the United Nations Groups of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). Germany can build upon this wealth of experience.

First Basket: Security

The 2013 cyber CSBMs are voluntary and do not bind OSCE member states to take  concrete action. Member states agreed to use the OSCE as a platform to continuously exchange information related to cyber incidents and to improve their ability to protect their networks. But cooperation thus far has been lackluster, largely due to the lack of trust amongst participants, the complex and technical nature of cyber incidents and disagreement over terminology. There is, for example, no generally accepted definition of the term “information security.” In China and Russia, information security includes efforts to block foreign propaganda and the political aspirations of dissidents, whereas in the West it refers to the protection of systems and the data therein. To prevent cooperation on critical infrastructure protection from being torpedoed by a lack of understanding of technological issues or by terminological differences, the German chairmanship should work to ensure that scientists—computer scientists above all—are included in all aspects of cyber diplomacy, not just in the security dimension. Scientific exchange can help diffuse diplomatic tensions, as demonstrated by the Pugwash Conferences, which since the 1950s have brought together leading physicists from around the world to discuss nuclear security. The group was awarded the Nobel Peace Prize in 1995 for its ground-breaking contribution to disarmament and non-proliferation.

Second Basket: Economic Cooperation

This past summer, Germany passed its IT Security Act, which mandates high security standards for the protection of critical infrastructure. The predominantly private owners and operators of critical infrastructure are now required to report computer security incidents. Such reporting and information sharing is intended to help thwart future attacks. It strengthens the cooperation between the public and private sector to ensure the safety of a wide range of critical infrastructure, including the finance, transport and energy sectors, and underlines the importance of Germany’s industry as a critical asset.

The IT Security Act makes Germany one of the few, if not the only, OSCE member state with a strong legislative framework and Germany’s approach has become a point of reference in current negotiations over the EU’s Network and Information Security (NIS) Directive. Similarly, Germany’s Federal Office for Information Security (BSI) has become a model of technical expertise on IT security standards for many OSCE partners. The German chairmanship can contribute to the development of these kinds of institutional capacities in OSCE partner countries to safeguard economic growth. This opens a new horizon of capacity-building within the context of OSCE economic cooperation.

Third Basket: Human Rights

The OSCE promotes human rights as part of its third basket. In many instances, however, member states continue to severely restrict free speech on the Internet. This stands in contradiction to Germany’s policy to protect the freedom of cyberspace, and Germany should, therefore, work ardently to improve the situation in the most severely affected countries. Suitable institutions for this purpose include the OSCE’s Office for Democratic Institutions and Human Rights (ODIHR), which assesses the compatibility of proposed legislation in member states with rule-of-law principles, or the OSCE Representative on Freedom of the Media, who provides early-warning of repression against journalists. Germany should take measures to ensure that these bodies receive more resources and focus on digital human rights issues, such as censorship, network surveillance and abuses of copyright law.

Cyberspace was created by human beings and encompasses all aspects of human society. Concentrating on military aspects alone means limiting oneself to a one-dimensional focus on isolation, distrust and power politics between states. This impedes cooperation among representatives of civil society who advocate Internet freedom. For this reason, new sets of CSBMs must be designed to take into account all three OSCE baskets. Germany has the unique opportunity in 2016 to create an international framework for this purpose. The economic benefits of such an approach may be powerful enough to win over some of those who stand in opposition to Internet freedom