Berlin, 11.11.2015

Three Priorities for Cyber Diplomacy under the German OSCE Chairmanship 2016

Annegret Bendiek
Christoph Berlich
Tobias Metzger

The 2016 OSCE Chairmanship is a chance for Germany to extend cyber diplomacy beyond its politico-military dimension, argue Annegret Bendiek, Christoph Berlich and Tobias Metzger.

German policy makers understand cyber space as a ‘space of freedom, security and justice’, but today, internet freedom and the innovation potential that depends on it are being threatened by increasing governmental control. When Germany assumes the chairmanship of the Organization for Security and Co-operation in Europe (OSCE) in 2016, its approach, according to its own non-militarily driven cybersecurity strategy, should be to establish confidence and security building measures (CSBMs) for improving cybersecurity in all three dimensions of OSCE cooperation (the three ‘baskets’) for the first time: security, economic cooperation and cultural exchange and human rights. The 57 OSCE member states—including the USA, Russia, Canada and the European states—reached agreement in 2013 on an initial package of eleven CSBMs in the area of cybersecurity. However, these measures included none that extended beyond political and politico-military trust-building.

Harness Germany’s experience to benefit the OSCE

Germany is predestined to lead this effort because, first, it has historically rooted political and economic ties to both West and East, and its diplomatic efforts as a mediator are respected. Second, Germany is a leader in the field, known for setting high technical and regulatory standards in areas like data security and privacy. Third, Germany has been successfully engaged in norm- and rule-setting bodies for cyberspace, including the United Nations Groups of Governmental Experts (GGE) for information security. Germany can build upon this wealth of experience.

‘Basket 1’: Security

The CSBM catalogue of 2013 is an array of voluntary agreements on military cooperation among member states. In the area of cybersecurity, agreement was reached to use the OSCE as a platform for the exchange of information on cyberattacks and for mutual support in expanding national capacities for improved IT baseline protection. Cooperation often fails to emerge, however, not only for lack of trust but also because the technicalities are highly complex and because there is disagreement over terminology. There is, for example, no generally accepted definition of the term ‘information security’. In China and Russia, information security includes efforts to block foreign propaganda and the political aspirations of the opposition, whereas in the West it refers to the protection of IT systems. To prevent the cooperation on protecting critical infrastructure from being torpedoed by a lack of understanding of technological issues or by terminological differences, the German chairmanship should work to ensure that scientists—computer scientists above all—are included in all aspects of cyber diplomacy, not in the security dimension alone. Scientific exchange can help defuse diplomatic tensions, as seen in the example of the Pugwash Conferences, which since the 1950s have brought leading physicists from all nations together to discuss nuclear security. The group was awarded the Nobel Peace Prize in 1995 for its ground-breaking contribution to disarmament and non-proliferation.

‘Basket 2’: Economic cooperation

This past summer, Germany passed its IT Security Act, which mandates higher security standards for the protection of critical infrastructure. Owners and operators of critical infrastructure are now required to report cyberattacks in the expectation that information-sharing will help thwart future attacks. Germany took a leading role among OSCE member states with this law, and its approach has become a point of reference in current negotiations over the EU’s Network and Information Security Directive (NIS Directive). Similarly, Germany’s Federal Office for Information Security (BSI) has become a model of technical expertise for many OSCE partners. The German chairmanship can contribute to the development of these kinds of institutional capacities in OSCE partner states. This opens a new horizon of capacity building within the context of OSCE economic cooperation.

‘Basket 3’: Human rights

The OSCE promotes human rights as part of its third ‘basket’. In many instances, however, its member states continue to severely restrict free speech on the internet. This stands in contradiction to Germany’s policy to protect the freedom of cyberspace, and Germany should, therefore, work ardently to improve the situation in the most severely affected countries. Suitable institutions for this purpose include the OSCE’s Office for Democratic Institutions and Human Rights (ODIHR), which assesses the compatibility of proposed legislation in member states with rule-of-law principles, and the OSCE Representative on Freedom of the Media, who gives early warning of repression against journalists. Germany should take measures to ensure that these bodies receive more resources and, in the context of digitalization, that they more frequently address issues of censorship, network surveillance and new aspects of copyright law.

Cyberspace was created by human beings and encompasses all aspects of human society. Concentrating on military aspects alone entails limiting ourselves to a one-dimensional focus on isolation, distrust and power politics between states. This impedes cooperation among members of civil society who advocate internet freedom. For this reason, confidence and security building measures must be developed for all three OSCE ‘baskets’. Germany has the unique opportunity in 2016 to create an international framework for this purpose. The economic benefits of this approach may be powerful enough to win over some of those who stand in opposition to internet freedom.

A German Version of this »Point of View« has been translated into English by Scott Stock Gissendanner.

The text has also been published on the Council on Foreign Relations (CFR) »Net Politics« blog.
