Shifting Paradigms in Europe’s Approach to Cyber Defence

Ambiguous definitions

In the November 2022 Communication on an EU Cyber Defence Policy, the Euro­pean Commission called on member states to devel­op capabilities across the full spec­trum of cyber defence, including active meas­ures. The Council Conclusions on Cyber Defence Policy of May 2023 further emphasise the importance of civil-military cooperation. Capabilities for early detection, defence against and deterrence of cyber threats would have to complement the portfolio of defence instruments. While underscoring that these are national com­petences – with the decision and responsibility for the deployment of cyber defence measures lying squarely with the governments of member states – the Council pointed to the defensive character of these measures. Which techniques and procedures member states might explore as part of their active cyber defence ambitions is left open in the Conclusions. Instead, the member states are called upon to specify their own goals and outline measures for achieving them. The methods of active cyber defence documented so far through policy papers, interviews and limited exam­ples from state practice include the diver­sion of harmful data traffic, the disabling of botnets and the takeover of servers or internet domains by law enforcement agencies to strip attackers of control over their infrastructure. The defence tools also include the identification and deactivation of malware in computer systems and inter­vention in attacking IT infrastructure out­side the systems of the affected victims. In this vein, active cyber defence may include disinformation campaigns, the manipulation of foreign media, the electronic disrup­tion of servers and the halting of data traf­fic abroad.

The principle of due diligence

The German government, EU member states and the EU are guided by the re­quire­ments of “due diligence” in the imple­men­tation of their cybersecurity strategies. This obligation binds states in peacetime to en­sure that no activities emanating from their territory violate the rights of other states. In its cybersecurity strategies, the EU points out that the protection of computer systems and networks is essential for a modern, high-tech and digitised industrial state. To this end, the resilience of infrastructure, the ability to defend against and detect (also state-directed) cybercrime and aware­ness of disinformation campaigns are the focus of enhanced defence efforts.

The EU and Germany pursue a defensive cyber security strategy based on internation­al agreements. The concept of due diligence is, however, not per se in conflict with active cyber defence. Yet, intervening in adversary cyber operations poses new challenges to state due diligence in peace­time, even as such actions may be justi­fiable in terms of defence against “immi­nent danger”. International norms act as anchor points for the design of active cyber defence measures. Proactive cyber defence therefore requires the disclosure of norm-violating behaviour in order to justify in comparable cases that the intervention was carried out to avert danger or in the context of an imminent threat. US authorities have repeatedly demonstrated the willingness to make operational insights public through indictments of threat actors, even where those responsible are likely to remain beyond prosecution.

Revealing such information as part of attribution efforts signals a commitment to hold threat actors accountable to allies. Steps in this direction have strengthened an international “attribution coalition” among EU and NATO states and international part­ner countries. To clearly define what is con­sidered acceptable behaviour, details on the powers and mandates of the new authorities must be provided, especially in the case of active defence initiatives. Ex­pos­ing adversary activity and distinguishing “blue actions” from hostile operations are instru­mental for not upending progress in shap­ing the very norms that provide legitimacy for disrupting threats. At the same time, states will have to find a delicate balance in their public reporting to protect sources and methods and to avoid undermining their ability to conduct future operations.

State practice of active cyber defence

The US Department of Defence transitioned to a new approach to cyber defence in 2018. In the attempt to “defend forward”, US Cyber Command, under this doctrine, focusses on countering threat activities as close to their source as possible to avert damage before it can occur and intercept hostile actors. It pursues this approach through “persistent engagement” – the targeted disruption of cyber threats and the degradation of an adversary’s capabilities – in order to im­pose costs on attackers and influence be­hav­iour that has proven difficult to shape through other instruments, or otherwise could only be addressed after the fact. The National Cyber Security Strategy published in March 2023 develops this approach fur­ther for civilian agencies. The document establishes a stand-alone pillar of disrupting and weakening threat actors. According to General Paul Nakasone, head of US Cyber Command and director of the National Secu­rity Agency, the US Department of Defence’s new cyber strategy – adopted two months later and classified – builds on the change of course made in 2018. While the Department’s fourth edition, the 2023 strategy, is the first to be “informed by years of significant cyberspace operations”.

In contrast to the rise in pronounce­ments about active cyber defence initiatives, little is known about the scenarios for their deployment. Even for the US, which has been among the most transparent about its wil­lingness to use offensive capa­bilities, public cases and operational details are sparse.

The first known case of active intervention in malicious cyber activity by US Cyber Command was aimed at disconnecting the Trickbot botnet from command-and-control servers in autumn 2020 to counter a pos­sible ransomware campaign in the run-up to the US elections.

The Cyberspace Solarium Commission, a body set up by the US Congress to develop a concept for defence against serious cyber­attacks, proposed an expanded interpreta­tion of “defend forward” in 2020. According to this interpretation, consistent implementation of the doctrine no longer only drew on military instruments, but all state capa­bilities (diplomacy, regulatory powers, etc.), especially to make intelligence on threat activities available to potential targets, there­by contributing to their resilience. The Commission’s interpretation indicates that a robust “defend forward” policy will also be measured by whether and to what extent it contributes to strengthening international norms of behaviour. In the public summary of its new cyber strategy, the Department of Defence recognises its capabilities are most effective when deployed as part of an inte­grated approach, though it does not address other instruments in further detail.

Countering attack activity is only one step in bringing about a change in adver­sary behaviour. Demonstrating the ability and determination to continue to do so to potential attackers underwrites these sig­nalling efforts. According to General Nakasone, in response to Russia’s invasion in the spring of 2022, the US conducted offensive cyber operations in support of Ukraine, in addition to defensive ones.

Other states also intend to use opera­tional influence capabilities to actively disrupt malicious cyberattacks. In addition to the aforementioned deployment of the Australian JSO for cyber defence, the Aus­tralian government announced earlier this year that it will triple its investment in offensive cyber defence capabilities.

The UK has made public a range of assis­tance measures since Russia’s invasion of Ukraine in February 2022. The programme includes supporting critical infrastructure and Ukrainian government agencies in deal­ing with cyber incidents, assistance to avert sabotage attempts against the power supply, forensic intelligence, and access to security solutions to protect high-value targets from future attacks. Not all of these measures have received full endorsement among EU member states. Nor are the tech­nical cyber capabilities that are necessary for more active support roles equally dis­tri­buted among EU member states. Ukraine’s resilience to Russia’s attacks suggests that it may have benefited from forward-leaning cyber defence measures. Kyiv’s proactive cali­bration of defence efforts relied, among other things, on the results of Hunt For­ward Operations (HFOs), which were con­ducted by US Cyber Command and Ukrain­ian part­ners between December 2021 and March 2022.

Hunt Forward Operations as active threat prevention

As interpreted by US Cyber Command, HFOs are defensive efforts in which internal protection teams – at the request of part­ner states – scan networks on site for mal­ware in order to detect new attack patterns early on and close security gaps and back­doors. The key advantage of the hunt-forward approach, according to General Nakasone, is that threat actors and their tools can be detected in advance. To date, US Cyber Com­mand has conducted more than 50 HFOs with at least 23 countries. Partners have included several EU member states and NATO allies, including Albania, Mon­te­negro and northern Macedonia. Short­ly after Russia’s invasion of Ukraine in Feb­ru­ary 2022, teams were deployed to Lithuania and later Latvia. European part­ners have thus not only already participated bilaterally in HFOs but are directly requesting deploy­ments in their networks.

Germany and other EU states interested in exploring HFOs may engage in three separate ways. A joint deployment in their own networks makes it possible to draw on the analytical capabilities of international partners in the reconnaissance of attack activ­ities to a degree that could not be achieved through an exchange of informa­tion only.

In the opposite direction, such an operation in support of international partners can provide new knowledge about tactics and attack tools that are being tested. This knowledge expands the possibilities to pre­pare for attempted attacks and, ideally, to prevent them before they can cause damage.

European states are faced with the ques­tion of whether the development of an­tici­patory capabilities requires similar pro­grammes under their own leadership. With­out committing member states to partici­pate directly, a European project could be set up with the aim of maintaining inde­pendent capabilities and having clarified operational modalities in case of need. The EU’s Permanent Structured Cooperation (PESCO) provides an existing framework within which member states could invest in HFO resources.

European reactions

A strategic reorientation towards active cyber defence is politically controversial among member states. The head of the French Cyber Defence Command, General Aymeric Bonnemaison, expressed reser­vations to this effect in a hearing of the National Assembly in December 2022. In Bonnemaison’s rendition, even defensive missions that serve to scout out adversary activity in allied networks remain aggressive. Support of this kind, especially for Eastern European countries, while pro­vid­ing reassurance, presupposes far-reaching access to the networks concerned and requires a strong operational presence – which in Bonnemaison’s view would make accompanying diplomatic engagement and capacity-building on the ground indispensable. To address these points, the French cyber commander floated the idea of a Euro­pean cyber intervention group that offers assistance similar to US-led HFOs. Even for countries that stand to benefit from this assistance in light of long-term security challenges, it could require tem­porary, far-reaching access to their sensi­tive networks.

At a low-threshold level, EU Cyber Rapid Response Teams (EU-CRRTs) already offer sup­port to third countries in monitoring and combating cyber threats. A group of eight member states has built up the neces­sary capabilities within PESCO. The EU-CRRTs, comprising eight to twelve national experts, were the first operational units under PESCO. The states participating in the PESCO project alone decide on mobili­sation. Although operational since 2019, an EU-CRRT was activated for the first time at the request of Ukraine in February 2022, shortly before the start of Russia’s war of aggression. After initial efforts to deploy forces both onsite and remotely, Russia’s assault necessitated a change of course towards fully virtual support. The deployment of another force to Moldova is report­edly in preparation. The EU also delivered equipment for a cyber lab to the Ukrainian armed forces in December 2022 under the European Peace Facility. The lab will serve as a training environment to build addi­tional capabilities through real-time simu­lations to detect, understand and defend against attempts to penetrate Ukrainian networks.

Normative foundations are missing

Emerging state practice by the US, the UK and Australia outlines the rationale and expected contributions of active defence measures in containing threats. Any deploy­ing state has a duty to ensure that such deployments are appropriate and comply with accountability obligations. Any con­sideration of active cyber defence first needs to define which active measures should be meaningfully pursued by which domestic actors and in which international or Euro­pean partnerships. It also requires clarity on how these actions address security con­cerns that otherwise lack remedy and how they can contribute to the resilience of part­ners. In an increasingly volatile strategic environment for the EU, the potential of active cyber defence increasing the costs for engaging in malicious activity may be ap­peal­ing, but needs to be tied to the defini­tion of preconditions regarding transparency, legitimacy and accountability of such op­era­tions, at least in the following points:

• Active defence measures should be closely linked to firm operational prin­ciples and a careful impact assessment. This places high demands especially on explaining the necessarily forward-looking character of defensive and at the same time disruptive actions. Their purpose of disrupting offensive operations must be clearly distinguished from actions designed with the intention to cause harm. Considerations of the effects must not be limited to influencing an adversary’s cost-benefit calculations but should also include downstream consequences for global stability in the cyber and information space. Similarly, there is a need for an evaluation framework and metrics that allow for an integrated, strategic, operational and tactical assess­ment beyond the mere number of operations conducted or their immediate tac­tical effects.

• The Solarium Commission emphasises that the tactical and operational implementation of the “defend forward” policy includes deployment in networks of part­ners and allies if disruptive measures can only achieve their goal in this way. As the example of the deletion of propaganda material of the “Islamic State” from a Ger­man server shows, such cross-border active cyber defence interventions require a shared situational understanding and advance communication between the countries concerned. Against this back­drop, the Commission pointed out that such actions should be carried out with the support of allied partners when­ever possible. Regardless of their willingness to develop active cyber defence capa­bilities, from the US perspective this requires close coordination with allies and other like-minded governments. On the EU side, the planned Cyber Defence Coordination Centre (EUCDCC) could in the future be a platform for coordination with international partners. At least ini­tially, the EUCDCC’s efforts to establish a situational awareness of ongoing cyber operations will focus on Common Security and Defence Policy missions and operations.

• Existing formats for sharing voluntarily provided cyber capabilities, such as NATO’s SCEPVA programme (Sovereign Cyber Effects Provided Voluntarily by Allies), show how difficult it is to put cooperation in this area into practice. Participating actors are concerned about revealing the building blocks of their own capabilities. In practice, therefore, capabilities are not shared but deployed at the request of allies. For active defence, these hurdles to capability-sharing sit even higher, considering its premise of the continuous and proactive engage­ment of threat activity. Active defence takes aim at activities below the thresh­old of an armed attack. Rules of engage­ment are therefore much broader in scope than for SCEPVA, which is limited to alliance operations and missions.
  These developments might increase the political pressure to be able to pursue active cyber defences, at least to some extent, or else risk falling behind. The development of national capabilities raises questions about the possible dis­placement effects that simply push mali­cious activities – if these are not target-specific (e.g., ransomware, certain types of industrial espionage) – to the next low-hanging target. Such crowding-out effects risk disruptive approaches evolving into “beggar-thy-neighbour” policies, whereby countries that choose not to respond with disruptive means may find themselves exposed to concentrated threat activity. An example of this is Australia, whose motivation for establishing the JSO was to ensure that it did not present itself as a soft target.

• Information on how the new active cyber defence powers are exercised should be an integral part of a shift in policy and posture. Detecting adversary activities and distinguishing between allied actions and hostile operations are impor­tant to demonstrate responsible behav­iour and the protection of norms. A com­mon understanding of active cyber defence measures can only be achieved if states link both disrupted offensive operations and the defensive measures deployed for their disruption to discussions on state behaviour in cyberspace.
  The public disclosure of “defend forward” operations does not necessarily conflict with protecting sources and methods. On the contrary, transparency about the rationale, the objective and the achieved effect of active defence meas­ures can strengthen the acquis of norms and support the declaratory doctrine. Although there may be cases of operational disruptions to consider in which adversaries do not suspect outside interference, a general presumption that com­munications on these points routinely depend on disclosing intelligence assets sells short how far public accounts have come.

• Similar mechanisms for responsible trans­parency are already in place for the proactive use of FBI authorities to delete pre-positioned malware – in these cases the underlying affidavit usually is made public.
  A UK National Cyber Force (NCF) report published in early April 2023 assesses active cyber defence as an expression of the responsible exercise of “cyber power”. The paper outlines a framework for engaging in disruptive measures while clearly upholding and reinforcing internationally recognised norms and international law. To this end, the NCF paper sketches out a roster of operational pre­requisites and identifies indicators for assessing active cyber defence measures in terms of their impact and stabilising influence. In the absence of concrete operational examples, however, how this framework is applied to ensure that opera­tions are conducted according to its “responsible”, “precise” and “adapted” standards remains unclear.
  In this context, the document points out that transparency with the public is an essential building block of the NCF’s “licence to operate”. The paper links this provision, among other things, to the ad­ditional financial resources that the UK government has dedicated to the develop­ment of cyber capabilities.
  A critical consideration for ensuring legiti­macy and accountability not directly referenced in the document is the forward-leaning character of active cyber defence measures. This expansion of the scope of action is becoming apparent in Germany, not least because of the intend­ed amendment of the Basic Law to grant new authorities. An informed public discourse about any potential exten­sion of powers only gains in importance with respect to the claim that corresponding capabilities are to be deployed in a democratically supported and responsible manner.

For close to a decade, the US has detailed the responsibilities of individual operators and the timing of their actions in indictments and in cooperation with European part­ners in the form of notices about sanc­tions. Indeed, efforts to publicly attribute responsibility for cyberattacks have laid the groundwork for the imposition of costs on which any endorsement of active defence would have to stand. As part of their respec­tive cyber defence doctrines, states need to consider under which circumstances in­for­mation about the use of active defence meas­ures can be made public, especially where such information is already known to the adversary. Such data also provide the feedstock for evaluating whether active defence meets its stated purpose.

A paradigm shift in the strategic culture of European cybersecurity from a reactive to a defensively designed active cyber defence requires critical engagement with the issues raised above. The development of tools for evaluating such missions – in particular assessing the risks of conflict escalation, collateral damage and inadver­tent consequences – must be designed into the deliberations about extended powers from the very beginning. European cyber­security must be measured against its own due diligence principles. A paradigm shift from reactive to active cyber defence is only justifiable with democratic support. At the foundation of this approach is a public understanding of the strategic environ­ment, and by extension of the conditions that shape cyberspace as a permanently contested field of conflict. Empirically driven cyber conflict and peace research can be a valuable resource in this communication effort. Public data collection to track the development of cyber threats and state responses, as conducted by the Euro­pean Repository of Cyber Incidents (EuRepoC), can make an important contri­bution towards ensuring that cyber defence considerations are discussed responsibly and democratically supported.