Recently, the Federal Cabinet adopted the Cyber Security Strategy 2021; it formulates the fields of action and goals for the next five years. However, the decisive factor for success is missing, say Annegret Bendiek and Matthias Schulze.
Whether financial crisis, migration or Corona – the past decade has shown that Germany cannot easily implement its international goals without the EU. This fact is hardly taken into account in the German cybersecurity strategy adopted on 8 September. Germany's positioning in European and international cybersecurity policy is listed as the last of four prioritised fields of action. These fields are largely of a domestic nature. This also applies to the German discourse on the topic of IT security: representatives of digital civil society, the Association of the Internet Industry (eco) as well as some computer science professors criticise the planned development of an active cyber defence – including the possibility of digital counterattacks, so-called hackbacks.* However, they primarily discuss domestic federal competences or fundamental rights issues such as the separation requirement. There are four reasons why the EU would have to be much more involved in order for the strategy to work.
First, the number of serious cybersecurity incidents affecting EU services of general interest continues to rise. Diplomatic action, travel restrictions and asset freezes – for example, against Russian intelligence officers blamed for cyberattacks – have proven cumbersome, incoherent and ineffective here in the past. A purely national perspective means that EU member states do not react uniformly to cyber incidents.
Secondly, the EU is not only the framework for German policy, but also inextricably intertwined with it through the direct effect of European law. The 2014 ruling on data retention by the European Court of Justice not only formulated requirements for data protection, but also for data security. In the same way, the EU Cybersecurity Act of 2019 is a regulation and thus obliges all member states to implement it. However, the importance of EU law and the case law of the European Court of Justice is underestimated in the German cybersecurity strategy. Yet these are central reference points for German legislation. On the other hand, Germany cannot impose cyber sanctions against third countries or their so-called proxies without the EU.
Thirdly, the German government cannot reduce the EU to a coordinating role, if only because internal market protection is inconceivable without the Commission acting as a safeguard of EU treaty obligations. The security and stability of the Union is not the task of the member states alone. For example, the EU Commission will set up a joint cyber unit by 2023 to take joint action against attackers. Part of the necessary investment will be provided through the Digital Europe programme. The development of cyber defence capabilities will be financed by the European Defence Fund. In her State of the European Union address on Wednesday, EU President Ursula von der Leyen also announced a cyber resilience act to define common standards.
Fourth, transnational cybercrime cannot be solved effectively on a purely national level. Europol and the European Cybercrime Centre (EC3) are regarded by other states as role models in the international fight against cybercrime precisely because of their transnational investigative successes. The call for a European investigative agency modelled on the FBI is therefore becoming louder in cyber security policy.
Overall, it becomes clear here that cyber security in the EU is no longer a national matter, but must be understood as a component of its shared sovereignty.
However, the necessary integration in the German cybersecurity strategy is not limited to the EU; it must also be coupled with strong transatlantic cooperation between the EU and the US within the newly established Trade and Technology Council. Far too often, transatlantic cooperation is thought of in terms of a national bilateralism between Germany and the USA. The first argument in favour of this is that Alliance solidarity obliges the German government to maintain an active cyber defence even in peacetime. However, a demanding technical, legal and political attribution can neither be coordinated without the European External Action Service nor realised without US cooperation. For this, Germany must in turn act in close coordination with its EU partners such as France, the Netherlands, Denmark or Sweden. Germany's transnational critical infrastructure in itself effectively precludes it from going it alone in cyber defence, not least because the expertise for sophisticated technical solutions is not sufficiently available in Germany.
A convincing security strategy therefore requires close cooperation with international experts as well as the knowledge imparted at the EU level via Europol in coordination with the Cybersecurity Research Centres and the European Union Agency for Cyber Security (ENISA). Sustainable influence on global standards and norm setting in the multi-stakeholder forums of Internet governance can also only be successful in the long term if democratic states coordinate among themselves in data protection and data security policies. In the face of increasingly complex global politics, the new German government should promptly Europeanise the cybersecurity strategy so that it sees itself as part of the EU Cyber Strategy 2020 and, in a global context, serves to cooperate with its democratic allies.
*Dr. Matthias Schulze was part of this initiative.
This text was also published by fairobserver.com.