Whether financial crisis, migration or the coronavirus pandemic, the past decade has shown that Germany cannot easily implement its international goals without the European Union. This fact is hardly taken into account in the German cybersecurity strategy adopted on September 8.
Is Big Tech Ready to Tackle Extremism?
Germany’s positioning in European and international cybersecurity policy is listed as the last of four prioritized fields of action. These fields are largely of a domestic nature. This also applies to the German discourse on the topic of IT security: representatives of digital civil society, the Association of the Internet Industry (eco) and some computer science professors criticize the planned development of an active cyberdefense, including the possibility of digital counterattacks — so-called hackbacks.** However, they primarily discuss domestic federal competence or fundamental rights issues such as the separation requirement.
There are four reasons why the EU would have to be much more involved in order for the strategy to work.
First, the number of serious cybersecurity incidents affecting EU services of general interest continues to rise. Diplomatic action, travel restrictions and asset freezes — for example, Russian intelligence officers blamed for cyberattacks — have proved cumbersome, incoherent and ineffective in the past. A purely national perspective means that EU member states do not react uniformly to cyber incidents.
Secondly, the EU is not only the framework for German policy, but it is also inextricably intertwined with it through the direct effect of European law. The 2014 ruling on data retention by the European Court of Justice (ECJ) not only formulated requirements for data protection, but also for data security. In the same way, the EU Cybersecurity Act of 2019 is a regulation and thus obliges all member states to implement it.
However, the importance of EU law and the case law of the ECJ is underestimated in the German cybersecurity strategy. Yet these are central reference points for German legislation. On the other hand, Germany cannot impose cyber sanctions against third countries or their so-called proxies without the European Union.
Thirdly, the German government cannot reduce the EU to a coordinating role, if only because internal market protection is inconceivable without the European Commission acting as a safeguard of EU treaty obligations. The security and stability of the EU is not the task of the member states alone. For example, the European Commission will set up a joint cyber unit by 2023 to take joint action against attackers. Part of the necessary investment will be provided through the Digital Europe program. The development of cyberdefense capabilities will be financed by the European Defence Fund. In her state of the European Union address on September 15, European Commission President Ursula von der Leyen also announced a cyber resilience act to define common standards.
Fourth, transnational cybercrime cannot be solved effectively on a purely national level. Europol and the European Cybercrime Centre (EC3) are regarded by other states as role models in the international fight against cybercrime precisely because of their transnational investigative successes. The call for a European investigative agency modeled on the Federal Bureau of Investigation is therefore becoming louder in cybersecurity policy.
Overall, it is clear that cybersecurity in the EU is no longer a national matter, but must be understood as a component of its shared sovereignty.
Germany in a Global Context
However, the necessary integration in the German cybersecurity strategy is not limited to the EU. It must also be coupled with strong transatlantic cooperation between the European Union and the US within the newly established Trade and Technology Council. Far too often, transatlantic cooperation is thought of in terms of national bilateralism between Germany and the United States.
The first argument in favor of this is that alliance solidarity obliges the German government to maintain an active cyberdefense even in peacetime. However, a demanding technical, legal and political attribution can neither be coordinated without the European External Action Service nor realized without US cooperation.
For this, Germany must in turn act in close coordination with its EU partners such as France, the Netherlands, Denmark or Sweden. Germany’s transnational critical infrastructure in itself effectively precludes it from going it alone in cyberdefense, not least because the expertise for sophisticated technical solutions is not sufficiently available in Germany.
A convincing security strategy, therefore, requires close cooperation with international experts as well as the knowledge imparted at the EU level via Europol in coordination with cybersecurity research centers and the European Union Agency for Cyber Security (ENISA). Sustainable influence on global standards and norm-setting in the multi-stakeholder forums of Internet governance can also only be successful in the long term if democratic states coordinate among themselves in data protection and data security policies.
In the face of increasingly complex global politics, the new German government should promptly Europeanize the cybersecurity strategy so that it sees itself as part of the EU cyber strategy 2020 and, in a global context, serves to cooperate with its democratic allies.
*[This article was originally published by the German Institute for International and Security Affairs (SWP), which advises the German government and Bundestag on all questions related to foreign and security policy. **Dr. Matthias Schulze was part of this initiative.]
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.