The COVID-19 Pandemic has meant that democracies have gone online without the legal and institutional preparation required. The deeper digital transformation of economies and societies have increased the interface of the digital and physical world, the interdependence of states and societies, and the pressure for infrastructural convergence. We live in a global world, with a world-wide-web and the sum of our national cybersecurity capacity. Thus far, the discussion has been tactical rather than strategic. Here, we start to redress that balance.

Cyber-Convergence and Democracy

While we rightfully emphasize the benefits of ongoing economic and normative convergence within Europe, there is a wider spectrum of security threats we need to come to terms with. Both state and non-state actors are uniquely exploiting cyberspace to challenge collective defense and transnational market arrangements. Terms such as ‘hybrid threats,’ ‘active cyber defence measures,’ ‘cyberthreat vectors’ or ‘advanced persistent threats’ describe an emerging security domain whose target is not control over land but fundamental pillars of European societies such as democracy, the rule of law, human dignity, equality and respect for human rights.

The challenges Europe faces in cyberspace also have a geopolitical dimension.

For decades, Europe operated as a multilateral and cooperative space developing an ever-higher benchmark of citizenship rights. The emergence of this European space that is often taken for granted is the result of cumulative work over decades on confidence-building measures, peaceful conflict-management of disputes, and since 2017 the European Union has also harnessed the power of coordinated diplomatic responses to security threats. The foundation of this structure lies in international law, with a normative benchmark that builds and goes beyond the United Nations’ international standards. But without cybersecurity all these norms are called into question.  

Between crime and espionage

Geopolitical competition in cyberspace is not merely between individuals, firms, political parties or advocacy groups but also between “systems” and “regimes.” Authoritarian regimes operate by proxy through nonstate actors just as liberal regimes have done in the past. Plausible deniability and covert action in cyberspace is a game two can play.

According to the EU Agency for Cybersecurity (ENISA) the “development and deployment of new technologies, are reshaping the cyber landscape and significantly impact society and national security.” There are now low-end attacks on IoT devices and services that blur the distinction between National Security and Home Affairs, posing a threat to European security and the EU. For instance, state-sponsored cyberattacks and phishing messages can be classified as operations in the gray area between organized crime and espionage.

Though there is a growing recognition that existing laws apply, there are additional technical parameters in cyberspace that make law enforcement much more difficult, such as anonymity and, therefore, legal responsibility. This is a world in which proxy-warfare is proliferating on and off-line. Both states and non-state actors have weaponised information technology, turning the liberal essence into a problem.

Catch me if you can

Both state and non-state actors have figured out how to manipulate the profit model of social media where the user is treated as a product on the advertising market. Designed to sell attention and produce instant gratification, algorithms learn what people like and monetise these preferences. This leads to a “filter bubble” effect, creating communities of the like-minded. The network (friends) turns into an indicator and a filter.

Producing information with clickbait and eye-catching titles is a trend in journalism that predates online engagement. It is now worsening as media platforms exchange print dollars for digital pennies, making such journalism an inevitable business model. The trend is more impactful in poor and linguistically small markets in the Western Balkans, turning these societies into easy prey for predators of disinformation and mal-information.       

Strategic dilemmas

To address contemporary challenges the EU has already prioritized cyber capacity building. Nevertheless, unlike China, Russia, or the United States, the EU cannot rely on individual foreign and interior policies, their unified military structures and the legal and budgetary power of central governments for the development of coherent cyber capacities. Member states are responsible for their own cyber capacities, having widely varying levels of cyber maturity, different threat perceptions, priorities and capabilities.

Though cybersecurity is an important element in the age of evolving threat landscapes, if the EU is about to preserve geostrategic relevance, building cyber defense capacities is a strategic imperative. In this context, the EU needs to address several challenges that include a balance between national sovereignty and EU-pooled competencies, a challenge that will not be easy to address. Coextensively, there are a number of normative challenges, such as the standardization and taxonomy of definitions of threats, civic rights, perceptions of privacy and common security, the balance between Home Affairs and National Security.