HELSINKI ― Estonia will organize a strategic level cyber defense exercise in September that specifically caters to European Union (EU) defense ministers. The exercise, the first of its kind to be held at EU-level, will test the post cyberattack management strategies and overall capabilities of individual ministers.
“One of the motivating factors behind the exercise is to promote improved cooperation between the European Union and NATO,” said Jüri Luik, Estonia’s defense minister.
Called EU CYBRID 2017, the strategic level table-top exercise is scheduled to take place in Tallinn on Sept. 7. The exercise is being run as part of Estonia’s six-month Presidency of the Council of the European Union.
The need for such a dedicated exercise is more urgent that ever, said Luik. NATO as well as European countries, he observed, face ever more aggressive security threats in cyberspace.
“There are no borders between countries or organizations on the internet. Barriers to cooperation between the European Union and NATO must be reduced to counter threats in cyberspace,” said Luik.
Significantly, the September cybersecurity exercise is happening in response to enhanced defense collaboration initiatives within the European Union. These are strategically aimed at harmonizing rules of cooperation and engagement both at EU-policy level as well as project-specific collaboration between EU states.
For EU leaders, the EU CYBRID 2017 exercise will take place against a backdrop where leading global information communication technology, or ICT, corporations, including Microsoft and Deutsche Telekom, are calling for a Digital Geneva Convention-style treaty to regulate cyber operations between sovereign states.
According to ICT chiefs, a Digital Geneva Convention is fundamental to empowering nation states to better protect civilians and national infrastructure against cyberwarfare attacks in peacetime.
However, researchers at the Tallinn-based NATO Cooperative Cyber Defense Center of Excellence, or CCD-COE, think tank are less than lukewarm to the idea of a ‘Digital Geneva Convention,’ describing it as both “legally confusing and politically unrealistic.”
“The original Geneva Convention and Additional Protocols form part of international humanitarian law, or law of armed conflict,” said Tomáš Minárik, a research analyst at NATO-CCD-COE’s Law Branch. “They are designed primarily for an armed conflict, such as the ongoing war between Russia and Ukraine. They apply to cyber operations that have a link to an armed conflict. However, they have a limited applicability outside the scope of an armed conflict.”
Other rules of international law play a major role with respect to peacetime cyber activities, said Lt. Col. Kris van der Meij, a senior researcher in NATO CCD-COE’s Law and Policy Branch.
“These protections are included in the Council of Europe’s Convention on Cybercrime as well as customary legal rules regarding the responsibility of states for unlawful activities that have been set down in the International Law Commission’s Draft Articles on Responsibility of States for Internationally Wrongful Acts,” van der Meij said.
The momentum exists for states to improve cybersecurity as it relates to critical infrastructure, said Minárik. For states, the focus should be on extending the right to privacy extra-territorially while curbing indiscriminate online surveillance and data retention.
Addressing international law violations by governments are important and realistic goals, Minárik said.
“They are achievable through gradual progress and do not require universal consensus. Devoting efforts to a Digital Geneva Convention that has little chance of ratification by most countries would be counterproductive,” said Minárik.
Minárik questions the level of inter-state unity that exists for a Digital Geneva Convention given that a number of member countries in the United Nations Group of Governmental Experts, or UN-GGE, recently failed to agree on a joint position as to whether armed conflict applies to cyberspace.
The UN-GGE’s special area of focus covers developments in the field of information and telecommunications that impacts international security.
It is hard to imagine, said Minárik, the adoption of a broadly multilateral cyber-specific treaty “anytime soon.”
“Even in the unlikely event of such a treaty coming to fruition, it is unclear if there is a technically viable mechanism by which it could be verified,” Minárik said.