The Role of Non-State Actors in EU Cybersecurity Policy : Towards a Cyber-Resilient Europe (Part 2)

Written by Adriana Mara

Click here to read Part 1

Introduction

As established in the first part of this article cybersecurity constitutes a particular challenge for the EU due to the unique structure of threats and responsibilities. Indeed, as cybersecurity is an ongoing process that involves protecting both the end-user and the medium (i.e. internet and communication infrastructures often owned by private companies) it is only logical that state and private actors must work together in order to adapt to these threats. However, as with every aspect of security, the line between protection and invasion of human rights is quite thin. States often override their citizens’ privacies and rights in the name of security and similarly, corporations have abused their power over infrastructure and data motivated by generating profit. Evidently, there is a need to include an actor that can uphold the ethical and democratic dimensions of European efforts towards cybersecurity — this actor is civil society.

In terms of efficiency, the former part of this article identified some impediments in achieving high levels of innovation and cooperation in Public-Private Partnerships (PPPs). Those include a lack of trust, reluctance to assume responsibility, cultural/structural differences, divergent motives and asymmetric hierarchies. Civil society has the potential to act as a bridge between governments, institutions, corporations and citizens by facilitating dialogue, advocacy and even digital literacy. Civil society organizations also take into account the socio-political dimension of the cyberspace that tends to be neglected especially by private entities. Academic fora, conferences, and non- military Confidence Building Measures are only a few examples of the ways trust can be enhanced. In more general terms it can strengthen the ties of actors while simultaneously preserving fundamental rights.

Civil society is inherently a broad term that is frequently defined not by what it is but what it is not. As one paper puts it “we define civil society as a social sphere separate from both the state and the market and made up of non-state, not-for-profit, voluntary organizations” (Kavanagh and Stauffacher 2014: 2). Although not everything that is non-state falls into the category of an organization (citizens are the primary users of the Internet and play a significant role in advocacy), this paper will adopt this definition and will include academia as part of its analysis as not-for-profits, academia and other similar organizations hold the appropriate structure for liaising and formally engaging with governmental and corporate bodies. Strictly speaking, academia is not a part of civil society but since both act as an intermediary between the state and private actors and both advocate for societal issues for the purposes of this paper they will be considered as one actor.

Moreover, civil society is not one coherent actor nor does it function within a certain framework. Similarly to multinational corporate entities, a plethora of organizations operate transnationally or consist of a large-spanning network of organizations. Thus, this paper mainly refers to the usefulness of the Global Civil Society in formulating cybersecurity policies. In order to clarify, “global civil society” is not an undifferentiated whole, but an amalgam of multiple and diverse local networks. Regardless of their differences, citizens who share an interest in democracy and human rights also share common interests in a secure but open global communications space. Those common interests can lay the basis for a civil society cyber security strategy” (Deibert 2011: 23).

This paper will examine the role of civil society in the formulation of coherent European cybersecurity policies. Divided in two parts, the former will examine civil society as a means of improving cooperation between state and non-state actors and the latter will focus on the ways civil society can uphold ethical and democratic standards in cybersecurity processes. Finally, the article will conclude by endorsing the active engagement of civil society in the cybersecurity debate as well as with a summary of the main points raised in part one and two.

Civil Society as a Means of Strengthening Cooperation

This article has been closely examining PPPs and how they present a great opportunity to deal with an issue of transnational and decentralized character. More precisely, particular focus has been placed on the “European Public-Private Partnership for Resilience” (EP3R) as it is a pan- European partnership rather than a national one which is the most common form of PPPs. The EP3R is increasingly important to examine as it is a part of a wider European cybersecurity strategy and it not only attempts to engage with the private sector but also to coordinate national efforts. This has also been observed this year in the implementation of the NIS Directive and GDPR where all EU countries had to learn how to adhere to high standards of privacy and protection.

Even though this partnership is a highly positive step towards addressing cyber threats, it also has its shortcomings as was observed. Some of these shortcomings are common within national PPPs and often concern public-public or private-private actors.

One prominent barrier to effective cooperation has always been cultural differences. These include difficulties in communication, different work environments and technical language that signal an overall divergence of motivations for joining the partnership.

Civil society and track 2.0 practices have long been considered as a successful way to foster meaningful dialogue and bridge cultural gaps. Conferences and academic fora, as well as confidence-building measures, are prime examples of facilitating such dialogue. Through this dialogue, civil society can help create a common language of cybersecurity that may consequently lead to the built of new shared ICT norms as well as objectives that represent the needs of Internet users. As Kavanagh and Stauffacher argue “Finally, civil society can help deepen understanding of cultural dynamics and differences as a means to build trust in cyberspace and different cybersecurity challenges. Indeed, significant misunderstandings (many of them cultural) still remain in the area of cybersecurity, which can lead to a heightening of tensions between states, and between states and citizens if left unresolved” (2014 :21). They also recognize that civil society is often excluded from policy formulation processes and some relevant conferences (such as one launched in London in 2011) were stalled indefinitely (:10).

In the aforementioned quote, the word trust emerges, a word that is prevalent in the majority of studies that examine the efficiency of PPPs. Building relationships of trust between states and corporations (as well as between states/corporations themselves) is extremely difficult due to their aversion towards information sharing. Trust is based upon sharing knowledge, capabilities and accepting responsibility should anything happen. When it concerns national security (in this case European security) corporations are to an extent understandably reluctant in assuming any form of responsibility (Carr 2016: 61-62).

As simply explained by Pupillo “[…]given the very fragmented nature of the cybersecurity landscape in Europe and the voluntary nature of cooperation and information-sharing among member states, the EU’s ability to operate through a single coordination point remains uncertain, at best […] In this respect, trust and coordination are the two pillars of a future EU cybersecurity strategy. Trust is not only needed between public institutions, but also between public and private players” (2018: 3).

However, the mere involvement of civil society in cybersecurity policy formulation is not a guarantee of efficient cooperation. Monaghan, that examines the EU Communication Strategy has concluded that invoking civil society involvement is not an end in itself but it is contingent to the nature of communicating activities, characteristics of the organizations involved and funding (2008: 18). In this case, the author is referring to bridging the gap between citizens and the EU but the criteria also apply to our subject in question.

More specifically, it is important to comprehend the versatile nature of civil society. Organizations do possess various characteristics and objectives, “For civil society this is particularly an issue: not only does civil society essentially represent a wide range of different but pertinent interest groups within and across countries, the same civil society group also often does so in a variety of ways. And so sometimes they intervene as experts, while sometimes they voice the concerns of the users. Sometimes they represent non-users and sometimes they are simply there to hold other stakeholders accountable” (Rai Handa 2016). Therefore, the context of the involvement of global society is crucial for improving collaboration. In order to build this common language of cybersecurity then, suitable civil society organizations must identify critical knowledge gaps between stakeholders, contribute with solid evidence-based research and facilitate dialogue by assuming the roles outlined by Rai Handa.

Overall, in the effort to combat cybercrime and cyber conflict, decentralized responses are needed. In a pan-European partnership with multinational corporations, it is only appropriate to include a global civic network of various local and international organizations that address every angle necessary for promoting cooperation and efficiency.

Civil Society as a Means of Protecting Human Rights

Apart from acting as a binder between state and private actors, civil society is vital to ensuring the openness of the Internet as well as basic human rights. Such rights include privacy, freedom of speech and access to information. Do PPPs and various cybersecurity initiatives hinder these fundamental liberties? The answer depends on the way cybersecurity is perceived.

When the Internet is placed under a security context there is a tendency to “police” it. That is because national security entails a sense of urgency that requires an imminent solution (Comninos 2013: 3). However, we have already established cybersecurity as an ongoing effort that cannot achieve complete safety. Therefore, the traditional approaches to national/international security may not be appropriate for addressing the growing threats. Instead, they may be counterproductive as they could possibly lead to censorship and deprivation of citizens’ privacy.

Cybersecurity is commonly understood as a technical sphere that requires a specific background in IT for being comprehended which may lead to accepting information at face value (: 5). Consequently, users are often compelled to voluntarily sacrifice their privacy as a response to the perceived urgency and complexity of the issue. Civil society has been detrimental in preventing such invasions, either voluntary or not, from taking place by promoting digital literacy and deepening knowledge among users in order to increase resilience. By promoting literacy but also cooperating with various actors, civil society can effectively create a “balance of investment between the different, yet overlapping policy areas (security/ defence, governance, development and protection and promotion of human rights)” (Kavanagh and Stauffacher 2014: 19).

Fundamental human rights are also not protected under collaborations with the private sector. These collaborations may, in fact, exert huge control over citizens especially in the case of cybersecurity where multinational corporations tend to own data and infrastructure (Internet Service Providers and so on). Governments often exercise control by outsourcing security to private corporations and tasking companies with “policing” the internet. Research has shown “how private sector actors not only facilitate access to information for law enforcement, but actually derive revenues from doing so” (Deinbert 2011: 24).

One of the most recent examples of such exploitation of rights regards the newly EU proposed Regulation on Preventing the Dissemination of Terrorist Content Online that surfaced in September 2018. This regulation showcases the dangerous potential of allowing information to be filtered by private mechanisms. Under this proposal, information online may be taken down according to tools such as the Hash Database that is overseen by the Global Internet Forum to Counter Terrorism (Proposed Regulation 2018). This database, developed and shared by platforms such as Facebook, Youtube, Twitter and Microsoft, contains traces (or hashes as they are referred to) of images that involve violent/extreme content. Currently containing more than 80,000 images and videos, the database can use automated tools to remove content from the platforms (Civil Society Letter to European Parliament on Terrorism Database 2019). Since its formation, it has been observed that in some cases what the database/platform considers terrorist content may be a source of reporting or of propagating crucial information showcasing the tremendous censoring potential this tool has.

Moreover, this case is also an example of how civil society can react in order to preserve freedom of speech by such proposed regulations. A large number of national and international ICT-related organizations have signed a letter denouncing the proposal and warning of the consequences of such practices. As Comninos and Seneque put it “Civil society needs to be wary of putting too much trust in either governments or corporations for assuring cyber security. Responsibility for cyber security should be distributed and not concentrate power too much in one particular place” (2014: 38).

The increasing securitization of the Internet and the hazards of outsourcing security to private actors call for the much-needed participation of civil society as a means of promoting digital literacy, promoting transparency and accountability and more generally protecting human rights both offline and online. This can only be achieved by actively engaging in the cybersecurity debate and by articulating a strategy that puts the security of human beings at the centre (: 38).

Conclusion

In the aftermath of examining the role of non-state actors in formulating cybersecurity policies, it can be concretely concluded that not only they play a crucial role but are also detrimental in responding to threats that have unconventional structures. More specifically, private corporations are nowadays widely affected by cybercrime and hold the much-needed expertise to address pertinent vulnerabilities. By engaging in public-private partnerships and overcoming issues of mistrust there is vast potential for combating the criminal and terrorist exploitation of the internet.

Secondly, members of civil society play a fundamental role in fostering cooperation between the aforementioned actors and citizens as well as are key to protecting the ethical standards that the Internet should abide by. This can be achieved through research, advocacy, promoting digital literacy and pushing for transparency.

Overall, it is extremely positive that there are pan-European efforts towards cybersecurity including European organizations, multinational corporations and global civic networks as the Internet exists outside of the mainstream notion of state security and “functions in the absence of centralised control” (Deinbert 2011: 26). Thus, we should embrace the openness of the Internet and strive for a multistakeholder approach to cybersecurity.