Chaired by Professor George Christou (University of Warwick), the presentations and discussions associated with this initial panel drove home the point that inequality challenges run the gamut of EU policies and are indissociably linked to European integration dynamics across all policy fields the EU is active in. This holds true in the increasingly visible and challenging digital space where the EU, as a key regulatory actor, significantly contributes towards shaping the opportunity structures at play. Within both the wider digital space and the more specific construction of a (European) Digital Union, cybersecurity was the particular concern of the panellists. This reflected the expertise present as all scholars were associated with CyDiplo – a Jean Monnet Network of Excellence exploring the emerging field of cyberdiplomacy in the EU; as well as the growing geo-political and security-driven focus of EU policy in this field.
From a variety of disciplinary and topical perspectives, the members of the panel all interrogated what issues pertaining to inequality are raised by what the EU is doing in the field of cybersecurity. The first contributor Professor Andrea Calderaro (Cardiff University/EUI) focused on the mixed impact of EU internet diplomacy on the Global North-South Digital Divide; the second speaker, Professor Agnes Kaspar (TalTech), explored how inherent tensions within the EU’s narrative construction of cybersecurity produce unequal capacities; and lastly Professor Joe Burton (ULB) tackled why inequality itself is a cause of cyber insecurity.
Cybersecurity as foreign policy
In exploring the global inequalities in Cyber Diplomacy, Pr. A. Calderaro sketched the promise and pitfalls of European external cybersecurity capacity building efforts. In his own words, the context is one of “a growing demand for a transnationally coherent and coordinated governance approach to cybersecurity, cyber diplomacy is emerging as a priority in states’ foreign policy. However, due to the fast-changing geography of the internet where most of the internet users live in the Global South, there is a significant need to develop cyber diplomacy dialogue beyond the Global North”. This in turn raises questions born from the radical asymmetries in negotiation capacities between both-sides. With serious concerns arising about the Global South’s ability to engaging with the complex and multistakeholder transnational dialogue underpinning internet governance.
Indeed, the transnational nature of the internet – in terms of its physical infrastructure as well as the routing of data across multiple jurisdictions – necessarily means its management and safeguarding involves multiple State-actors as well as several transnational corporate services providers.
This multistakeholder and multinational reality has created an imperative for a complex and difficult to sustain multilateral and intersectoral (state-private) dialogue which actors from the Global South are ill-equipped to fully engage with. So, even though an inclusive transnational dialogue on the internet and cybersecurity is key, specific diplomatic measures are necessary for it to crystalize.
This is where a space could exist for EU external action and capacity building to play a role in bridging North-South divides in the field. Such internet diplomacy involving the “adoption of diplomatic practices by States and non-state actors to negotiate agreements in the cyber domain” is a new set of challenges and practices not to be confused with either digital diplomacy (i.e., use of digital tools by diplomats and foreign ministries) or Cyber-Diplomacy (i.e., security dialogues on cyber threats involving foreign & defence ministries). As an early-mover and a traditionally proactive member of global internet governance fora, the EU is well positioned to play a constructive role in terms of internet diplomacy targeting the Global South, but only timid EU initiatives have emerged so far with the EU prioritizing other goals.
Most of the current discussions on internet governance are concentrated at the UN-Level in the UN Group of Gov experts & the Open-Ended working Group (UNOEWG). While engagement with the UNOWEG varies greatly between countries overall, the Global North produces the lion share of interventions shaping UNOEWG. Investments in Internet Diplomacy or Cybersecurity Capacity Building to tackle this divide within the governance instances vary across the global, but above all the share invested in Internet Diplomacy centred on transnational dialogues is consistently limited, with only +/- 6% of the EU budget in the field flagged to this end.
Pr. A. Calderaro explains said timidity considering priorities and practices that have only shifted recently at the EU-level. As such, a potential for growth and heightened action of the EU in response to the Global North-South Divide in Internet governance Fora is seen as a possible result of the increasing role of diplomatic frames and actors in European cyber policymaking. In contrast to the early days of internet governance where EU policymaking on cyber enjoyed significant early-mover advantages and was coordinated through the relevant topical line DG – i.e., DG CONNECT which had its own “international Affairs Desk”, more recently the coordination of EU cyber policy has increasingly shifted towards the EEAS bringing in more geopolitical considerations and diplomatic practices. As the EU redefines its role in global internet governance efforts in more geopolitical terms, questions of internet diplomacy and the unequal access to global governance dialogues will become an increasingly pressing challenge for European policymakers as they seek to make their mark in an increasingly crowded space where previous early-mover advantages have waned.
The EU cybersecurity narrative
Though a discussion of dual-use cyber tools, Pr. A. Kasper showed how EU’s narrative constructions on cybersecurity introduced unequal and fragmented capacity building dynamics. It was indeed the lack of a unified EU cybersecurity narrative and the unequal implementation of European Cybersecurity strategies that prompted the analysis of the specific example of export control mechanisms mobilized in the framework of the dual-use technology controls.
Ever since the EU’s first Cybersecurity Strategy in 2013 it has sought to “lessen its own vulnerabilities by shielding Europe from the harmful effects of global cyberspace and reducing the threats originating from outside the EU using various legal, policy and technological means”. International cybersecurity capacity building is seen as potentially contributing to both aims.
However, as Pr. A. Kaspar reiterates “cyber capacity building is not value-neutral, in particular when it comes to policy dilemmas, such as uses of encryption, exploitation of software or hardware vulnerabilities, or deployment of different emerging technologies”.
While the EU ISS (2021) does not offer clear-cut normative choices in the field, Pr. A. Kasper shows how a European value frame of sorts seems to have been produced as an unintended consequence of the EU exercising its technological sovereignty, notably in seeking to keep a tighter grip on dual-use technologies.
Fundamentally cybersecurity is about the confidentiality, integrity, and availability of data. In this respect there is an obvious capability gap between States which increases the vulnerability of global networks. In response, this calls for a wide-ranging cybersecurity capacity building (CCB) efforts ranging from technical assistance and tech transfers to legal frameworks and organizational architectures by way of heightened cyber awareness. However, the unintended cybersecurity framework the EU seems to have built for itself offers a far more restrained definition and it can vary across different cases. Its defining feature seems to be a function of the prevailing threat perception which can vary across countries as well as UN agencies with differing threat-definitions. In one value system the perception of the threat will be very different from another. Overall, inequalities in threat-perceptions and cybersecurity capabilities are unavoidable but the question is how much is acceptable, non-detrimental and legitimate, be it within the EU or at the global stage.
In the specific case of the EU, its international capacity building strategy Pr. A. Kaspar unpacks the shift from “closing the digital divide” to “advance responsible state behaviour in cyberspace strengthen global capacities” by way of a call for “greater differentiation”. In the lead up to the 2022 Strategic Compass’ cybersecurity increasingly prioritized partnerships serving narrowly defined EU interests. This produced a European operational agenda differentiating between partners as it sought to increase the resilience and capacity of those partners necessary to the investigation and prosecution of unwanted and dangerous online behaviour. What the EU’s unintended normative framework seems unwilling to do countenance however is additional surveillance regimes. Equally it prioritizes civil and political rights over economic and social ones. Equally limits to the EU’s internal dimension (e.g., internal issues). Lastly, regardless of realities on the ground the legitimating discourse associated with European cyber-diplomacy still largely maintains that (cyber)tech is neutral, and that the problems are to be tackled at their roots which are in its opinion necessarily human.
Inequalities as a cause of cyber insecurity
Lasty, Pr. J. Burton unpacks how inequalities themselves contribute to cyber insecurity. This in turn articulates why inequalities should be a central to any EU platform tackling cyber insecurity. Cyber insecurity is defined as any weakness between connected computers, with such weakness having led in recent years to massive losses and ransoms, often targeting vulnerable groups.
These raising threats have gone together with the development of both defensive and offensive cybersecurity tools through both State and commercial services. Despite the unequal distribution of the threats, the costs born from these threats and the tools developed in response to the threats being widely accepted, the political economy literature on this topic is in its infancy with little focus being given to the role inequality might play in rising cyber insecurity as it is both a cause and consequence of the current problem. In response to said gap in the literature, the presented paper “assesses the extent to which societal and global inequality is a cause of or contributor to cyber insecurity” and to this end it distinguished three types of inequalities: (i) power-, (ii) access-, and (iii) responsibility-related ones.
Power inequality, understood as asymmetries between actors, be they state or non-state, is the central root of the international system and its corollary systems of checks and balances. Inequality in all its forms is the defining political problem of said international system, as power inequalities are born from the asymmetries at the intersection of (i) market power, (ii) social power, and (iii) political power. Similarly, States use cyber tools to either entrench or close power asymmetries. While great powers often use offensive capabilities against smaller players because their cyber power is largely unchecked, smaller players will use the cover of defensive capabilities to possibly balance larger players by way of anonymous networks. However, if akin to traditional security dilemmas cyber insecurity is a symptom of power inequality between sovereign states; commercial power inequalities are a distinctively potent also feature in the cyber space. In particular, the recent consolidation of the global internet between a few very powerful internet companies has raised new forms of power asymmetries between actors which have compounded the traditional inequalities between State actors.
One of the fallouts from the widening power inequalities is a rise in access inequality.
While obviously a product of power inequalities, access inequalities are also a consequence of specific widely shared practices which are causing inequities in terms of access and engagement for States and citizens from the Global South. For example, the generalized and widely accepted use of lesser, pirated, out of-date products in the developing world are a source of increased vulnerability and cyber insecurity. Equally, a structural lack of diversity in the cybersecurity workforce has proven to be a further source of insecurity as it has entrenched certain blind spots and allowed some undesirable behaviours to become ingrained. With state- and private-sector led cyber security efforts within and beyond the EU overlooking several intersectional concerns related to gender, racial or socio-economic hardship. Narrow threat-definitions, gendered stereotyping, and uncritically repeated practices all feed of the unequal access to the field of cyber security and in turn produce additional weakness and thus cyber insecurity.
Lastly, Pr. J. Burton adds to reinterpretation of the previous two inequalities with an original contribution on the growing inequality in responsibility. Building on the observation that the recent growth in cyber security policies has mainly involved the security and intelligence communities, the question of the growing inequality between policy domains and expertise is intelligently raised. Responses to perceptions of cyber insecurity are shown over the recent past to have primarily involved military and intelligence practices reliant on a centralized sovereign response that stands in contrast with the decentralised multistakeholder reality of the internet. The relative marginalization of other expert communities such as technical, legal, academic, or police-related voices in favour of the military or intelligence-community-related ones has produced new sources of insecurity and non-transparency. Overall, the centralization that has come with shifting responsibilities and practices in the field is shown to have increasingly contributed to further inhibiting access to a free and open internet experience.
In general, the panel broached the overarching challenge of inequality in European cybersecurity policies from three different yet complementary perspectives, thus proving inequality is central to the field, whether as a product of the Europeanisation of policy narratives; as a target of European external capacity-building policies; or even as one of the main roots of the challenges facing European policies in the field. Collectively, the panel clearly articulated the centrality of the ‘inequality’ question to any European cybersecurity policy; be it as the product of, the target of, or the root of any further European (dis)integration in the field.