Cyber security is becoming an increasingly prominent issue in the transatlantic political community. Henry Farrell, associate professor of political science and international affairs at George Washington University and co-author of a forthcoming book on privacy and homeland security in the EU-US relationship, spoke toEuropolitics about the key challenges ahead. While the United States, fearful of cyber attacks from China, has for years been devoting major government resources to address the threat, Europe is much less well prepared, Farrell believes. The challenges it faces include lack of institutional capacity and competence, impending turf wars and divergent EU and US approaches. 

What does ‘cyber security’ actually mean?

There are several ways of thinking about it. You can think of it in purely technical terms, from the operational perspective of somebody who is managing some kind of computer system and is trying to prevent incursions into that system. But you can also look at it from a top down perspective, where it is another aspect of national security and it is this perspective that has come to dominate in the US. The attacks against Estonia in 2007 are a good example, where you saw perpetrators, without very many resources, managing to paralyse substantial portions of the economy. In such attacks, you typically would bombard a publicly available website with fake requests and if you succeed, you overwhelm the system and make the website completely inaccessible. The attacks are usually launched through botnets, networks of computers that have been compromised. They might be perpetrated against a country for something that country did, as with Estonia. It can also be used as a form of blackmail against companies - for example gambling websites, and it is used to attack various NGOs, such as Falun Gong or Wiki-leaks.

Why is it becoming such a big issue now?

The focus is being led by the US. The US government is pouring billions of dollars into it. They have set up a major centre for cyber security (Cyber Command) within the Department of Defence (DoD) and they are talking about upgrading its role so that it has the same importance as commands covering entire regions of the world. A lot of it has to do with the US perception that China is engaging in cyber espionage - trying to grab commercially and militarily sensitive information. The other issue is that the US feels that if there is a conventional war, the US wants to develop an offensive cyber capability capable of overwhelming the defences of any other actor. The US is, meanwhile, looking at its allies in Europe, seeing that they are less developed and seeking to make them more capable of defending their own territory.

What role should the EU play?

The EU is in big trouble on cyber security because of the way it is set up. In the US, the DoD is in the lead in coordinating but it has a lot of linkages to other parts of the US government, like the Department of Homeland Security (DHS). The EU can’t do that because cyber security involves both traditional national defence issues and homeland security issues. The EU has a lot of competences in the latter, where it works closely with the private sector. But it has almost no capacity or competence in the former so the national security stuff is happening through NATO, which only deals with the militaries. These two parts are completely disconnected and we don’t have good ways to link them.

What potential turf wars do you see developing?

In terms of EU-US relations, I don’t see a turf war. In fact, people don’t realise that the quiet story which has developed since 9/11 has been one of growing cooperation, especially between the DHS and the European Commission. This story is much more important than the flashy headlines about the EU and US fighting over privacy and security. Within the EU, we see an effort from Home Affairs Commissioner Cecilia Malmström and others to plant their flag in this territory. Because while they don’t have the competences to do the national security stuff, I still see a push by the Commission to establish networks of expertise so that later down the line, when there are institutional changes, they will be at the front of the queue in demanding more competences. Europol, too, sees this as an area where it can expand its authority. I think the European Parliament will accept these extra powers as long as it gets its oversight. However, you may see some fights developing with data protection commissioners.

Do the EU and US approach cyber security differently?

Yes. The EU prefers to exercise its weight through regulation, treaties, persuasion and financial incentives, but not through the projection of military power overseas. So I see the EU being willing to take on a role on cyber defence but not any kind of offensive capacity. The US, by contrast, has adopted the Teddy Roosevelt policy of speaking softly but carrying a big stick. From the US viewpoint, defensive and offensive ability go together. I also think that the EU will be more willing than the US to listen to Russia and China’s calls for an international treaty.