European Cybersecurity in Context: A Policy-Oriented Comparative Analysis

The almost total reliance of modern societies on information and communication technologies (ICTs) has made cybersecurity a top priority in EU agen- da-setting and policy-making processes. Empirical data suggests that anarchy is likely to prevail in cyberspace, despite several international normative and regulatory attempts to govern the responsible use of this muddled domain. Indeed, the implemen- tation of an effective governance system based on non-binding norms is apparently considered an opti- mistic mirage. This pessimistic evaluation is triggered and exacerbated by the intrinsic features that char- acterise cyberspace: as explained by the National Military Strategy for Cyberspace Operations in 2006, the cyber domain has core attributes belong- ing to the acronym VUCA (Vulnerability, Uncertainty, Complexity, Ambiguity). These attributes enable the increasing divergence between states’ declarations in support of cyber norms and their real (or realistic) misconduct of large-scale cyber operations against their adversaries, for military, economic, and polit- ical purposes, which are deemed legitimate by the various sources. The result is a complex interplay between ‘personalised’ and vague regulations and the safeguarding of states’ national interests. There is an extensive literature that covers the pro and cons of the cyber domain, ranging from tech- nical definitions and socio-political peculiarities to ongoing progress in integrating the virtual and physical dimensions. However, recent political and military events (i.e., the Russia–Ukrainian conflict, USA–China confrontation, etc.) have stressed: a) the strategic importance of the cyber domain in the international political power dynamics of the twen- ty-first century, b) the growing intersection between cybersecurity and space security for national security and international stability and peace, c) the growing importance of private actors in guaranteeing both digital transformation and national security (i.e., Internet Service Providers, Over The Top, technol- ogy leading companies, SpaceX), d) the new powers acquired by non-state actors to influence conven- tional forms of conflict thanks to the unconventional means granted to them by the digital revolution. With this distressing reality in mind, the major con- cern is that, due to the above-mentioned peculiar- ities of cyberspace, it is not possible to implement binding cyber rules or norms to deter the offensive use of cyber capabilities. According to a cost-bene- fit analysis (conducted in line with a construct of the realist theory of International Relations), an aggres- sor has more incentive to deviate from than to observe existing international norms of responsible state behaviour in cyberspace because no targeted retaliation is internationally declared if red lines are crossed. This creates a vicious cycle with serious political, social, and economic repercussions. This scenario highlights the need for adequate normative and policy tools and an appropriate reg- ulatory framework to avoid and prevent the mali- cious use of the cyber tools. In this sense, Joseph Nye, in an article published by Foreign Affairs, was correct to point out: ‘violations, if not addressed, can weaken norms, but they do not render them irrelevant (...) history shows that societies take time to learn to how respond to major disruptive techno- logical changes and to put in place rules that make the world safer from new dangers’.