sign in sign up
<<
Home , French Defence

EUROPEAN COUNCIL ON FOREIGN SOVEREIGNTY STRATEGIC RELATIONS ecfr.eu PROTECTING EUROPE AGAINST HYBRID THREATS

Gustav Gressel

On 12 October 1983, Ronald Reagan signed off the top secret National Security Decision Directive 108 on “Soviet Camouflage, Concealment and Deception”. The document SUMMARY bluntly stated that: • Geopolitical rivals to Europe are increasingly incorporating hybrid threats The Soviet Union has developed a doctrine of “maskirovka” which calls for the use of camouflage, into their armouries – and deploying them. concealment and deception (CC&D) in defense- related programs and in the conduct of military • This amorphous set of threats exists below operations. They define maskirovka as a set of the level of war, enabling other powers measures to deceive, or mislead, the enemy with to exploit existing societal divisions respect to Soviet national security capabilities, and sow confusion and instability. actions, and intentions. These measures include concealment, simulation, diversionary actions • To deal with hybrid threats on their and disinformation. A Soviet Directorate for own, EU countries will need to more strategic maskirovka has been established … Several recent discoveries reveal that the Soviet thoroughly investigate such hybrid activities maskirovka program has enjoyed previously – and go public with their findings. unsuspected success and that it is apparently entering a new and improved phase. • Europe should pursue a ‘dual track’ approach of confrontation followed by This quote could easily come straight from a defence white dialogue with unfriendly cyber powers. paper of an average NATO member state in 2019. Europe’s current geopolitical circumstances are not the first in which • EU member states should also jointly it has had to face threats of a “hybrid” nature. They are invest in offensive cyber capabilities unlikely to be the last. within PESCO, expand Europol’s remit The situation may not be wholly new, but it is certainly to include counter-intelligence, and strained nevertheless. After a decade of economic crisis, improve personal cyber hygiene standards Europe’s political systems are worn out. Relations are worse in government and among citizens. than usual among some of the European Union’s member states, between Europe and the United States, and between social groups within member states. And it is now cheaper and easier than ever for those wishing to exacerbate those cleavages to do so through cheap social media adverts, a few bots, and a handful of hacks – all backed up with some shady

June 2019 finance schemes. Without relying on the US, can Europe 2 ECFR/289 June 2019 www.ecfr.eu STRATEGIC SOVEREIGNTY: HOW EUROPE CAN REGAIN THE CAPACITY TO ACT tts r nat eorce pecuid ih hi own their with 1 preoccupied democracies infant or states reforming by surrounded largely was Europe 1990s the In European wayoflife. subversion, let alonedirectmilitaryaction, is athreatto the that accept not does that Europe in prevalent still zeitgeist environment; matter: globalisation and the common market; and a post-historical geopolitical factors war main in inherent vulnerabilities and legal technological post-cold Three changing exploit. the can adversaries external that opportunities several provides today EU The threats Europe today: Fertile territory for hybrid the it latent threatofpotentialfollow-upviolence. within contains Russia as such players powerful by the remains action non-direct use its – although threats hybrid of manifestation principal said, That deniability. of characteristic the retained men’, green ‘little of deployment Russian with action, direct That Crimea. of invasion the in culminated eventually the Ukraine of witnessed destabilisation Russia’s they had been have Ukraine, extensive subversive effort Russia made in pre-war Ukraine. not against would war they hybrid but Russia’s of determination a and speed allows the by surprised that were Europeans western Most way a situation. the of in advantage take and enter to power foreign society opponent’s an weaken can conspiratorial, andsubversive efforts intelligence, Extensive action. subversive further for stage preparatory rather a but in itself, And disinformationisrarelyanend elements. these beyond far go adversaries their weaken to assets unattributed and undisclosed using of means states’ But campaign. hybrid a of element visible most the is news fake understandable: is attention This manipulation. media threats hybrid social about and warfare, information news, fake on concentrates debate Public pressure. assassinations, economic by are they disinformation,manipulation,and corruption, spying, as punctuated peace of ‘hybrid’, periods are even Indeed, today. hackers by malware written Trojan the to Odysseus by devised horse Trojan the from history, throughout used been have tricks Hybrid policy fieldsarefusedtogether.” various from threats when play into comes Hybridity own]. Foreign on Council European Relations: “There is no such thing as a ‘hybrid threat’ [on its the told hybrid recently for “ambassador threats” of title bestowed newly the with official state member EU one As threats. such behind force aggressor’s the strategic interests. There is an implicit warning of the use of with complying into threat a of object the resortto coerce to is threats hybrid of purpose The violence. physical not do that inshort, actors (deniable), affiliated officially But, ‘subversion’. not but state-sponsored, of use the to refers threats’ ‘hybrid and conflict’, ‘asymmetric war’, it,and ‘non-linear as such to too, it with compete terms themselves other attached have definitions Various threats’ ‘hybrid term The What are‘hybridthreats’? From Trojanhorse to Trojanmalware: can EU the deal withsuchthreatsiftheyhavetoactalone. of states the extent what to and how assesses paper This threats? hybrid of face the in sovereign be really Telephoneinterview, 7February2019. has 1 obfl ocpul value. conceptual doubtful countries combat these threats. For some states, and even and states, some For threats. these combat European countries which the with between methods and differences importance, huge urgency, are There to and approaches threats. of diversity patchwork hybrid a retains Europe’s it that of is openness flipside the Fundamentally, strong politicians inmostoftheEU. a of patient option The is that and public for the uncomfortable deeply is response issues. resolve instinct will first engagement governments’ European – through when as such result, action intelligence or hyper-aggressive threats hybrid – a bullying geopolitical As with confrontation. confronted than rather which dialogue culture, political Europe’s in through resolution seeks very much that remains one reflected is this All returned to2008levels. years, European in recent overall defence spending the dangers swirling around them. Despite modest increases by untroubled fundamentally remain Europeans most but view, world this in dents small some made have Syria and harsh global and the regional reality to Europe faces. up The wars measure in Ukraine not end-of- does that Fukuyaman, view world a history developed largely have alike elite political and public Europe’s Both issues. these to approach laissez-faire a on settled has Europe choice. of matter a is it and globalisation: progress in technological risk inherent a not is attacks hybrid to vulnerability increased Europe’s but hostilestatescanalsoexploitthem. vulnerabilities, these of use make will criminals cyber state Non- alike. drivers Uber and ministers European by used Alexa speakers, WiFi-activated lights, and smart thermostats with – things of internet the of coming the with number, in amount of data and intelligence. Attack points are increasing military an increasing access actors tosuccessfully hostile enables from – infrastructure range communication to5Gtransmitters, to votingmachines– Digital wide points. a with attack actors of foreign hostile provided have digitalised EU’s the place, society and interconnected and increasinglyopen economy taken have changes these As technology industries. programme alsoencompassesstrategicinvestmentsinkey cyber attacksagainstindustriesandresearchfacilities, butits a softer target than the US. as It concentrates on launching Europe sees China active; very is economic espionage operations arelessvisiblethanRussianones, Chinese influence Chinese While apparatus. state its of assertiveness Another development istheriseofChinaandincreasing Europe. but US, the on Arabia’s concentrate Saudi active. also are and Iran Turkey but respects, these in actor best-known the is of gaining control by also communities, but emigrant targeting information operations through developments domestic their on narrative the control to want also may states Such silencing, involve may which suppressing Europe, to ideologies and instincts repressive states’ spreading of that including aims, in forces anti-system of variety a have can with projection power This well. as Europe work them in power of soft Many and Europe. hard both project to seek that powers ambitious neighbours continent the Now, transformation. I Erp, Russia Europe, In organisations. cultural andreligious , oreven dissidents residing there. residing dissidents eliminating of them are visible in are visible them of some influence operations influence has only has skilled skilled political parties, taking these threats on is a full-time them are Sweden, Finland, Poland, Lithuania, and Spain. state activity; for others, ‘hybrid threats’ is a temporarily This list suggests a particular concern with Russia. Spain is fashionable term peddled by geopolitical scaremongers. a geographic outlier but, as one European diplomat explains, Thus, resources, competencies, and political choices focused the 2017 independence referendum in Catalonia forced Spain on hybrid threats vary wildly across the EU. to rapidly prioritise hybrid threats.5 The biggest EU countries, France and Germany, have not really internalised the notion The EU’s role of hybrid threats yet, but both have been seeking ways to respond to them. States such as Austria, Hungary, and Italy Parts of the EU’s machinery have been very active on these do not yet appear to be much concerned with hybrid threats. matters, but it still lacks a holistic approach to them. In recent years, new communications, laws, strategies, task forces, Overall, despite increased EU and member state activity funding, and member state working groups have emerged on cyber issues, a lack of coordination and leadership to bolster the EU’s security and resilience. For example, in from the top means that hybrid attackers continue to have 2017 the EU set up a Cyber Diplomacy Toolbox. The EU’s diverse opportunities to conduct operations. Some of the cybersecurity agency, the European Union Agency for EU’s external competitors are less than fearful of its efforts. Network and Information Security (ENISA), is set to receive Vladimir Putin’s special representative on information a revamped, and stronger, mandate. Speaking to ECFR, security has compared Russia to a cyber elephant and the one senior European official dealing with cybersecurity EU to a small, irrelevant barking dog. So, the question for characterised ENISA as “frankly, a think-tank”.2 Even with Europe concerns how it can build up its capacity to resist the revamp, it will remain a tiny agency by any standards: hybrid attacks, while also adopting a foreign policy posture the number of staff it employs is set to rise from 84 to 125, that is not simply defensive but actually contributes to a and its budget is set to increase from €11m to €23m, over gradual reduction of the threats directed at it. the next few years. Intelligence agencies and hybrid threats This process has been somewhat reactive and still lacks high-level political leadership. One senior member state Intelligence activities are central to efforts to combat hybrid diplomat has remarked that: “The EU Council and member threats: intelligence agencies are usually the first to do states’ response to hybrid threats in Brussels have been everything from tracking cyber attacks to identifying foreign mostly driven by the Skripal affair. The Commission has funding for violent anti-system forces. Other investigative been doing a lot of work on cyber and the security union. forces, such as police and prosecution services, rely heavily The [European External Action Service] has done plenty of on them. However, a multiplicity of actors is involved in good things on the working level – good action plans, task intelligence: the military, the police, national intelligence forces, conceptual work. But Mogherini does not want to services, national cybersecurity agencies, private companies touch the subject. And there is little sense of coordinated (which also have cybersecurity obligations), media actors, and strategic work on the matter. And many think [it is] just NATO, the EU, Europol, and ENISA. another irritant on the agenda of EU-Russia relations.”3 This institutional hotchpotch is mirrored by a wide Increasing adhocism accompanies this incremental variation in national bureaucratic security cultures. One institutional progress – which takes the form of coalitions official working on this subject outlines the challenge in the of the willing cobbled together on a case-by-case basis, following way: “Hybrid threats come from outside the EU, beyond the realm of EU bodies. These developments point but the way you combat it is through institutions that deal to a lack of ambition for a more coordinated EU-level with domestic issues – police, media watchdogs, education response. This is especially the case on the most threatening systems, border guards, anti-corruption watchdogs.”6 hybrid attacks. For instance, diplomatic expulsions over the However, it is not just, or even mostly, the proliferation of Skripal affair took place outside the EU framework. And agencies and actors that had created the EU’s inadequacies so did public attribution and indictments against Russian in this area. A lack of political leadership is also responsible. operatives who tried to hack into the Organisation for the The same official adds that: “the [agencies] don’t have Prohibition of Chemical Weapons (OPCW). When that the culture and often the desire to be combating external incident became public, non-EU member states such as New threats. Especially because some of these threats are Zealand, Australia, Canada, and the US released statements certainly no good, but they are not illegal: fake news, in support of the Netherlands that were more forceful than conspiracy theories, trying to influence history narratives those from half a dozen EU member states. And this was or manipulate identity issues and feed culture wars is not despite the fact that the OPCW headquarters is located in illegal. Quite the contrary. They often are part and parcel EU territory. One senior EU official recounts excruciating of domestic political practices.” Aggressors take advantage meetings in which some member states stonewall others of this legal patchwork by picking the jurisdictions with when they try to obtain support to attribute attacks to the weakest regulations as bases from which to conduct state-backed hacking groups This is despite reams of cyber operations in other countries. forensic evidence and intelligence assessments.4 A basic lack of resources is also a major problem. There are Some EU member states that acknowledge hybrid threats as a few fields in which Europe as a whole is so dependent on major priority have appointed special ambassadors or created American support, and where the discrepancies between dedicated units within the government or their foreign affairs the haves and have-nots within the EU are as great, as in ministries, to coordinate responses to these threats. Among intelligence. Today, only the United Kingdom and France 2 Interview with EU official, Brussels, 12 March 2019. have the requisite legal frameworks and capabilities to 3 Telephone interview with EU member state diplomat dealing with hybrid threats, 25 January 2019. 5 Telephone interview with an EU member state diplomat, 11 March 2019. 4 Interview with EU official, Brussels, 12 March 2019. 6 Telephone interview with EU member state diplomat, 11 March 2019. 3 4 ECFR/289 June 2019 www.ecfr.eu STRATEGIC SOVEREIGNTY: HOW EUROPE CAN REGAIN THE CAPACITY TO ACT ae fetvl otore itliec t ter S ally, US their to intelligence outsourced effectively have states European Most agencies. US by provided intelligence without attacks terrorist prevent to able be not would states European most that is truth the Indeed, great. particularly countries’ is their dependence this countries, European some For safeguard interests. to US rely the services still They with China. cooperation or intelligence on US the of best-equipped those to equal EU’s not are the even Yet strategic states, other intelligence islittlemorethanguesswork. most For and to. governments up their are what bureaucracies into insight gain and to Arabia, Saudi Turkey Russia, Iran, China, as such countries European few in sources developing systematically a of capable are states Only risk. at are north programmes assistance as operational (such to Europe to Africa and the Balkans), confined where European troops and foreign close theatres often in intelligence are European addition, efforts In it. intelligence upon act should they whether not therefore, and, do accurate is intelligence they their whether know that means This intelligence. electronic and through other sources,particularlysignals – thisintelligence invalidate or – validate to chance a have not do They states. is what these of moves the anticipate and countries in other on going them tell to – processes of decision-making knowledge foreign personal on with rely people – agencies intelligence human intelligence European most Currently, was this While focus. necessary, state actors have made a comeback in recent main years. services’ intelligence became and networks adaptation terrorist – actors hostile state rather than – radicalised individuals similar groups, a sub-state Hostile through process. Most went threats. services asymmetric intelligence and warfare refocused expeditionary armies European on war, cold the of end the After all spheres.Andtherearemanystrandstothis: in operations and counter-intelligence intelligence conduct • • • • • on oneselfinalltheareasmentionedabove. intelligence gather to attempts enemy’s the foiling monitoring,and detecting, Counter-intelligence: ways to intercept, decrypt, deceive, or defeat them. find and capabilities, their out work activity, and theirdeployment to detect communications systems and platforms, of sensors, corresponding systems, weapons (signatures) enemy fingerprints emission and collecting intelligence on otheremissionsandsignatures: intelligence Electronic and-control processes. command- its into and insight gain access to them enemy’s the andanalysing decrypting communications before intercepting intelligence: Signals means (suchastroops,money,andpropaganda). of tactical priorities,anduse orders, operational and moves, their anticipating military, and assets) paramilitary economic, assets diplomatic, operational (including enemy’s the monitoring and identifying, detecting, intelligence: Operational as welltheirdecision-makingpreferences. moves and interests of other countries’ leaderships, the or anticipating predicting intelligence: Strategic n Urie ec o wih a a esnby strong and anti-EU promoting reasonably on focused mostly have operations a has which of – Russianinformation consensus anti-Russian political each – Romania, Poland, Ukraine Georgia, and as such countries In France. the active insupporting also been groups from abroad. Many pro-Brexit Twitter accounts have been systematic, often automated, efforts to boost pro-Leave had there that concluded F-Secure company cybersecurity a In This isallinplainsight. continent. the across parties populist of activities the and France, in in destabilises protests referendums jaunes moment: whatever and Catalonia,gilets Scotland given any support at politics to European appears RT opinion. domestic European shape to seeking in role a play least at government Russian the to linked bodies that suggests as RT such outlets news state-backed Russian of activity The discussion onbothsidesisoftenspeculative. the public and political elites do not see them anywhere. The of sections large Equally everywhere. elections influence to attempts Russian see elites political the and of public Sections European . such of scale and reality the into about much scepticism is also means there activities these investigation proper of lack a elections, European in In Europe, while there is much talk about Russian interference the presidentialelectionearlyon into intrusion cyber Russian of US the informed Dutch the likelihood, all in that, fact the despite is This interference. Russia of scope and nature exact the understanding in has Europe than activities. progress more made these has US the dispute sense this In longer no to seems Russia Even and credible details of names, procedures, and money flows. directly the presidential election. So far, influence to effort Russian the of evidence publicise helped has investigation Mueller the US, the In referendums. and elections European in interference Russian any about than election presidential American 2016 the influence to tried that operators even more and techniques, scope, much exact the about know citizens American and European most electoral Russia has indeed tried to influence some elections. By now, European in that assume Westerners Most interfere referendums. and processes to attempts Russian of scale and level the of understanding unified a lacks Europe Russia andelectioninterference Huawei products. and Kaspersky use to whether and attacks, cyber Russian to how to on respond to how those interference, election Russian include with deal debates These threats. such of to how consequences, administrative and decide regulatory the to with deal reluctance the of and views, countries’ European between divergence the of illustrative are debates policy ongoing Several phase. acting, than rather thinking, threats, Europe’s response to the issue is generally still in the to combathybrid creating aseriesofstrategies Despite Current ‘hybridthreat’policychallenges from. benefit nevertheless but dislike may citizens their activity in engaged have not that they to makeout them enabling f 4 ilo Bei-eae tweets, Brexit-related million 24 of recent analysis ae en ae. hi idcmns ie specific give indictments Their named. been have 25 Russiancitizensinvolved . protests in jaunes protests gilets anti-NATO sentiment and ‘neutralism’, or equidistance For example, one Nordic diplomat interviewed for this between Russia and the Western alliance. paper was convinced that the UK’s Conservative Party had deliberately stonewalled a full investigation into the Russian However, it is unlikely that Russia is involved in every role in Brexit because this would have been embarrassing for disinformation campaign that takes place in Europe. In it – as the champion of Brexit. If they aim to devise policies some of these campaigns, Russian disinformation activities that strengthen their sovereignty, European countries must have been absent or modest, or have paled in comparison gain a coherent shared understanding of the threat that to local political parties’ manipulation of the media. For Russian interference poses to their domestic politics. instance, when Facebook took down 168 accounts trying to influence elections in Moldova, most of the accounts Russian intelligence were local, not Russian. The Macedonian referendum held in September 2018 also attracted claims of Russian Russia’s interference in European elections has primarily interference. But none of the multiple political players ECFR been an issue of disinformation, igniting a controversial asked about this on a visit to Skopje during the campaign debate on media standards and political accountability of – from the prime minister to political party operatives and internet companies – Facebook and Twitter above all. But pollsters – had seen a massive Russian operation to sway the issue of how to deal with Russian intelligence operatives the vote. And Donald Trump, Brexiteers, and the French is even more explosive for European cohesion. For example, far right have had much greater success than RT or Russian after the Skripal attack, EU member states Austria, Cyprus, trolls at spreading fake news and conspiracy theories. Greece, Hungary, Slovakia, and Slovenia did not expel Russian diplomats. This led to a discussion on solidarity European countries’ law enforcement agencies and among EU states such as the UK – having witnessed a Russian- parliaments have barely even begun any sort of systematic sponsored chemical attack on its soil – wanted to send as and detailed attempts to untangle myth from reality in strong a message as possible. The Austrian government’s Russian attempts to influence European elections and explanation of its reluctance to expel diplomats – that it referendums. This allows intra-European mistrust to grow. should not take sides but serve as a “bridge” between east Even states with similarly critical views of Russia do not and west – further irritated other European governments, as entirely trust each other on this question, underlining the it suggested an equivalence between an external aggressor difficulties of forging a unified understanding of the threat. and the EU member that had been targeted. 5 6 ECFR/289 June 2019 www.ecfr.eu STRATEGIC SOVEREIGNTY: HOW EUROPE CAN REGAIN THE CAPACITY TO ACT Kaspersky anti-virus programmesa however: including data, personal transfer structures data, toRussianstate location would it fear for Taxi, agencies. government Lithuanian officials have been advised against using Yandex from software in US Kaspersky the banning followed have Netherlands the and Lithuania, for a ban onmaliciouscyberproducts and called The European Parliament has already singled out Kaspersky as YandexTaxi. such services taxi Uber-style centreseven or Baikal, data Lake around Lenovo, Xiaomi, ZTE, include could These well. as companies non-EU other involving controversies in the themselves find eye ofapoliticalstorm, buttherearelikelytobesimilar currently companies two critical These hold China? and Europe or they Russia, and majorEurope between a crisis Can of event the in powers? hostage EU the foreign in infrastructure by data and these apotentialconduitforthecollectionofintelligence as such companies Are equipment? telecommunications Huawei’s and programmes anti-virus Kaspersky’s about ministries, foreign and intelligence services, andtelecommunicationsgiantsdo defence Europe’s should What Kaspersky andHuawei Washington with actor thatcouldreplacetheUS. relations if policy orpolitical further, isnotangible there deteriorate But Europe. contacts working throughout theUS preserve to able in and stable more much remained confidence has community intelligence US the government, undermined significantly have personnel erratic sometimes its and administration Trump the while And affairs. intra-European in balancer external an became – London extent lesser a to and – Washington so, doing In been work. toxic politically has this outsource to counter-intelligence, happy with issues historical has in counter-intelligence work in Germany. And Berlin, which engage to right post-war the have services the British and of US situation, legacy a As imbalances. these addressed mentality. In the past, bilateral cooperation with US services weak laws, and their decision-makers maintain a ‘hands-off’ supervision andoccupationafter1945 – havecomparatively priority. first Germany and its Austria – is both countries counter-terrorism that were but framework under Allied action, legal such the for has France so. do to reluctant more resources in monitoring are Russian operatives, otherstates very robust counter-intelligence laws and invested significant adopted have flank eastern the on states member EU While these preparations. progressed as well. Europe has a mixed record of disrupting of positions have – infrastructure in critical of reconnaissance and agents power, placement the data, of excavation and espionage, penetration reconnaissance, cyber strategic actions other that assume as sort ofactivity–such basisforthis provide the that may One actions. covert tier top- are actions These enemies. perceived of assassination training forparamilitaryresistancegroups,andthe military incursions, preparation ofinfrastructureforfuture aims: forces,thepurchaseand cultivation ofanti-system In others, their activities hint at much more espionage. classical robust involve subversive operatives Russian of activities known the cases, Insome debates. security in public up pop increasingly services intelligence Russian of activities The Gray ad nepl ae given have Interpol and Germany, , Belgium clean billofhealth . Others disagree, Others . . The UK, The . . anti-virus softwareandtelecommunications gear. services or military services if they did not trust each other’s intelligence between exchanges and cooperation risk at put could issues these resolve to failure A this. about go should from operating altogether, it would companies remain unclear these how they prevent to agree to states member EU of number significant a were And, consensus. no reached have they and performance, companies’ these have into looking experts been technical of Hundreds is. problem the what in on agree to begun even interference not has Europe that Russian demonstrates around question elections, the use of Kaspersky the and Huawei, or even Palantir, with As data ourselves,wewillbecondemnedtovassals.” analysing up give we If achievable. is this think I Palantir. European a creating of capable not are we why understand Cyber threats have increasingly moved beyond financial financial beyond moved theft, cybercriminality, andintelligencecollection intomuch increasingly have threats Cyber Cyber attacks h aec director agency The to possible technically it Is disconnect fromPalantir? Would itbepossibletoreplaceit?” data. online of units of billions general directorateforinternalsecuritysince2016toanalyse software of Palantir, a company linked to the CIA, is used by the agency cybersecurity French of the chief the asked One Palantir. about questions raised have intelligence services and agencies enforcement law by used widely is For and China. Russia instance, take the case of Palantir, a US software company that around questions to confined not is hardware and software in sovereignty European of issue The potential lossofaccesstoChina’smarkets to due is act This alone it. let against problem, the about talk to want even not do more companies if notmost,affected in engage to many, espionage, cyber over China with diplomacy forceful ready were governments European some and institutions EU if even that, is problem Another every weekinEurope. story Huawei the in twists new are There governments. and companies sector private between and UK, the and Italy of some European countries, within governments and such as US those the between rows mobile political and tension diplomatic 5G of of source a and deployment potato hot political a become has networks the in participation Huawei others, suchastheUK, have beenmorewelcoming. such as France, have been sceptical of Huawei for years, while to spy on or disrupt entire telecommunications sectors. Some, used be could equipment Huawei whether on disagree States market. competitive a is what in replaced easily or conditions, Anti-virus programmescanatleastbeusedundercontrolled Anglo-Saxon worldagainstRussia.” the pitching conflict a of centre the in clearly is “Kaspersky his Cybersecurity In Kaspersky. National about Agency seemsmoresanguine French the of head the time, same the At companies. Japanese anti- and British from software virus with them replacing Kaspersky of off anti-virus products, gradually ministry itself weaning French is ministry the the for Now, defence. tender a won Kaspersky ago, years Several differ. can approaches countries, within Even . French members of parliament parliament of members French for bigdataanalysis. responded fear of Chinese retaliation and a retaliation Chinese of fear : “The “The question : following the and some other countries other andsome “ cnes d not do I confess “I : . view: France and fake news Fears of combined cyber and information attacks are driving some countries to patch up their electoral practices. Anti-fake news campaigns, laws, and other efforts are under way in several EU countries. France is a relevant case in point. “MacronLeaks” was an attempt to influence the French presidential election in 2017 by hacking and dumping information from Emmanuel Macron’s campaign headquarters. This attack was attributed to Russia. The attempt largely failed not just to influence the campaign, but to even get traction in the media and the wider public. One key reason that it failed was because there was no well-oiled transmission belt connecting the darker corners of the internet, where the hacked information was posted, to the wider public. No major French media outlets reported details from the dump, and whoever wanted to spread disinformation had no network of French Twitter or Facebook followers through which to do so. Since 2017, France has adopted an anti-fake news approach, but the problem is now that the transmission belt for similar attacks in the future is in place in the form of the popular, and reasonably ‘nativised’, RT France, which launched in early 2018. Should an operation such as MacronLeaks be conducted in 2019, it would probably be more successful than the effort two years ago. In 2017 MacronLeaks was played on a tiny speaker for a tiny audience; in 2019 it would use a powerful surround-sound system of television, websites, and social media.

more aggressive actions designed to shape national debates, searching on what to do about hybrid threats. Most EU referendums, and elections in European countries. According countries are still at this stage. Many have identified to Europol, a growing share of these attacks are the work hybrid threats as a priority and, as mentioned above, some of state-supported hackers, rather than just criminal cyber have appointed special ambassadors as a result. But these syndicates or bored teenage hackers working from their countries are still very much in the search phase on specific bedrooms. And there continues to be a lack of preparedness policy issues such as how to respond to cyber attacks and for this on the part of EU and member state institutions. how to handle RT. ENISA states that: “Should a crisis arise from a large-scale cyber incident, Member States would lack a harmonised When the search phase draws to an end, it usually results in framework to effectively respond to the challenges posed by countries selecting one of two types of approach. One is to this incident.” pursue a more or less formal ‘cyber dialogues’ with external powers, which could be official-to-official or minister- Cyber attacks have also taken a political turn, thereby to-minister. Another is to start pushing back through demonstrating their hybrid potential. Unfriendly states public attribution, by ‘naming and shaming’, and even have done this in several ways, from releasing hacked contemplating indictments, sanctions, or cyber counter- information to seeking to discredit and intimidate political attacks (so-called “hack backs”). actors, to using fake or automated accounts. Disinformation, rumours, and manipulation have always existed in politics, Options for the EU and have always been driven by both domestic and external players. Now, they can reach directly, through social media, Dialogue into a much wider spectrum of society. This is especially the case because of the current political turbulence in Europe Talking to those who launch hybrid operations is an and the lack of agreed-upon, Europe-wide safeguards. option perfectly in tune with the European predilection for dialogue. The philosophy that guides this is that a good EU member states currently pursue one of what might be talk is always better than a good fight. And it is the right termed ‘two and a half’ approaches to countering these approach when it works. But it often does not work, such as dangers. in the US-China cyber dialogue initiated by Barack Obama in 2015, which resulted in an agreement to hack each other The ‘half’ approach involves maintaining the status quo. less and, seemingly, only a short-lived lull in aggressive This has evolved from a laissez-faire response to soul- cyber behaviour.

7 8 ECFR/289 June 2019 www.ecfr.eu STRATEGIC SOVEREIGNTY: HOW EUROPE CAN REGAIN THE CAPACITY TO ACT to the cyber domain. Dialogues can thus serve the purpose the serve thus can Dialogues domain. cyber the to energy, as such issues policy visas, andforeign policy on EU the divide to sought states. European between wedges drive operations orto to itshostile responses organised either to tactics Russia’s of part form may dialogues Such way toSyria. north Africa, was reopened to Russian naval vessels on their Three days after this , the Spanish port of Ceuta, in Catalonia.” of republic independent the proclaim to trying of Spain at a time when pro-independence groups have been “will always support the sovereignty and territorial integrity Borrell thanked Russia and Putin and Russia thanked Borrell designed tofueltheindependencemovementinCatalonia ministries November 2018, ayearaftertheSpanishforeignanddefence in minister andhisSpanishcounterpart Russian foreign the between exchange following the example, for Witness, cyber. just not and domains, policy other from concessions mutual if itincludes meaningful become favours canonly of exchange mutual the Thus, Russia. as such country a with to trade are unabletooffermanycyberconcessions they because But, most EU member agreement. states have only US-China meagre cyber capabilities, the with case the was – as feasible be domain might cyber favours inthe mutual of exchange an France, as such capabilities, cyber offensive significant or less more with Russia? Forthose as such state For a country engaged in such a dialogue, what can it offer a the sensitivityofthisarea. would they collection, given ever cover hacking for cyberintelligence believe to hard is it though: limits, their dialogues have Cyber infrastructure. election or infrastructure critical other’s each hack dialogue to not agreements Such in result could pact. non-aggression a even or conduct of code an implicit to agreeing by manner, including in ahostile acting to cease hybrid threats originator ofthe the persuade London with dialogue with Russia. Moscow has allegedly offered to conduct such dialogues cyber bilateral own their launched also Portugal launched cyber dialogues with Russia. In late 2018 Spain has and France instance, For road. this taken have states Some from Russianmedia. came news] false [the that true is it but Russia, of Josep Borrell: We never said it was the government ensuring cybersecurity. in cooperation our on group working that a establishing me to seemed Spanish partners areinterestedinthe idea of It dialogue. through issues emerging discussing for stand We issues. cybersecurity on mechanisms establishing working partners bilateral US and European our to suggested repeatedly have we that reminded colleague my I awry. go to friend, good our Spain, a with than with relations our want not microphone. Wedo rather professionally issues such discuss to prefer we that now, you telling am I as minister, the told I countries. other in processes electoral domestic in interference unacceptable in beyond their journalistic mission go and are involved media Russian some that said He today. this about minister the with spoke I Lavrov: Sergey openly railed against openly as well. The aim of these efforts is to is efforts these of aim The well. as . Now, it applies the same approach same the applies it Now, . hostile online activities online hostile for indicating that they for indicatingthat Russia haslong : a :

f iie atvss h cosrfrne a a registration car a cross-referenced who activists citizen of of Russian operatives–upto305 –byBellingcat network whole a of exposure the to leading operatives, This doubters. Russian two the of aliases real the for search a sparked then staunchest the to much even – looked persuasive suddenly more events of plausibility version of British lack the and that ineptitude such with so did they But involvement. their deny to television twoindividuals Russian on the went poisoning, the Russian of officers alleged intelligence two accused UK the its When confirmed involvement. but all that mistakes several made it in which mode defensive a into Russia forced UK the approach, name-and-shame aggressive an adopting by Furthermore, rest ofEuropewerestrainedoverBrexit. the with relations its when time a at incident, international major a in alone stand not did UK the ensuring of goal the met tactics Such Europe. across partners with intelligence sharing involved that and door Russia’s at firmly blame the laid that campaign vigorous a with responded UK the case, Skripal the In responses. sanctions or diplomatic possible for support building and matter, the to attention drawing public and parliamentarians about what has really happened, the in buildinggreaterresilience:preparingandeducating exercise an also is attribution this, In countries. allied and shore public wider to the among action also government to for but support up just down, not back to is actors attacks foreign attribute persuade publicly to reason key A attacks againstthedefenceministry. cyber of source constant and major a being as Turla group hacker to Russianstate-supported minister haspointed as a state-backed agent of influence, and the French defence acting of RT accused has Macron Emmanuel level. political highest attribution atthe by public punctuated periodically Madrid, 22March2019,undertheChatham Houserule. a firm voice, but behind closed doors.” closed behind but voice, firm a with know we what them tell We relations. French-Russian Russia. public “aggressive attribution with that: to Russia will not ECFR work, and told is operations not in diplomat the style of French several One attributed publicly has since but mid-2018, in Russia with issues cybersecurity on France is an interesting case of a state that started a dialogue aaiu cbr nrpeer, n i wih h css of costs aggressive misbehaviourarevirtuallyzero. the which in one entrepreneurs, cyber rapacious for free-for-all a into field cyber the turned has tactics cyber approach cyber laissez-faire and the against aggressive lack ofpushback to attributionandthe view, hybrid states’ against these back In threats. push to more adopted ways have assertive states fails, diplomacy polite Where Pushback of Chemical Weapons. Prohibition the for Organisation Hague-based the into hack to Skripal affairandRussianattempts over the peak tensions when a reached Netherlands time the and UK the and Russia the between around and just Spain happened with dialogues Portugal cyber of launch The tatters. in but strategy or response states, pan-EU a for plans leaving member others, not EU some for to détentes lead cyber genuine also can dialogues such Alternatively, behaviour. cyber its Russia tochange of cybertalksthatdonotforce rounds long, excruciatingly least at or endless, enabling of 8 7 Memberstatediplomat,remarksatECFR EU-RussiaStrategyGroup, InterviewwithFrench foreignministryofficial,November 2018. 8 But such patience is patience such But 7

, a network a , The pitfalls of attribution Attribution of attacks in the cyber domain is notoriously difficult, though not impossible. Several high-profile cases have helped reduce public trust in professions of certainty based on intelligence, such as that preceding the military intervention in Iraq on the grounds that it had weapons of mass destruction. Attribution can rely on cyber forensics, but it has often relied more on intelligence sources, which can be harder to deploy publicly to change opinion and win wider support. Providing more detail may help adversaries close their security loopholes. For example, just three weeks after US intelligence services issued a report on Russian cyber activities around the 2016 presidential election, the Russian intelligence services arrested one head of department and his deputy from the FSB Cyber Centre for Information Security for being CIA moles. In such circumstances, Western intelligence services are often reluctant to engage in public attribution that can devalue or endanger their sources.

Private companies can also be reluctant to publicly attribute cyber attacks to foreign states. It was not always this way: companies used to be happy to blame cyber attacks on foreign state-backed actors as they looked less inept if their cyber defences had failed in the face of supposed Russian or Chinese state-backed hackers rather than criminal cyber groups or teenage amateurs. But this is changing. Insurance companies now hold that a hack supported by a foreign state is cyber warfare and, therefore, refuse to provide . This happened in the fallout from NotPetya, the world’s costliest virus attack, which started in Ukraine but then affected dozens of companies around the world. The UK government accused Russia of attacking Ukraine’s digital infrastructure with NotPetya. But when the virus spread and one of the affected companies – the maker of Cadbury chocolate – made an insurance claim for the attacks, its Swiss insurer refused to provide compensation, invoking the UK government’s attribution of the attack to Russia as proof that NotPetya was an act of cyber warfare not covered by its insurance. plate with a GRU address. So what started as a name-and- details – such as those the Mueller inquiry provided in the shame exercise by the UK ended up in a major diplomatic US. Despite a plethora of journalistic investigations, and and intelligence debacle for Russia. Attribution also helped periodic statements from politicians, European legislative unify the European response, which resulted in the more or and judicial bodies have released few details about their less simultaneous expulsion of Russian diplomats by 19 EU assessment of the situation. This certainly does not help the member states, and ten non-EU states. EU arrive at a more united understanding of the scope of threats it faces. Beyond naming and shaming, states have started to make greater use of indictments, counter-offensive cyber Key instruments for creating a more unified awareness strategies, and even hack backs. Their goal is to change the across Europe lie in the hands of national elites. These calculations of foreign state-backed cyber actors by starting to include more systematic use of parliamentary or UK-style impose costs – on the cyber actors themselves and the states public inquiries (such as the Chilcot and Leveson inquiries) supporting them. The US pioneered this approach, which has and more systematic law enforcement work to pursue those been increasingly adopted by the UK, the Netherlands, and, who broke electoral law by attempting to influence votes on a smaller scale, France. All three countries have changed through digital or financial activities. their cyber doctrines to move from an almost exclusive focus on cyber defence and cyber intelligence collection towards The digital home front the possibility of counter-offensive cyber actions. What drives this greater assertiveness is an understanding that On issues such as election interference, one way to hedge toothless cyber diplomacy is not enough to combat the state- against the vagaries of the digital age is to return to analogue sponsored cyber threats to Europe. methods. The Netherlands reverted to paper ballots and hand counting in elections in 2017 as insurance against cyber Conclusion and recommendations tampering with voting machines and digital infrastructure. On some occasions, internet giants have chosen not to run Dealing with hybrid threats involves action on several fronts. political adverts at all – Facebook took this course during The first is the political front. The second is the digital home the recent Nigerian election. And, after Canada introduced front. The third is the intelligence front: setting new goals strict requirements on the transparency of electoral adverts, and standards for intelligence services, and improving Google decided not to run these. This is not a long-term the coordinated approach within Europe. And, finally, solution, but it could be a temporary one until governments EU member states and the EU itself can take steps on the and these companies flesh out transparency rules governing diplomatic front to deal with foreign powers that conduct campaign ads. hybrid operations against them. Dealing with cyber threats presupposes investment in The political front the EU’s capacities to deal with such issues. This requires several types of action: The European conversation on hybrid threats is polarised between political actors that see Russian interference in • Transform ENISA into a well-staffed and well- every European election and those that are completely financed cybersecurity institution in which multiple dismissive of such fears. Europe would benefit if accusations functions are centralised: computer emergency of foreign interference were better supported with facts and response teams (CERTs), cyber forensic teams, 9 10 ECFR/289 June 2019 www.ecfr.eu STRATEGIC SOVEREIGNTY: HOW EUROPE CAN REGAIN THE CAPACITY TO ACT • • • standards acrosstheEU. hygiene cyber up drive that teams legislative and and compulsory use of minimally safe passwords safe minimally of use sector; compulsory and public the in passwords manufacturers’ of use the on bans abroad; travelling delegations European for cages Faraday on: policies include could undertaking The forward. step a constitute militaries, diplomats, parliamentarians, and other European officials would already for standards push tocoordinateandspreadcorecyberhygiene strong a even So, notare. cages do Faraday what diplomats know many Indeed, not. do others while buildings, public entering when bags cage Faraday in phones their mobile their make keep diplomats collections. ministries foreign intelligence European Some electronic and space foreign countries thatareperceivedasaggressive incyber in institutions state visiting when ways diplomats of from differentmemberstatesbehavein consisting delegations European example, For government. in and public general cyber hygienestandards,bothamongthe personal improve should countries European All member statestospearheadtheprocess. EU capable most the to left be will it whether or board on states European all with developed be can policies such whether seen be to remains it Still, them). use to threat the (and weapons cyber ofEuropean effect deterrent the from benefit to want will they later, or sooner And, by states. third weapons cyber offensive of employment by the affected be will this of legitimacy ethical the of sceptical are that states Even weapons. cyber sophisticated employing already are – China, Israel and Russia, US, the as such powers orregional global and – states European key But states. cyber member EU developed. most sophisticated for controversial highly jointly is This be more only can of which weapons, expense the at of duplication avoid basic capabilitiesinevery nationalcyberagency also would This on. build provide thecorecapabilitiesthatotherstatescan affiliated could stays Brexit) after it cooperation defence (if EU with UK the or France nations as such Lead PESCO. within capabilities cyber EU member states should jointly invest in offensive responses diplomatic subsequent against suspectedperpetrators(seebelow). for basis the create and protection future improve would This attacks. cyber of sources potential the of analysis to andpost-factum sophisticated, systematic, conduct capacity the needs also EU the resolved, been has crisis a once But attacks. states cyber serious member tackle help would that Force Response been have states effort EU the member leading EU Six issues. cyber on collection intelligence and poolingtogether for bothcyberforensics, capacities but alsofocusing European up beefing means This infrastructure. attacks or critical institutions state sensitive at directed cyber major capacity of sources pan-European the investigate to sovereign, a acquire to interest EU’s the in is it ENISA, outside or Within to build an EU Cyber Rapid Cyber EU an build to nac Erpa cpblte. h E ad t member its and states shouldconsiderthefollowingactions: EU The capabilities. European enhance US in the short or even medium term. But it would certainly the with cooperation intelligence for up make not will This them. reinforce and amplify to capacities, national existing of top on come to have would capacity European new Any suppress to chance thattheEUwilldothis. attempts short little is there said, cut That reasons. political for investigations would this as services, intelligence foreign by institutions state of subversion the be would affairs and in domestic to tacklinginterference suited best states member from independently works that prosecutor general a and Service Investigative European A The intelligencefront • • • • cekd gis dtbss f opoie or leaked passwords). compromised of databases against (checked for counter-intelligence. of this matter. The same approach would be helpful state bureaucracies’ knowledge and understanding branches ofgovernmenthas increasedmember The reports. situation various between information of exchange constant national of threats compiling analysing Centre of and job good Defence a does Cyber Excellence Cooperative NATO The subversion and counter-intelligence: Establish a centre of excellence on against organisedcrimeaswell. fight the facilitate would ownership corporate and estate real on transparency Greater agitation. for and companies fake information networks; and sources; fake news outlets to use to to schemes money financial funnel opaque or accounts bank logistical infrastructure such require as illegal operations residences; anonymous intelligence crime, foreign organised Like actors: state-affiliated and investment screening offoreign supervision financial for standards Tighten cross-border in the indictmentofsuspects. Common facilitate particularly authorities, between also operations. cooperation would influence standards hostile and what constitutes espionage, of subversion, definitions conspiracy, binding legally clear, without between work varies not will activities Counter-intelligence countries. European intelligence some of and hostile intelligence services Set common legal standards on subversion intelligence services’activities. foreign against fighting states small for beneficial particularly be would This activities. cross-border analytical cells, bureaus, and data exchange formats counter-intelligence to tackle create now should members Europol crime. organised with foreign intersect across which of come some past, the in operations intelligence has It organised activities. criminal against fight crime, money laundering,andothertransnational countries’ European intelligence Expand Europol’s remit to include counter- Erpl a ln supported long has Europol : : the legality : the • Introduce common procurement of states in response to hybrid threats; NATO support strategic intelligence, surveillance, and capabilities (such as air transport, cyber troops, engineers); reconnaissance platforms: On hybrid and emergency situations in Europe. threats, domestic counter-intelligence is often the focus of policy discussions. But in an escalating Finally, military and civilian intelligence sharing within confrontation, the capacity to predict adversaries’ NATO is important to Europe’s overall preparedness for all military moves is pivotal. Europe needs to acquire sorts of threats – ranging from hybrid threats to traditional airborne and shipborne strategic intelligence military threats. Exchange of experts and officials between platforms. It currently lacks electronic- and Europe’s inward-looking institutions (such as Europol and signals-intelligence aircraft with long endurance the European commissioner for justice and home affairs) and corresponding ground-based surveillance and NATO’s outward-looking assets and experts could stations, particularly in the Black Sea. It also lacks improve their situation awareness. Here, too, member stealthy autonomous aerial vehicles to collect states need to circumvent the diplomatic impasse between intelligence in highly contested airspaces, such as Turkey and Cyprus by creating exchange forums on their Syria or Crimea. own .

The diplomatic front Fostering new cyber alliances

European cyber diplomacy needs to become much more The EU should expand its partnerships to combat hybrid ambitious in developing a strong diplomatic infrastructure and cyber threats in conjunction with friendly governments that reduces hybrid, cyber, and intelligence risks to the – in countries ranging from those in the western Balkans to EU. It needs to do so jointly with potential allies. This Ukraine and New Zealand. infrastructure would need three layers: working with existing allies, fostering new cyber alliances, and developing Friendly cyber partnerships can have multiple aims: assertive dialogues with states that are testing EU countries’ capacity-building; providing assistance in establishing defences with their hybrid tools. national cybersecurity strategies; addressing cyber crime; instituting cybersecurity standards; protecting critical Working with allies infrastructure; and helping defend electoral processes from interference. The EU will never be entirely sovereign in the defence sphere without a nuclear deterrent. But there is no prospect of this To a degree, the EU should conduct lawfare against its unless France extends its nuclear protection to the entire EU cyber adversaries. It is in EU’s interest to become one of the and all other EU states accept it. driving forces of a global alliance promoting a crackdown on aggressive state-sponsored cyber behaviour through legal Even in other spheres, Europe is a long way from means. State-to-state dispute resolution is always difficult, establishing a self-sufficient capacity to push back against not least in the cyber domain. Various models have been hybrid, cyber, and intelligence threats. And even if it attains discussed in this respect. Some legal scholars have argued self-sufficiency, the EU’s sovereign action will only become that state-sponsored cyber attacks fall well within the stronger if it can sustain strong allied responses to these jurisdictional scope of the International Court of Justice, risks coordinated with the post-Brexit UK, the US, Canada, as they constitute potential violations of state sovereignty. and NATO. So, whether the EU has its own capacities to Another form of legal and institutional pushback is to combat such threats or not, the first port of call will still be seek to create a World Trade Organisation-style dispute its closest allies in NATO – where a clear division of labour, settlement mechanism for inter-state cyber affairs, in or joint action with NATO, is likely to be the rule of thumb. which an international body would have investigatory and adjudicatory powers. The EU should forge a global alliance For NATO, the first task is deterrence (including nuclear of states that push for more assertive legal mechanisms deterrence) and defence. On hybrid threats, the picture is less to combat cyber threats through international law and clear. Hybrid operations are often a prelude to more intense international legal bodies. pressure or even aggression. They are intended to erode the opponent’s will or capacity to resist. The EU will remain Hard cyber talks the prime legal arbiter countering most hybrid threats to Europe. This is due to the EU’s common space on security European efforts to forge global cyber partnerships should and justice, the close cooperation between its member states be matched by cyber dialogues with problematic cyber on homeland affairs, and the EU’s legal authority over the players such as Russia, China, North Korea, and Iran. One common market (which is important on energy issues, dictum of conflict resolution is that peace deals arise during 9 fighting financial crime and illegal financial transactions, mutually painful . In the cyber domain, there is and border security) and its evolving competences in the currently no : the situation is painful only for EU digital space. states. The nuclear détente in the 1970s was possible because each side was armed to the teeth and competition between However, the EU should aim to closely coordinate its own them was costly. So, both had an incentive to slow things procedures and policies with those of NATO. While Turkey down. Today, most of the EU is a punch bag for hybrid and blocks formal EU-NATO coordination, it is possible to cyber operations. circumvent this: EU member states can push for the same agenda and programmes within both organisations. This is Europe should pursue a ‘dual track’ approach of particularly the case in planning and exercises for: NATO confrontation followed by dialogue with unfriendly cyber troops reinforcing local police detachments in frontline 9 Jonathan Powell, Talking to Terrorists: How to End Armed Conflicts, Vintage, London, 2015. 11 12 ECFR/289 June 2019 www.ecfr.eu STRATEGIC SOVEREIGNTY: HOW EUROPE CAN REGAIN THE CAPACITY TO ACT netgtn hbi atvte drce aant European against directed activities hybrid investigating involve will This US. the like EU more acting start the to have – will sovereign more become to – own its on threats hybrid with dealing of capable more become to Ultimately, part ofmajorEUpartnershipagreements. become should on combatingcyberthreats Cooperation field behaviour. cyber enough’ cyber ‘polite on assistance development the over leverage gain screening, and trade, investment conditioning free by to look also can One probably will activities cyber continue. hostile of forms some that accepting also tacitly infrastructure,but electoral including attacks oncriticalinfrastructure, cyber attacks:penalising supplement would concessions this approach. It could include mutually agreed red lines for mutual of Hard- trading improve. not nosed do things if attackers of indictments even and attribution public periodic as well as doors, closed behind attribution involve will dialogue adversarial more A directed atit. behaviour starting tobemoreconfrontationalabouthostile by détentes cyber of series a towards work actively should Europe approaches. both combine to need will Europeans united, EU the keep to and efficient, more be To failing. be have others while issues, to seems dialogue for confrontationbecause to opt started hybrid and cyber on dialogue prefer some – split currently are states member EU powers. *** paper restssolelywithitsauthor. the for Responsibility paper. this for research conducting in author The itself. would like to paper thank Marta Pellón Brussosa for the her assistance on or paper the in expressed ideas in MadridMarch2019 on the for theirfeedback held diplomacy cyber on session brainstorming ECFR an in participants the and Reinholdt, Thomas Meer, der van Sico Varma, Tara Rapnouil, Lafont Manuel Herpig, Sven to go also Thanks anonymous. remain to prefer officials these of External all topic, the of European nature sensitive the to the Due Service. Action and Commission, European the Kingdom, United the Sweden, Spain, Poland, Netherlands, the Lithuania, Latvia, Germany, France, Estonia, Republic, Czech from the those analysis, including and thoughts their The author would like to thank the officials who have shared Acknowledgements of degree true liable toincorporatehybridthreatsintotheirarmouries. any increasingly are countries attain which in world will it a in sovereignty Europe measures, that these unlikely Without is attribution. public as such pushback engaging and alike, dialogue adversaries and of friends with a involve will This engagement. of amorerobustform adoption of theproblemand scale the of acknowledgement fully to stage assessment ‘soul-searching’ and the from quickly countries more move European to need investigations. also these of findings the and transparencyabout detail, in muchgreater countries About the author

Gustav Gressel is a senior policy fellow with the Wider Europe Programme at the European Council on Foreign Relations’ Berlin office. His topics of focus include Russia, eastern Europe, and defence policy. Before joining ECFR, Gressel worked as a desk officer for international security policy and strategy in the Bureau for Security Policy of the Austrian Ministry of Defence from 2006 to 2014, and as a research fellow of the Commissioner for Strategic Studies with the Austrian Ministry of Defence from 2003 to 2006. He was also a research fellow with the International Institute for Liberal Politics in Vienna. Before beginning his academic career, he served in the Austrian Armed Forces for five years.

13 14 ECFR/289 June 2019 www.ecfr.eu STRATEGIC SOVEREIGNTY: HOW EUROPE CAN REGAIN THE CAPACITY TO ACT www.ecfr.eu institutions. or individuals to grants make not does but organisations and tanks think other with partnership in works ECFR policy. EU foreign avalues-based for advocate and ideas our publish to us allow donors These entities. corporate Foundations and other generous foundations, individuals and Society Open by the funded charity aregistered is ECFR •  • •  its activities: define that elements ECFR three developed has astrategy with distinctive foreign policy. andvalues-based developmentEuropean ofcoherent,the effective conduct research andpromote across informeddebate Europe on European think-tank. isto Launched 2007,its objective inOctober pan- first the European is The Council on Foreign (ECFR) Relations ABOUT ECFR for research, debate, advocacy andcommunications. Madrid, Paris, Rome, andWarsaw. Sofia are platforms Ouroffices among European London, think-tanks, inBerlin, offices has A physical presence ECFR, mainEUmemberstates. inthe uniquely Council ischaired by Carl Bildt, Lykke Röttgen. Friis, andNorbert own their countries. within The activities ECFR’s with andhelp ideas advice with members provide andfeedback onpolicy ECFR staff body.year afull as Through geographical task forces, andthematic andcandidatemember states countries –which meets once a decision makers, thinkers peoplefrom andbusiness EU’s the hundred Councildistinguished Members–politicians, ofover two A pan-European Council. ECFR brought has togethera capitals; andreaches outto strategicmediaoutlets. inEU gatherings ofECFR” and“friends meetings, publicdebates, private produces hosts research; original reports; policy publishes apan-European developmentwith projects focus.and policy ECFR frompractitioners allover Europe outinnovative to carry research researchersbrought ofdistinguished together ateam and contagiousDeveloping peopletalking. get that ECFR ideas has Berlin, London,Madrid,Paris,Rome,Sofia, Warsaw on ForeignRelations(ECFR), Published bytheEuropeanCouncil ISBN: 978-1-911544-89-0 © ECFRJune2019 European CouncilonForeignRelations. use requiresthepriorwrittenpermissionof personal andnon-commercialuse.Anyother content fromthispublicationexceptforyourown reproduce, republishorcirculateinanywaythe Council onForeignRelations.Youmaynotcopy, Copyright ofthispublicationisheldbytheEuropean Relations, representsonlytheviewsofitsauthors. publications CouncilonForeign oftheEuropean positions. Thispaper, likeall collective take not The EuropeanCouncilonForeignRelationsdoes