Data Protection and Cybersecurity

Supranational cyber governance and cross-border alliances – relevance and legal challenges for governments

Written by

Dr. Nicolas Sonder


In a world that is changing ever faster, the challenges in the area of cyber security are also growing. Due to the complexity of data streams and networks, as well as the many different parties involved in the exchange of data, multiple challenges arise. Attacks are increasingly not limited to one country or jurisdiction, but more and more often affect several territories at once. Due to these cross-border attacks, the question now arises as to what extent such attacks or the defence strategies against them can be coordinated supranationally. A complicating factor in this context is that the legal framework for dealing with such attacks is different in most cases. For this reason, it is of utmost relevance to promote supranational cooperation and coordination and to harmonise the legal framework in order to create the greatest possible flexibility and resilience against cyber-attacks in the future.

Approaches to harmonisation

As shown above, harmonisation of the law is therefore of particular importance. Only through a common legal framework are effective responses to cyber-attacks possible. Initial approaches to this can already be found in the EU and the USA. On 17 April 2019, the EU launched the EU Cybersecurity Act. In the course of this, the European Union Agency for Cybersecurity (ENISA) was provided with extensive personnel and financial resources and given a permanent mandate to strengthen the European cybersecurity infrastructure. In addition, the first EU-wide certification framework was launched, which aims to define a uniform cybersecurity certification approach for digital products and services. Furthermore, within the framework of the Cybersecurity Act, ENISA supports the member states in the coherent implementation of EU directives in the field of cybersecurity as well as the promotion and development of strategies in this field.

Similar efforts can also be seen in the US. On 13 July 2023, the National Cybersecurity Strategy Implementation Plan (NCISP) was adopted. The plan is based on five pillars, of which the fifth pillar appears to be the most important in this context. The Department of State will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities. Based on that, every effort regarding cybersecurity will be evaluated and closely coordinated with allies going forward. The countries of the Middle East are also seeing continuing success of digitization initiatives. Every national government in the region is striving to create a secure digital environment, but too often these efforts are fragmented, tactical, and reactive.

However, these approaches themselves and the overall situation worldwide bring new challenges. In the context of the cyber solidarity law proposed by the EU Commission in April, the European Court of Auditors stated that there are still unaddressed problems, especially regarding the financing and implementation of the aforementioned capabilities. Part of the law on cyber solidarity is, among other things, the establishment of a European cyber shield. The Court of Auditors points out that the functioning of the cyber shield is dependent on EU funds. In addition, the exchange of information between the implementing actors has so far been inadequate. It was also shown that existing tasks overlap between different organizational units, so clear governance structures are necessary to avoid coordination difficulties.

Success factors of public cross-border cyber alliances

Effective public cross-border cyber alliances require an adequate legal framework as their basis. This applies both to the de facto cooperation between different states and to the corresponding governance. Due to the lack of a general legal framework in international public law for the field of cyber security, this can initially mostly be pursued at the level of constituted supranational law, as in the EU. Where such supranational governance exists, there is also the possibility of enacting hard, binding regulations. In future, other supranational alliances could also enable the building of cyber security frameworks.

Where such a supranational basis is completely missing, contractual frameworks are required between the states concerned, which are then likely to be determined by general international law. For these areas it is all the more important to establish bases for cooperation among relevant actors.

The essential core content of such international treaties should be, in particular, the obligations and responsibilities of the actors concerned as well as regulations on an effective, but also legally secure, exchange of information. These areas of regulation should specifically address, for example, the exchange of relevant cyber security incident alerts as well as a general exchange of relevant data in order to ensure functioning cyber governance at supranational and international level. This includes tackling the challenge of synchronizing, as far as feasible, the different legal requirements of the national prevention and security laws. Only if all parties are able to act on a common regulatory level can cyber security be managed effectively in a cross-border context by the public sector.