Confidence Building in an Era of Distrust: Baby Steps Toward a Stronger Cyber Defense
AICGS Senior Cyber Fellow
Dr. Sarah Lohmann is currently the Senior Cyber Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University. She manages projects which aim to increase agreement between Germany and the United States on improving cybersecurity and creating cybernorms. Since 2010, Dr. Lohmann has served as a university instructor at the Universität der Bundeswehr. She achieved her doctorate in political science there in 2013, when she became a senior researcher working for the political science department. Dr. Lohmann also serves as Communications Lead Faculty at the University of Washington, where she teaches classes on big data and preventing disinformation and misinformation and has helped develop a new Emerging Technology Certificate.
Prior to her tenure at the Universität der Bundeswehr, Dr. Lohmann was a press spokesman for the U.S. Department of State for human rights as well as for the Bureau of Near Eastern Affairs (MEPI). Before her government service, she was a journalist. She has been published in multiple books, including a handbook on digital transformation, Redesigning Organizations: Concepts for the Connected Society (Springer, 2020) and written over a thousand articles in international press outlets. Her current areas of research include cybersecurity as it relates to election security, national security, transatlantic relations, energy, international law, and big data.
In the era of distrust that has followed the Snowden revelations, changing administrations, and a transatlantic relationship that is publicly unraveling, “confidence building measures” (CBMs) is a loaded term. In early 2017, when the idea for this partnership was born, the bilateral cyber dialogue between the U.S. State Department and the German Federal Foreign Office had been put on ice. By June 2017, negotiations in the leading forum for discussing cyber norms, the United Nations Governmental Group of Experts (UN GGE), had stalled due to disagreements on interpretation and implementation of the agreed cyber norms as portrayed in its 2015 report.
Yet targeted intrusions into the networks of both countries, sometimes by the same foreign actors, made cooperation between the two countries even more urgent. Agreement on CBMs—the benchmarks for the baby steps that each country takes to show that it is implementing concepts it has agreed on—could not be left for a fair-weather day while espionage attributed to foreign government actors had compromised the networks of Germany’s Federal Foreign Office, and the state election system infrastructure in the United States.
While the Organization for Security and Cooperation in Europe (OSCE) had pounded out quite a detailed list of CBMs in years past, these had not been formally adopted by governments. A forum was urgently needed that could provide a space for further negotiation to ensure that allies could work together to help each other with attribution, accountability of bad actors, and early warning.
This Transatlantic Cybersecurity Partnership, which brought together cyber experts from the U.S. State Department, Germany’s Federal Foreign Office, USEUCOM Joint Cyberspace Center, the German Ministry of Defense, the U.S. Department of Homeland Security, the German Interior Ministry, the Bundestag, Congress, academia, and the private sector, provided a first step. The aim of the group was not to address all stalled CBMs of the past GGE agreements, but rather to find consensus in the areas most urgent to the current cyber defense challenges and to the German-American relationship.
The aim of the group was to find consensus in the areas most urgent to the current cyber defense challenges and to the German-American relationship.
In AICGS’ cyber defense working group, several CBMs were the focus of the discussion: 1. establishing the best fora for information sharing on cyber threats and attribution (falling under the category of “communication and information exchange” in the GGE context); 2. coordination and communication about the legislative process; and 3. establishing common definitions for when the use of a cyberattack is legitimate in coordination with international law (jus ad bellum) and how that force can be used (jus in bello). Additional confidence building measures discussed during the workshop were ways to protect critical infrastructure from Information and Communication Technology (ICT) threats and to build resilience, and steps toward having a common understanding of the application of international law to the use of ICT to not exacerbate international conflict.
This contribution addresses the working group’s outcomes on information-sharing, while Ms. Rotter’s text focuses on the dialogue around the legislative process and Mr. Schulze’s essay on the common definitions the group discussed. Mr. Tousley shares ideas for protecting critical infrastructure.
Information Sharing Is Best If It Stays Operational
While allies have many levels of analysis where close communication is valuable, this group focused on improving information-sharing modalities on attribution for a malicious cyber intrusion, potential cyber threats, and indicators of compromise. The working group agreed that information-sharing on those topics can happen between Germany and the United States best if it stays on the operational and technical level. Information-sharing between and across countries is easiest when it happens, for example, between military branches, and stays separate from intelligence, participants argued, as this keeps political considerations separate from the technical analysis. At the same time, participants agreed that the aim should be closer cooperation on information-sharing across agencies to defeat stove-pipe mentalities that look only at one analysis.
To strengthen confidence building measures in the cybersphere with allies on the diplomatic front, participants agreed that joint exercises on operational cybersecurity should be undertaken between Germany’s Foreign Office and the U.S. Department of State in the near future. Such joint exercises already occur regularly on the military front in the context of NATO, among other venues.
Closer cooperation across the corporate sector and government on cyber threats and solutions is highly desirable, the participants agreed. However, information-sharing connected to the Vulnerability Equities Process, the process that guides when the government tells a software vendor about zero-day vulnerabilities they have discovered in their products, will remain a topic for future discussion.
New Centers of Coordination Needed
Rather than agencies working alone and duplicating work in both countries, the working group proposed a “Cyber Defense Center Plus” as a forum to serve as a conduit for information on cybersecurity internationally. The Cyber Defense Center in Germany is already mandated to act as a hub to bundle data on cyber threats from police, military, and the intelligence community. The proposal would add an international communication arm to coordinate information-sharing with allies.
Such coordination is urgently needed on both sides of the Atlantic. In the United States, there is currently no White House cybersecurity coordinator or homeland security advisor with a cybersecurity focus, but there remains an abundance of government agencies tasked with protecting the nation’s cybersecurity or coordinating policy on it at home or abroad. These include: the National Security Council, the Department of Homeland Security, the Department of Justice acting with the Federal Bureau of Investigation, the Office of the Director of National Intelligence, the U.S. Cyber Command Center, and the U.S. Department of State, to name a few. A new Integrated Cyber Center and Joint Operations Center aims to deal with some of those challenges. The new center, opened May 4 by the U.S. Cyber Command and the National Security Agency, provides command and control, and integrates cyber operations across U.S. agencies and with foreign partners. The new center became operational in August and allows different government agencies and foreign allies to sit together under one roof and synchronize cyber operations. While this new center may not address the working group’s concern that information-sharing happens on the operational level and stays separate from intelligence agencies, it does provide the opportunity for improved transatlantic information-sharing and stronger mutual operational cyber defense.
Going forward, participants suggested that Germany and the United States undertake a division of labor on identifying threats and analysis of attribution using Open Source information and Early Warning tools available in both countries. This would allow more timely response to malicious cyber incidents, as well as more effective prevention of damage caused by cyberattacks.
Proposing divisions of labor, inviting foreign partners to coordinate operations, sharing hub space and pertinent information on malicious actors, and calling those actors to account: These are the hallmarks of seventy years of the German-American partnership, reflected in a new and creative way in the strong proposals of the working group participants. In the realm of cybersecurity, that partnership is just beginning. In an era of distrust, a transatlantic cybersecurity dialogue will remain vital to keep cyber defense in both countries strong, and to help the bilateral relationship flourish.
 Patryk Pawlak, “Confidence-Building Measures in Cyberspace: Current Debates and Trends” in International Cyber Norms: Legal, Policy & Industry Perspectives, ed. Anna-Maria Osula and Henry Rõigas (Tallinn: NATO CCD COE Publications, 2016), pp 136.
 For a reflection of the GGE discussions around jus ad bellum and jus in bello, see: Ibid, p. 131, and for information sharing and legislation coordination, see: Ibid, pp. 134-142.