Cooperating in Cyber Diplomacy: The Role of OSCE and The Experience from the Visegrád Region

Cooperating in Cyber Diplomacy: The Role of OSCE and The Experience from the Visegrád Region

By Federica Cristani

Cybersecurity has become an integral part of national, European, and international policies, especially during the COVID-19 pandemic and the armed conflict in Ukraine. In this context, the concept of “cyber diplomacy” has come into global use, and countries are even deploying their own “cyber diplomats.” Generally, when we talk about cyber diplomacy, we refer to "a set of diplomatic practices concerned with the broadly defined governance of cyberspace." In particular, cyber diplomacy encompasses cyber capacity-building measures, which aim to reduce cyber-threats through enacting national cybersecurity strategies and confidence-building measures which are intended to promote cooperation and information-sharing among states.

This article focuses on the confidence-building measures (CBMs) that have been developed by the Organization for Security and Cooperation in Europe (OSCE) and their implementation in the European Union (EU). In particular, it focuses on implementation in the Visegrád countries (or V4, which includes Czech Republic, Hungary, Poland, and Slovakia).

The OSCE has been a crucial regional forum for discussion of cyber CBMs, defined as "actions and processes designed to reduce or eliminate the causes of mistrust, tensions, and hostilities between and among states" in the cyberspace. In 2012, the OSCE established an informal working group to explore the possible role of the OSCE in the field of cybersecurity (PC.DEC/1039). Following the work of the informal working group, and after several exchanges among the participating countries, the first set of CBMs was adopted by the OSCE Permanent Council in 2013. In this CBM, countries agreed to voluntarily establish national points of contact for the implementation of CBMs and to develop communication lines for preventing possible tensions resulting from cyber activities (PC.DEC/1106). In 2016, the OSCE Permanent Council adopted the second set of CBMs which are focused on further enhancing cooperation between OSCE participating states. Countries have voluntarily consented to "develop mechanisms to exchange best practices of responses to common security challenges stemming from the use of [information communication technologies (ICTs)][…and to ] encourage responsible reporting of vulnerabilities affecting the security of and in the use of ICTs" (PC.DEC/1202).

Following the adoption of the cyber CBMs, the OSCE has been focused on their implementation by participating states through practical support, like the use of the OSCE Communications Network. The OSCE also plays a crucial role in disseminating all relevant information on this implementation among all participating countries. Moreover, the OSCE has convened several meetings to facilitate capacity-building, information exchange, and sharing of best practices at the regional level (see PC.DEC/371), as well as scenario-based, interactive discussions on the implementation of CBMs and table-top simulations (e.g. SEC.PR/239/16).

The EU has actively supported the development of confidence-building measures adopted by the OSCE. In the field of cyber-defense, the 2017 adoption  of the  Joint EU Diplomatic Response to Malicious Cyber Activities (the so-called cyber diplomacy toolbox) reiterates that "the EU and its Member States have a strong commitment to actively support the development of voluntary, non-binding norms of responsible State behavior in cyberspace and the regional confidence building measures agreed by the OSCE to reduce the risk of conflicts stemming from the use of information and communication technologies." The toolbox allows the EU and member states to implement a diplomatic response to malicious cyber activities through the Common Foreign and Security Policy. These can include preventive (e.g. awareness-raising, capacity-building), cooperative, stabilizing, and restrictive measures (e.g. travel bans, arms embargoes, freezing funds).

On the topic of cyber diplomacy in the V4, even though there has been no significant joint document on cyber diplomacy (or cybersecurity in general), we find important programmatic references in public documents issued by the Group on several occasions. First, in the 2021 Visegrad Group Joint Declaration on Mutual Cooperation in Digital Projects, and second, in the 2017 Joint Declaration of Intent of V4 Prime Ministers on Mutual Cooperation in Innovation and Digital Affairs ("Warsaw Declaration"), which restated the willingness of the V4 to “[…] work towards sustainable, efficient, resilient and secure cyberspace.”

However, it is in the field of technical cooperation in cybersecurity that the V4 has made major progress, having developed a unique model of sub-regional cooperation in the cybersecurity sector thanks to the Central European Cybersecurity Platform (CECSP). The CECSP was established in 2013 and includes representatives of governmental, national, and military Computer Security Incident Response Team (CSIRT) teams along with representatives of national security authorities and centers of cybersecurity from Slovakia, the Czech Republic, Poland, Hungary, and Austria. The CECSP facilitates the exchange of information and sharing of best practices among the countries on cybersecurity issues and serves as an example of successful implementation of CBMs. Among the activities of CECSP, we can recall the organization of cyber security exercises among its participants (in 2014, 2015, and 2017), as well as the coordination of relevant policies – such as the implementation of the 2016 NIS Directive in the CECSP countries. The work program and the meeting agendas of CECSP are not publicly available; however, we find several references to the importance of its role in V4 public documents, like in the most recent 2020/2021 V4 Polish Presidency Program, which refers to CECSP as an “established channel[..]” to carry out “consultations with a view of finding topics of mutually beneficial cooperation in cyber security.”

The CECSP has proved to be a platform that builds trust among participants and “facilitates the harmonization of positions in the international arena, such as […] the OSCE.” In particular, the CECSP can serve as an example of successful cooperation in the implementation of the OSCE´s CBMs. At the 2018 OSCE Forum for Security Co-operation meeting in Vienna, the V4 stressed how the group “has been serving as a platform […] aimed at stimulating co-operation in various areas of common interest.” The participating countries have recognized that the platform is a useful forum for discussing cybersecurity issues.  This is also true when it comes to implementing CBMs and, more broadly, cyber-diplomacy tools, which is further stressed by the participants at the 2021 OSCE-wide Cyber/ICT Security Conference, “multilateral engagement is key to building confidence” in the cyberspace (SEC.PR/205/21). This approach should serve as a model for other countries, both in the EU and at the international level.

Federica Cristani is a Senior Researcher at the Institute of International Relations in Prague (CZ), Visiting Senior Researcher at the Arctic Centre of the University of Lapland (FI) and Visiting Researcher at the Mathias Corvinus Collegium Alapítvány in Budapest (HU). She holds a PhD in public international law from the University of Verona (IT). Her main research interests include international economic law, the policies of sub-regional groups in Europe, and international law of cyberspace. This post was written during the research visiting at the OSCE Documentation Centre in Prague (CZ) between February and April 2022 within the framework of the Researcher-in-Residence Programme. She can be reached at: cristani@iir.cz.

Storage Servers is by grover_net and is licensed under CC BY-ND 2.0.

Staying in Touch During Escalation

Staying in Touch During Escalation

Adapting Law Enforcement to Climate-Induced Conflict

Adapting Law Enforcement to Climate-Induced Conflict