Research, ideas, and leadership for a more secure, peaceful world
Author
Cathryn Clüver Ashbrook
Author
David E. Sanger
When the Internet began to flourish in the 1990’s, there was an assumption that it would foster the values that the United States and its European allies held dearest: Freedom of expression, the spread of democracy, the empowerment of the individual. Presidents, prime ministers and German chancellors embraced the idea that the world’s democracies would be bound together, and that over time greater connectivity would enhance not only trade and understanding, but the alliance.
Now, a new reality is dawning.
There is broad recognition that the same technologies that two decades ago were celebrated as liberating have been turned into tools of repression by the West’s adversaries. China has learned to make facial recognition a key tool in identifying—and arresting—dissenters. Meanwhile, it is using its power, and the digital elements of the Belt and Road Initiative to roll out 5G networks, using its market power (and its government subsidies) to wire up small countries and large, even some NATO members.
Meanwhile, Russia has discovered that the undersea cables that link together the world’s democracies are also vulnerable to being cut, potentially plunging its rivals into darkness. It has deployed submarines capable of threatening to cut the networks on which the West depends.
And it is not just the Great Powers who have learned how to turn these technologies to advantage, or how to use them to cling to power. Autocrats from Kim Jong-un to Iran’s ayatollahs have grown increasingly sophisticated on how to turn networks into weapons, launching cyber attacks on adversaries their missiles cannot reach.
As Jared Cohen and Richard Fontaine have argued, we have barely noticed that
“[A]utocratic states have caught up. China is at the forefront, no longer a mere rising power in technology and now an American peer. In multiple areas—including facial and voice recognition, 5G technology, digital payments, quantum communications, and the commercial drone market—it has surpassed the United States. Leaders in Cuba, Iran, North Korea, Russia, Venezuela, and elsewhere are increasingly using technology for illiberal ends, following China’s example. And despite the United States’ remaining advantage in some technologies, such as artificial intelligence (AI) and semiconductor production, it has fallen behind China in formulating an overall strategy for their use.”
This must change. Gone are the days when leaders could gather at summit meetings, adopting largely content-free commitments to develop common strategies, only to return home and pursue their own agendas. Yet it hasn’t happened. While at summit meetings, leaders make promises to turn the power of social networks and artificial intelligence into tools to strengthen old alliances. When they return home, European leaders focus on limiting the powers of Facebook, Google and other social media and about new rules to preserve the privacy of Europeans. Skilled in rule-making, the EU defaults to that muscle memory, instead of engaging in a transatlantic norm-, rule- and standard-setting enterprise.
There are fundamental disconnects in the way Europeans and Americans have approached strategic questions in the stewardship of technology.
Europeans have addressed platforms and software. The Americans have gone after hardware: The Trump administration declared that if Europe built its 5G networks with equipment from companies like Huawei, the Chinese telecommunication giant, it would cut off the continent’s access to American intelligence. Not surprisingly, Europe reacted negatively to the threats, and have been internally divided about whether to follow America’s lead or take advantage of lower-cost options from Huawei and other Chinese providers.
More importantly, the Europeans have largely been unable to bridge policy divides at home—among member states and between NATO and the EU. Rather than cooperate internally, and with the U.S. on how to use an array of new technologies to defend NATO nations, Europeans have been doggedly focused on protecting the privacy of Europeans—highlighting a difference in cultural values across the Atlantic. While a critical concern, it has often replaced a laser-like focus on the competitiveness of Europe’s own civilian technology sector. Meanwhile, Americans have focused intently on limiting China’s technological reach, but have done so unilaterally, without taking the time to bring Europeans along as full partners in the development of a strategy. It has been a bad combination. Late to the realization of the scope and ambition of China’s strategic deployment of technology, surveillance and disinformation, Europe is only now beginning to consider a common strategy to address these interlinked issues.
The results are obvious. Rather than focus on the connections between technology and the risks to liberal democracy, common goals in artificial intelligence, data protection or the proper use and limits on offensive cyber weapons, allies have spent their time arguing about taxes, regulatory differences, antitrust and standard-setting. No structured, strategically organized transatlantic dialogue currently exists to map joint goals in emerging technologies, from artificial intelligence to autonomous vehicles and factories, aerospace, biotechnology or Fifth Generation networks.
NATO is attacked daily with Russian and other cyber weapons, yet there is little joint strategic thinking about whether NATO needs a “defend forward” offensive cyber program, similar to Washington’s, to match its losing efforts at defensive cyber. In the United States, there is a recognition that there is no good cyber defensive strategy without an offensive element; most European partners (with the notable exception of Britain) have been reluctant to create full-scope offensive cyber units similar to United States Cyber Command.
Similarly, there is little transatlantic discussion on what happens to the alliance when its major adversaries have next-generation autonomous weaponry, or what back doors to place, if any, in encryption products. It is a sign of the absence of effective communication that Europe and America have reacted so differently on the question of whether they can wall themselves off from Chinese-controlled networks, or how to deal with apps like TikTok and AliPay that their citizens are downloading on their iPhones. Incredibly, there is not even a common approach on what kind of data stays localized, or what kind China can use as it builds its databases and refines its use of artificial intelligence technologies.
There has also been little discussion, at a government-to-government or industry level, about the relationship between technological security and the survival, and spread, of liberal democracies. Countering disinformation is an obvious place to start. Yet on this issue, too, there is no common approach.
We can no longer afford to tread water on these issues, or pursue independent strategies. Too momentous are the challenges. China isn’t hesitating: since its “Made in China 2025” initiative was announced five years ago, it has sped ahead with a coordinated commercial or technological security strategy. The West has not matched it with one of its own. It is possible, as many in Silicon Valley insist, that relying on market forces alone will enable the West’s technological talents to prevail. But that is a hope, not a strategy.
To emerge from the toxic spiral allies have created around hardware issues like 5G, and the regulation of U.S. tech giants like Google, Facebook and Apples platforms. Those issues are now complicated by the newer problem by the spread Chinese and other apps into our phones and our lives. To deal with these networked challenges we need a network. We would urge a single Forum: A broader, coordinated structure designed to marshal the plethora of issues in transatlantic technology policy, instead of the usual piecemeal conversations.
There are many ways to design such a Forum—but it must be an action group, not a set of bureaucratic study groups. We favor the recommendation of the Bipartisan Cyber Solarium group that the White House needs a senior cyber coordinator, who may also be a Deputy National Security Advisor (with appropriate staff and structure); if the White House is not at the center of this discussion, the U.S. will not have authority to speak within the Forum. Europeans, for their part, would need to stand up their own coordination mechanism between the EU Commission and member state governments, perhaps with an EU Tech Envoy who holds real authority and a NATO Cyber and Tech Envoy to consider the security implications of each move. Taken together, these executive roles should serve to oversee the whole range of inter-linked issues.
Specialized sub-working groups, such as the proposed EU–U.S. Tech and Trade Council should address digital taxation and platform regulation in particular. Other key issues include digital supply chain security; joint industrial policy; digital currency and blockchain strategies; anticipatory joint standard-setting to avoid being pre-empted by Russian and Chinese measures; and innovative ways to combat the weakening of the fabric of our democracies by tech-driven interference. To address these issues, the Forum would need to deliberately cut across NATO, the EU, and many different departments of the U.S. government. But it must also include the private sector, R&D institutions, infrastructure operators and civil society. A NATO–EU Statecraft Initiative on Cyber should support this Forum, expanding on the NATO2030 plans announced in late November 2020. In coordination, a standing-group convened by the Forum would drive the transatlantic norm-setting process where Russia and China have recently dominated, such as in the UN Group of Governmental Experts (UN–GGE) with like-minded democracies as part of a “Tech10” with the U.S. and European countries at the core.
To launch this new type of strategic cooperation in good faith, however, we will first need a truce on a number of issues currently causing acrimony in the transatlantic technology relationship, including on planned digital taxes by individual member states. The time it will take for the Commission’s Digital Services Act and the Digital Compass to be addressed by the European Parliament and EU Member States should also be used to broaden and elevate transatlantic cooperation through the Transatlantic Technology Forum. We suggest:
Enhance joint industrial policy to develop viable Western technology competitors. It’s not enough to try to insulate the West by cutting off Chinese access to U.S. and European markets. U.S. and European governments, in cooperation with major technology companies, must develop joint industrial policies and ethical standards to create viable Western competitors in 5G and other emerging technologies. These may include embracing open architectures that would essentially allow the West to develop a variety of different kinds of systems that would run on common, inexpensive hardware. We must recognize that we cannot beat Chinese products without similarly capable, and similarly priced, products of our own.
Retaining the “U.S. market reserve” for European providers Ericsson and Nokia, perhaps even joining forces with a U.S.-based chip-maker could set a real counterpoint to Chinese advances. This will require recognition that 5G is not just another iteration of existing services; it is a rewiring of the Internet. Recognizing this fact, Congress should extend R&D funding into 5G software standards to transatlantic partners, recognizing that this is as essential to weaving together common defenses as the Joint Strike Fighter is to weaving together NATO allies. The West—transatlantic allies plus, eventually other technologically advanced democracies—must develop a shared funding pipeline for 5G/6G and an emerging tech joint research platform (funded in part by joint government initiatives, but not government administered). The EU 5G toolbox and risk assessment mechanisms along the value/supply chain could be enhanced with U.S. and European intelligence assessments. Applying jointly agreed regulatory pressure to domestic technology distributors on each side could force the adoption of security standards throughout supply chains. Building “Clean networks,” a Trump era initiative worth building on, free of Chinese technology, could even be considered part of the 2% GDP goal in NATO.
As detailed elsewhere in this report, joint priorities to curtail Chinese overreach should be immediate priorities. These could include the pursuit of a transatlantic export control regime and expanded investment screening standards. Clearly, there must be improved commercial intelligence exchange to push back against Chinese cyber-espionage and IP theft at scale.
With a Biden-Harris administration generally in favor of greater data protection, and with its interest in examining tech platform regulation (though with a different focus than the EU side) at home, there is an opening for coordinated consultation. Expanding the EU ‘code of conduct’ to a transatlantic effort is an initial idea. Aligning antitrust efforts more effectively and reframing “digital sovereignty” as ‘open to America’ will be necessary to advance transatlantic consensus. GAIA-X, the “by Europeans-for Europeans” cloud-based data storage and management initiative, and the Digital Services Act must allow for transatlantic coordination. Microsoft recently joining GAIA-X sends the right signal that the panoply of data issues is a joint transatlantic concern—but more importantly, it underlines that these solutions have to be built on the basis of leading-edge, effective technology.
The EU–U.S. Privacy Shield agreement will need urgent renegotiation. The U.S., UK and EU should be core partners in building a data space that allows for intelligence collection and managed, open data flows while balancing privacy and fundamental rights concerns adequately. The Privacy Shield attempted—however insufficiently—to remedy the shortcomings of the earlier Safe Harbor Agreement, which was invalidated by the European Court of Justice (ECJ) because of perceived National Security Agency (NSA) overreach in collection and usage of foreign data. Still, even with the fixes introduced into the Privacy Shield, weaknesses remained around questions of independent and authoritative redress for Europeans and legal issues around standard contractual clauses designed to regulate data transfers to the U.S. The ECJ voided the Privacy Shield in July 2020, leaving thousands of U.S. and EU companies uncertain how to proceed.
For as much as Americans may have overreached on data intelligence in the early years of these agreements, intelligence cooperation based on signals and digital financial transaction tracing (all based on data) are predominantly requested by Europeans—and have measurably reduced terrorism in Europe. Transatlantic intelligence and security agencies will have to balance the demands of security and privacy in a more equal partnership, creatively rethinking a surveillance security regime that both America and its allies need to confront the new threats in a multipolar world.
On AI, the U.S. and EU must sweep away the concept of competition within the alliance and develop common goals—and ethics standards—for the use of autonomous technology. The EU’s current plans on AI could tip into protectionism, and at worst significantly hamper the kind of R&D necessary to keep pace with progress in the US and China. Expanding the Trump era U.S.-UK AI agreement quickly to include EU member states would clear the way toward a Transatlantic AI Agreement, as suggested by the EU Commission in December 2020.
Russia has successfully reframed the Council of Europe’s Budapest Convention on Cybercrime to its advantage. China has asserted its leadership in UN specialized groups, to set standards in cyber or adjacent areas. They are already using these seemingly bureaucratic victories to establish rules that make it easier to exploit the internet. Increased transatlantic leadership in multilateral and international bodies is essential to the preservation of liberal values in the institutional system. This applies equally to standard-setting in the ICT area, where China has made fast inroads. China has already appointed the heads of the International Telecommunications Union, the International Standards Organization and the International Electrotechnical Commissions. The transatlantic alliance needs to be putting forward strong, common positions at these bodies where possible, and push back against blatant efforts by the Chinese to control these bodies. Members of the transatlantic alliance should ensure they have implemented the UN Group of Governmental Expert (UN GGE) norms at home and continue to expand investments in a robust international cyber-security architecture, through real-world capacity-building exercises with like-minded democracies, to help allies identify gaps in their cyber armor. Better tracing and attribution capacities should make joint sanctions regimes against cyber attacks increasingly possible: Expanding the summer 2020 EU cyber sanctions transatlantically could be a way forward.
Countering the spread of mass disinformation (including deep fakes, cheapfakes and other next-generation disinformation technology), particularly from China and Russia, must be at the core of the joint transatlantic project to defend the integrity of democracies. Europe and the United States were equally the target of strategically launched disinformation campaigns by Russia and China at the height of the spring COVID outbreak.
As part of the Tech Forum’s work, the U.S. State Department’s Global Engagement Center and the EEAS detection and early-warning systems must be closely aligned. The 2018 G-7 summit Charlevoix agreed to build transatlantic data competence to identify dual-use tech and tech-powered human rights violations so that powerful nations can coordinate sanctions design. Transatlantic nations need to expedite the implementation of this decision.
Both sides have a vested interest in protecting election infrastructure from technological interference by malign actors. This includes a tighter control on election advertising, bots, deep fakes, inauthentic behavior, and hate speech. But there must also be a recognition that these efforts cannot be used to give governments greater power to restrict real political speech—including unpopular opinions.
The December 2020 European Democracy Action Plan (EDAP) signals the EU could be willing to make a joint effort with U.S. agencies and lawmakers to focus on the twin challenges of increasing transparency and accountability of platforms. A joint EU–U.S. ‘code of conduct’ on removal of hate speech, illegal and illiberal and blatantly harmful content could create a ‘race to the top’ when coupled with a credible threat of regulatory action—all while safeguarding provisions of transparency and free speech. A transatlantic audit mechanism of ‘black box’ algorithms could also force changes in business models. Joint EU–U.S. standards around identifying and marking disinformation could give platforms greater credibility and accountability.
The Tech Forum could also work to correct the information asymmetry on technology that exists among EU, member state and American lawmakers devising platform regulation. And it could coordinate joint research funding by American and European foundations and academic institutions into the impact of disinformation on society and democratic integrity to better anticipate, educate and counter its spread.
Ensure close coordination between private sector and cyber-authorities on the detection and pre-emptive strike capacities against hacker/bot operations that endanger democratic election and voting systems. We saw promising efforts at this when Microsoft and other firms worked alongside Cyber Command to dismantle the Trickbot tools network in the runup to the U.S. election. But even that effort was hampered by some absence of coordination.
This list is not comprehensive. There must be joint work on encryption, and joint strategy on cyber deterrence. But it is a start.
Clüver Ashbrook, Cathryn and David E. Sanger. “Transatlantic Action Plan: Technology.” Project on Europe and the Transatlantic Relationship and the German Council on Foreign Relations, February 2021
