A Transatlantic Innovation Strategy and Tomorrow’s Black Swan

Sarah Lohmann

Sarah Lohmann

Dr. Sarah Lohmann is Non-Resident Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University. Dr. Lohmann is an Acting Assistant Professor in the Henry M. Jackson School for International Studies and a Visiting Professor at the U.S. Army War College. Her current teaching and research focus is on cyber and energy security and NATO policy, and she is currently a co-lead for a NATO project on “Energy Security in an Era of Hybrid Warfare”. She joins the Jackson School from UW’s Communications Leadership faculty, where she teaches on emerging technology, big data and disinformation. Previously, she served as the Senior Cyber Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University, where she managed projects which aimed to increase agreement between Germany and the United States on improving cybersecurity and creating cybernorms.

Starting in 2010, Dr. Lohmann served as a university instructor at the Universität der Bundeswehr in Munich, where she taught cybersecurity policy, international human rights, and political science. She achieved her doctorate in political science there in 2013, when she became a senior researcher working for the political science department.

Prior to her tenure at the Universität der Bundeswehr, Dr. Lohmann was a press spokeswoman for the U.S. Department of State for human rights as well as for the Bureau of Near Eastern Affairs (MEPI). Before her government service, she was a journalist and Fulbright scholar. She has been published in multiple books, including a handbook on digital transformation, Redesigning Organizations: Concepts for the Connected Society (Springer, 2020), and has written over a thousand articles in international press outlets.

“Black Swans” are the unpredictable, high impact events that must be accounted for in every early warning algorithm. Their catastrophic consequences can often be predicted only in hindsight. In the cybersphere, black swans could be anything: new actors, new attack methods, new targets. They change daily, just enough to shift calculations so that accurate threat predictions remain difficult. In the new global context, China’s creation of wireless technology infrastructure that Europe is dependent on—and whose use aggravates tensions between old allies—should not be considered a black swan, but it is currently being treated by some in the transatlantic community as if it is one.

While many in the West slept, China’s military spending and prowess has consistently grown over decades to make it a world power.

While many in the West slept, China’s military spending and prowess has consistently grown over decades to make it a world power. Its innovation strategy, imbedded in the $900 billion Belt and Road Initiative since 2013, has been well-advertised, well-planned, and deeply funded. It includes providing telecom infrastructure, including 5G, across Europe and South America; AI surveillance across Asia and Africa; “new media trainings” promoting cybersecurity law similar to their own in developing countries; creating an alternative GPS Beidou navigation system to be used across the Belt and Road countries; and submarine cables to connect the BRI countries with internet, telephone and digital data.

Its methods in the cybersphere—to curtail privacy of its own citizens, spy on competitors, and create innovation that allows it to play by rules different than those of the transatlantic community—have been well-documented by governments and intelligence agencies across the NATO countries. Increased cyber espionage on behalf of the Chinese state has also been reported connected to China’s Belt and Road Initiative, which aims to connect 68 countries across Asia, Europe, and Africa through the new infrastructure projects.

It should be no surprise, then, that the European Commission came out with a strategic agenda toward China this month which includes a cyber strategy for the EU that takes into account China’s status as “a systemic rival promoting alternative models of governance.” That EU cyber strategy includes: “a sanctions regime to counter cyber-attacks,” a joint approach to security risks to 5G networks rooted in EU law on cybersecurity, and ensuring that cybersecurity and surveillance technology are regulated under EU rules for dual-use export goods, especially if there is foreign investment involved in the technology or infrastructure.

The document is a welcome starting point for a cyber strategy toward China and for transatlantic innovation cooperation at a point when Germany and the United States do not have a unified common strategy toward China on innovation. Chancellor Angela Merkel’s insistence that a one-country exemption for Germany attached to certain anti-spy conditions can be applied to 5G infrastructure supplied by China shows a lack of understanding of the non-territorial nature of the wireless technology and the data it is transmitting and collecting. It also ignores the real security risk that could be posed to allies across the NATO community if sensitive data were compromised. That’s the reason why Germany’s BND intelligence service, its interior ministry, and its foreign ministry are openly speaking about the espionage and sabotage risk Huawei poses to Germany’s network infrastructure. The fact that Germany has put itself in a place where it has not developed an alternative telecommunications infrastructure makes its dilemma more complicated.

While America leads the world in cyber capabilities and innovation tools, shifting cyber strategies and cyber leadership in the government makes long-term planning on innovation strategy a challenge.

But it is essentially no less naïve than the United States’ previous decades-long policy of deepening trade ties between the United States and China, which assumed that investing in the country would force it to liberalize its trade policies, respect human rights, and improve its procurement practices. To add to the problem, while America leads the world in cyber capabilities and innovation tools, shifting cyber strategies and cyber leadership in the government makes long-term planning on innovation strategy a challenge. China is fast catching up in both cyber capabilities and technological innovation, with long-term goals and consistent funding and government support in the areas of AI, space and navigation, and smart cities.

A Transatlantic Innovation Strategy

China’s cyber strategy within the Belt and Road Initiative begs a response. Germany, as Europe’s economic powerhouse, must know whether it is willing to be part of China’s broader plan for the European economy and technological infrastructure and the different standards of privacy and security that come with it. Likewise, an isolationist response by the United States to China’s innovation strategy could have long-term economic consequences. Incorporating isolated elements of the Commission’s cyber plan (which has some similarity to cyber strategies being currently discussed in the NATO context) into a transatlantic cyber strategy could improve defense preparedness and strengthen innovation in both countries.

A Common Approach to Sanctions

To be more specific, a joint approach to sanctions in response to China’s cyber espionage, intrusions, and attacks will make both countries more secure. The Worldwide Threat Assessment of the Office of the Director for National Intelligence of January 29, 2019, listed the top threat this year as coming through the cybersphere, with China being the nation state “most active” in cyber espionage targeted at the United States and its allies, threatening both military interests and civilian critical infrastructure.

Paul Stockton of John Hopkins University’s Applied Physics Lab calls for cost imposition on cyber adversaries so that they would know there are consequences if they, for example, strike critical grid infrastructure. Cost imposition requires allies on both sides of the Atlantic to be unified in their agreement on what those costs are—sanctions or otherwise—and when to levy them.

However, for true cost imposition to be effective, there must be accurate, faster attribution. A new NATO information-sharing center, called the Cyber Security Collaboration Hub, will act as a NATO CERT community and provide access to all twenty-nine NATO member states later this year. It could help improve the attribution process. The Allied Computer Emergency Response Teams (CERTS) from Belgium, France, the Netherlands, the United Kingdom, and the United States have already been connected to NATO’s protected business network through the NATO Communications and Information Agency since February. Increased cooperation through preexisting CERTs for infrastructure intrusion as well as among agencies on local and federal levels will also strengthen that process.

A Joint Policy on Security Risks and Innovation Gains

Such information sharing is only possible if the networks through which information is being shared, whether 5G wireless or otherwise, are secure, and real risks to data privacy, business intelligence, and national security are recognized. This will be true across Europe but will also be vital transatlantically.

At the same time, continued investment in the United States and in Europe in the development of legal uses of AI, IoT, and the protection of cyber and information technology infrastructure will be vital to ensure their economies and their systems are resilient and sustainable. This will require cooperation between the government and the private sector and will come at no small cost. Utility companies were expected to spend $73 billion worldwide on the IoT in 2018, according to the International Data Corporation, with spending focused on smart grids for electricity, gas, and water.

Both the United States and Germany have seen increased cyberattacks on their energy infrastructure within the last two years, and efforts should be made in both countries to ensure the utilities sector is also setting standards as they develop new systems to ensure critical infrastructure is not at risk.

Critical infrastructure providing for civilian needs is becoming increasingly reliant on IoT, smart grids, and smart devices. The same innovation that improves efficiency in the energy industry also makes it the most attractive target because of the ripple effect that a cyberattack could cause on the Industrial Control Systems (ICS) of nuclear, coal, or oil plants. In fact, the Energy Sector ICS is the most attacked infrastructure, with 40 percent of all industrial control systems being attacked by malware at least once in the second half of 2017. Both the United States and Germany have seen increased cyberattacks on their energy infrastructure within the last two years, and efforts should be made in both countries to ensure the utilities sector is also setting standards as they develop new systems to ensure critical infrastructure is not at risk.

China’s innovation gains should not be surprising. Germany, and the United States, can reduce the number of black swans in tomorrow’s cyber threat scenarios if they follow a new proactive innovation strategy that invests in new technology, has eyes wide open to current risks, and are willing to together sanction the adversaries that pose them.

The views expressed are those of the author(s) alone. They do not necessarily reflect the views of the American-German Institute.