This article depicts the struggle that small states face implementing effective cyber security. Joe Burton explores whether small states are confronting unique or unusual challenges in enhancing their cyber security. Utilizing small states literature, the article formulates three conceptual models of small state security, based on alliances, institutional cooperation and norms. The author argues that institutional cooperation on cyber security issues and the emergence of cyber security norms are being hindered by strategic rivalries between the U.S., Russia and China. The author further explains that military alliances are struggling to adapt to collective defense against cyber threats. Before beginning to explore the three models the term ‘small’ for small states (or powers) is defined as “local powers whose demands are restricted to their own and immediately adjacent areas…”

The first model explained and later explored is alliance. Due to the inability to apply power and/or resist the application of power against them by larger powers, small states seek to enter into alliances with more powerful states. The small states are faced with deciding whether to join forces with or against a threatening state. This can be beneficial for both states- the large and the small- because it can create a mutual relationship if both states have something to offer. The larger state for example, usually offers protection, and the smaller state may offer other things. But these alliances can run their course leaving the small states confined.

The second model stems from liberal institutionalism. In this model small states seek to institute rules and transparency within international institutions, they incite cooperative approaches to international security issues. In this type of model, small states can have substantial institutional influence on other states. According to Peter Jakobsen, One example of this is how small Nordic states enhanced the Civilian Crisis Management agenda within the European Security and Defense Policy (ESDP), in spite of firm opposition from France. This leads me to understand that if small states invest time and resources in in international organizations they can be perceived as a greater power than they actually are. As Baldur Thorhallsson said, “when small states invest time and resources in the UN system, are perceived as neutral, work on niche issues, develop administrative capabilities and actively work to build coalitions, the extent of their influence can be disproportionate to their size.” So to be able to benefit from this model, small states not only benefit from this system, but they must also contribute to it. The institutional approach gives small states soft-power, which is the power of persuasion and attraction. It may not seem like it, but in this way small states can prevail by using psychological or tactical resources to change outcomes or perceptions. In this sense, a small state’s institutional power may be disproportionate to its physical size.

Identity and norms are what the third model is based on. According to Laurent Goetschel, small states may develop a security identity from ‘past behavior and images and myths linked to it which have been internalized over long periods of time by the political elite and the population of a state. I understand this model as a state functioning with and advertising firm morals, values and beliefs. Goetschel also argues that a state’s security identity can be very influential. A good example of this is the European Union, in which various small states become security actors. In this way small states then start to develop what is called acceptable standards of behaviour. These three models can be accomplished by states concurrently through their foreign policy. The norms originate from states forming partnerships and alliances.

These models can be applied to cyber security to some extent. One reason for this is that the issues on cyber security have only just started to be acknowledged. Military alliances and international institutions are beginning to respond politically and operationally to cyber security issues, so cyber norms are slowly evolving. Even though alliances are supposed to mutually provide aid in the event of an attack, this is not yet the case when it comes to cyber security. NATO, for example, conducted a crisis meeting during the cyber attacks against Estonia in 2007. However, the term cyber attack does not have a clear definition, nor, are the actions to take against this type of attacks stipulated clearly.

Small states can benefit from an alliance, contribute to a greater good, and lead by example but part of what is hindering them when it comes to cyber security is that there is no clear blueprint to follow when it comes to cyber security. The attacks on Estonia gave way to an intra-alliance concentration on cyber security and NATO established an Emerging Security Challenges division, Cyber Defense Management Authority (CDMA), and a Rapid Reaction Team (RRT), and a Cooperative Cyber Defense Centre of Excellence (CCD COE). While steps are being taken to move forward in small state cyber security, there are also large states manipulating cyber security for their own benefit.

Such is the case of New Zealand, a small state that sought a closer security relationship with the U.S. In 1951 New Zealand joined ANZUS (a collective deference pact) with America and Australia. This lead to their troops being used by larger powers for their own benefit. However, New Zealand faces new challenges in cyber security due to a globalized cyber security environment. The small state has taken steps to enhance its domestic cyber security capacity and its international cyber security partnerships. The New Zealand government now intercepts the communications of their citizens, and has continued with a partnership with the U.S., which provides them with the resources they need. New Zealand does not have the manpower or the infrastructure to be able to defend itself against cyber attacks. The U.S. provides the necessary resources. However, this also means that the U.S. can monitor the small state’s communications. This type of problem can be seen in other cases as well.

It is clear that small states, like New Zealand and Estonia, face significant technical difficulties and resource challenges. These obstacles range from financial, to human resources, to technical expertise and knowledge to keep up with the ever-changing cyber security environment. There is a serious gap between small and large states when it comes to cyber capabilities, making the smaller states vulnerable. A dependency on large states is thus created. However, cyber security cooperation among states is not reliant on states being in close geographical proximity, so even though cyber threats are global, cyber cooperation can be as well. Small states also remain outside formalized security pacts, so their contributions to groups like the UN and NATO are vital and instrumental in their cyber security defense. The three models of small state security can be useful in analyzing cyber security challenges, but there needs to be a balance between security and privacy.

Fatih DURUKAN

Leave a Comment