Since the early 2010s, the Kremlin has consistently invested in efforts to undermine Europe's stability and security. Alongside the kinetic war waged in the East, well-documented evidence shows the Kremlin utilizing a spectrum of hybrid tactics across the European Union to achieve its goals.
For its part, Europe has consistently found itself in a defensive position, often taken by surprise when facing attempts to influence electoral processes or sow discord. A purely reactive approach will only weaken us, as adversaries exploit current vulnerabilities to strike where the state and society are most susceptible.
The campaign to undermine democratic resilience shows no signs of abating. On the contrary, with increased connectivity and the accessibility of advanced tools, including generative AI, malign influence becomes more pervasive.
Effectively building resilience against such efforts demands a multi-sectoral approach that encompasses a broad spectrum of state and societal elements. Three key sectors, however, stand as the bedrock of resilience-building that all states should master:
- Cyber resilience: Since the latter part of 2022, both Microsoft and Thales have reported a surge in cyber-attacks against EU countries since late 2022 originating from Russia. Attacks coming from Russia reportedly account for approximately 60% of all recorded cyber-attacks worldwide.
While predominantly targeting government agencies, academic institutions are not spared either, as demonstrated by cases in Austria or Slovakia. The key takeaway? States must invest significantly in ensuring that all key actors holding data susceptible to malicious use are as attack-proof as possible.
This encompasses not only public institutions and academia but also political parties and NGOs. Beyond technological capabilities, investments should minimize the risk posed by human factors and prioritize awareness-raising among employees, fostering collaboration with the private sector.
- Information resilience: The influence of information has not ceased infiltrating into EU information spaces with measures like blocking Russia Today or Sputnik. In addition to well-documented imitation of trusted sources, development of networks of web and social media pages, and deployment of trolls and bots, generative AI introduces new avenues for flooding information spaces with disinformation undermining democracy and translatlantic unity.
The European Commission report from autumn 2023 revealed that social media enabled the spread of Kremlin-based disinformation, reaching at least 165 million citizens in Europe. Resilience-building requires, first and foremost, substantial investment in strategic communication and education to ensure public awareness and immunity to these tactics. Second, it demands decisive actions to curb such practices by adjusting regulations related to security threats.
For example, the use of inauthentic behavior to manipulate the public should not be legally viable. It falls well beyond the scope of free speech and is employed almost exclusively with manipulative intent. If considered illegal, it would fall under the scope of the EU’s Digital Services Act, which requires social media companies to remove all instances of illegal content from their platforms.
Research, however, indicates that the Digital Services Act has, so far, not proven truly effective in limiting the spread of harmful content online in the EU. Hence, the question of implementing bolder and quicker mechanisms to penalize social media companies for allowing such content to appear on their platforms should be revisited at the EU level.
- Public sector resilience: Political cycles may sway the direction of a country's foreign policy, but a resilient public sector equipped with meaningful checks and balances can significantly mitigate potential harm.
Key vulnerabilities within state administration that GLOBSEC found across Central and Southeast Europe were related to corruption, outdated defense and security strategies, a lack of transparency and communication from institutions assessing security threats and risks, insufficient independence of these institutions from government influence, as well as poor awareness of civil servants. Equal attention and investment in these areas are imperative to safeguard the most critical aspects of the state, which can impact both information and cyber resilience.
Resilience-building against malign influence is often narrowly perceived as propaganda-fighting on social media, with debates primarily centered around the fears of free speech limitation. While these discussions hold significance, a myriad of other measures that states can and should adopt do not infringe on any rights and freedoms within their societies. On the contrary, measures aimed at protecting democracies from malign influences contribute to building long-term democratic resilience from within.