11 minute read
Marietje Schaake MEP, Strasbourg/Brussels
Cyber Security − the threats and solutions Cyber security is more than technical implementation. It is also strategic decision making on an integrated approach bringing all aspects together in an EU Cyber Strategy
Marietje Schaake MEP ...................................................................... 54 Gilles de Kerchove........................................................................... 57 Arne Schönbohm ............................................................................. 59
Security measures must respect human rights in the EU and when considering EU’s global role Balancing Cyber Security and Human Rights
The European: Cyber crime is without any doubt a global phenomenon. What are the risks for the European Union as a whole? Mrs Schaake: The internet has made possible global communication and interaction. As with any online activity, criminals can work together well across borders and act globally. We need more cooperation among law enforcement organizations and officials in Europe. The risks of cyber attacks particular to the European Union should be analyzed in detail before we agree on a specific strategy.
The European: Aren’t there enough industry-funded reports? Mrs Schaake: Yes, the vast majority of comprehensive research on cyber crime is available through reports funded by the Infor - mation and communications technologies (ICT) industry. But there is a need for more independent scientific research. I would add that developing policies on cy ber crime should go hand in hand with safeguarding internet freedom. The resulting policies should also be subject to democratic oversight.
Marietje Schaake MEP Marietje Schaake is a Member of the European Parliament for the Dutch Democratic Party with the ALDE political group since 2009. She serves on the Committee on Foreign Affairs, where she focuses on neighbourhood policy human rights, with a specific focus on freedom of expression and press freedom; and Iran. In the Committee on Culture, Media, Education, Youth and Sports, she works on Europe’s Digital Agenda and the role of culture and new media in the EU’s external actions. Before joining the European Parliament, she worked as an independent advisor to governments, diplomats, businesses and NGOs, on issues of transatlantic relations, diversity and pluralism, civil and human rights and integration. She studied American Studies and New Media at the University of Amsterdam.
The European: It seems to me that you are rather downplaying the actual status of the discussions. Mrs Schaake: Talking about cyber security is over-hyped, so it is important to keep a realistic viewpoint. To put it in perspective, no cyber attack has had the impact of 9/11 in terms of casualties.
The European: What are the general objectives of cyber attacks? Mrs Schaake: Cyber attacks can be conducted based on diffe - rent motives. They can be waged to undermine a corporation, organization or government. Generally, attacks are made by either states, politically motivated networks, organized crime syndicates, or individuals. The problem is that the attack is not always visible or even known to the targeted system, organization or individual, making it difficult to accurately detect.
The European: Can you see any trends? Mrs Schaake: Increasingly, we can observe attacks by governments against citizens. In the weeks before the street demonstrations and violent crackdowns in Syria, the government deployed aggressive technologies to break into citizens’ emails and social media accounts to gather information. This information was then used against the people to track opposition voices and networks as well as to harvest personal data.
The European: And similar crimes in other countries? Mrs Schaake: In Egypt, for example, the government turned off the internet and mobile connections entirely in an unprecedented crackdown. Equally unprecedented was the fining of Mubarak and two of his ministers, who were held accountable by the courts for resulting economic losses.
The European: Isn’t this an important step forward? Mrs Schaake: It is an important step, but not including human
rights violations in the charges, such as limiting speech and press freedom or creating an environment in which human rights violations went undocumented, is a missed opportunity.
The European: I think we should try to find a definition for cyber crime. Would you make an attempt? Mrs Schaake: Cyber crime is defined very broadly as any crime involving a computer. Many people believe it means different things, so there is a need for more understanding and shared definitions. Advertising a stolen bike online is a very different ‘cybercrime’ than deploying the computer worm Stuxnet, even though both would fit under the same current definition.
The European: The public and the private sectors appear linked when it comes to cyber crime. Are they in the same boat? Mrs Schaake: The public and private sectors face similar threats and have to work together to mitigate these; risk mana gement and prevention are important. As with any security situation, 100% security does not exist. The difference is that the private cyber security sector makes more money when the perception of a threat is more serious.
The European: And what role do governments have? Mrs Schaake: Governments in principle should act to protect citizens and critical infrastructures. In a recent parliamentary session, I urged the Commission to carry out its own research to find out which means are appropriate and proportionate and to ensure that cyber security measures do not violate the fundamental rights of citizens.
The European: It seems that prosecuting internet crime stops at national borders. Is this a weak point? Mrs Schaake: While physical borders are less important on the internet, laws are made in the context of nation states. Governments are responsible for protecting their citizens. In Europe, there is free movement of people, capital, labour and services. In addition, we can speak of a fifth freedom, the free movement of information and data.
The European: Are EU citizens aware of this? Mrs Schaake: European citizens need to know their rights in the European context. With globally-used cloud services such as Twitter, the question is how European governments can best protect their citizens. Recently, the U.S. Department of Justice subpoenaed Twitter to hand over the private information and communications of an EU citizen. There should be increased awareness of the laws applicable when an online service is used. The EU should ensure that the rights of its citizens are guaranteed. People increasingly rely on the services of commercial actors incorporated in different countries.
The European: In 2013, all European citizens should have access to the internet. Will the EU have ready at that date its own strategy? Mrs Schaake: Developing an EU strategy on cyber crime should be based on solid independent research. It will be a process of constant tweaking; I would prefer to focus on content and results rather than dates as an assessment of success.
The European: What could be the essentials of such a strategy? Mrs Schaake: An EU strategy should be carefully balanced, where we take account of citizens’ fundamental rights, real risks as opposed to perceived dangers, and make sure the policy is subject of democratic oversight.
The European: How do cyber security and internet freedom go together? Mrs Schaake: Cyber security and internet freedom are two sides of the same coin and need to be considered as such. When I hear discussions on the threats of cyber attacks, and the lengths to which proposals to stop them go, I can’t help but think of the ‘war on terror’. By now we know that the medicine can be more harmful than the disease, and we must be very careful not to repeat the mistake of compromising fundamental rights for alleged security. We must not compromise the freedom we are seeking to protect!
The European: You alluded to cyber crime and cyber war. Could you define the difference between these? Mrs Schaake: A cyber crime is a criminal act carried out via computer networks or even with the use of only one single computer. The term cyber warfare recalls ground wars and casualties, suggesting a larger scale. The acts which have been classified as cyber warfare are like acts of espionage or sabotage, or acts initiated by one government against another. In cyberspace, non-state actors are becoming more important, so to speak of only nation states as actors would unduly limit the scope.
The European: When can we speak of an attack? What are the criteria? Mrs Schaake: A judge should decide that on a case by case basis; it is impossible to make generalizations. There are different levels of harm that attacks can cause. Also, individuals have varying levels of responsibility. Many people own computers through which attacks are jointly launched via viruses, even though that is not the owner’s wish. Levels of intent and impact will be important criteria in defining attacks and in holding the attacker accountable.
The European: Next, we should discuss responsibilities. What role will the European Union play within the designed strategy?
56 Actively or passively acting, or only advising? Mrs Schaake: Information flows across borders, and so will information which is transmitted with malicious intent. Thus, a trans-national approach is desirable: Member States, the European Commission and the European Parliament should coordinate their activities. The European Union’s network and security agency, ENISA, could play such a coordinating role. Additionally, a more active dialogue with businesses and civil society should be sought. Different players represent different interests that are difficult to separate.
The European: How do you envision such cooperation with the Member States, more precisely between the EU institutions and the nations? Mrs Schaake: Many national centres of expertise already exist. The European Union should foster their collaboration and communication. Knowledge should be shared at the European level, so we can prevent attacks where necessary.
The European: In Member States, communication and responsibilities are rarely centralized. How will the EU communicate with relevant national authorities? Mrs Schaake: When building the European strategy, we should seize the opportunity to redesign any inefficiency in the whole communication process. It remains to be seen whether this will be mainly a top-down system, or organized in a way where coordination and cooperation are stimulated. Laws differ among Member States, and we should learn from the way good as well as poor practices play out.
The European: How do you see communication and coordi - nation with third countries, which entails a sort of global networking? Mrs Schaake: There are a growing number of international organizations and multilateral initiatives dealing with cyberspace, such as NATO, UN-IGF or the G8. Governments of some third countries are part of the problem; others are part of the
News: ENISA on Cyber
Cyber security − map on good practice in Europe On 8 June 2011, the European Network and Information Security Agency ENISA launched online an updated edition of its “Country Reports”, which provide an overview of the “state of the art” in network and information security in each of the 30 countries of the 27 European Union Member States and the 3 members of the European Economic Area. The updated Report shows that European countries are highly varied in how prepared they are for dealing with cyber crime, network attacks and network resilience.
The Report can be found via the ENISA Website: > http://www.enisa.europa.eu/act/sr/country-reports solution. As with any subject, it is important to identify allies and to set standards that ensure security without compromising the fundamental rights and freedoms of citizens. The Uni ted States recently stated that cyber attacks may be labelled as an 'act of war', which would justify military retaliation. The EU must react to this statement and define its own parameters and norms in the context of the EU's Common Security and Defense Policy.
The European: How could this experience be used by the public sector? Can Europe make use of U.S. experiences or those of NATO? Mrs Schaake: Governments should not rely solely on the private sector. A new EU strategy should encompass capacity building in the public sector, and the private sector can help in this objective. Europe should certainly learn from the U.S. and NATO approaches and share valuable knowledge, but at the same time act independently and in the best interest of its citizens.
The European: What should be the EU’s first steps in becoming an efficient coordinator of cyber defence? Mrs Schaake: The first step should be research into the real risks of cyber attacks. Afterwards, the EU should define its own role in the overall strategy.
The European: And how do you see an optimization of the coordination of anti-cyber threat measures at the different levels and sectors? Mrs Schaake: That is a difficult question to answer at a time when we do not clearly know the real threats. We must begin to gather independent knowledge on a number of issues. However, when finding an optimal level of coordination, internet users’ fundamental rights should be taken into account at all times. Optimization does not mean constant surveillance of all internet traffic.
The European: Are there special efforts for special sectors? Mrs Schaake: The extension of the ENISA mandate is currently being discussed. Now would also be the time to discuss the overall budget for network security for the coming years.
The European: How do you see the role of the European Parliament in making other institutions push forward? Mrs Schaake: The European Parliament should refrain from being a limiting factor or taking too long to act. However, due to the complexity and delicacy of the topic, the Parliament should also not rush its decision making. It is important to include various stakeholders, and to bring knowledge to decision makers so that better-informed decisions are made.
