By MAX METZNER and OKSANA TRIFONOVA, with BROOKS TIGNER
BRUSSELS – The WannaCry ransomware cryptoworm attacks in May raise two fundamental questions regarding the safety of classified information. How do policymakers ensure international cyber-safety in the technological era, and what steps should be taken to deter and prevent cyberattacks before the damage is done?
During a recent talk in Brussels on the EU’s Security Union, a senior European Commission official laid out the priorities and next steps.
“Three critical factors need to be emphasized when dealing with cyber security, especially as it relates to fighting terrorism: transparency, traceability, and accountability,” said the official. “On counterterrorism, we are working around two fronts. The first is to close down space around which terrorists can operate. The second is to build our resilience while strengthening communications, critical infrastructure, transport, energy, and cybersecurity.”
In one example, he brought up the ability of an IP address to cover thousands of users, which can make it difficult to trace down one account. And even if authorities do manage to track the account, there’s the issue of accessing the evidence in that account due to legal hurdles and technical complexities.
The Commission hopes to eliminate some of the complexity of investigating online counter-terrorism by promoting cooperation among technology corporations and national and international law enforcement bodies. Between now and September, the EU will implement a number of measures as part of its NIS Directive on network and information system security – a measure to enable the member states to defend themselves against cyber attacks while boosting international cyber-cooperation. The directive was adopted on 6 July 2016, and national capitals have until May 2018 to transpose it into national law. However, the official said the directive’s implementation so far is patchy, which will “hopefully be fixed” in the near future.
When asked about vulnerability disclosure – policies dealing with publishing information and informing users about a computer security problem – the official admitted it is difficult to force people to act responsibly. Nonetheless, he said the EU will cooperate with the governments of member states to develop a programme of work on encryption.
Before doing so, he said the member states would first need to agree on the legal framework of encryption by outlining the legal parameters for information about encrypted content. If they can agree on a common framework, then additional technical options and possibilities could be discussed, with concrete ideas possibly ready as soon as October 2017.
While stressing the need for such solutions to fight radicalisation online, he said that can only work in conjunction with other solutions. “It’s crucial we don’t lose the civil society element,” he said, pointing out that many in marginalised communities do not trust their local governments, let alone the EU. “There needs to be a good degree of community involvement.”
One example of EU community involvement is the Civil Society Empowerment Programme. Launched by the EU Internet Forum, it seeks to counter radicalisation by promoting alternative points of view in communities that could be susceptible to radicalisation.
A similar EU initiative is the EU Internet Referral Unit (EUIRU), launched in 2015 by Europol. The EUIRU serves as an open source monitoring unit for identifying and removing extremist material posted online. All these civilian-based counter-terrorism measures need to be scaled up, said the official, noting that EUIRU “has taken down tens of thousands of postings, but hundreds of thousands remain online.”
Finally, the official acknowledged that governments need the trust of civil society to support work in the field of security, pointing to the Commission-funded Radicalisation Awareness Network (RAN), a European Commission initiative that connects local practitioners to disaffected youth to swing them away from radicalisation. Through such a network, “policymaking becomes intertwined with real-life experience,” said the official, adding that if “sustain and support measures are to really support counter radicalisation, then they must respect the values that we’re seeking to defend”.
And if the NIS is any indication, the EU-national capital dialogue on a common approach to encryption risks doing the same. By the time EU encryption standards fall into place, the sector’s “bad guys” will have moved on to a different set of capabilities or priorities.
As for RAN, as this publication has repeatedly stated: where is the beef? RAN has received a lot of money from the EU for a lot of years. But aside from some local community how-to “manuals” and such, the concrete examples of what it has actually achieved in quantifiable terms are thin on the ground. For example, the network does not make its annual conferences on boosting community awareness public. Why? The “public” cannot be trusted?
RAN’s raison d’etre is solid, but it’s time for it to show in detail what it does with the European taxpayers’ money.