Forget about foreign conflict, instability and terrorism: cyber security attacks are quickly becoming the biggest threat to European democracies. Over the past ten years, we have witnessed a steady and worrisome increase in online criminal activity, with cases of theft, espionage and data extraction on the rise. What were once merely disruptive threats have now become destructive attacks. Dealing with cyber attacks will require more than legislative proposals and “mainstreaming cybersecurity”.
The main targets so far have been businesses, alongside banking, telecom and defence, but with the 2016 US election, the focus of cyber attacks seems to have shifted towards governments and national parties. The state-sponsored cyber attacks against the Democratic Party and the subsequent leak of stolen information reflect a trend towards highly-publicised, overt campaigns designed to destabilize and disrupt organisations and sovereign countries.
European countries are no stranger to episodes of software piracy either: case in point, the hacking of French presidential candidate Emmanuel Macron’s campaign allegedly perpetrated by APT 28, a group linked to the Russian military intelligence, and the subsequent diffusion online of nine gigabytes of private data, hours before the French election. Four months before, at least ten members of the German Bundestag were also victim of an attempted cyber attack. Here the hackers used advertising on the Jerusalem Post website to “spear-phish” users and redirect them to a malicious site.
Both the DNC hacking and the cyber attacks on the German Parliament and on En Marche should be viewed as cautionary tales, especially since a number of European Union member states will be holding their general elections in the upcoming months, including Germany and Italy.
The efforts by foreign agents to destabilize elections should be met with readiness and resolve. Yet according to this year’s UN global cyber security index, most European countries do not have enough effective measures in place to counter this menace. Only two EU countries made the top ten: Estonia and, ironically, France.
The UN recommends implementing “prevention and mitigation measures to reduce the risks posed by cyber-related threats”. The EU’s official cyber security strategy dates back to 2013 and, while it has had promising but not entirely satisfactory results, it undoubtedly needs updating.
After a mid-term review of the Digital Single Market strategy carried out at the beginning of 2017, the following suggestions pertaining cyber security within the EU were made: a review of the “EU Cybersecurity Strategy” by September 2017 and additional measures on cyber security standards. The Commission has additionally pledged “600€ millions of EU investment for research and innovation in cyber security projects during the 2014-2020 period”.
The United States have increased their budget for cyber security from 5.5$ billion in 2016 to 7$ billion in 2017, and are planning to invest 35$ billion in the next five years. It is safe to assume that other superpowers like China and Russia are doing the same.
It is now clear that the biggest threat many European nations face at the moment is foreign interference in their elections, which will inevitably undermine the democratic process. Cyber warfare should be viewed as a matter of national security, just as terrorism is. It is in the interest of European states and European institutions to be prepared to confront cyber attacks and to protect the civil society from them.
The funds allocated by the Commission for cyber infrastructure pale in comparison to what other global superpowers spend on cyber defence, showing that this issue has not yet gained the significance it should.
The Commission needs to recognize the urgent necessity of proper cyber infrastructure and increase the budget for cyber defence. Moreover, these funds need to be allocated wisely if we want to make sure no hacking incidents obscure the results of the next elections.
One obvious option the Commission has to improve online security for its member states is enhancing public-private partnerships in regards to cyber defence.
The Commission already recognized the potential of public-private partnerships in tackling cyber threats. But while the underlying goal is “to foster cooperation at early stages of the research and innovation process”, its reach shouldn’t stop at the “traditional” fields of energy, health, transport and finance. Instead, it should be made effective for government institutions and political parties as well. The number of start-ups specialized in cyber defence is thriving: the Commission ought to make sure those businesses get appropriate funding in order to scale up their operations.
Enhancing funding and encouraging public-private partnerships in the field should be taken into account in the review process of the “EU Cybersecurity Strategy”. Continuous investments need to be made in cyber security measures. It is crucial for the EU to make sure software capabilities of its member states are fit to resist foreign attacks.
Modern warfare is swiftly moving to the virtual front: if the European Union wants to stand a chance in this fight, it becomes imperative that member states are fully prepared to defend themselves from the cyber attacks of criminal organisations, terrorists or indeed state-sponsored agents. The stakes haven’t been higher.1 comment