
[liberationtech] Comments on the EU Commission’s Flawed Cybersecurity Strategy

Félix Tréguer ft at laquadrature.net
Fri Feb 8 08:10:00 PST 2013


Hi all,

Frustrated by the lack of critical reporting on the matter, I put
together a post on the EU Cybersecurity Strategy that was announced
yesterday. Apart from Prof. Ross Anderson's, I've read very few
worthwhile analyses of it coming from civil society or academia. So I
thought it would be useful to have your take:

http://www.wethenet.eu/2013/02/comments-on-the-eu-commissions-flawed-cybersecurity-strategy/

Corrections welcome, especially if you think I'm being overly
pessimistic/negative.

Best,

Félix

PS: Since this is my first post to the list, a few introductory words: I
was a policy analyst (now volunteer) at Paris-based La Quadrature du Net
for three years, and I'm currently writing my PhD thesis on the
Internet's consequence for free speech law and citizen empowerment in EU
democracies.


------------------------------------


    Comments on the EU Commission’s Flawed Cybersecurity Strategy

On Thursday February 7th 2013, during a press conference, the European
Commission announced a milestone initiative in the field of
“cybersecurity”, publishing two documents:

- A *proposal for a directive*
<http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-DRAFT-PROPOSAL.pdf>
“concerning measures to ensure a high common level of network and
information security across the Union” (apparently nicknamed the “NIS
directive”).

- A *communication*
<http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-JOINT-COMMUNICATION.pdf>
on a “CyberSecurity Strategy of the European Union: An Open, Safe and
Secure Cyberspace”.

[Reminder: Cybersecurity in the sense used by the Commission is a
buzzword covering issues ranging from the management of computer
security systems in the defense and private sectors, to "cyberwar",
payment fraud, zero-day exploits and malicious code, trafficking (among
other things), but also the protection of Internet freedom
internationally (just a few unconvincing words on the matter, but
they’re there, in bold
<http://europa.eu/rapid/press-release_IP-13-94_en.htm>! And there is
"open internet and online freedoms" in the title of the Commission's
press release <http://europa.eu/rapid/press-release_IP-13-94_en.htm>!!
If that's not a proof...).]
Both the press conference <https://www.youtube.com/watch?v=qYOIlT9hqPA>
of commissioners Kroes, Malmström and Ashton as well as the documents
released show two things: *the Commission is not taking freedom
seriously in Internet policy*, *and it might be paving the way for the
militarization of cyberspace.*


    EC should start by getting the math right

The commissioners started off by presenting very *vague and inflated
statistics about the cost of cybercrime* (several studies
<http://www.commercialriskeurope.com/cre/1588/239/Report-rails-against-in...>
have already made that point clear). From copyright to cybersecurity
policy debates, bogus numbers remain, in this case to the benefit of the
security and surveillance industry [1].
This is classic, lobby-induced, pure *threat inflation* (on that note,
see Brito & Watkins’s 2011 article
<http://mercatus.org/sites/default/files/publication/loving-cyber-bomb-dangers-threat-inflation-cybersecurity-policy_0.pdf>:
/Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity
Policy/).

Then, the commissioners moved to the substance of the proposal. Things
were not particularly clear, as the questions of the journalists sitting
in the press room would later reveal. The few reporters in attendance
had interesting questions, but sadly these were largely unrelated to the
actual texts [2].
They had apparently not been able to read the recent leaks of both texts
by anonymous Brussels sources, released on the Internet last month (as I
write, the documents officially released yesterday still cannot be found
on the EU Commission website).

Going over the 60-plus pages of the proposed directive
<http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-DRAFT-PROPOSAL.pdf>
and the accompanying communication
<http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-JOINT-COMMUNICATION.pdf>,
it becomes clear that the EU cybersecurity strategy suffers from several
flaws…


    Towards a centralized network of cybersecurity authorities

The proposed “Network and Information Security” directive aims to set up
a “*NIS network*” of “cybersecurity firemen”, headed by the EU agency
ENISA
<https://en.wikipedia.org/wiki/European_Network_and_Information_Security_Agency>
(created in 2004 and based in Athens). ENISA will lead a group of
national counterparts (each Member State shall have its own NIS
authority). For the most part, these already exist and are usually
primarily in charge of *defense and military networks* (see this
analysis
<http://www.edri.org/edrigram/number11.1/cybersecurity-draft-directive-eu>
by computer security researcher at Cambridge University, Prof. Ross
Anderson, about how the proposal risks centralizing cybersecurity
policy-making within the public sector).

This centralized network of /de facto/ cybersecurity policy-makers will
operate *out of public scrutiny*, with the always-convenient excuse of
handling “confidential information” (see recitals 17 and 18). Behind the
scenes, these public authorities of course risk being *under the harmful
influence of security vendors* and other “private sector providers”, who
will help push for the kind of fear-mongering displayed at the very
beginning of the conference.

The new “data breach disclosure” obligations that made the headlines
<http://www.zdnet.com/businesses-forced-to-admit-data-breaches-under-eu-cybersecurity-plan-7000010985/>
/may/ be made public, at the entire discretion of NIS authorities. As
Prof. Anderson points out
<http://www.lightbluetouchpaper.org/2013/02/08/eu-cyber-security-directive-considered-harmful/>:

    “Whereas security-breach notification laws in the USA require firms
    to report breaches to affected citizens, articles 14 and 15 instead
    require breach notification to the ‘competent authority’.
    Notification requirements can be changed later by order (14.5-7) and
    the ‘competent authorities’ only have to tell us if they determine
    it’s in the “public interest” (14.4).”

What is more, this NIS network will also be *absorbing a potentially
enormous amount of information* (article 15.2) *from virtually all the
significant players of the Internet* (among the many “market operators”
concerned, see Annex IV), which in return will benefit from nice
insurance premiums if they properly follow the recommendations on
security practices and the standards imposed by the NIS authorities
(elaborated how? Following what procedures or criteria? In the same
vein, article 15.3 does not say much about the “*binding instructions*
to market operators and public administrations” that NIS authorities
will have the power to issue). Meanwhile, the EU Commission is given
broad competency to impose “*standards* and/or technical specifications
relevant to network and information security” (article 16).

The NIS network will work with Computer Emergency Response Teams (CERTs
are official teams of security experts that already exist, but will be
beefed up under the proposed directive) and law enforcement agencies,
especially Europol’s brand-new EC3: the “European Cyber Crime Center”
(watch this “cool” video
<http://ec.europa.eu/avservices/video/player.cfm?ref=I075479> to get a
sense of how hyped EC3 is)…


    The strategy’s missing players

This all could have been a little different. And better.

For instance, the Commission could have promoted a more *decentralized
governance of cybersecurity*, insisting on *procedural safeguards* on
how cybersecurity policy is made and conducted (at least general but
tangible legal principles). Many people in many places today are doing
a great job in ensuring the resiliency of the Internet (in the spirit of
Prof. Zittrain’s enlightening TED talk
<http://www.ted.com/talks/jonathan_zittrain_the_web_is_a_random_act_of_kindness.html>).
Many of them would probably have wanted actual *guarantees for broad
participation in an /open/ policy forum* (guarantees enacted preferably
not just as a nice gesture, but out of conviction that it is how you can
best ensure trust and reliability in cybersecurity policy).

But these contributors to cybersecurity (in academia, in civil liberty
organizations, in hackerspaces, etc.) are mostly kept out of the loop.
And they have reasons to worry. Not only can they rightly question the
competence of the EU executives in caring after the Internet. Actually,
several state actors —including in EU and US— are rather promoting
“cyber-/in/security” (i.e. the trade of zero-day exploits (see “Should
the secretive hacker zero-day exploit market be regulated?”), attendance
at trade fairs on Internet surveillance (see Valentino-Devries, Angwin
and Stecklow, “Document Trove Exposes Surveillance Methods”, Wall Street
Journal, 2011), etc.). They also have to bear
<http://www.wired.com/threatlevel/2012/04/hacking-tools/> the risk of
repression because of another proposed directive (directive 2010/0273
<http://parltrack.euwiki.org/dossier/2010/0273%28COD%29> on “combating
attacks against information systems”), currently in first reading in the
EU Parliament and which could criminalize
<http://www.wired.com/threatlevel/2012/04/hacking-tools/> security
researchers and white-hat hackers.


    Trying to add some “net freedoms” flavor

The articles of the proposed directive on cybersecurity and the overall
strategy bring *very little protection to the rights of Internet users*,
and none to the decentralized architecture of the network (the text
makes no mention of Net neutrality, for instance). It all comes down to
a few reassuring lines:

- The directive makes a short reference to the EU *privacy* legislation
(recitals 23, 37, 39 and article 5). This is a smart move, underlining
that the EU is big on privacy (we’ll see what comes out of the new data
protection regulation <http://www.privacycampaign.eu/>…), and above all
useful to differentiate the proposed EU directive from its infamous US
cousin, the ill-fated Cyber Intelligence Sharing and Protection Act
<https://duckduckgo.com/Cyber_Intelligence_Sharing_and_Protection_Act>
(CISPA [3]).

- The cybersecurity communication released alongside the directive makes
mention of the pompous NO DISCONNECT strategy
<http://europa.eu/rapid/press-release_IP-11-1525_en.htm?locale=en>,
announced in late 2011 by Neelie Kroes [4],
and which has yet to achieve anything significant (see below).

- The Commission also announces the upcoming release of *international
guidelines on freedom of expression* “offline and online” to assist its
diplomacy.

- … (There might be some other similar “net freedoms” overtones in there).

Overall, these good words will do very, very little to put into practice
the “Digital Freedom Strategy” report
<http://www.marietjeschaake.eu/2012/12/european-parliament-endorses-first-ever-digital-freedom-strategy/>
adopted by the EU Parliament in December 2012, or any of the policy
proposals made by civil society and academia to better protect human
rights online, both in the EU and globally.


    In the meantime…

In the meantime, no /ad hoc/ and effective regulation exists for
regulating the use of privacy-invasive technologies in network
architectures [5].
And Net neutrality is officially
<http://www.laquadrature.net/en/net-neutrality-neelie-kroes-yields-to-operator-pressure>
abandoned as an actual regulatory objective by Neelie Kroes.

In the meantime, workshops and consultations are being organized in
Brussels, while free speech NGOs are left suing “censorware” vendors
before the… OECD (??! … yes, the OECD is not known to be an actual
judicial authority but, at least they have some useful words put on
paper against what these companies appear to have done —and still seem
to be doing— in authoritarian regimes around the world. See the RSF
press release
<http://en.rsf.org/bahrein-human-rights-organisations-file-04-02-2013,44016.html>).
There are also criminal charges brought in France for complicity of
torture
<http://www.edri.org/edrigram/number10.10/amesys-complicity-in-torture>
against Amesys (later bought by BULL) for its former cooperation
<http://online.wsj.com/article/SB10001424053111904199404576538721260166388.html>
with Kaddhafi’s political police. However, the trial is taking quite a
long time; Amesys has been absorbed by BULL; the French government
invests
<http://reflets.info/qosmos-et-fsi-restons-optimistes-il-reste-quelques-dictatures-et-quelques-etats-policiers/>
public money in BULL; and BULL thrives on defense and private-sector
contracts, in France and abroad [6].
It is also very hard to have any information on these companies’
controversial activities, in spite of parliamentary requests to
governments [7],
or whether and how they are being regulated under dual-use export
<http://ec.europa.eu/trade/creating-opportunities/trade-topics/dual-use/> controls.

In the meantime, in an interview, the EC3 chief Troels Ørting lists
<http://www.euractiv.com/infosociety/cybercrime-centre-work-fbi-us-se-news-516968>
“hacktivism <https://en.wikipedia.org/wiki/Hacktivism>” as a
cybersecurity threat alongside terrorist activities and extremism. This
shows once again that high-ranking officials tend to overlook crucial
policy distinctions in apprehending the “cybercrime” phenomenon, and in
particular politically-motivated hacking and other forms of online civil
disobedience.

After the Telecoms Package, after HADOPI, after SOPA/PIPA, after CISPA,
after ACTA, after the WCIT, our dear democracies still don’t seem to get
it right. And so we are left watching our political system put much
effort and spending lots of time on discussions that in the end deliver
so little. *Repressive proposals keep coming. One after the other.* A
significant “core” of policy-makers remains stuck in fear, and keeps
refusing to put the protection of freedoms online onto the legislative
agenda. And so we’re left with questions.

Will more citizen pressure on Internet policy-making do the trick? Will
the EU Parliament come to the rescue? Because this proposed NIS
directive could use some serious improvement. A much more open
discussion on cybersecurity policy is urgent.
