A selection of experts answer a new question from Judy Dempsey on the foreign and security policy challenges shaping Europe’s role in the world.
Europe has no choice but to rise to the challenge of dealing with a fast-evolving cyberthreat landscape. NATO has seen an increase in frequency and sophistication of cyberattacks in the last year. And the alliance is stepping up its game on cyberdefense. Over 200 experts help protect NATO’s networks around the clock. NATO Cyber Rapid Reaction Teams are on standby to counter attacks against NATO networks, or to assist allies, on request. The organization has enhanced information sharing, including with partners such as the EU and through a malware information sharing platform.
Recognizing that resilient national cyberdefenses are key to collective defense, NATO allies adopted a cyberdefense pledge at their 2016 summit in Warsaw to prioritize investment in strengthening national cyberdefenses. This is consistent with the fundamental responsibility of allies to defend their networks; NATO supports them through the sharing of information, analysis, intelligence, and technical expertise and by promoting benchmark requirements for national capability development and relevant skills. The alliance is also intensifying cooperation with trusted partners, including the EU, industry, and academia. NATO and the EU are already doing a lot together and, in the cyberdomain, are working on much more.
Toomas Hendrik Ilves, Bernard and Susan Liautaud visiting fellow at the Center for International Security and Cooperation in the Freeman Spogli Institute for International Studies
Europe can begin to deal with cyberattacks once member states realize that there is little they can do alone. These incidents, as demonstrated by the ransomware attack on May 12, know no national boundaries. At the same time, nations—whether in the EU or NATO—remain reluctant to share information, treating the cyberworld more as an intelligence issue.
The EU can take a far more robust approach to standards in cybersecurity. Estonia, for example, was virtually untouched by the ransomware attack, due to a number of factors, some technical or architectural, but first and foremost the requirement that critical infrastructure, including healthcare systems, use updated software. After all, the attack last week targeted an operating system that has not been supported by Microsoft for years.
This episode should also give pause to those who have repeatedly called for so-called back doors. If the inner sanctum of the NSA could be penetrated by hackers to release the zero-day exploit for an outdated operating system and cause such damage, would an EU member state or the European Commission really be immune to an attack? I doubt it. Yet hacking an institution to steal the EU’s back door would in effect yield to criminals or a hostile state the keys to the kingdom.
Jakub Janda, Deputy director and head of the Kremlin Watch Program at the European Values Think Tank
Almost every intelligence agency is investing massively in cybercapacities. European intelligence agencies have already warned about hostile meddling in states’ internal affairs—for example, the U.S. and French presidential elections.
Cybersecurity is becoming a mainstream tool that armed forces across Europe need to master—also because of what the Russians are doing in Ukraine. When specialized teams look at Russian hostile activities, they know cyberwar is one of the key tools used by the Kremlin.
At the same time, cybersecurity experts are not always involved in decisionmaking, as they are often considered merely technical specialists. Slowly this is changing, as political decisionmakers and commanders understand that they need these experts in the situation room.
The bottom line is that European democracies are arming up and integrating cybersecurity into their defense systems. Some, like the Baltic states or Germany, are acting faster; some more slowly. But everybody understands that it needs to happen.
Sam Jones, Defense and security editor at the Financial Times
Europe is weak and unprepared to defend itself in cyberspace. But it needn’t be.
The threat of cyberattacks—be they from criminal networks, terrorists, hacktivists, or state actors—has been uniquely underplayed in Europe by both the private sector and governments. The big digital debates that have dominated discussions since the 2013 revelations by former NSA contractor Edward Snowden have skewed perceptions of risk and responsibility.
Events in the past eighteen months should be a wake-up call. Nation-state adversaries have not just shown a capability to destroy European businesses and property by digital means—they have also attempted to do so. They are willing to manipulate elections. And cybercriminals now have access to the kind of online arsenal that only the best-resourced superpowers used to wield.
Part of the European challenge is institutional. Due to underfunding and cultural reasons, Europe’s electronic intelligence agencies are still weak in cyberspace. But there are also broader structural challenges. The online realm is owned by the private sector. Functional security partnerships with the business and tech worlds are needed. Regulation should be one small part of a broader tool kit.
Europe has some unique opportunities, however. Above all else, the cyberthreat is transnational. Cross-border information sharing is crucial for attack mitigation. A cross-border legal framework is vital for prosecution. And a common digital security foreign policy—with real international heft—would be a powerful deterrent.
Edward Lucas, Senior editor at the Economist
Cyberattacks—a slippery term—are not the problem. What people should worry about is the security of their computers and networks in the face of all sorts of threats. The new EU data-security directive is a good start, as it imposes real penalties on companies for carelessness. Governments need to hammer tech companies for their complicity, for example in making money from fake news. And they need to apply the criminal and civil justice systems to deter criminals from using cybermeans to steal and extort money. In all this, the EU is crucial.
Tim Maurer, Fellow at the Carnegie Endowment for International Peace
On May 12, malware crippling the UK’s healthcare systems made news globally. Gone are the days when experts discussed whether cyberwar would or would not take place and when cyberthreats mostly boiled down to checking monthly credit card statements. Last week was a wake-up call that even common malware such as ransomware can impact people’s health and lives, not just their wallets. Such ransomware has been on the rise in the past year. According to a Forbes article, 2016 saw more than 167 times as many attacks as 2015. Ransomware has been around for much longer, but digital currency has offered new ways to monetize ransomware infections.
Europe has made great progress during the past few years in developing the institutions, policies, and overall capacity to address cyberthreats. Individual EU member states have been making greater investments, and the bloc’s institutions have made cybersecurity a top priority as well. At the same time, as the ransomware infections worldwide have made clear, cybersecurity, especially effective law enforcement, requires international cooperation, often beyond the usual suspects. That’s where the real and bigger challenges lie, and where Europe needs to do more.
Stefan Meister, Head of the Robert Bosch Center for Central and Eastern Europe, Russia, and Central Asia at the German Council on Foreign Relations:
Probably, but only if EU member states start to take cybersecurity more seriously and learn to cooperate with each other. NATO deals with cyberattacks in its Cooperative Cyberdefense Center of Excellence in Riga, whereas the EU’s East StratCom Task Force deals only with disinformation and is completely underfunded. EU member states need to understand that the warfare of the twenty-first century takes place in cyberspace and that the 2015 cyberattack on the German Bundestag and the hacking of e-mail accounts in the U.S. and French presidential elections are only the tip of the iceberg. Next will be public infrastructure, energy networks, and power stations.
To respond adequately, EU member states must not only update their own infrastructure and protection mechanisms but also cooperate with each other. This is about sharing information as well as pooling know-how and defense strategies. Military operations need military and security answers. Someone has to collect and supervise all the relevant information to protect, respond, and contain in the case of an attack. This requires an institution at the EU level that can coordinate the member states and much better interlocking with the activities of NATO, which has the know-how in this area.
Fabrice Pothier, Senior associate and director of the Ukraine Project at Rasmussen Global:
When then U.S. defense secretary Leon Panetta talked in 2012 of a looming cyber Pearl Harbor, people reacted with a smile of amusement. Though no Pearl Harbor, the series of ransomware attacks launched on May 12 make up the first world cyberattack. With hundreds of thousands of computers affected worldwide, including in hospitals that had to cancel thousands of operations and appointments, the threat to infrastructures and people’s way of life is real.
This attack should be a wake-up call. Europe needs to focus on building up its cyberresilience. Look at Estonia: it is telling that the small but networked country has been one of the few spared by the wave of attacks. Resilience means building redundancy networks, which can more easily recover from attacks. It also means improved intelligence sharing and early warning processes. One attack is often similar to previous ones, and there are usually early signs of a coming wave of attacks. These steps will require greater cooperation between European governments to more proactively share data, between governments and industry and the private sector, and between the EU and NATO.
Gianni Riotta, Member of the Council on Foreign Relations
Europe is not much more vulnerable than the United States, Russia has a formidable offensive arsenal but a crummy line of defense, and China is somewhat protected by its closed social media environment but is still pretty vulnerable. Many experts assume there is no clear-cut border between political states on the web. Countries share gray areas, and hackers—whether independent or state-sponsored—may act with ease. The web is fragile and, as more of people’s personal and public lives are built on it, can undermine security and trust.
Political leaders and tech companies should cooperate more to avoid back doors and Trojan horses, blackmail and leaks. Countries will continue to assemble arsenals of digital weapons but have to do a much better job of patrolling them. A digital code can be as dangerous as a nuclear weapon, if hackers can shut down electrical grids or blind satellite communications.
Marietje Schaake, Member of the European Parliament:
No. There is effective impunity for those responsible for cybercrimes. This is due to a combination of reasons: overreliance by governments on private companies without clarity over responsibilities; a lack of international norms on state behavior in cyberspace; and a perverse relation between intelligence gathering and cybersecurity. It is essential that the rule of law apply online as well. The Wannacry ransomware attack launched on May 12 is a reminder of how urgent this is.
Although it’s too early to tell whether a nation-state or criminals were behind the Wannacry attack, the EU must already draw important lessons. First, crimes and attacks must have consequences. There needs to be a strong deterrent against attacks on critical infrastructure in the EU. Governments and the hackers they employ must be put on a sanctions list if critical infrastructure is attacked or massive cybercrimes are perpetrated.
Second, the price of negligence should be increased. European countries should create a permanent vulnerability equities process, which holds intelligence agencies to account when they withhold information about software flaws from developers, or when a company is negligent in patching flaws. The ongoing review of the European Commission’s cybersecurity strategy offers a key opportunity to develop an ambitious, values-based approach to cybersecurity. The EU must lead the way in showing how the rule of law applies in a hyperconnected world.
Sinan Ülgen, Visiting scholar at Carnegie Europe:
The latest wide-scale episode of ransomware demonstrates the fragility of the world’s interconnected societies and the growing challenge of building a resilient digital ecosystem able to withstand ever more sophisticated forms of cyberattacks. This attack has underscored one more time the complexity of developing and coordinating policies for improved cyberdefenses in democracies. One reason for this complexity is that the relevant infrastructure spans both private and public assets as well as a wide range of services and industries from banking to transportation.
That is why a proper response can be devised only on the basis of public-private partnerships. More than any other security threat, mitigating the impact of cyberattacks requires governments to work in concert with nongovernmental actors. The EU has taken stock of this phenomenon, as illustrated by the provisions of its cybersecurity legislation, which aims to facilitate this type of collaborative behavior. But the latest wave of attacks can be traced back to efforts by the U.S. government to identify and use vulnerabilities in existing software platforms. From the EU’s perspective, this episode underlines the importance of developing a more robust policy on these zero-day exploits, which will require frank conversations with U.S. policymakers.