Incorporating positive security into EU Policy formation
As the EU strives to strengthen its cyber resilience, it becomes ever more important for its institutions to have coherent advice on the cybersecurity implications of legislative and regulatory decisions. Current practice, including in the context of the Digital Markets Act (DMA), suggests action is needed to establish a policy-agnostic technical mechanism to generate such advice, develop important partnerships and create a dynamic process that reviews regulatory decisions and their implementation as threats evolve. The EU should define what makes up a properly constituted decision on technology risk.
In a keynote at the recent Munich Security Conference, European Commission Vice-President Margaritis Schinas warned that cyberattacks are evolving to reach to the heart of EU society and democracy. He urged the EU to respond by moving away from traditional security approaches and mobilising all means at its disposal. His remarks reflected fears of Russian cyber action related to the conflict in Ukraine, but are also more generally applicable.
Schinas called for a clear and advanced legal framework, enhanced operational capacity and a focus on developing the skilled workforce necessary to respond to cyberattacks. He also talked about developing partnerships in and outside the EU to create a ‘ring of resilience’. While he mentioned existing and planned legislative and regulatory moves and the EU Joint Cyber Unit, he implied that these measures are a start to, rather than the conclusion of, what the EU must do to remain sovereign and safe.
Dynamic threat needs dynamic review
VP Schinas’s speech warned against thinking of cyber threats as ‘business as usual’. Rather, they are ‘evolving’, and the rate of change is dramatic. By way of example, the chief information security officer (CISO) of a large technology company supplying small and medium enterprises across Europe recently said privately that he feels like a 2018 CISO facing 2022 threats. Even well-resourced and technically accomplished network operators are being stretched by the industrialised supply of sophisticated intrusion techniques by Russian-language crime groups, by reckless use of ransomware, by attacks on cloud-hosted processes and by increasingly active hostile states using novel techniques embedded in the software and data supply chains.
Policymakers increasingly recognise this dynamic threat, but few have a lived appreciation of the way a newly revealed vulnerability calls into question past decisions about operational and security architecture and risk. Many organisations are the victims of both criminal groups and state-sponsored Advanced Persistent Threat groups (APTs). On occasion, these APTs have used previously unseen ‘zero-day’ exploits to gain access. Decisions on network segmentation are then found to have been overly optimistic about the prevention or detection of intrusion. Those past decisions were based on the threats and exploitable vulnerabilities known at the time, rather than those emerging today. Yet, increasingly, information commissioners judge that changes in the threat calculus should have been foreseen by businesses and that, even though a sophisticated APT intrusion is hard to counter, the business is liable. The same ‘foreseeability’ applies to EU regulatory decisions.
Where is the EU’s equivalent to a National Technical Authority?
Of course the EU makes technology policy decisions based on bespoke technical advice. Telecommunications stands out as an example: whether considering the 5G supply chain or the Electronic Communications Code, BEREC (the Body of European Regulators for Electronic Communications) has an important role in assessing the security implications of mandated interoperability. As the EU strives for cyber resilience, it has made use of individual technical experts, working groups from industry and academia, and ENISA (European Union Agency for Cybersecurity), while drawing on analysis and staff from the Member States’ cybersecurity bodies. However, there is no settled and communicated way in which technical security and privacy advice is drawn up or tested.
These ad hoc arrangements leave the EU short of insight on dynamic threats. Both the European cybersecurity industry and academia provide lagging indicators of threats in that they relate largely to known threats or vulnerabilities. There is also great variation in the cybersecurity capabilities and institutions of the Member States. Some have national CERTs (Computer Emergency Response Teams) and advisory national cyber security centres that depend on partnerships with academia and industry to track and manage developments. Others have cyber centres with strong ties to telecommunications and cybersecurity service providers. A small number, such as Germany, France, the Netherlands and Sweden, have world-class Signals Intelligence capability and offensive cyber programmes which transform their understanding of threat and vulnerability and of what Europe’s adversaries are doing.
When the UK set up the National Cyber Security Centre (NCSC), a decision was taken to make it part of the UK’s Signals Intelligence organisation, GCHQ. The UK CERT was folded in for two good reasons. First, the UK wanted a single national technical authority which could communicate technical realities clearly to executive and legislative decision-makers, industry and the public. This body was to be founded in technical expertise, to be policy agnostic and coherent. Second, the NCSC needed to be able to operate at every security classification from unclassified to top secret, so that it could apply technical insights from the UK’s own offensive cyber programme and from intelligence coverage of what others were doing in cyberspace and in multiple geographies. This included insights from partners such as EU Member States and major global technology companies with sophisticated monitoring systems and profound interests in protecting their customers. This gave the UK the best chance of having leading indications of threats and vulnerabilities.
The DMA as a worked example
A current example where security advice to policymakers seems less than the sum of Europe’s parts is the Digital Markets Act (DMA). A particular issue is the sideloading of applications on mobile devices. Apple, from its CEO down, has warned that this practice would undermine its security architecture and therefore put at risk the security and privacy of hundreds of millions of users of its mobile devices in the EU. The company points out that iOS applications distributed through the App Store contain much lower levels of malware than other apps, which it attributes to more thorough vetting, including by human review, of apps and updates. Some representatives of Member States share this concern, but others see special pleading and are inclined to set Apple’s warnings aside.
The trilogue negotiation over the text of the DMA is ongoing. In the meantime, it’s worth considering whether those negotiating have the objective technical advice to determine the security and privacy implications of whatever sideloading model suits their competitive purposes.
An outside observer cannot and should not be privy to every security consultation in every Member State or in Brussels. Nor should we expect every detail to be published. Preparation of the DMA has been handled by the Commission’s Competition Department and by those in Member States responsible for competition policy. However, while some cyber and national security bodies have been drawn in, some say they have not been. Indeed, technical cybersecurity bodies are wary of taking positions which could reshape favoured competition policy points. Even though there is certainly a need to boost competition in markets dominated by large, usually foreign, enterprises, the key argument here is that competition measures should enhance rather than diminish cybersecurity.
What is clear is that there is no coherent body of technical advice representing the sum total knowledge of the EU’s constituent parts and partnerships and informed by a national security understanding of how cyber-capable EU armed forces and intelligence services could exploit this information – as well as how adversaries may be or are exploiting it. EU cybersecurity bodies that could create such a cohesive view – such as ENISA – have not been commissioned to do so. In short, it appears that the DMA is being written on the basis of, at best, incomplete security and privacy insight.
What makes up a ‘properly constituted decision’?
One frame which may help is to think through what components EU decision-makers need in order to make a ‘properly constituted decision’. A process in which poorly quantified cyber threats and vulnerabilities, and their mitigation, obstruct the EU’s economic security purposes cannot be right. At the same time, it seems undesirable to make decisions without the full range of security inputs available to the EU to maintain its sovereignty and freedom of manoeuvre; or to run a process so selective that the evidence is shaped to the policy and not vice versa; or to give insufficient weight to advice from a major supplier to EU citizens. The EU should, therefore, define what a properly constituted decision on technology risk consists of. It will need to include review mechanisms, given the rate of change in the threat. This is a process solution, not an institutional one, but it is sorely needed if Vice-President Schinas’s aspiration is to be realised.