There is a confidence that the globalised, networked systems we have built are resilient enough to overcome significant disruptions. What if this confidence is misplaced? This article seeks to answer this question in relation to what is likely the most important of humankind’s networks: the electrical grid. Two methods for conducting a cyber attack against the electrical grid will be considered: the first for disrupting the grid, and the second for destroying core elements. A warning will be offered to the West not to rely on technological supremacy in cyberspace as a deterrent to cyber attacks.
Disinformation and Cyber-Threats: Vulnerability and Resilience in the 2019 EU Elections
In May 2019, over 350 million European citizens will express their vote for the constituency of the new European Parliament in a moment of significant challenges for the European Union (EU). As these may be the most important elections ever faced by the EU, policy-makers should pay particular attention to disinformation campaigns and cyber-threats to guarantee fair and free elections.
In May 2019, over 350 million European citizens across 28 (27, if the United Kingdom exits the EU) countries will elect their representatives for the European Parliament. These elections come at a time of considerable challenges for European institutions. Brexit, immigration, populism, and economic unrest are already threatening the stability of the EU and risk jeopardising years of cooperation among European member states. Therefore, these elections are of the utmost importance: they will shape the future policies and trajectories of one of the largest democratic bodies in the world.
In the digital era, elections have increasingly become one of the primary targets of cyber-attacks[i]. The EU elections in May will likely expose several vulnerabilities to malicious state and non-state actors who would benefit from a fragmented Europe. Some of these vulnerabilities are inherently a product of the latest technological developments, whereas others are due to specific circumstances of the European case, where the organisation of elections remains a national prerogative. Considering the political magnitude of May’s elections, EU governments must acknowledge the threat posed by potential hacks and respond with a comprehensive strategy.
Hacking election infrastructures or manipulating the voting behaviours of citizens constitute the main cyber-areas of vulnerability for democratic elections. Failing to address these issues could have dramatic implications for the future of the Union. When it comes to the hacking of voting technologies, threats are mainly connected to voter registration, vote counting, and communication of the vote outcome[ii]. This constitutes a critical issue as many European states partially (e.g. France, Hungary, Italy and more) or entirely (Estonia) rely on technology to coordinate their elections[iii]. This approach naturally exposes the entire voting process to cyber-attacks against election infrastructures such as voting machines, databases, and member states’ election websites. Given the cross-border nature of these elections, hackers have the opportunity to exploit and attack each country’s vulnerabilities and create security breaches for their own malevolent purposes.
The second area subject to cyber-meddling is the manipulation of the voting behaviour of European citizens. Nowadays, hackers have powerful tools to influence preferences at the ballot-box. First, trolls and computer bots are widely used to spread rumours and fake news on social media in order to divide and sway public opinion. For example, these tactics have been deployed extensively in Italy to foster anti-immigration and anti-Non-Governmental Organisation sentiments across the population[iv]. Secondly, hackers may exploit security breaches in politicians’ e-mails and databases in order to steal sensitive information to release during delicate moments of the elections. Such efforts have already been observed in Europe, notably with the Macron Leaks – the release of more than 20,000 private emails just two days before the French presidential elections[v]. Third, hackers may undermine free and transparent democratic elections using targeted social media posts and advertisements based on the data-mining of internet users’ preferences. In this regard, the most notable case is the Cambridge Analytica scandal, which involved exposing the data of up to 87 million Facebook profiles for political purposes, shedding light on the (mis)use of social media data in political environments[vi]. Finally, the latest developments in Artificial Intelligence and digital technology are paving innovative paths that may be dangerously exploited by hackers for political purposes. The coming years will likely see a widespread use of “deep fakes” – digital manipulations of audio or video resources almost indistinguishable from real ones – that will further challenge the resilience of democracies all over the world[vii]. While it is unlikely that deep fakes will be used for the upcoming elections, European governments should be aware of the direction in which the disinformation war is heading to prepare for the variety of future threats.
While there are several measures that might reduce the aforementioned threats, there is no infallible way to eradicate cyber-threats and information operations[viii]. Therefore, the EU should increase the efforts stated in the 2013 Cyber Security Strategy concerning high-level deterrence and resilience cyber-strategies[ix] to ensure transparent and fair elections in May, which undoubtedly requires a close co-operation among EU governments. The implementation of a permanent mandate for the European Union Agency for Network and Information Security (ENISA)[x] represents a considerable improvement in the common fight against cyber-attacks. Moreover, member states will need to implement a mix of short- and long-term policies to combat the most delicate aspects of these phenomena.
In the short-term, European governments should focus their attention on technological and normative fields, setting up firm codes of conduct for tech companies, as well as coercive measures for all actors involved in disinformation campaigns. Although it failed to live up to its expectations[xi], the ‘Code of Practice’ signed in September 2018 by the European Commission with Google, Facebook, and Twitter to address the spread of disinformation and fake news represented a strong step forward for the development of joint measures to tackle these issues[xii].
In the long-term, European member states will have to direct their efforts towards development in the IT, social, and cultural fields. In fact, if these issues cannot be solved entirely by technological advancements, it means that European citizens will have to learn to operate in an environment characterized by the presence of fake-news. States should, therefore, invest massively in media literacy to assure a wide development of critical and analytical skills among their citizens, reducing, in turn, the impact of disinformation efforts. Additionally, EU governments will have to further cooperate to create a pan-European normative framework that will apply strict regulations against malignant actors in this digital arms race.
A joint European approach to these threats and a common perspective on election security are necessary to ensure the legitimacy of these elections. As previously mentioned, it will be crucial for the future of the EU and its member governments to do everything in their power to ensure a fair, free, and transparent vote during the upcoming elections. Involving technology in the electoral process should not compromise any of these fundamental requirements. Moreover, since the organization of elections is a national responsibility, varying greatly among member states, there is a significant risk that malicious actors will try to exploit vulnerabilities and consequent security breaches in the electoral process, as some countries are more prepared than others to face these threats[xiv]. Ultimately, EU governments must recognise that the future stability of the EU will depend significantly on the outcome of these elections and will require the utmost attention to guarantee that the founding values of the European institutions – freedom of speech and pluralism within the media – are upheld. Guaranteeing these principles while combatting external meddling constitutes the best weapon available to the EU in the current disinformation war.
Sources:
[i] Hansen, I., & Lim, D. J. (2019) ‘Doxing democracy: Influencing elections via cyber voter interference,’ Contemporary Politics, Vol. 25, No. 2, pp. 150-171.
[ii] Cheeseman, N., Lynch, G. & Willis, J. (2019) ‘Digital dilemmas: the unintended consequences of election technology,’ Democratization, Vol. 25, No. 8, pp. 1397-1418.
[iii] Microsoft Corporate Blogs (2018) ‘Elections under threat: Europe's electronic voting landscape,’ [online] available at https://blogs.microsoft.com/eupolicy/2018/11/22/europes-voting-landscape/ accessed on 14th April 2019.
[iv] Alandete, D. & Verdù, D. (2018) ‘How Russian networks worked to boost the far right in Italy’, El Pais [online] available at https://elpais.com/elpais/2018/03/01/inenglish/1519922107_909331.html accessed on 17th January 2019.
[v] Mohan, M., (2017) ‘Macron Leaks: the anatomy of a hack,’ BBC [online] Available at https://www.bbc.com/news/blogs-trending-39845105 accessed on 17th January 2019.
[vi] The Guardian (2018) ‘The Cambridge Analytica Files’, [online] available at https://www.theguardian.com/news/series/cambridge-analytica-files, accessed on 18th January 2019
[vii] Floridi, L. (2018), ‘Artificial intelligence, deepfakes and a future of ectypes,’ Philosophy & Technology, Vol. 31, No. 3, pp. 317-321.
[viii] NIS Cooperation Group (2018) ‘Compendium on Election Technology,’ [online] Available at https://www.ria.ee/public/Cyber_security_of_Election_Technology.pdf accessed on 21st January 2019
[ix] European Commission, (2013) ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace,’ [online] Available at https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf , accessed on 25th January 2019.
[x] European Parliament, (2018) ‘ENISA and a new cybersecurity act,’ [online] Available at http://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2017)614643 accessed on 24th January 2019.
[xi] King, Sir J., Mariah G. (2019) ‘Facebook and Twitter told us they would tackle ‘fake news’. They failed’, The Guardian. [online] Available at https://www.theguardian.com/commentisfree/2019/feb/28/facebook-twitter-fake-news-eu-elections accessed on 2nd March 2019.
[xii] European Commission (2018) ‘Code of Practice on Disinformation’ [online] Available at https://ec.europa.eu/digital-single-market/en/news/code-practice-disinformation accessed on 28th January 2019.
[xiii] King, Sir J. (2018) ‘Democracy is under threat by the use of technology. The EU is fighting back’, The Guardian. [online] Available at https://www.theguardian.com/commentisfree/2018/jul/28/democracy-threatened-malicious-technology-eu-fighting-back accessed on 28th February 2019.
When Smarter Is Not Always Safer: the Cybersecurity of the Electric Grid
An increased reliance on electricity combined with new production methods and structural changes in the grid pose new challenges in guaranteeing stable and affordable access to electricity. These structural changes imply the integration of ‘smart’ control systems, which often rely on internet connections. Yet, considering the rapid development of malicious activities in the cyber domain, a smarter grid is not always safer.
By Dorien Van Dam
In 2015, representatives of 196 state parties negotiated the Paris Agreement, whose focal point was to limit global warming to below 2 °C, but preferably below 1.5 °C. The Intergovernmental Panel on Climate Change published a new report in October 2018. This report calls for urgent action to phase out fossil fuels by outlining the disastrous impacts of global warming that could be avoided by limiting global warming to 1.5 °C compared to 2 °C [1]. The need to phase out fossil fuels is well acknowledged, but this transition opens up a whole new range of hurdles to overcome. An increased reliance on electricity combined with new production methods and structural changes in the grid pose new challenges in guaranteeing stable and affordable access to electricity. These structural changes imply the integration of ‘smart’ control systems, which often rely on internet connections. Yet, considering the rapid development of malicious activities in the cyber domain, a smarter grid is not always safer.
Phasing out the use of fossil fuels requires the intensified use of alternative sources of energy. Among the largest sources of renewable energy are wind and solar power. This production takes place on both the industrial and household levels, for example on large solar farms as well as individual solar panels on rooftops. This development means that electricity is now ‘injected’ into the grid from multiple entry-points: both in the ‘traditional’ top-down direction, as well as in bottom-up processes. However, in the absence of (economically viable) large-scale electricity storage capacity, the grid has to be perfectly balanced at all times: input and output have to be equal. This balancing act becomes increasingly difficult for several reasons. One is the aforementioned multidirectional injection of electricity into the grid. Another reason is the intermittent production nature of renewable energy sources; solar and wind energy are only produced when the sun shines and the wind blows, and therefore are difficult to regulate.
Properly regulating and balancing the grid requires the collection of large amounts of data about the production and consumption of energy. This is often done through Supervisory Control and Data Acquisition systems (SCADA systems) – these are control systems installed at remote locations in the electricity grid. SCADA systems have a dual function. First, they gather data about energy flows and send this data to a central command centre. Second, they execute control commands that they receive from the centre with the purpose of keeping the grid balanced and thus operational [2] [3]. These SCADA systems, sometimes referred to as SMART systems (Self-Managing and Reliable Transmission systems), are credited with increasing efficiency and enabling the integration of ‘irregular’ production methods [4]. However, they are also more vulnerable to hackers.
The exchange of data and commands between a SCADA system and the central command centre frequently takes place through an internet connection. Such connections, especially wireless ones, make a system easier to target. Therefore, the risk that external actors gain access to control systems is larger. Subsequently, if a hacker manages to take control and disconnect the system, it can take longer for the grid regulators to regain control because such SCADA systems are often placed in remote locations. By accessing control systems and using this access to disrupt command structures, hackers can disrupt the balance of the grid and ultimately even cause blackouts. This, for example, happened in 2015, when hackers managed to gain access to a remote substation in Ukraine and rendered it inoperable, and again in 2016, when Ukrainian Industrial Control systems were hacked [5] [6].
In the context of an increased reliance on electricity, to enable our shift away from fossil fuels, it is safe to conclude that the stable functioning of the electricity grid is of paramount importance. Additionally, the strategy of the European Energy Union heavily relies on the future development of the electricity sector. Integration and standardization of electricity control systems might streamline cross-country energy flows and stimulate the development of a truly interconnected market, but could also render it more vulnerable. If you figure out how to hack one, you know how to hack all of them. Ultimately, we can conclude that a smarter grid is not always a safer grid.
Sources:
[1] Intergovernmental Panel on Climate Change (2018). Global Warming of 1.5 °C. Retrieved 8 October 2018 at http://www.ipcc.ch/report/sr15/.
[2] Jarmakiewicz, J., Maslanka, K., & Parobczak K., (2015). Evaluation of the Cyber Security Provision System for Critical Infrastructure. Journal of Telecommunications and Information Technology, no. 75, 22-29.
[3] Jarmakiewicz, J., Parobczak, K., & Maślanka, K. (2017). Cybersecurity protection for power grid control infrastructures. International Journal of Critical Infrastructure Protection, 18, 20-33.
[4] Beaulieu et al. (2016). Smart Grids from a Global Perspective: Bringing Old and New Energy Systems. Springer: Switzerland.
[5] Cox, J. (2016). The Malware That Led to the Ukrainian Blackout. Vice Motherboard. Retrieved 8 October 2018 from https://motherboard.vice.com/en_us/article/wnx5yz/the-malware-that-led-to-the-ukrainian-blackout
[6] Imeson, M. (2017). Electricity industry on alert for ‘cyber sabotage’. Financial Times. Retrieved 8 October 2018 from https://www.ft.com/content/1fc89bd8-996c-11e7-8c5c-c8d8fa6961bb.
EU’s role in shaping cyber legislation – Part Two of Three
The European Union’s role as a global cyber power mainly relies on its ability to shape cyber-related legislation and standards of state behavior. This might prove challenging due to its institutional structure and civilian power characteristics. Still, the cyber diplomacy directive adopted by the European Council in December 2015 marks the EU’s more proactive role in international cyberspace policy development.
By Rusudan Zabakhidze
While the European Union (EU) has established itself as a regional cyber security player, it is far from being a global cyber power. With the EU’s defense and security policy still under construction, the EU remains a civilian power that lacks hard power capabilities – both in the “analog” and the “digital” realm.
The EU’s aspiration to become a cyber power has been the result of two developments. The first is the increasing development of EU competences and the second is the blurred distinction between domestic and international agendas. In order to demonstrate unity, the European Council has called for the development and implementation of a common and comprehensive approach to global cyber diplomacy. The Council of the EU [1] also encourages the Union and its Member States ‘to prepare cyber dialogues, avoiding duplication of efforts and taking into account the broader EU political and economic interests, collectively promoted by all EU actors’.
The EU’s role as a global cyber power mainly relies on its ability to shape cyber-related legislation as well as norms and standards of state behavior. This might prove challenging due to its institutional structure and civilian power characteristics. Still, the cyber diplomacy directive adopted by the European Council in December 2015 marks the EU’s more proactive role in international cyberspace policy development [2].
Even though the types of cyber security threats and their sources are more diversified than ever, liberal democracies are failing to respond to them with active measures. Regulating cyberspace is obviously a challenging task, as it requires bringing together diverse actors with various interests. This is where the window of opportunity opens up for the EU. The EU has been relatively successful in bringing together civilian and military stakeholders, as well as centers of excellence, industry, and academia [3]. (More on this in Part 1 of the series: EU Cyber Security Capabilities).
One of the main goals of the EU’s cyber diplomacy is to find international consensus on how to apply existing international law to cyberspace and to develop norms for responsible state behavior. The United Nations Charter does not refer to cybersecurity because, by the time it was created, the Internet simply did not exist. The EU supports the idea that the UN Charter should apply to the cyber realm as well. The September 2017 Joint Communication on ‘Resilience, Deterrence and Defense: Building strong cybersecurity for the EU’ endorses the non-binding norms, rules, and principles of responsible state behavior in the field of Information and Telecommunications that have been articulated by the UN Group of Governmental Experts [4].
One of the notable examples that can be analysed to further understand the EU’s ability to influence international norm setting is the General Data Protection Regulation, which gives European citizens more control over the use of their private data. In a United States Senate hearing, Facebook CEO Mark Zuckerberg noted that the European legislation seems fair and suitable to prevent unwelcome interferences and misuse of customer data in the future [5]. Even though the regulation has not become an international standard yet, international discourse commends the EU’s progressive vision regarding data protection. Decreasing the vulnerability of European citizens and companies, in addition to building secured information and communication systems, creates a strong foundation for cyber security deterrence.
The real challenge in developing effective legislation lies in overcoming the EU bureaucracy against a fast-developing and ever-changing cyber environment. Even though the European Union is yet to become a powerful cyber security actor, its diplomatic efforts to support the application of international law to cybercrimes have the potential to set international norms and principles of responsible state behavior. Amongst others, the EU has started to influence the global discourse through cooperation with third countries and other regional organisations. The scale, achievements and challenges of this type of cooperation will further be discussed in the final part of the series on the EU Cyber Security Capabilities.
Sources:
[1] Reform of the Cyber Security in Europe. 2017. Council of the European Union. Retrieved on July 27, 2018 from: http://www.consilium.europa.eu/en/policies/cyber-security/
[2] European Commission. (2017). Digital Single Market. Cybersecurity. Retrieved on July 27, 2018 from: https://ec.europa.eu/digital-single-market/en/cyber-security
[3] European Commission and High Representative of the EU for Foreign Affairs and Security Policy. (2013). Cyber Security Strategy of the EU: An Open, Safe and Secure Cyberspace. Retrieved on July 27, 2018 from: https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf
[4] Jakob Bund, Pawlak Patryk. (2017). Minilateralism and norms in cyberspace. EU Institute for Security Studies. Retrieved on Sep 15, 2018 from https://www.iss.europa.eu/sites/default/files/EUISSFiles/Alert%2025%20Cyber%20norms_0.pdf
[5] The Washington Post. (2018). Mark Zuckerberg testifies on Capitol Hill (full Senate hearing). Retrieved on July 27, 2018 from: https://www.youtube.com/watch?v=6ValJMOpt7s
Online Political Microtargeting in the United States
Online political microtargeting is personalised advertising targeting the voters who are on the fence in a campaign, and are thus most susceptible to personalised political advertisements. In the US, microtargeting allows political campaigns to target swing states, which fluctuate between supporting Democrats and Republicans and possess considerable weight in the outcome of an election.
By Agniete Pocyte
‘Political elites do not employ new communication channels with the aim of citizen empowerment, greater democratic deliberation, or any other normative goals’ [1]. The goal of investing in new media communication tools is to win elections.
Online political microtargeting is personalised advertising which targets voters based on the predictions of an algorithmic model, manipulated from publicly available data and private data [2]. Facebook is the most popular advertising platform as nearly three-quarters of American adults use Facebook, and 44% of the adult population cite it as a part of their news sources [3]. Although Facebook is not the only social media site that functions as a news source, it is by far the largest [4].
Despite the focus on President Trump’s 2016 campaign, George W. Bush made use of similar, albeit less complicated, microtargeting. In 2004, Bush’s presidential campaign bought data on 5.7 million Michigan consumers from Acxiom, one of the world’s largest data brokers, and merged it with their own polling information to categorise Michigan voters into 34 ‘microtargeting segments’ [5]. With this information, the campaign created advertisements and scripted messages targeted at the narrow categories of voters through telephone and direct-mail messages. Mitt Romney’s 2012 US presidential campaign used micro-categories to target undecided voters with advertisements that emphasised different aspects of his campaign. Zac Moffet, the digital director of Mitt Romney’s 2012 presidential campaign, stated: ‘two people in the same house could get different messages. Not only will the message change, the type of content will change’ [6].
A microtargeting strategy will rarely target more than a small portion of the voting population. That is because most of the population is either set on voting for a particular candidate or is extremely unlikely to vote. By targeting the voters who are on the fence in a campaign, and are thus most susceptible to personalised political advertisements, microtargeting becomes a cost-effective strategy. Most importantly in the US, microtargeting allows political campaigns to target swing states, which fluctuate between supporting Democrats and Republicans and possess considerable weight in the outcome of an election. Since 1980, the number of contested swing states has dwindled [7]. In 1976, 20 states were won by a margin of less than 5%. This number dropped to 11 states in 2004 and to just 7 states (Florida, Ohio, Virginia, New Hampshire, Wisconsin, Iowa, and Colorado) in 2008. The fact that US presidential elections are fought over ‘relatively small margins in a handful of states sets up conditions for continued importance of fine-grained tactical efforts’ to persuade a select group of voters [8]. That being said, ‘political elites do not employ new communication channels with the aim of citizen empowerment, greater democratic deliberation, or any other normative goals’ [9]. The goal of investing in new media communication tools is to win elections.
Although political microtargeting purports to engage with voters in a more relevant fashion, the threats to individual privacy, the electorate, and democracy outweigh the benefits. American voters do not have adequate control of their data and cannot dictate who uses it. Many organisations, including political campaigns, are under no obligation to protect users’ information privacy and political privacy. Moreover, microtargeting practices suppress certain voter populations and exacerbate the effects of the ‘filter bubble’ by channeling voters into informational silos. Due to the highly personalised nature of the messages in political ads, thousands of variations of the same ad exist to maximise voter receptiveness. Political campaigns do not publish a database of all the ad variations, which makes it difficult for journalists and the general public to investigate the honesty of a particular campaign. Third parties, including social media companies, data brokers, and data analytic firms, are unregulated and possess a questionable amount of political power if the effects of microtargeting are as extreme as purported by campaign managers. Regulations are difficult to implement due to alleged conflicts with freedoms of speech and expression and the lack of empirical evidence surrounding the effects of microtargeting. Technology has outgrown regulation, and it is vital that not only policymakers but also voters keep the possible threats of microtargeting in mind.
N.B. ‘the ‘filter bubble’ is the intellectual isolation that can occur when websites make use of algorithms to selectively assume the information a user would want to see, and then give information to the user according to this assumption’ [10].
Sources:
[1] Bimber, B. (2014). Digital media in the Obama campaigns of 2008 and 2012: Adaptation to the personalized political communication environment. Journal of Information Technology & Politics, 11(2), p.146.
[2] Gorton, W. A. (2016). Manipulating Citizens: How Political Campaigns’ Use of Behavioral Social Science Harms Democracy. New Political Science, 38(1), 61-80.
[3] Gottfried, J., & Shearer, E. (2016). News Use Across Social Media Platforms 2016. Pew Research Center’s Journalism Project. Retrieved 2 May 2018, from http://www.journalism.org/2016/05/26/news-use-across-social-media-platforms-2016/
[4] Ibid.
[5] Gorton, W. A. (2016). Manipulating Citizens: How Political Campaigns’ Use of Behavioral Social Science Harms Democracy. New Political Science, 38(1), 61-80
[6] Ibid.
[7] Bimber, B. (2014). Digital media in the Obama campaigns of 2008 and 2012: Adaptation to the personalized political communication environment. Journal of Information Technology & Politics, 11(2), p.146.
[8] Ibid, p. 144.
[9] Ibid, p. 146.
[10] Techopedia. (2018). What is a Filter Bubble? – Definition from Techopedia. [online]. Available at: https://www.techopedia.com/definition/28556/filter-bubble [Accessed 30 Aug. 2018]
Author’s further reading:
[1] Borgesius, F. J., Moller, J., Kruikemeier, S., Fathaigh, R. Ó., Irion, K., Dobber, T., … & de Vreese, C. (2018). Online Political Microtargeting: Promises and Threats for Democracy. Utrecht L. Rev., 14, 82.
[2] Ienca, M. (2017). Do We Have a Right to Mental Privacy and Cognitive Liberty?. Scientific American Blog Network. Retrieved 2 May 2018, from https://blogs.scientificamerican.com/observations/do-we-have-a-right-to-mental-privacy-and-cognitive-liberty/
[3] Tenove, C., Buffie, J., McKay, S., & Moscrop, D. (2018). How Foreign Actors Use Digital Techniques to Undermine Democracy. Centre for the Study of Democratic Institutions, UBC.
EU and Cyber Security: New Player against Emerging Threats in Cyberspace – Part One of Three
Transport, energy, health, and finance are the most vulnerable sectors exposed to cyber-threats. Issuing the EU Cybersecurity Strategy in 2013 was an important step forward in developing a common framework; however, the strategy lacked the practical initiatives that would deliver tangible outcomes.
By Rusudan Zabakhidze
In the past decade, cyber warfare has become an exceptional phenomenon that has increased the vulnerability of individuals, non-state actors, and state actors to unprecedented levels. Businesses and governments rely on networks to provide their services across the EU. However, the cyber threat vulnerability of the world’s second-largest economy remains unclear. This article provides an introduction to the EU’s strategic cyber security vision by critically analysing internal and external challenges in the implementation of the recently published cyber security strategy: “Resilience, Deterrence, and Defense: Building strong cybersecurity for the EU.”
In the case of a cyber offense, the victimised country is often hampered in finding a proper response because of the ambiguity surrounding the nature and origin of the attack. Since the cyber-attacks against Estonia in 2007, there have been growing concerns over the possibility of election hacking by foreign states, ransomware attacks, and other cybercrime. According to the statistics provided by the European Commission, 80% of European companies experienced at least one cybersecurity incident in 2017 [1]. Correspondingly, 86% of Europeans believe that the cybercrime risks are increasing [2].
The European Union is working on completing the Digital Single Market which will further extend the “four freedoms” (movement, capital, goods, and labour) by providing the rules of fair competition for the individuals and businesses of the Member States to engage in online activities [3]. Therefore, the costs related to cyber attacks are only expected to increase, creating a need for the development of effective preventive mechanisms. Some Member States have already included Cybersecurity in their National Security Strategies. Yet, the ambition of creating the Digital Single Market coupled with the highly interdependent nature of the EU economy indicates a need for action on the collective European level, rather than the individual national levels.
Transport, energy, health, and finance are the most vulnerable sectors exposed to cyber-threats [4]. Issuing the EU Cybersecurity Strategy in 2013 was an important step forward in developing a common framework; however, the strategy lacked the practical initiatives that would deliver tangible outcomes [5]. Necessary resources, for example, are still up to each Member State to acquire. In September 2017, the European Commission proposed a wide range of concrete measures that aim to further strengthen the EU’s cyber defense structures and capabilities, entailing more cooperation between the Member States. The updated strategy, “Resilience, Deterrence, and Defense: Building strong cybersecurity for the EU,” revolves around three principles: building resilience, developing legislative responses, and strengthening international cooperation [6].
While the implementation of the proposed initiatives is a long-term process, the EU has already taken its first steps regarding the security of its own institutions. An inter-institutional arrangement established a permanent Computer Emergency Response Team (CERT-EU) covering all EU institutions, bodies, and agencies.
The European Commission has created the EU Cybersecurity Agency for Network and Information Security (ENISA). This agency coordinates cooperation among member states against cyberattacks. The EU has created a blueprint that guides incident responses for large-scale cyberattacks. An EU-wide certification scheme is also in consideration to increase the quality and security of digital products and services. The EU plans to support Research and Competence Centers and to set up a cyber defense training and education platform. The EU also aims to develop a framework for a Joint EU Diplomatic Response to Malicious Cyber Activities and to deepen cooperation with the North Atlantic Treaty Organization (NATO) [7].
Even though the proposed initiatives cover a wide range of responses, there are a number of practical challenges that will significantly affect the speed, as well as the outcomes, of the mentioned initiatives. The EU has neither properly defined resilience or deterrence nor made sufficiently clear how it intends to overcome institutional fragmentation and lack of legal authority in cybersecurity issues [8]. Other tasks that lie ahead include finding consensus on what constitutes a cybercrime and building the capacities to trace the sources of attacks.
While updating the original cyber security strategy can be considered a positive step towards the EU’s increased resilience, the challenges posed by institutional fragmentation of the Union may hinder the implementation process. Ultimately, as the frequency and scale of cyberattacks increase, effective mechanisms are essential. Failure to implement the proposed initiatives will automatically result in the failure of the establishment of the Digital Single Market. Failure to adapt to the risks and realities of the 21st century could harm the EU’s credibility, and ultimately its viability, not only with its citizens, but worldwide.
Sources:
[1] European Commission. 2017. State of the Union. Cyber Security Factsheet. [online]
Available at: http://www.consilium.europa.eu/media/21480/cybersecurityfactsheet.pdf
[2] Ibid.
[3] European Commission. 2015. Shaping the Digital Single Market. [online]
Available at: https://ec.europa.eu/digital-single-market/en/policies/shaping-digital-single-market
[4] Council of the European Union. 2017. Reform of the Cyber Security in Europe. [online]
Available at: http://www.consilium.europa.eu/en/policies/cyber-security/
[5] European Commission and High Representative of the EU for Foreign Affairs and Security Policy. 2013. Cyber Security Strategy of the EU: An Open, Safe and Secure Cyberspace. [online]
Available at: https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf
[6] European Commission. 2017. State of the Union - Cybersecurity: Commission scales up EU's response to cyber-attacks. [online]
Available at: http://europa.eu/rapid/press-release_IP-17-3193_en.htm
[7] European Commission. 2017. State of the Union. Cyber Security Factsheet. [online]
Available at: http://www.consilium.europa.eu/media/21480/cybersecurityfactsheet.pdf
[8] Bendiek, A, Bossong, R & Schulze, M. 2017. The EU’s Revised Cybersecurity Strategy. German Institute for International and Security Affairs. [online]
Available at: https://www.swp-berlin.org/fileadmin/contents/products/comments/2017C47_bdk_etal.pdf
Swarming Technology is Changing Drone Warfare – Part One of Three
Swarming technology, therefore, represents a disruption in terms of the strategic status quo of warfare due to the low entry cost, the general trend towards more autonomous systems, and the onus of differentiation being placed on those being attacked.
By Caitlin Irvine
‘Swarm technology is nascent, and some have pegged it as the next significant drone innovation’ [1]. It allows a group of unmanned aerial vehicles (UAVs) to complete an objective whilst coordinating with one another [2]. It is not pragmatic to ask one individual to monitor up to 250 UAVs, so the operator delegates a task to the swarm and monitors the network that senses, communicates, and computes the surrounding environment [3]. Investment in this subset of independently operating systems has made the use of swarming technology in operational theatres a topical matter.
The economic case for this new technology is clearly attractive, as shown by the two major players’ investment in the field. The US Army’s funding for robotics for 2017-2021 has tripled to $900 million, whilst China currently holds the world record for the largest swarm of drones collectively controlled at the Guangzhou Air Show in 2017 [4]. The cost of a swarm relative to a Harpoon missile (around $1.2 million) highlights that creating an entire swarm may be cheaper than building conventional defence systems [5]. Swarm technology has been developed primarily in small quadcopters because they are cheaper, easier to transport, and can be deployed in a shorter time than larger hardware such as the Predator B or MQ-9 Reaper [6].
Militarily, these small drone swarms provide several advantages in a built-up operational theatre where bottlenecks are common and buildings or trees can reduce the signal range. Quadcopters are adaptable simply because of their size – they are able to navigate through narrow urban terrain [7]. A swarm can also project further than an individual quadcopter; by placing members of the swarm at different points along the approach to an operational area they can act as relay stations back to the base station where the operator is [8].
The issue surrounding swarms is how to defend against them. Their innovation causes a paradigm shift. Due to their ability to overwhelm and confuse traditional radar detection-based missile shields, mass again becomes a decisive factor on the battlefield [9]. ‘A manned or unmanned aircraft can be brought down by a single missile, but a swarm can take multiple hits’; this presents a military with a dilemma of how to respond to a swarm without looking like the aggressor [10]. Simply put, ‘there is lower costs for offense relative to the difficulty of defending against a swarm’ [11].
Swarming technology therefore represents a disruption in terms of the strategic status quo of warfare due to the low entry cost, the general trend towards more autonomous systems, and the onus of differentiation being placed on those being attacked. Militaries are interested in developing and deploying swarm technology because of the cost-effective advantages it presents in urban environments and the difficulties of defending against such a system. Their use in contested areas could lead to a perpetual cycle of warfare given that the best way to respond to a swarm of UAVs is to deploy your own. The investment drone swarms have received from both civil and military entities shows that they are an important developmental step for the future conduct of warfare. However, the growing trend towards autonomous weapons is concerning primarily because of the lack of thought given to the knock-on effects of such weaponry.
Sources:
[1] Sims, A (2018) ‘How do we thwart the latest terrorist threat: swarms of weaponised drones?’, The Guardian
[online] available at: https://www.theguardian.com/commentisfree/2018/jan/19/terrorists-threat-weaponised-drones-swarm-civilian-military-syria
Accessed on 11th April 2018
[2] Hambling, D (2016) ‘Drone Swarms will change the face of modern warfare’, Wired
[online] available at: http://www.wired.co.uk/article/drone-swarms-change-warfare
Accessed 10th April 2018
[3] Lachow, I (2017) ‘The upside and downside of swarming drones’,
Bulletin of the Atomic Scientists, Vol 73:2, p96
[4] Ibid.
[5] Hambling, D (2016) ‘Drone Swarms will change the face of modern warfare’, Wired
[online] available at: http://www.wired.co.uk/article/drone-swarms-change-warfare
Accessed 10th April 2018
[6] Bürkle, A, Segor, F, and Kollman, M (2011) ‘Towards Autonomous Micro UAV Swarms’
Journal of Intelligent And Robotic Systems, Vol 61(1-4), p340
[7] Ibid.
[8] Hambling, D (2016) ‘Drone Swarms will change the face of modern warfare’, Wired
[online] available at: http://www.wired.co.uk/article/drone-swarms-change-warfare
Accessed 10th April 2018
[9] Feng, E and Clover, C (2017) ‘Drone swarms vs conventional arms: China’s military debate’,
The Financial Times [online] available at: https://www.ft.com/content/302fc14a-66ef-11e7-8526-7b38dcaef614
Accessed on 16th April 2017
[10] Hambling, D (2016) ‘Drone Swarms will change the face of modern warfare’, Wired
[online] available at: http://www.wired.co.uk/article/drone-swarms-change-warfare
Accessed 10th April 2018
[11] Kania, E (2017) ‘Swarms at war: Chinese advances in Swarm Intelligence’
The Jamestown Foundation: China Brief, Vol 17, Issue 9, p14
Author’s Further Reading
[1] Kumar, V (2015) ‘The Future of Flying Robots’, Ted Talks
[online] available at: https://www.youtube.com/watch?v=ge3--1hOm1s
Accessed on 9th April 2018
[2] Boyle, MJ (2013) ‘The Costs and Consequences of Drone Warfare’
International Affairs, Vol 89: 1 (2013) pp1–29
[3] Nurkin, T (2016) ‘Unmanned ground vehicles: technology and market trends’, Jane’s Review
[online] available at: http://www.janes.com/article/61176/security-unmanned-ground-vehicles-technology-and-market-trends-es2016d1
Accessed on 10th April 2018