On February 24th, Russia launched a full-scale invasion of Ukraine. Although evidence detected by United States (US) intelligence services revealed that the Kremlin was planning an invasion [1], the attack nonetheless came as a shock to the whole world. The war in Ukraine is the largest invasion in Europe since the Second World War which has already caused the deaths of thousands and forced millions to become refugees. In light of these devastating developments, it is essential to look back and ask how we got here. For many in the West, Moscow’s actions seem unprecedented. Unfortunately, the Kremlin’s revisionist plans have long been clear for Russia’s immediate neighbours. However, alarms raised about Vladimir Putin’s imperial ambitions were willfully refused until the Kremlin’s tanks crossed Ukraine’s border.
Disinformation and Cyber-Threats: Vulnerability and Resilience in the 2019 EU Elections
In May 2019, over 350 million European citizens will express their vote for the constituency of the new European Parliament in a moment of significant challenges for the European Union (EU). As these may be the most important elections ever faced by the EU, policy-makers should pay particular attention to disinformation campaigns and cyber-threats to guarantee fair and free elections.
In May 2019, over 350 million European citizens across 28 (27, if the United Kingdom exits the EU) countries will elect their representatives for the European Parliament. These elections come at a time of considerable challenges for European institutions. Brexit, immigration, populism, and economic unrest are already threatening the stability of the EU, risking to jeopardise years of cooperation among European member states. Therefore, these elections are of the utmost importance, they will shape the future policies and trajectories of one of the largest democratic bodies in the world.
In the digital era, elections have increasingly become one of the primary targets of cyber-attacks[i]. The EU elections in May will likely expose several vulnerabilities to malicious state and non-state actors who would benefit from a fragmented Europe. Some of these vulnerabilities are inherently a product of the latest technological developments, whereas others are due to specific circumstances of the European case, where the organisation of elections remains a national prerogative. Considering the political magnitude of May’s elections, EU governments must acknowledge the threat posed by potential hacks and respond with a comprehensive strategy.
Hacking election infrastructures or manipulating the voting behaviours of citizens constitute the main cyber-areas of vulnerability for democratic elections. Failing to address these issues could have dramatic implications for the future of the Union. When it comes to the hacking of voting technologies, threats are mainly connected to voter registration, vote counting, and communication of the vote outcome[ii]. This constitutes a critical issue as many European states partially (i.e. France, Hungary, Italy and more) or entirely (Estonia) rely on technology to coordinate their elections[iii]. This approach naturally exposes the entire voting process to cyber-attacks against election infrastructures such as voting machines, databases, and member states’ election websites. Given the cross-border nature of these elections, hackers have the opportunity to exploit and attack each country’s vulnerabilities and create security breaches for their own malevolent purposes.
The second area subject to cyber-meddling is the manipulation of the voting behaviour of European citizens. Nowadays, hackers have powerful tools to influence preferences at the ballot-box. First, trolls and computer bots are widely used to spread rumours and fake news on social media in order to divide and sway public opinion. For example, these tactics have been deployed extensively in Italy to foster anti-immigration and anti-Non-Governmental Organisation sentiments across the population[iv]. Secondly, hackers may exploit security breaches in politicians’ e-mails and databases in order to steal sensitive information to release during delicate moments of the elections. Such efforts have already been observed in Europe, notably with the Macron Leaks– the release of more than 20,000 private emails just two days before the French presidential elections[v]. Third, hackers may undermine free and transparent democratic elections using targeted social media posts and advertisements based on the data-mining of internet users’ preferences. In this regard, the most notable case is the Cambridge Analytica scandal, which involved exposing the data of up to 87 million Facebook profiles for political purposes, shedding light on the (mis)use of social media data in political environments[vi]. Finally, the latest developments in Artificial Intelligence and digital technology are paving innovative paths that may be dangerously exploited by hackers for political purposes. The coming years will likely see a widespread use of “deep fakes” – digital manipulations of audio or video resources almost indistinguishable from real ones – that will further challenge the resilience of democracies all over the world[vii]. While it is unlikely that deep fakes will be used for the upcoming elections, European governments should be aware of the direction in which the disinformation war is heading to prepare for the variety of future threats.
While there are several measures that might reduce the aforementioned threats, there is no infallible way to eradicate cyber-threats and information operations[viii]. Therefore, the EU should increase the efforts stated in the 2013 Cyber Security Strategy concerning high-level deterrence and resilience cyber-strategies[ix] to ensure transparent and fair elections in May, which undoubtedly requires a close co-operation among EU governments. The implementation of a permanent mandate for the European Union Agency for Network and Information Security (ENISA)[x] represents a considerable improvement in the common fight against cyber-attacks. Moreover, member states will need to implement a mix of short- and long-term policies to combat the most delicate aspects of these phenomena.
In the short-term, European governments should focus their attention on technological and normative fields, setting up firm codes of conduct for tech companies, as well as coercive measures for all actors involved in disinformation campaigns. Although it failed to live up to its expectations[xi], the ‘Code of Practice’ signed in September 2018 by the European Commission with Google, Facebook, and Twitter to address the spread of disinformation and fake news represented a strong step forward for the development of joint measures to tackle these issues[xii].
In the long-term, European member states will have to direct their efforts towards development in the IT, social, and cultural fields. In fact, if these issues cannot be solved entirely by technological advancements, it means that European citizens will have to learn to operate in an environment characterized by the presence of fake-news. States should, therefore, invest massively in media literacy to assure a wide development of critical and analytical skills among their citizens, reducing, in turn, the impact of disinformation efforts. Additionally, EU governments will have to further cooperate to create a pan-European normative framework that will apply strict regulations against malignant actors in this digital arms race.
A joint European approach to these threats and a common perspective on election security are necessary to ensure the legitimacy of these elections. As previously mentioned, it will be crucial for the future of the EU and its member governments to do everything in their power to ensure a fair, free, and transparent vote during the upcoming elections. Involving technology in the electoral process should not compromise any of these fundamental requirements. Moreover, since the organization of elections is a national responsibility, varying greatly among member states, there is a significant risk that malicious actors will try to exploit vulnerabilities and consequent security breaches in the electoral process, as some countries are more prepared than others to face these threats[xiv]. Ultimately, EU governments must recognise that the future stability of the EU will depend significantly on the outcome of these elections and will require the utmost attention to guarantee that the founding values of the European institutions – freedom of speech and pluralism within the media – are upheld. Guaranteeing these principles while combatting external meddling constitutes the best weapons available to the EU in the current disinformation war.
Sources:
[i] Hansen, I., & Lim, D. J. (2019) ‘Doxing democracy: Influencing elections via cyber voter interference,’ Contemporary Politics, Vol. 25, No. 2, pp. 150-171.
[ii] Cheeseman, N., Lynch, G. & Willis, J. (2019) ‘Digital dilemmas: the united consequences of election technology,’ Democratization, Vol. 25, No.8, pp. 1397-1418.
[iii] Microsoft Corporate Blogs (2018) ‘Elections under threat: Europe's electronic voting landscape,’ [online] available at https://blogs.microsoft.com/eupolicy/2018/11/22/europes-voting-landscape/ accessed on 14th April 2019.
[iv] Alandete, D. & Verdù, D. (2018) ‘How Russian networks worked to boost the far right in Italy’, El Pais [online] available at https://elpais.com/elpais/2018/03/01/inenglish/1519922107_909331.html accessed on 17th January 2019.
[v] Mohan, M., (2017) ‘Macron Leaks: the anatomy of a hack,’ BBC [online] Available at https://www.bbc.com/news/blogs-trending-39845105 accessed on 17th January 2019.
[vi] The Guardian (2018) ‘The Cambridge Analytica Files’, [online] available at https://www.theguardian.com/news/series/cambridge-analytica-files, accessed on 18th January 2019
[vii] Floridi, L. (2018), ‘Artificial intelligence, deepfakes and a future of ectypes,’ Philosophy & Technology, Vol. 31, No. 3, pp. 317-321.
[viii] NIS Cooperation Group (2018) ‘Compendium on Election Technology,’ [online] Available at https://www.ria.ee/public/Cyber_security_of_Election_Technology.pdf accessed on 21st January 2019
[ix] European Commission, (2013) ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace,’ [online] Available at https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf , accessed on 25th January 2019.
[x] European Parliament, (2018) ‘ENISA and a new cybersecurity act,’ [online] Available at http://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2017)614643 accessed on 24th January 2019.
[xi] King, Sir J., Mariah G. (2019) ‘Facebook and Twitter told us they would tackle ‘fake news’. They failed’, The Guardian. [online] Available at https://www.theguardian.com/commentisfree/2019/feb/28/facebook-twitter-fake-news-eu-elections accessed on 2nd March 2019.
[xii] European Commission (2018) ‘Code of Practice on Disinformation’ [online] Available at https://ec.europa.eu/digital-single-market/en/news/code-practice-disinformation accessed on 28th January 2019.
[xiii] King, Sir J. (2018) ‘ Democracy is under threat by the use of technology. The EU is fighting back’, The Guardian. [online] Available at https://www.theguardian.com/commentisfree/2018/jul/28/democracy-threatened-malicious-technology-eu-fighting-back accessed on 28th February 2019.
What ISIS’ Defeat in the Middle East Means for Europe: Counter-Radicalisation in the EU
Radicalisation has emerged as a sincere issue in Europe in the last five years. Since ISIS started to lose territory, foreign fighters have begun to return to Europe, while ISIS’ web presence has strengthened and increased. In response, the European Union has created some of the most successful anti-radicalisation programmes to tackle those threats. However, these measures have failed to prevent some of the worst terrorist attacks that have ever occurred on European soil. This is due to a lack of true coordination and cooperation between member states’ approaches and at the broader EU level.
by Sabbir Jubaer & Valerio Viscardi
Propaganda & Returning Fighters
As ISIS has finally been defeated on the ground, losing its entire territorial control in the Middle East [i], some observers may underestimate ISIS as a continuing and viable adversary in the future for Western countries, especially for Europe given its proximity to the Middle East. Careful observation, however, suggests that ISIS is adapting to the new circumstances through maintaining a robust presence online and by posing new security challenges. In order to address these challenges, the European Union formulated a number of policies and discussed their efficiency in addressing extremism on European soil.
Since 2013, extremist propaganda has undergone a transformation. ISIS has started to produce ‘top notch’ quality propaganda videos, with graphic details and narratives directed towards radicalisation: considered here as intolerance and a possible use of violence against democratic values.[ii] The rise of social media has further bolstered the effectiveness of ISIS’ communications, a stark contrast to al-Qaida’s communications during the previous decades.[iii] The slow destruction of ISIS’ territory and its retreat underground has ultimately been downplayed by ISIS propaganda. This has encouraged homegrown terrorist fighters to act, causing devastating harm. Recent findings suggest the increased use of encrypted communications apps (Telegram & WhatsApp) have been essential mediums for the successful distribution of ISIS propaganda.[iv]
The issue of how to deal with the returning fighters and their families has been a serious concern for European countries. Some states for instance (France and the United Kingdom), before the decision was made to withdraw American troops from Iraq, were not interested in taking back their citizens who had left to fight alongside the so-called Islamic State, fearing a further spread of militancy. In fact, different European cities had already been attacked by militants alleged to be linked with ISIS. France had argued in favour of conducting the prosecutions of the fighters in the countries where their actions took place, i.e. Iraq. However, some European countries, including France, have now agreed to take back the fighters after the United States (U.S.) announced the withdrawal of its troops, fearing the militants may otherwise escape due to the absence of U.S. forces.[v]
Another major concern is the rehabilitation of the detainees. Instead of functioning as rehabilitation centres, prisons in many European countries have emerged as new ground for radicalisation. Prisons provide a space where militants of various degrees of radicalisation can come in touch with, and influence, non-radicalised prisoners. Thus, a prisoner or a person with a lower level of radicalisation can become fully radicalised. This was suspected to be the case for the convicted burglar and prison inmate, Benjamin Herman, a white suburban teen and nominal Catholic when he was first arrested. During his detention, he came in contact with an Islamist recruiter. Whilst allowed out into the community as part of a ‘two-day home leave’ in May 2018, he murdered three people. During the investigation, the authorities found a Quran and a prayer rug in his cell. This, coupled with his link to the radicalist preacher in custody, led Europol to classify the incident as a jihadist terror attack. [vi]
Responses & Rehabilitation
To respond to these threats, the European Union created a centralised strategy for Combating Radicalisation and Recruitment to Terrorism. This strategy, revised in 2014, aims primarily at ‘combating radicalisation and recruitment while taking into account evolving trends, such as lone-actor terrorism, foreign fighters, and the use of social media by terrorists’.[vii] To this purpose, the strategy focuses on four main pillars: prevention, protection, pursuit, and response. Specifically, the prevention pillar tries to ‘prevent people from becoming radicalised … being recruited to terrorism and prevent a new generation of terrorists from emerging’ [viii]. Some examples of ongoing work in countering Islamic radicalisation are the Europol Internet Referral Unit (IRU) to combat terrorism and violent extremist propaganda, and the Radicalisation Awareness Network.
Regarding the former, on 12 March 2015, the Justice and Home Affairs Council of the European Union authorised Europol to create a special unit ‘aimed at reducing the level and impact of terrorist and violent extremist propaganda on the internet’. [ix] The IRU provides operational support to member states by identifying and referring relevant online content towards responsible internet service providers, which remove illegal content from their domain.[x] The European Union’s Radicalisation Awareness Network Internet and Social Media Working Group (RAN@) was created in 2011 by the European Council. Existing as Europe’s largest and highest funded counter-narrative campaign, it is a ‘network of frontline practitioners from across Europe who work on a daily basis with people who have already been radicalised or who are vulnerable to radicalisation’.[xi] This campaign is designed to support objectives such as implementing de-radicalisation and rehabilitation programmes, developing approaches for handling returning foreign terrorist fighters, equipping teachers and youth workers in addressing the root causes of radicalisation, and strengthening resilience, in particular among young people. Moreover, it creates synergies between different actions and policy areas of member states, enhancing the cooperation between them and the European Union.[xii]
Finally, these tools allow counter-narrative campaigns to inspire change in social structures inside each member state in order to increase integration and discourage individuals to radicalise. Each of the different thematic approaches addresses terrorist propaganda from a different angle, and none of them are comprehensive in themselves. Instead, each of these approaches have merit and, collectively, they create a stronger response to terrorist propaganda.
Counter-Radicalisation in Prison & European Countries
In order to tackle radicalisation in prison, each European country has implemented different measures. Some of the most illustrative are those of Belgium and Germany. Belgium, in 2018, developed a program known as ‘Deradex’. According to this program, radicalised inmates were kept isolated and were allowed only limited contact with other prisoners considered radicalised at the same level. The opposite approach was taken in Germany where the idea of isolating radicalised inmates was rejected favouring instead the implementation an intense monitoring and intervention program to prevent further radicalisation from occurring. [xiii] These are only two examples of the different approaches European member states have chosen. These differences are preventing the European Union, and its law-enforcement agencies, from implementing a more effective and unified action. European policy makers need to pay equal attention to homegrown extremists. The detainment and prosecution of returning fighters may give comfort for some time, however, new homegrown fighters will rise unless the root causes of extremism are addressed. Undetected radicalized European citizens can exploit their anonymity to cause more havoc and may emerge as fighters if a new front is opened.
ISIS’ future strategies
Losing territorial control in the Middle East could push ISIS to try to establish strongholds in new theatres. It has previously been successful capturing an area in a non-Muslim majority country far from its traditional area: Marawi city in the Philippines in 2017.[xiii] The group now has a presence in Libya and has declared “wilayats” (provinces/branches) in many regions around Europe. Therefore, ISIS may try to find another front near or even within European soil.
Even with an absolute lack of control over land, ISIS will continue to exist and even may thrive as long as its ideological foundation appeals to individuals. ISIS’ future strategy will likely involve attempts to evolve as a fully-fledged virtual caliphate. The cyber caliphate will engage in asymmetric warfare and provide a platform to direct its followers to organise, propagate extremist narratives, recruit new militants, and incite attacks on European soil.
In conclusion, the national approaches to tackle radicalisation in Europe have proven to be effective on a national level. However, more cooperation at a European level could empower national approach and extend their effectiveness to the whole union. The recent wave of attacks have strengthened the current European transnational cooperation and proven its necessity. At the same time, the European counter-messaging campaigns and programme provide effective support to member states, not limited to national territories, in the battle against radicalisation. However, the lack of coordination and the differences in the national commitment of addressing radicalisation undermine the general effectiveness of anti-radicalisation in Europe. Therefore, there should be more cooperation with the European law enforcement institutions in order to allow them to work as bridges between different law enforcement agencies around Europe, significantly increasing the general operational effectiveness.
Sources:
[i] The Soufan Center. 2019. “IntelBrief: A State Without Territory”. Accessed on February 12, 2019. https://thesoufancenter.org/intelbrief-a-state-without-territory/
[ii] European Commission.“Radicalization”. Immigration and Home Affair Accessed February 15, 2019. https://ec.europa.eu/home-affairs/content/radicalisation-0_en
[iii] Gambhir, Harleen K. 2014. “Dabiq: The Strategic Messaging of the Islamic State”. Institute for the Study of War.
[iv] “Counter-terrorism strategy”. European Union. 2017. Accessed February 08, 2019. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=LEGISSUM:l33275.
[v] McAuley, J. & Birnbaum, M. 2019. “France to take back ISIS fighters, reversing policy in wake of U.S. withdrawal from Syria”. Washington Post. Accessed February 12, 2019. https://wapo.st/2BxJP6K
[vi] Erickson, A. 2018. “Europe’s prisons breed terrorism. Can anything be done?”. Washington Post. Accessed March 19, 2019. https://www.washingtonpost.com/news/worldviews/wp/2018/07/26/europes-prisons-breed-terrorism-can-anything-be-done/?noredirect=on&utm_term=.51905d015a4c
[vii] “Counter-terrorism strategy”. European Union. 2017. Accessed February 08, 2019. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=LEGISSUM:l33275.
[viii] Meleagrou-Hitchens, Alexander. 2017. “The Challenges and Limitations of Online Counter-Narratives in the Fight against ISIS Recruitment in Europe and North America.” 18 (3): 95–104. doi:10.1353/gia.2017.0041.
[ix] “Europol’s Internet Referral Unit to combat terrorist and violent extremist propaganda.” 2015. News release. July 1. Accessed February 08, 2019. https://www.europol.europa.eu/newsroom/news/europol%E2%80%99s-internet-referral-unit-to-combat-terrorist-and-violent-extremist-propaganda.
[x] Dr Alastair Reed,Dr Haroro J. Ingram, Joe Whittaker. 2017. “Countering Terrorist Narratives.
[xi] European Commission. 2019. “Radicalisation Awareness Network (RAN)”. Accessed January 27, 2019. https://ec.europa.eu/home-affairs/what-we-do/networks/radicalisation_awareness_network_en.
[xii] Idem
[xiii]Betteridge-Moes, M. 2017. “What happened in Marawi?”. Aljazeera. Accessed February 12, 2019. https://www.aljazeera.com/indepth/features/2017/10/happened-marawi-171029085314348.html
UK Access to EU Databases: The National Security Ramifications of a No Deal Brexit
The UK’s ability to prevent, prepare for, and respond to risks is enhanced by its ability to share data and expertise, exchange information, and collaborate closely with its nearest neighbours. Brexit presents a significant threat to both that information exchange and continued collaboration.
At present standing, with one deal presented by British Prime Minister Theresa May having already failed to pass through the Commons, the consequences of a no deal Brexit are looming. It is a scenario which many Members of Parliament expressly wish to avoid as leaving the European Union (EU) without a deal would have ramifications for the United Kingdom’s (UK) transnational policing, counter-terror operations, national border control, and forensic investigative capabilities. Each of these areas will be directly and immediately affected in the event of a no deal Brexit due to the specific instruments that the UK stands to lose access to and the effect this will have on its ability to ensure national security.
Without an agreement the UK would leave Europol and UK police forces would lose use of the European Arrest Warrant (EAW), access to Europol’s Information System, and the EU Internet Referral Unit[1]. Not only this but the National Crime Agency would lose access to the EU’s network of Financial Intelligence Units (based at Europol) and the Bomb Data System[2]. Back in 2016 Mrs May cited the EAW when she stated that ‘there are definitely things we can do as members of the European Union that I think keep us more safe’[3]. Informing her view was the fact that in the period 2004–2016 the EAW enabled the UK to extradite 7000 individuals accused or convicted of criminal offences in other EU countries[4]. In the past five years alone, 5000 people have been extradited to EU member states using the EAW[5] highlighting its increasing importance. The prospect of the UK losing rights to the use of EAWs after withdrawing from the EU, and by extension Europol, would mean reverting to more costly and time-consuming measures due to the sudden absence of provisions for mutual recognition of judicial orders[6].
It is well understood that the UK’s lack of access to these instruments would serve neither the UK nor their European partners and whilst examples do exist of bespoke arrangements with third-states, leaving Europol would mean that at best Britain would have to settle for non-voting observer status, forfeiting the right of British officers to lead Europol teams[7]. The argument often presented by leave supporters from all parties that post-Brexit access to the EAW will be straightforward discounts the question of legal oversight of the European Court of Justice (ECJ)[8]. Mrs May has already conceded that any prospect of the UK’s participation in EU agencies such as Europol would mean respecting the remit of the ECJ[9]. This point is entirely at odds with what backbench Commons Members, specifically those of the European Research Group, will accept.
Instead, pro-Brexit Members of Parliament claim that the UK’s contribution to Europol databases as well as the expertise they provide in operations is a big enough bargaining chip to secure the UK access to instruments post-Brexit. Denmark, for example, is able to exchange data with Europol as a third-state, but this is only facilitated through the time-consuming process of Danish officers contacting Danish-speaking Europol staff and being granted the requested information on a case-by-case basis. Denmark does not have right of access to Europol data. The applicability of this arrangement to the UK is extremely doubtful, the EU-Danish agreement depends upon Denmark’s continued membership of the Schengen area, domestic legislative implementation of EU data protection laws, and acceptance of the jurisdiction of the ECJ. These conditions are unworkable for the UK since they undermine many facets of the decision to leave the EU[10].
National border control and customs security will be similarly affected with the updated Schengen Information System (SIS II) and the European Criminal Records Information System (ECRIS) being two further tools that the UK will lose in a no deal Brexit scenario[11]. The SIS II supports external border control and law enforcement cooperation across 22 participating EU countries (plus four associated countries). The staggering extent of its use amounts to it having been consulted 2.9 billion times in 2015[12]. In 2017 Britain alone checked the system over 500 million times in relation to searches for people and objects wanted for law enforcement purposes[13].
ECRIS is a decentralised system utilised by the majority of EU members and provides judges with the information on criminal records of persons which transcends state borders[14]. The government has proposed continued participation in this system, recognising that the UK relies on it for the effective management of violent and sexual offenders. This reliance is reflected in the fact that the UK sent and received over 163,000 requests and notifications for criminal records just in 2017, amounting to over 3,000 a week or 600 requests and notifications to and from the EU per working day[15]. Continued access to both SIS II and ECRIS is of the utmost importance for continued effective law enforcement yet it would require a unique agreement as, to date, there are no examples of access by non-EU or non-Schengen countries in either case[16]. Iceland, Liechtenstein, Norway, and Switzerland have access to SIS II but all are members of the Schengen area[17]. Politicians and academics alike have pointed to these countries as evidence that the UK will be able to access similar databases after it leaves the EU without recognition of the criteria it will have to fulfil as a third-state to do so. It currently takes six days to determine the domestic criminal convictions of EU nationals visiting the UK, post-Brexit the process could take up to ten times longer[18].
Similar time-delay concerns abound when considering the forensic investigative capabilities of the UK and the removal of access to both the European Asylum Dactyloscopy Database (Eurodac), and the Prüm Framework. In 2016 then Home Secretary Mrs May described the Prüm Framework (a cross European agreement to search DNA and fingerprint databases) as ‘a tool which hugely increases the reach of UK law enforcement’[19]. To have the same accessibility to both Prüm and Eurodac (a mechanism for sharing fingerprint data for asylum and law-enforcement purposes[20]) following a no deal Brexit, the UK would need to negotiate individual agreements with each EU government. The importance of continued access to the Prüm Framework has been challenged due to the fact that equivalent manual requests can be made through Interpol. The reality is that UK police forces sent 69 DNA profiles abroad in 2014-15 using Interpol, whereas 9,931 profiles were sent in less than six months during a pilot of the Prüm system[21] demonstrating that requests through Interpol are not an equitable comparison to the capability facilitated by Prüm.
All these platforms and information sharing systems are mutually beneficial to participating countries and many Brexit fears are exacerbated by the fact that the UK is both a large contributor and consumer of the information held and shared. What is often not considered however is that some mentioned above largely contain information on only convicted criminals rather than terrorist suspects. Classified or secret information on terror subjects, or information on counter-terror operations, are not shared on some databases because they are not sufficiently advanced to host intelligence above a classification level of “confidential”[22]. Intelligence relating to terror suspects and operations is contained on national security databases and are therefore shared between individual countries on a “need to know” basis, something that is not currently set to change after the UK leaves the EU. In the absence of a deal however it is possible that EU countries will demand proof of the UK’s willingness to recognise the rulings of the ECJ if it wishes to maintain current levels of counter-terrorism co-operation. Failure to offer this assurance could lead to renewed concerns amongst Member States about mass surveillance by the UK government and a decrease in the aforementioned co-operation.
The government has in-part identified non-EU mechanisms that exist to replace a proportion of the apparatus identified above but none would provide the same level of capability as those available in either a deal or remain scenario[23] meaning they would increase pressure on UK security, law enforcement, and judicial authorities. The fall-backs are slower, more bureaucratic, and ultimately less effective. The importance of introducing measures to combat these national security concerns is recognised by the government as evidenced by their assertion of the need to maintain, deepen, and strengthen operational and practical cooperation with the EU through an adequacy agreement. Given that over three-quarters of the UK’s data flows are with EU countries[24] it is certainly true that the absence of a deal will inevitably mean that the exchange of personal data for law enforcement and criminal justice purposes would be impacted[25]. UK capabilities in cross-border policing, counter-terror operations, national border control, and forensic investigative capabilities stand to be severely disadvantaged. The uncertainty and instability that Brexit is causing in the information sharing and transnational policing realms stand to be exploited by terrorists and organised crime cells. Both the EU and the UK would be negatively affected by the immediate operational disruption and security implications[26] potentially affecting the political stability of all concerned.
Sources:
1. de Vries, G. (2018) A hard Brexit will see criminals taking back control. LSE Brexit Blog. Available at: http://blogs.lse.ac.uk/brexit/2018/03/12/a-hard-brexit-will-see-criminals-taking-back-control/ [Accessed 4 Dec. 2018].
2. ibid.
3. Mason, R. (2016) Leaked recording shows Theresa May is 'ignoring her own warnings' on Brexit. The Guardian. [online] Available at: https://www.theguardian.com/politics/2016/oct/26/leaked-recording-shows-theresa-may-is-ignoring-her-own-warnings-on-brexit [Accessed 6 Jan. 2019].
4. House of Lords (2016) Leaving the European Union: Foreign and Security Policy Cooperation. London: Her Majesty's Stationary Office.
5. May, T. (2016) The UK, EU and our place in the world. Institute of Mechanical Engineers, London.
6. Cabinet Office (2018) National Security Capability Review. London: Her Majesty's Stationary Office.
7. de Vries, “A hard Brexit”.
8. Duke, S. (2018) Will Brexit Damage our Security and Defence?: The Impact on the UK and EU. Cham: Springer Nature.
9. de Vries, “A hard Brexit”.
10. House of Commons European Scrutiny Committee (2017) Third-Second Report of Session 2016–17. London: House of Commons.
11. Inkster, N. (2016) Brexit, Intelligence and Terrorism. Survival. 58(3), pp.23-30.
12. House of Lords, Leaving the European Union, p.17.
13. European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (2018) SIS II – 2017 Statistics. Tallinn: eu-LISA.
14. Duke, Will Brexit Damage our Security and Defence?, p.62.
15. National Crime Agency (2017) Historical European Arrest Warrants statistics: Calendar and Financial year totals 2004 - May 2016. London: National Crime Agency.
16. Duke, Will Brexit Damage our Security and Defence?, p.68.
17. Centre for European Policy Studies (CEPS) (2018) Criminal Justice and Police Cooperation between the EU and the UK after Brexit: Towards a principled and trust-based partnership. [online] Brussels: CEPS. Available at: https://www.ceps.eu/system/files/TFR_EU-UK_Cooperation_Brexit_0.pdf [Accessed 6 Dec. 2018].
18. Inkster, “Brexit, Intelligence and Terrorism”, p.31.
19. House of Lords (2015) Hansard. col. 1637. Available at: https://publications.parliament.uk/pa/ld201516/ldhansrd/text/151209-0002.htm [Accessed 10 Dec. 2018].
20. Duke, Will Brexit Damage our Security and Defence?, p.66.
21. Cabinet Office, National Security Capability Review, p.6.
22. House of Lords, Leaving the European Union, p.8.
23. Doffman, Z. (2018) Brexit Chaos: Why It Is A Major Terrorism And Security Risk. Forbes. [online] Available at: https://www.forbes.com/sites/zakdoffman/2018/11/15/brexit-chaos-why-it-is-a-major-terrorism-and-security-risk/# [Accessed 5 Jan. 2019].
24. Duke, Will Brexit Damage our Security and Defence?, p.69.
25. Cabinet Office, National Security Capability Review, p.18
26. Duke, Will Brexit Damage our Security and Defence?, p.69.
EU’s role in shaping cyber legislation – Part Two of Three
The European Union´s role as a global cyber power mainly relies on its ability to shape cyber-related legislation and standards of state behavior. This might prove challenging due to its institutional structure and civilian power characteristics. Still, the cyber diplomacy directive adopted by the European Council in December 2015 marks the EU’s more proactive role in international cyberspace policy development.
By Rusudan Zabakhidze
While the European Union (EU) has established itself as a regional cyber security player, it is far from being a global cyber power. With the EU’s defense and security policy still under construction, the EU remains a civilian power that lacks hard power capabilities – both in the “analog” and the “digital” realm.
The EU’s aspiration to become a cyber power has been the result of two developments. The first is the increasing development of EU competences and the second is the blurred distinction between domestic and international agendas. In order to demonstrate unity, the European Council has called for the development and implementation of a common and comprehensive approach to global cyber diplomacy. The Council of the EU [1] also encourages the Union and its Member States ‘to prepare cyber dialogues, avoiding duplication of efforts and taking into account the broader EU political and economic interests, collectively promoted by all EU actors’.
The EU’s role as a global cyber power mainly relies on its ability to shape cyber-related legislation as well as norms and standards of state behavior. This might prove challenging due to its institutional structure and civilian power characteristics. Still, the cyber diplomacy directive adopted by the European Council in December 2015 marks the EU’s more proactive role in international cyberspace policy development [2].
Even though the type of cyber security threats and their sources are more diversified than ever, liberal democracies are failing to respond to them with active measures. Regulating cyberspace is obviously a challenging task, as it requires to bring together diverse actors with various interests. This is where the window of opportunity opens up for the EU. The EU has been relatively successful in bringing together civilian and military stakeholders, as well as centers of excellence, industry, and academia [3]. (More on this in Part 1 of the series: EU Cyber Security Capabilities).
One of the main goals of the EU’s cyber diplomacy is to find international consensus on how to apply existing international law to cyberspace and to develop norms for responsible state behavior. The United Nations Charter does not refer to cybersecurity as by the time it was created, the Internet simply did not exist. The EU supports the idea that the UN Charter should apply to the cyber realm as well. The September 2017 Joint Communication on ‘Resilience, Deterrence and Defense: Building strong cybersecurity for the EU’ endorses the non-binding norms, rules, and principles of responsible state behavior in the field of Information and Telecommunications that have been articulated by the UN Group of Governmental Experts [4].
One of the notable examples that can be analysed to further understand the EU’s ability to influence international norm setting is the General Data Protection Regulation, which gives European citizens more control over the use of their private data. In a United States Senate hearing, Facebook CEO Mark Zuckerberg noted that the European legislation seems fair and suitable to prevent unwelcome interferences and misuse of customer data in the future [5]. Even though the regulation has not become an international standard yet, international discourse commends the EU’s progressive vision regarding data protection. Decreasing the vulnerability of European citizens and companies, in addition to building secured information and communication systems, creates a strong foundation for cyber security deterrence.
The real challenge to develop an effective legislation lies in overcoming the EU bureaucracy against a fast-developing and ever-changing cyber environment. Even though the European Union is yet to become a powerful cyber security actor, its diplomatic efforts to support the application of the international law to cybercrimes have the potential to set international norms and principles of responsible state behavior. Amongst others, the EU has started to influence the global discourse through cooperation with third countries and other regional organisations. The scale, achievements and challenges of this type of cooperation will further be discussed in the final part of the series on the EU Cyber Security Capabilities.
Sources:
[1] Reform of the Cyber Security in Europe. 2017. Council of the European Union. Retrieved on July 27, 2018 from: http://www.consilium.europa.eu/en/policies/cyber-security/ [2] European Commission. (2017. Digital Single Market. Cybersecurity. Retrieved on July 27, 2018 from: https://ec.europa.eu/digital-single-market/en/cyber-security [3] European Commission and High Representative of the EU for Foreign Affairs and Security Policy. (2013). Cyber Security Strategy of the EU: An Open, Safe and Secure Cyberspace. Retrieved on July 27, 2018 from: https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf [4] Jaku Bund, Pawlak Patryk. (2017) Minilateralism and norms in . cyberspace. EU Institute for Security Studies. Retrived on Sep 15, 2018 from https://www.iss.europa.eu/sites/default/files/EUISSFiles/Alert%2025%20Cyber%20norms_0.pdf [5] The Washington Post. (2018). Mark Zuckerberg testifies on Capitol Hill (full Senate hearing). Retrieved on July 27, 2018 from: https://www.youtube.com/watch?v=6ValJMOpt7s
EU and Cyber Security: New Player against Emerging Threats in Cyberspace – Part One of Three
Transport, energy, health, and finance are the most vulnerable sectors exposed to cyber-threats. Issuing the EU Cybersecurity Strategy in 2013 was an important step forward in developing a common framework; however, the strategy lacked the practical initiatives that would deliver tangible outcomes.
By Rusudan Zabakhidze
In the past decade, cyber warfare has become an exceptional phenomenon that has increased the vulnerability of individuals, non-state actors, and state actors to unprecedented levels. Businesses and governments rely on networks to provide their services across the EU. However, the cyber threat vulnerability of the world’s second-largest economy remains unclear. This article provides an introduction to the EU’s strategic cyber security vision by critically analysing internal and external challenges in the implementation of the recently published cyber security strategy: “Resilience, Deterrence, and Defense: Building strong cybersecurity for the EU.”
In the case of a cyber offense, the victimised country is often hampered to find a proper response because of the ambiguity surrounding the nature and origin of the attack. Since the cyber-attacks against Estonia in 2007, there have been growing concerns over the possibility of election hacking by foreign states, ransomware attacks, and other cybercrime. According to the statistics provided by the European Commission, 80% of European companies experienced at least one cybersecurity incident in 2017 [1]. Correspondingly, 86% of Europeans believe that the cybercrime risks are increasing [2].
The European Union is working on completing the Digital Single Market which will further extend the “four freedoms” (movement, capital, goods, and labour) by providing the rules of fair competition for the individuals and businesses of the Member States to engage in online activities [3]. Therefore, the costs related to cyber attacks are only expected to increase, creating a need for the development of effective preventive mechanisms. Some Member States have already included Cybersecurity in their National Security Strategies. Yet, the ambition of creating the Digital Single Market coupled with the highly interdependent nature of the EU economy indicates a need for action on the collective European level, rather than the individual national levels.
Transport, energy, health, and finance are the most vulnerable sectors exposed to cyber-threats [4]. Issuing the EU Cybersecurity Strategy in 2013 was an important step forward in developing a common framework; however, the strategy lacked the practical initiatives that would deliver tangible outcomes [5]. Necessary resources, for example, are still up to each Member State to acquire. In September 2017, the European Commission proposed a wide range of concrete measures that aim to further strengthen the EU’s cyber defense structures and capabilities, entailing more cooperation between the Member States. The updated strategy, “Resilience, Deterrence, and Defense: Building strong cybersecurity for the EU,” revolves around three principles: building resilience, developing legislative responses, and strengthening international cooperation [6].
While the implementation of the proposed initiatives is a long-term process, the EU has already taken its first steps regarding the security of its own institutions. An inter-institutional arrangement established a permanent Computer Emergency Response Team (CERT-EU) covering all EU institutions, bodies, and agencies.
The European Commission has created the EU Cybersecurity Agency for Network and Information Security (ENISA). This agency coordinates cooperation among member states against cyberattacks. The EU has created a blueprint that guides incident responses for large-scale cyberattacks. An EU-wide certification scheme is also in consideration to increase the quality and security of digital products and services. The EU plans to support Research and Competence Centers and to set up a cyber defense training and education platform. The EU also aims to develop a framework for a Joint EU Diplomatic Response to Malicious Cyber Activities and to deepen cooperation with the North Atlantic Treaty Organization (NATO) [7].
Even though the proposed initiatives cover a wide range of responses, there are a number of practical challenges that will significantly affect the speed, as well as the outcomes, of the mentioned initiatives. The EU has neither properly defined resilience or deterrence nor made sufficiently clear how it intends to overcome institutional fragmentation and lack of legal authority in cybersecurity issues [8]. Other tasks that lie ahead include finding consensus on what constitutes a cybercrime and building the capacities to trace the sources of attacks.
While updating the original cyber security strategy can be considered a positive step towards the EU’s increased resilience, the challenges posed by institutional fragmentation of the Union may hinder the implementation process. Ultimately, as the frequency and scale of cyberattacks increase, effective mechanisms are essential. Failure to implement the proposed initiatives will automatically result in the failure of the establishment of the Digital Single Market. Failure to adapt to the risks and realities of the 21st century could harm the EU’s credibility, and ultimately its viability, not only with its citizens, but worldwide.
Sources:
[1] European Commission. 2017. State of the Union. Cyber Security Factsheet. [online]
Available at: http://www.consilium.europa.eu/media/21480/cybersecurityfactsheet.pdf
[2] ibid
[3] European Commission. 2015. Shaping the Digital Single Market. [online]
Available at: https://ec.europa.eu/digital-single-market/en/policies/shaping-digital-single-market
[4] Council of the European Union. 2017. Reform of the Cyber Security in Europe. [online]
Available at: http://www.consilium.europa.eu/en/policies/cyber-security/
[5] European Commission and High Representative of the EU for Foreign Affairs and Security Policy.
2013. Cyber Security Strategy of the EU: An Open, Safe and Secure Cyberspace. [online]
Available at: https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf
[6] European Commission. 2017.
State of the Union - Cybersecurity: Commission scales up EU's response to cyber-attacks.
[online] Available at: http://europa.eu/rapid/press-release_IP-17-3193_en.htm
[7] European Commission. 2017. State of the Union. Cyber Security Factsheet. [online]
Available at: http://www.consilium.europa.eu/media/21480/cybersecurityfactsheet.pdf
[8] Bendiek, A, Bossong, R & Matthias Schulze. 2017. The EU’s Revised Cybersecurity Strategy.
German Institute for International and Security Affairs. [online]
Available at: https://www.swp-berlin.org/fileadmin/contents/products/comments/2017C47_bdk_etal.pdf
The State of the European Energy Union
In an increasingly open and interconnected market, one of the most vital elements of the European Union (EU) common market project is lagging behind: energy. The European Energy Union is an ongoing project of the EU to create an open and interconnected energy market throughout the EU providing secure, affordable and climate-friendly energy.
By Dorien van Dam
In an increasingly open and interconnected market, one of the most vital elements of the European Union (EU) common market project is lagging behind: energy. The European Energy Union is an ongoing project of the EU to create an open and interconnected energy market throughout the EU providing secure, affordable and climate-friendly energy. The initiative was launched in 2014 and published its last progress report in November 2017 [1]. These reports monitor the advancement of the EU towards its 2020 and 2030 energy and climate targets. The reports repeatedly draw the same unsatisfactory conclusion: more work will be needed. So, what exactly is going wrong?
The road towards this Energy Union is outlined in a framework, and can be roughly divided into four pillars: (1) more interconnection, (2) higher energy efficiency, (3) higher share of renewable energy and (4) cuts in greenhouse gas emissions. Some countries, however, are struggling more with their targets than others.
As per the 2014 numbers of Eurostat, nine member states have already met their national renewable energy targets for 2020. The states that are the furthest away from reaching their targets are France, the Netherlands and Ireland [2]. Ironically, these are countries with relatively high GDP per capita within the EU. Irish officials argue that their progress towards the targets were hampered by slow recovery following the financial crisis. Ireland was however not disproportionately affected by the financial crisis; it was a truly global crisis [3].
A possible explanation is that the four countries were not politically equipped to surpass the tragedy-of-the-commons problem. Renewable energy is a typical good that everyone wants but nobody wants to pay for. In the Netherlands, even after a sharp increase in ‘green’ voters during the 2017 election, the new government coalition agreement was exceptionally weak from an environmental perspective. The French system, on the other hand, is infamous for its layered bureaucracy with high amounts of red-tape. This system, in addition to a well-organized fossil fuel lobby are severely hindering the development of a green energy sector [4].
On a more positive note, the EU is expected to surpass their goals in cutting greenhouse gas (GHG) emissions by 1%. Even though this goal does not include ‘embedded emissions’: GHG emissions involved in the production of imported goods [5], it is still a hard-needed win for the EU in the realisation of their 2020 goals.
Another area where progress is being steadily observed is that of energy efficiency. Per capita energy consumption in the EU has decreased from 2007 to 2014. Yet, 2015 and 2016 witnessed small increases, likely due to cooler winters. This resulted in the repetition of the EU Energy mantra: “additional efforts may be needed.” Despite these cooler winters, the EU is the first economic bloc to decouple economic growth from energy consumption.
Finally, the EU has a range of projects on their way to increase energy interconnection. These projects, however, are facing their own geopolitical issues. To conclude, the EU has set out a structured path towards the creation of its Energy Union, but along the way it has had to face multiple political—and meteorological—realities. Most of the 2020 goals are legally binding targets, resulting in possibly hefty fines for the countries that fail to meet their targets. Yet it is doubtful that the European Court of Justice will accept a cold winter as a justification for a breach, but imposing fines when the EU is suffering from low levels of support might prove a politically risky move. All in all, 2020 will prove to be an interesting year, not just for the Energy Union, but for the wider European Union as well.
Sources:
[1] European Commission. 2018. Energy Union and Climate. [ONLINE]
Available at: https://ec.europa.eu/commission/priorities/energy-union-and-climate_en.
[Accessed 3 March 2018].
[2] TheJournal.ie. 2017.
Ireland is expected to miss its EU renewables target - and cop a multimillion-euro bill.
[ONLINE]
Available at: http://www.thejournal.ie/ireland-eu-2020-energy-fines-2-3231942-Feb2017/. [Accessed 3 March 2018].
[3] Ibid.
[4] ICIS. 2017. ICIS Power Perspective: France likely to miss 2020 renewables target. [ONLINE]
Available at: https://www.icis.com/resources/news/2017/10/06/10149918/icis-power-perspective-france-likely-to-miss-2020-renewables-target/?redirect=english. [Accessed 3 March 2018].
[5] European Commission. 2018. Energy Union and Climate. [ONLINE]
Available at: https://ec.europa.eu/commission/priorities/energy-union-and-climate_en. [Accessed 3 March 2018].