ENDitorial: Questions on the draft Directive on Cybersecurity Strategy
A draft of the already announced EU Directive on Cybersecurity Strategy that is circulating in Brussels seems, in EDRi's opinion, to be totally misguided.
The Commission seeks to put ENISA at the heart of a network to act as an early warning system for bad stuff on the Internet, which is good. What is wrong is that instead of pulling together police forces, CERTs and service providers, ENISA seeks to set up a classified network of military and intelligence agencies.
It is true that large numbers of EU citizens have suffered from online fraud and that their ability to get redress varies quite disgracefully across the EU (as noted in the recent Eurostat survey, and discussed in the paper on "The Costs of Cybercrime"). However, the appropriate policy responses are already well known: they include improved and harmonised consumer protection, better police cooperation, security breach disclosure and a policy that vendors should supply and certify network-attached devices to be safe by default. Such measures are clearly within the competence of the EU and some are already being undertaken; see for example the security breach disclosure provisions in the draft Data Protection Regulation, and the new European Cybercrime Centre. Such proposals should be pursued and implemented with vigour.
This proposed directive, however, represents an attempt to militarise security in cyberspace. This has already been seen in some Member States; for example, the UK allocated a further £640m (approx. 770m Euro) to cybersecurity from 2011-5 but when the dust settled, GCHQ (the UK signals intelligence agency) had won 59% of it. The police, who actually have the responsibility for catching cyber-crooks, got an almost insignificant £5m (approx. 6m Euro) a year. So rather than giving the police the resources they need to catch cyber-crooks and put them in jail, the UK government decided to give most of the money to the spies so they could go commit more cyber-crimes (albeit in other people's countries).
It is a tragedy that the European Union is now considering following this UK- and US-centric policy lead. The proposed draft directive must be rewritten so that the network of cooperation on cybercrime includes those organisations in a position to push back on crime, including the police, network service providers, CERTs, researchers, online service firms, software vendors and security companies. A classified network will not be in a position to win the trust of most of these stakeholders and would not in any case be able to feed much useful information to them. At present, civilian organisations contribute much more to the fight against cybercrime, as well as owning most of the critical infrastructure; as a result, they understand the problems much better. A network of governments talking only to each other could easily end up with the agencies amplifying each other's misconceptions.
Furthermore, the draft Directive's concept of a "single national competent authority" is wrong in principle and unworkable in practice. Even in the UK, where cybersecurity is already being partly militarised along the US model, we see a plurality of players even in the public sector: GCHQ, the Serious Organised Crime Agency, the Security Service, local police forces and the National Physical Laboratory. This diversity of mission and of policy is valuable. Similarly, in Germany the roles of the Bundesamt für Sicherheit in der Informationstechnik and the Bundesnachrichtendienst are quite properly separate. A directive that encourages one single agency to acquire primacy in each Member State would undermine the constitutional arrangements that various states currently have for separation of powers and accountability (weak though these already are in some cases). In the German case, for example, it would undermine the strict separation between criminal prosecution and national intelligence.
The draft directive also grants draconian powers to ENISA and to Member States, powers which would greatly exceed those granted under the Data Retention Directive, a measure which has now been challenged successfully in the constitutional courts of several Member States. Note for example point 28 (page 14):
"Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information from market operators in order to assess the level of security of network and information systems as well as reliable and comprehensive data about actual security incidents that have had an impact on the operation of network and information systems."
The definition of a "market operator" is: "Enablers of Internet services, e.g. e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores, communication services other than those covered by the electronic communications framework. Software developers and hardware manufacturers are excluded."
In other words, ENISA and the national agencies in its network would have access to "sufficient information" from almost everyone online, in effect extending the data-retention powers from phone companies and ISPs to service providers such as search engines, webmail providers, social networks and computer game operators. That is completely unacceptable, as it would violate the constitutions of Germany and other countries (and, in view of the hostile report by the UK parliament's scrutiny committee on the proposed Communications Data Bill, would likely be unacceptable even in the most surveillance-friendly of the EU Member States). Finally, it is extremely difficult to see how such a provision could be squared with Article 8 of the European Convention on Human Rights.
The draft as it stands is unacceptable. It must be rewritten or abandoned.
The Costs of Cybercrime, R. Anderson et al., 2012
Analysing Barriers and Incentives for Network and Information Security in the Internal Market for e-Communication, ENISA, 2008
EU cyber-security legislation on the horizon (11.05.2012)
(Contribution by Ross Anderson - EDRi member FIPR - UK)