This article is also available in:
Deutsch: [ENDitorial: Fragen zum Entwurf für eine Strategie und eine Richtlinie zur Cybersicherheit |]

A draft of the already announced EU Directive on Cybersecurity
Strategy that is circulation in Brussels seems to be totally misguided,
in EDRi’s opinion.

The Commission seeks to put ENISA at the heart of a network to act as
an early warning system for bad stuff on the Internet, which is good.
What is wrong is that instead of pulling together police forces,
CERTs and service providers, ENISA seeks to set up a classified
network of military and intelligence agencies.

It is true that large numbers of EU citizens have suffered from online
frauds and that their ability to get redress varies quite disgracefully
across the EU (as noted in the recent Eurostat survey, and discussed in
the paper on “The Costs of Cybercrime”). However the appropriate policy
responses are already well-known: they include improved and harmonised
consumer protection, better police cooperation, security breach
disclosure and a policy that vendors should supply and certify
network-attached devices to be safe by default. Such measures are
clearly within the competence of the EU and some are already being
undertaken; see for example the security breach disclosure provisions in
the draft Data Protection Regulation, and the new European Cybercrime
Centre. Such proposals should be pursued and implemented with vigour.

This proposed directive, however, represents an attempt to militarise
security in cyberspace. This has already been seen in some Member
States; for example, the UK allocated a further £640m (approx. 770m
Euro) to cybersecurity from 2011-5 but when the dust settled, GCHQ (the
UK signals intelligence agency) had won 59% of it. The police, who
actually have the responsibility for catching cyber-crooks, got an
almost insignificant £5m (approx. 6m Euro) a year. So rather than giving
the police the resources they need to catch cyber-crooks and put them in
jail, the UK government decided to give most of the money to the spies
so they could go commit more cyber-crimes (albeit in other people’s

It is a tragedy that the European Union is now considering following
this UK- and US-centric policy lead. The proposed draft directive must
be rewritten so that the network of cooperation on cybercrime includes
those organisations in a position to push back on crime, including the
police, network service providers, CERTs, researchers, online service
firms, software vendors and security companies. A classified network
will not be in a position to win the trust of most of these stakeholders
and would not be able in any case to feed much useful information to
them. At present, civilian organisations contribute much more to the
fight against cybercrime, as well as owning most of the critical
infrastructure; as a result we understand the problems much better. A
network of governments talking only to each other could easily end
up with the agencies amplifying each others’ misconceptions.

Furthermore, the draft Directive concept of a “single national
competent authority” is wrong in principle and unworkable in practice.
Even in the UK, where cybersecurity is already being partly militarised
along the US model, we see a plurality of players even in the public
sector: GCHQ, the Serious and Organised Crime Agency, the Security
Service, local police forces and the National Physical Laboratory. This
diversity of mission and of policy is valuable. Similarly, in Germany
the roles of the Bundesamt fuer Sicherheit in der Informationstechnik
and the Bundesnachrichtendienst are quite properly separate. A directive
that encourages one single agency to acquire primacy in each Member
State would undermine the constitutional arrangements that various
states currently have for separation of powers and accountability (weak
though these already are in some cases). In the German case, for
example, it would undermine the strict separation between criminal
prosecution and national intelligence.

The draft directive also grants draconian powers to ENISA and to Member
States, which would greatly exceed those granted under the Data
Retention Directive and which now have been challenged successfully in
the Constitutional courts of several Member States. Note for example
point 28 (page 14):

“Competent authorities should have the necessary means to perform their
duties,including powers to obtain sufficient information from market
operators in order to assess the level of security of network and
information systems as well as reliable and comprehensive data about
actual security incidents that have had an impact on the operation of
network and information systems.”

The definition of a “market operator” is: “Enablers of Internet
services, e.g. e-commerce platforms, Internet payment gateways, social
networks, search engines, cloud computing services, application stores,
communication services other than those covered by the electronic
communications framework. Software developers and hardware manufacturers
are excluded.”

In other words ENISA and the national agencies in its network will have
access to “sufficient information” from almost everyone online, in
effect extending the data-retention powers from phone companies and ISPs
to service providers such as search engines, webmail providers, social
networks and computer game operators. That is completely unacceptable as
it would violate the constitutions of Germany and other countries (and
in view of the hostile report by the UK parliament’s review committee in
the proposed Communications Data Bill, would likely be unacceptable even
in the most surveillance-friendly of the EU member states). Finally, it
is extremely difficult to see how such a provision could be squared with
Article 8 of the European Convention of Human Rights.

The draft as it stands is unacceptable. It must be rewritten or abandoned.

The Costs of Cybercrime, R Anderson et al, 2012

Analysing Barriers and Incentives for Network and Information
Security in the Internal Market for e-Communication, ENISA 2008

EU cyber-security legislation on the horizon (11.05.2012)

(Contribution by Ross Andreson – EDRi member FIPR – UK)