Friday

20th Sep 2019

Focus

EU struggling to fight cyber crime

  • Viruses can turn computers into 'zombies' that are controlled remotely (Photo: twenty_questions)

Faced with increasing cyber attacks, the EU is looking at a new law criminalising the use of 'zombie' computers and is setting up a 'cybercrime' centre and special teams of IT firefighters to prevent further attacks.

Notoriously slow in its reaction to world events, the EU has even more difficulties when it comes to adapting its legislation and institutions to the fast-changing online environment.


A draft law put forward by the EU commission in 2010 on criminalising the spread of malicious software used to launch attacks on government or private company servers is only in the early stages of parliamentary work and still has to be agreed with member states.

And by some accounts the draft legislation is already out of date, as it does not consider issues such as the jurisdiction over social network giants like Facebook or security breaches in cloud data centres.

Jakub Boratynski from the European Commission's cybercrime unit says that the draft bill was "triggered" by the large-scale cyber attack against Estonia in 2007. Four years later, he notes member states still need to update their legislation and "prosecute and convict criminals launching attacks from and outside the EU."

He admits the commission itself has problems with security, noting that people pretending to be using an EU commission email address manage to get past the cyber security gates to send email containing viruses. "This is something we witness in the commission despite elaborate filters and protective mechanisms," he said.

The new law would make this practice illegal as well as obliging member states to collect data on cyber attacks.

Boratynski also downplayed the impact of this piece of legislation, which should not be seen as a "panacea for all problems on the internet", but just as one tool in the fight against cyber crime. The only way to avoid being outpaced by rapidly changing technology is for the law to be as "technologically neutral as possible," he said. So the draft law does not specifically refer to 'botnets' (hijacked computers), but rather to more generic terms such as "tools" or "devices".

Events have prompted further action. The EU's diplomatic service was subject to a large denial-of-service attack earlier this year, prompting the commission to establish a special squad of IT specialists. The Computer Emergency Response Team (Cert) is meant to detect and prevent such attacks in all institutions.

Such teams already exist in most member states and experts wonder why it took the EU so long to set one up for its own institutions.

From the perspective of a country that had its entire e-government and online banking structure shut down for three weeks in 2007, an Estonian official said that the EU is still lacking a "comprehensive" cyber security response and contingency planning for the entire bloc.

Heli Tiirma-Klaar from the Estonian defence ministry says that while there has been "a mushrooming of cyber initiatives", harmonising penalties would be a "big step forward and a great deterrent."

Privacy concerns

But human rights defenders are concerned that the more information is collected and shared by law enforcement, the more citizens' privacy rights will be violated.

"Being successful in fighting cyber crime does not require continuous and systematic surveillance of internet users. Systematic tracking is a breach of fundamental rights," said Peter Hustinx, the EU's data protection czar. "We support only targeted measures, where required and proportionate, as it is the case in the offline world as well."

The controversial EU data retention law obliging phone and internet providers to store all traffic logs of their users is a case in point. Initially used to help investigators track down terrorism suspects, it is now primarily used for organised crime and child pornography rings. In Poland, where it has been praised as "efficient" by the police, it was also used to snoop on journalists and their sources.

"What people don't distinguish is using personal data in specific police investigations where you have a suspect and there are normal judicial procedures and a system whereby all citizens are being watched - just in case someone commits a crime in the future," says Dutch Liberal MEP Sophie in't Veld.

"We could just as well have preventive house searches every day. It's just that people don't know it's happening, because it's not in their homes, it's about their data."

It's the data, stupid

And just as intelligence services and police are interested in having access to as much private data as possible, so are cyber criminals.

With an explosion in information generated by every computer and smartphone user - the equivalent of 318 billion DVDs a year - and with social networking creating "countries" of user data, it is getting easier to launch cyber attacks. "There are tools you can search for and buy on the internet. You no longer have to be a computer geek to launch an attack," says Ilias Chantzos from Symantec, a security software firm.

"The target is information, anything that has a value - banking data, email passwords, government records. It is not the infrastructure. And this trend will continue," he said.

That the trend of attacks is increasing is confirmed by Europol, the bloc's police co-operation agency, and by hackers alike. But opinions vary greatly on how to deal with this. Florian Walther, a German hacker and member of the Berlin-based Chaos Computer Club, says that "sloppy IT administrators" and software vendors who are not securing their programmes properly are the ones to blame: "I have been a professional hacker since 1999. I know the financial, corporate and governmental security systems in and out. I know their passwords, because I cracked them. The root of the problem we're dealing here is that cybercrime is increasing because it's easy and less risky than real world crimes. From a cyberbank you can get millions in one night, a real bank would hold maybe only a few thousand euro in cash."

He singled out the embarrassing case of DigiNotar, an online "certificate authority" from the Netherlands which is supposed to mark websites as "trusted", meaning that they really are what they claim to be: banks, search engines, webmail services and not fronts for online scams.

The Dutch government, which was using DigiNotar for its own websites, had to shut it down earlier this month after it emerged that it had been hacked into and that fake certificates had been handed out to websites looking like the intelligence services of the UK, US and Israel, as well as for online services such as Google, Skype, Twitter and Facebook.

"DigiNotar's root password was 'prod admin', meaning production administrator. You can't have that kind of password, it's too easy. And then they inter-connected all systems to one master system. That's plain stupid. And it's even more stupid if you sign digital passwords," Walther said.

The fact that DigiNotar passes were provided without warranty highlights the main issue at stake in cyber security: liability. "Why can software manufacturers sell software without warranty? There is no incentive for them at the moment to make secure products. We should change this, they should have a financial risk if their software is not secure," he said.

To trust or not to trust

The DigiNotar fiasco may "reduce the trust people place in certificate authorities," currently a patchwork of private and partly state-owned companies, Colin Percival, an IT security expert, told this website.

Faced with a fake website that his browser will not warn him about, a layman would be defenceless, says Percival: "There's not much people can do, save to use common sense about what they do online -- it's probably not a good idea to write 'let's get together next Monday and overthrow the government' no matter how much you trust the website you're writing it on."

Currently, there is no unified policy on who can set up a certificate authority, and computer systems and internet browsers have various criteria for deciding which of these companies they recognise as trustworthy.

Percival said an EU-wide authority would not necessarily be a better solution, but "national certificate authorities would probably be better than private ones." In order for that to happen, however, the whole system would have to be changed, so for instance a small firm in the Netherlands like DigiNotar would no longer be able to sign certificates for sites like Google or Facebook.

"As long as web browsers come with a list of over 50 certificate authorities which can each sign any domain name, attacks like this are inevitable," said Percival.
