Tuesday

17th Oct 2017

Focus

EU struggling to fight cyber crime

Viruses can turn computers into 'zombies' that are controlled remotely (Photo: twenty_questions)

Faced with increasing cyber attacks, the EU is looking at a new law criminalising the use of 'zombie' computers and is setting up a 'cybercrime' centre and special teams of IT firefighters to prevent further attacks.

Notoriously slow in its reaction to world events, the EU has even more difficulties when it comes to adapting its legislation and institutions to the fast-changing online environment.


A draft law put forward by the EU commission in 2010 on criminalising the spread of malicious software used to launch attacks on government or private company servers is only in the early stages of parliamentary work and still has to be agreed with member states.

And by some accounts the draft legislation is already out of date, as it does not consider issues such as jurisdiction over social network giants like Facebook or security breaches in cloud data centres.

Jakub Boratynski from the European Commission's cybercrime unit says that the draft bill was "triggered" by the large-scale cyber attack against Estonia in 2007. Four years later, he notes, member states still need to update their legislation and "prosecute and convict criminals launching attacks from and outside the EU."

He admits the commission itself has problems with security, noting that people pretending to be using an EU commission email address manage to get past the cyber security gates to send email containing viruses. "This is something we witness in the commission despite elaborate filters and protective mechanisms," he said.

The new law would make this practice illegal as well as obliging member states to collect data on cyber attacks.

Boratynski also downplayed the impact of this piece of legislation, which should not be seen as a "panacea for all problems on the internet", but just as one tool in the fight against cyber crime. The only way to avoid being outpaced by rapidly changing technology is for the law to be as "technologically neutral as possible," he said. So the draft law does not specifically refer to 'botnets' (hijacked computers), but rather to more generic terms such as "tools" or "devices".

Events have prompted further action. The EU's diplomatic service was subject to a large denial-of-service attack earlier this year prompting the commission to establish a special squad of IT specialists. The Computer Emergency Response Team (Cert) is meant to detect and prevent such attacks in all institutions.

Such teams already exist in most member states and experts wonder why it took the EU so long to set one up for its own institutions.

From the perspective of a country that had its entire e-government and online banking structure shut down for three weeks in 2007, an Estonian official said that the EU is still lacking a "comprehensive" cyber security response and contingency planning for the entire bloc.

Heli Tiirma-Klaar from the Estonian defence ministry says that while there has been "a mushrooming of cyber initiatives", harmonising penalties would be a "big step forward and a great deterrent."

Privacy concerns

But human rights defenders are concerned that the more information is collected and shared by law enforcement, the more citizens' privacy rights will be violated.

"Being successful in fighting cyber crime does not require continuous and systematic surveillance of internet users. Systematic tracking is a breach of fundamental rights," said Peter Hustinx, the EU's data protection czar. "We support only targeted measures, where required and proportionate, as it is the case in the offline world as well."

The controversial EU data retention law obliging phone and internet providers to store all traffic logs of their users is a case in point. Initially used to help investigators track down terrorism suspects, it is now primarily used for organised crime and child pornography rings. In Poland, where it has been praised as "efficient" by the police, it was also used to snoop on journalists and their sources.

"What people don't distinguish is using personal data in specific police investigations where you have a suspect and there are normal judicial procedures and a system whereby all citizens are being watched - just in case someone commits a crime in the future," says Dutch Liberal MEP Sophie in't Veld.

"We could just as well have preventive house searches every day. It's just that people don't know it's happening, because it's not in their homes, it's about their data."

It's the data, stupid

And just as intelligence services and police are interested in having access to as much private data as possible, so are cyber criminals.

With an explosion in information generated by every computer and smartphone user - the equivalent of 318 billion DVDs a year - and with social networking creating "countries" of user data, it is getting easier to launch cyber attacks. "There are tools you can search for and buy on the internet. You no longer have to be a computer geek to launch an attack," says Ilias Chantzos from Symantec, a security software firm.

"The target is information, anything that has a value - banking data, email passwords, government records. It is not the infrastructure. And this trend will continue," he said.

That the trend of attacks is increasing is confirmed by Europol, the bloc's police co-operation agency, and by hackers alike. But opinions vary greatly on how to deal with this. Florian Walther, a German hacker and member of the Berlin-based Chaos Computer Club, says that "sloppy IT administrators" and software vendors who are not securing their programmes properly are the ones to blame: "I have been a professional hacker since 1999. I know the financial, corporate and governmental security systems in and out. I know their passwords, because I cracked them. The root of the problem we're dealing with here is that cybercrime is increasing because it's easy and less risky than real world crimes. From a cyberbank you can get millions in one night, a real bank would hold maybe only a few thousand euro in cash."

He singled out the embarrassing case of DigiNotar, an online "certificate authority" from the Netherlands which is supposed to mark websites as "trusted", meaning that they really are what they claim to be: banks, search engines, webmail services and not fronts for online scams.

The Dutch government, which was using DigiNotar for its own websites, had to shut it down earlier this month after it emerged that it had been hacked into and that fake certificates had been handed out to websites looking like the intelligence services of the UK, US and Israel, as well as for online services such as Google, Skype, Twitter and Facebook.

"DigiNotar's root password was 'prod admin', meaning production administrator. You can't have that kind of password, it's too easy. And then they inter-connected all systems to one master system. That's plain stupid. And it's even more stupid if you sign digital passwords," Walther said.

The fact that DigiNotar passes were provided without warranty highlights the main issue at stake in cyber security: liability. "Why can software manufacturers sell software without warranty? There is no incentive for them at the moment to make secure products. We should change this, they should have a financial risk if their software is not secure," he said.

To trust or not to trust

The DigiNotar fiasco may "reduce the trust people place in certificate authorities," currently a patchwork of private and partly state-owned companies, Colin Percival, an IT security expert told this website.

Faced with a fake website that his browser will not warn him about, a layman would be defenceless, says Percival: "There's not much people can do, save to use common sense about what they do online -- it's probably not a good idea to write 'let's get together next Monday and overthrow the government' no matter how much you trust the website you're writing it on."

Currently, there is no unified policy on who can set up a certificate authority, and computer systems and internet browsers apply varying criteria when deciding which of these companies they recognise as trustworthy.

Percival said an EU-wide authority would not necessarily be a better solution, but "national certificate authorities would probably be better than private ones." In order for that to happen, however, the whole system would have to be changed, so for instance a small firm in the Netherlands like DigiNotar would no longer be able to sign certificates for sites like Google or Facebook.

"As long as web browsers come with a list of over 50 certificate authorities which can each sign any domain name, attacks like this are inevitable," said Percival.
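As an added illustration of the point Percival makes (example code written for this page, not code from the article or from any of the companies named): a Go program that builds a constructed trust store with a large CA and two small CAs, shows a browser-style verifier accepting a certificate for an unrelated hostname from any unconstrained root, and shows how an X.509 name constraint confining a small CA to its own domain makes the same certificate fail. All CA names, keys and hostnames below are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign fills in serial and validity, then signs tmpl with signer (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// newRoot builds a self-signed CA; permitted restricts the DNS suffixes it may certify (nil = any name).
func newRoot(name string, permitted []string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: permitted != nil}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// newLeaf has ca issue a TLS server certificate for host.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}, ca, &key.PublicKey, caKey)
}

// Scenario models a trust store with a large CA and two small ones (all constructed) and reports whether a
// certificate for host from the unconstrained small CA, then from the name-constrained one, is accepted.
func Scenario() (unconstrainedOK, constrainedOK bool) {
	bigCA, _ := newRoot("Big Global CA", nil)
	smallCA, smallKey := newRoot("Small NL CA", nil)                            // trusted for every name
	nlCA, nlKey := newRoot("Small NL CA (constrained)", []string{"example.nl"}) // trusted for example.nl only
	store := x509.NewCertPool()
	for _, root := range []*x509.Certificate{bigCA, smallCA, nlCA} {
		store.AddCert(root)
	}
	host := "mail.example.com" // a site neither small CA has any business certifying
	opts := x509.VerifyOptions{DNSName: host, Roots: store}
	_, errUnconstrained := newLeaf(smallCA, smallKey, host).Verify(opts)
	_, errConstrained := newLeaf(nlCA, nlKey, host).Verify(opts)
	return errUnconstrained == nil, errConstrained == nil
}
```

The first result is true because the verifier treats every root in the store as authoritative for every name; the second is false because the name constraint on the small CA's root turns a mis-issued certificate into a verification error instead of a trusted page.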
