Sunday

30th Apr 2017

Focus

EU struggling to fight cyber crime

  • Viruses can turn computers into 'zombies' that are controlled remotely (Photo: twenty_questions)

Faced with increasing cyber attacks, the EU is looking at a new law criminalising the use of 'zombie' computers and is setting up a 'cybercrime' centre and special teams of IT firefighters to prevent further attacks.

Notoriously slow in its reaction to world events, the EU has even more difficulties when it comes to adapting its legislation and institutions to the fast-changing online environment.


A draft law put forward by the EU commission in 2010 on criminalising the spread of malicious software used to launch attacks on government or private company servers is only in the early stages of parliamentary work and still has to be agreed with member states.

And by some accounts the draft legislation is already out of date, as it does not consider issues such as the jurisdiction over social network giants like Facebook or security breaches in cloud data centres.

Jakub Boratynski from the European Commission's cybercrime unit says that the draft bill was "triggered" by the large-scale cyber attack against Estonia in 2007. Four years later, he notes member states still need to update their legislation and "prosecute and convict criminals launching attacks from and outside the EU."

He admits the commission itself has problems with security, noting that people pretending to be using an EU commission email address manage to get past the cyber security gates to send email containing viruses. "This is something we witness in the commission despite elaborate filters and protective mechanisms," he said.

The new law would make this practice illegal as well as obliging member states to collect data on cyber attacks.

Boratynski also downplayed the impact of this piece of legislation, which should not be seen as a "panacea for all problems on the internet", but just as one tool in the fight against cyber crime. The only way to avoid being outpaced by rapidly changing technology is for the law to be as "technologically neutral as possible," he said. So the draft law does not specifically refer to 'botnets' (hijacked computers), but rather to more generic terms such as "tools" or "devices".

Events have prompted further action. The EU's diplomatic service was subject to a large denial-of-service attack earlier this year prompting the commission to establish a special squad of IT specialists. The Computer Emergency Response Team (Cert) is meant to detect and prevent such attacks in all institutions.

Such teams already exist in most member states and experts wonder why it took the EU so long to set one up for its own institutions.

From the perspective of a country that had its entire e-government and online banking structure shut down for three weeks in 2007, an Estonian official said that the EU is still lacking a "comprehensive" cyber security response and contingency planning for the entire bloc.

Heli Tiirma-Klaar from the Estonian defence ministry says that while there has been "a mushrooming of cyber initiatives", harmonising penalties would be a "big step forward and a great deterrent."

Privacy concerns

But human rights defenders are concerned that the more information is collected and shared by law enforcement, the more citizens' privacy rights will be violated.

"Being successful in fighting cyber crime does not require continuous and systematic surveillance of internet users. Systematic tracking is a breach of fundamental rights," said Peter Hustinx, the EU's data protection czar. "We support only targeted measures, where required and proportionate, as it is the case in the offline world as well."

The controversial EU data retention law obliging phone and internet providers to store all traffic logs of their users is a case in point. Initially used to help investigators track down terrorism suspects, it is now primarily used for organised crime and child pornography rings. In Poland, where it has been praised as "efficient" by the police, it was also used to snoop on journalists and their sources.

"What people don't distinguish is using personal data in specific police investigations where you have a suspect and there are normal judicial procedures and a system whereby all citizens are being watched - just in case someone commits a crime in the future," says Dutch Liberal MEP Sophie in't Veld.

"We could just as well have preventive house searches every day. It's just that people don't know it's happening, because it's not in their homes, it's about their data."

It's the data, stupid

And just as intelligence services and police are interested in having access to as much private data as possible, so are cyber criminals.

With an explosion in information generated by every computer and smartphone user - the equivalent of 318 billion DVDs a year - and with social networking creating "countries" of user data, it is getting easier to launch cyber attacks. "There are tools you can search for and buy on the internet. You no longer have to be a computer geek to launch an attack," says Ilias Chantzos from Symantec, a security software firm.

"The target is information, anything that has a value - banking data, email passwords, government records. It is not the infrastructure. And this trend will continue," he said.

That the trend of attacks is increasing is confirmed by Europol, the bloc's police co-operation agency, and by hackers alike. But opinions vary greatly on how to deal with this. Florian Walther, a German hacker and member of the Berlin-based Chaos Computer Club, says that "sloppy IT administrators" and software vendors who are not securing their programmes properly are the ones to blame: "I have been a professional hacker since 1999. I know the financial, corporate and governmental security systems in and out. I know their passwords, because I cracked them. The root of the problem we're dealing here is that cybercrime is increasing because it's easy and less risky than real world crimes. From a cyberbank you can get millions in one night, a real bank would hold maybe only a few thousand euro in cash."

He singled out the embarrassing case of DigiNotar, an online "certificate authority" from the Netherlands which is supposed to mark websites as "trusted", meaning that they really are what they claim to be: banks, search engines, webmail services and not fronts for online scams.

The Dutch government, which was using DigiNotar for its own websites, had to shut it down earlier this month after it emerged that it had been hacked into and that fake certificates had been handed out to websites looking like the intelligence services of the UK, US and Israel, as well as for online services such as Google, Skype, Twitter and Facebook.

"DigiNotar's root password was 'prod admin', meaning production administrator. You can't have that kind of password, it's too easy. And then they inter-connected all systems to one master system. That's plain stupid. And it's even more stupid if you sign digital passwords," Walther said.

The fact that DigiNotar passes were provided without warranty highlights the main issue at stake in cyber security: liability. "Why can software manufacturers sell software without warranty? There is no incentive for them at the moment to make secure products. We should change this, they should have a financial risk if their software is not secure," he said.

To trust or not to trust

The DigiNotar fiasco may "reduce the trust people place in certificate authorities," currently a patchwork of private and partly state-owned companies, Colin Percival, an IT security expert told this website.

Faced with a fake website that his browser will not warn him about, a layman would be defenceless, says Percival: "There's not much people can do, save to use common sense about what they do online -- it's probably not a good idea to write 'let's get together next Monday and overthrow the government' no matter how much you trust the website you're writing it on."

Currently, there is no unified policy on who can set up a certificate authority and computer systems and internet browsers have various criteria on deciding which of these companies they recognise as trustworthy.

Percival said an EU-wide authority would not necessarily be a better solution, but "national certificate authorities would probably be better than private ones." In order for that to happen, however, the whole system would have to be changed, so for instance a small firm in the Netherlands like DigiNotar would no longer be able to sign certificates for sites like Google or Facebook.

"As long as web browsers come with a list of over 50 certificate authorities which can each sign any domain name, attacks like this are inevitable," said Percival.
