Sunday

19th Nov 2017

Hack the EU: IT security cuts cause concern

  • 'I am pretty sure that all the reports ... are being read by the Russians and by the Chinese' (Photo: europarl.europa.eu)

A plan to cut spending on IT security in the EU diplomatic corps is causing concern among officials who handle classified files.

According to the European External Action Service's (EEAS) draft budget for 2014, seen by EUobserver, spending on secure communications is to go down from €10.8 million this year to €8.3 million next year - a drop of 23 percent.

Thank you for reading EUobserver!

Subscribe now for a 30 day free trial.

  1. €150 per year
  2. or €15 per month
  3. Cancel anytime

EUobserver is an independent, not-for-profit news organization that publishes daily news reports, analysis, and investigations from Brussels and the EU member states. We are an indispensable news source for anyone who wants to know what is going on in the EU.

We are mainly funded by advertising and subscription revenues. As advertising revenues are falling fast, we depend on subscription revenues to support our journalism.

For group, corporate or student subscriptions, please contact us. See also our full Terms of Use.

If you already have an account click here to login.

An additional one page memo, also seen by this website, gives more detail.

It says the EEAS will slash funds for the so-called Solan secure network from €1.7 million to zero.

It will also cut investment on secure IT in its intelligence-sharing office, Intcen, from €700,000 to zero.

Its budget for secure phones and similar kit for EU diplomats overseas will fall from €647,000 to €487,000.

Among other measures, spending on Opswan - a network which connects the EEAS in Brussels with its satellite image centre in Torrejon, Spain - will go from €1.5 million to €774,000.

At the same time, it will spend €2.3 million more on private sector IT consultants.

EEAS spokesman Michael Mann said: "IT investments are multi-annual and vary from year to year. The proposed budget for 2014 reflects the very tight budget environment."

He indicated that Solan will be replaced by a new network.

"It is natural that, as a new organisation, the EEAS should review its needs in this area and consider different options. For the future, these could include … new replacement systems," he noted.

Some of the measures make sense.

Opswan is a back-up system which is rarely used.

Private sector firms give valuable advice on whether EU systems are up to date with ever-changing threats.

But some of the decisions are causing worry.

EEAS staff use four ways to circulate classified documents.

They use the so called New Communications Network (NCN) to encrypt "restricted," "confidential" and "secret" files before sending them to and from their 140 foreign embassies as attachments in emails on the open Internet.

They use Acid - software developed by a French company - to encrypt "restricted" documents before emailing them to each other or to the EU Council, the member states' secretariat in Brussels.

They use Solan to circulate "confidential" and "secret" files in the EU capital.

Solan is an air-gapped network - a set of computers and cables which is physically cut off from the Internet.

If an EEAS official wants to switch a document from NCN to Solan, they download it onto a USB stick, then upload it onto the air-gapped system.

"Top secret" files - the highest classification - are circulated by hand.

One EU contact said that instead of cutting back on IT security, the EEAS should be upgrading NCN.

The European Commission created it in 2006 when its foreign delegations' main task was to oversee aid projects.

But EEAS embassies have a more political role, making them into a target for hostile intelligence services.

"NCN encryption is not up to standard and has never been accredited by member states' national security authorities," the EU source noted.

"I am pretty sure that all the reports sent in from delegations in sensitive places, such as Mali or Lebanon, are being read by the Russians and by the Chinese," the contact added.

The decision to cut Solan might also cause problems.

If the EEAS creates a new network, it will have to be accredited by all 27 member states before it can be used in the Council.

The process can take years.

In the meantime, EEAS and Council staff would have to put "confidential" and "secret" files on USB sticks or on paper and carry them between various buildings in the EU quarter in Brussels.

According to the Belgian intelligence service, there is no shortage of spooks in the EU capital who might be keen to intercept them.

The EEAS has already been hacked at least once.

On 8 March 2011, commission and EEAS email passwords were compromised in what the commission described as a "serious" and "targeted" attack.

Staff were temporarily blocked from accessing work emails from home and obliged to change passwords.

On 14 January this year, Russian IT security firm Kaspersky Lab unveiled details of a cyber-espionage operation which it called Red October.

Alex Gostev, a Kaspersky Lab expert, told EUobserver that Red October targeted Acid and Chiasmus, another EU-accredited encryption software.

"Any encryption software is as secure as the passwords used to encrypt the documents or the private keys. If these are stolen, encryption is broken. This is exactly what Red October was targeting - documents with extensions from these programmes," he said.

In terms of the general IT environment, Cert EU, a new commission unit of about 12 people who monitor attacks on all EU institutions, is currently sending out some 50 alerts a month.

"The overall trend of the threat … seems to be increasing, both in frequency and in the level of sophistication," commission spokesman Antony Gravili said.

For his part, Raj Samani, a specialist from US-based IT security firm McAfee, said iPhones - beloved by EU staff - pose a risk because the manufacturer, Apple, has no control over potential malware in the applications which people download.

He warned EU officials on using social media, such as Facebook and Twitter, because they expose personal data which can help hackers to find weak spots.

He also said air-gapped networks, such as Solan, are not foolproof.

He noted that Stuxnet - a malware discovered in 2010 which is designed to harm industrial control systems - got into one air-gapped facility when somebody plugged in a compromised USB stick.

"Even a network that has no connection to the world wide web is not safe anymore," he said.

Hackers stole Van Rompuy's emails

Hackers last summer raided the emails of EU Council chief Herman Van Rompuy and 10 other senior EU officials.

EU parliament blocks websites 'to protect' staff

The EU parliament is routinely blocking websites such as Reddit or even the BBC in what internet security experts see as an exaggerated response to a virus which uses social networks.

MEPs ponder how to fight tax havens

After the Paradise Papers brought new revelations about tax dodging across the globe, including in the EU, the European Parliament wonders how to step up the fight.

News in Brief

  1. Bonn climate talks extend into Friday evening
  2. UK needs to move on Brexit by early December, Tusk says
  3. Puigdemont extradition decision postponed to December
  4. Ireland wants written UK guarantees to avoid hard border
  5. US did not obstruct climate talks, says German minister
  6. EU signs social declaration
  7. Puigdemont to be heard by Belgian judges
  8. Steep fall in migrants reaching EU

Stakeholders' Highlights

  1. European Jewish CongressAntisemitism in Europe Today: Is It Still a Threat to Free and Open Society?
  2. Counter BalanceNew Report: Juncker Plan Backs Billions in Fossil Fuels and Carbon-Heavy Infrastructure
  3. Nordic Council of MinistersNordic countries prioritise fossil fuel subsidy reform
  4. Mission of China to the EUNew era for China brings new opportunities to all
  5. ACCASmall and Medium Sized Practices Must 'Offer the Whole Package'
  6. UNICEFAhead of the African Union - EU Summit, Survey Highlights Impact of Conflict on Education
  7. Nordic Council of MinistersNordic Council Calls for Closer Co-Operation on Foreign Policy
  8. Swedish EnterprisesTrilogue Negotiations - Striking the Balance Between Transparency and Efficiency
  9. Access EuropeProspects for US-EU Relations Under the Trump Administration - 28 November 2017
  10. World Vision20 November: Exchange of Views at the EP on Children Affected by the Syria Crisis
  11. Nordic Council of MinistersSustainable Growth the Nordic Way: Climate Solutions for a Sustainable Future
  12. EU2017EEHow Data Fuels Estonia's Economy

Latest News

  1. EU keeps former Soviet states at arm's length
  2. EU leaders make pledge on social issues after populist backlash
  3. EU agencies and eastern neighbours This WEEK
  4. Germany slams Dutch call for more ambitious EU climate goal
  5. Mind the gap: inequality in our cities
  6. Climate activists 'disappointed' with EU at climate talks
  7. Davis outlines UK vision on Brexit in Berlin
  8. German coalition talks in near collapse

Stakeholders' Highlights

  1. Mission of China to the EUChina and EU Step Up Water Management Cooperation
  2. CECEMachinery Industry Calls for Joint EU Approach to Develop Digital Construction Sector
  3. Nordic Council of MinistersMale Business Leaders Gather in Copenhagen to Advance Gender Equality
  4. EnelNo ETS Deal Means It Can Still Be Strengthened
  5. EU2017EEEstonia Anticipates More Digital Cooperation With Sweden
  6. Mission of China to the EUChina Launches Campaign to Protect IPR of Foreign Companies
  7. European Jewish CongressEJC Condemns Attacks on Ruta Vanagaite and the Shredding of Her Books in Lithuania
  8. Bio-Based IndustriesDiscover the Future of the Bio-Based Economy. Register Now for the BBI Stakeholder Forum!
  9. European Free AllianceWelcome Catalonia!
  10. UNICEFGrowing Number of Unaccompanied Refugee Children in Greece in Need of Shelter
  11. Counter BalanceNature Destruction Cannot Be Compensated For, Say NGOs
  12. CES - Silicones EuropeSilicones - Enabling the Next Big Leap in Prosthetics and Health