[liberationtech] Comments on the EU Commission's Flawed Cybersecurity Strategy
Hi all,

Frustrated by the lack of critical reporting on the matter, I put together a post on the EU Cybersecurity Strategy that was announced yesterday. Apart from Prof. Ross Anderson's, I've read very few worthwhile analyses of it coming from civil society or academia. So I thought it would be useful to have your take: http://www.wethenet.eu/2013/02/comments-on-the-eu-commissions-flawed-cyberse...

Corrections welcome, especially if you think I'm being overly pessimistic/negative.

Best,
Félix

PS: Since this is my first post to the list, a few introductory words: I was a policy analyst (now volunteer) at Paris-based La Quadrature du Net for three years, and I'm currently writing my PhD thesis on the Internet's consequences for free speech law and citizen empowerment in EU democracies.

------------------------------------

Comments on the EU Commission's Flawed Cybersecurity Strategy

On Thursday February 7th 2013, during a press conference, the European Commission announced a milestone initiative in the field of "cybersecurity", publishing two documents:

- A *proposal for a directive* <http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-DRAFT-PROPOSAL.pdf> "concerning measures to ensure a high common level of network and information security across the Union" (apparently nicknamed the "NIS directive").
- A *communication* <http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-JOINT-COMMUNICATION.pdf> on a "CyberSecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace".

[Reminder: Cybersecurity in the sense used by the Commission is a buzzword covering issues ranging from the management of computer security systems in the defense and private sectors, to "cyberwar", payment fraud, zero-day exploits and malicious code, trafficking (among other things), but also the protection of Internet freedom internationally (just a few unconvincing words on the matter, but they're there, in bold <http://europa.eu/rapid/press-release_IP-13-94_en.htm>!
And there is "open internet and online freedoms" in the title of the Commission's press release <http://europa.eu/rapid/press-release_IP-13-94_en.htm>!! If that's not a proof...).]

Both the press conference <https://www.youtube.com/watch?v=qYOIlT9hqPA> of commissioners Kroes, Malmström and Ashton and the documents released show two things: *the Commission is not taking freedom seriously in Internet policy, and it might be paving the way for the militarization of cyberspace.*

EC should start by getting the math right

The commissioners started off by presenting very *vague and inflated statistics about the cost of cybercrime* (several studies <http://www.commercialriskeurope.com/cre/1588/239/Report-rails-against-in...> have already made that point clear). From copyright to cybersecurity policy debates, bogus numbers remain, in this case to the benefit of the security and surveillance industry [1] <http://comments-on-eu-commissions-vague-cybersecurity-strategy-0#footnote2_9oip6ek>. This is classic, lobby-induced, pure *threat inflation* (on that note, see Brito & Watkins's 2011 article <http://mercatus.org/sites/default/files/publication/loving-cyber-bomb-dangers-threat-inflation-cybersecurity-policy_0.pdf>: /Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy/).

Then, the commissioners moved to the substance of the proposal. Things were not particularly clear, as the questions of the journalists sitting in the press room would later reveal. The few reporters in attendance had interesting questions, but sadly these were largely unrelated to the actual texts [2] <http://comments-on-eu-commissions-vague-cybersecurity-strategy-0#footnote2_9oip6ek>. They had apparently not been able to read the recent leaks of both texts by anonymous Brussels sources, released on the Internet last month (as I write, the documents officially released yesterday still cannot be found on the EU Commission website).
Going over the 60-plus pages of the proposed directive <http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-DRAFT-PROPOSAL.pdf> and the accompanying communication <http://www.wethenet.eu/wp-content/uploads/CYBERSECURITY-JOINT-COMMUNICATION.pdf>, it becomes clear that the EU cybersecurity strategy suffers from several flaws...

Towards a centralized network of cybersecurity authorities

The proposed "Network and Information Security" directive aims to set up a "*NIS network*" of "cybersecurity firemen", headed by the EU agency ENISA <https://en.wikipedia.org/wiki/European_Network_and_Information_Security_Agency> (created in 2004 and based in Athens). ENISA will lead a group of national counterparts (each Member State shall have its own NIS authority). For the most part, these already exist and are usually primarily in charge of *defense and military networks* (see this analysis <http://www.edri.org/edrigram/number11.1/cybersecurity-draft-directive-eu> by Prof. Ross Anderson, computer security researcher at Cambridge University, about how the proposal risks centralizing cybersecurity policy-making within the public sector).

This centralized network of /de facto/ cybersecurity policy-makers will operate *out of public scrutiny*, with the always-convenient excuse of handling "confidential information" (see recitals 17 and 18). Behind the scenes, these public authorities of course risk being *under the harmful influence of security vendors* and other "private sector providers", who will help push for the kind of fear-mongering displayed at the very beginning of the conference.

The new "data breach disclosure" obligations that made the headlines <http://www.zdnet.com/businesses-forced-to-admit-data-breaches-under-eu-cybersecurity-plan-7000010985/> /may/ be made public, at the entire discretion of NIS authorities. As Prof.
Anderson points out <http://www.lightbluetouchpaper.org/2013/02/08/eu-cyber-security-directive-considered-harmful/>:

"Whereas security-breach notification laws in the USA require firms to report breaches to affected citizens, articles 14 and 15 instead require breach notification to the 'competent authority'. Notification requirements can be changed later by order (14.5-7) and the 'competent authorities' only have to tell us if they determine it's in the 'public interest' (14.4)."

What is more, this NIS network will also be *absorbing a potentially enormous amount of information* (article 15.2) *from virtually all the significant players of the Internet* (among the many "market operators" concerned, see Annex IV), which in return will benefit from nice insurance premiums if they properly follow the recommendations on security practices and the standards imposed by the NIS authorities (elaborated how? Following what procedures or criteria? In the same vein, article 15.3 does not say much about the "*binding instructions* to market operators and public administrations" that NIS authorities will have the power to issue). Meanwhile, the EU Commission is given broad competency to impose "*standards* and/or technical specifications relevant to network and information security" (article 16).

The NIS network will work with Computer Emergency Response Teams (CERTs are official security expert teams that already exist, but will be beefed up under the proposed directive) and law enforcement agencies, especially Europol's brand-new EC3: the "European Cyber Crime Center" (watch this "cool" video <http://ec.europa.eu/avservices/video/player.cfm?ref=I075479> to get a sense of how hyped EC3 is)...

The strategy's missing players

This all could have been a little different. And better.
For instance, the Commission could have promoted a more *decentralized governance of cybersecurity*, insisting on *procedural safeguards* on how cybersecurity policy is made and conducted (at least general but tangible legal principles). Many people in many places today are doing a great job in ensuring the resiliency of the Internet (in the spirit of Prof. Zittrain's enlightening TED talk <http://www.ted.com/talks/jonathan_zittrain_the_web_is_a_random_act_of_kindness.html>). Many of them would probably have wanted actual *guarantees for broad participation in an /open/ policy forum* (guarantees enacted preferably not just as a nice gesture, but out of conviction that it is how you can best ensure trust and reliability in cybersecurity policy).

But these contributors to cybersecurity (in academia, in civil liberty organizations, in hackerspaces, etc.) are mostly kept out of the loop. And they have reasons to worry. Not only can they rightly question the competence of the EU executives in caring after the Internet. Actually, several state actors (including in the EU and US) are rather promoting "cyber-/in/security" (i.e. the trade of zero-day exploits ("Should the secretive hacker zero-day exploit market be regulated?"), attendance at trade fairs on Internet surveillance (Valentino-Devries, Jennifer, Julia Angwin and Steve Stecklow. 2011. "Document Trove Exposes Surveillance Methods", Wall Street Journal), etc.). They also have to bear <http://www.wired.com/threatlevel/2012/04/hacking-tools/> the risk of repression because of another proposed directive (directive 2010/0273 <http://parltrack.euwiki.org/dossier/2010/0273%28COD%29> on "combating attacks against information systems"), currently in first reading in the EU Parliament and which could criminalize <http://www.wired.com/threatlevel/2012/04/hacking-tools/> security researchers and white-hat hackers.
Trying to put some "net freedoms" flavor

The articles of the proposed directive on cybersecurity and the overall strategy bring *very little protection to the rights of Internet users*, and none to the decentralized architecture of the network (the text makes no mention of Net neutrality, for instance). It all comes down to a few reassuring lines:

- The directive makes a short reference to the EU *privacy* legislation (recitals 23, 37, 39 and article 5). This is a smart move, underlining that the EU is big on privacy (we'll see what comes out of the new data protection regulation <http://www.privacycampaign.eu/>...), and above all useful to differentiate the proposed EU directive from its infamous US cousin, the ill-fated Cyber Intelligence Sharing and Protection Act <https://duckduckgo.com/Cyber_Intelligence_Sharing_and_Protection_Act> (CISPA) [3] <https://ww-on-eu-commissions-vague-cybersecurity-strategy-0#footnote3_pi82d6q>.
- The cybersecurity communication released alongside the directive makes mention of the pompous NO DISCONNECT strategy <http://europa.eu/rapid/press-release_IP-11-1525_en.htm?locale=en>, announced in late 2011 by Neelie Kroes [4] <https://ws-on-eu-commissions-vague-cybersecurity-strategy-0#footnote4_p6b6an7>, and which has yet to achieve anything significant (see below).
- The Commission also announces the upcoming release of *international guidelines on freedom of expression* "offline and online" to assist its diplomacy.
- ... (There might be some other similar "net freedoms" overtones in there.)

Overall, these good words will do very, very little to put into practice the "Digital Freedom Strategy" report <http://www.marietjeschaake.eu/2012/12/european-parliament-endorses-first-ever-digital-freedom-strategy/> adopted by the EU Parliament in December 2012, or any of the policy proposals made by civil society and academia to better protect human rights online, both in the EU and globally.
In the meantime...

In the meantime, no /ad hoc/ and effective regulation exists for regulating the use of privacy-invasive technologies in network architectures [5] <https://won-eu-commissions-vague-cybersecurity-strategy-0#footnote5_2i8hl48>. And Net neutrality is officially <http://www.laquadrature.net/en/net-neutrality-neelie-kroes-yields-to-operator-pressure> abandoned as an actual regulatory objective by Neelie Kroes.

In the meantime, workshops and consultations are being organized in Brussels, while free speech NGOs are left suing "censorware" vendors before the... OECD (??!... yes, the OECD is not known to be an actual judicial authority, but at least they have some useful words put on paper against what these companies appear to have done (and still seem to be doing) in authoritarian regimes around the world. See the RSF press release <http://en.rsf.org/bahrein-human-rights-organisations-file-04-02-2013,44016.html>). There are also criminal charges brought in France for complicity in torture <http://www.edri.org/edrigram/number10.10/amesys-complicity-in-torture> against Amesys (later bought by BULL) for its former cooperation <http://online.wsj.com/article/SB10001424053111904199404576538721260166388.html> with Kaddhafi's political police. However, the trial is taking quite a long time; Amesys has been absorbed by BULL; the French government invests <http://reflets.info/qosmos-et-fsi-restons-optimistes-il-reste-quelques-dictatures-et-quelques-etats-policiers/> public money in BULL; and BULL thrives on defense and private-sector contracts, in France and abroad [6] <https://wwments-on-eu-commissions-vague-cybersecurity-strategy-0#footnote6_z5qyizd>.
It is also very hard to have any information on these companies' controversial activities, in spite of parliamentary requests to governments [7] <http://.net/en/comments-on-eu-commissions-vague-cybersecurity-strategy-0#footnote7_e4oubml>, or on whether and how they are being regulated under dual-use export <http://ec.europa.eu/trade/creating-opportunities/trade-topics/dual-use/> controls.

In the meantime, in an interview, the EC3 chief Troels Ørting lists <http://www.euractiv.com/infosociety/cybercrime-centre-work-fbi-us-se-news-516968> "hacktivism <https://en.wikipedia.org/wiki/Hacktivism>" as a cybersecurity threat alongside terrorist activities and extremism. This shows once again that high-ranking officials tend to overlook crucial policy distinctions in apprehending the "cybercrime" phenomenon, and in particular politically-motivated hacking and other forms of online civil disobedience.

After the Telecoms Package, after HADOPI, after SOPA/PIPA, after CISPA, after ACTA, after the WCIT, our dear democracies still don't seem to get it right. And so we are left watching our political system putting in much effort and spending lots of time on discussions that in the end deliver so little. *Repressive proposals keep coming. One after the other.* A significant "core" of policy-makers remains stuck in fear, and keeps refusing to put the protection of freedoms online onto the legislative agenda.

And so we're left with questions. Will more citizen pressure on Internet policy-making do the trick? Will the EU Parliament come to the rescue? Because this proposed NIS directive could use some serious improvement. A much more open discussion on cybersecurity policy is urgent.
----- End forwarded message -----

-- 
Eugen* Leitl <leitl> http://leitl.org
