In April, the Commissioner for the Security Union, Julian King, presented a strategy to address the cyber threat to digital democracies.
As vulnerability to cyber threat attacks increases, it also continues to evolve. The motives behind such attacks manifest in a variety of ways – shifting from financial to political motivations. As a result, cyber attacks can be used to undermine institutions and authorities, facilitate the distribution of disinformation, and thereby destabilise elections across the globe. In April, the Centre for European Policy Studies (CEPS) hosted a discussion on the topic, ‘How to tackle the threats to digital democracies’, where the Commissioner for the Security Union, Julian King, presented his strategy to address the cyber threat to digital democracies.
A lynchpin to our societies
“The internet has become central to our daily lives in a way that we still sometimes don’t fully recognise. Almost every area of society, whether public or private, relies to some extent on the internet, computers and online data,” King said. Transport infrastructure, hospitals, and businesses all rely upon the advantageous features which the digital revolution enables, meaning that the cyber threat to digital democracies extends far beyond computers and phones but encompasses the social lives of many, as well as the way in which we navigate around cities.
In light of this, the commissioner outlined the more negative results of digital dependence: “Dependence breeds vulnerability. The digital world carries significant potential to do good, but also harm. We are only now starting to wise up to how much.” In 2017, both the Wannacry and NotPetya cyber attacks raised awareness of the reality of cyber attacks and the damage of which they are capable. King added: “The threat posed by cyber is no longer seen as vague, speculative or far-off. Cyber attacks and manipulation have become part of our daily lives and there is a greater appreciation of their impact, with a dramatic increase in the use of cyber means, including in the form of politically motivated, cyber-enabled threats.”
Assessing the scale of cyber threats
It is estimated that Europe faces up to 4,000 ransomware attacks per day; in 2017, cybercrime cost consumers $172bn (~€141.3bn). “We are still coming to terms with the potential political impact of attacks and manipulation intended to subvert our democratic processes and values and turn them against us. These consist of everything from hijacking online petitions, to hacking electoral servers, to the deliberate spreading of disinformation and fake news,” King explained. As a result, there is a call for the EU to take action through two means:
- Addressing traditional cyber threats to systems and data; and
- Shutting down areas where cyber-enabled threats, such as fake news, are allowed to manipulate behaviour.
- In September 2017, the European Commission published a package of proposals which sought to address the cyber threat to digital democracies by strengthening the three pillars of cyber security: resilience; deterrence; and defence.
Pioneering the protection of Europe’s digital sphere
In its role to improve cyber defence, King explained that the European Commission will “be responsible for establishing and running an EU-wide cybersecurity standards and certification framework to ensure that products and services meet the highest standards of cybersecurity.” The EU Directive on the security of Networks and Information Systems – the NIS Directive – was implemented in May, and ensures operators of crucial systems assess potential risks, prepare a strategy for these, and adequately protect their systems.
King detailed the commission’s philosophy: “We are prioritising ‘security by design’ to ensure that protection is built into our connected devices. Making us more resilient also means making sure the EU retains and develops essential capabilities to secure its digital economy, infrastructure, society and democracy. Above all, as the private sector is responsible for so much of cyber space, we need to reinforce public-private co-operation.”
Cybersecurity and the digital skills gap
By 2022, the skills gap in the field of cybersecurity is expected to reach 350,000 people, which means there will be insufficient security experts to prevent the cyber threat to digital democracies. As a result, the commission is invested in conducting research in order to stay ahead of those cyber criminals looking to attack. In order to increase deterrence efforts, adequate detection, traceability, investigation and prosecution are integral. The commissioner explained: “We want law enforcement to have the tools they need to tackle online crime. As part of these efforts, we will shortly publish proposals to make it easier for law enforcement to access electronic evidence, which is often in a different jurisdiction or in the cloud.”
An ever evolving threat
Despite the measures taken to ensure protection in the digital sphere, cyber threats are ever evolving; “But as the threat evolves, so too must our response,” King furthered. In order to ensure adaptability, the resilience of societies to cyber-enabled behaviour is essential. As a result, this could mitigate the problems caused by fake news and leaked documents, which have been used to manipulate thinking amongst the public and undermine democratic processes. “We need to avoid being caught unawares – no longer can we be happy simply to trust the news and facts served up to us at the click of a mouse.”
Although the commission realises that disinformation is not a revolutionary new technique, the capabilities of the digital sphere are facilitating it at hastened speeds, on an ever larger scale. The use of disinformation is therefore a vital cyber threat to digital democracies. King said: “A wide range of malicious actors face us, be it private individuals, companies, non-state or state actors, and they are developing and sharpening new ways of increasing the reach and impact of their messages.”
Executing the appropriate action
In order to address the issue of cybersecurity attacks, safeguards are required immediately in order to prevent misuse on social media, and other technology services and tools that are used for social communication and inform us on current discussions. King welcomed the opportunity to collaborate with the Commissioner for Digital Economy and Society, Mariya Gabriel, who will be overseeing the implementation of such measures.
This work is already underway, he continued: “In a report to Commissioner Gabriel last month, the High-Level Expert Group on Fake News and Disinformation Spread Online suggested that online platforms and social media should sign up to a voluntary code of principles and good practice.” Moreover, the group highlighted the need to improve the curation and distribution of news, effectively safeguarding both the diversity and sustainability of media across Europe and, in turn, empowering journalists and consumers to address disinformation.
What can be done now?
“What might be called the ‘Cambridge Analytica technique’ – the use of mined user data to target information, playing on fears and amplifying prejudices – is simply not acceptable. Although widely used for marketing and commercial purposes, it takes on an altogether darker character in the context of democratic processes and elections,” King said. In the commission’s view, greater transparency is needed in relation to both the role and impact of algorithms in order to address this.
This will help to avoid the ‘Cambridge Analytica effect’, as well as ‘algorithmic confinement’, whereby those vulnerable to certain discourse are over-exposed, which is of a particular concern in relation to extremist and terrorist content online.
Eliminating the platforms for terrorist content
In terms of the latter concern, the commissioner added that efforts are already underway: “We already work with internet platforms on a range of issues, such as the timely removal of online terrorist content, and experience tells us the quickest way to make significant progress on disinformation would be to base our joint work with the platforms on strong voluntary co-operation, linked to clear performance indicators and metrics.
“But, at the same time – and again, as with online terrorist content – if such an approach does not deliver, we should be ready to consider a more direct and binding approach.” The introduction of enforcement mechanisms could prove vital to efforts to combat the growing cyber threat to digital democracies
Ensuring the delivery of concrete action
In order to ensure that the EU delivers on these issues, a clear game plan and concrete measures will deliver results, whilst offering reassurance to the public and building confidence prior to elections. The commissioner concluded: “I believe we can help member states, who are ultimately responsible for electoral security, by supporting their work at EU level; for example, by defining concrete guidelines for authorities, the media and online platforms.
“It is high time for a full and open debate on the challenges of a digital public sphere in the age of the algorithm. For too long there has been a sense that it is just not possible to create more accountability, transparency and traceability online, without falling into the trap of censorship.” Yet, owing to recent events, a new focus is crucial in order to identify what can and will be done in order to eliminate such threats throughout Europe.