The Future Shape of European Security

Published on 17th May 2017

The role which I hold as the first Security Union Commissioner – a post created by President Juncker last year - sends a very clear signal that the threats we face to our common security – and which range from terrorism through organised crime to cyber threats – require a response which corresponds to their growing dimensions. It is not alarmist to say that the lives of all of us our touched by these threats on a daily basis.

What I would like to share with you are my views on how the European Union can adapt to prevent, survive and fight back against threats in a rapidly changing world.

Let me first tell you where we stand today. Essentially we are working on two fronts: First, closing down the space in which terrorists and criminals and cyber criminals operate and denying them the means - money, munitions, movement. That includes working on preventing terrorism, countering radicalisation and increasing cyber security. Second, building our resilience: strengthening our information systems by closing information gaps and making them more joined up and strengthening critical infrastructure, particularly our transport, energy and cyber security.

Over the last couple of years we've made a lot of progress – but during the same period we've seen a significant increase in the level of threats we are facing. As we look across this shifting pattern of threats there is a red thread running through them that I want to talk about this evening – and that is cyber.

The people who want to do us harm – and they include crime bosses, terrorist organisations like Da'esh and state actors employing hybrid techniques to influence and undermine our institutions – are all bending the internet more and more to their will. But my hunch is that we are at a tipping point – perhaps the moment has already passed, undiscerned, where the common goods and wealth we've come to accept as cascading from the internet are matched and threatened by the multiple risks it presents through its position as a vast, borderless, unregulated space.

I don't wish to sound like some 21st century Luddite – the internet has been and remains an epoch-changing event in society's evolution. But we must now double down on complacency before the actual and potential threats which it poses become reality.

Let me give a few examples of how the internet is forcing us to change our security focus. Last week Damon Smith was convicted at the Old Bailey of trying to explode a rucksack bomb on the London Underground. Smith built the device with shrapnel and a £2 clock from Tesco after Googling an al-Qaeda article on bomb-making. He was still a teenager, evidently a troubled soul, at the time of his failed attack.

But the consequences, had his device exploded, are too horrific to contemplate. In fact we don’t have to imagine those consequences, because only a few weeks earlier a bomb on the St Petersburg metro killed 14 people.

In Smith's case, even Da'esh did not have the temerity to claim him as one of their "soldiers" – and the police did not charge him under anti-terrorism offences because they said there was insufficient evidence of a political motive. But in every other aspect, this young man's actions were in imitation of examples posted on the web, instruction manuals and twisted campaigns disseminated in the digital world.

Terrorist groups such as Da’esh have devoted huge amounts of time and effort to churning out online material at an alarming rate. This material includes threats and hate speech, training manuals, advice on how to obtain and import weapons, instructions on how make bombs and how to kill, and elaborate footage showing the most brutal and the most sickening torture and execution of their victims. Our youngest, most vulnerable citizens – particularly the disaffected or those who feel alienated – are susceptible to be tempted by such messages of violence.

Given that the internet is such fertile terrain for radicalisation, we need the cooperation of social media and internet providers to help to detect those being radicalised in their bedrooms. We have set up the EU Internet Forum to ensure that illegal content, promoting Da'esh for example, is taken down by internet companies. The Internet Referral Unit at Europol has referred tens of thousands of posts to internet companies and enjoys a higher than 80% take-down rate. Indeed, the growing success of this approach is such that there is now evidence that Da'esh is developing its own social media platform – its own part of the internet to run its agenda.

Turning to serious and organised crime, I think we are again at a tipping point where the old stereotypes of smash-and-grab, stocking-wearing bankrobbers will only exist - if at all - as avatars for the real raiders working on their laptops from the poolside in sunny foreign resorts. Robbing a bank has never in history been such an un-kinetic activity.

Europol's SOCTA report, which I had the pleasure of helping to launch in The Hague two months ago, warns that the rate of technological innovation and the ability of organised criminals to adapt these technologies to their purposes are increasing steadily and swiftly.

Developments such as the emergence of the online trade in illicit goods and services are set to result in significant shifts in criminal markets and confront law enforcement authorities with new challenges. What was once the preserve of the geek is now the modus operandi of the crook.

Drone technology, for instance, allows drugs traffickers to avoid borders and frontiers – walls are no obstacle to them. Social media is a gift to breaking and entering, with organised gangs monitoring the routines and holiday plans of target victims in their selected neighbourhoods.

And data, of course, has become a key commodity for criminals: increasing internet connectivity by citizens, businesses and the public sector, along with the exponentially growing number of connected devices and sensors as part of the Internet of Things will create new opportunities for criminals.

Last month Peter Yuryevich Levashov was arrested in Barcelona while on holiday with his family. Arrested on a US warrant executed by Spanish police, this Russian citizen, a resident of St Petersburg, is the creator of the Kelihos botnet which, since 2010, has infected possibly more than a hundred thousand computers worldwide. The Kelihos botnet has distributed hundreds of millions of spam emails, intercepted details of financial accounts and installed malicious software. And Kelihos is only the tip of the iceberg.

But taking down Kelihos and apprehending Mr Levashov required months of painstaking forensic work, close international cooperation between a host of law-enforcement agencies – and crucially the first use by the FBI of a law which authorises powerful search warrants to investigate cybercrime no matter where infected computers might be physically located. For its sheer complexity, this was the wake-up call for those yet to acknowledge the global scale posed by cyber criminals working across borders and territories.

Finally, let me talk for a moment about cyber threats to our democratic institutions. 36 hours before the French Presidential elections the political party and campaign nerve centre of the eventual winner, Emmanuel Macron – President Macron – was hit by a massive and coordinated hacking attack. The clear intention was to influence the outcome of the ballot. It failed – and in no small part due to the fact that President Macron's team was ready and prepared. In fact, they fought back.

When staff members received fake emails leading them to log-in pages hackers could use to record keystrokes – the classic phishing strategy to infiltrate a network - Macron’s digital team flooded those landing pages with fake passwords and other data, confusing the hackers and making it virtually impossible to gain access to the campaign’s emails. In the end, with perseverance and increased resources, the hackers succeeded in breaching the defences.

But by then it was too late, because France restricts all election campaigning, reporting and polling two days before the vote. And Macron's team mitigated the damage even further by immediately announcing what had happened – news which went global. This is proof that our adversaries waging information warfare in the shadows can be defeated by early warning and rapid exposure.

The circumstances of the attack are now the subject of a French criminal investigation but the finger has already been pointed at Russia. An adviser to the incoming president warned: “We will have a doctrine of retaliation when it comes to Russian cyberattacks or any other kind of attacks."

Another member of his team suggested a link between the attack and that suffered last year by the United States Democratic Party before the Presidential election.

I am not in the business of attribution – but I do listen to what our intelligence services, here in the UK and in other Member States, are saying. And I'm also aware of the constant attacks made against the European Commission – including a massive and coordinated attack made in three waves over two days last year, which our IT services successfully repelled.

We've seen the threat from state and non-state actors evolve from a situation a decade ago where cyber-attacks were used as a form of punishment – against Estonia in 2007 for moving a statue – through cyber as a non-military means of achieving a military objective – the 2010 Stuxnet attack on the Iranian nuclear enrichment programme - to one where they are used in Death Star-style demonstrations of power – the 2016 closing down of Ukraine's power grid.

The hackers may have failed with their French adventure but they haven't gone away.

There are elections across Europe: the French parliamentary elections and German elections in the autumn, to mention just some. This is perhaps the most challenging of all the cyber threats which I have discussed this evening – the ability and intent to disrupt and undermine our hard-won democracy. We need to be ready.

Taken together these different dimensions suggest our societies' dependence on connected technology is increasing faster than our ability to build defensive capabilities to protect it. Not only are we facing new cyber threats, but the threat surface – the exposure to existing threats – has also increased exponentially.

In the face of this threat we need to reduce the likelihood of cyber attacks and reduce the impact of cyber attacks when they happen. And we need to move beyond an approach based on Prevention to one that also encompasses Detection and Deterrence.

We also have to change our behaviour. This goes for you and me as individuals, for businesses and for public authorities. It is an often quoted – and therefore widely ignored – statistic that 80% of cyber attacks can be defeated by 20 simple actions.

Fighting cybercrime effectively requires more active cooperation across communities, from law enforcement to cybersecurity authorities and the private sector which owns and operates more than 90% of the infrastructure.

We need to improve criminal justice in cyberspace with a focus on cross-border access to electronic evidence. We also need to reflect on the role of encryption in criminal investigations. The new common thread between all of the security threats we face is cyber.

Our adversaries have a head start on us so our response to threats must be comprehensive and multi-faceted: not only strengthening resilience against cyberattacks, but also strengthening the fight against, detection and prosecution of those using cyber against us. And, of course, as you'd expect me to say sitting here this evening in the Royal Institute of International Affairs, the response needs to be rooted in international cooperation.

I hope that the UK will continue to be actively engaged, albeit from outside the EU, because when we stand together against these shared threats, we are better armed to resist and defeat them.

By Julian King

European Commissioner for the Security Union.

This article has been read 1,726 times