Europe’s cyber problem by Camino Mortera-Martinez
Cyber has become a buzzword in Europe. Just as both the migration crisis and the terrorist threat seem to have abated, a series of high profile cyber attacks in 2017, allegedly from both state and non-state actors, struck targets including national health systems, banks and electoral campaigns. These attacks have raised big questions about the European Union’s attitude towards cyber security and its ability to deal with security breaches. The increasing incidence of online crime and the aggressive cyber tactics of countries like Russia and North Korea mean the bloc must raise its game in this area. The EU’s cyber security plans cover three different things: cyber crimes (like child pornography or online fraud); cyber attacks (like disrupting a city’s transport network); and disinformation campaigns. Cyber crimes and cyber attacks sometimes overlap – like the ‘Wannacry’ ransomware attack attributed to North Korea, which blocked computers at large private companies and national service providers like the UK’s National Health Service. All three cyber threats can come from both state and non-state actors. Russia was allegedly behind a major cyber attack in 2017 (‘NotPetya’). Russian nationals have been indicted for meddling in the 2016 US presidential election. Drug dealers and other criminals make extensive use of the darkweb – websites which conceal users’ identities. Terrorists are also using the internet to wage their own online jihad. The EU has done well in dealing with more traditional cyber crimes, like identity theft. A
2013 directive harmonised national laws and penalties for cyber crimes and the EU will approve rules to tackle online fraud later this year. But obtaining digital evidence in cross-border cases is still difficult: member-states struggle to gain quick access to information stored in another EU country. This is even more problematic when evidence sits outside Europe. US tech companies like Facebook or Microsoft receive an average of 100,000 direct requests per year from EU governments. There is no law governing such requests so the whole system works on the assumption that internet companies will simply hand over information to law enforcement authorities. Such requests put firms in a difficult position, because they are also required to protect their customers’ privacy. This legal gap has already caused problems on both sides of the Atlantic. The US government is sueing Microsoft, which has refused to provide evidence stored on a server located in Ireland.