Towards a values-based European foreign policy to cybersecurity

Marietje

This is an unedited version of an article that was originally published in the first issue of the Journal of Cyber Policy, Volume 1, Issue 1, January 2016, pages 75-84.

‘The internet changes everything’ is a buzz phrase that promises more rights and freedoms for people. That promise is hampered, however, by the various ways in which states seek to strengthen their national security or control their populations under the guise of ‘cybersecurity’ policies. In closed societies with authoritarian regimes such as China and Russia, people's opportunities for greater access to information and freedom of expression increasingly suffer from rigid ‘cybersecurity’ policies that treat the internet's infrastructure as an extension of the state. In open societies, the promise of a networked society that empowers individuals is hampered too, by the conflation of cybersecurity with national security. As a result, the space for a values-based approach to cybersecurity, which focuses on (1) preserving and promoting the security and integrity of the open internet, (2) encouraging restraint by governments that want to adopt national security policies which negatively affect the security of the internet's networks and (3) streamlining digital rights in its external policies, is wide open. The European Union has the opportunity to take a leadership position both at home and abroad if it develops a clear cybersecurity policy that incorporates people's rights and freedoms.

1. Instrumentalising cybersecurity to preserve government control over information

The inventor of the term ‘cyberspace’ – science fiction author William Gibson – stated early on that cyberspace was an ‘evocative and essentially meaningless’ buzzword. Although this still holds true, it is hard to avoid the term altogether. The European Union’s definition of ‘cybersecurity’ does make clear what is actually at stake in our view when we talk about ‘cybersecurity’: striving to preserve the availability and integrity of the networks and infrastructure of the internet and the confidentiality of the information contained therein. The EU increasingly tends to take a ‘human security’ approach to security matters, which puts the emphasis on people first as a priority throughout its policies. We are now at a crucial point in time to make sure that ‘human’ security and a truly robust effort to ensure trust and security are not undermined by short-term cybersecurity measures and laws. Too often cybersecurity becomes a blanket argument to justify restricting people’s rights.

‘Information security’ is no longer an uncontroversial term either. In January 2015, China, Russia and four Central Asian states submitted an updated version of their ‘International Code of Conduct for Information Security’ to the United Nations. This code of conduct does not understand ‘information security’ as defending information or data from unauthorised access, use or disclosure; rather, it focuses on protecting the sovereignty and national security of the state against the use of information and communication technologies. While the aim of these states is presumably to control the information that people exchange over the internet, the collateral impact on fundamental freedoms, especially freedom of expression, is significant.

The trend of instrumentalising cybersecurity to improve a government’s control over its people is widespread. States have realised the disruptive impact of information technologies and of the global internet. As a response, they seek to bring digital infrastructures and over-the-top services back under national control. As a result, the full potential of the open internet and of endless connectivity between people and information worldwide risks being lost. A recent report by Freedom House that assessed ‘internet freedom’ in 65 countries demonstrated that half of these countries have been on a downward trajectory since June 2014. State authorities have jailed more users for their online writings, while criminal and terrorist groups too have made public examples by targeting those who dared to expose their activities online. Freedom House found that a remarkable 47 of the 65 countries were involved in online censorship of criticism of various authorities, reports of corruption, political opposition websites from diaspora communities, satire, social commentary, blasphemy and campaigns for social or political action. In many cases, these countries do not rank high on other indexes indicating people’s rights and freedoms either.

Two countries stand out due to their geopolitical importance and their role as norm-setters and as the driving force behind initiating the International Code of Conduct for Information Security: China and Russia.

In recent years, the Chinese government has continued to pursue an ‘internet sovereignty’ strategy that aims to tighten control of the internet. China’s Vice Foreign Minister has stated that sovereignty in cyberspace rests on the idea that ‘national governments are entitled to making public policies for the internet based on their national conditions’. He added that no country shall use the internet ‘to interfere in other countries’ internal affairs or undermine other countries’ interests’. Managing information flows is therefore one of a country’s sovereign rights, according to the Chinese government. While many countries would oppose interference in their internal affairs from other countries, this sovereignty argument does not justify the management of information that Chinese citizens exchange among themselves. It seems that connectivity and openness are seen by more and more governments as a threat to their power. Such policies directly contradict the very nature of the open internet, which was designed without territorial borders in mind, to connect anyone to anyone else connected to the network. Rather than states ‘using’ the internet to undermine other countries’ interests, it is the open internet itself that apparently poses a threat to governments which seek to censor and control all information flows. In July 2015 the Chinese government adopted a new national security law that firmly cements the power of the state online. According to media reports, the law requires key internet and information systems to be ‘secure and controllable’ in order to protect national security. The latter term is so broadly defined that it would even cover ‘harmful cultural influences’ as a national security threat. This seems to extend the ‘national harmony’ doctrine which has been used as a pretext to stamp out different cultures that may challenge the central political leadership, from Tibet to East Turkestan.
A senior official at the National People’s Congress (NPC) said that the new law provided a legal foundation for ‘the management of internet activities on China’s territory and the resisting of activities that undermine China’s cyberspace security’. One week later China released a draft cybersecurity law that would further tighten control over the domestic internet, including by codifying the power to cut access during public security emergencies.

Given the interconnectivity that the open internet and the world wide web bring about, there is a mutual dependence between all those who are connected to this ecosystem. The actions of one state, of one private company, or even of one individual can have an impact on the entire network. The full potential of the internet as a network of networks is undermined by the restrictive actions of a few. When these restrictions are justified by claiming that they increase cybersecurity, it is essential to assess whether this claim is indeed justified. The collateral damage to people’s rights and to the potential of the entire ecosystem should be taken into account when measuring the real impact of cybersecurity policies. There is a risk that measures taken in the name of cybersecurity, such as data localisation, are also applied by states to achieve other goals. Besides giving states a top-down grip on people, some cybersecurity measures also foster protectionism. China’s Great Firewall continues to block certain domain names, including widely popular services such as Facebook and Twitter. China has intensified its crackdown on Virtual Private Networks that can be used to circumvent the Great Firewall. In the first six months of 2015, the government declared that it had deleted some 758,000 pieces of ‘illegal and criminal information’ from the internet. The Chinese government also employs more than two million people who monitor and censor social media discussions in real time. These policies do not only affect people in China. The government has also been active in various multilateral internet governance forums to promote its view of ‘internet sovereignty’, in which cybersecurity is first and foremost understood as protecting the sovereignty and national security of the state.
China has made two significant joint statements with the United States and the United Kingdom, in which the UK, the USA and China agreed ‘not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information with the intent of providing competitive advantage'. Significantly, both statements would not rule out cyberattacks or espionage activities for national security purposes. While it is understandable that the USA and the UK seek to work with China to develop rules of the road for the behaviour of countries in cyberspace, there is a real danger that increased cooperation in this area will come at the expense of people’s online freedoms. It is not too far-fetched to imagine a future deal in which putting a halt to Chinese hacking to steal intellectual property from UK and US firms comes at the price of a Chinese demand to stop the promotion, funding or other support of measures for circumventing or hacking the Great Firewall. Short-term interests tend to push principles off the table. Increasingly, companies whose business models flourish with maximum freedom of expression opt to abide by the law of the land in order to gain market access. Such choices also restrict the potential of a more horizontal enjoyment of freedoms and rights, which the open internet in principle can facilitate.

It is not only information flows that are the subject of political interference. The technical infrastructure of the net has become a domain for states and their powers too. In their recent book The Red Web, Andrei Soldatov and Irina Borogan demonstrate how the Russian government increasingly seeks to control the technical infrastructure of the internet in order to maintain power and control people and information. A number of measures illustrate how the online space for freedom of expression is shrinking in Russia as a result of this trend. A number of Russian intelligence agencies have the authority to block ‘content related to extremism’ without a court order. During its annexation of Crimea and the armed conflict in eastern Ukraine, Russia significantly expanded its blocking of online content related to the conflict in Ukraine and to anti-government protests. Freedom House reported that the lack of precise guidelines for evaluating the legality of content sometimes leads internet service providers (ISPs) to ‘carry out the widest blocking possible so as to avoid fines and threats to their licences’. Currently 262,991 websites ‘have been accidentally blocked due to blocking orders carried out on the basis of IP addresses’, since a single IP address typically hosts many unrelated sites. ISPs in Russia are forced to install SORM-3, which uses deep packet inspection technology to allow the security services to intercept and monitor content in real time on all telecommunications networks in Russia. This inspection of data packets gives the security services unlimited and unrestrained access to people’s communications, and centralised control switches make it possible to close down websites across all of Russia at the same time.

In September 2015 Russia’s data localisation law entered into force, requiring foreign internet companies to store the personal data of their Russian users within the country’s borders. In 2014 the law had been presented as a necessary security measure to protect against foreign threats and US spying. A new blogging law requires any person whose online presence draws more than 3000 daily readers to register with a governmental agency, Roskomnadzor, and to comply with mass media regulations that require bloggers to publish their names and contact details. The Washington Post quoted analysts who said that ‘the haphazard and seemingly personalised nature of the registration efforts may mean that Russia is not yet approaching a more total technical control of the internet, as is the case in China’. The combination of vague national security laws, forced registrations and data localisation laws is de facto forcing Russians to live in Russia as much digitally as physically. Instead of having access to the world wide web, they have access to an online environment that is only as wide as Russian law permits. In light of the heavy top-down control and information management that the Kremlin is seeking in the digital domain, the agreement between the USA and Russia on an Intellectual Property Rights (IPR) Action Plan to improve IPR protection and enforcement is questionable and risks legitimising Russia’s repressive policies online.

2. The cybersecurity negligence of open societies

If we shift our attention to the behaviour of governments in more open societies, two worrying patterns emerge: the private sector domination of cybersecurity and the weakening of cybersecurity for national security purposes.

The knowledge about operating and securing data systems, software and networks is overwhelmingly in the hands of private ‘cybersecurity’ companies, which governments use to protect themselves against ‘cyberattacks’ and their citizens against various forms of cybercrime. The DigiNotar scandal illustrates why this two-fold dependency on private companies leads to serious concerns. The Dutch government relied on DigiNotar, a private company, to provide the digital certificates for most of the electronic services it offered, including the sites used for all online tax returns filed in the Netherlands. After the company’s infrastructure had been breached – allegedly by a Western democratic state – fraudulent certificates were issued for hundreds of popular websites, which could be used to launch man-in-the-middle attacks, since browsers trusted every certificate DigiNotar signed. An investigation by another private company provided evidence that the false certificates were used to monitor the communications of approximately 300,000 internet users in Iran. After the attack, the company did not report the incident immediately, thereby jeopardising the security and privacy not only of Dutch internet users but of millions of other internet users across the globe. How wise is a situation in which the security of our online communications depends on a cybersecurity company whose most critical servers contained malicious software that should have been detected by ordinary anti-virus software? Outsourcing our online security to private actors without clear oversight and control regimes amounts to negligence. This is not to say that governmental agencies have a better track record in due diligence. The hack of the United States' Office of Personnel Management (OPM) affected approximately 21.5 million people who had undergone background checks for security clearance. Yet no governmental agency has taken responsibility for properly securing OPM’s database.

Besides the privatisation of cybersecurity, we can witness another worrying trend in open societies. A wide range of real and perceived national security threats has resulted in new efforts to maintain and expand large-scale data collection programmes, both in the USA and in European Member States. The revelations that the US placed ‘upstream’ interception equipment directly on the internet backbone in order to monitor internet traffic have led to serious privacy and freedom of speech concerns. In March 2015 a broad group of organisations, including Wikimedia, the conservative Rutherford Institute, The Nation magazine, Human Rights Watch and the National Association of Criminal Defense Lawyers, sued the US government, arguing that this type of surveillance ‘interferes with their abilities to do their jobs by violating the confidentiality of their communications and by making it more difficult to obtain crucial information from contacts and sources who communicate with them, often at significant personal risk’.

In Europe, the use of social media as a recruitment and propaganda tool by Daesh, the threat of returned foreign fighters from Syria and the terrorist attacks on Charlie Hebdo have created a new momentum for European governments to actively adopt laws that prioritise national security over cybersecurity. France adopted a sweeping new surveillance law in the summer of 2015 which requires telecommunications carriers and providers to install so-called ‘black boxes’, which would allow the French intelligence agencies to collect and analyse all traffic data. This analysis is done using algorithms designed to detect suspicious patterns of behaviour. The Netherlands, Belgium and Finland are contemplating laws to allow access to internet cable traffic passing through their respective territories, which are similar to the upstream programmes of the USA and the UK.

Partly as a result of this trend, tech companies have increasingly promised to implement end-to-end encryption in their products, which has led to a second ‘cryptowar’ between Silicon Valley companies and Western governments, especially the UK and the USA. In the view of these governments, end-to-end encryption results in intelligence and law enforcement agencies ‘going dark’, depriving them of the opportunity to monitor the communications of criminals and terrorists. To preserve their investigative capabilities, these services are asking for special access to encrypted communications. However, cryptography and security researchers argue that any form of exceptional access would make our communications infrastructure vulnerable to attack at its core: an access mechanism built into the system is available to whoever obtains the key, not only to the government it was built for. A company cannot provide special access to one government and oppose special access for others, who can use it for their own domestic goals. Work for one, work for all. Here too, national security policies neglect the collective security of the web. As a leading group of US cryptographers and information security researchers has stated:

The complexity of today’s internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard-to-detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally-deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.
One of the key aims of internet governance should therefore be to strengthen the technology upon which the internet depends. Governments cannot seek to create backdoors to access data if doing so would make the internet less secure. Companies that store or transmit consumer data should assume greater responsibility for illegal intrusion, damage or destruction. And efforts by the internet’s technical custodians to incorporate human-rights-enhancing solutions in standards and protocols, especially end-to-end data encryption, should be encouraged. End-to-end encryption does not make the lives of law enforcement and intelligence officials easier, but at the same time we have to realise that in other areas, law enforcement and intelligence agencies have never had more access to new types of data, such as location data and other metadata.

When we talk about cybersecurity, or even security in general, it is important to know what it is we seek to defend: digital freedoms and our open societies. In a major policy speech in 2010, the then US Secretary of State Hillary Clinton highlighted internet freedom as a core issue of her foreign policy agenda. She argued that there was a need for a fifth freedom, on top of Franklin Roosevelt’s famous Four Freedoms, namely the freedom to connect – ‘the idea that governments should not prevent people from connecting to the internet, to websites, or to each other. The Freedom to Connect is like the freedom of assembly, only in cyberspace’. Taking the freedom to connect to its logical conclusion supports encryption, since it enables individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserves strong protection. The cybersecurity negligence of open societies has profound implications for the international credibility of any Western internet freedom strategy. In Russia and China, the Snowden revelations were seen as proof that the US hacks into Chinese and Russian companies, which in their view justifies restrictive laws that force companies to host data about Chinese or Russian users within China or Russia. European trust in the USA and its tech companies has been hit hard as well. The recent Safe Harbour judgment of the Court of Justice of the European Union put an end to easy data transfers between American and European companies, creating legal uncertainty for small and medium-sized companies that relied on the Safe Harbour Agreement to transfer their data. Meanwhile, countries such as Germany and Brazil are taking steps to ensure that their data traffic circumvents US territory.

3. Towards a values-based European foreign policy to cybersecurity: a call for EU action

The trends towards increased top-down control of the internet and the negligence in cybersecurity have only negative effects: on the security of the web as a whole, on our trust in each other, and on the foundations of our digital economies. The EU has a unique opportunity to fill the void that open societies have created by prioritising national security over cybersecurity and internet freedoms. The EU’s competences do not include national security issues, but it is responsible for the creation of a safe digital single market, where users can trust e-commerce services, and have access to all relevant information without any form of censorship. The EU can have an important role in preventing the Balkanisation of the internet and should further coordinate joint actions between EU member states. It should actively defend the security of the open internet in multilateral forums, and urge its member states to show restraint when national security policies threaten the collective security of the web.

The EU already has a cyber-security strategy, and the five principles that should guide it tick all the right boxes: (1) applying the EU’s core values as much in the digital as in the physical world; (2) protecting fundamental rights, including freedom of expression and the right to privacy; (3) striving for unlimited access-for-all to the internet and the free flow of information; (4) reaffirming the multi-stakeholder approach to internet governance and – most importantly – (5) ensuring a coordinated response to strengthen cybersecurity. The EU wants to ‘safeguard an online environment providing the highest possible freedom and security for the benefit of everyone’. However, the strategic priorities and actions lack focus, and their concrete implementation – especially in its international dimension – is not very advanced. It is time for the EU to finally develop an overarching international cybersecurity policy.

A number of proposed norms formulated by the UN Group of Governmental Experts should be actively promoted by the EU in multilateral forums, because they can be seen as measures of self-restraint during peacetime and stress the importance of cybersecurity as opposed to short-term policies that focus on national security: (1) states should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure or the information systems of CERTs; (2) states should not use CERTs to engage in malicious activities; (3) states should take steps to ensure supply chain security, and should seek to prevent the proliferation of malicious ICT tools and the use of harmful hidden functions; (4) states should respect the relevant resolutions of the UN Human Rights Council and the UN General Assembly on human rights on the internet and on the right to privacy in the digital age; and finally (5) states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.

These UN norms provide a basis on which the EU can build a strong values-based approach to cybersecurity. The focus on the independent role of CERTs is a strong indication that states at least acknowledge, on a diplomatic level, that there needs to be a clear separation between those who are responsible for national security and those who are responsible for internet security. The EU is in a unique position to argue in international forums – including, but not limited to, internet governance forums – that the internet’s core infrastructure should be a neutral zone in which governments pursuing their national interests are prohibited from interfering. An important report from the Netherlands Scientific Council for Government Policy argues the following:

It is imperative for the future of internet governance to determine which part of the internet should be regarded as a global public good – and thus safeguarded from improper interference – and which part should be seen as the legitimate domain of national states, where they can stake a claim and take up their role without harming the infrastructure of the internet itself.
The EU has grappled with these kinds of questions before and is well placed to put this point on the agenda over the coming years.

Another element of the EU’s ‘international cyber policy’ is to promote ‘cyberspace as an area of freedom and fundamental rights’, including by ‘promoting corporate social responsibility’. It is time to turn these vague words into concrete actions.

There is a clear connection between cybersecurity risks and human rights violations as the market in ready-made surveillance and intrusion technologies is largely unregulated. This is remarkable for a retail market which was estimated in 2011 to have a value of around $5 billion a year. Many media reports over the past five years have demonstrated how various regimes have bought ready-made surveillance systems to spy upon journalists, human rights activists or other citizens. These ready-made systems are actively marketed and sold to government actors with dubious human rights records, often on the basis of contracts which include significant after-sales technical support such as software updates or troubleshooting.

Allowing the unregulated use of these systems also risks facilitating corporate espionage, data breaches and attacks on critical infrastructure. James Clapper, Director of National Intelligence warned in 2013 that "a handful of commercial companies sell computer intrusion kits on the open market. These hardware and software packages can give governments and cybercriminals the capability to steal, manipulate, or delete information on targeted systems. Even more companies develop and sell professional-quality technologies to support cyber operations – often branding these tools as lawful-intercept or defensive security research products. Foreign governments already use some of these tools to target US systems". The European Parliament has been very active in trying to increase the oversight and accountability of those companies which market and sell these surveillance systems across the world. The core idea is the following: European companies that are planning to sell certain surveillance systems outside a well-defined group of countries will need to ask for a licence from their local government; the appropriate export authority would then evaluate the human rights and security risks involved in such a sale before approving or denying it. If one export authority from a European Member State refuses to hand out such a licence, other EU Member States should do the same. In order to create a level playing field, the European Commission should set up and provide ‘know your customer’ guidelines on the basis of the UN’s ‘Guiding Principles on Business and Human Rights’ that help companies to assess whether their goods may be used for internal repression or human rights abuses. These guidelines can consist of a checklist of ‘flagging criteria’ that could indicate potentially suspicious transactions. On this basis, companies and export control authorities can assess the likelihood of their products being used to violate human rights before the sale is completed. 
If we don’t tackle this issue head on, the EU’s credibility as a foreign policy actor will be severely damaged. We cannot criticise human rights violations in countries like Sudan or Uzbekistan while allowing European companies to sell the same technologies that enable those human rights violations in the first place. Similarly, allowing the unregulated sales of systems used to undermine the EU’s security and interests is irresponsible.

The EU has a responsibility to position itself as a firm defender of digital freedom and ‘real’ cybersecurity. It should adopt policies that endorse restraint at Member State level, while defending the open internet and digital freedom in its foreign policy. The mutual dependence between various actors of the internet ecosystem must be an integral part of internet governance policies. Without unambiguous leadership to defend the open internet, there soon might be nothing left to lose. The promise of a networked society that empowers individuals and respects and protects fundamental rights online is threatened by governments that want to increase their control over the internet at the expense of the security of its networks and services. If government legislators keep seeing cybersecurity predominantly as a national security issue, we risk losing the open internet as we know it today.