On 14 May 2018, the conference "Hybrid Threats – Networked Responses", organised by the German Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, BfV), took place in Berlin. Among the speakers was Julian King, European Commissioner for the Security Union. We publish his speech in full.
* * *
Commissioner King’s remarks at the Symposium of the German Domestic Intelligence Service on Hybrid Threats
14 May 2018
_______________________________________________________________________________________________
Thanks for the invitation and the opportunity to discuss one of the most complex challenges facing us in the field of security.
Hybrid threats refer to a mixture of methods employed by hostile actors, both state and non-state, to achieve their goals without crossing the threshold of formally-declared warfare. By definition, and in practice, this includes cyber, and I’m going to focus mostly today on the cyber dimension.
Indeed, the digital world we now live in offers myriad new opportunities; but it also throws up new kinds of threat. Indeed, cyber-enabled attacks, a key component of hybrid threats, are easy to perpetrate and can be unprecedented in their reach, devastating in their effectiveness and extremely difficult to trace or attribute with any degree of certainty.
Those who seek to attack us have no respect for borders. They can operate from a safe distance, from a neighbouring country or even continent, and can attack multiple targets simultaneously.
Meeting this challenge requires cooperation – across sectors, public and private, across countries, across Europe, and internationally.
At the European level, we started to grapple with this challenge four years ago. Our 2013 Cyber Security Strategy, updated and broadened in 2017, was the starting point. The 2015 Network Information Systems Directive and the 2016 Communication on Hybrid Threats took the thinking further.
Together these proposals were designed to raise awareness, build resilience, prevent and respond to crises, and step up cooperation between the EU and partner organisations.
And a lot of good things have been done as a result – the EU Hybrid Fusion Cell was established in 2016 to provide detailed analysis on hybrid threats. Last year Finland launched the European Centre for Countering Hybrid Threats to encourage strategic dialogue and conduct research. We have also built better links with NATO, establishing a common set of 42 proposals to implement the seven areas of cooperation outlined in the EU-NATO Joint Declaration.
But two years is an awfully long time when it comes to cyber and hybrid. We have seen the threats develop in ways that we didn’t imagine at the time. Some elements of science fiction have become fact.
Two years ago also happens to be when Russia reaffirmed their military doctrine, setting out publicly their use of cyber and hybrid means. I think it’s safe to say that they are delivering on their promises.
And the attack surface has continued to grow. Almost every area of society, whether public or private, relies to some extent on the internet, computers and online data. From transport infrastructure and hospitals to businesses of all sizes, we depend on the benefits which flow from this digital revolution. And it’s not just computers and phones that are connected – the news we read, the social lives we lead, our politics, are all shaped by the internet.
Such dependence breeds vulnerability, which can in turn be exploited by those with the means. The digital world carries significant potential to do good but also harm. We are only now starting to wise up to how much.
Indeed, 2017 was arguably the year when the public lost its cyber innocence. The WannaCry and NotPetya attacks provided a wake-up call. The Cambridge Analytica revelations raised public awareness about another challenge: social media tools turbocharged for behavioural manipulation and disinformation.
When the main source of such manipulative disinformation was Pravda, it was possible to counter. What makes the 21st century equivalent harder to combat is that often the disinformation can come from trusted channels – when your favourite news feed suggests something for you to read, for example.
For too long we have perhaps been a little naïve about the challenge. But that naivety is disappearing fast. There is a growing public recognition of the dangers posed by the dark side of our digital world.
One example is the possibility to create deep fake videos. What started out as clever trickery to resurrect late actors in much-loved franchises – think Peter Cushing being digitally reborn in a recent Star Wars film – is now rapidly being turned into a deadly Weapon of Mass Disinformation.
That is what is facing us on today’s hybrid threat front line – the fight against a new kind of WMDs.
So what have we been doing at the European level to counter this threat? Last year the Commission brought forward a comprehensive package of proposals to reinforce our collective cybersecurity based around three pillars of resilience, deterrence, and international cooperation and defence.
First, we urgently need to become more resilient. We must make ourselves harder to attack, and be quicker to respond.
The mandate of the existing EU Network and Information Security Agency (ENISA) will be strengthened to transform it into a genuine European Cybersecurity Agency, making it a more effective partner for national cyber agencies and for Europol.
It will also be responsible for establishing and running an EU-wide cybersecurity standards and certification framework to ensure that products and services meet the highest standards of cybersecurity.
We need to promote “security by design” to avoid a potentially disastrous situation where connected devices have little or no security protection built into them – especially with billions more such devices expected to come onto the market.
Making ourselves more resilient also means having the right skills and technological capacities.
Europe faces a “cyber security skills gap” currently estimated to reach 350,000 people by 2022. Having this skills base is central to effective resilience, and so we need to mainstream and prioritise cyber in education and training.
We also need to invest in research to stay ahead of those looking to attack us. Currently, we have a cybersecurity public-private partnership in place with EU research funds which will trigger 1.8 billion euros in investment by 2020. This is a good start but we need to complement and continue that work – not least because the US invests $19 billion a year in security research.
We therefore need to make sure that the EU retains and develops essential capabilities to secure its digital economy, infrastructures, society and democracy. To achieve that, we are proposing to create a pan-European cybersecurity competence network to reinforce capabilities, so that European players are not left over reliant on critical technologies from outside the EU.
As well as resilience, we also need to create real and credible disincentives for those who might contemplate attacking us – be they criminals or hostile state or non-state actors. Simply put, that means dramatically increasing the chances of getting caught and attaching severe penalties to committing such acts.
Credible deterrence encompasses effective detection, traceability, investigation and prosecution. There are wider elements to deterrence. But one key element is for law enforcement to have the tools they need to tackle online attacks.
Law enforcement capacities need to keep pace with the fast-changing technological tools and modus operandi of cybercriminals. We must step up cooperation and the sharing of expertise and reinforce our cyber forensics and ability to monitor the Darknet – which enables crimes such as payment fraud, the sale of firearms and counterfeit documents, human trafficking, illegal immigration, dissemination of the worst kind of images and content and more.
To facilitate the investigation and prosecution of cybercrime and other cyber attacks in the civil space, we recently brought forward measures to make it easier for law enforcement and the judiciary to access financial information and electronic evidence, which is key but can be difficult to obtain quickly and efficiently, especially as it is often hosted in a different country.
So we were already doing a lot – but these measures were mostly aimed at the more traditional forms of cyber attack. And in the past, we tended to think of hybrid in terms of this classic cyber threat – attacks against infrastructure such as power grids, for example. That danger still exists, but the suite of tools at the disposal of cyber attackers has become much more sophisticated.
Those who wish us harm have been quick to exploit the possibilities created by social media and the ways in which we use them. We share huge amounts of personal data online. This opens up a new kind of vulnerability, including through the potential to target particular messages at specific audiences deliberately to amplify their impact, to influence and interfere in democratic debate.
We are taking a series of measures to better protect our personal data – the GDPR enters into force later this month. But we can’t just play defence here. We also have to be ready to go on the offensive, to counter cyber-enabled interference and behavioural manipulation.
It is time for platforms and publishers to sit up and take notice – for a long time they have been reluctant to act, but that needs to change. The scope for behavioural manipulation is too great.
Last month, the Commission proposed a range of measures against disinformation and fake news online. In doing so we sent a very clear and strong message to internet platforms – Facebook, Twitter and others – who make so much money from our online lives. They have the ability – and the responsibility – to play a key role in countering disinformation. And we want to work with them – to make rapid progress over the next few months.
We are not asking them to judge what is true or not, or to censor content. But we do want more transparency, traceability and accountability online, and the platforms need to help deliver this.
Our newsfeeds should tell us clearly when content has been paid for and by whom, when it has been distributed via bots rather than by people, and why we are being shown certain content.
At the same time, we will strengthen the work done by ‘fact checkers’; we will support quality journalism and we will promote media literacy and critical thinking.
This is an urgent issue, especially in the context of upcoming elections such as the European elections next May. Much of the attempted interference we have seen around our democratic institutions and elections involves foreign actors. It is pertinent to be discussing this here in Germany, which has been the target of recent cyber attacks emanating from outside its borders: the Foreign Ministry in March, or the one which hit the German Institute for International and Security Affairs, the SWP. And the Bundestag has been hacked too.
We need to be clear, such outside interference through physical attacks, disinformation or manipulation is simply not acceptable.
The threat picture is complex and challenging. But there are practical steps we can take. The Directive on security of network and information systems, the NIS Directive, the first EU-wide piece of cybersecurity legislation, entered into effect last Wednesday. It will help Member States to better cooperate and to strengthen their capacities to prevent and react jointly to major cyberattacks.
And the Commission is making funding available to support national Computer Security Incident Response Teams as well as the operators of essential services and digital service providers across Europe.
It is through working together that we will be able better to counter these cyber and cyber-enabled threats to our collective security. As the threats continue to develop and evolve, we’ll need to evolve our response. Always firmly rooted in the values we share. The values we need to defend, together.
* * * * *
Source: https://ec.europa.eu/commission/commissioners/2014-2019/king/announcements/commissioner-kings-remarks-symposium-german-domestic-intelligence-service-hybrid-threats_en