Without much fanfare, the European Commission has published a new cybersecurity strategy. Although Commission President Juncker briefly touched on the issue in his State of the Union Speech, the document was published in the EU’s document database without a news release or press conference. It’s unclear at this point whether the document was published prematurely and an announcement is still to follow, or whether the Commission is intentionally keeping the strategy out of the spotlight.
Among some common-sense measures to increase cross-border collaboration and beef up the role of the EU’s IT security agency ENISA, the strategy contains a few curiosities.
As one cybersecurity measure, the EU commits itself to “encouraging the uptake of [the communications protocol] IPv6” since “the allocation of a single user per IP address” makes it easier “to investigate malicious online behavior” — a reasoning that’s at best oversimplified, as this ten-year-old report from the US Department of Commerce explains, and at worst betrays a dangerous form of thinking in which the complete surveillance of each individual’s online activities is the implied goal of cybersecurity policy.
The Commission also evokes worrying images of an expanding surveillance state when it lists facilitating “analysing video material” and “checking of identities” as reasons for “scaling up High Performance Computing infrastructure”. That it lauds strong encryption for its ability to “keep people’s intellectual property secure” is another odd choice of security priorities.
All things considered, the communication is most remarkable for what it does not contain: a whole host of measures that would actually make Europeans safer online, but on which EU action is lacking, if not actively counter-productive.
That’s why my colleague Jan Philipp Albrecht and I have gathered alternative proposals. Here are 10 measures that are missing from the strategy that would bring actual improvements in cybersecurity:
1. Right to tinker and repair
Users should have control over the technology they use in their daily lives. That’s why they need a right to use, modify and repair devices on their own. We must legalize the circumvention of DRM, or get rid of digital locks limiting our freedoms in the first place.
2. Provide regular updates …
Updates are the most important tool to ensure the sustained security and integrity of systems and networks we use. Last year, massive internet outage was caused when software vulnerabilities in legacy wifi routers, and other devices connected to the internet, were exploited.
Internet of Things devices need a Best-By Date during which manufacturers are required to provide updates, and reasonably quickly.
3. … or face liability!
If updates, or fixes for vulnerabilities aren’t provided within a reasonable timeframe after their discovery, manufacturers should be held liable. The EU needs to revise and extend product liability rules to that end.
When a manufacturer decides to abandon a product that is still in widespread use, they need to make sure that the public can take over the continuous development by making the source code and development tools public and re-usable.
4. Don’t jeopardise our security!
States and state actors must disclose vulnerabilities they find or acquire. Part of the reason for the WannaCry incident was that a software vulnerability that had been known to intelligence services for years had not been fixed.
5. No backdoors in encryption!
Similarly, Europe needs to make a commitment against building backdoors into encryption, thus weakening and threatening the integrity and security of all systems.
6. Invest into Free and Open Source Software
With the FOSSA project, I got the EU to start investing into the security and stability of our infrastructure — by having them conduct and finance audits of critical free and open source software and actively contributing to its development. Now, we need to make this a permanent item in the EU budget. Aside from security audits, the EU should also adopt and financially support free software as an inherently more secure alternative to closed-source software.
7. Public Money? Public Code!
Governments and public authorities need to act on their responsibility to keep our common infrastructure up to speed and secure. That is why they need to give precedence to free and open source software when procuring software. Buying software that can be modified, extended, and that is open to public scrutiny is in our shared interest as a society.
31 organisations now published a call to change public procurement rules for software throughout Europe. You can join them now by signing the open letter here!
8. Tools that protect fundamental rights
In its strategy, the Commission claims to understand how important it is for the exercise of our fundamental rights to be able to rely on strong encryption for private communication over a free and open internet that uses secure and reliable infrastructure software. It even points out that email encryption and Virtual Private Networks (VPN) can be helpful in that respect.
We must not stigmatise publicly accessible VPNs such as the Tor network by calling them “the darknet” when they promote, and in some countries are the only option for, the exercise of fundamental rights. That is why the EU must actively support those who face persecution for helping human rights activists use technology to protect themselves and others, such as Peter Steudtner, who was arrested with his Amnesty International colleagues in Turkey in July during a workshop in which he was instructing Turkish activists in IT security and non-violent protest.
9. Decriminalize the development and use of hacking tools
”Hacking tools“ are software that allows the assessment of the security and integrity of systems and networks. Ethical hacking, exposing flaws and insecurities are active acts of building resilience. That’s why the EU must stop its Member States from criminalising security research and development. One example that has contributed to legal uncertainty for security researchers is the German “Hackerparagraph”, a provision introduced into German criminal law in 2007.
10. No filtering obligation for platforms
Online platforms must not be obligated to automatically surveil all user-uploaded content. The complexity of that task creates an incentive for centralised monitoring and filtering, where a few dominant filter vendors become gatekeepers to our freedom of expression. Regardless of the justification for its introduction, establishing such monitoring technology is usually followed by its creeping expansion to ever-more ends. This is a grave threat to our right to privacy and the freedom of speech.