International Institute for Counter-Terrorism (ICT)
17th Annual International Conference
September 11-15, 2017, Herzliya
- Introductory remarks.
I would like to congratulate the organizers of this conference and express my strong appreciation to Professor Boaz Ganor for the huge contribution ICT is assuring not only to a full understanding of terrorism but also to a close international cooperation needed to fight against this plague.
I will try to explain how in Europe this cooperation is developing especially through the protection of data: probably the most critical and complex background for the success of strategies aimed at web security, national Defence, fight against terrorist and organized crime. Protection of data will open up new, important chapters of cooperation between EU Member States and Israel both at Government and business levels. Given the quality of relations between Israel and Italy, let me underline the positive impact the new environment will have for both our countries.
- Cyber space: a complex and unstable environment.
The threats, the agents, the tools used, the actors, the targets, the exact geographical location where the attack started and the one where the most devastating effects occurred, the assessment of the damage produced but above all the real assignment of responsibilities: these are some of the main elements that make the cyber space arduous, multiform and articulated and, on the other hand, legitimize the interest of the states – but not only.
Geopolitics and destabilization have become major playfields for cyber activities. In late May, hackers allegedly infiltrated Qatari government news and social media sites. The disinformation cyber attack on Qatar is not unprecedented. In August 2012 the Indian government accused Pakistani hackers of trying to provoke communal violence. More recently, in June, hackers believed to be tied to Vietnam released transcripts of the talks between President Duterte and President Trump, and between Duterte and President Xi Jinping. There has been, up to now, little to stop similar influence operations. These tactics are cheap, and easily deniable. None of the victims — including the United States and its European allies — have come up with a way to impose significant consequences on the attackers. The Obama administration expelled Russian diplomats, seized diplomatic compounds and imposed sanctions in retaliation for the Russian hacking of the Democratic National Committee in 2016. Still, Russian hackers are expected to return for other 2017 and 2018 elections in Europe and in the US.
Efforts to define international rules of cyber conflict lag far behind the use of attacks. Various proposals and initiatives to define and ban the development and deployment of cyber weapons have been launched over more than a decade at the UN General Assembly by Russia, the US and other major players. Due to geopolitical reasons, diverging interests, and above all because of the gaps and asymmetries perceived among strategists of the main countries involved, a “Geneva-like” Convention to ban cyber weapons never went through. But the efforts to resuscitate this process were never abandoned. A group of government experts has been repeatedly convened, and agreed in principle that:
- a) the United Nations Charter applies in cyberspace;
- b) cyberattacks on critical infrastructure should be off limits during peacetime.
Unfortunately the most recent round of these negotiations was still unable to formally agree that international law applies to cyberspace. And many strategists believe it is only a matter of time before a state’s response to cyberattacks or to massive violations of its own data networks escalates into full-blown military conflict. There is little hope, for example, that competing states will ever be able to agree on how to define, much less limit, information operations. While attempts to advance the idea of a UN Convention to prevent wars in cyber space have been around for more than a decade, for the time being the onus remains on individual states to identify vulnerable targets, better defend them, and, if and when an attack succeeds, assess the damage, demonstrate resilience, clearly signal deterrence and response capabilities, and last but not least counter the spread of lies and disinformation. Countries should also work with like-minded partners to detail what types of interference will provoke what types of reactions, from sanctions to retaliatory cyberattacks.
The question whether cyber security should be a prerogative of critical infrastructures and private companies or a national security problem is easily answered. The State has the fundamental role. The well-being of a whole community, the prosperity of a country and its sovereignty depend on security in cyber space. In that space State and non-State actors have easy and inexpensive opportunities to intercept data, manipulate public opinion, destabilize political systems and institutions, organize terrorist attacks, intervene militarily and even deploy cyber-weapons of mass destruction. Cyber space is the first dimension of our security. Protection of Data is therefore at the front line in this endeavor. That requires adequate public awareness and support, as stated by the UNGA Resolution on “The creation of a global culture of cybersecurity and the protection of critical information infrastructures”.
EU member States and institutions have recently made important steps in this direction.
- A new European environment for cybersecurity.
The European Union adopted in July last year a wide-reaching set of rules in the fields of Data Protection and Network and Information Security. They are especially important for my country, Italy, which has been an active partner of other EU Member States and Institutions in bringing the Regulation forward and having it adopted.
Starting May 25th 2018 the new rules will be directly enforceable by the European Authorities and Member States.
According to the latest surveys only 46% of Italian companies assess themselves as ready to fully comply with the GDPR and the NIS Directive by the target date, while 88% estimate that technical, legal and organizational problems still need to be quickly addressed. Surveys in other major EU countries signal similar concern among local businesses and Authorities: procedures and infrastructures needed for data protection, verification and accountability, risk and impact assessment, prevention and inter-State cooperation are considered by EU and national Authorities (the Data Protection Authorities, DPAs; in Italy the “Garante della Privacy”) among the weak spots to be urgently cleared. The coming weeks and months will substantially transform the cyber environment in Europe and beyond.
There is, first of all, a new Regulation (the General Data Protection Regulation, GDPR) which builds upon previous norms and reinforces the protection of all Data: in coherence with growing security concerns on one side, and the need, on the other, to guarantee individual rights, freedoms and the Rule of Law among the 28 Union Members. That implies a vast set of measures to be taken by Governments, companies and private citizens. Equally important is the Directive on security of Network and Information systems (the NIS Directive) adopted by the European Parliament on 6 July 2016. It entered into force in August 2016; Member States have 21 months, until May 2018, to transpose the Directive into their national laws and 6 months more, until November 2018, to identify operators of essential services.
For the first time there will be in Europe a unified information security framework under the responsibility of national authorities, with common security standards.
The NIS Directive will also require many businesses to apply procedures that demonstrate effective use of security policies and measures. Failure to do so may result not only in loss of customer trust and damage to reputation, but also in breaches of European data protection and information security requirements and in enforcement actions.
- General Data Protection Regulation, GDPR.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC.
It is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. As such, the Regulation is intended to significantly improve national security and strengthen prevention, deterrence, resilience and response to cyber crime and terrorism.
Why will GDPR have a transformative effect on the European cyber environment? Because:
* it also applies to organisations outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects, as well as to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location;
* it foresees penalties for non-compliance of up to 4% of annual global turnover or €20 million for the most serious infringements of the GDPR, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts;
* it contains a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order, for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment;
* its rules are applied to both controllers and processors – meaning “clouds” will not be exempt from GDPR enforcement;
* breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach;
* part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose;
* privacy by design as a concept has existed for years now, but it is only just becoming a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition;
* also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- NIS Directive.
The “structural element” in the transformative strategy of the European Union specifically gives priority to operators in the following sectors:
– energy: electricity, oil and gas;
– transportation: air, rail, water and road;
– banking: credit institutions;
– financial market infrastructures: trading venues and systemic institutions;
– health: healthcare settings;
– water: fresh water supply and distribution;
and provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:
* Member States’ preparedness, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;
* cooperation and exchange of information about incidents and risks among all Member States, by setting up a CSIRT Network;
* a culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure;
* national identification of operators of essential services, which must take appropriate security measures and notify serious incidents to national authorities;
* key digital service providers (search engines, cloud computing services and online marketplaces) which must comply with the security and notification requirements under the new Directive;
* enhanced cross-border cooperation in case of a major cyber-incident;
* a new mandate for the European Union Agency for Network and Information Security (ENISA);
* strengthened and streamlined cybersecurity cooperation across different sectors of the economy, including training and education;
* a national strategy of network and information security. This includes designating a national authority for information security and setting up a computer emergency response team (CERT) for handling incidents and risks;
* the competent authority may decide to inform the public of an incident. The significance of an incident should be assessed taking into account the number of users affected, the duration of the incident and its geographic spread;
* use of NIS standards for the implementation of the security requirements on market operators;
* national authorities to be given powers to investigate cases of non-compliance of public bodies and market operators with the NIS Directive.
For the first time in the EU, there will be an information security regulatory framework governed by national authorities on the basis of wide European security standards.
The NIS Directive also requires businesses to apply procedures that demonstrate effective use of security policies and measures. Failure to do so may result not only in loss of customer trust and damage to reputation, but also in breaches of European data protection and information security requirements and in enforcement actions.
- Transformative impact.
The new measures aim at strengthening public-private interaction by setting clear rules for risk assessment, prevention, resilience, response capacity.
The General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS) will have a direct impact on EU Security, Defense, and Counter-terrorism. For the first time in sixty years the Union is not only activating a common, enforceable policy for the cyber space; it is also establishing an advanced architecture which implies new EU approaches in intelligence sharing, security strategies and priorities.
The purpose is for the Union to recover the time lost, and to become a reliable and competitive player in the cyber dimension.
There are some reasons why the EU adaptation and response to nowadays’ cyber reality seems to have been slower compared with the US, Russia, China and Israel. These four countries have become leaders in cyber space, while other State actors have also developed significant capacities and aggressive behaviours (like the DPRK or Iran), have probably engaged already in massive intrusions and the development of cyberweapons, and may be able to sustain cyber wars.
The reasons why adaptation and response to cyber security challenges have been for the EU slower than for other major military and economic powers can be summarized in three aspects:
- A) nature of the Union. In sixty years of existence the EU has achieved extraordinary results towards the objective of economic and monetary integration, in the creation of a common space of Justice, Freedoms, social and economic rights, and the Rule of Law. However, the path towards political integration has been disappointing for those who were aiming at a common Federal State for all EU members. And Brexit has evidently amplified the hurdle. Foreign policy, security and defense have remained mostly a prerogative of each individual Member State. Insufficient intelligence sharing among EU Member States, inadequate empowerment of EU security Institutions, weaknesses in the creation of common bodies, and delays in setting up procedures and infrastructure did, until recently, slow down decisions which were essential to gain capacities in the cyber field already existing among major players such as the US, the Russian Federation and China. GDPR and NIS should be seen and perceived as levers to generate quite different and more positive dynamics;
- B) intelligence. With all the burden represented by a closely guarded control of national prerogatives in this field, the EU has nevertheless created multiple structures in order to facilitate operational cooperation and information exchange with regard to intelligence, law enforcement and justice. There is the recognition at the EU level that the plethora of different information systems is not helpful, and interoperability is proposed as the way to increase coherence. If we consider systems such as Europol’s Secure Information Exchange Network Application (SIENA), we have to realize that not all Member States have the right infrastructure to operate the system. Moreover, the amount of information fed into these information systems also differs among the Member States. Data sharing through these systems is mainly of a reactive nature, e.g. in reaction to an attack. In addition, it has also been pointed out that SIS II and Focal Point Travellers (FPT) are useful for the purpose of investigation, but not well suited to, for instance, preventing the travel of (potential) foreign fighters.
The information systems have been developed as a “solution for particular problems in specific areas”. Certain purposes for which, for instance, the Schengen Information System II (SIS II) is now in demand (investigation and prosecution) were not foreseen at the outset. In addition, as can be observed on the basis of the legal mandates, certain systems have been designed explicitly for law enforcement goals [SIS II and the Passenger Name Records (PNR) system] while others have been repurposed for this end [European Dactyloscopy (EuroDac) and the Visa Information System (VIS)]. Another aspect to this is the organisation of cooperation and exchange with third countries. Measures like the sharing of the Passenger Name Record (PNR) for the purposes of counter-terrorism took years before getting the green light from the European Parliament. By setting a different speed and scope in the wide area of data protection, the GDPR and the NIS Directive will have a considerable impact on these different aspects of European Security;
- C) the internet was born in the US. The American scientific and technological lead in ICTs was therefore a fundamental aspect in all efforts for mastering cybersecurity and cyberdefence. Although the history of Internet security dates back to the early 1980s, the opportunities opened by the fast spread of ICT technologies were seized in the first place by the Defence and Intelligence community since the very beginning of ARPANET, not differently from what had happened at the inception of the Nuclear Age.
The Reagan Presidency marked the first time that an American President and a White House Directive discussed what would come to be called “cyber warfare”. Ronald Reagan tasked the National Security Agency with securing all computer servers and networks in the US, with the prohibition of spying on Americans.
As Fred Kaplan wrote in his recent work “Dark Territory: The Secret History of Cyber War”, civil liberties advocates in Congress were not about to let a presidential decree blur this distinction. “And so the issue vanished… it emerged a dozen years later, after a spate of cyber intrusions during the Bill Clinton presidency… shocked the senior officials of the day – who didn’t remember Reagan’s NSA Directive – by the nation’s seemingly sudden vulnerability to this “new threat”, which was all but new!… The election of George W. Bush, the issue receded once more, at least to the public eye, especially after September 11, 2001… few cared about hypothetical cyber wars when the nation was charging into real ones with bullets and bombs… But behind closed doors, the Bush administration was weaving cyber war techniques with conventional war plans, and so were the military establishments of several other nations, friendly or otherwise… During the Barack Obama presidency, cyber warfare took off, emerging as one of the few sectors of the defense budget that soared while others stayed stagnant or declined… In the first three years – from 2009 – the newly created Cyber Command tripled its budget from $2.7 billion to $7 billion, plus another $7 billion for cyber activities in the military … while the ranks of the attack teams swelled from 900 personnel to 4,000, to 14,000 foreseen at the end of the decade. The cyber field swelled worldwide. By the midpoint of the Obama presidency, more than twenty nations had formed cyberwarfare units. Each day brought reports of cyber attacks mounted by China, Russia, Iran, Syria, North Korea and others against computer networks of not just the Pentagon and defense contractors, but also banks, retailers, electric power grids, …”
Even a condensed overview of more than thirty years of history of cyber security and cyber warfare shows the constant, close interdependence in the public and political debate between individual rights and freedoms on one side, and security considerations on the other. The value of living in a liberal democracy governed by the Rule of Law by far supersedes the challenges that Governments have to face in adapting security policies to their fundamental principles and values. These can be, on the contrary, easily ignored in countries whose regimes are not accountable to the people. It is against this background that cyber security is discussed in Europe, and in my country. NATO members have contributed to a significant advancement in the decision-making process concerning cyber security, in the framework of the Rule of Law and democratic freedoms. A useful example is the Tallinn Manual.
The original focus of the Manual was on the most severe cyber operations, those that violate the prohibition of the use of force in international relations, entitle states to exercise the right of self-defence, and/or occur during armed conflict. Tallinn Manual 2.0 adds a legal analysis of the more common cyber incidents that states encounter on a day-to-day basis, and that fall below the thresholds of the use of force or armed conflict.
As such, the 2017 edition covers a full spectrum of international law as applicable to cyber operations, ranging from peacetime legal regimes to the law of armed conflict. The analysis of a wide array of international law principles and regimes that regulate events in cyber space includes principles of general international law, such as the sovereignty and the various bases for the exercise of jurisdiction. The law of state responsibility, which includes the legal standards for attribution, is examined at length. Additionally, numerous specialized regimes of international law, including human rights law, air and space law, the law of the sea, and diplomatic and consular law are examined within the context of cyber operations.
Another important example is NATO’s Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), a NATO-accredited knowledge hub, research institution, and training and exercise facility. It focuses on interdisciplinary applied research, consultations, training and exercises in the field of cyber security. NATO CCD COE is the home of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. The Centre organises the world’s largest and most complex international technical cyber defence exercise, Locked Shields, and the annual conference on cyber conflict, CyCon.