The Honorable Giulio Terzi, Former Minister of Foreign Affairs, Italy, remarks from ICTs 17th World Summit on Counter-Terrorism: Keynote address on Cyber-terrorism, Cyber-crime and Data Protection
1. Introductory remarks.
I would like to congratulate the organizers of this conference and express my strong appreciation to Professor Boaz Ganor. ICT is contributing not only to a full understanding of terrorism but also to a closer international cooperation in this field.
I will try to explain how in Europe this cooperation is developing. Data Protection has emerged as one of the most promising backgrounds for web security, cyber defence, fight against terrorism and organized crime. It will bring significant opportunities for R&D cooperation between EU and Israel both at Government and business levels. Given the quality of relations between Israel and Italy, the new environment will have a positive impact for both our countries.
2. Cyber space: a complex and unstable environment.
Geopolitics have become a natural -and worrisome- playfield for cyber activities. In late May, hackers have allegedly spread fake information among some Qatari media and social networks. The disinformation on Qatar was all but unprecedented. In August 2012 the Indian government accused Pakistani hackers of trying to provoke communal violence. More recently, last June, hackers believed to be tied to the Vietnam released transcripts of the talks between President Duterte and President Trump. There has been, up to now, little to stop similar operations. These tactics are cheap, and easily deniable. None of the victims - including the United States and its European allies - have come up with a way to impose significant consequences on the attackers. The Obama administration has expelled Russian diplomats, seized diplomatic compounds and imposed sanctions in retaliation against the hacking of the Democratic National Committee in 2016. Still Russian hackers are expected to be back on the scene of the other elections in Europe and in the US.
Efforts to define international rules for preventing cyber conflicts lag far behind the proliferation of attacks. Various proposals have been launched over more than a decade at the UN General Assembly by Russia, Us and other major actors. But geopolitical reasons, diverging interests, and above all gap and asymmetries have prevented a "Geneva-like" Convention to ban cyber weapons.
Even the most recent round of negotiation was still unable to formally agree that international law applies to cyberspace.
Strategists believe it’s only a matter of time before a state’s response to cyber attacks or to massive violations of their own data networks escalate into full-blown military conflict. There is little hope -for example- that competing states will ever be able to agree on how to define, much less limit, intelligence or disinformation activities.
For the time being the onus is on individual states to identify vulnerable targets, better defend them, and, if and when an attack succeeds, assess the damage, demonstrate resilience, signal deterrence and response capabilities, and last but not least counter the spread of lies and disinformation.
Countries should work with like-minded partners to detail what types of interference will provoke reactions, such as sanctions or retaliatory cyber attacks. A significant step was the G7 Declaration in Lucca and endorsed by the G7 Summit in Taormina last June.
The Declaration should become a negotiating platform on cybersecurity between EU, North America, Russia and China.
International law provides - according to Lucca's Declaration- a framework for States’ responsibility and responses to wrongful acts that do not amount to an armed attack but may include malicious cyber activities, also by proxies.
The question weather cyber security should be a prerogative of critical infrastructures and private companies or a national security problem is easily answered. The State has the fundamental role. The well-being of a whole community, the prosperity of a country, its sovereignty depend on security in cyber space. EU member States and Institutions have recently made important steps in this direction.
3. A new European environment for cybersecurity.
The European Union has adopted in July last year a wide reaching set of rules for Data Protection and Network and Information Security. They are especially important for my country - Italy - which has been an active partner of other EU member States and Institutions in bringing the Regulation forward and have it adopted. Starting May 25th 2018 the new rules will be directly enforceable by the European Authorities and Member States.
According to latest surveys only 46% of Italian companies assess their readiness to fully comply with the GDPR and NIS Directive by the target-date. 88% estimate that technical, legal and organizational problems should be quickly addressed.
Surveys in other major EU countries signal similar concerns for local businesses and national Authorities - Data Protection Authority-DPA; in Italy "Garante della Privacy"- .
Among the weak spots to be urgently cleared are: procedures and infrastructures needed for data protection; verification and accountability; risk and impact assessment; prevention and inter-State cooperation.
The coming weeks and months will substantially transform the cyber environment in Europe.
There is, first of all, a new Regulation- General Data Protection Regulation, GDPR- which builds upon previous norms and reinforces the protection of all Data: in coherence with growing security concerns on one side, and the need – on the other – to guarantee individual rights, freedoms, and the Rule of Law among the 28 Union Members. Equally important is the Directive on security of Network and Information systems (the NIS Directive) adopted by the European Parliament on 6 July 2016.
For the first time there will be in Europe a unified information security framework under the responsibility of national Authorities, with common security standards.
The NIS Directive will also require many businesses to apply procedures that will demonstrate effective use of policies and measures. Failure to do so may result not only in loss of customer trust and damage to reputation, but also in enforcement actions.
I. General Data Protection Regulation, GDPR.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC.
It is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. As such, the Regulation is intended to significantly improve national security and strengthen prevention, deterrence, resilience and response to cyber crime and terrorism.
Why GDPR will have a transformative effect on the European cyber-environment? Because:
* it also applies to organizations outside the EU ;
* it foresees penalties for non-compliance;
* its rules are applied to both controllers and processors;
* breach notification will become mandatory, within 72 hours, where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
II. NIS Directive.
The “structural element” in the transformative strategy of the European Union specifically gives priority to operators in energy, transportation, banking, financial markets, healthcare, water supply and distribution. The Directive provides measures to boost the overall level of cybersecurity by ensuring:
* member States preparedness, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;
* cooperation and exchange of information about incidents and risks among all Member States, by setting up a CSIRT Network;
* national identification of businesses operators of essential services and key digital service providers;
* enhanced cross-border cooperation in case of a major cyber-incident;
* a new mandate for the European Union Agency for Network and Information Security (ENISA);
* a national strategy and authority, and a computer emergency response team (CERT) for handling incidents and risks;
* mandatory standards for market operators;
* powers to investigate cases of non-compliance.
For the first time in the EU, there will be a regulatory framework governed by national authorities on the basis of wide European cybersecurity standards.
4. Transformative impact.
The new measures aim at strengthening public-private interaction by setting clear rules for risk assessment, prevention, resilience, response. GDPR and NIS will have a direct impact on EU Security, Defence, and Counter-terrorism. For the first time in sixty years the Union is not only activating a common, enforceable policy for the cyber space; it is also establishing an advanced architecture which implies new EU approaches in intelligence sharing, security strategies and priorities. The purpose is for the Union to recover the time lost, and to become a reliable and competitive player in the cyber dimension.
The reasons why adaptation and response to cyber security challenges have been for the EU slower than for other major military and economic powers can be summarized in three aspects:
A) nature of the Union. Foreign policy, security and defence have remained mostly a prerogative of each individual Member State. Inadequate empowerment of EU security Institutions, delays in setting up procedures and infrastructures did slow down decisions essential to gain capacities comparable to those of other major players such as US, Russian Federation and China;
B) intelligence cooperation has remained a weakness for the Union. The EU has nevertheless created multiple structures in order to facilitate operational cooperation and information exchange, law enforcement and justice. Still the plethora of different information systems doesn’t help and data sharing is mainly of reactive nature.
By setting a different speed and scope in data protection, GDPR and NIS Directive will have a positive impact on all aspects of European Security;
C) Internet was born in the US. The American scientific and technological lead in ICT’s was therefore a fundamental aspect in all international efforts for mastering cybersecurity and cyber-defence.
An overview of the last thirty years shows the interdependence in the public and political debate between individual rights and freedoms on one side, and security considerations on the other. The value of living in a liberal democracy governed by the Rule of Law by far exceeds the challenges of fighting terrorism. Safeguarding human rights and freedom can be easily ignored in countries whose regimes are not accountable to the people, but it represents the essential background in Europe, and in my country.
NATO members have contributed to significant steps in this direction, making sure that cyber security develops in the framework of the Rule of Law and democratic freedoms. A useful example is the Tallinn Manual. Its 2017 edition covers a full spectrum of international law as applicable to cyber operations, ranging from peacetime legal regimes to the law of armed conflict. The law of state responsibility, which includes the legal standards for attribution, is examined at length.
Another important example is NATO's Cooperative Cyber Defence Centre of Excellence, a NATO accredited knowledge hub which focuses on interdisciplinary applied research, consultations, trainings and exercises in the field of cyber security.
A Pew Research poll published in August on main priorities and risks perceived by the public opinion in 38 countries gave the following results: 60% of persons interviewed answered that their main concern remains terrorism; same percentage emerged for climate change; 55% expressed their concern for risks of cyber activities eventually leading to cyber wars. It is noticeable that terrorism and cyber threats did both rank above other important risk factors such as economic and financial concerns.
The public is aware that bad actors are using the internet for terrorism, political destabilization, theft and other crimes. However too often web users do not care enough. Internet has been around for about 40 years and hasn’t lived up to its enormous potential as a decentralized global system powered by trust. Cybersecurity is a critical part of industry and consumer applications but all too often it’s still an afterthought.
Internet of Things (IoT) devices, for example, are designed without basic security in the hardware. Corporations delegate cybersecurity to people in the IT department instead of making it a matter for the board of directors. Consumers ignore warnings about software vulnerabilities until it’s too late. This mindset must change. At a fundamental level, cybersecurity is the trust component that allows the internet to be used as a business tool, as well as a tool for everyday life. Creating a culture of trust is challenging. At company's as at the Institutional level Data Protection needs an integrated, holistic approach. There couldn't be a better playfield for cooperation between Israel and Italy.