IMCO

Committee on Internal Market and Consumer Protection

With the spread of digital tools, individuals are becoming more vulnerable to cyber attacks and hijacking of their personal data, especially when they lack basic information about their dangers. How can the European Union help its citizens to be better prepared to safely use NTIC?

Chairpersons: Emilie Deyres (FR) and Vafa Ahmadova (AZ)

Subject introduction

“One of the main cyber-risks is to think they do not exist.” – Stephane Nappo

With the development of information and network technologies and enhanced global interconnectivity, the risks associated with online communication have risen. Breaches of sensitive data, cyber espionage and cyber attacks are no longer threats but real events that affect individuals and businesses. 2016 marked a turning point in the offensive use of cyber power: there were more than 4,000 ransomware attacks per day and 80% of European companies experienced at least one cybersecurity incident. Ransomware blocks access to the user's information and demands a ransom, with the average demand being $1,077 per victim.

In June 2017, Europe was hit by a massive cyber attack called ‘Petya’ that affected companies in countries including the UK, Russia, Spain, France, Denmark and Norway.¹ Most attacks are motivated by profit, but there is also an increasing number of politically motivated incidents. In fact, for many countries, as well as terrorist groups such as Daesh or al-Qaeda, cyber tools offer an attractive weapon: cheap, effective, high-impact, difficult to predict and hard to trace.

Moreover, with the fast development of the Internet of Things (IoT), hundreds of thousands of people are becoming more vulnerable to cyber crime through their wirelessly connected devices and connected toys, most of which have weak built-in security. In 2016, a massive attack that brought down the Dyn Domain Name System (DDNS) service illustrated the vulnerability of certain platforms to attacks aimed at the IoT. During that incident, the cyber criminals managed to deny access to major platforms like Twitter, Netflix and Facebook for some hours. This was made possible by harnessing poorly protected household devices such as CCTV security cameras and baby monitors that still had the factory password set or had no built-in security.

In spite of the ongoing cyber attacks, individuals in Europe do not feel sufficiently informed about, or prepared for, cyber threats, according to a study published in 2017 by the “Express” newspaper. The diagram below shows the European Union (EU) citizens’ answers to the question: ‘How well informed do you feel about the risks of cybercrime?’

Because of low risk awareness, many users of IT systems do not invest enough in security, although the costs a company has to bear after being affected by cybercrime far exceed what it would have had to spend on security. Apart from the awareness problem, the time lag between cyber intrusions and their detection is estimated to be three times longer in Europe than in the rest of the world. One of the reasons for this is a lack of digital skills, which poses a challenge for the future: demand for highly skilled ICT staff exceeds availability in the labour market. According to the European Political Strategy Centre, 41% of EU enterprises that recruited or tried to recruit ICT specialists in 2015 reported difficulties in finding suitable applicants.²

The costs related to cybercrime and data breaches are significant and growing fast as digitisation spreads into all spheres of our lives. A 2014 study estimated the economic impact of cybercrime in the Union to stand at 0.41% of EU GDP (i.e. around €55 bn), with Germany being the most affected Member State (1.6% of GDP). Europol currently estimates the cost at €265 bn per year.

Furthermore, the economic impact of cyber crime is set to rise. The difficulties in estimating the exact financial costs of cyberattacks and in helping companies prevent them are due to the refusal of these companies to share information concerning the number and type of attacks faced, and to the fear of reputational damage. In the light of this issue, a call for mandatory data breach reporting for all private companies was made by the UK’s Shadow Defence Secretary. Making it a legal requirement for companies in the EU to report serious attacks on their networks would help to tackle the complacency that exists within many organisations today.

In addition to the conflicts described above, Member States have different cybersecurity systems, which constitutes a barrier to effective collaboration. The European Commission plans to publish a proposal for a ‘cooperation blueprint’, encouraging Member States ‘to make the most’ of the collaboration mechanisms mentioned in the Directive on Security of Network and Information Systems (NIS Directive) in order to be able to handle large-scale cyber incidents on an EU level.⁴ Problems such as the design of new digital technologies without security in mind and European dependence on external technologies from the USA and China are also to be addressed by the European Commission.

Leaks can be found everywhere in the world's digital system. With the number of cyber attacks increasing all over Europe, the techniques of hijacking are becoming more and more complex as well. The legislation and regulations in place are not enough to face the threat of cyber crime. Cybersecurity needs to become a political priority. Strong policies and improvement of Europeans’ skills in this area should form solid foundations for the protection of Member States and their institutions, organisations, businesses and citizens.

1. T. Parfitt, Petya ransomware sparks world computer meltdown spreading rapidly, Express, June 27, 2017, https://www.express.co.uk/news/world/821927/cyber-attack-hacking-ransomware-Norway-UkraineRussia-India-Petya
2. Building an Effective European Cybershield, European Political Strategy Centre, 8 May 2017, https://ec.europa.eu/epsc/sites/epsc/files/strategic_note_issue_24.pdf
3. Ibidem.
4. Ibidem.