MEPs are pressuring the European Commission to propose new cyber crime rules on hacking vulnerabilities, encryption and information sharing between EU countries, ahead of a legal overhaul planned for September.
Member states should exchange “best practices” about circumventing encryption and invest more to protect critical infrastructure like energy and transport networks from cybersecurity attacks, according to a report that passed Tuesday (11 July) in the European Parliament’s Civil Liberties Committee (LIBE).
The report is not legally binding but outlines MEPs’ views on controversial cybersecurity issues that will be part of the Commission’s proposals this autumn. It was approved with 54 votes in favour, 4 against and 2 abstentions.
Greek New Democracy lawmaker Elissavet Vozemberg-Vrionidi (EPP), the author of the report, told MEPs before the vote that it would send a “very important political message”.
“The Internet goes faster than legislation so we have to try to work ahead of criminals,” Vozemberg-Vrionidi told EURACTIV.com.
Her report sets out measures for how the EU and national governments should respond to major cybersecurity attacks that “destabilise” societies, like the WannaCry attack in May that affected hospitals, train lines and internet networks across Europe. It also includes guidelines for how private companies should prevent crimes targeting internet-connected devices.
“The lines between cyber crime, cyber espionage, cyber warfare, cyber sabotage and cyber terrorism are becoming increasingly blurred,” the report says.
The European Commission will publish a new EU cyber security strategy in September that officials say is needed because the Internet of Things, the name for devices with internet connections, has grown quickly since the executive sealed its last EU-wide cyber security plan in 2013.
Other announcements planned for September include a new legal framework and budget for ENISA, the Athens-based EU cyber security agency, and an EU labelling system that ranks devices based on how strong their cyber security features are. All of those plans are underpinned by an overarching ambition to align how EU countries respond to growing cyber security threats.
Last year, the EU passed its first-ever piece of cybersecurity legislation, the network and information security directive. It requires critical infrastructure operators to report cyber security attacks to authorities and asks national watchdogs in EU countries to share information on threats. But EU officials say the directive still needs to be bolstered with more cyber security measures.
Vozemberg-Vrionidi’s report calls for businesses to inform authorities when they are hit with cyber security attacks, and to fix security failures. It also recommends a trust label for internet-connected devices as a voluntary measure. Commission Vice-President Andrus Ansip announced his labelling plan in May but did not specify whether it will be a voluntary or legally binding security certification scheme.
The Parliament report sets out some guidelines for how member states should respond to cyber security breaches and asks national governments to create rules detailing how they carry out their own offensive attacks. “Lawful hacking must be a measure of last resort,” it reads.
An EU-wide legal approach to the Internet is “a matter of priority”, according to the report. Union legislation should help police access so-called e-evidence, or data from tech companies, even if it is stored in a different member state from where they are investigating. The Commission announced last month that it is drafting a legislative proposal on cross-border data access, separately from the cybersecurity announcements expected in September.
Vozemberg-Vrionidi’s resolution also asks national governments to share any plans they have for accessing encrypted data. The report does not suggest a legal solution for creating access. But it asks governments to promote “security measures” like encryption technology, while also referring to criminals’ “growing misuse” of encryption.
“It’s controversial among the political groups,” Vozemberg-Vrionidi said. “Encryption is very strong and very useful but on the other hand it’s the way some criminals find a weapon to enter cyberspace,” she added.
Ansip has insisted that there will not be an EU-wide law that could weaken encryption. Politicians across Europe have called for so-called backdoors to give police access to encrypted data. Critics and cyber security experts—including ENISA, the EU agency—argue that backdoors would only weaken a device or software’s security standard across the board and make it more vulnerable to attacks.
German Green MEP Jan Philipp Albrecht said Vozemberg-Vrionidi’s report references police access to data, but “this doesn’t mean you need to circumvent encryption by technological means or get the legal instruments to do that.”
“It means you have to discuss the question of how proportionate it is that if you get into one person’s device, you weaken the whole infrastructure,” Albrecht added.
Several MEPs from different political groups have pushed back against calls to weaken encryption technology. The European Parliament’s draft of the ePrivacy regulation, a law affecting telecoms services, specifies that “decryption, reverse engineering or monitoring of such communications shall be prohibited”. That bill is still in negotiations.