Europe needs ‘digital border controls,’ industry chief says

Deutsche Telekom's cybersecurity centre in Bonn, Germany. [Deutsche Telekom]

This article is part of our special report Finding digital freedom in a crowded world.

Europe should consider establishing a ‘digital border control,’ as a means of obstructing internet access to hostile actors in the event of a serious cyberattack, the head of Deutsche Telekom’s cybersecurity division has told EURACTIV.

“In Europe, there’s no way of to shield ourselves in the case of an attack emanating from Asia or the Americas on our infrastructure here,” Thomas Tschersich, Head of Group Security at Deutsche Telekom said. “Sitting in the middle, we’re connected to all entities around us. We don’t have a clue how to disconnect without switching off the whole infrastructure in Europe as well.”

Tschersich added that the state of play across the Atlantic offers US citizens an equal balance of freedom and security, when faced with a potentially debilitating cyberattack.

“In the US, for example, you have just 11 connection points to the global Internet. If you cut that off, the inner US network will function well. The main infrastructure would be up and running fine.”

The EU's search for tough cybersecurity standards

Appearing before MEPs in the European Parliament’s Industry Committee last week, the new head of the EU’s cybersecurity agency said he hopes the EU’s recently adopted cybersecurity framework will become the “the new global standard for trust.”

Protecting the internal market

Tschersich added that a political debate needs to happen in Europe, to discuss how the continent would confront a potential cyberattack and that it is vital to “protect the functionality of the internal market” in the event of a hostile infiltration of Europe’s network infrastructure.

As part of the European Commission’s newly distributed portfolios, French nominee Sylvie Goulard, will acquire control of “building a real single market for cybersecurity,” and be responsible for “implementing rules on security of network and information systems [and] rapid emergency response strategies.”

Cybersecurity is an area where France have long sought to impose their influence  – most recently signalling their commitment to the Indo-French Roadmap on Cybersecurity and Digital Technology, on the sidelines of the G7 talks in Biarritz.

Moreover, the country has been forthcoming in their reading of international law on cyberspace norms, having produced a government report in which they reserve the right to respond to cyberattacks, in addition to attribution, according to researcher Lukasz Olejnik.

Germany's cyber defence strategy discussed behind closed doors

Germany is currently preparing a new cyber defence strategy. An internal concept paper of the German government foresees the use of so-called hack-backs and changes to the German Basic Law. But the change is happening and the general public is being excluded from the discussions, experts criticise. EURACTIV Germany reports.

Internet shutdowns?

Tschersich’s notion that Europe should consider closing-off access to certain parts of the internet has drawn criticism. EURACTIV caught up with Guillermo Beltrà, policy director at the digital rights group Access Now, to hear his thoughts on the proposals.

“Shutting off the internet, even if only parts of it, should never be the default policy tool at hand,” he said.

“Establishing policies that include internet shutdowns and network separation is not the best approach to create effective, resilient cybersecurity models that put users’ interest at the forefront.”

Moreover, EURACTIV also heard from MEP Patrick Breyer, who sits with the Greens in the European Parliament. He had some even tougher words to say. “Kill-switch capacities could be abused by hackers and make the Internet less safe. Scare stories about terrorists wanting to shut the Internet down are mostly fairy tales. We shouldn’t use the same means that we deplore,” he said.

Nevertheless, Tschersich was adamant that he would never advocate the obstruction of internet services.

“I’m not talking about blocking access to services,” he said. “I’m talking about blocking massive attacks coming from the outside Europe, trying to harm us. The question is how we are prepared.”

Tschersich went further in referencing the 2017 cyberattacks on Ukraine – which saw several ministries, banks, metro systems and state-owned enterprises hit by a series of cyberattacks. The offensive, Tschersich says, “more or less, switched off the Ukraine economy for two days…and there was no protection at all.”

In this scenario, a ‘digital border control,’ could be switched on, hostile foreign access to the affected areas blocked, with the inner network still functioning, Tschersich says, adding that there would inevitably be a restriction of access to external services, but that would be a price worth paying.

Access Now’s Beltrà thinks that the EU should instead push for better coordination among national information security and incident response agencies, and use legislative instruments currently at its disposal, including the Network Information Security (NIS) Directive.

An industry insider told EURACTIV, that the notion of a digital border control sounds rather “drastic,” as dealing with the more sophisticated cyber attacks of the future will require “more targeted, concerted efforts.”

EU backs cyber sanctions regime, following Dutch and UK pressure

Under new EU rules, individuals and groups conducting cyber-attacks from outside the bloc may be hit with potential sanctions, including travel bans and asset freezes. But the measures announced on Friday will be applied only to “persons and entities” and not to national governments.

Wannacry

One of the most severe attacks to hit critical infrastructures in Europe occurred as part of the 2017 Wannacry ransom-wear attacks.

The attack is said to have been one of the principal determinants in cyber threats being identified as the most pressing risks for the bloc in the World Economic Forum’s Regional Risks to Doing Business report that was published last year.

The study asked more than 12,500 executives around the world to select the global risks that pose the most significant concerns to doing business within the next 10 years.

“2017 was a tipping point in the prevalence of cyberattacks in the EU,” the lead author of the report, Aengus Collins, recently told EURACTIV. “The most significant of which was, of course, the WannaCry ransomware attack.” Europol described the WannaCry attack as “unprecedented” in scale, after it had struck 200,000 computers across 150 countries.

The hit infected systems with a ransomware which targeted Microsoft Windows operating systems, with targets including the UK’s National Health Service and German rail infrastructure.

For Tschersich, attacks on the scale of WannaCry or Petya are indications that Europe finds itself helplessly exposed in cyberspace – reliant on access to external services while also attempting to present itself as serious on cybersecurity.

And regardless of well-intentioned efforts in the field by a handful of individual member states, he is clear that this is a question for Europe as a whole. “It can’t be done by nation states alone, it needs to be done on a European level,” he said.

Subscribe to our newsletters

Subscribe

Want to know what's going on in the EU Capitals daily? Subscribe now to our new 9am newsletter.