Focus on the DMA: Europe’s Cybersecurity after Russia’s Invasion of Ukraine

March 11, 2022

Paul MacDonnell, Executive Director, Global Digital Foundation
 

Our world has changed. The holes in Europe’s military security have been recognised and the Union’s leading nations are taking immediate action to build their defence capability. We have known for some time that there are threats to Europe's digital infrastructure from Russia. Recently that threat seems a lot less virtual.

What is at stake?

As a way of getting things done the digital platform is just getting started. It is the most efficient architecture for distributing non-physical stuff—reducing the marginal cost of communicating, sharing, buying, selling, and paying effectively to zero. If you look around, and not just in the developing world but even in the EU, you will see that most human activity that does not rely on moving or manipulating physical objects and material, and which therefore could be platformized, remains unplatformized. We are at the beginning, not in the middle, of a change in economic organisation. Platformization is economic evolution in action, eating through systems of business and social interaction like Daniel Dennett’s universal acid. ‘Universal acid’ was coined by Dennett to represent his profound realisation that natural selection is a universal principle affecting all change, including change wrought by human behaviour. Behaviour—like the use of digital platforms—that lowers costs or increases income responds to platforms’ affordances. And, so, this behaviour will be selected for. The platform is a universal acid eating its way through business and social processes. It’s just getting started.

We don’t think of our educational establishments, government services, or financial institutions as part of the domain of digital platforms, but their evolution draws them towards it. As well as positive affordances, the platform brings negative ones. If it gives us opportunities to socially and economically interact at a lower cost, it also offers opportunities for new kinds of crime. Perpetrators of fraud, such as ransomware attackers operating from unfriendly states, can easily take advantage of our reliance on platforms which, it turns out, are easy places to deceive and be deceived.

What does this tell us about Europe’s wider security priorities in a world where the digital platform model is destined to dominate? Russia’s invasion of Ukraine in early 2022 has triggered a Damascene security conversion in the EU. Since World War II up until now Europe has not paid for its own protection, relying instead on the United States to do most of the work. Also, in recent years, Europe has become over-reliant on Russia for its energy. This has gifted important political leverage to an authoritarian regime which, given that it has recently threatened Europe with a nuclear attack, we can assume is prepared to use any and all means to threaten disruption against digital platforms and their users in Europe. This could make what is already a serious problem (in 2021 $400m, 74 per cent of all ransomware payments, went to Russia) much worse.

The EU has already taken steps to establish the foundations of a strong cybersecurity regime. Its current Cybersecurity Strategy and Network and Information Security (NIS) Directive (2016/1148) form the basis for developing more robust defences against potential threats to digital platforms in Europe. But more is needed. The original NIS Directive was published in 2016 and a lot has changed since then. During recent years, attacks on Europe’s digital infrastructure have become more frequent and more likely. Given Russia’s invasion of Ukraine in 2022 and the consequent deterioration of its relationship with the EU we should assume that the cyberthreat to Europe is greater than ever. Accordingly, the EU’s proposal, in December 2021, for an updated NIS Directive (NIS2) is timely.

NIS2 proposes requirements specifically to deal with cyber attacks on EU digital infrastructure. These will include: enhanced supply chain security, incident response and reporting, and the disclosure of network vulnerabilities. Also, Member States will be required to impose fines for breaches of good risk management practice or failures to report incidents. Crucially, NIS2 expands the scope of existing rules to include additional sectors. These include: public administration, drinking water supply and distribution, energy, transport, banking, financial market infrastructures, healthcare, and digital infrastructures.

Implementing NIS2 will require communication and consultation with public and private sector actors, together with an open, non-threatening approach to enforcement and reporting. Private sector companies are, by nature, reluctant to admit that they have been subject to cyber attacks or even threats of such attacks. It is right for EU authorities to demand, on pain of penalties, openness about breaches and threats on the part of the Union’s private sector. But authorities must, in addition to firm insistence on compliance, adopt a tone of cooperative encouragement that diminishes incentives to hide or minimise problems. The task of improving the EU’s cybersecurity will succeed if its participants are encouraged to act in the public spirit. When a political power feels threatened it is easy for it to fall into the trap of threatening, in turn, those whom it governs. EU authorities must avoid this mistake.

In particular, the practical implications for managing cybersecurity threats must be discussed in the light of interaction between a number of crucial EU directives and regulations, notably: the Digital Markets Act, the Data Governance Act (DGA), the Data Act, the GDPR, the AI Regulation, and the ePrivacy Directive.

The EU needs to keep in mind what it was founded to prevent as well as to achieve.

Views expressed in this article are those of the author and not those of Global Digital Foundation which does not hold corporate views.