There is one aspect of what the European Parliament is calling the ‘surveillance scandal’ that is not to my mind being sufficiently addressed in Britain: what is GCHQ’s involvement in European hacking and surveillance doing for Britain’s standing in Europe?
While there is a relatively open and wide-ranging debate over the NSA in the US, there is virtually no debate over GCHQ in the UK. The reason is twofold: firstly, the UK government has run a very successful campaign in keeping the lid on things (a combination of refusing to say anything, denying that anything wrong has been done, and bullying or persuading the media to say little or nothing about it); and secondly, the apathy of the British public is legendary. So long as it doesn’t directly affect us, we Brits just don’t care, and spying on foreign Europeans does not directly affect us.
It is all helped by the European treaties, which say that national security remains the sole responsibility of each member state. The British government can, and simply does, say to Europe: ‘what GCHQ does is none of your concern, and it is not our policy to talk about what our intelligence agencies do.’
The result is that the man in the British street has no idea of what is actually happening in Europe, nor the dismay with which Britain and the British are now considered abroad.
Yesterday I asked Jan Philipp Albrecht, an elected member of the European Parliament and a leading light in its Civil Liberties, Justice and Home Affairs committee, how Britain is now viewed in relation to GCHQ. (You can get more details here: Exclusive: Jan Philipp Albrecht Speaks to Infosecurity Ahead of Calling Snowden as a Witness.)
My question was this:
What does Britain spying on fellow members of the EU do for the future relationship between the UK and the rest of Europe?
His reply, verbatim:
It is already today a huge damage to the relationship between UK and the rest of Europe. The attacks of the GCHQ on TelCom services like Belgacom and on servers on huge internet companies are illegal cyberattacks which come near to the notion of cyberwar. The involvement of issues not covered by national security like economic spying splits the Union and throws it back to the fight between national economies in the last century. It will harm the economies in Europe including the British and the trust in the institutions as well as the digital market severely.
It is worth considering this. Firstly, between the lines, there is clear anger. Secondly, he comes as near as dammit to accusing Britain of waging cyberwar against its allies. Thirdly, he brushes aside the notion that the surveillance is based on national security and anti-terrorism, and includes the accusation of ‘economic spying’. And lastly he likens that economic spying to the situation of twentieth century Europe; a century in which economic rivalry led to two world wars. This is what Europe thinks of Britain and the British today.
Does it matter? Too damn right. Despite our aloofness, we don’t actually want to leave Europe. Prime Minister Cameron has promised to renegotiate Britain’s relationship with Europe. That is what most Brits want; but what Cameron wants is to remove Europe from those areas that limit his freedom to do as he pleases. His main aims, which he will sell to the British public as maintaining British sovereignty, are to limit data protection and to eliminate the jurisdiction of the European court. These would benefit big business and GCHQ, but would be bad for the people.
But — and this is the point — because of the surveillance scandal, he may be in for a surprise. He will threaten Europe that unless he gets what he wants, Britain may leave the Union. And the rest of Europe will simply say, ‘Good riddance.’
The problem with the news is that it is usually generated by parties with a vested interest. When the news comes from government, it is because government has an axe to grind. When the news comes from a security firm, it is because that firm has a product or service to sell.
Usually this vested interest is well disguised and hidden behind actual facts. Sometimes, however, the truth is so far distorted that you simply have to comment. And here’s an example: a missive from a PR company that states, verbatim:
EU Cyber Security Directive Could Cost Organisations Billions
The new EU Directive on Cyber Security is going to have a huge impact on all organisations that trade in the EU. The Directive states that any organisation that does not have their cyber security in order and suffers a security breach will face extremely heavy fines of up to 2% of their annual global turnover. This means for large enterprises or banks, fines could run into millions or billions of pounds…
…recent research… has revealed that many industries are seriously behind in terms of IT security and risk facing extremely heavy fines when the Directive comes into action.
This is simply wrong. It demonstrates either an abject failure to understand EU processes, or a conscious attempt to mislead.
The European Commission proposes the laws that the European Parliament votes to accept or reject. It has two vehicles: a Directive and a Regulation. A Regulation is a European law that applies directly in every member state, with no national legislation needed. A Directive is closer to a statement of intent: it sets the result to be achieved, and each nation transposes it into its own national law in accordance with local practice and requirements.
There are two relevant EC proposals right now: a cyber security directive, and the general data protection regulation. Time and again security firms muddle these two separate proposals, through either ignorance of European processes or an intentional attempt to mislead.
The cyber security directive lays down no specific sanctions — these are left for the individual nation states to specify themselves.
Member States shall lay down rules on sanctions applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive.
EU cyber security directive
It is the regulation that imposes the 2% maximum sanction, and it does so only under specific conditions relating to personal data, not for any security breach (and for smaller companies, 2% of turnover may well turn out to be less than the current maximum fine that can be levied by the UK’s Information Commissioner).
The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of cooperation with the supervisory authority in order to remedy the breach…
…The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently etcetera, etcetera
EU proposal for a general data protection regulation
And remember that passage of the GDPR into law is still far from certain. However, by conflating these two separate proposals:
- government is able to suggest that the EU proposals will place an unacceptable burden on national business (in reality, it is almost entirely the UK that takes this approach, largely because the Data Protection Regulation will impose unacceptable burdens on GCHQ’s current free rein in electronic surveillance)
- security firms are able to frighten industry into spending ever more money on ever more weird and wonderful security products. A risk based approach to security will probably show that the actual risk is far, far less than the warnings from the security industry.
The tragedy in this particular instance is that two good names are dragged into the mire: Tripwire and Ponemon. I would suggest that if you see news articles over the next couple of days saying that industry is being faced with massive fines for not having adequate security, you take a step back and consider the actual EU proposals before rushing out to spend 2% of your annual income on security products.
This example does the security industry no favours whatsoever.
“Establishing a European Public Prosecutor’s Office – A federal budget needs federal protection,” says Viviane Reding today.
She’s talking about the formation of a European Public Prosecutor’s Office, “to fight fraud against the EU budget and to uphold the rule of law across the Union.”
I like the idea of fighting fraud.
I distrust the concept of the ‘rule of law’ – it’s just a political concept devised to say, ‘you Pleb, me Lord, you do what I say, always, no arguments.’
But that’s not the point here. “It is a federal budget. If we don’t protect it, nobody else will do it for us,” says Reding.
Federal budget? Did I miss something? When did the European Union morph into the European Federation?