Good afternoon, and thank you for the opportunity to speak to you today – I’m hoping we can avoid a complete ‘security meltdown’, despite the title of today’s event.
It’s good, of course, to be back at the Munich Cyber Security Conference. In the past 12 months, the cyber threat landscape has changed significantly. The security challenges we face from cyberattacks and other cyber-enabled threats have evolved and grown. We find ourselves battling to prevent our elections from being interfered with; combatting attempts at manipulation through the malicious use of disinformation. I will speak about these later.
But the topic which has grabbed the most headlines in 2019 so far is, in some ways, an even bigger issue – how best to protect our digital critical infrastructure – an issue that goes beyond the question of whether or not we should allow Huawei to build our 5G networks.
Rather, we need to think in terms of strengthening our digital resilience as a whole. Digital resilience is crucial for protecting government information, industrial research, intellectual property, business plans, elections and democratic institutions, as well as personal data. To do that we need to protect the digital infrastructure – the essential plumbing of our modern connected lives: as well as 5G, this means things like the Cloud and Artificial Intelligence.
At present, European companies collectively have about 30 per cent of the 5G market — but they are more expensive than their competitors. Meanwhile, more than 90 per cent of our IT devices are made in Asia, notably China, and China controls 70 per cent of the global supply of the critical raw materials you need to make them. US and Chinese investment in AI also dwarfs that in Europe. For example, France is investing €1.5bn; a single city in China, Tianjin, is investing €13.5bn. This kind of dependency creates risks and vulnerabilities.
The U.S. has moved to protect its own cutting-edge technologies, often using the Committee on Foreign Investment in the US screening process. It has reacted to the new Chinese National Intelligence Law, which obliges Chinese companies to work with Chinese Intelligence, by banning US government agencies from using Huawei or ZTE, and is encouraging other countries to do so too. China for its part has long guarded and controlled access to its domestic market, while vigorously pursuing international expansion in infrastructure, real as well as digital.
So it is time for Europe to make some choices. It is time to discuss whether we want to continue, as now, to see our own cutting edge technologies sold off one after another. We also need to consider whether it makes sense for individual countries to let out their 5G spectrum with little information or coordination on what others are doing — which risks allowing one dominant supplier to emerge across the continent. Better coordination would also help our collective investment in AI and other vital technologies such as quantum computing and cryptography to be more than the sum of its parts.
These issues raise challenges around national decision-making which won’t be easy to resolve. Trying to protect everything won’t work. We need to decide what really matters in terms of the digital ecosystem and whether greater transparency around suppliers, supply chains and foreign investment is enough to offset the security risks. It may be that some pieces of backbone digital infrastructure are simply too critical to risk.
Again, these issues are inherently geopolitical, so the solutions need to reflect Europe’s particular perspective — based around keeping markets open and trade fair. Security concerns are not an excuse for arbitrary protectionism. But, equally, they cannot be ignored. These aren’t issues that can be settled overnight. We will need time to debate and develop a comprehensive approach. But we should also ask what can be done already now in terms of concrete action, using existing instruments?
First, the Cybersecurity Act, which was approved by the European Parliament and Council in December, reinforces the mandate of the EU Cybersecurity Agency to better support Member States in tackling cybersecurity threats and attacks. The Act also establishes an EU framework for cybersecurity certification, boosting the cybersecurity of online services and consumer devices. I think we can expect 5G infrastructure to be an important part of the agency’s work.
Second, under the Directive on Security of Network and Information Systems, the NIS Directive, all Member States have to adopt a national strategy in this area, defining the objectives and appropriate policy and regulatory measures. This includes designating at least one competent authority to monitor the application of the NIS Directive at national level and to nominate a single point of contact to liaise and ensure cross-border cooperation with other Member States.
Third, the Foreign Direct Investment Screening Regulation, once in force, will allow the Commission and Member States to cooperate in their assessment of security risks and raise specific concerns posed by foreign investments, including in digital infrastructure.
Fourth, the EU’s rules on procurement do not differentiate between EU and non-EU companies, but they do include a number of safeguards, including measures to protect essential security interests. Reciprocity is another key issue – the EU is actively pursuing new opportunities for European companies by ensuring reciprocity in international procurement markets.
The rules do not, however, cover the provision of communication networks – only the equipment used to build them.
Fifth, the European Electronic Communications Code, agreed to by the European Parliament and Council last June, will boost investment in very high capacity networks across the EU – including facilitating the roll out of 5G by making co-investment rules more predictable, promoting sustainable competition, and again security.
These instruments give Member States scope to take action to better protect critical digital infrastructure where necessary – but this is something that also requires the political will to act.
It is important to consider all these elements if Europe is to face up to this immense challenge – as far as the Commission is concerned our work in this area will continue, in close cooperation with the Member States.
Meanwhile, however, we are faced with another pernicious threat – the use of disinformation and the manipulation of data and behaviour. This is particularly important in relation to election security. Malicious actors, both state and non-state, are increasingly using digital tools to interfere in our democratic processes and manipulate public opinion. The European Parliament elections, just a few short months away, present a particularly tempting target.
That is why we called on internet companies back in April last year to take urgent action, through a voluntary Code of Practice. The Code was eventually agreed in September. We followed that up with the Action Plan on Disinformation in December.
In the longer term, we need to ensure media diversity and build critical awareness. We also need to improve media literacy, for example through tools like the NewsGuard browser plug-in, which utilises a team of journalists to check the credibility of news media against a transparent list of journalistic criteria in order to give more credible sites a green tick, and potential sources of disinformation a red cross. This helps to give users a sense of the provenance of what they are seeing.
But we also need immediate action. We need to see an improvement in how we detect and call out disinformation, notably through the StratCom task forces and the EU Hybrid Fusion Cell. We need to better protect elections by working with Member States on cyber-enabled threats, including through the new disinformation Rapid Alert System. And we need to see the internet platforms step up and make real progress on their commitments, including those they signed up to in the Code of Practice.
These commitments include urgent improvement in how adverts are placed online, greater transparency around sponsored content, the rapid and effective identification and deletion of fake accounts, clearer rules around bots, the more effective promotion of alternative narratives and greater clarity around algorithms.
All of this should of course be subject to independent oversight and audit.
Last month, we published a report on the progress made by the internet companies under the Code – and while recognising the work they had done, we had concerns about the slow pace of progress. We made it clear that they need to go further and faster if their efforts are to have the required impact ahead of the elections in May.
We are reporting monthly to maximise the use of the time remaining – February’s results will be published in the coming days.
We are also continuing to implement our proposals of September 2017 to address ‘classic’ cybersecurity threats targeting systems and data. We are rolling out the new EU cybersecurity strategy in order to build our resilience, strengthen our deterrence and support Member States in cyber defence. This includes the creation of a genuine European Cybersecurity Agency, as I mentioned earlier, as well as a network of competence centres to improve our resilience.
And we have taken important steps on deterrence, to create real and credible disincentives for those who might contemplate cyberattacks, including improving law enforcement access to electronic evidence.
We have put in place a set of measures for a joint EU diplomatic response to malicious cyber activities, the cyber diplomacy toolbox, which includes working together with third countries and – if necessary – restrictive measures.
And we are in the process of developing a cyber sanctions regime, and working to enable better attribution of cyberattacks.
Our efforts to strengthen cybersecurity in the EU – whether in the short, medium or long term – will continue, no matter what happens in the European elections, and whatever happens around Brexit. The malicious actors who seek to harm us are certainly not going anywhere, and it is only by working together – including at European level – that we can successfully tackle these threats, and avoid a true ‘security meltdown’.