The new European Commission vowed to make Europe “fit for the digital age” one of its priorities. Speaking in front of the European Parliament in her inauguration speech, Commission President Ursula von der Leyen contended that the EU needs to have “stringent security requirements and a unified European approach” when it comes to cybersecurity.
So far the Commission has been unable to make significant progress, mostly due to being bound by member states’ right to decide on security issues. The bloc also lacks digital enterprises both in number and scale, making it dependent on foreign – predominantly American, Chinese, and Korean – companies for information and communications technology (ICT).
Against the backdrop of mounting anxieties about the need for increased cybersecurity and cyber sovereignty, the coronavirus crisis forced the world to a halt, moving many to work online. European leaders were also quick to adopt the use of video conferencing platforms to facilitate remote working. News and Twitter were overrun with pictures of EU leaders holding online summits to manage the crisis. And the new normal has quickly shown how unprepared the EU is for addressing arising cybersecurity concerns.
The Zoom scandal
As the COVID-19 crisis has been escalating, Zoom, an American video conferencing app, has seen an unprecedented explosion in traffic. But as the number of users started growing, so did concerns about online privacy. Experts voiced security concerns about Zoom, calling it a “privacy disaster” and “as bad as malicious software”. Zoom misleadingly advertised itself as using end-to-end encryption. The company also forwarded user data to Facebook for advertising purposes. But maybe the most notorious privacy breaches were cases of “Zoom-bombing” – uninvited people crashing Zoom calls by pre-generating meeting IDs. And these are only the issues that emerged in March.
Seemingly, the initial security concerns were not enough to deter leaders from using Zoom. When on 31 March, Prime Minister Boris Johnson tweeted a picture of a Zoom call between high-level UK officials, it prompted concerns whether leaders understood the risks of their actions. The next day, the government reassured the public that sensitive or classified information would not be discussed over Zoom. In the same statement, they also contended that according to the National Cyber Security Centre (NCSC) “there is no security reason for Zoom not to be used for meetings of this kind”.
In April, a report published by The Citizen Lab, an interdisciplinary laboratory at the University of Toronto, raised concerns about Zoom distributing encryption keys through servers in China. They also highlighted that Zoom’s software development processes are conducted by Chinese subsidiaries.
Zoom did not address the problem of some of their servers in Beijing having access to the encryption keys. But the company admitted that in an attempt to keep up with the spike in demand, it routed some Northern American and European calls through China – with no end-to-end encryption. And while the company said that this only happened in a few cases, they did not disclose the actual number.
While the China threat seems to work better to convince decision-makers than just regular privacy concerns, both EU institutions and the UK government are struggling with deterring staff members from using Zoom. EU institutions contended that Zoom does not comply with data protection regulations and issued internal guidelines for staff to avoid using the platform for work purposes. But some staff members find it difficult to completely ditch Zoom. Without giving away specific details, they quote experiences of running into technical difficulties with other platforms, ultimately having to fall back on Zoom as a backup solution. In the UK, in mid-April, NCSC reportedly advised against using Zoom “to talk about things detrimental to the interests of China”. But sources from the same article mention complaints within Westminster that “the warning was not always being taken sufficiently seriously”.
The Huawei debate
Anxieties about Chinese espionage have been looming over the continent for years now, particularly the case of Huawei and its involvement in building the European 5G networks. Huawei is a top player in 5G, and while it is not technically a state-owned company, there are concerns about the financial and political influence the Chinese government has over it. Some European decision-makers fear that allowing Huawei to build 5G networks would mean the Chinese government could potentially have access to information and data running through them. This makes Huawei a high-risk vendor.
Despite the concerns, Huawei will participate in building the 5G networks in both the UK and the EU. In January 2020, the UK government announced that it would allow the use of high-risk vendors’ equipment in building its 5G network. But they would restrict these companies’ access to critical infrastructure and locations and cap their market share at 35 percent. A day after the UK announcement, the European Commission published a 5G toolbox – a set of recommendations for member states on how to mitigate risks related to 5G and high-risk vendors. The decisions caused friction with the US government, which has been aggressively lobbying for the past two years to sway Europe on Huawei.
But European approaches towards China and Huawei might change as the COVID-19 crisis escalates. In April, British intelligence services warned the UK government that it needs to reassess its relations with China as they expect the country to grow more assertive after the crisis ends. Intelligence services raised concerns especially about Chinese takeovers of tech companies working in areas like ICT and artificial intelligence. Both MI5 and MI6 still support allowing Huawei to build parts of the British 5G network, but there are voices in Westminster pointing towards the need for more diverse suppliers in 6G and 7G. Although the 5G dispute is far from being over, Europe and Huawei might soon find themselves in the same predicament when it comes to building the 6G networks.
If the EU wants to put its money where its mouth is and be cyber resilient, it needs to think ahead. Achieving digital sovereignty will not be an easy endeavor, but it should try nonetheless. Now is the time to implement new measures that will make a difference for the future and allow Europe to efficiently address its fears of Chinese espionage.
The bloc needs to actively work towards having a comprehensive approach to cybersecurity. The 5G toolbox is a small step, but it is a step. And we need more of them. The EU needs to prioritize developing an efficient cybersecurity ecosystem.
In the long run, the EU should support European tech companies and foster European research and innovation at an unprecedented level. This could also help resuscitate European economies following the coronavirus paralysis. One of the ways to go about this would be increasing R&D support for Nokia and Ericsson. The companies have all the potential to become European champions.
The EU should also not overlook the potential in European tech start-ups and SMEs for laying the foundations of a European digital ecosystem and establishing a reliable European supply chain.