2013-12-02
Abstract
Wout de Natris urges parliamentarians to facilitate cooperation across borders and asks: why is it necessary, in 2013, to give up a little bit of sovereignty and territoriality?
Copyright © 2013 Virus Bulletin
A few years ago, it was common when discussing anti spam enforcement with international colleagues to hear the despairing cry: ‘It’s the Internet, so we cannot do anything!’. This is what I heard straight after a presentation I gave to EU colleagues in which I showed that having an effective anti-spam law – i.e. one with an agency behind it that can act, enforce and punish – can be successful; and, worse, during training on how to investigate and enforce ‘the spam law' (to be accurate, art. 11.7 of the Telecommunications Act (May 2004)) successfully.
In autumn 2013, it seems that parliamentarians in 11 EU Member States are failing to grasp today’s reality – their reaction has been similar to that described above, and in drawing the yellow card against an EU public prosecution office, they have moved backwards instead of making a leap into the future [1]. It’s almost as if to say: ‘We do not want to act.’
But why is it necessary, in 2013, to give up a little bit of sovereignty and territoriality?
The proposed EU prosecution office was only concerned with a very specific topic: fraud committed with EU funding or embezzlement of EU funding; away to follow up on audits that have shown that something has gone terribly wrong; a way to prosecute from the same place the funding came from, i.e. Europe. This is a very specific proposal in the ‘old’ world.
I do not want to go into discussions as to whether the nation state as we know it is on its last legs because of the power of the Internet. There’s no way of predicting this.
What I do want to look at is whether the developments that are going on around us, and which are quickly becoming a part of our daily lives and routines, should force representatives of nation states to look at sovereignty and territoriality with a broader perspective than they do currently.
Over the past few years, we (at least those of us that are connected to the Internet – which in The Netherlands is said to be 94% of the population) have moved into a ‘new’ world. The way in which physical and digital lives have converged allows for policy makers to stop making the distinction between the two. ICT improves the quality of our lives considerably, and our dependence on ICT is growing by the day. In fact, the digital realm has become such an integral part of our daily lives that the difference has become moot when we talk of cybercrime and ‘regular’ crime. At present, people are even being connected directly to the Internet through chips placed inside their bodies: there are apps on cell phones that measure the body’s functions (and share these with whom?) and implanted medical devices that control insulin injections and regulate pacemakers. So, what happens if the chip inside someone is hacked – there is no security by design in there – and it fails to share crucial, life saving data because the chip is in the middle of a massive DDoS attack against a website or a nation state? Hypothetical? Just remember why former US Vice President Cheney disconnected the chip in his pacemaker from the Internet [2] – which was the exact function that could potentially save his life. We are only at the beginning of this revolutionary development.
It is not necessary at this point to go into how the Internet can be used for nefarious purposes. This is what we live with and read about every day. Added to this is the fact that nation states are spying on the world at large. The point that is important to make here is that there is a race for power and control in the physical world, far beyond the realm of anti-terrorism. Just look at the individuals, public and private, who were spied upon, and it becomes clear that anti terrorism is not the sole objective. Let’s not kid ourselves that the US is the only nation state doing this.
The above does put a different perspective on the reaction of national parliamentarians to the proposal for a very small EU prosecutor's office. The creation of EU institutions that can actually make the Internet safer for the EU as a whole by empowering these EU institutions accordingly, is effectively being blocked by national sentiments. Can the EU afford not to have institutions of this sort?
The cry ‘it’s the Internet, we cannot do anything’ is easily countered. No matter how many digital borders are passed, or how many different actors ‘elsewhere’ are involved, the crime is ultimately committed on somebody’s doorstep, from somebody’s device – in a nation state, with an agency responsible for an investigation. The challenge here, of course, is in gathering all the pieces of evidence together when many actors in different states are involved. Often this challenge is overwhelming, and the crime is ignored as a consequence.
Looking at the European Union, the reflexes discussed in this article go all the way back to the Treaty of Westphalia [3] – an age in which government officials travelled to international treaty conferences on horseback or by horse drawn carriage, over pot-holed dirt roads. Officials and messengers often travelled for days or even weeks to reach the negotiations over distances that are now travelled physically in a few hours at most, and digitally covered in fractions of a second. The fact that, in 2013, EU institutions such as EC3, Eurojust and ENISA can still effectively do nothing decisive where fighting cybercrime and equally where defending cyber resilience and security are concerned, and that the institution of a European prosecutor’s office is anathema to most western European countries, is a reflex that seems to have no grasp of today’s reality. Let us not forget that these organizations are seldom if ever in a position to debate their predicament to parliamentarians or civil servants. They have lawful tasks to execute, it is not their role to debate (international) politics. It is here that coordinating bodies at a higher level than a nation state come into play, and could make a difference.
We live in an age in which decisions that truly matter to citizens and nation states alike – e.g. how the Internet works, where data is stored, the voluntary adoption of standards that secure all end-users, the storage of sensitive privacy data, the (in)security of devices, the development of security by design, the Internet of things, etc. – are neither made nor truly influenced by governments. Instead, these decisions are made by multinational corporations and by self regulatory bodies around the Internet, and even in the attic of a home in Laos, where a 15-year-old creates the next killer app – without security by design. National borders don’t have anything to do with the decisions made here. Neither do criminals observe borders as we know them. Politicians and governments seem to be the only ones looking at borders. It is time for them to focus on where they can (and want to) have influence. (Many do, I know from experience.)
One step would be to provide for prior conditions necessary for cybersecurity, e.g. enforce a duty of care or create a level playing field for all actors that allows a smooth adoption of standards. Another would be to protect public interests by truly enforcing the rule of law. If that becomes nearly impossible to achieve effectively at the national level due to the nature of the Internet, one of the most obvious solutions is to allow international coordination on the topics of cybercrime, cybersecurity and spam and malware enforcement. (This article is mainly about the digital domain. The same argument can, of course, be made for international organized crime in the physical world.) The obvious place to start this experiment is at the EU level. And, yes, that means that small parts of sovereignty and territoriality would be surrendered. If a country truly strives to battle cybercrime successfully, there is no other option. The issue is digital, so by its very nature involves other nation states and actors in other countries. In complex, cross-border cases, EU bodies in the near future ought to be able to take the initiative in investigations and create teams consisting of representatives from involved national institutions to gather intelligence and to investigate cases, or solve security crises together. It is a mistake to think that any case or threat in 2013 is a national affair. It almost never is. If the Member States of the EU can’t solve this issue – and do so soon – there is not much hope for fruitful cooperation with countries outside of the EU. Note, I speak here of coordination. The judicial actions, and with that democratic oversight, can remain in place just as they are today.
Consider a mediaeval castle, the Dutch Waterline or the Maginot Line – they have all become outdated because of the modernization of attack techniques. New lines of defence are necessary in the digital age, and to look at them only from a national level (even just from a governmental point of view) is an ancient reflex. International coordination and cooperation is necessary and it is needed now.
The Internet has become an integral part of our lives. The difference between the physical and digital worlds is disappearing fast. Now it is also time to take necessary steps in the governance of nation states. An EU prosecutor's office is just the sort of institution needed here. Giving coordinating powers to EU institutions is about coordination and initiative, about bringing the right people together. It’s about solving crimes, diminishing threats and catching perpetrators. It’s about true cooperation across borders with urgency and effectiveness. It is not about national prosecution in the end phase of a case. Every second wasted is another successful attack. The decision as to who takes someone to court and where, is another discussion. This does not have to change at all. But this topic is about the future. It is time to act accordingly. Are there truly any other options?
