
Europe has been lulled into a false sense of security. Christian Have at Logpoint reflects on cyber-sovereignty and explains why there are some fundamental challenges to achieving it completely.
Barely a month after the National Cyber Security Centre (NCSC) issued a warning that the SVR, Russia’s Foreign Intelligence Service, is actively exploiting vulnerabilities, its CEO, Richard Horne, has stated the cyber-threat is “widely underestimated” and that nation state actor activity has “increased in frequency, sophistication and intensity”.
He highlights the “UK’s growing dependency on technology and adversaries who are conspiring to use it against us”, which really cuts to the heart of the matter: can we trust the technology we use?
It’s not just the prospect of our technology coming under attack but also being used to surveil us. There’s now much greater awareness of the potential for foreign powers to infiltrate society through technical infrastructure, with governments stripping out Chinese equipment from telecoms and CCTV networks, for instance.
The EU Commission and the UK have banned TikTok on government devices and in parliament, citing similar concerns. But threats are also materialising across the pond among our allies.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) grants American intelligence agencies far-reaching surveillance powers and can be used to monitor vast quantities of emails, text messages and phone calls without a warrant. Earlier this year it was extended, both in terms of time and scope, for a further two years. Because FISA enables these authorities to collect, use and disseminate electronic communications stored by U.S. organisations, it contravenes GDPR.
Transferring personal data outside the EU is permissible only if the receiving country offers an "adequate" level of protection; FISA therefore renders such data transfers potentially illegal. It’s an issue that was raised during the Schrems II case, which invalidated the Privacy Shield framework, a previous attempt to regulate transatlantic data flows.
The Data Privacy Framework (DPF), which succeeded the Privacy Shield, has already been criticised for failing to address FISA. That means a "Schrems III" challenge may well be on the horizon, which could again disrupt U.S.-EU data transfers.
The US elections have only added further fuel to the flames. Trump’s win means a protectionist agenda is set to dominate geopolitics over the course of the next four years as he pursues policies that put American interests first. The expectation is that he will choose to impose trade tariffs on foreign goods, although this could prove detrimental to big tech, and to reduce military support for Ukraine.
Ultimately, these moves along with FISA and a possible relaxation on spyware are likely to erode trust between the US and Europe.
In this new era, new lines will be drawn. We’ve already seen Microsoft admit that it can no longer guarantee that data from the Scottish police service over its Azure and Microsoft 365 platforms will be held in the UK, for instance, despite this being a legal requirement. This could prove a slippery slope that compromises the concept of data sovereignty which is key to cyber-resilience.
These draconian regulations, geopolitical tensions and the dominion of big tech will compel businesses to take a long hard look at how their data is stored and protected. There will be a growing demand for technology to be supplied and managed on a regional basis as organisations seek to exert control over their cyber-security, a drive that is now being referred to as cyber-security sovereignty.
Digital infrastructure is essential to modern economies and protecting that will require governance over the tools we use. But achieving cyber-security sovereignty will not be easy.
Many of the core solutions businesses rely upon, such as Security Information and Event Management (SIEM), come from US vendors, which typically dominate the industry. These vendors would be compelled under FISA to hand over data regardless of whether this is in the best interests of the customer or whether doing so contravenes data privacy regulations.
What’s more, procuring technology and services from US vendors not only puts the organisation’s data at risk, but also that of its customers, users and partners.
Looking to European cyber-security vendors is the only sustainable way to minimise exposure to US and other third-country surveillance risks and to protect data. These solutions are designed with EU data protection regulations, like GDPR, in mind and are not subject to FISA. In addition, the organisation can elect to use an on-premises solution to ensure it has full control over its data.
Taking such steps will require the business to conduct a thorough audit of the estate to determine where dependencies lie, whether those systems have access to other parts of the infrastructure, and the sensitivity of the data they can access. It may prove difficult to remove all dependencies, necessitating a risk-based assessment to identify the systems which are the most critical.
Swapping out those solutions for alternatives that can be locally managed and maintained can then be considered. While initially disruptive, this will provide real gains in terms of enhanced data security, regulatory compliance, and independence from foreign surveillance.
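As an added illustration (not from the article or from Logpoint), the audit and risk-based assessment described above can be expressed as a scored inventory: each system records its vendor's jurisdiction, whether the vendor hosts it, the sensitivity of its data and which other systems it can reach, and exposure is ranked by the most sensitive data within its transitive reach. The sample estate, the weights and the set of "home" jurisdictions are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

# Jurisdictions treated as "home" for this exercise (an assumption, not a legal ruling).
HOME_JURISDICTIONS = {"EU", "UK"}


@dataclass
class Dependency:
    """One system or vendor service in the estate (constructed for this example)."""
    name: str
    vendor_jurisdiction: str            # where the vendor is legally based, e.g. "US"
    deployment: str                     # "saas" (vendor-hosted) or "on_prem"
    data_sensitivity: int               # 1 = public ... 4 = regulated / special category
    accesses: list[str] = field(default_factory=list)  # other systems it can reach


def reachable(inventory: dict[str, Dependency], start: str) -> set[str]:
    """Every system transitively reachable from `start` (cycle-safe, excludes start)."""
    seen, stack = set(), list(inventory[start].accesses)
    while stack:
        node = stack.pop()
        if node in seen or node not in inventory:
            continue
        seen.add(node)
        stack.extend(inventory[node].accesses)
    seen.discard(start)
    return seen


def exposure_score(inventory: dict[str, Dependency], name: str) -> int:
    """Most sensitive data in reach, scaled by blast radius, foreign jurisdiction and hosting."""
    dep = inventory[name]
    reach = reachable(inventory, name)
    max_sens = max(inventory[n].data_sensitivity for n in reach | {name})
    jurisdiction = 1 if dep.vendor_jurisdiction in HOME_JURISDICTIONS else 2
    hosting = 2 if dep.deployment == "saas" else 1
    return max_sens * (1 + len(reach)) * jurisdiction * hosting


def prioritise(inventory: dict[str, Dependency]) -> list[tuple[str, int]]:
    """Dependencies ranked highest-exposure first; ties broken by name."""
    scored = [(n, exposure_score(inventory, n)) for n in inventory]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample estate; names and attributes are illustrative only.
SAMPLE_ESTATE = {d.name: d for d in [
    Dependency("cloud-siem", "US", "saas", 2, ["identity", "hr-system", "endpoints"]),
    Dependency("identity", "US", "saas", 3, ["hr-system"]),
    Dependency("hr-system", "EU", "on_prem", 4),
    Dependency("endpoints", "UK", "on_prem", 2),
    Dependency("web-cms", "US", "saas", 1),
]}
```

Running `prioritise(SAMPLE_ESTATE)` puts the vendor-hosted SIEM first because it can reach the on-premises HR system, so a low-sensitivity tool inherits the exposure of everything it can touch.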
The UK and Europe have been sleepwalking through cyber-space, unaware of the risk posed by nation state actors and of their own dependency on foreign tech. The hope is that the NCSC’s warning will not fall on deaf ears but will instead act as a wake-up call to our respective economies and the businesses they rely upon to protect our data.
Christian Have is CTO at Logpoint
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543