It’s not just Russian tanks and missiles that threaten Ukraine and the Western alliance. Its Russian cyberattacks.
Western democracies need to react against this danger with a common approach to tech regulation.
On January 13, 2022, Microsoft spotted a massive malware attack against Ukrainian government agencies, civil society organizations, and IT organizations. Fake ransomware appeared. File corrupter malware spread. The next day, attacks hit 70 entities, including the Foreign Ministry, the Cabinet of Ministers, and the Foreign and Defense Council. In February, a well-coordinated Distributed Denial of Service (DDoS) attack disabled Ukrainian defense agencies and banks.
From the type of organizations and agencies targeted, one must conclude that these were Kremlin-inspired attacks. More can be expected to follow. For the past decade and a half, cyberattacks have been part and parcel of Russia’s arsenal of hybrid warfare, not only against Ukraine but against the entire West, from foreign ministries, parliaments, to think tanks, all the way to WADA, the World Anti-Doping Agency.
The stakes are enormous. Cyberattacks damage economies, paralyze governments, and endanger human lives. In the mid-term, what goes for Russia goes all the more for China, its partner-in-crime in countering democrats and democracies.
Democracies must resist and make cybersecurity a central element of transatlantic security cooperation. This goes far beyond building NATO cyber centers of excellence such as in Tallinn. It encompasses general tech regulation. The old antagonism between Europe’s insistence on data privacy and consumers’ rights and US emphasis on low regulation and freedom of speech needs to add a third perspective: security, as the grand old man of German diplomacy, Ambassador Wolfgang Ischinger, has written.
The EU’s Strategic Compass highlights the dangers of cyberattacks, disinformation, and malign influence. What needs to happen now is the next logical step: a concerted effort at ‘security proofing’ not only products and services, but also in EU legislation.
This is where the current state of EU regulation is wanting. By compelling tech companies to share data with competitors, the bloc’s Digital Markets Act (DMA) and the Digital Services Act (DSA) pose severe security risks. The obligation to make digital infrastructure accessible to all actors, in the name of non-discrimination will, if nothing changes, include the malevolent actors from Europe’s proven cyber adversaries Russia, China, Iran, and elsewhere. Browser companies should be able to ‘discriminate’ against criminals and hostile state actors – that’s in everybody’s interest.
There is considerable room for improvement in the way the US and the EU handle cybersecurity. Instead of playing up their differences in tech regulation, Europe and US must seek common ground, placing security and defense of democracy at the center of our efforts. Governments and businesses must also seek new forms of public-private partnership in the digital domain.
The real Bad Guys in the motion picture unfolding before our eyes, are not US Big Tech companies. It is the axis of authoritarians, led by Russia under Vladimir Putin and China under Xi Jinping. Democracies need to shape up against them.
Toomas Hendrik Ilves is former President of Estonia and a former Member of the European Parliament. He is a Nonresident Fellow at the Center for European Policy Analysis
Roland Freudenstein is Vice President of GLOBSEC, a Central European think tank.
February 22, 2022