Written by Etienne Bassot
In 2017, Russian influence campaigns orchestrated via US-based social media continued to arouse deep anxiety in Western democracies. The scope of the Kremlin’s interference in the 2016 US presidential election campaign was steadily revealed throughout 2017. A declassified US intelligence assessment from early 2017 said that the Kremlin had used professional ‘trolls’ (internet warriors) and Russian state broadcaster RT ‘as part of its influence efforts’. A year on, social media giants finally revealed to US lawmakers that pro-Kremlin players had bought and published divisive advertisements, amplified by bots and algorithm-enhanced human interactions. Aimed at influencing both liberals and conservatives, these adverts succeeded in reaching up to 126 million Americans on Facebook alone. Furthermore, a number of EU Member States – including the United Kingdom and Spain – have accused Russia of interfering in domestic elections and/or referendums, and the pressure on tech giants to share information and assume greater responsibility for content keeps mounting.
EU steps to curb influence campaigns
In the light of these developments, the EU High Representative, Federica Mogherini, has faced growing pressure – including from the European Parliament in a 2016 resolution on counteracting anti-EU propaganda by third parties – to reinforce the East StratCom task force. Since its creation within the European External Action Service (EEAS) in 2015, the task force has relied on seconded staff and a network of volunteers to collect disinformation stories (more than 3 300 examples in 18 languages to date), which it analyses, debunks and publishes in its weekly newsletter. Mogherini is expected to ask for more resources for the StratCom team in early 2018, despite warnings from the Kremlin that boosting StratCom could further strain EU-Russia ties. The 2018 EU budget, approved by the Parliament in November 2017, includes the Parliament-initiated €1.1 million pilot ‘StratCom Plus’ project, to be implemented jointly by the European Commission and the EEAS. It aims to increase EU capacity on fact-checking disinformation in and beyond the EU, by boosting the skills of staff (at Commission representations in Member States, and EU delegations in Eastern Partnership countries and in the Western Balkans), who will report to the EEAS and to the StratCom task force within it.
In June 2017, the Parliament passed a resolution on online platforms and the digital single market, stressing the ‘importance of taking action against the dissemination of fake news’. Subsequently, the Commission launched a public consultation on ‘fake news and online disinformation’ and set up a high-level group of experts representing academia, online platforms, news media and civil society organisations. The results of the public consultation and a related Eurobarometer survey will be published in March 2018, and a report from the high-level group is expected in April. The Commission plans to publish a communication on fake news and disinformation in spring 2018.
Growing international cooperation amid increased hybrid threats
EU-NATO cooperation increased in 2017, in accordance with the July 2016 global strategy for EU foreign and security policy, which envisaged stronger ties and cooperation with NATO, as well as the July 2016 EU-NATO joint declaration. Following the April 2016 joint communication by the Commission and the High Representative on a joint framework on countering hybrid threats, a European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) was inaugurated in Helsinki in October 2017. The decision by 10 EU Member States (Germany, Estonia, Spain, France, Latvia, Lithuania, Poland, Finland, Sweden and the UK), Norway and the United States to open the centre is in itself seen as a sign that tensions produced by Russia through its influence campaigns can no longer be ignored. Both the EU and NATO have been invited to support the steering board, and participation in the centre’s work is open to all EU Member States and NATO allies. The centre maintains close contact with the EU Hybrid Fusion Cell, set up within the EU Intelligence and Situation Centre structure and fully operational since May 2017. Whereas other centres have been established under NATO auspices in EU Member States, such as Estonia, Latvia and Lithuania, the one in Helsinki is the first to link NATO and the EU. This unprecedented level of EU–NATO cooperation is set to continue in 2018 in addressing hybrid threats, in line with the July 2017 joint report on the implementation of the joint framework.
Cybersecurity: a shift towards increased regulation
In 2017, the EU and the world continued to face multiple evolving cyber-threats, with ransomware attacks of unprecedented scale and massive data breaches hitting the headlines. It is estimated that, every day, over 5 million data records are lost or stolen and more than 4 000 ransomware attacks are launched. Europol’s Internet Organised Crime Threat Assessment (IOCTA 2017) warns of a growing number of such attacks against critical infrastructure, such as hospitals, law enforcement agencies and transport companies, causing severe disruption. In addition, ongoing digitalisation has opened new doors for cyber-attacks targeting elections, which, according to the IOCTA, can take multiple forms: denial-of-service attacks against campaign websites or online electoral services, attacks against voter registration or voting machines, or exfiltration of data. In whatever form, they aim to undermine the integrity and credibility of elections. Ahead of the European elections in 2019, the European Parliament faces the risk of becoming a target of both influence campaigns and cyber-attacks.
Against this backdrop, some analysts expect governments to intervene further and demand more responsibility from businesses. At the EU level, two key legal instruments will enter into force in May 2018: the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR). The NIS Directive will require companies identified as operators of essential services to take appropriate security measures and report serious incidents to national authorities. The same requirements will apply to digital service providers (search engines, cloud computing services and online marketplaces). Under the GDPR, businesses will have to notify both customers and authorities about data breaches. Fines for non-compliance can reach up to €20 million or 4 % of annual revenue.
The EU’s efforts to step up action in this field translated into the adoption, in September 2017, of a new overarching approach to cybersecurity in the form of a package aimed at increasing cyber-resilience, enhancing criminal law response and reinforcing international cooperation. Under the ‘resilience’ pillar, the package includes a legislative proposal – a ‘cybersecurity act’ – to strengthen the European Union Agency for Network and Information Security, ENISA, and to transform it into an EU cybersecurity agency with full operational capacities. In October 2017, MEPs adopted a resolution on the fight against cybercrime, urging Member States to invest more in cybersecurity to prevent attacks aimed at destroying critical infrastructure and destabilising societies. MEPs also advocated improving information exchange through Eurojust, Europol and ENISA, and investing in education to address the lack of qualified IT professionals working on cybersecurity.
Read the complete in-depth analysis on ‘Ten issues to watch in 2018’ on the Think Tank pages of the European Parliament.