The European Union is poised to adopt sweeping new powers against abuse of internet technologies, including measures to ensure the rapid removal of online terrorist message and an overhaul of regulations designed to counter cyber security threats.
The shift from relying on self-policing by the web giants to remove material that promotes extremism, incites violence or orchestrates plots to a mandatory scheme that would impose punishments for any failures to take action, represents a decisive break with past policies.
The proposal by the European Commission, expected to be unveiled in the coming weeks, will require internet giants like Facebook and Google to remove terrorist content within one hour of publication. Failure to take rapid action after receiving a notification will result in penalties for the providers.
What constitutes a “terrorist” message will be left for individual countries own parliaments. Each member state will be expected to set up a national authority responsible for identifying such content and flagging it to the relevant company, who in turn will be responsible for dealing with it.
“While several platforms have been removing more illegal content than ever before – showing that self-regulation can work – we still need to react faster against terrorist propaganda and other illegal content, which is a serious threat to our citizens' security, safety and fundamental rights," said Andrus Ansip, the vice-president for the Digital Single Market, as EU leaders promised further action earlier this year.
David Ibsen, the executive director of the Counter Extremism Project (CEP), said on Tuesday that it was vitally important that Brussels includes measures to prevent abuse of services provided by cloud computing providers such as Dropbox. “With the EU preparing to launch new legislation on the mandatory flagging and removal of terrorist content next month, now is the perfect time for EU officials to consider the broader online environment and specifically address the terrorist content on cloud computing services,” he wrote on the website EuroNews.
“CEP research shows that terrorist content which has been identified on Dropbox, Google Drive, Microsoft One Drive, as well Amazon Cloud Drive is often removed in approximately one to two days, but is sometimes available for longer. In that amount of time, these often violent propaganda materials can be seen and shared hundreds, if not thousands of times.”
The initiative is part of a wider drive by Europe to tackle the technological crime spree. Separately the EU parliament is expected to vote next week on European Commission proposals on a new collective framework on cyber threats. Jean Claude Juncker, the president of the body, has said the passage of the new laws is a priority for the new term of the parliament.
Alongside the new disposition on terrorism-related content, the Cybersecurity Act seeks to set a framework to prevent the misuse of the tens of billions of connected digital devices expected to circulate by 2020. The interconnection of everyday devices – known as the Internet of Things (IoT) – brought about ever-increasing security challenges, which in 2016 translated into around four thousand ransomware attacks per day.
In some member states, cybercrimes amount to half of all crimes committed every year.
The proposed Cybersecurity Act envisages a number of concrete measures to further strengthen the EU’s cybersecurity structures, including an EU-wide certification scheme that will standardize the safety of products and digital services as well as a blueprint on how to respond quickly, effectively and in unison to large scale cyber-attacks.
The bloc’s cybersecurity agency – ENISA – is expected to come up with the EU-wide system for certifying the security level of internet-connected devices. Its mandate, originally scheduled to expire in 2020, will be extended and its authority and financial stability strengthened.
The framework includes the deepening of cooperation between the EU and NATO and the setting up of a cyber-defence training and educational platform to provide training to companies – 69 percent of which were found to have no basic understanding of their exposure to cyber risks, according to data published by the European Council.
At an IT security conference in San Francisco in April, Mr Ansip highlighted the importance of cooperation between the EU and the US. “We are in the same boat here: If Europe is the target today, the United States could easily be under attack tomorrow,” he said. “This should be a good basis to discuss and make sure that our cyber standards are aligned on both sides of the Atlantic.”
A first EU cybersecurity law went into effect on May 9, requiring firms running “essential” services – including water, energy, transport, health and banking operations – to inform national authorities if they are hit with serious cybersecurity breaches.
Europeans realised the scale of the impact of ransomware attacks on civil infrastructure in May 2017, as thousands were turned away from hospitals. The WannaCry outbreak infected 200,000 across 150 countries.
In the UK alone, more than 80 NHS organisations were affected, resulting in almost 20,000 cancelled appointments and 600 GP surgeries postponed.
Sectors like transport, energy, health and finance have become increasingly dependent on network and information systems to run their core businesses.
Security incidents across all industries rose by 38% in 2015 – the biggest increase in the past 12 years.
Recent figures showed that digital threats are evolving fast. The economic impact of cyber crime rose five-fold from 2013 to 2017, and could further rise by a factor of four by 2019. A recent report has estimated that a serious cyber-attack could cost the global economy more than €100 billion (Dh367 billion).
“The WannaCry ransomware attack in May was a wakeup call for everyone” Mr Ansip said in its aftermath. "Extremists and hackers looking for vulnerabilities to exploit will have to find new, unpatched flaws."