The Corona pandemic has revealed shortcomings in the IT security of the European Union institutions, according to a report by the European External Action Service (EEAS) circulated to member states in May. (Read the report in full here.)
For the more than 40,000 employees of the EU institutions and diplomats, there is no unified channel for secure communication. In many cases, internal coordination between EU staff is carried out via unencrypted e-mails or free services such as WhatsApp and Zoom.
Cyber attacks over past weeks
Over the past weeks, security concerns within the EU institutions have mounted. High Representative Josep Borrell said that amid the pandemic, the EU and member states were targeted by cyber attacks.
The attacks and malicious activity by unknown perpetrators included „significant phishing and malware distribution campaigns, scanning activities and distributed denial-of-service (DDoS) attacks“.
The internal report by the EEAS, which netzpolitik.org obtained through an access-to-documents request, calls for „urgently improving the protection of the EU’s information and communication networks“.
The paper is titled „COVID-19: implications for EU security and defence“. It addresses a range of issues including „hybrid threats“, in which hostile actors such as foreign states combine different methods to undermine the European Union.
„The COVID–19 crisis has also exposed vulnerabilities related to untested and unsecure technologies used for teleworking, as different actors, including State actors, are leveraging the pandemic for malicious cyber activities“, the report says.
Stuck in the Zoom loop
The novel use of video conferences for high-level meetings in the pandemic has highlighted the lack of reliable tools. In April, Maltese finance minister Edward Scicluna caused concern among observers when he dialled in to a Eurogroup meeting using Zoom.
The video-call service has attracted criticism for security and data protection issues. The EU institutions are discouraged from using Zoom until the concerns have been addressed, the Commission said last week.
Earlier this year, the Commission told staff to use the app Signal as a „safer alternative for instant messaging“ amid widespread use of WhatsApp in EU communications.
Privacy watchdogs and activists have long voiced concerns over WhatsApp, a service owned by Facebook. „The metadata goes directly to Facebook and therefore also to the American intelligence services“, says Austrian activist Max Schrems.
While WhatsApp denies passing on metadata to Facebook, the German data protection authority cited the likelihood of such transfers as an explanation when it recently told officials not to use the app.
IT upgrades and a mystery platform
Asked for comment by netzpolitik.org about vulnerabilities in the EU’s internal communications, EU spokesperson Virginie Battu-Henriksson said that „the EU is fully aware of the increased risks following the significant increase in teleworking.“
Battu-Henriksson said that the External Action Service was implementing „a major IT programme aiming to offer a full mobile working capacity to its users with the same level of security as from the office. This programme is already used by a majority of EEAS staff, working from home due to the ongoing coronavirus situation.“
The EU’s foreign service uses its own platform for secure communication, but has been reluctant to share any details about it.
In a recent reply to MEP Moritz Körner, it acknowledged that it uses „a proprietary instant messaging solution“ hosted on its own servers as part of a larger system for sharing classified communication.
However, it declined to provide details about the software used, its origin, or its encryption methods.
„The public release of such details would compromise the security as it would be exploited by adverse actors to the EU and thereby making the system more exposed to cyber-attacks“, the EEAS said in a reply to another access-to-documents request by netzpolitik.org.
Jan Penfrat, a policy expert with the NGO European Digital Rights, finds it „strange when a public authority like the European External Action Service tries to hide which chat software is used internally.“ Penfrat says that the EEAS should be open about its infrastructure instead of relying on „security through obscurity“.
The pandemic has demonstrated the need for more secure infrastructure, says Moritz Körner, an MEP for the German liberal party FDP.
„In the first few weeks of the Corona crisis, European legislation would probably have come to a standstill without the commercial, not entirely safe apps Zoom and WhatsApp. No EU institution can afford to rely on patchy and unsecured communication technologies any longer.“