PEGA-UntersuchungsausschussStaatstrojaner gefährden die IT-Sicherheit von allen

Am 26. Oktober waren zum zweiten Mal Vertreter:innen der Tech-Branche zu Gast im Untersuchungsausschuss, außerdem die EU-Agentur für Cybersicherheit und das Computer Emergency Response Team der EU. Wir veröffentlichen ein inoffizielles Wortprotokoll der Anhörung.

Jo De Muynck, Vertreter der Agentur der Europäischen Union für Cybersicherheit (ENISA), spricht vor dem PEGA-Untersuchungsausschuss.
Jo De Muynck, Vertreter der Agentur der Europäischen Union für Cybersicherheit (ENISA), spricht vor dem PEGA-Untersuchungsausschuss. – Alle Rechte vorbehalten Europäisches Parlament

Am 26. Oktober hörte der Staatstrojaner-Auschuss zum zweiten Mal Vertretende der Tech-Branche. Dabei waren diesmal Google, die Agentur der Europäischen Union für Cybersicherheit, das Computer Emergency Response Team der EU, sowie CyberWayFinder.

Von der Anhörung gibt es ein Video, aber kein offizielles Transkript. Daher veröffentlichen wir ein inoffizielles Transkript.


  • Date: 2022-10-26
  • Institution: European Parliament
  • Committee: PEGA
  • Chair: Jeroen Lenaers
  • Experts: Shane Huntley (Google), Jo De Muynck (ENISA), Saad Kadhi (CERT-EU), Rosanna Kurrer (Cyberwayfinder)
  • Links: Hearing, Video
  • Note: This transcript is automated and unofficial, it will contain errors.
  • Editor: Julien Schat

Big tech and spyware 2

Jeroen Lenaers (Chair): All right, dear colleagues, it’s 9:06, so I think we should start the meeting. I see all of the most important colleagues are here, so that’s always good. I’m not sure why Sophie is waving now, but thank you anyway. Welcome to everybody. All the fullness of suit members, just two announcements. First three announcements. Actually, we have interpretation in the languages. German, English, French, Italian, Dutch, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian. We are also being selected as the guinea pig for the real time speech to text and machine translation tool, which will facilitate accessibility for the deaf and hard hearing. You have all received the information in your mailbox, but I would like to to highlight it to you anyway. You can download this from your personal device. Should you should you wish you. It’s a pilot. It’s a pilot phase. So we are going to test this and then it might be implemented in the whole parliament. And then we have decided after also the input of the coordinators to even though there are not many formal points to discuss, we still have a coordinators meeting at 11:00 this morning. So for the coordinators and the rapporteur, please, please keep that into mind. Then I look at the agenda. If there is no comments on the agenda, I consider it adopted. Mr. Zoido, 1 seconds.

Juan Ignacio Zoido Álvarez (European People’s Party): Thank you very much. But I thought that there wasn’t a coordinator’s meeting and so I’m supposed to be speaking. Conference outside the parliament. Initially I thought that I wouldn’t be able to go because I had the coordinators meeting and now I was planning to go because I thought there wasn’t a coordinator’s meeting. So could you just tell us precisely.

Jeroen Lenaers (Chair): Yes, indeed, it is all my mistake, by the way. But I cancelled the coordinator’s meeting because we didn’t have any formal points to adopt. However, then there were a number of coordinators who wanted to have a regular exchange of views on some running issues without necessarily having a formal agenda. So I decided if that’s the case, then let’s just do that. And people can we can discuss some of the long term issues that we are we are dealing with without having a formal agenda. So there is I’m not sure if you could be there for part of the meeting, Mr. Zoido, or it’s completely impossible for you, but it won’t have to take long, I think.

Juan Ignacio Zoido Álvarez (European People’s Party): Well, I could be there at the beginning, but I would need to go after about 20 minutes if that wouldn’t be problematic for you. I could get my colleague to replace me after the first 20 minutes.

Jeroen Lenaers (Chair): Thank you, Mr. Zoido. Thank you. Then we start with our hearing. The main point on our agenda this morning is the hearing on big tech and spyware. It’s a follow up of a first hearing we already had. We organise it in in June to discuss the work of big tech companies with regard to their fight against spyware. The second hearing will not only allow us to deepen our understanding of the work of big tech companies, but also discuss with European actors on the current cybersecurity landscape. So we have in our panel today Mr. Shane Huntley, the director of Google Threat Analysis Group, who will speak to us remotely. We have Mr. Jo De Muynck, head of Operational Cooperation Unit at ENISA. We have Mr. Saad Kadhi, Head of CERT EU and we have Mr. Rosen CURRER, Co-Founder and Managing Director of Cyber Wayfinder. So without further ado, I would like to start with our first speaker. I am going to check whether Mr. Huntley is connected remotely and ready to take the floor.

Shane Huntley (Google): Yes, I’m here.

Jeroen Lenaers (Chair): Excellent. Thank you very much for joining us. And you’ve got about 10 minutes to make a first presentation. You have the floor.

Shane Huntley (Google): Good morning. My name is Shane Huntley and I am the director of Google’s Threat Analysis Group. Or Tag. Tag is the team inside Google that analyses and counters serious threats to Google and our users, including government backed attackers, serious cyber criminal enterprises and information operations. TAG is only one part of Google’s large investment in making the Internet more secure. We work with many other teams within the company, including Project Zero. Thank you very much for inviting me to appear before you today. I appreciate the opportunity to explain to the committee how the commercial spy industry is unfortunately thriving, creating risks to Europeans and Internet users across the globe. The business model of commercial spyware vendors is to make money by providing comprehensive and sophisticated cyber espionage capabilities to foreign governments, including both the exploits to gain control of the device and the spyware software itself, which can collect all sorts of personal information. While the vendors claim to vet their customers and usage very carefully and with the promise that they work is used to target criminals and terrorists. What we have observed is consistent with others reporting that again and again. These tools are found to be used by governments for purposes antithetical to democratic values. Targeting dissidents, journalists, human rights workers and political opponents. NSO Group is the most prominent actor offering commercial spyware, often delivered via sophisticated exploits. And with others, we have been working for years to counter this threat and to mitigate the damage. In 2017, Google’s Android was the first mobile platform to warn users about NSO groups Pegasus spyware. At the time, our Android team released research about this spyware that was used to target an attack on a small number of Android devices. We notified the users, remediated the compromises and implemented controls to protect all Android users. In 2019, we quickly fixed a vulnerability in Android, discovered by examining examining some leaked marketing material from NSO. In December 2021, our Project Zero team published research about novel techniques used by the NSO group to target iMessage users. This was a zero click exploit, meaning iPhone users could be compromised by receiving a malicious iMessage text without ever needing to click a malicious link. We assessed this to be one of the most technically sophisticated exploits we had ever seen. NSO is not the only actor in this space. Tag is actively tracking more than 30 vendors with various levels of sophistication and public exposure, selling exploits or surveillance capabilities to government backed actors. We have publicly taken action to discover and counter exploits and malware produced by Equus, Citrix Kangaroo and Arcs Labs. And countering these threat actors is becoming a bigger part of our work. In 2021, we identified nine zero day vulnerabilities used by government actors, and seven of these were originally developed by commercial surveillance vendors. The proliferation of commercial hacking tools is making the Internet less safe and threatening our digital society and our national security. That is why Google is working collaboratively with civil society groups like the University of Toronto Citizen Lab and industry peers with companies like Apple to counter threat actors through actions like working to patch vulnerabilities and proactively warning users about attempts to infiltrate their accounts. In this debate, I.

Jeroen Lenaers (Chair): Interrupt for one second. If you could speak a little bit slower, it’s easier for the interpreters to translate you into the other languages.

Shane Huntley (Google): Thank you. All right. My apologies. We are also active in this debate in Europe. Only yesterday, our president of global affairs and Chief Legal Officer Kent Walker was in Brussels where he discussed these issues with the chair and commissioner, your server and civil society representatives. In addition to our direct work to counter these threats. We also work to develop and deploy security features and protections to protect our users across our products. This includes specific programmes targeted for high risk users and programmes such as the Advanced Protection Programme and Project Shield, which is defending sites of over 200 news and humanitarian organisations in Ukraine from online attacks. EU policy team is at your disposal if you wish to learn more about these initiatives. We appreciate the committee’s focus on this issue and welcome EU efforts to counter threats from foreign commercial spyware. We also urge the European Union to lead a diplomatic effort to work with the governments of countries who harbour problematic vendors and those who employ these tools to build support for measures that limit time. But this industry, while we continue to fight these threats on a technical level, the provider of these capabilities operate openly in democratic countries. Thank you for convening this important hearing. Google is committed to leading the industry in detecting and disrupting the threats posed by commercial spyware. And I look forward to answering the committee’s questions.

Jeroen Lenaers (Chair): Thank you very much, Mr. Huntley. I immediately passed the floor to my left to Mr. De Muynck, the head of Operational Cooperation Unit at ENISA, which is of course the European Union Agency for Cyber Security, headquartered in Greece. You also have 10 minutes.

Jo De Muynck (ENISA): Thank you, Chair, and also thanks for inviting me here. Please say when I’m also speaking too fast because I have this tendency. So the European Agency for Cyber Security, ENISA is dedicated to achieving a high common level of cybersecurity across the EU. It advises the on the EU cyber policy implementation and enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes. Cooperation with the Member States and the EU bodies and thereby helps you to prepare for future cybersecurity related challenges. It focuses on a number of things, but the most relevant relevance to to this is knowledge sharing, capacity building, awareness raising and cooperation with key stakeholders amongst others. Operational cooperation. Then ENISA regularly publishes good practises, studies and reports covering key topics of cybersecurity and also some recent related public related publications. Rather, are the yearly threat landscape reports that we publish and dedicated reports on, for example, ransomware and supply chain risks. Good practises on Iot, smart infrastructures, but also various studies on the topic of vulnerability disclosure, including also good practises there. As part of this, ENISA has previously also published a detailed report about the economics of vulnerability disclosure since the economic aspects of this. Similar, our abilities is often overlooked and poorly understood. So the report intends to help and explain why some vulnerabilities are disclosed responsibly, while others are kept secret and possibly sold via vulnerability brokers. Important stakeholder engagement is through the facilitation of the European Sea Source Network. So there is a technical level and the newly formed and Networked Cyber Crisis Liaison Office of Network, rather the cyclone which will be institutionalised within this tool directive. ENISA stimulates this cooperation because it facilitates also effective cooperation information exchange for faster response and proper coordination efforts at all levels of strategic, operational, technical and communications. Following to a certain extent outside of the these direct lines of of work within the mandate of ENISA. We also have published together with Europol, a publication which highlights the importance of finding the balance between cyber security and law enforcement approaches, and specifically on the importance of proportionality of the use of intrusive investigative tools. The statement specifically underlines the importance of the selection of of the least intrusive measure to achieve the investigative objective. Now, Pegasus issue highlights some challenges connected to mainly mobile security from a technological perspective and connected to the ability of private sector offensive actors to produce and sell products like Pegasus. It goes without saying that the security of mobile devices remains far from optimal. I could also give you some numbers, but in I mean, in June 2022, for example, there were roughly 10 million mobile adware, Trojans that were downloaded. So that gives you a little bit of the scope of things. Providers of mobile app stores have been very swift to remove the malicious applications. However, they often remain for a very long time. Undiscovered. Also, the targeted mobile malware continues to be a very important threat throughout 2021 and 2022. Now, when it comes to the private sector offensive actors, we have observed an overall increase of this offensive actors worldwide and the existence of a more significant commercial surveillance industry within the last years. As part of its current threat landscape, let’s threat landscape or other such hacker for higher threat actors, we refer to them as axis as a service markets, and they are mainly comprised of companies that offer offensive cyber capabilities. The market around the so-called zero click mobile hacking continues to thrive, with additional publicly known companies, as well as several suspected entities offering similar frameworks as the one as Pegasus easier accessibility of computer intrusion technologies such as surveillance systems may make. It’s increasingly difficult to regulate the proliferation proliferation of such tools in order to protect societies for alleged illegitimate use. Vulnerabilities are clearly at the basis of this issue and of these attacks. So a villain to be a vulnerability is called a zero-day as long as no security breach, no security patch reader is available. And so we see that these numbers of similar abilities are growing yearly with also important, vulnerable and important vulnerabilities, rather being seen out in the wild. So where do the solutions lie in the EU and ENISA? We are taking actions already to enhance civil society security. So in order to mitigate the risk, I think we need to look at it from different angles. So one side, we strongly recommend and encourage the application of coordinated responsibility, vulnerability, disclosure practises. This is basically a structured manner and a process through which vulnerabilities are reported to organisations in a manner allowing that organisation to take actions to diagnose and remedy the vulnerability at hand and then publish it together with the patches. So this effective tolerability management and disclosure increases the product’s security and helps to reduce the attack surface of IT products. I think this needs to be paired also with regulatory measures such as the Radio Equipment Directive and the upcoming Cyber Resilience Act. This Cyber Resilience Act. So the Commission proposal on this regulation is basically a key in this and it is basically taking a new approach by calling upon manufacturers to invest more in the cybersecurity of their products, by bolstering cybersecurity rules and adopting clear cybersecurity by design and security by default configurations. And. It has the potential, I believe, to greatly impact the proliferation of spyware like Pegasus, since, for example, the maintenance of system access may not be kept up as easily for these offensive actors I mentioned previously. Over a longer period of time. Now, in terms of solutions, there is no silver bullet. And this can only be a combination of elements and the balance of considerations. The elements are known. It’s about implementing the rule of law and in certain cases establishing it’s using import export, licencing and dual use legislation wisely. But it’s also about promoting transparency, making sure that users are aware. So awareness raising and active information exchange in the EU, such as through the CE source, network and cycle. Vulnerabilities are widely used in software. Vulnerabilities in widely used software and hardware can cause immense societal societal harm, rather which undermines the trustworthiness of its products. Hence, we need to up the bar in the EU and the legislation such as the certification framework, but also the upcoming Cyber Resilience Act, will enable, I think, the EU to find the right balance and only by promoting. Cybersecurity by design. Privacy by design. Making the products and IT Devices we buy and use resilient to these cyber attacks and intrusions. And by embracing the coordinated vulnerability disclosure reporting and by seeking proportionate use of the technology, we can set the economic incentives needed for tackling an increasing commercial spyware markets and prevent the further undermining of the trust in ICT products. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. De Muynck. We immediately move to our next speaker, Mr. Saad Kadhi. I hope I’m pronouncing that correctly. Head of Cert EU, which is a computer emergency response team for the EU institutions, bodies and agencies. You also have the floor for 10 minutes.

Saad Kadhi (CERT-EU): Thank you. Good morning and thank you for inviting me here to speak about this very important issue. So let me explain what CERT-EU is, and then I’ll delve into how this is of concern to us and to the EU institution bodies and agencies. So CERT-EU is the cyber defence entity of all the EU situation bodies and agencies? We protect the 88 different EU institutions, bodies and agencies that are located all over Europe. So including the European Commission, the European Parliament, the European Centre for Disease Control, European Medicines Agency and so on. We also cover the civil missions of the European External Action Service. Sorry. So with that, we have a footprint of about 100,000 users spread again all over Europe and ranging from very mature institutions such as the European Parliament or the European Central Central Bank or the European Commission, for instance, to very small entities. I think the smallest agency that we cover is the European Institute, European Union, Institute for Security Studies located in Paris. These are 20 people. So our mandate give us a role in to do two things, basically to act as this cybersecurity information exchange hub of all these institutions, bodies and agencies between themselves, but also with the external world, including this is our network that your has mentioned before. We are a member of this network, so we collaborate very closely with the cyber defence entities of the Member States, the national and governmental systems and search, but also with, I would say private partners such as Google or Microsoft and others and peers from outside of the EU. So that’s one side of our mind. And the second side is we act as the incident response and coordination centre for all of these 88 institutional bodies and agencies. So you can see us as a non-commercial managed security service provider, enter into Channel one that provide its services a wide range of services to all the EU ibus as we call them. So for example, we do preventive services, so we provide preventive services such as offensive security, what we call offensive security, which has nothing to do with offensive spyware. So this is basically doing phishing exercises, raising awareness, doing penetration, testing regime exercises with of course, the full agreement of the EU institutions, bodies, agencies that would like to benefit from such services. In addition to that, we also provide incident response capabilities, forensic capabilities, and we do also monitoring threat monitoring for more than 60 of them because our service catalogue is available to all. But they can pick and choose what they want out of it. So let’s take the example of the European Commission of the European Parliament. They have already, I would say, very serious cyber capabilities. So the US on mostly cyber threat intelligence. So our capabilities regarding that are deemed to be world class according to virtually the institution bodies and agencies in our peers. So we have started building this capability since 2013. And for example, for the midsize and the small sized institutions, we provide most of their cybersecurity needs in terms of prevention, detection and response. Now, let me give you a perspective on what we kind of like deal with on a regular basis, at CERT-EU. And then we move into the topics, the topic of today. So let me give you some figures, actually. So in 2019, sorry, 2018, we have dealt with one significant incident. So what we call a significant incident is something that took us weeks, if not months of investigations in including with the victim and sometimes with the law enforcement in person partners from all over the world. But so we distinguish between significant incident and normal incident. So let me go back to the normal incident. So these are traditional I.T incidents, including sometimes also social media impersonations. So between 2019 and 2020, we had to deal with with double the number of incident that we used to deal with from 2020 to 2021. The number of incidents has increased by a mere 7%. So this was not an epiphany moment due to the pandemic, but it is a kind of like a trend that that is here to stay. But aside from that. So if we look at the number of incidents, so doubling between 2019 and 2020 and then increasing by 7% from 2020 to 2021, if we look at the evidence we need to investigate. I would say overall, the incident, they have more than tripled between 2019 and 2020. So the number of incidents has doubled. We have to deal with triple, more than triple, actually multiplied by three, five, exactly the number of events that we have to look for. Why? Because the once the breach a network, the threat actors move very quickly doing what we call lateral movement, trying to infect as many machines as they can, etc.. And if we look at the statistics from 2020 to 2021, while again the number of incidents has increased by only 7%, the number of events that we have to look for has again been multiplied by three or two. So between 2019 and 20, 24, 21 was the number of incidents mostly double doubled. So we had to deal with six times, six times the evidence that we normally do that with back in 2019, with, of course, the same resources you can imagine what strain that force on on us into victims. Yes. Okay. So sorry. So the now with this picture, let’s move again to the significant incident. So in 2018, as I said, we had one significant incident affecting one EU institution, body or agency or EU EBA. I use this term from now on. In 2019 we had eight significant incident. In 2020, we had 13. In 2021, we had 17. And in 2021, we had, for example, one of the biggest attack in our history. And it involved 45 cybersecurity experts working over the course of seven months, seven months. Non-stop to deal with one significant incident. So this was just kind of like show you the capabilities that certain threat actors have. And if we count the number of institution bodies that you just see that have had significant incidents since the beginning of 2019, we have more than one third of these 88 organisations that experience at least one significant incident. But here’s where it becomes complicated, because what I’m speaking about here is traditional incident and some social media impersonations. But the problem is that while we have got two very good capabilities in terms of monitoring the threats on computers, on laptops, on servers, on routers, in normal LTE infrastructure that we we have had for a number of years, these capabilities are not on the same level when it comes to detecting, okay. Commercial spyware or tools provided put there by the private sector offensive actors, because as you has explained. So these devices require, I would say, more work in terms of looking under the hood interim integration in our threat monitoring capabilities. So we would very much appreciate if in the future we would have the capability to have a better integration of these devices into our threat monitoring capabilities. Of course, we don’t do nothing. We in the wake of the biggest, I would say, issue, we have issued guidelines. We have issued tools to the EU institutions, bodies, agencies to help them detect after the fact the installation of Pegasus. Of course, this is by no means a complete or flawless because we also depends of indicators of compromise and information provided to us by the either the private sector or our peers in the member states, or also through ENISA, because we have a very strong structural cooperation in other, I would say, entities. And we also work very closely with the European Parliament, European Commission and other institutions to beef up our capacities in terms of detection and response. But we are still not there. So if I could make a pledge today for before this committee is, I would really, really encourage you to look into making it easier for incident responders such as us, the capability to detect and respond to incidents involving these smartphones. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. Kadhi. I will now give the floor to Ms.. Rosanna Kurrer, who is the co-founder and managing director of Cyber Wayfinder and was also Cybersecurity Personality of the year 2021 in Belgium. I would like to ask the colleagues who would like to participate in the Q&A afterwards to indicate it. Now, during the presentation of Ms.. Caruso, we can close the speakers list. Ms.. Kurrer, you also have the floor for 10 minutes.

Rosanna Kurrer (Cyberwayfinder): Thank you. Thank you so much for inviting me here. It’s really an honour, but also I’m happy to really a message from both from private sector cybersecurity. Just to give you a context of my background, so I’m a co-founder of Cyber Wayfinder and what we do is since 2000, we started in 2016 but launched our programmes in 2017, we’ve been engineering career transitions, so helping non-tech profiles enter the career of cybersecurity. So we’re mission driven and our mission is really diversity. So increasing diversity in cybersecurity teams. Okay, now I go just to give you the context and now I go to my presentation. So first we have to understand why are we doing this? Why do we need to protect and our why is actually connexion. We need these connexions not only for political reasons, economic reasons, but also social reasons. So technology gives us something wonderful that we actually do want to advance. We want to advance in in all technological innovations. But there are roadblocks. And one of the main roadblocks is insecurity. We have increasing cyber crime. It’s getting the bar to to hack into any kind of organisation is actually easier. You don’t even need a deep expertise in technology. Like my colleague said, there are ransomware as a service. It’s you don’t need to to be qualified a computer science genius in order to hack into organisations, public sector and private sector organisations. So you see it cost $10.5 trillion. This is an estimate, but probably it could be more because most victims actually do not come forward and inform of when they are breached or when they have lost control of their systems. So and it’s it’s going to increase now that we have increasing tech. Energy. More connexion possibility. Faster connexions. That means 5G, for example, will will enable the Internet of Things, which we actually also say the Internet of vulnerable things, because these are usually devices that we cannot patch or we cannot update the firmware. Sorry, difficult to update. So even if these manufacturers are conscious now of security, there’s no you know, it’s very difficult for them once consumers have bought these devices to update them. So what gives us headaches and this is where really what I’m pushing for is, is the cybersecurity skills gap is what they’re saying. And we’ve been talking about this now for more than five years. There is a lack everywhere, whether the global lack, as they say, 2.7, five foot 2.7 million open positions that are not being filled globally. Some people say it’s 3 million in Europe. They say it’s 200,000. Some people say it’s 300,000 jobs not being filled. So there is really a gap in in our cybersecurity landscape. We don’t find the people to to to address all these incidents that we have or even prevent these incidents from happening in our organisations. And this is public sector and private sector as well. So 3.5 unfilled jobs. This is to quote some people in the ISO working group on cybersecurity. This collectively adds up to a threat to an appreciable threat to a nation’s overall economic well-being and by extension, that of society. So the threat of not having enough people to protect our organisations is one of the top risks actually that are facing a lot of cheap chief information security officers off of organisations and on top of that, because teams are now overloaded with incidents. Cybersecurity burnout amongst professionals in the field is also increasing. So if you attend cybersecurity conferences, there’s usually one or two speakers talking about burnout and the mental health of cybersecurity professionals. So how do we do this? What do we do? So I think also that part of the problem is that we have an image problem. When you say cybersecurity, people think that you need to code, you have to be able to have a computer science background and all that. And it does it is helpful, however, because the scope and complexity of the problem has increased that we are facing, you know, a complexity of threats that cannot just be solved by technology. So to quote a CEO here, the war over cybersecurity talent is creating a new scenario. The haves who are armed with a deep bench of experts and the have nots who are understaffed and overwhelmed. And these are what I call the low hanging fruit that for cyber criminals, it’s very, very easy to to exploit. So cybersecurity as a career path, it has an image problem. And that leads to, I would say, the cybersecurity skills gap. So what can we do? So if you see this is a mind map that shows all the different domains in the cybersecurity profession and it goes from governance to risk. There’s training and awareness to security, architecture and security operations, threat intelligence, third party risk assessment or penetration testing. There’s a plethora of skills that we need. So if you think of our cybersecurity team, one amongst them is the incident response team, for example, or threat intelligence team. But you have the security awareness team. You have governance, risk and compliance. You have security architecture that makes sure that systems are designed to be secure. And there’s also career development. So, you know, it’s like having a company within a company. You know, so your security team has almost all the functions because with security awareness, you do need communication and marketing skills and you have to be strategic with your risk assessment so that the budget that you have, you are able to use wisely according to the risks that your organisation is exposed to. And we are in a knowledge economy, so we have to understand what are the skills we need. Technology is one of them, but there’s also problem solving abilities, curiosity, lifelong learning and strong communication skills. So we have to think about that as well. And to answer that, we we we have been busy with for the last six years is really enabling career transitions of people already in the workforce, people who understand your organisational structure, the processes who your stakeholders are, they understand how an organised organisation functions. If you train them to understand how to protect and secure systems, then they have an advantage. They’re bringing in a skill set into your cybersecurity teams that normally don’t exist. So teams with diverse skillset, I think is one of the ways to address this cybersecurity skills gap. And so you have to think of all the stakeholders that we are working with. There are the people who are we call the career transitioners, how to make them understand that it’s possible that actually their skills from wherever they’re coming from, whether it’s marketing, finance or legal background, that these skills are necessary to protect our our organisations. And so they just need to upskill or reskill themselves. And so you need trainers, mentors and coaches who know how to teach people, starting from the basic levels of cybersecurity and the technology behind all our systems and networks. And we need hiring managers and team managers who are willing to take a risk on atypical profiles, or you would say do not have a tech background, do not have I.T. skills, but are able to contribute with their transferable skills. So how do we find opportunities for all of these stakeholders in order to come together to build up our teams? And so this is the end of my presentation, but we are cyber Wayfinder so we are active in Brussels, in Luxembourg, and we’ve had a lot of successes. In the first four years of our organisation we were actually women focussed, meaning we only had women in our classrooms. The pivot point for us was during COVID and now we have a really diverse cohorts ranging from age diversity to ethnic diversity, cultural diversity, and even people who are in their forties and fifties who are looking for career transitions coming in with their diverse skillset. So I would say my message is, is that we need to help our our teams become more diverse. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. Kurrer. I move immediately to the question and answer session of this hearing. We will take the questions one by one. So if the speakers also indicate if there is a question for a specific panellist or just in general, and we start as as usual with our rapporteur, Sophie in ’t Veld.

Sophie in ’t Veld (Renew): Thank you, Chair. And I would like to thank the speakers. And I would like to start by a small practical question if we can get the speaking notes of Mr. Huntley because he was saying a lot of interesting and relevant things, but very rapidly. And I want to make sure that I that my, my, my notes are okay. I have to say I was a bit surprised by the interventions of ENISA and Serge because you seem to your talking the whole time about private sector offensive actors. Yeah. I’m sure they’re evil individuals out there who are hacking our phones. But, you know, what we are talking about here is EU governments spying on their citizens and hacking the phones of citizens. It’s not quite the same. And I’m sure that there are all sorts of technical ways of protecting ourselves against, you know, evil rich individuals. But I mean, how many European citizens, individuals can afford buying spyware in order to spy on on others? So that’s that’s simply not the case we’re looking at. But I would like to ask you two things, which do go back to some of the points that you made. One is I’d like to hear a little bit more about the vulnerabilities in the exploit, because we know that there’s very lively trade in vulnerabilities and exploits. And that, on the other hand, and this is a trade, let’s say, connected to the vendors. They are interested, of course, in in buying this stuff. But we know that, on the other hand, public authorities, law enforcement authorities, intelligence agencies, they are stockpiling these vulnerabilities and thereby increasing the risk for our cyber security. I mean, there is a clear there is a clear paradox there or a dilemma. I like to know a little bit more about both, about the trade in vulnerabilities, the stockpiling, and how we are going to regulate that, if not downright banning it. And then the second thing is, and maybe specifically to Mr. Kadhi, is you say you’re you’re able to to trace the attacks to the infections. Does that mean that if you are going to check the mobile phones of those commission officials who have been targeted, in particular the ones where the infection succeeded, will you be able to to identify where that comes from? Because the commission has so far been very, very reluctant to give us any information. They have sort of very grudgingly admitted that there have been infections, but they refused to say how many. We we we hear in the corridors that there may be as many as 60 infections. Have you investigated that? Have you been requested to investigate that? Are you able to investigate it? Can you say a little bit more about that? Because we are not talking about about just any external actor like dark forces, you know, attacking us. We are talking about EU governments. Attacking our citizens and our EU institutions. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Sophie. Let’s take the questions in the order. So maybe first, Mr. Huntley on on the notes. And also you could say something about the vulnerabilities. And then we moved the floor here to the panel in the room of Mr. Huntley.

Shane Huntley (Google): Yes. Thank you. We’ll be more than happy to provide the notes, of course, and will do so after the hearing. The issue of vulnerabilities is very important to us. And, you know, our goal as a company and as a platform provider and we believe this very strongly, is that we do need to build more secure systems and that the as you say, the sort of unchecked trade of spot stockpiling vulnerabilities and its focus on developing and hoarding vulnerabilities is of a real harm to society because it increases risk. And we’ve seen this over and over again where exploits have leaked out from governments who have been holding exploits or they’ve been mis misused. And we’re also seeing that this trade of exploits, where we see threat actors such as NSO and others, are willing to provide these capabilities to a range of governments, not just EU, but around the world. And many governments that do not represent, do not respect human rights. And I think that is of great risk. We saw an exploit against iPhones, the one I mentioned is the most sophisticated ever, and that was a real danger to every iPhone user on the planet. If anybody who was willing to pay NSO was able to hack every iPhone user, then that is a risk to our whole society and we need to clamp down on that.

Jeroen Lenaers (Chair): Thank you. And maybe Mr. Kadhi on first the question on the member states as perpetrators and also the investigations you have done or not on the funds of the European Commission.

Saad Kadhi (CERT-EU): You know, thank you. So on the member states, as for personal infrastructure, I am not representing the member state or by like I work with them as in part of the cybersecurity teams. So I’m not in that area at all. I’m protecting the EU institution bodies and agencies. So as a private citizen, I would say yes, it is indeed a very important debt. Our civil society is protected against what I still call private sector offensive actors and those who buy from them, software that would compromise those devices on the, the, the, the work with the commission and others, etc.. I’m not the Commission again, so I cannot comment on this specific issue for the Commission. However, what I can say is that, sir, to you, when requested to investigate, I would say mobile phones, let’s say for example, we can do that. We have capabilities. Again, as I said in my presentation, they are far from perfect. They are not matching the capabilities that we have on traditional equipment because it’s quite hard to integrate them in our internet monitoring systems. And most importantly, it’s also the indicators of compromise, the thing that we need to kind of like look for the detection and for the response when private sector offensive actor tools are deployed by governments or by wealthy nations, Detroit actors. So these are hard to come by. And I would say in comparison to normal indicators of compromise on computers and laptops, and also when we get those, basically we beg them into guidance into also what tools that we provide to all the institutional bodies and agencies. And in that regard, for example, as I said in my presentation, we cooperate very closely with the European Parliament, but also with European Commission and others in order to make sure that we are able to detect, if possible, and also to investigate. But I’m sorry, I would say you have to ask the question regarding the number of infections and the what’s happened in the commission to the commission, not the commission. Thank you.

Jeroen Lenaers (Chair): Thank you. Mr. De Muynck.

Jo De Muynck (ENISA): Unfortunately, I can only concur with the first on the first question with, uh, with my good colleagues. So I try to answer and to bring this 10 minutes and focussed on the mandate of ENISA. So our mandate is to up the cybersecurity of in the EU. I think looking at the Pegasus, the root cause here is is zero zero-day vulnerabilities. And so I try to look at it from this perspective on how can we as an EU protect ourselves against this huge issue that is there, the zero-day vulnerabilities. And I think then there are different angles, as I mentioned in my intervention on how we can cope with that. And I think trying to deal with that problem, which is the root issue here at Hannes, I think will make only that both these private entities that are making products like Pegasus, but also the state actors that then potentially make use of these or wrongly use these, these frameworks that they have the hardest time possible in doing that.

Jeroen Lenaers (Chair): No, of course. Of course you may. I will pass it for just maybe to clarify, because. Of course, in India you have explained your rules. But I think the question also was, do you consider that such a Pegasus attack or an attempt at an infiltration of a commissioned civil servant or a commissioners phone? Is that deemed to be a computer emergency in your mandate? Is that something that you have the mandate to investigate? And have you done so? Has the commission asked you to to come and help them in investigating this, regardless of whether it was a member state or whether responsible? But I mean, your task is to protect the European institutions. Here we have a case of a European institution or parts of a European institution being targeted. So what was your role in that and what did the Commission ask you to do, if you could just clarify also what your mandate is in that regard?

Saad Kadhi (CERT-EU): Yeah, sure. So I cannot comment on this specific matter, but I can again tell what my mandate is, is to investigate incidents, is to act as an incident response and coordination centre the Cybersecurity Information Exchange hub of all the institution bodies and U.S. So what does this entail? Is that when there is an incident either that we detected ourselves or that is notifiable by OTI institution, by border agency, we can step in, we can investigate and we can help to the best extent possible. So there have been several incident where indeed we worked very closely on with the affected victims. Some of our public, such as the European Medicines Agency incident or the European Banking Authority incidents where cert you was at the forefront of investigating the incident in collaboration with law enforcement. But again, I cannot comment on this specific issue of whether we contributed or not to the investigation. Regarding would to private sector offensive actor tools because again this is not okay CERT-EU look at the incident in everything inter regarding the incident belongs to the affected victim. So if the affected victim kind of like wants to speak about it, it’s up to them otherwise kind of like they can also kind of like give us a kind of like lockdown the ability or the mandate to speak about the incident publicly.

Jeroen Lenaers (Chair): Okay. Please.

Rosanna Kurrer (Cyberwayfinder): Yeah. I just wanted to add from a private sector point of view that when we do when we practise cybersecurity, that there are threat actors, whether they’re coming from public sector actors, government actors or private sector. At some point when you do your threat modelling, it doesn’t make a difference. So you see your threat actors and each person who is vulnerable will have different threat actors targeting them. So I think on this level, you should build awareness on on your vulnerabilities based on your role and your responsibilities and who are the threat actors. And so understanding this helps you create a sort of risk assessment and assessing what are the risks. And all I’m talking about is all of this is done in the objective to prevent such attacks. The incident response team is there once that attack has already been made or is underway and then they detect it. So I’m just saying that this whole level of protecting an organisation, there are several teams working that the governance team creating the policy, the risk team, and then you have the security by design. And an incident response usually is for incident detection. So it is more than just monitoring. And, and I’m just trying to build that awareness that prevention is also something that people should think about and not just once they’ve been already attacked and exploited what to do. That’s your incident response. But there’s a lot to do in preventing that, actually.

Jeroen Lenaers (Chair): Thank you so much to the EPP, Mr. Zoido.

Juan Ignacio Zoido Álvarez (European People’s Party): Thank you very much. First of all, I’d like to thank all of the speakers in today’s hearing. You’ve touched on very complex issues, and there are a great many questions, really. That’s all I have to say. First of all, the Google representative, I’d like you to clarify, if possible. A few points I have. First of all, when you spoke to the Intelligence Committee in the US Congress in July, you talked about ecosystems of hackers for hire in India, Russia and so on. So I’d like you to go into greater depth, if you could, greater detail. About Russia. What sorts of software spyware is being offered by these hackers for hire? What kind of risks do they suppose and what are the main victims? Are they European bodies or governmental institutions? Also, could you say perhaps if you’ve seen an increase in activity or demand for their services following the Ukraine invasion? Secondly, what is your evaluation of the cybersecurity of vulnerability investigators and their role in businesses and other types of institutions? They are they also a vector for attacks? I think they are because they are in have been involved, for example, in the attacks on North Korea. So how can we make sure that they are not a weak link in this whole chain? And finally, I’d like to ask you about the United States. When you spoke before in the States, you said the United States would become an example of transparency for other governments showing the use of these tools over history. What are you talking about? What kind of transparency tools should the United States put into action, and how could we use these to. I’d also like to ask you a few questions or I’d like to ask a few questions to the ENISA representative. And Issa, I’d like to ask you what degree of cooperation or collaboration you have with the U.S. big tech in terms of protecting us against vulnerabilities? When I say protecting, protecting us as a European institution and citizens and European companies, is it a greater or lesser than that offered to other big technological companies in Europe? Do you have the right technology to promote this cooperation? Should there be more responsibility from the institutions or from the companies? That’s all for my question. Thank you.

Jeroen Lenaers (Chair): Thank you. Will also take those in the in the order of questions. So first, Mr.. Mr. Huntley, there were a number of questions for you. You have the floor to answer them.

Shane Huntley (Google): And thank you for the very insightful questions there. The first question, I believe, was about Russia and the capabilities there for hacking, for hire. And in general, I’d say my team, as I mentioned, covers three main areas of threats, which is sort of the government backed sort of government spying, the cyber crime efforts, and also information operations or disinfo efforts. And I would say that Russia is a serious threat actor in all three of those areas and a serious threat. They have significant capabilities which they governments use for national security reasons against countries all over the world, including across Europe, but not limited to Europe by any stretch of the imagination. And the United States has seen attacks and as has many other nations around the world, they are also a very much a centre of the cybercrime ecosystem, including ransomware, including many other kind of commercial efforts. And this hack for hire effort that we spoke about of the if you want to have something illegal done on the Internet, there will be a Russian provider that will provide that service on the dark web. And we’ve also seen limited information operations efforts of where they’ve attempted to push their propaganda on networks, especially regarding the Ukraine war. What we have observed and we have published a number of blog posts on this is that we have been observing very closely the efforts of Russia and other countries targeting Ukraine and Eastern Europe during this war. Much of what we saw was actually more a shift of focus by these countries rather than a total increase of capability. And it’s definitely, as we’ve seen generally as there is any kind of major international events, there is a lot of focus of intelligence agencies and hackers around the world trying to exploit that. There has also been a lot of efforts by cybercriminal actors to take advantage of the situation and use these events to push forward their cybercrime efforts. The second issue wasn’t clear totally. I believe the question was about are the investigators or security people also a vulnerable vulnerability in the investigations? Did I get that question right?

Jeroen Lenaers (Chair): Yes.

Shane Huntley (Google): Yes, I would I would say that that is something that I know we take very seriously and we have to be very careful of because security people and security systems are very trusted. And they do represent a, you know, a mechanism that needs to be secured. And we have seen threat actors go after security providers. And we published, I believe it was last year that North Korea was targeting specifically researchers and security researchers in order to steal zero-day exploits. So that is something that, you know, it is not one way. Security researchers are not immune in some ways. They are targets in their own right. And I believe the third question was about a comment I made about transparency in the United States and having trouble remembering the exact context. But I believe it was regarding vulnerabilities, equity’s process, and the storing of exploits and hoarding of exploits. And, you know, my position is that we want to do this at the minimal level possible and keep things more secure. But what I have seen over the last number of years in a number of places, including the U.S., is they have published and how they are doing what they call the equities process of how to decide whether to fix a vulnerability or whether to use it for their efforts. And they are increasing their transparency around how they are making those decisions. And I commend them on doing that and wish there was more transparency about how different nations were making the decision of when to make something more secure and when they are willing for something to be insecure for their national security reasons. And I think transparency in this place, but also making sure we have real conversations about the real cost of insecurity when we do make those decisions.

Jeroen Lenaers (Chair): Thank you. Mr. Huntely. The second question was to Mr. De Muynck.

Jo De Muynck (ENISA): Thank you. So the question was, if we do cooperate with U.S. big tech. The short answer is yes, yes, yes. The longer answer is that we are as a these are setting up a programme which we call the trusted network of vendors and suppliers. So we want to do this cooperation in a more structured manner. Also, the EU member states, they have such collaborations with US big tech companies. But I believe that if we go to these companies as the EU as a whole, that we have more leverage also to get the information that we need from from them, especially during incidents. So the main angle for this, a trusted network, is that we want to use this for a better situational picture at the EU level and also for CPI purposes. So I believe that indeed there is more incentive, I believe for this for these companies to work, to cooperate with their with or US counterparts. But if we do this as a whole and also with leveraging, for example, the sea search network and going to these companies as the EU, that that will probably trigger even better cooperation that we already have now. Thanks.

Jeroen Lenaers (Chair): Thank you. Mr. Khadi would you want to add anything to any of the questions. Nope. Then we move to Ms.. Guillaume for S&D.

Sylvie Guillaume (Socialists and Democrats): Thank you very much. Thank you to all of our guests for what they’ve said. I’d like to go back to a number of points that have been made. Not everybody is obliged to address these, but I do think we need to to really gauge the social damage caused. What about the spyware? Do we have an idea of exactly when this has taken place? Can we put a sort of timeline on it? I think we need probably to have one. Secondly, it’s spyware. I’d like to go back to this idea and ask if you could develop a bit more this idea of how we can know these sort of where these actors are based. You know, in this committee, we’re particularly interested in what governments are using spyware, but private actors, too. Do we have an idea exactly how criminal networks may use these in future and the sort of geographical share out? That’s something that could be developed in the future. And finally, security incidents you mentioned before. There’s been a large number. Has gone up threefold. I’d like to have some exact figures. Maybe you don’t have the exact figures, but is this because they’ve become more numerous, or is it just easier to detect them or because there are more actors? Or is it a combination of these three? Thank you.

Jeroen Lenaers (Chair): Thank you very much. There was not necessarily concrete questions to either of the panellists, so we take them in maybe the reverse order this time. And we start with Ms.. Kurrer.

Rosanna Kurrer (Cyberwayfinder): Yeah. So with regard to the incidents increasing, of course there is that that we say that it’s easier to enter, they are more organised. In fact when you look at the criminal organisations they it’s not unusual to to see that criminal organisations are actually working with what we call like nation state actors. So, so this is something that of course makes it more difficult because usually nation state actors have more resources and can, can, can organise attacks that go for a longer term and have more resources to to acquire these tools that maybe criminals don’t have. But working together is certainly something that that has increased. You have, yeah, multiple threat actor actors working together. So I think what we have to understand is each organisation or each person or entity should understand what would be the motivation of not of all the threat actors on themselves. And I think that’s one way to really build awareness on, on, on, on the fact that they’re more organised. They work together. Resources are unlimited if it’s a state actor, but also that even if you’re not targeted, that you could be a victim of collateral damage. So that we saw a few years ago they’re not targeted, but because the malware spreads over the system, you could be a victim. So I would say that the stakes are higher. The more we the more we depend on on our businesses and our business processes and activities go digital. Then our digital systems are by default insecure. So. So yeah. So that’s why I can say in this.

Jeroen Lenaers (Chair): Thank you, Mr. Kadhi.

Saad Kadhi (CERT-EU): If it’s okay. I will answer in French.

Saad Kadhi (CERT-EU): Thank you very much for the question concerning the date line for this phenomenon. Off the top of my head, I think this goes back to. Well, from 2004 onwards, there’s a French company called VPN Security, which is no longer up and running, which was set up at the time to trade in Zero day vulnerabilities. So these new vulnerabilities that are currently unknown now, this company continued to operate in France up until 2015, if I remember rightly, and the company ceased trading. Because there were. A lot of warnings made to the company. And they were being watched, too, by the intelligence services, the government. And a nondemocratic governments were involved there. And in 2015, they set up a new company called Zero Deum. Was continues to work to this day. I think it’s known in the U.S. and they are particularly specialised in setting up. And recovering and selling. Zero days for different platforms. For example, in 2018, if I remember rightly. They have a new zero vulnerability was brought out for apple iphones at about $500,000 that was selling at the time. Just to have an idea of what that could represent today. Because from my point of view, these are getting rarer and rarer because the security of those platforms, really iOS and so on, are increasing as far as the share out or the distribution of the different actors is concerned, I don’t know. I don’t think we can have access to figures on that. Either privately or publicly on the markets. They are part of networks which are spread all over the world. We could list the different events that have occurred that we’ve seen in the press, for example. And I think I can say that there were a lot of purchasers. Of state. State level bias. Non-Democratic states. What about the aspects you mentioned? It’s really all three together. Just to give you an idea of what we do. We have increased our detection capabilities. There’s a certain maturity increase majority in organisations in the EU that we’re helping. We also have more resources available, but of course there is an enormous amount still to be done and that’s why there’s a regulation currently under discussion from Council and Parliament to look at increasing the capacity and maturity of E.U. organisations. But also because since this was a setup, we’ve seen three phases. First of all, set up in 2011, 2011, 2012. There was a lot of data. Thanks. And set EU was set up as an organisation to increase maturity and the figures pretty much levelled out. And then this sort of was there was less interest for a few years. And then from 2019, that started to spike again. So they’ve not had two attacks on their. Uh, ransomware, for example. I don’t think anybody would put taxpayers money towards ransom wear. But what we’ve seen basically is linked to spyware. Spyware is the big thing here. So we can see very clearly there’s a very particular intention by certain non-democratic states, but also cybercriminal groups to acquire data, steal data, and to enter into negotiations with these and to sell them. Certainly the ones that are sold in France are used really to to bolster their strategies. Thank you.

Jeroen Lenaers (Chair): Mr. De Muynck.

Jo De Muynck (ENISA): Good to come after Saad. So you already answered most of what I wanted to answer, but I’m going there maybe specifically on the on the cyber criminals. So in in my view, the more we have backdoors and zero day vulnerabilities and unpatched vulnerabilities, the more the or the higher rather the chances that cybercriminals also get a handle on this and they do get a handle on it. So I think that’s also part of the societal impact that that that the larger problem of the vulnerabilities has. So I agree that this is also a different angle to to this.

Jeroen Lenaers (Chair): Very briefly. Sure.

Rosanna Kurrer (Cyberwayfinder): Just briefly, because you ask about the timeline and why it’s so important to increase awareness is usually the entry point of these attacks are social engineering entry point. So whatever you share on social media that will be used in order to get into your device or to get into your laptops, your network. So what you share on social media makes you vulnerable. And the more they know about you, the more they can do targeted attacks. And once they’re in and they’re in your system or in your devices, maybe they don’t use it. They will wait until somebody comes along and says, Can I buy you access to this person? So it’s a business. People who enter systems and people who exploit the systems and then who take who take out data out of these systems could be several different companies. So maybe one company is in charge of social engineering. They get into the system and then they sell this and then somebody else exploits it and they go and buy. Or maybe they say, I will buy it to another another hacking company that actually has interest in that sector that you’re working. So you have to think of it, they’re like enterprises that they’re either profit driven, usually profit driven or there’s geopolitical reasons. So.

Jeroen Lenaers (Chair): Thank you very much, Mr. Huntley.

Shane Huntley (Google): I think there’s been covered pretty well so far. I think the only thing I would say and I’ve been doing this in 12 years, four in Google, and over that time, I’d say the biggest trends of what’s changing and why is, as I mentioned, more nations want to do this hacking capability because they see it works. And to tie to the specific topic of this committee. One of the things that’s most worrying about this is these spyware vendors are enabling more and more countries to get in and have the top level capabilities without having to develop. Very small countries with very poor records of human rights are able to get top tier capabilities because companies like NSO will sell it to them. And I think this sort of activity is actually leading to one of the big rise in attacks against individuals, because this capability is now for sale. Generally, attacks have increased overall because as more of the world and more of the economy moves online, there is more money to be made. As more information moves online, there is more stuff to spy on, so there is more incentive for attackers. But also there has been great advances in defences and my team has grown, Google’s efforts has grown and we are fighting this constant sort of like catch up and battle to sort of hold the attackers at bay.

Jeroen Lenaers (Chair): Thank you very much, Mr. Arłukowicz.

Bartosz Arłukowicz (European People’s Party): Thank you very much to the speaker from in this. And sir, to you, I have questions for you. I’ve listened very carefully, particularly, Mr. Cohen, to what you said, particularly when you said that there are a lot of possibilities to do these cyber investigations and how they can be done with different information and the way forward. But you also said that here I can’t say anything about this because it’s secret. But I mean, this is this is a committee that’s been set up specially to talk about this. So the answer is what we’ve been talking about. You know how. We’re not saying who spied on Commissioner Reynders. We’re talking about how we can improve this situation, what kind of action you can do and what have you done. This is what we’re here to investigate. This is what we’re doing today, Mr. Carney said. Okay. We could carry out a cyber investigation, but at the same time, you are also saying that you can only do this when a victim says, Wait, I’ve been hacked. So you carry out actions only when the victim comes to you and says, I think this has happened to me. I don’t think that’s the right way. I think a defence has to be stronger. Question to both of you. The same question to both of you gentlemen. How did they know? How is it known that these spy systems were being used in the EU countries? What actions have you taken to get that information and to know that Pegasus is being rolled out across Europe? What institutions or member states said that there was a threat such as Pegasus? Who did they speak to you? Mr. Kadhi said that you’re looking for these programmes in non-democratic states. Okay, but, Chairman, let me tell you that Pegasus has been in my country. It’s been used in Poland, and Poland is a democratic state. So I would like to know, you know, have been used by government agencies against the prime minister, against the head of the opposition, against the public prosecutor. These are Democratic states. This you know, the same has happened in Greece, democratic countries. So once again, I understand your role and you have to take action. So my question is, what actions have you undertaken? What information, who have you investigated, what investigations have you undertaken and what have you done vis a vis the attack on Commissioner Rendus, who is one of the many people, has been spied on by Pegasus, one of the most important figures in Europe. And there’s a war going on next door. I don’t know whether you’ve noticed, but we need to know information as to whether these systems are being used. You know, the EU is applying sanctions against Putin. We don’t know if Putin’s spying on us right now. So please, this is something that needs to be done. Can you answer, please?

Jeroen Lenaers (Chair): Your most questions were directed at ENISA and CERT-EU, a follow up on previous question. So if you would like to start. Mr. Kadhi Yeah, sure.

Saad Kadhi (CERT-EU): Thank you for the question. I think there is a deep misunderstanding here. So let me just clarify two things. CERT-EU is not the CERT for the European Union as a whole. We don’t cover the member states. We only cover the EU institutions, bodies and agencies. Okay. So if I would say for only information regarding Poland, what happened in Poland, there is a system, a cybersecurity information incident response team in the country that is in our country their their prerogative. So CERT-EU is not the CERT of all the European Union, including the member states. This member states have this sovereignty. We don’t have any kind of like clue or kind of like a prerogative to investigate what’s happening in a member state. However, so we only address 88 organisations, as I said, the European Union institutions bodies. It is not the European Union governments are like let’s say Poland or Spain or what have you. So this is a fundamental thing that we need all to understand here. In addition. So I’m sorry if I was not clear in my answer or like there was a misunderstanding, we don’t wait, okay? For somebody to walk in and say, Hey, by the way, I have been hacked. Can you look into my device? There are either, I would say institutions, bodies or agencies of the EU. Again, this 888 EU situation, bodies issued. I was speaking about that are my constituent and the only one that I am looking for and looking after. So there are either two, two cases. Either we have threat monitoring capabilities that are deployed on their networks and basically this allows us to detect things when they happen using what we call in our technical lingo, indicators of compromise. So these are like source IP addresses, technical data, etc.. For example, Citizen Lab and Amnesty International have provided lots of these indicators of compromise that we use, but we also use other indicators of that persons, partners all over the world sometimes share with us. And a second case, because, again, search. You cannot force any institution, borders, agency, because they are autonomous, as you know, by the treaties to use our detection systems, they can deploy their own detection systems and if they do so, etc. So that means that we don’t have a foothold or luck, that we are not monitoring the threats for them. They are doing them death by, by themselves. And if they did something, then they can walk to us and say, we need your help. Okay? This is not kind of like mandatory. It’s on request. So there are two cases. Either we have an agreement which said institution bodies to deploy our capabilities and monitoring of threats, including on mobile phones or either they are not using our threat monitoring services and they are doing them by themselves all through the private sector if they want. And then they can always rely on us to do investigation if needed. So we are proactive when it comes. To those with our systems. And we are reactive for those who kind of like they take things by themselves and knock on our door to help them. Now again, getting back to the question of the commissioner and the commission, etc.. So this is again a big hit in our mandate. We cannot comment on these issues because our constituent is the one that is entitled to get this information from us, the help from us, etc.. So we investigate whenever required the incident with them and we provide all the information to them. It’s up to them to kind of like speak about it publicly, keep it private, or instruct us to give information, for example, through the sister network where any of those also is to the member states. So basically the sister network is the forum that is has been set by the nice directive with all the national and governmental cyber defence teams of the EU plus. So to you, who protects only the institution bodies and agencies? So the 88 organisations that I have mentioned and dear, if we have, for example, incident, etc., and we are allowed to share the information which is mostly the case, we will share that. And then again, something that I would like to make very clear in that I referred to in my presentation, I said that we have good two very good capabilities in detecting out a malicious threat, actors attacks on traditional I.T. assets, bit laptops, the servers, be it network devices, etc.. But our capabilities are also subpar when it comes to detecting threats on mobile phones because as you said in his intervention from ENISA, we need more transparency, we need more have the ability to look into these devices very easily. It’s quite complicated actually to acquire evidence, etc. and I can tell you how it is difficult because to get at least because for example, if we need I need to investigate a phone, I would need I would need it for at least 3 hours. Okay. To grab the evidence from it, to grab the image or a forensic image for it and start looking. But it is very rare that a senior manager or somebody with our kind of like a I would say, profile official of the EU may give us their phone because they are dependent on it on so many things for 3 hours. So we need also the capabilities to be able, as we do currently on the laptops and servers and network equipment, to the ability to grab the evidence very quickly or have capabilities with the with Google, with Apple, etc., to be able to to look into the devices much, much easier than today. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. Muynck.

Jo De Muynck (ENISA): Thank you. To to add on that, maybe also to clarify for all. So we are also not the sister for the EU and as Saad already mentioned there are national computer emergency response teams in every single member state and they are grouped in the sea in the U.S. source network. Now we as et ENISA, we facilitate that. And so we we provide the CERT search network for the platform ways of communication. We also provide the Secretariat to make sure that this information sharing is going on. And on top of that, we also have a role in situational awareness, but trying to get like the bigger picture and then also bringing that to the to the next level. We do have under the Cybersecurity Act, a provision that enables member states to ask for additional supports to to the agency. But this is on a token voluntary basis. So there is no member state that is member there is no mandatory way where we can also intervene in the investigations in the member states. And I think that’s that’s right. The member states do have, however, the opportunity and the possibility to ask for additional supports to us in in in times of need. But I can confirm that there has been no such requests vis a vis any Pegasus incidents.

Jeroen Lenaers (Chair): Thank you very much. Mean it’s slightly concerning, but it’s maybe for another hearing that the capabilities to detect mobile phone attacks is subpar, especially given the fact that, you know, we are so dependent on our phones that we can’t even give them up for 3 hours, that that should that should be something to think about, I guess. Madam Novak.

Ljudmila Novak (European People’s Party): Good morning, everybody. Mr. De Muynck, you have been talking about how ENISA is spreading good practises. Could you perhaps give me a specific case of a good practise? And Mr. K.G. you have been talking about. Solving many cases of incidents and attacks. So I would like to know the following. Could you perhaps investigate who is the author of the incident? In how many cases have you managed to research the issue successfully, potentially speaking, and how can you protect yourself from having inside moles or let’s call them traitors within your company who would be spreading information, how you are dealing with these issues?

Jeroen Lenaers (Chair): Thank you, Mr. De Muynck.

Jo De Muynck (ENISA): Thank you. So we recently published and we tried to update this every now and then a kind of a cyber hygiene good practises. But it’s, it’s all about things that are widely known so. Patching regularly, patching on time. Not clicking on links from when you receive an email or a WhatsApp message from someone that you you don’t know necessarily. So all these kind of things I can circulate perhaps afterwards also the like the full manual that we, we, we put together because I think there are many things that you can do, but we try to put it together in like 10 to 15 good practises that, that are in our view the most useful ones. So maybe I can afterwards share this link as well with you. Absolutely.

Jeroen Lenaers (Chair): Thank you, Mr. Kadhi.

Saad Kadhi (CERT-EU): Yes. Thank you for your question. So regarding the authors of Incident. Again, all the significant instances I have mentioned in my presentation. So sir, to you it does not do attribution by itself as we don’t formally attribute an attack to a specific threat actor or cybercriminal group. We rely on a huge network of fierce partners, including the private sector, people like the team from of Mr. Huntley. So we will tag and address, etc.. And so the what I can say regarding this is that if you remember, I told you that in 2018 we had one significant incident in back in the day. We said we it is like there is no certainty, of course, as you know, in this field. But it is highly likely due to a nation state threat actor from a non-democratic state. Okay. So in 2019, when we had this eight incident, we had most of the more due to nation state threat actor and one of them was due to a cybercriminal group. Yet two we don’t know. It is the first time in 2019, it was the first time that to you found itself in a position where we could not say who was behind the attack. Why? Because since 2019 and it has looked, it has been growing as the number of unknowns, as a number of authors that we don’t know who they are. If you remember, for example, in 2021, we had a record of 17 significant incidents, including this incident that I have mentioned that was involved, 45 people working seven months to just to deal with it. So we have seen a growing number of we don’t know why because the attackers are very smart, they are sophisticated. They improve over time. In the end, it’s true that they need to blur, I would say, the cards, for example, to disable mechanism that the EU has, such as the cyber diplomacy toolbox that would attribute attacks in sanction, I would say attackers. So why? So we have looked into it in actually the using something that we call you know, we were living off the land. What they do is basically they use VPN, commercial VPN services such I would use or you would use, etc. once they are in a network like they use, for example, of security, vulnerability or even kind of like in for an embassy because there is an infected system, they are moving very quickly, as I said. So they can compromise as much as they can without deploying in our case, without deploying really malware. So they use whatever they find on the network. So this is what we called Living of the land. So actually, for example, CERT-EU has very little cases where I would see specific malware is created for the purpose of breaching an EU institution. But it is they use whatever they find on the network like normal I.T tools and things like that. Now getting back to your second question regarding insider, so I’m not running a company, I’m aronian. I would say a new entity that is part of the EU and all our staff are, most of them are a commission, I would say staff or some of them are again the two for example from the European Parliament. They are all required to have the EU secret level clearance and they have all about abide by the staff regulations of the EU. Aside from that we are also having a tight oti governance with CERT-EU and I would say we work only on a need to know basis. So we have strict protocols in making sure that only the people that have to know about specific incident or things have that in place. We also, I would say in addition, we consider ourselves our own customer. Like if I use I would say a commercial word, but we call them constituent because we would say we do not make profit. We are part of the EU, so we consider ourselves our own constituents. So we deploy our own capabilities that we use to detect threats in the institution. Bartosz iss we deploy them inside CERT-EU to make sure that indeed we, even though we all have EU secret clearance level, we are all part of the EU as a, I would say, officials and contract agents from the Commission and elsewhere. So this is kind of like we have prevention, we have detection, and we have the ability to respond to cases. And I can tell you, since Sochi was created back in 2011, we haven’t had a single case of an insider.

Jeroen Lenaers (Chair): Thank you. Then we move on to Mr. Halicki.

Andrzej Halicki (European People’s Party): Thank you, Mr. Chairman. I would like to continue the question asked by Mr. Arłukowicz several minutes ago. Maybe I was switching to publish and the answer could be given in English, of course, and also directed to Mr. Kadhi, because I would like to focus on the European Security first. Generally speaking. So, what I wanted to ask is about collaboration to create shared cyberspaces. We’re always going to be exposed to threats. And these are not just going to be occurring through use of mobile phones, but also much more widely. To a certain extent, we’re very exposed. You’ve talked about the limited capacity that we have. And your limited mandate and that you’re only actually mandated to protect the institutions, not the entirety of the European Union. But we. I think need to look at what is happening at national level in the European context, because there are, for example, different for different agencies in Poland, which are the equivalent of the EU cert for different ones which would be involved in the event of any cyber attack. So presumably it would be much easier for you if your interlocutor was one single agency. But I wonder what the thinking is in the European Union. Are you thinking of trying to create a coordinated structure so that you interact with one centre in each European member state for prevention purposes, for exchange of information purposes and generally, so that you can exchange best practise. So that advice and consultation is available and so that there is a common approach, potentially a more common structure, because we feel that we’re very far from secure in terms of what’s happening out there in cyberspace, in the information economy. And I had understood that that certainly U.S. involvement would be much more extensive. I do understand that it is responsible for the institutions and the agencies and so forth, but it also should be able to carry out preventive and predictive work. And it should be able to be giving advice, I would think, to the agencies, but it would be very helpful if it could do this more widely. And that’s why I’d like to know whether there is any thinking in your agency about trying to create a more integrated, coordinated structure in Europe? Because I think that the member states would benefit hugely from it, and I imagine that it could also be useful to you. I imagine that ENISA. Being the. Brains behind much of the work goes on. Would also benefit from a coordinated approach. So I would really like to know whether you’ve had requests from other Member States, whether the Commission has received such requests, or even whether the Member State authorities have received requests for more coordination, a better coordinated structure. So because I think it would be mutually advantageous. I do understand that this is not really the central point on our agenda today, but nevertheless, I’m very interested in doing what your thinking is. And I do think that it should be one of the conclusions that this committee reaches, that we should have much better integration across the member states and the institutions. Thank you.

Jeroen Lenaers (Chair): Thank you. Thank you very much. Mr. Halicki. I pass the floor to Mr. Kadhi. There is no other members taking the floor any more after this. So please answer the question of Mr. Halicki, but also feel free to make some concluding remarks and I offer the same opportunity to the other panellists afterwards. You have the floor first.

Saad Kadhi (CERT-EU): Thank you. Thank you for this question. Actually, we we have already got a very strong basis for our cooperation, and indeed, we should do more. So the basis of cooperation is that we. So you has told told you about that. And I also mentioned in my introduction in some of the answers I provided to earlier questions. So we have called this something called the sister network. So the sister network has been, as I said before, it has been established by the in this directive. And again, it’s a forum where ENISA acts as its secretariat to facilitate information exchange best practises, including sharing of indicators of compromise and data on specific incident to help everybody through this research network. So there you have not only to you, but also the national and governmental cybersecurity incident response team from all the 27 member states. Okay. So sharing there is on a voluntary basis. And in 2019, in early 2019, when I joined Sir to you and I started being involved in this network, I had experience in other communities before I found it, kind of like I didn’t serve on the sharing to be as evolved as I would have expected. Both since then. Kind of like the but the kind of like this network was back then pretty new but now thanks to also ENISA facilitated a lot of the work in the information exchange, etc. So I’m very happy with what’s happening there because the members share best practises. We don’t reinvent the wheel. For example, once you go to you look into the wake of Russia’s invasion on Ukraine because of the commission, the council, the parliament and other entities from the EU have issued sanctions. So we feared that indeed Russian threat actors might come after our institutions much harder than they used to. So we provide prepared guidance with ENISA and we shared, I would say, the guidance publicly with all what we promoted all over Europe. But before that we gave it to our peers in the member states too, with more details than the public, ones with more concrete, pragmatic information, and even asked them for feedback to enhance that. The thinking, actually some of them provided feedback that allowed us to enhance. So this was a I would say, a really nice collaborative effort also on several incidents in the past, for example, there is something we call Casa of, say, SolarWinds. In others the collaboration was very, very good, as in sharing the information on incident, what’s happening, etc. and including on the RTD said were that the Russia has started, the collaboration has been extremely, extremely good. Now should we do more? Should we integrate more so and back last year. So yeah, it was last year. Joe, correct me if I’m wrong. So there was the recommendation from the, the, the commission to create a joint cyber unit. The idea behind a joint cyber unit is to bring not only the civilian community, which I represent with the other members of this, the Security Network and ENISA, together with the law enforcement, together with the military defence, together with the diplomatic side, etc.. And so I would say really, look, I wish this to happen even though we work on, I would say different levels because as you certainly know, when there is an investigation by law enforcement and there is a case. So I would say it is very the information is very strictly protected when an intelligence agency investigates something as well, it is very difficult to share it, etc., and not run in an investigation. So it’s about breaking these walls as much as we can while preserving the prerogative of the various OSCE actors. So the so that’s on the technical level, I would say there is also the operational level as described in the blueprint. And you is hearing their version mentioned, for example, the cyclone, which will be the equivalent of this certain network, but on an operational level, again, to share on an operational side instead of a technical side. And this will be restated thanks to the initial directive. So definitely, I would say in the last four years plus sharing between ourselves have has increased tremendously. Of course it’s a we there are, I would say, member states that are very mature in this and beside others that are less mature. And we saw ENISA is working also on capacity building and also try to help them to get the maturity in to to foster the sharing. But again, this is on a voluntary basis because the member states are sovereign. And also, I would say the institution bodies that are also autonomous by the treaties. Sorry. There’s nothing. Well, yeah. So the corporation is again are correct me if I’m wrong. If I’m wrong, the cooperation is some sort of extent obligatory as part of the initial directive in the creation of this network. So we all have to have a representative there. We all have to contribute to the best extent possible. But I don’t I don’t I’m not be enforcing because kind of like in our community, particularly in the civilian, I would say cyber defence community. So it works much better when you show the example, you’ll be open on sharing etc. So you create traction and you get the others to do the same. And this is exactly what I have observed firsthand happening in this network. As for I would say my sorry president, my concluding remarks. Okay. Yeah. So as for my remark and again, kind of like the also something you pointed out when when we introduced you to your question. So the most important thing for me, if I just like one, one, one one important thing is the ability to investigate these things much better is the ability to integrate these things much better in our the ecosystem of detection, etc. than it is currently is the also I would say I’m seeing this as like a triangle where we have prevention, detection and response. So in terms of prevention, so we should look into kind of like making better software, creating, using secure development life cycles, maybe consider liability for those vendors, commercial vendors that do not do the due diligence or like they provide phones that they could be hacking maybe easily. Okay. They’re also kind of like we need to have the ability to configure them much better or in a very, very simple way like you. Well, I’m sure you had this case you receive like you have a new application and sometimes they say, hey, please accept this permission to to look at that. So why so I should be kind of like have so of course, fatigue, just like because I’m doing something else. I just click and now the application can spy on whatever I’m doing on the on the phone. So we need a way to use this in a much simpler way than today. Also, in terms of detection, as I said, seamless integration in our in the threat monitoring landscape, in the capabilities, etc., and the ability to cooperate and share. And when, for example, let’s say a member state or CERT-EU or any other entity has a case with Pegasus or another tool from a private sector offensive actor, we should be able to get the indicators of compromise, the technical data that would allow us to look into the devices and kind of like scorch massive with the device. Also, we have also to consider that most of these devices, I would say, of course, they are copper devices, but also personal devices. And currently what many companies and organisations give you the possibility to use your personal phone to install an application to get your your professional email. This also look a privacy angle to it. So how can we investigate personal devices which safeguarding your personal data in privacy but looking after what the data you have recuperated because you are using, I would say, a professional application for emails or what have you. And the third. But so the last but not least I would say side of the triangle, which is response is also the ability to take evidence as quickly as possible. I think kind of like why? Why today I have the ability to connect remotely to a laptop, for example, that is suspicious, that is kind of like acting suspiciously, that might be compromised. Grab all the investigation over it if it is over the wire without disturbing the user. Actually, while for this, I still have to request the device, take it for 3 hours to grab the evidence and maybe have back and forth. Yeah. Thank you.

Jeroen Lenaers (Chair): Thank you very much. Mr. De Munck, Mr. Kadhi asked to correct him if he should have been wrong on a number of issues, so please feel free to do so. And also some concluding remarks if you if you choose to do so.

Jo De Muynck (ENISA): I don’t think that you were on wrong, so I will not correct you. Just maybe to add on what you were saying, maybe there was a small gap in which you were saying the indeed the cycle. It will be institutionalised with the needs to, but there already exists and it’s already operating informally. And I think that’s together with the creation of the you see service network were very important. The steps that we already took for the users network, it’s up to the member state to nominate the representative or representatives because some member states indeed nominate more than one representative. But I think the challenge here for the for the U.S. service network, but also for other networks like the cyclone, is trust. And so how do you create a strength, an incentive? It’s the information sharing across all the member states. The more people are in the room, typically the less information is being shared. But I think that we are heading in the right direction there and from a personal viewpoint. So I’ve been in this network since the beginning, not only as an ISA, but also as a representative of the Belgium National Sea Search. I see that this information sharing is much better now than it used to be. A couple of a couple of years ago. I think an additional challenge is to make sure that all these building blocks that we we do have now like to see such networks like long, but also the institutions, bodies and agencies that this all works well together and that this is a well-oiled machine. I think that’s also part of the role of ENISA to to make sure that we indeed, as I mentioned, we we try to build up capacity, but at the same time also exercise. How do we cooperate and share information in a crisis or in large scale cross-border incidents? And then maybe just as as a final note, and it’s basically what I already said, I think that the issue at hand, you can’t solve it with one measure. There are a multitude of measures that that need to be taken. And still you will not. Make sure that this goes completely away. But I think so from my perspective, the main focus would be on this coordinator vulnerable vulnerability, disclosure and promote that really at an EU level to regulate security by design and then also invest on capacity building and awareness raising. I think those there are other factors as well, but for me those are the most important factors.

Jeroen Lenaers (Chair): So thank you very much then. Ms. Kurrer, if you have any concluding remarks.

Rosanna Kurrer (Cyberwayfinder): Yeah, for me it’s just that we remember that it’s easier to attack an organisation or an institution rather than to defend it. So defending is is a hard job and we have to understand that that’s a huge and complex challenge. We need to strengthen our defence defence by also building up the skills and beefing up our teams. And this is one way we can address the what I’d like to say the war on talent. So right now, there is a war on talent. There are a lot of organisations hiring. There’s not enough skills going around. So this I think is a major risk that we also have to address. And I think that bringing in diverse skills into our teams is one way to go. Thank you.

Jeroen Lenaers (Chair): Thank you very much. And then we move for the final conclusion word to Mr. Huntley You have the floor.

Shane Huntley (Google): Now, I’d just like to say thank you very much for allowing me to speak today and for the great questions. I’d like to do a very quick plug for White Paper we just released on enhancing cybersecurity and digital resilience in Europe, which we will provide to the Secretariat and also, along with my testimony, opening remarks. I would say that, you know, despite the real challenges we’re facing in this area, I’m very happy to see that, you know, democratic governments around the world, especially in Europe and in the US, are really taking this area, this issue seriously and understanding how central these devices are to our world, how important security is. And this is super important because this isn’t going to be solved by just technical measures in big tech companies. It’s not going to be solved solely by government or by experts or any or civil society. It’s actually going to be the combination of all these factors coming together with a goal to make things more secure and bringing all of our strengths and making sure that we work together, share information, and have a common goal. And I believe that these hearings and servicing these issues are one step along that path. So thank you again.

Jeroen Lenaers (Chair): Thank you very much, Mr. Huntley, and thank you to all the speakers. I’d like to echo your last comment. And indeed, in order to properly solve this, we need a cooperation from all sides, from a tech sector, from governments, from NGOs, etc., etc.. Our experience with Swiss government so far has not been too optimistic in this particular regard. With regards to Pegasus, maybe they are more positive examples and other are not affected. So we will also try to try to continue to play our part and our role in this. So thank you all very much. Thank you to all the speakers for taking the time to be with us. It is amazing that even though we had a panel of four speakers, we still managed to two and on the docks at 11:00 if I stop now. So thank you very much. We meet at 3:00 again. I would ask the coordinators to stay behind for the coordinates. Meeting now at 11. Thank you very much.

No Tracking. No Paywall. No Bullshit.

Unterstütze auch Du unseren gemeinwohlorientierten, werbe- und trackingfreien Journalismus.

Die Arbeit von netzpolitik.org finanziert sich zu fast 100% aus den Spenden unserer Leser:innen. Werde Teil dieser einzigartigen Community und unterstütze jetzt unsere Arbeit mit einer Spende.

Jetzt spenden

0 Ergänzungen

Wir freuen uns auf Deine Anmerkungen, Fragen, Korrekturen und inhaltlichen Ergänzungen zum Artikel. Bitte keine reinen Meinungsbeiträge! Unsere Regeln zur Veröffentlichung von Ergänzungen findest Du unter netzpolitik.org/kommentare. Deine E-Mail-Adresse wird nicht veröffentlicht.