Der Staatstrojaner-Untersuchungsausschuss im Europaparlament hat am 16. März gleich zwei Anhörungen durchgeführt. Der erste Teil behandelte die Geopolitik von Staatstrojanern und setzte das Thema aus dem Februar fort.
Die französische Journalistin Rosa Moussaoui arbeitet für die Tageszeitung L’Humanité. Nachdem sie berichtet hat, dass Marokko Journalist:innen mit Pegasus überwacht, wurde auch ihr Smartphone mit dem Staatstrojaner infiziert. Im EU-Parlament beschreibt sie diese Erfahrung:
Überwachung mit Staatstrojanern ist beängstigender als physische Überwachung – denn sie ist unsichtbar, nicht nachweisbar. Ich habe dieses Gefühl der Gewalt und des Eindringens erlebt, das mich persönlich und meine Angehörigen betraf. Es ist, als ob man ausgeraubt wird oder einfach nur feststellt, dass jemand einem etwas weggenommen hat.
Der Journalist Madjid Zerrouky arbeitet für die französische Tageszeitung Le Monde und war Teil des Pegasus-Projekts. Er machte deutlich, dass Überwachung durch Privatunternehmen mittlerweile ein ungeheures Ausmaß angenommen hat:
Wir erleben eine Uber-isierung der Überwachung. Es gibt immer mehr Unternehmen, die mehr oder weniger im Verborgenen arbeiten und Dienste anbieten, die früher ausschließlich in die Zuständigkeit von Staaten fielen. Das sind Dinge, die früher nur Spionen und Geheimdiensten vorbehalten waren.
Im zweiten Teil der Anhörung ging es um Staatstrojaner und Telekommunikations-Unternehmen. Der Ausschuss hatte mehrere Telekommunikations-Anbieter eingeladen, aber kein Unternehmen wollte aussagen.
Stattdessen kam Rowland Corr, Vizepräsident für Regierungsbeziehungen bei ENEA – einem Unternehmen „für die Cybersicherheit von Telekommunikationsnetzwerken“. Er bezeichnete Staatstrojaner als „Spitze des Eisbergs bei der Überwachung von Mobiltelefonen“. Angreifer nutzen viele weitere Schwachstellen in Mobilfunknetzen aus:
Was die Angriffe betrifft, so ist es wichtig zu verstehen, dass sie über bloßes Abhören hinausgehen. Abhören bedeutet, dass Personen nur dann ins Visier genommen werden können, wenn sie ihr Gerät aktiv benutzen. Heutzutage sind die Privatsphäre und die persönlichen Daten der Teilnehmer jedoch nicht nur bei Anrufen oder beim Senden und Empfangen von Nachrichten gefährdet.
Wir veröffentlichen ein inoffizielles Wortprotokoll der Anhörung.
- Date: 2023-03-16
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
- Experts Hearing 1: Rosa Moussaoui (Journalist at L’Humanité) and Madjid Zerrouky (Journalist at Le Monde Maghreb)
- Experts Hearing 2: Rowland Corr (Vice President for Government Relations at ENEA)
- Links: Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editors: Jan Lutz
Hearing 1: Geopolitics of Spyware II
Jeroen Lenaers (Chair): Dear colleagues, we are still expecting some colleagues to arrive, but since we have a small timing issue today, I would like to start as soon as possible. Given the fact that the the plenary services in all their wisdom have decided to put our debate on the oral question during the same time as our meeting here today, we have less time than we originally anticipated and I think it is important to give our our guests all the opportunity to make their contributions and also to have a proper time for a Q&A session.
So without further due, I would like to start we have translation interpretations already in German, English, French, Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian.
If there are no comments on the agenda, I consider it adopted and we can start immediately with the continuation of our hearing on geopolitics and spyware, which we held on the 9th of February 2023. You will remember that the first panel we had dedicated to the situation of relations from Morocco. Three speakers were remote, it remotely connected, but there were some problems with the connection and the interpretation where because of that we had to suspend the panel and in order to avoid the repetition of that situation, two of the three panellists are here now today with us in person.
So we will have perfect technological connections and interpretation, which I’m very happy about, and thank you very much for your flexibility and your willingness to meet us here in in Strasbourg. I am very pleased to welcome Rosa Moussaoui, who is journalist at L’Humanité, and Mr. Madjid Zerrouky, who is a journalist of Le Monde. I will first give the floor for 10 minutes to each of the guests and then we will open the floor for questions and answers. Those colleagues who would like to take the floor please indicate so.
So without further delay, given the time constraints, I will first start with Mrs. Rosa Moussaoui, who was a journalist at the French Media L’Humanité, who writes regularly in Morocco and was targeted by Pegasus in relation to our coverage on Morocco. So please, you have the floor.
Rosa Moussaoui (Journalist at L’Humanité): Thank you very much, Chair. First of all, I would like to thank the members of this committee for the opportunity that I have been given to talk about cyber surveillance, which, as you know, hinders the work of journalists. I am a reporter. I have been working on, let’s say, topics related to Northern Africa since 2010. I have written about Algeria, Tunisia and Morocco and reported on these countries. And when I was reporting on Morocco and the Western Sahara, I always received organised, targeted attacks, defamation linked to the press of Moroccan origin. And this was, of course, compounded by the use of social media.
I have been to Morocco several times and I was there in 2014 for the Ashraf trial. So (incomprehensible) was on trial in 2016. I was there to cover the repression in 2017 against protests and I was systematically targeted by close visible surveillance during my reporting to intimidate me. The police intimidation was documented in a report authored by our Reporters Without Borders, and this surveillance was continued and we had to deactivate localisation options on our phones to try and avoid being surveilled. I was also covering our macrobiotics work on a violation of human rights on land grabbing, and he was unjustly sentenced to six years in jail. And then in 2021, Amnesty International revealed in a report that the Israeli spyware Pegasus had infected his phone. And this triggered repressive fury against this man who was accused of spying of attempt against the stability of the state. And I carried out with (incomprehensible).
I investigated this case and this created a reaction. Considerable tension and reactions. And in the course of this, we were subjected to pressure, pressure and an anonymous intrusion on the part of anonymous individual during a video conference with one of our sources in Morocco. I began at that point to see, starting in the end of summer 2019, some malfunctioning in my phone, and in winter 2019, I was covering the contested elections in Algeria. These applications were automatically switched on. My phone was overheating and it was practically impossible to use my internet browsers because then I noticed in March 2020 my phone was blocked. It was impossible to use it. I sent it to the software company to reinitialize it and I lost a considerable amount of data. I talked about this intrusion during a video conference and I realised that some sources were familiar with the the details of conversations, confidential exchanges with other sources. So I reinitialized my phone. I actually bought a new one to get rid of that.
In spring 2021, I was contacted by the journalists from Forbidden Stories who told me that spyware had probably infected my phone. I gave them my mobile phone so that it could be examined by a group of experts in Amnesty International’s security lab. Nothing seemed to be untoward, but in July, before revelations on the Pegasus Project has re contacted by a Forbidden Stories journalist indicating that I was a potential target of this Israeli spyware. And this was a list drawn up by the security services of the Moroccan state, including number of number of journalists. I ended up finding that it was impossible to locate, let’s say, the actual use of this spyware. I was at that point forced to denounce this. And I would like to point out that, yes, cyber surveillance continued.
And this it is more terrifying than physical surveillance because it is invisible, undetectable. And I experienced this sense of violence and intrusion which affected me personally and my loved ones. It’s like being robbed or just finding that somebody has taken your possessions. And this is the result of having investigated the authoritarian regime. Obviously, when we work with sources, we cannot endanger them. And in this case, there’s a clear threat against my sources. And this obviously means that in the in future, it’ll be very unlikely that I will be able to establish contact with sources because there would be too many risks involved. The very existence of a surveillance system triggers a sense of fear and silence on the part of the sources with whom, in most cases I’ve lost contact. Journalists are extremely vulnerable and we will never be able to ensure that there is an active barrier against these authoritarian regimes or these forms of surveillance. Whatever the protocols to protect our sources, we will continue to be vulnerable. And this enhanced level of attention that we are forced to have hinders the role of all of us as reporters because it involves a loss of time and energy and creates a heightened sense of anxiety.
In the course of my reporting, I take all the necessary precautions and I use very basic phones without GPS, so without the possibility of connecting to the Internet. But I really didn’t think that I would ever have to do something like this while I was in France and in Europe. And the incredible thing is that attacks against freedom of the press and confidentiality of sources can be carried out anywhere in any part of the world. And we have to ban this form of technology which dictatorships use against those who voice dissent. And as there are international forms of bans against weapons. Well, I think spyware should be included because it is an attack against freedom and sanctions ought to be adopted against those states that use, to this end spyware.
And we know that obviously there are links with terrorism that are being claimed. We know that this type of spyware should also be examined in order to consider as accountable those who developed it and use it. And we have to also add that the Moroccan government and the police actually crossed all the red lines of Moroccan journalists exiled in France who are threatened, harassed while they are in France. And in the face of this Pegasus spyware scandal, France has remained silent, members of the government and the president of the republic.
I am concerned it has been that I would like to end by referring to a case which actually. It’s significant when we consider that journalists refuse to bend to propaganda. I’m talking about the kingdom of Morocco’s case against French media that covered Pegasus: Le Monde, L’Humanité, Mediapart (incomprehensible in part) and fortunately, the prosecutor’s office rejected this request against which the Moroccan kingdom has appealed. And as a lawyer who is specialised in, let’s say, working to support multinationals and industries against journalists and this obviously impacts the work of journalists, we are therefore looking forward to the direct the proposed directive to safeguard whistleblowers, militants, journalists against abusive forms of recourse to legal action on the part of states and influential entities. Obviously, I think this directive would really be fundamental to guarantee freedom of the press. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Mrs. Moussaoui. Thank you very much for your your personal story and your wider reflections. Like I said before, we have heard throughout the work of a committee many, many victims of of Pegasus and every story is has its own impact. Thank you very much for sharing yours with us today. And I’m sure there are many questions from our colleagues for you after we also hear from Mr. Madjid Zerrouky, who was also a journalist at Le Monde covering the Maghreb region, and also worked extensively in the investigations in the forbidden stories of operation. So please, you have the floor as well for 10 minutes.
Madjid Zerrouky (Journalist at Le Monde): Thank you very much. Good morning, everyone, and thank you for having invited me here for this committee. Well, I am Madjid Zerrouky. I work at the international service at Le Monde. I work on countries in the Middle East and North Africa and specifically Algeria. Which brought me to take part in the Pegasus project. Because this is something that concerned states and victims in the Middle East and in Northern Africa with the participation of the kingdom of Morocco.
So in 2021, we worked with 16 of the media entities and with the laboratory of Amnesty International and the expertise provided by the Toronto Citizens Lab. And we worked on the piece of spyware produced by NSO called Pegasus. And this involved thousands of targeting of victims. This was done at the time for about a dozen countries. We identified the numbers of 180 journalists, 600 male and female politicians, human rights defenders, 500 entrepreneurs out of about 3500 phone numbers. We were able to identify on a list of some potential 50,000 targets. We weren’t able to verify everything. We reached a definitive list of targets of 3500 and about 50,000 potential targets.
In 2019, there was already an alert that was launched about Anderson Pegasus. Four people had been subjected to espionage. This was following an internal issue at the time. The company concerned submitted a complaint. This was WhatsApp and recently Apple did. So There were some revelations about a great number of victims, as you know.
Now, what has our data analysis shown?
You know, it shows that a large chunk of NASA clients. Concern terrorism? Well, actually, terrorism and combating crime is actually a very small part of the people concerned. It’s mostly journalists, human rights defenders, lawyers who have been the main targets of this spyware. And Pegasus has been used completely outside the law, even outside the national law of the countries concerned. And of course, this is only the tip of the iceberg because, as you know, there are other companies and pieces of spyware used and being sold to a number of states out there.
Now when it comes to journalists, you have heard what Rosa Moussaoui just said. She herself was a victim of this. She was targeted and we believe this was done. By a server and a client controlled by the Kingdom of Morocco. This is what we hear when we go and see victims ourselves. This very much corresponds to what we’ve seen as part of our work. We see the impact it has on their lives and the impact it has on our lives as journalists.
Now, I myself can tell you an anecdote, a very worrying one. About how I was confronted with this piece of spyware during this inquiry at the end of 2021. This was the end of the inquiry. I went to see a high level Algerian diplomat who does not wish to be identified. This is someone who’s a member of an international institution, and we knew that the number had been selected by Pegasus in a number of occasions between February and April 2019. But first of all, I wanted to make sure this was the case. I want to warn them that they have been targeted by a state. Warn him and then convince him to hand over his phone in order for us to analyse it. This was no mean feat. We were attempting, you know, convincing a high level diplomat to hand over the phone to a journalist from Le Monde. „Hello, Sir: Could you give us your phone with everything that’s in it for us to analyse it and determine whether a certain piece of software might be installed?“ Well, he finally accepted. I think it was a monday. It was a monday. First of all, he’d asked me for a bit of time to think. We’d set up a communication protocol between ourselves using landlines not directly linked to our Identities. And two years, two days later, he accepted that we have a look at his phone. And of course, I had told him that this conversation had to remain private, that this was extremely sensitive, that any release of information might threaten our own inquiry. And we were dealing with a very dangerous and changing situation. So he accepted the that our phone his phone be analysed and we realise I have been infected two days after my visit. So years after the first infections.
So what happened is maybe he talked about it with someone in his government and that means he was detected. So of course, I can can’t demonstrate that there’s a direct causal link between my visit and the fact that his phone was infected the next day. But you can imagine that there might be some causation there. This was at the very end of the inquiry. So I didn’t have a direct impact on our inquiry. But imagine that it had happened a few months before. And what if we journalists had been targeted ourselves, then they would have caught wind of our inquiry and we would have been under surveillance. We wouldn’t have been able to carry out the inquiry successfully, and it would have had an impact on our work and the safety of our sources.
Of course, this is something we raised already and as a journalist at Le Monde who decided not to be identified and not to make a formal complaint, even though we did determine that her phone had been targeted by Pegasus. We attributed this attack to Morocco and she chose not to talk about it because she was afraid to lose her sources and her source’s trust. So this is something that’s having a real impact. And she’s not the only one in that position. I know other journalists who decided not to have their identity revealed in France and abroad. And this is still going on because there have been promises from a number of states who claim that they’re going to clean up their act. But it’s nothing really, as we saw in Mexico last year.
Now, what can we as journalists conclude? Journalists who carry out this inquiry. What does this all mean for Europe? Given the existence of this type of company, this type of software, and the fact that states are making this use of it. First of all, we were able to determine that the use of these subcontractors by surveillance services isn’t new. But what we’re really witnessing is an Ubernization of espionage. There are more and more companies that are more or less covert that are providing services that used to be the exclusive competence of the state. It’s stuff that only used to belong to spies, Intelligence services. But here we’re talking about things that are quite cheap for NSO. It’s a few million euros to give you an idea, depending on the client. So it’s something that’s much more accessible and much less costly. That what some major states had to invest into the Cold War for surveillance or even intelligence missions. This is available to pretty much everyone now.
These companies are also very handy screens because. Countries are then able to deny any involvement. And since the sales conditions of this type of spyware are completely opaque or even secretive, states are able to deny ever purchasing these services. For example, Morocco claims it was never a client of NSO. And here I quote a former member of the French territory surveillance service published in the (incomprehensible). You used to work for France, but then worked for a Gulf country, and he was contacted or had a contact with NSO in 2016 as part of this. And this is what he says: „What NSA every time offered was to do away with the legal requirements for surveillance with a country, Israel,were NSO is based, that imposes no rules for the sale of this spyware. You can go somewhere and say you want to listen to so-and-so, no one will ever be the wiser.“ You can listen anywhere in the world. And that is what NSO was selling. So that’s the approach that NSO had with their clients.
Another thing is that we had sometimes difficult exchanges with the French government. Because after some revelations of victims, human rights defenders and lawyers had been targeted by this in France and also some politicians, some ministers and even maybe the French president. Well, we asked the authorities what was going on. But what we found out is that these companies and so and others were subjected to less scrutiny by French counter surveillance services. They admitted that if targeting of some individuals had escaped their attention, that’s because they tend to focus on other states, but they underestimated the ability for private entities to supply this type of software.
Now there’s someone I won’t quote directly. She worked for the French intelligence services, and at the beginning of the inquiry, he told me, I don’t believe in this, these zero click pieces of spyware. This is a fantasy. This is a novel you’re writing here. That’s the first reaction we have. Disbelief. And a further point I could discuss is that, you know, this is a new market for companies who have the possibility to to offer these tools to governments who are already suspected of violating freedoms. You have Morocco, the UAE, etc. So that’s for countries outside of Europe.
And finally, to conclude, I could talk about Europe. What about Europe? What about the tolerance of Europe for systems that threaten public freedoms? Two points I can mention here. You’ve worked on the most problematic cases, and I’ve looked at them, Poland and Hungary. And recently we’ve had Spain and Greece as well. Now personally. And I think at Le Monde many of my colleagues would agree. Say we can only agree that there’d be a moratorium on the use of these pieces of software we owe the EU, after all. And maybe the states could be allowed to use them if they show that there is a legal framework for the use of those tools and that it is abided by and that fundamental rights are protected and that this legal framework is actually applied. And of course, states have to show that they have carried out serious inquiries on suspicions of legitimate use in the past. I can also agree with what Rosa said. At the end of her speech.
And there’s also the problem posed by the European Commission. The commission, who is the guardian of the treaties, after all, amongst which we have the Charter of Fundamental Rights. It doesn’t seem to actually monitor the implementation of those rights, whereas it should. I think recently they defended themselves in a certain way. Perhaps they’ve changed their mind, but they said they were talking about how this would be a national competence because it would be about national security. But the issue is that we’ve seen that for two states. You do have journalists or politicians who have been targeted and therefore the argument of national security ss rather difficult to put forward. And finally, we thought that was a very weak response from EU member states and the EU itself. Regarding targeted surveillance of EU citizens by non-EU states because our inquiries have shown that it’s not.
There’s no retaliation against the U.S., China or Russia, but it’s retaliation against people who are citizens or residents of the EU. And this raises the question of the weakness of the EU in this regard. And finally. We at Le Monde are wondering about the ability of the EU to enact sanctions against these companies or the CEOs of companies who carry out actions that target EU citizens or EU residents or EU states. I think we should define the legal basis for such retaliation, even though this also brings about the embarrassing question of the use by Member States themselves of this type of software. And sometimes the software is also put on the market by European companies themselves, which doesn’t make the situation even more complex. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Mr. Zerrouky, for your contribution here, but also for everything else you have done. Because of course, without investigative journalists like yourself, we might not even have heard about the abuse of Pegasus or equivalent spyware in the European Union and beyond. So this this committee would not probably even have existed without the work of you and your colleagues. So thank you for that. And on the question of the sort of the functioning of the Commission and the EU member states in this regard. I think many colleagues will share your your concerns and your criticism. We’ll have a debate later this morning in the plenary about specifically this issue, because we need, I think, also more cooperation from both the Commission and the Member states. If we want to do something about what you call the imposition of of spyware, I think that’s a very, very eloquent way to put it. So thank you. Thank you very much. We will open the floor for questions and answers given the time. We’ll take all the questions in one go. There is no other option, unfortunately. We’ll start with our rapporteur, Sophie in ‚t Veld. Everybody else who wants to take the floor, please indicate so.
Sophie in ’t Veld (Renew): Thank you, Chair, and thanks to our two guests of today. I think your account underlines very well how this is not just it’s a big problem, a big violation of individual rights. Oh. Okay, So your account underlines not just very well how this is not just a grave violation of individual rights, as some people like to think, but that it’s also a big threat to to democracy when you are holding the Moroccan authorities to account, when you’re talking back to power, that you’ve become the target of spyware. So this is very much a problem of democracy and the rule of law. And I hope that your account is going to convince more people that we need to act, because not everybody is yet convinced.
Couple of questions in random order. So given that Pegasus can only be sold if the Israeli authorities issue marketing and export licenses, this means that they have issued those licenses for Morocco and that apparently they don’t consider that Morocco has a problematic record when it comes to human rights. Now, when the story broke in July 2021, the United States immediately puts the NSO Group, Candiru and some other companies on a blacklist. The European Union has so far failed to do so. What do you think about that?
Second question, which maybe also explains the first question is: I get the impression that Member States have very little appetite to tackle the exports issues because many of them are actually export hubs or even exporters themselves. Maybe you can say something about the French vendors of spyware, some of which have been taken to court by human rights organisations. They have been exporting to model democracies such as Libya and Egypt and some other places, and exports have taken place from Greece, Cyprus and Bulgaria to places like Sudan, Madagascar, Bangladesh and others. Are you together with colleagues from those countries investigating in those countries as well? I mean, other than Morocco, are you in other words, are you visualising the impact of the fact that the European Union is serving as an export hub of spyware to such countries?
Thirdly, do you know anything perhaps about the the the state of progress of the magisterial investigations that were launched in France and Spain? Um, and then in particular to Mr. Zerrouky: Le Monde has been reporting regularly about this, but given the the immense threat and also the role of EU countries, including France, I would expect that there would be even more and that this is not just a an issue of technology, but that this is a frontal attack on on democracy. My final question to you is, when you spoke to (incomprehensible), you said and we know that he is also looking into the issue of active privacy, so non-state actors. But I was surprised to hear you say that somebody from the French Secret Service said, well, this escaped our attention because we never expected non-state actors to engage in this business. But I understood that you mentioned that in the context of the spying on the French president and members of the government. But I always understood that it was actually the Moroccan government. So a state actor and not a non-state actors spying on the French government. But maybe I misunderstood. Those would be my questions.
Jeroen Lenaers (Chair): Thank you, Mr. Sikorski.
Radosław Sikorski (European People’s Party): To spy on citizens is one thing. To react when this activity is revealed is another. Could you possibly tell us the ranking of government reactions to your revelations, where you think the reaction was correct and where you think it was inadequate or downright hostile to civil liberties? I’m thinking of places where these revelations have caused the governments crisis and those places where all cooperation with those revealing the scandal and even official bodies such as this body has been denied. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Heide.
Hannes Heide (Socialists and Democrats): And thank you very much indeed to both of our guest speakers. My questions seek to obtain greater clarity in relation to a number of the details. My first question is the use of Pegasus in Morocco has been proven. Even though Morocco itself says that they’re not a customer. Which authorities and institutions in Morocco have used the software then? And like the rapporteur, I too would like to come back to the fact that non-state actors could obtain this software. Private persons. Could you clarify that for us? And how about the target group in Morocco? Could you tell us more about who these people are? And how about Morocco’s activities in European countries, in particular Spain? You didn’t mention Spain. And then a further question What is Morocco trying to obtain knowledge and experience? And what is the role of the Western Sahara in all of this? Thank you.
Jeroen Lenaers (Chair): Mrs. Bricmont.
Saskia Bricmont (Greens): Thank you very much. Thank you also for telling us about your experiences. It’s great to be able to meet with you. It’s true that we’ve heard from victims before, but you give us this additional dimension about foreign interviewer interference by third countries in relation to EU citizens. I very much regret. That our colleagues who work on this committee of inquiry, uh, and that others often can test some of the data that we need to base our inquiry on, and it would have been nice for those colleagues to hear it from you directly. Of course, we are not receiving any information from the government. So it’s really useful to be able to hear from you.
That said. I would have the same question about governments reactions. There’s a complaint which has been lodged by Moroccan authorities against your newspapers. Is there any support as a reaction from French authorities in this case? And what is your interpretation of the fact that governments, the French government in this case, I’m not really reacting much at all. Qatar Gate. Morocco gate. Israel gates. You would think that that would prompt a different reaction. This is all the extension of what was happening with Pegasus and other spyware. That is foreign interference, basically. And it doesn’t seem to be jolting governments into reacting. So what about the lack of reaction then on the part of the EU? By EU I mean the member States and the Commission. It doesn’t seem to be much of a reaction at all to all of this. And are you continuing with your investigations then? To see whether European affairs and and foreign affairs are taking up this particular point with Moroccan authorities, or is that an area where you don’t really do much work? I’ll leave it at that for now. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Puigdemont
Carles Puigdemont i Casamajó (Non-attached): Thank you. And I would like to thank our guests for their participation. And both Ms. Moussaoui and Mr. Zerrouky have indicated that journalists have to go undercover, almost given the atmosphere of silence and violence. You’ve described a situation that is similar to what has been described by other witnesses who were attacked by an authoritarian, not by authoritarian country like Morocco, but victims of the same form of attacks in Europe. So I’m wondering how we would evaluate the attacks perpetrated by governments that we believe have the necessary tools and European states which do exactly the same thing and generate the same form of silence and violence vis a vis dissidents, journalists and so on and so forth. And that was my first question.
Second question. According to your investigations, according to the information at your disposal, would it be possible to establish a link between the use of the spyware by on the part of the government and the changes that we’ve seen in the Spanish government vis a vis Western Sahara? Because there is some evidence or at least some credible indication that the software may have actually played a role in terms of political decision making with respect to what we’ve seen in the European Union. Thank you.
Hannah Neumann (Greens): Thank you, Mr. Chair, and thank you to both speakers who are here today. And I would first like to ask you one questions as basically being victims of espionage. I mean, there was a spyware attack on you as French citizens that was infringing your fundamental rights. And in by concept, the French government is in charge of protecting you from this kind of attacks. So I wonder very much in line with the question of Mr. Sikorski, do you feel that the French state is doing enough to protect its citizens, including you, from this kind of attacks and to do enough if they prove to be true? Well, to stop it.
And then my second question goes to us as journalists, because there has been at the same time in like it done most likely by Morocco, an attack on the French president and Mr. Macron, but also and also now within the French system and maybe other parts of the government. And it’s not just the personal issues. So it’s not an attack of Morocco against Macron, but it’s an attack of Macron and the French state and its institutions. So for me, the question is, would you say that they defended themselves enough? So basically Macron didn’t have to defend the French state of this attack from a third country. So here I would just like to hear your own assessment and well, if your conclusion would be they didn’t do enough to protect you as a victim and they didn’t do enough to protect French state institutions, who should who should be the ones then stepping in?
Jeroen Lenaers (Chair): Thank you very much for all the questions. That was the end of our speakers. There’s a problem, Mrs. Guillaume?
Sylvie Guillaume (Socialists and Democrats): No problem. But I thought I’d been included in the list of speakers to ask questions. Okay, then I’ll be very, very brief then. And of course, a number of the points I wanted to raise have already been raised by my colleagues, of course. But there are two things I had in mind. Following what’s just been said: You described the French surveillance services as being almost prehistoric, although pre-Internet. But I wanted to know if you had an answer from the government. About your situation and that of your colleagues. And I have to apologise to Ms. Moussaoui. I arrived a bit late. You mentioned a gag or complaints or SLAPP suits. Well. What would you be requested regarding those for the future European legislation? Thank you and sorry for hitting the floor so late.
Jeroen Lenaers (Chair): No, thank you. I missed I missed your your request of the floor address you would have given immediately, Of course. Thank you all. We will request you to answer the question so you can. There were quite a few of them. So we’ll continue to to make your best effort. Thank you very much. And we first past the floor. Unless you want to have a different sequence. Yes, Mr. Zerrouky.
Madjid Zerrouky (Journalist at Le Monde): I think that’s a lot of questions that were asked. I’m going to try and give a bit of clarification first. First of all. About what the former member of the French intelligence services told us and what we heard off the record when they were talking about surveillance, they were talking about the company and the software, not the Morocco or state. I suppose what they were recognising that they had underestimated the ability of those private companies who are linked to a military industrial complex, actually, you know, former Israeli intelligence officers, etc. But despite that, they had underestimated? Well, to begin with, the capabilities of the software and the ability of the software to provide capabilities to states. Now, of course, this was said off the record and it’s the views of individuals and it doesn’t necessarily represent the views of the majority within the French security apparatus. That’s always the problem when you have comments off the record, of course.
Another thing really is the lack of reaction or transparency that we have come across from the French authorities when we raise the question of institutions under attack of French politicians being targeted. When we raised those questions, we journalists were told: „We’re taking what you write into account, What you’re talking about is extremely serious. And if it did happen, it’s very serious and we’re going to look into it.“ But the results of these inquiries are things that we hear off the record once again. Our colleagues from Mediapart have indicated there were at least two, three, four serving ministers who were, it emerged, targeted by Pegasus on the phones. But this is stuff we heard off the record. So out of 15 ministers and state secretaries, four were targeted by the Pegasus software. But we’re not getting clear answers.
When it comes to the French defence capabilities: What we know what’s happening, but we don’t know what’s what’s actually happening. We know that there have been official meetings and there have been some conversations perhaps, around you on a bit of a difficult conversation between France, Israel and Morocco. We know that France has taken measures to make it so that French phone numbers cannot be targeted by NSO or other Israeli software. Allegedly, Israel made some assurances to that effect, but these are all guesses that we’re making. We also suppose that Morocco no longer has the means to do what we were still doing three years ago, that its capabilities have been restrained somewhat. But does it really still have those capabilities or not? We don’t really know. We thought that things did happen. Might have happened at a bilateral level and that those have constrained democracy capabilities somewhat. What we’re seeing is that states are trying to solve all of this bilaterally. That goes for France and maybe for others. But the questions, the question would have to be asked to countries one by one.
Regarding other software in other countries. We’re talking a lot about Morocco here, but there are others. We’ve had inquiries by other journalists. The French software is used in Libya and Egypt. It’s the same thing every time there is an investigation. But we can feel that on the French side and on the side of the French justice system, there’s no willingness to really investigate. Because there’s a bit of an omertà going on, you know. A lot of silence on the French side because French interests are at stake, because this is a French company we’re talking about. So you can see what the picture looks like. And this is an issue. When it comes to the other investigations: Pegasus, etc. This was some a dozen countries, including India, and a number of media outlets, looked into it.
I’m going to try and answer the question asked by Mr. Puigdemont. Well, no. For us, there’s no difference between a legitimate surveillance carried out by an authoritarian country or a democratic one. If anything, it’s even more serious if it’s carried out by a democratic one. These pieces of software are digital monsters, and they contaminate our democratic spaces. And they have emerged in countries that we thought were immune from this type of excess. But this demonstrates that it’s not the case and that there is total lack of control within states themselves. And when some states allow themselves to go this far. Then within the union, we should ask ourselves how we can limit member states folk from going that far. How can we do that? Maybe at European level. In the present and the future. And according to the level of gravity of those infractions. This is a question we should look into and transposition.
Rosa Moussaoui (Journalist at L’Humanité): There is a question on the use of software developed by European companies in the case against a number of French journalists. And the Humanité article actually covers previous uses of software, spyware, on the part of Morocco. And the first documented use actually targeted the (incomprehensible) that began during to operate during the movement of June 2011. And this was spyware developed by (incomprehensible), an Italian company. And you will recall that the export authorisation was withdrawn after the death of Giulio Regeni, the young Italian who was tortured to death in Egypt. So obviously there’s no doubt as to the use of the spyware. The question is whether the French government has done enough to protect us. I actually believe that the French government has done absolutely nothing to protect us.
On the 15th of February 2019 in Paris, a number of Moroccan human rights defenders, exiled journalists, mainly from the Moroccan Association of Investigative Journalism, organised a conference to defend freedoms in Morocco. And this was in a room only minutes away from Paris, in the Republic and Paris. And this conference was suddenly interrupted by members of the regime, supporters of the Moroccan regimes. They produced a blackout, chairs was overthrown, and there was no follow up given to this incident, despite the fact that it was reported to the police. And this was the case despite the alerts launched by us time and time again, we were told basically that we shouldn’t in any way say do anything that might trouble the Moroccan authorities. And this was done when an attempt was made to act against the representative of the security services. This investigating judge was invested with the case and this individual was convened. This triggered a diplomatic crisis. And as a result, the protocol of the judiciary of agreements between Morocco and France was actually amended to prevent this from happening. He was an officer from the Moroccan intelligence services.
And so clearly there is some common interests between Paris and Rabat, which are based on a very well established relations. And so when Morocco is involved, there is no reaction. And there’s something that was as one sentence has been repeated, if this had happened, it would be very serious indeed. And this is something that was used as a as an expression by representatives of the inter-parliamentary group for friendship between France and Morocco. And this was echoed in the media in Morocco. And the explanation was that this was an unacceptable attack against Morocco. And these investigations were based on, let’s say, uncorroborated charges on the part of journalists. And therefore, they this really ended up by trying to discredit the investigations carried out by 17 media outlets. And we’re seeing this with the Morocco gate situation, some in the political scenario in France. Actually, in part succeeding in, let’s say, setting this aside, in the case of the Pegasus case, it really took a long struggle before an investigation was launched.
And so this is the situation we’re faced with at a political level. The only thing that was negotiated was the exclusion of, let’s say, the use of Israeli produced spyware. This was done by the UK as well, and it happened in the U.S. But there’s no, let’s say. Impact with respect to Israel or a full ride with Morocco. And there was a question with regard to the Western Sahara. Well, I think that the latest events that occurred in the European Parliament have actually brought to light this peddling of influence that really stops at no, let’s say, method whatsoever, including criminal actions to ensure that Moroccan positions may prevail at a diplomatic level. And we know that obviously this is relevant to with respect to the Sahrawi people and the right to determine self-determination.
And we’ve seen instances of aggressiveness and the use of spyware means obviously being able to examine what goes on in people’s private sphere. But it also means, let’s say, identifying elements that can then bring to light aspects that could lead to blackmail and could actually silence any attempt at protesting. I know that in France, some of the French elite is completely aligned with the positions of Rabat. Whatever they may be will have used this method repeatedly, and it’s very hard to sort of pick out the threads of this intricate web. Thank you.
Madjid Zerrouky (Journalist at Le Monde): Just to come back to the complaints that have been made against our media, where we do have some protection in France on the French law and the French case law, which stipulates that. Morocco triggered that case-law. But as the Court of Cassation in France, whereby it is stated that journalists cannot be attacked for defamation. But certain cases, we’ve brought four in total, I think, two still pending, so four cases. But that was covered by the French case law. Now. Why are proceedings being brought? Well. I think the lawyers knew from the outset they weren’t going to win. But of course, they want to occupy the media with this. They’re saying we’re taking them to court. And they are doing this so that they can fill the media with reports about calling into question our work. This is a case of defamation. They’re not reporting on this correctly.
But, of course, we, Le Monde, Radio France, we’re not small media outlets, so we can afford lawyers. We know that this the French case law that protects us. So they’re not really coming after going after us, really. But they’re still trying to intimidate by bringing these proceedings and they’re intimidating media outlets which might not have the same means to defend themselves as we do and media in other countries. We’re protected. In France, of course, I don’t know what the situation is elsewhere in the other countries, even European countries. But I know the legislation differs from country to country in particular when it comes to cases of defamation and so on. So in France, we ourselves, when it comes to Pegasus are not really at any great risk. But I don’t know whether the same is true elsewhere.
Rosa Moussaoui (Journalist at L’Humanité): In closing, then. On this very point, we’re not at risk in this particular case because this is case law that stops foreign powers from attacking French journalists for defamation. But of course, these proceedings are brought to make us waste time. We need to put resources towards this to defend ourselves. It keeps us busy, of course. We could be using our energy to carry out our profession and go about our work. But of course, it also needs to self-censor on the part of journalists. Some journalists will think, well, even though we’re sure of our investigation, you know, proceedings take a long time. It takes up a lot of energy and time, and we’d rather not have to deal with that. So journalists will shy away from making certain points vis a vis multinationals or countries, because I think we’re just getting ourselves into difficulties. They’ll bring a defamation suit and it’s going to lead to a lot of waste of time and energy on our part. Now, what protects us in France is case law in relation to foreign countries, but it doesn’t cover multinationals, for example. So it would be useful to have a European framework that grants protection to journalists or whistleblowers and our sources. And that way we can continue going about our profession without having the Sword of Damocles hanging above, above our heads and without us being muzzled. And that way we would have great progress for media freedom if we could have that framework in place. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much. I mean, it’s it was a pity that we had to suspend the meeting last month. But I’m very happy after today that we managed to to hear from you directly here in the room. And you were able to answer all the questions that the colleagues posed. Think it was very, very informative and very useful for the work that we want to do. And I would also like to invite you to to keep a close eye on the work that we do and to proactively also remain engaged with the work that we do, which would normally come to an end in the next in the next months. With the adoption of the report and the recommendations under the leadership of our rapporteur. So thank you very much. And due to time constraints, I would like to move immediately to the next panel. So I would like to invite Mr. Rowland Corr to come to the the podium so we can continue with the next. I thank you very much. Thank you. Yes. All right.
Hearing 2: Spyware and telecommunication companies
Jeroen Lenaers (Chair): So we’ll continue with the next point of our agenda, which is an exchange of views on spyware and telecommunications companies, which was requested by many of our colleagues and to exchange with us today. I am pleased to welcome Mr. Rowland Corr, who is the vice president of government relations of ENEA, and they are active in the field of software for telecom and cyber security, and they offer solutions to connect and secure services for mobile communications for for many, many companies and many citizens that rely probably without even noticing on your on your software. So thank you very much for being with us. I would like to also give you the floor for for about 10 minutes and then we open the floor for some questions and answers with the with the members of the parliament. Thank you very much.
Rowland Corr (Vice President of Government Relations at ENEA): Thank you, Chair and members, for this opportunity to speak before the committee. My name is Rowland Corr and vice president of government Relations at ENEA, which is a publicly listed company, a multinational headquartered in Sweden. ENEA specialises in telecommunications and cyber security software solutions relevant to the focus of the committee, as has been highlighted by the Chair. And it has received industry recognition as a leader and innovator in mobile telecoms security for protective solutions, research into vulnerabilities and contributions to the development of industry guidelines. And a core area of our business indeed is securing telecoms networks and subscribers against unauthorised intrusions of the kind I want to speak about today.
Jeroen Lenaers (Chair): Just for the interpretation to speak a little bit slower.
Rowland Corr (Vice President of Government Relations at ENEA): Certainly. Thank you. Thank you. I would like to preface my intervention by quoting a remark made by committee rapporteur Ms. in ‚t Veld upon presentation of the draft report to the effect that the challenge presented is about more than spyware. Referring to the many different entities, aside from spyware vendors which have agency in this issue, not only are there other actors to reckon with, there was other spying executed over mobile networks. That is relevant to the committee’s purpose of gathering information on the extent to which Member states or third countries are using intrusive surveillance to the extent that it violates rights and freedoms enshrined in the Charter of Fundamental Rights of the EU, unquote.
There are three key points I wish to make for members to take away. Firstly, spyware is the tip of the iceberg in mobile telecoms surveillance in that there is much besides that remains on scene where vulnerabilities in mobile networks and gaps in governance in various contexts enable in access are exploited by threat actors to execute unauthorised intrusions with impunity. Secondly, EU based infrastructure is exposed to use by third country actors. Often, along with infrastructure, they control in other regions globally as a tool to conduct surveillance in multiple regions worldwide, including within the EU. Thirdly is this area of risk is neither widely enough understood, well enough recorded, nor indeed well enough integrated into national frameworks where a critical infrastructure protection, cybersecurity and national security intersect. The key to improving resilience arguably lies in emphasising capability over compliance on the part of stakeholders, be they operators, regulators, cyber agencies, for example.
The potential for access to EU based infrastructure to be used by attackers as a tool for surveillance, separate from the use of spyware, is the scope of my remarks. There is significant parallel between these issues and mobile telecoms security most fundamentally in the affects achievable which, taken together, implicate a similarly systemic threat. The committee has highlighted potential systemic risk attached to the international trade in vulnerabilities and spyware exploits. Here, too, there is an important parallel. The other side of the coin, that is the trade in exploits, could be called commerce and access to telecom infrastructure within the EU. This area of telecoms vulnerability is mobile telecoms signalling and the abuse of access to sector and infrastructure.
To put this vulnerability into context for you as an area of surveillance risk, we might say that where the use of mobile spyware weaponizes the personal device of the victim, the use of mobile signalling weaponizes the networks surface. Subverted in the hands of attackers, the surface becomes the cyber weapon and the surveillance. The key term here is interconnection. The mobile telecoms interconnection model, originally developed in the mid 1970s, was based on assumed trusted access. Over time, additional functionality and additional protocols were developed. This led to the creation of interoperable global infrastructures that could offer attackers should they be able to gain and exploit access: immense potential utility for surveillance purposes.
This is because there was comparatively little, indeed: scant focus, on security as mobile technology and services advanced. And this has been marked by ENISA importantly, the cybersecurity agency for the EU, who also highlights the comparative ease with which access to signalling systems can be gained through commercial agreements. This has been enabled in the first place by deregulation and opening of telecom markets, where that has been an important business enabler and service enabler for consumers. It also allowed non-state actors to acquire a level of surveillance capability that had historically been the preserve of governments.
But what has also happened over time is that state actors have come to make use of non-state actors not only as proxies, but as partners in execution of surveillance efforts. Such as the environment and ecosystem, particularly for Europe. But this state level surveillance threat can involve cooperation between a state actor on the one hand and multiple non-state entities on the other. In the first place, these being cyber surveillance providers who are contracted to conduct targeting activities by nation state entities. In this scenario, the cyber surveillance provider will typically partner with a telecom service provider who often have themselves leased their access in turn to resources and infrastructure from mobile network operators.
With so many degrees of separation, it is important to note that the operators, whose resources and infrastructure may be exploited in this way, may be unaware of the abuse of access. Such partnerships enable threat actors to extend their capabilities to acquire infrastructure in different countries around the world and to remain hidden. We estimate that today, mobile infrastructure and resources from more than 50% of EU countries is exposed to utilisation and attacks by third country actors. Through the combined exploitation of the openness of markets, absence of controls on top of vulnerabilities, themselves in mobile signalling and a deficit in capability to detect threat.
As to the attacks, aside from spyware, it is crucial to understand that these go beyond mere eavesdropping. Eavesdropping implies that individuals might only be targeted when they’re actively using their device. Today, however, subscribers privacy and personal data is not only at risk during calls or when sending or receiving messages. Mobile signalling enabled surveillance also involves invoking communications where attackers send commands into the core mobile network of targeted networks for the purpose of prompting the return of information to the attacker about the subscriber. This enables exfiltration by attackers of unique identifiers associated associated as well with victims such as mobile phone number, which of course qualifies as personally identifiable information. Also location, acquisition and tracking while incorporating the defence evasion. This in addition to interception of calls, credentials and messages which importantly include SMS one time passcodes, for example. Most people use for authenticating social media accounts and even bank accounts.
Furthermore, threat actors continue to innovate and experiment to find more effective attack techniques within the functionality of these legacy protocols, such as their continued utility and importantly, also the projected utility into the future. They do so by crafting commands in unusual ways. Attackers innovate by crafting commands in unusual ways. This offers practically boundless variations to exploit threat data and to bypass protections. An important element of this activity is the intelligence that can be gained by attackers regarding the level of protection in different networks. This so important, in fact, that it constitutes an observable line of effort in its own right for attackers, which is network reconnaissance. The most advanced attackers probe networks all over the world. Not only to determine which are vulnerable, but how they’re vulnerable, how they handle or rather how they mishandle unexpectedly constructed or righted commands which should not be authorised.
We estimate that such reconnaissance may target 70% to upwards of 90% of operator networks globally in any single instance re-occurring at intervals of short a several weeks today. Such activity is masked, but it is never indiscriminate. It is always delivers. With different countries targeted with different volumes and types of traffic.
Different countries are exposed to different levels of risk. What is important for all to consider is that there should be a capability to be able to determine the level of exposure and to be able to respond to any changes. Operators should strive to implement as many GSMA recommendations on interconnect security as they can. But at the same time, this is not rely on that compliance as a guarantee of resilience. Attackers move beyond guidelines, and that’s where defenders and defence needs to be as well. Accordingly, operatives should have the capability to check for leakage of information, as it is termed, from their networks around, and despite protection that they have in place and where discovered, they should be able to determine the likelihood that it was deliberately induced.
I’ve mentioned that the security environment is not static. An important factor in this is that operator networks themselves do not remain. Static nodes are replaced, policies are updated, and attempts to infiltrate a network which fails today from an attacker could succeed tomorrow, even if they do nothing different, even absent innovation. That is why when it comes to mitigation, it is important to emphasise capabilities over compliance. Signalling security, the security of interconnections in electronic communications, has been described by ENISA as a critical area in electronic communications. Because we still use this legacy set of protocols to assure the interconnection between providers. This conclusion, published in 2018, is all the more true today.
As 5G continues to be adopted worldwide, the need for secure into working between protocols, between network elements across generations of technology and the need for secure interconnection nationally and internationally presents an increasingly complex and critical area within electronic communications. Threat actors ability to acquire access primarily through leasing arrangements from EU operators. Their ability to exploit vulnerabilities inherent to the telecom protocol’s interconnection. And the ability to identify vulnerable networks and bypass defences combine to make this legacy security issue a very current surveillance threat. Thank you for your attention. Happy to take questions.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Mr. Corr. And just to to for the interpreters have a very, very important and also very challenging job translating what we say in 11 of the languages. And if we speak too fast, which I’m always a perpetrator of myself, it becomes even more difficult. So that’s why we always ask to to try and and speak not to too quickly. We will now go into the Q&A session. I will start with our rapporteur, Sophie in ‚t Veld, and the other members who would also like to take the floor. Please indicate so we can add you to the speaker list. Sophie.
Sophie in ’t Veld (Renew): Yes, Mr. Corr. Thank you very much for your for your testimony. My first question would actually be very practical one. Is it possible to get your speaking notes so that we can sort of read it again and digest it with a bit more, more calm? Because I think it was very dense, but also one of the most alarming testimonies we’ve had so far. I think we focusing very much on spyware and on what governments are doing, but we are becoming increasingly aware of the role of telecom networks in in all of this.
I have a series of questions in random orders. Order. You you’ve highlighted the weaknesses, vulnerabilities, the problems that telcos are facing. We know that traditionally states have always demanded, let’s say, backdoors in telecommunications networks. I mean, from the time that the telephony was invented. Yes, there’s there’s always been a legal obligation for the providers to provide access to to state authorities, like deliberate vulnerabilities, if you want. And there there’s, of course, a dilemma. If if state or state actors or like the European Union, a political entity, wants to protect its system, but at the same time keep access itself because states are doing the same as some some other actors, but maybe with different intentions. Can you say something about those deliberate vulnerabilities?
Um, we had invited also telco providers to appear before PEGA, but they’re not terribly keen. Well, your view, your explanation for that.
Third question: Do you see better awareness and better knowledge, better understanding in the United States than in Europe? Um. Then do you have an estimate? I mean, you’ve been saying a lot also about the standards recommended by ENISA. Can you say something about how many providers in your view would actually meet those standards? And isn’t it so that they’re already struggling to provide a basic level of security, never mind security against this kind of very invasive and highly technological spyware then? Is it let’s say that there’s one member state in which there are some very weak networks or networks with very weak protection: What does that mean for access to to targets in other member states? In other words, could it be that if in one member State there are weaknesses, that that will also jeopardise people in other member states, or that indeed people in one country having access to SS7 or Diameter as it’s called, i.e. via their ownership of a telco company, if they can spy on somebody in other countries? Um. Yeah. I’ll stop here.
Jeroen Lenaers (Chair): Maybe since these saw quite a number of questions already. Take these first and then if anybody else wants to take the floor, please indicate.
Rowland Corr (Vice President of Government Relations at ENEA): Thank you for your questions. First, of course, we’d be happy to provide speaker notes. And then to your question on the phenomenon of deliberate backdoors, as I think you have characterised it. There’s a role, of course, for telecoms operators and service providers in supporting law enforcement activities. I think the area of risk here is how these vulnerabilities and the openness that I referred to, the ability for state threat actors to gain commercial access to interconnection systems, to signalling systems around those frameworks actually, so without the need for any agreement at all, beyond the agreement that gives the the the threat actor the ultimate end use and effect of the use of those resources by a telecom service provider. As I have said, or operators who may be unaware of the actual abuse.
So I think that separation between the end user of the surveillance, as it were, the intelligence gained and the actual access that’s exploited can occur in a really important way and a really dangerous way around that actual phenomenon, separate to the phenomena of backdoors and all of that entails, where governments are engaging with operators for access, for investigative purposes or whatever other. And really the context as to why participants may not be keen. I mean, I would be called upon to speculate there, and perhaps I shouldn’t. Well, yeah, no, I think I shouldn’t.
As to how many providers haven’t been, what level of protections. When it comes to those that can put together a threat picture, I think it’s fair to say there was no private company and there was no competent authority that can offer or can put together a perfectly exhaustive threat picture. And I think for that reason, the picture of any one individual provider that has one is going to be misrepresentative to some degree. And that’s why we have sought to emphasise the structural conditions and the nature of the ecosystem that we’re aware of. Rather than speaking about individual countries, because it could be it could be misrepresentative and just for that reason alone, if they left, it was not appropriate or was more appropriate, more useful ultimately to keep the focus on the environment itself.
And then there there was a question on…. Is collective security only as good as the weakest link? If I’m paraphrasing one of your questions. There is. There’s a lot of moving parts. Of course, there’s a lot of complexity in interconnection. But the interconnected nature, of course, of telecom systems, infrastructures. Those are low for vulnerabilities in one network to afford attackers use in attacks. It is not, of course, always straightforward either, whether there are other factors, but it is that can be true in some circumstances. And if I missed the question, please remind me.
Sophie in ’t Veld (Renew): No. One question and half the question that came up from your answer, the question about if there is greater awareness and understanding in the in the US. But as you confirmed that the fact that there is a whole ecosystem that all these networks, the national networks, are connected. Would you agree with me that let’s say a government gets a majority share in the ownership of a national telecom provider? In a just random hypothetical example, Hungary? Would you consider that that is a risk? I mean, that through that network they could gain access to targets in other countries? Is that possible?
Rowland Corr (Vice President of Government Relations at ENEA): I’ll take the question on the U.S. Based on the amount of messaging and reporting in the U.S., there’s clearly a strong knowledge, I think, an awareness of these specific vulnerabilities. That’s also true in the in the European context. I referred to ENISA reporting. You know, these vulnerabilities have been acknowledged and progress has been made in protections. The problem is actually one of implementation. So the question of whose knowledge is stronger, I think a more important and better question is how are we able to implement and execute.
And your question on the risk, I mean, again, I think it’s better to speak about the environment as a whole. Any any entity that can send out direct access, unfettered access to telecom networks and knows how to use them, because that’s another thing. Can, of course, abuse that access or can use it within or without the scope of legislative frameworks if if that is even within their capabilities. So there’s no threat or answer to that. And again, I think it’s better to focus on the environment itself and the scope for access to be abused by by any anti whether it’s direct access or through multiple layers of proxies, which I have spoken to, rather than speak to individual cases which which I can’t.
Jeroen Lenaers (Chair): Thank you very much. Róża Thun.
Róża Thun und Hohenstein (Renew Europe): Thank you very much. For being here and sharing with us. You have knowledge, experience of many years, a niche expertise and basing on this. I would like to ask you how many telcos in the EU and not only in the EU, also globally have implemented this baseline security measures for each category of networks. I mean, 3G, 4G, 5G, and how many telcos in the EU have achieved the third, the third security standard. And maybe if you could, the if possible, in a simple way describe the levels of of those security standards referred to to those ENISA guidelines, the basic one, the industry standard and the state of the earth, if if possible. And continuing on the question of Sophie, who has access to those seven the communication to the SS7 communication protocol, it is this we spoke about foreign activities. Are those foreign entities monitored or their activity? The the the activity of foreign entities is somehow monitored. Is it controlled? And how if you could maybe say a few words about this. Thank you very much.
Jeroen Lenaers (Chair): Thank you very much, Mr. Corr.
Rowland Corr (Vice President of Government Relations at ENEA): Thank you. I get the question on how far different categories of protection have been implemented across Europe. But the data to actually answer that question is in so many different quarters and the position of so many different stakeholders beyond any individual company. That question can really only be answered, I think, collectively, cooperatively between the public sector and private sector stakeholders who actually have all the pieces of the puzzle because there’s not a lot of data to to put that together. Who has access? Well, yes, to your question, I think touched on the the nature of the I think the telecom providers who I mentioned are contracted for access by cyber surveillance providers.
There are different types and companies come and go. Services can change and evolve. And even the particular technologies that are involved also change. That is why we felt the most meaningful and useful term is to describe or is telecom service providers where interconnection access is a part of the service delivery. There was this this is, as I as I mentioned, fundamental to so many services used by consumers. It enables mobility that we rely on day to day. So it is ubiquitous. This level of interconnection, the point being that its use of operators assets by telecom service providers contracted in that model that I aligned, which is one model, but an important one by cyber surveillance providers who are in turn, of course. Contracted by nation state entities in the first place. I hope that answers your question. Thank you.
Jeroen Lenaers (Chair): Thank you, Miss Delbos-Corfield.
Gwendoline Delbos-Corfield (Greens): Yes. Since the beginning. And you’ve partially answered now? Since the beginning, I’ve been wondering because you gave this alarming number that Sophia alluded to that you mentioned 50% of telecoms network have been under attack by third countries actors. You get this in full by the ENISA, I didn’t. What is your capacity, the academics working on this or those those working on this, what is the capacity to exactly know all of this? Because you said it. It’s in each corner. It’s stakeholders. Companies come and go. Are they always very open in what is happening? Exactly. You also have state companies. So wouldn’t the national security protects come in and all of this. So what’s exactly the the quality of what you can know and not know. And what exactly can we see in these attacks? That would be my first question.
The second question is that if the number is so big would do, what could we propose would, given this big security gap, should we have a collective approach in the EU to close security vulnerabilities? And then my third question is, is related also to to Sophie’s question, because, of course, we all have in mind the the Hungarian situation, the this this four countries indeed attacking. But we also have seen in the (incomprehensible) that in fact a number of member states themselves are spying on the people, being activists, journalists or opponents if they were to do it for their own telecom, national telecoms, you, we would have no way of knowing.
Jeroen Lenaers (Chair): Thank you, Mr. Corr.
Rowland Corr (Vice President of Government Relations at ENEA): Thank you. Regarding the estimates that you referred to initially over the period, actually, for clarity sake, we estimate that mobile infrastructure. And resources from more than 50% of EU countries is exposed to utilisation in attacks by third country actors. So I’m talking about the use of infrastructure to conduct unauthorised intrusions in multiple regions globally, and this also occurs within the EU.
To your question as to what do we see that goes to intelligence, of course, a very sensitive area, but we obviously are unauthorised intrusions. We see the direction of traffic and commands that are. That should not be authorised and that are illegitimate, that they’re not legitimate commands, and that these cause effects in the invulnerable networks which return information on subscribers and on the networks to entities that based on our intelligence, we are able to assess so where the knowledge or the confidence is hand on to be threat actors. And this is based of, this is based on many years of experience and of course, having a threshold of global coverage. Because I did refer to the global scope of threat actors activity. That’s one of the it’s called identifying characteristics of the threat activity that I’m speaking about and which we observe on an ongoing basis.
Can we close the gap collectively? Absolutely. I mean, I think that’s not the only way there’s a role for public private partnership. All stakeholders, I think, can achieve much willingly coming together and cooperating. I mean, it is often said in these contexts and is often recommended better information sharing and intelligence sharing. Of course, that’s key that that’s important, too. But that presupposes that the intelligence can be generated adequately to reflect the threat picture the actual threat landscape in the first place. That’s why we’ve sought to emphasise capabilities. Is there sufficient visibility of threats? Our stakeholders are individual EU member States sufficiently capable of evaluating their level of exposure. I think through through that we can move towards some measurable, meaningful indicators of resilience collectively.
Jeroen Lenaers (Chair): Thank you very much. There are no further questions. So I’d just like to take this opportunity to thank you, because that’s so in itself, rightly said not all the representatives of telecommunications companies that we invited to exchange with our committee were willing to to appear before us. So that the fact that you have done is is very much appreciated. We also very much appreciate your offer to to share your speaking notes with us, because I think it’ll be very interesting for those people present here today, but also the ones that were present to to be able to read them back in in in full. So it was very informative. Thank you. Thank you very much for your contribution also for allowing us to and within a reasonable time so we can all make our way to the plenary debate for the oral question on the principle of sincere cooperation with regards to the PEGA committee, which we will start around 11. Normally just for the members of our committee.
The next meeting we have foreseen is on the 27th of March at 3:00 in Brussels. Before that, we will have the mission to Spain, Monday and Tuesday of next week. This just to inform you, this mission has been slightly more complicated because of the debate and the vote on a motion of censure of the Spanish government that will also take place on the Tuesday and Wednesday. So we’re working very hard to, in these circumstances, still have a good agenda and meet as many interlocutors, relevant interlocutors as we possibly can. So we’ll keep you informed on that. But I look forward to to see quite a few of you on Monday afternoon in Madrid on the 27th of March in Brussels for a full committee hearing again. So thank you all very much. And for those who are travelling back today, have a safe journey. Thank you very much once again, Mr. Corr.