Translated Article: Further Wrangling in the Council of Ministers over Competences for Europol
Weiter Gerangel im Ministerrat um Kompetenzen für Europol by Erich Moechel for fm4.ORF.at
A majority led by Germany and France does not even want to give Europol the power to initiate transnational investigations itself in the event of a major cyber attack.
On Monday the EU Council of Ministers decided on an approach for a new cybersecurity strategy. A network of “Security Operation Centers” across Europe will form an early warning system against attacks, and a new “Joint Cyber Unit” will be responsible for crisis management. In addition, they want to promote strong encryption methods together – but with back doors for law enforcement officers.
Whether this collection of buzzwords will actually become an EU-wide implemented strategy is very much in question. The ongoing discussions in the Council of Ministers about the planned new powers of Europol give little cause for optimism. As it currently stands, Europol will not even have the power to initiate transnational investigations itself f.ex. in the event of a major cyber attack.
No coordinating role for Europol
Both the Council heavyweights France and Germany, but also Romania, Hungary and the Czech Republic have in principle spoken out against Europol being able to commission transnational investigations of its own accord, even if the offence itself falls directly under Europol’s mandate. This includes all serious crimes that affect more than two member states, which is typical, for example, of the attacks by international encryption blackmailers which have been rampant for years.
In Romania’s submission, for example, it says: “Authorization to initiate investigations would exceed the limits of the Europol mandate because Europol would have a coordinating role in it.” In the leaked compilation of the Council of Ministers, only Spain could be identified as a dedicated supporter. “In this sense, we see the initiation of investigations covered by Article six of the Europol mandate, so an amendment to the regulation is not necessary”.
Sovereignty, technical expertise
Romania also considers an expansion of Europol’s powers to “fight crime in connection with the Internet”, in particular the coordination of the defence against cyberattacks, as inappropriate, especially since, in its opinion, these are not included in Europol’s mandate. The Czech Republic can at least imagine that Europol will exercise such a coordinating role, albeit only after a request from a member state. Spain, on the other hand, refers in connection with “large-scale cyber incidents” to a recommendation of the EU Commission from 2017 and suggests that if “an incident of such high technical or political significance” occurs, it should be regarded as a crisis situation, “which requires timely coordination and countermeasures at Union level. “
As it is easy to see from the statements made by Spain, this delegation apparently has enough technical expertise to realistically assess the facts and, above all, the requirements in cyberspace. With the best will in the world, this cannot be said of the other known country positions, because the insistence on one’s own sovereign rights reigns, even if exercising them in the event of a concerted cyberattack is simply an illusion.
“Cyber intelligence on a voluntary basis”
“Even if national security falls under the sole responsibility of each member state”, strategic cooperation in the area of “intelligence” is indispensable within the framework of the joint strategy, according to the statement by the Council of Ministers adopted on Monday. The member states are therefore invited to contribute to the INTCEN working group through their competent authorities. It is about situation reports and threat analyzes, which national services for “intelligence reconnaissance” contribute which and how much information is not known. That seems to not be particularly satisfactory because the Council is also considering “exploring a proposal for the possible establishment of a working group of the member states on cyber intelligence.” All of this “on a voluntary basis and without exerting influence on the jurisdiction of the member states.”
That reads about as convincingly as the position of the Council on the security of encryption formulated under the German Council Presidency, which is now included as a mantra in every second Council resolution on security issues: “Security through encryption, security despite encryption.” Which translates to “End-to-end encryption, which is not end-to-end encryption ”.