The Committee on Security and Defense (SEDE)

The United States’ inability to detect and disrupt the interferences in the 2016 presidential election was a demonstration of how new information technologies might affect our decision-making. How should the EU and its Member States work against information warfare and ensure the stability of our democracy?

By  Iona Lindsay (UK), Thea Tjolle (UK) 

1. The topic at a glance 

With some proclaiming an “information world war”, the dangers of election hacking and cyber warfare are not confined to the Russian tampering of the US 2016 presidential election. European democracies, including the UK, the Netherlands and Italy have also been targets of cyber warfare originating from third party hackers. These threats come in a variety of forms, including cybersecurity breaches and digital tampering with the outcome of the vote and, most dangerously, disinformation campaigns. 

Furthermore, in this digital age, the EU is becoming ever more vulnerable to cyber attacks. The advancement of digital and audio technology makes it easier than ever to make fake news sources seem credible, and with many Member States investing in online voting platforms, the risk of election hacking is distinct. The EU has been highly criticised for their lack of effort to prevent information warfare, in particular with its inaction during the 2019 European Parliament elections. It is, therefore, imperative that the EU and its Member States now take serious action to defend themselves against information warfare to ensure the integrity of European democracies.

2. Key Actors and Stakeholders 

Social media platforms: Create an environment for fake news to spread exponentially. Many political/respected figures have a platform to spread fake news because of their social media following.

Local media platforms: there can be problems with media platforms being particularly biased. These have a strong effect on the way people vote and can often lead to increased polarisation.

The European Union Agency for Cybersecurity (ENISA): contributes majorly to EU cyber policy and improves the reliability of user products, services and processes with cybersecurity certification schemes. The agency also works effectively with Member States and EU bodies to help Europe prepare itself for future cyber challenges.

Member States: Member States have primary  responsibility for their own nation’s cyber-security.

The European Commission: Draws up proposals for new European legislation. In the past, it has proposed guidelines to help Member States, such as the Joint Communication on the new EU cybersecurity strategy in 2017.

3. Key Conflicts 

Democracies rely on open information that can be trusted and require robust mechanisms to ensure this credibility. However, information warfare attacks are a major threat to this ideal, now more than  ever as new technology allows the propagation to be wide spread, and happen both rapidly and cheaply. Attacks can occur in any number of ways, including the manipulation of voters through disinformation; the targeting and destruction of particular candidates; or the creation of inauthentic groups to create or worsen conflict. 

Cyber Attacks are very difficult to defend against. Attacks are difficult to predict, very tricky to trace and can come from every possible platform with past examples ranging from slipping into private communications (as China was discovered to have been doing with internal EU messages in December 2018), to funding fringe candidates. With attacks on all fronts, the EU has been forced to act responsively, meaning future problems cannot be planned for. 

Disinformation is widely propagated on social media sites. The algorithms used by these sites only exacerbate the problem by creating an “Echo Chamber” of disinformation as consumers are led to similar links. However, for the most part companies (including Facebook, Google and Twitter) have failed to take satisfactory remedial steps. Insufficient cooperation makes it difficult to monitor and, therefore, solve the issue of fake news on these sites. Moreover, tech companies are currently not legally liable for what occurs on their platforms. This makes it near impossible to hold sites propagating fake news accountable.

In addition, European Analysts are forbidden from calling out or debunking propaganda produced by European websites or media, a limitation that is intended to guard against creeping infringements on free speech. However, this allows foreign threats to use European websites and social media accounts to post propaganda and disinformation. This poses a serious challenge for regulating information warfare. 

Finally, since formal responsibilities in this field are shared between multiple authorities, meaningful results will only be achieved if all the relevant actors cooperate. However, such international co-operation is difficult to achieve due to tensions between nations. Countries are constantly accusing each other and working against, rather than with, each other.

4. What has been done so far? 

– To tackle disinformation, the EU set up ‘EU vs DisInfo and clarified a definition of disinformation so that fake news could be more easily classified. In 2019 Member States were asked to monitor disinformation and to share their findings with others through a ‘Rapid Alert System’: an early warning system which could warn countries about a potential wave of fake news. But most countries have failed to contribute and the network is now an unorganised archive of unanalysed information.

– To improve cybersecurity, the EU has implemented two major directives. The 2016 Network and Information Security directive was the first piece of EU legislation specifically aimed at improving cybersecurity throughout the EU and the Regulation on the statute and funding of European political parties was revised to increase the recognition, effectiveness, transparency and accountability of European political parties and European political foundations.

– In July 2020, the EU announced it was enforcing sanctions, including asset freezes and travel bans on hacker groups believed to be responsible for three major cybersecurity incidents that have affected European countries in the last 10 years. While it only covers activity in the EU,this being the first time the EU has issued sanctions for cyberattacks makes it  a great turning point for the EU.

A Code of Practice on Disinformation created by the EU has been signed by online platforms Facebook, Google, TikTok and Twitter, as well as by advertisers. The self-assessment reports from these companies indicate comprehensive efforts to implement  the Code’s commitments over the last 12 months. 

– France introduced a controversial law banning online fake news during election campaigns, giving judges the power to remove disinformation. Germany has introduced fines of up to €50M on social networks that host illegal content, including fake news and hate speech and Irish lawmakers introduced a bill to criminalise political adverts on Facebook and Twitter that contain intentionally false information.

5. Further links

Combating Disinformation and foreign interference in Democracies: Lessons from Europe (gives details of measures introduced by individual EU countries) 

EU Strategies to secure the EU cyber space and critical infrastructure against hackers- a speech by ENISA’s Executive Director 

Information Warfare: How the Russian’s interfered in the 2016 Election

Protecting Democracy in an Era of Cyber Information War

Securing free and fair European elections- A contribution from the European Commission