Sir Julian King, EU Commissioner for the Security Union
It is an honour and indeed a great pleasure for me to be at the MacGill Summer School once more. I don’t get enough opportunities to visit this loveliest part of the country and, as Paul Brady, a Tyrone man, often sings: there’s no place on earth like it.
I’m going to talk about the security threats that Europe faces and what we are doing to counter them. On Friday I was in Nice for the first anniversary of a terrorist attack in which 86 people were killed when a 19-tonne lorry was deliberately driven into crowds of people celebrating France’s national day. Ten of the victims were children.
Half of the people killed in that terrible attack were from 18 countries other than France – including Italy, Germany, Estonia, Poland, Romania and Belgium. An Irish and a British citizen were among the injured. Unfortunately since the Nice attack we have been reminded repeatedly that the security of one Member State is the security of all of us – with other attacks using the same modus operandi in Berlin, Stockholm and twice in London.
In fact the UK has recently endured four terror attacks in less than three months – the last perpetrated by a lone wolf from the far-right against Muslims ending their Ramadan prayers at Finsbury Park Mosque. One of the Borough Market attackers – Moroccan-born Rachid Redouane – was carrying an Irish identity card and had lived in Dublin for a period of time. On a positive note, Joanne Saunsbury, from Wexford, saved the life of a victim of the Westminster Bridge attack – thanks to her fast-thinking and first aid training she was able to give CPR to a man who had been driven over by the attacker Khalid Masood.
Another five terrorist plots have been foiled since March and 18 thwarted since 2013. And with another, fortunately failed, attack in Brussels it’s clear that the tempo of the threat is unprecedented. And we should always remember: Da’esh don’t discriminate between different Member States – the UK leaving the Union will make no difference to Da’esh’s murderous ambitions.
EU security chiefs are united in their warnings that there is more overseas influence from terrorist groups than ever before, using an internet which provides those who want to do us harm with an unprecedentedly powerful global recruiting platform.
A DIFFERENT KIND OF TERRORIST THREAT
The internet is the X Factor – the connecting tissue which explains the transformation of so many elements in our crowded and complex security landscape and which links all those who wish to do us harm, including terrorists, cross-border criminal enterprises and state and non-state actors. On how it has influenced the evolution of terrorism, let me give some context.
Last year there were 142 failed, foiled and completed terrorist attacks in the EU – the figure comes from Europol’s latest EU Terrorism Situation and Trend Report. But Europe has actually faced periods of more frequent terrorism. Between 1970 and 2015 more than ten thousand people were killed in more than 18 thousand attacks and the deadliest of those were in the 1970s and 80s. At its peak there were ten attacks a week across Europe.
What makes the current terrorist threat we are facing different is that it is global – linked to a transnational religious movement which, over a number of evolutions – from the Afghan rebels fighting the Soviets in Afghanistan through Al Qaida and to Da’esh, the so-called Islamic State of today – has broadened the battlefield to the extent that it can rely on a brand, a franchise and thousands of amateur wannabe terrorists. The puppet masters upload instructions to the internet to pick up a kitchen knife and get into a vehicle and suddenly terrorism is within the reach of anybody with a grudge, a violent temperament or in search of a cause to fill the existential void.
What is the outcome? While the absolute number of attacks is down, the lethality of terrorism has increased sharply in the last two years. Perhaps remarkably, between 1970 and 2014 there were no fatalities in more than half of terrorist attacks worldwide, but in 2015 the number of lethal attacks rose by eight per cent – and the number of people being killed in each attack is also increasing.
The spectacular attacks once practiced by Al Qaida – for example the Twin Towers – have been replaced by the medieval atrocities of Da’esh, beheading and burning to death victims, forcing children to carry out executions for the purposes of online propaganda.
WHAT ANTI-TERRORIST MEASURES ARE WE TAKING?
So let us be under no illusion – this generation of Jihadi terrorists seeks to destroy our values and our way of life. Given the indiscriminate and unpredictable pattern of attacks – the challenge for our open, liberal democracies is to successfully counter a threat of this order without jeopardising our own hard-won values and way of life – which is, after all what we are defending.
So what are we doing about it? We are squeezing the space in which terrorists – and the crime that supports them – operate. We have strengthened our ability to control our external borders, and to exchange information between our law enforcement and security agencies. Real progress is being made – from establishing the European Border and Coastguard Agency to revising the Schengen Border Code and to improving the effectiveness of our databases inside our borders.
We are making it harder for terrorists to travel, to train, to finance themselves and to acquire weapons and explosives through our new counter-terrorism Directive. Travel to and from combat zones, training for the purposes of fighting and the financing of such activities will now be criminalised across the EU. Some Member States already have such rules in place, but our collective security is only as strong as our weakest link, so it is essential that there are rules and standards in place in all EU countries – and that these are fully implemented.
And because beating the terrorists will take more than tightening our borders, improving our legal frameworks and databases, we are tackling the root causes of radicalisation through supporting civil society projects on the ground and working with grassroots organisations.
We are also working with Internet and communication service providers to identify pernicious propaganda, take it down and stop it spreading. The Internet is forcing us to change our security focus. In May Damon Smith was convicted at the Old Bailey of trying to explode a rucksack bomb on the London Underground. Smith built the device with shrapnel and a £2 clock from Tesco after Googling an al-Qaeda article on bomb making. He was still a teenager, evidently a troubled soul, at the time of his failed attack. But the consequences had his device exploded, are too horrific to contemplate. In fact we don’t have to imagine those consequences, because only a few weeks earlier a bomb on the St Petersburg metro killed 14 people.
In Smith’s case, even Da’esh did not have the temerity to claim him as one of their “soldiers” – and the police did not charge him under anti-terrorism offences because they said there was insufficient evidence of a political motive. But in every other aspect, this young man’s actions were in imitation of examples posted on the web, instruction manuals and twisted campaigns disseminated in the digital world.
THE INTERNET IS FERTILE TERRAIN
Terrorist groups such as Da’esh have devoted huge amounts of time and effort to churning out online material at an alarming rate.
This material includes threats and hate speech, training manuals, advice on how to obtain and import weapons, instructions on how make bombs and how to kill, and elaborate footage showing the most brutal and the most sickening torture and execution of their victims. Our youngest, most vulnerable citizens – particularly the disaffected or those who feel alienated – are susceptible to be tempted by such messages of violence.
Given that the Internet is such fertile terrain for radicalisation, we need the cooperation of social media and Internet providers to help to detect those being radicalised in their bedrooms.
We have set up the EU Internet Forum to ensure that illegal content, promoting Da’esh for example, is taken down by Internet companies. The Internet Referral Unit at Europol has referred tens of thousands of posts to Internet companies and enjoys a higher than 80% takedown rate.
Indeed, the growing success of this approach is such that there is now evidence that Da’esh is developing its own social media platform – its own part of the Internet to run its agenda.
THE CYBER THREAT
Which neatly brings me to a conclusion – namely that the new common thread between all of the security threats we face is cyber. If it were not for the shocking immediacy of each and every terrorist attack visited upon us – and the increasing tempo of these attacks – I would confidently assert that cyber threats are the greatest danger that we face today. Technology is having a fundamental and lasting impact on the way that those who wish to do us harm operates.
Cyber threats have grown in importance in two ways. Firstly, by becoming strategic because they endanger our critical infrastructure and democratic processes. Secondly, by becoming endemic as the threats permeate and spread from IT networks into vital operations of other business sectors.
Criminal business models are changing dramatically. In a recent article in the Financial Times, I wrote about how striking it is that bank robbery has become such an un-kinetic activity. When I was growing up this was an activity involving ‘blaggers’ with stockings on their heads brandishing sawn-off shotguns. This seems to have become a faded vocation. Nowadays, as the FBI puts it, crooks are more often ‘sitting at home in their pyjamas, robbing banks online’. Indeed, in Italy physical bank robberies were down 90% last year while the level of financial loss suffered by the banks remained constant.
It is an obvious truth that while there remains little or no chance of getting caught, cybercrime will remain a very attractive option for criminals of every description. Our democratic institutions and large-scale infrastructures are also the target of shadowy forces.
36 hours before the French Presidential elections the political party and campaign nerve centre of the eventual winner, Emmanuel Macron – President Macron – was hit by a massive and coordinated hacking attack. The clear intention was to influence the outcome of the ballot. It failed – and in no small part due to the fact that President Macron’s team was ready and prepared. In fact, they fought back. I am not in the business of attribution – but I do listen to what the intelligence services of our Member States are saying. And I’m also aware of the constant attacks made against the European Commission – including a massive and coordinated attack made in three waves over two days last year, which our IT services successfully repelled.
We’ve seen the threat from state and non-state actors evolve from a situation a decade ago where cyber-attacks were used as a form of punishment – against Estonia in 2007 for moving a statue – through cyber as a non-military means of achieving a military objective – the 2010 Stuxnet attack on the Iranian nuclear enrichment programme – to one where they are used in Death Star-style demonstrations of power – the 2016 closing down of Ukraine’s power grid.
So the hackers may have failed with their French adventure but they haven’t gone away. With further elections in Europe this year, this is perhaps the most challenging of all the cyber threats we face – the ability and intent to disrupt and undermine our hard-won democracy. We need to be ready.
The Cybersecurity Strategy for the European Union was adopted in early 2013. Since then, I am sure that many of you in this audience have replaced the smartphone in your pocket at least once. In technological terms, 4 years is a lifetime ago. Certainly the cyber threat we face has changed significantly since then.
True cybersecurity is not just the work of governments; it has to involve everybody, from the Member State authority to the internet operators, from the retailers to the consumers; we need to look at our cyber resilience and bridge the cyber skills and habits gap.
A big first step would be if we all practiced good cyber-hygiene by regularly updating our passwords. The days of skating by on “1234” and “password” are well and truly over. We have to change our behaviour. It is an often quoted – and therefore widely ignored – statistic that 80% of cyberattacks can be defeated by 20 simple actions.
We also need to develop a common understanding of what a minimum level of cybersecurity looks like: one aspect of that is overcoming fragmentation and poor security provisions for connected devices. There is a need to move to a ‘security by design approach’ for products and systems, to ensure that they are secure and privacy-aware from the research and development stage to final manufacturing.
I doubt that I would get out of this room alive if I didn’t mention the elephant. As a former UK ambassador to Ireland and a Director General of the Northern Ireland Office, I am acutely conscious of the role played by the European Union in the Peace Process and its continuing importance. I can only echo what Michel Barnier said when he addressed the Oreachtas recently about his approach to the Brexit negotiations: nothing should put peace at risk. I strongly agree with him.
In terms of the wider negotiations that are only just starting, I hope that the closest cooperation on security will continue in the future because when we stand together against these shared threats, we are better equipped to resist and defeat them.