Connect with us

Intelligence

Big data and the Future of Democracy: The Matrix world behind the Brexit and the US Elections

Published

on

Authors: Hannes Grassegger and Mikael Krogerus

Aegean theater of the Antique Greece was the place of astonishing revelations and intellectual excellence – a remarkable density and proximity, not surpassed up to our age. All we know about science, philosophy, sports, arts, culture and entertainment, stars and earth has been postulated, explored and examined then and there.

Simply, it was a time and place of triumph of human consciousness, pure reasoning and sparkling thought. However, neither Euclid, Anaximander, Heraclites, Hippocrates (both of Chios, and of Cos), Socrates, Archimedes, Ptolemy, Democritus, Plato, Pythagoras, Diogenes, Aristotle, Empedocles, Conon, Eratosthenes nor any of dozens of other brilliant ancient Greek minds did ever refer by a word, by a single sentence to something which was their everyday life, something they saw literally on every corner along their entire lives. It was an immoral, unjust, notoriously brutal and oppressive slavery system that powered the Antique state. (Slaves have not been even attributed as humans, but rather as the ‘phonic tools/tools able to speak’.) This myopia, this absence of critical reference on the obvious and omnipresent is a historic message – highly disturbing, self-telling and quite a warning.” – notes prof. Anis H. Bajrektarevic in his luminary book of 2013, ‘Is there like after Facebook? – Geopolitics of Technology’.

Indeed, why do we constantly ignore massive and sustain harvesting of our personal data from the social networks, medical records, pay-cards, internet and smart phones as well as its commercialization and monetization for dubious ends and disturbing futures.

Professor Bajrektarevic predicts and warns: “If humans hardly ever question fetishisation of their own McFB way of life, or oppose the (self-) trivialization, why then is the subsequent brutalization a surprise to them?”

Thus, should we be really surprise with the Brexit vote, with the results of the US elections, and with the forcoming massive wins of the right-wing parties all over Europe? Putin is behind it !! – how easy, and how misleading a self-denial.

Here is a story based on facts, if we are only interested to really grasp the Matrix world. The Iron Cage we constructed ourselves.

On November 9 at around 8.30 AM., Michal Kosinski woke up in the Hotel Sunnehus in Zurich. The 34-year-old researcher had come to give a lecture at the Swiss Federal Institute of Technology (ETH) about the dangers of Big Data and the digital revolution. Kosinski gives regular lectures on this topic all over the world. He is a leading expert in psychometrics, a data-driven sub-branch of psychology. When he turned on the TV that morning, he saw that the bombshell had exploded: contrary to forecasts by all leading statisticians, Donald J. Trump had been elected president of the United States.

For a long time, Kosinski watched the Trump victory celebrations and the results coming in from each state. He had a hunch that the outcome of the election might have something to do with his research. Finally, he took a deep breath and turned off the TV.

On the same day, a then little-known British company based in London sent out a press release: “We are thrilled that our revolutionary approach to data-driven communication has played such an integral part in President-elect Trump’s extraordinary win,” Alexander James Ashburner Nix was quoted as saying. Nix is British, 41 years old, and CEO of Cambridge Analytica. He is always immaculately turned out in tailor-made suits and designer glasses, with his wavy blonde hair combed back from his forehead. His company wasn’t just integral to Trump’s online campaign, but to the UK’s Brexit campaign as well.

Of these three players—reflective Kosinski, carefully groomed Nix and grinning Trump—one of them enabled the digital revolution, one of them executed it and one of them benefited from it.

How dangerous is big data?

Anyone who has not spent the last five years living on another planet will be familiar with the term Big Data. Big Data means, in essence, that everything we do, both on and offline, leaves digital traces. Every purchase we make with our cards, every search we type into Google, every movement we make when our mobile phone is in our pocket, every “like” is stored. Especially every “like.” For a long time, it was not entirely clear what use this data could have—except, perhaps, that we might find ads for high blood pressure remedies just after we’ve Googled “reduce blood pressure.”

On November 9, it became clear that maybe much more is possible. The company behind Trump’s online campaign—the same company that had worked for Leave.EU in the very early stages of its “Brexit” campaign—was a Big Data company: Cambridge Analytica.

To understand the outcome of the election—and how political communication might work in the future—we need to begin with a strange incident at Cambridge University in 2014, at Kosinski’s Psychometrics Center.

Psychometrics, sometimes also called psychographics, focuses on measuring psychological traits, such as personality. In the 1980s, two teams of psychologists developed a model that sought to assess human beings based on five personality traits, known as the “Big Five.” These are: openness (how open you are to new experiences?), conscientiousness (how much of a perfectionist are you?), extroversion (how sociable are you?), agreeableness (how considerate and cooperative you are?) and neuroticism (are you easily upset?). Based on these dimensions—they are also known as OCEAN, an acronym for openness, conscientiousness, extroversion, agreeableness, neuroticism—we can make a relatively accurate assessment of the kind of person in front of us. This includes their needs and fears, and how they are likely to behave. The “Big Five” has become the standard technique of psychometrics. But for a long time, the problem with this approach was data collection, because it involved filling out a complicated, highly personal questionnaire. Then came the Internet. And Facebook. And Kosinski.

Michal Kosinski was a student in Warsaw when his life took a new direction in 2008. He was accepted by Cambridge University to do his PhD at the Psychometrics Centre, one of the oldest institutions of this kind worldwide. Kosinski joined fellow student David Stillwell (now a lecturer at Judge Business School at the University of Cambridge) about a year after Stillwell had launched a little Facebook application in the days when the platform had not yet become the behemoth it is today. Their MyPersonality app enabled users to fill out different psychometric questionnaires, including a handful of psychological questions from the Big Five personality questionnaire (“I panic easily,” “I contradict others”). Based on the evaluation, users received a “personality profile”—individual Big Five values—and could opt-in to share their Facebook profile data with the researchers.

Kosinski had expected a few dozen college friends to fill in the questionnaire, but before long, hundreds, thousands, then millions of people had revealed their innermost convictions. Suddenly, the two doctoral candidates owned the largest dataset combining psychometric scores with Facebook profiles ever to be collected.

The approach that Kosinski and his colleagues developed over the next few years was actually quite simple. First, they provided test subjects with a questionnaire in the form of an online quiz. From their responses, the psychologists calculated the personal Big Five values of respondents. Kosinski’s team then compared the results with all sorts of other online data from the subjects: what they “liked,” shared or posted on Facebook, or what gender, age, place of residence they specified, for example. This enabled the researchers to connect the dots and make correlations.

Remarkably reliable deductions could be drawn from simple online actions. For example, men who “liked” the cosmetics brand MAC were slightly more likely to be gay; one of the best indicators for heterosexuality was “liking” Wu-Tang Clan. Followers of Lady Gaga were most probably extroverts, while those who “liked” philosophy tended to be introverts. While each piece of such information is too weak to produce a reliable prediction, when tens, hundreds, or thousands of individual data points are combined, the resulting predictions become really accurate.

Kosinski and his team tirelessly refined their models. In 2012, Kosinski proved that on the basis of an average of 68 Facebook “likes” by a user, it was possible to predict their skin color (with 95 percent accuracy), their sexual orientation (88 percent accuracy), and their affiliation to the Democratic or Republican party (85 percent). But it didn’t stop there. Intelligence, religious affiliation, as well as alcohol, cigarette and drug use, could all be determined. From the data it was even possible to deduce whether someone’s parents were divorced.

The strength of their modeling was illustrated by how well it could predict a subject’s answers. Kosinski continued to work on the models incessantly: before long, he was able to evaluate a person better than the average work colleague, merely on the basis of ten Facebook “likes.” Seventy “likes” were enough to outdo what a person’s friends knew, 150 what their parents knew, and 300 “likes” what their partner knew. More “likes” could even surpass what a person thought they knew about themselves. On the day that Kosinski published these findings, he received two phone calls. The threat of a lawsuit and a job offer. Both from Facebook.

Only weeks later Facebook “likes” became private by default. Before that, the default setting was that anyone on the internet could see your “likes.” But this was no obstacle to data collectors: while Kosinski always asked for the consent of Facebook users, many apps and online quizzes today require access to private data as a precondition for taking personality tests. (Anybody who wants to evaluate themselves based on their Facebook “likes” can do so on Kosinski’s website, and then compare their results to those of a classic Ocean questionnaire, like that of the Cambridge Psychometrics Center.)

But it was not just about “likes” or even Facebook: Kosinski and his team could now ascribe Big Five values based purely on how many profile pictures a person has on Facebook, or how many contacts they have (a good indicator of extraversion). But we also reveal something about ourselves even when we’re not online. For example, the motion sensor on our phone reveals how quickly we move and how far we travel (this correlates with emotional instability). Our smartphone, Kosinski concluded, is a vast psychological questionnaire that we are constantly filling out, both consciously and unconsciously.

Above all, however—and this is key—it also works in reverse: not only can psychological profiles be created from your data, but your data can also be used the other way round to search for specific profiles: all anxious fathers, all angry introverts, for example—or maybe even all undecided Democrats? Essentially, what Kosinski had invented was sort of a people search engine. He started to recognize the potential—but also the inherent danger—of his work.

To him, the internet was a gift from heaven. What he really wanted was to give something back, to share. Data can be copied, so why shouldn’t everyone benefit from it? It was the spirit of Millenials, entire new generation, the beginning of a new era that transcended the limitations of the physical world. But what would happen, wondered Kosinski, if someone abused his people search engine to manipulate people? He began to add warnings to most of his scientific work. His approach, he warned, “could pose a threat to an individual’s well-being, freedom, or even life.” But no one seemed to grasp what he meant.

Around this time, in early 2014, Kosinski was approached by a young assistant professor in the psychology department called Aleksandr Kogan. He said he was inquiring on behalf of a company that was interested in Kosinski’s method, and wanted to access the MyPersonality database. Kogan wasn’t at liberty to reveal for what purpose; he was bound to secrecy.

At first, Kosinski and his team considered this offer, as it would mean a great deal of money for the institute, but then he hesitated. Finally, Kosinski remembers, Kogan revealed the name of the company: SCL, or Strategic Communication Laboratories. Kosinski Googled the company: “[We are] the premier election management agency,” says the company’s website. SCL provides marketing based on psychological modeling. One of its core focuses: Influencing elections. Influencing elections? Perturbed, Kosinski clicked through the pages. What kind of company was this? And what were these people planning?

What Kosinski did not know at the time: SCL is the parent of a group of companies. Who exactly owns SCL and its diverse branches is unclear, thanks to a convoluted corporate structure, the type seen in the UK Companies House, the Panama Papers, and the Delaware company registry. Some of the SCL offshoots have been involved in elections from Ukraine to Nigeria, helped the Nepalese monarch against the Maoists, whereas others have developed methods to influence Eastern Euripean and Afghan citizens for NATO. And, in 2013, SCL spun off a new company to participate in US elections: Cambridge Analytica.

Kosinski knew nothing about all this, but he had a bad feeling. “The whole thing started to stink,” he recalls. On further investigation, he discovered that Aleksandr Kogan had secretly registered a company doing business with SCL. According to a December 2015 report in the Guardian and to internal company documents given to Das Magazin, it emerges that SCL learned about Kosinski’s method from Kogan.

Kosinski came to suspect that Kogan’s company might have reproduced the Facebook “Likes”-based Big Five measurement tool in order to sell it to this election-influencing firm. He immediately broke off contact with Kogan and informed the director of the institute, sparking a complicated conflict within the university. The institute was worried about its reputation. Aleksandr Kogan then moved to Singapore, married, and changed his name to Dr. Spectre. Michal Kosinski finished his PhD, got a job offer from Stanford and moved to the US.

Mr. Brexit

All was quiet for about a year. Then, in November 2015, the more radical of the two Brexit campaigns, “Leave.EU,” supported by Nigel Farage, announced that it had commissioned a Big Data company to support its online campaign: Cambridge Analytica. The company’s core strength: innovative political marketing—microtargeting—by measuring people’s personality from their digital footprints, based on the OCEAN model.

Now Kosinski received emails asking what he had to do with it—the words Cambridge, personality, and analytics immediately made many people think of Kosinski. It was the first time he had heard of the company, which borrowed its name, it said, from its first employees, researchers from the university. Horrified, he looked at the website. Was his methodology being used on a grand scale for political purposes?

After the Brexit result, friends and acquaintances wrote to him: Just look at what you’ve done. Everywhere he went, Kosinski had to explain that he had nothing to do with this company. (It remains unclear how deeply Cambridge Analytica was involved in the Brexit campaign. Cambridge Analytica would not discuss such questions.)

For a few months, things are relatively quiet. Then, on September 19, 2016, just over a month before the US elections, the guitar riffs of Creedence Clearwater Revival’s “Bad Moon Rising” fill the dark-blue hall of New York’s Grand Hyatt hotel. The Concordia Summit is a kind of World Economic Forum in miniature. Decision-makers from all over the world have been invited, among them Swiss President Johann Schneider-Ammann. “Please welcome to the stage Alexander Nix, chief executive officer of Cambridge Analytica,” a smooth female voice announces. A slim man in a dark suit walks onto the stage. A hush falls. Many in attendance know that this is Trump’s new digital strategy man. (A video of the presentation was posted on YouTube.)

A few weeks earlier, Trump had tweeted, somewhat cryptically, “Soon you’ll be calling me Mr. Brexit.” Political observers had indeed noticed some striking similarities between Trump’s agenda and that of the right-wing Brexit movement. But few had noticed the connection with Trump’s recent hiring of a marketing company named Cambridge Analytica.

Up to this point, Trump’s digital campaign had consisted of more or less one person: Brad Parscale, a marketing entrepreneur and failed start-up founder who created a rudimentary website for Trump for $1,500. The 70-year-old Trump is not digitally savvy—there isn’t even a computer on his office desk. Trump doesn’t do emails, his personal assistant once revealed. She herself talked him into having a smartphone, from which he now tweets incessantly.

Hillary Clinton, on the other hand, relied heavily on the legacy of the first “social-media president,” Barack Obama. She had the address lists of the Democratic Party, worked with cutting-edge big data analysts from BlueLabs and received support from Google and DreamWorks. When it was announced in June 2016 that Trump had hired Cambridge Analytica, the establishment in Washington just turned up their noses. Foreign dudes in tailor-made suits who don’t understand the country and its people? Seriously?

“It is my privilege to speak to you today about the power of Big Data and psychographics in the electoral process.” The logo of Cambridge Analytica— a brain composed of network nodes, like a map, appears behind Alexander Nix. “Only 18 months ago, Senator Cruz was one of the less popular candidates,” explains the blonde man in a cut-glass British accent, which puts Americans on edge the same way that a standard German accent can unsettle Swiss people. “Less than 40 percent of the population had heard of him,” another slide says. Cambridge Analytica had become involved in the US election campaign almost two years earlier, initially as a consultant for Republicans Ben Carson and Ted Cruz. Cruz—and later Trump—was funded primarily by the secretive US software billionaire Robert Mercer who, along with his daughter Rebekah, is reported to be the largest investor in Cambridge Analytica.

“So how did he do this?” Up to now, explains Nix, election campaigns have been organized based on demographic concepts. “A really ridiculous idea. The idea that all women should receive the same message because of their gender—or all African Americans because of their race.” What Nix meant is that while other campaigners so far have relied on demographics, Cambridge Analytica was using psychometrics.

Though this might be true, Cambridge Analytica’s role within Cruz’s campaign isn’t undisputed. In December 2015 the Cruz team credited their rising success to psychological use of data and analytics. In Advertising Age, a political client said the embedded Cambridge staff was “like an extra wheel,” but found their core product, Cambridge’s voter data modeling, still “excellent.” The campaign would pay the company at least $5.8 million to help identify voters in the Iowa caucuses, which Cruz won, before dropping out of the race in May.

Nix clicks to the next slide: five different faces, each face corresponding to a personality profile. It is the Big Five or OCEAN Model. “At Cambridge,” he said, “we were able to form a model to predict the personality of every single adult in the United States of America.” The hall is captivated. According to Nix, the success of Cambridge Analytica’s marketing is based on a combination of three elements: behavioral science using the OCEAN Model, Big Data analysis, and ad targeting. Ad targeting is personalized advertising, aligned as accurately as possible to the personality of an individual consumer.

Nix candidly explains how his company does this. First, Cambridge Analytica buys personal data from a range of different sources, like land registries, automotive data, shopping data, bonus cards, club memberships, what magazines you read, what churches you attend. Nix displays the logos of globally active data brokers like Acxiom and Experian—in the US, almost all personal data is for sale. For example, if you want to know where Jewish women live, you can simply buy this information, phone numbers included.

Now Cambridge Analytica aggregates this data with the electoral rolls of the Republican party and online data and calculates a Big Five personality profile. Digital footprints suddenly become real people with fears, needs, interests, and residential addresses.

The methodology looks quite similar to the one that Michal Kosinski once developed. Cambridge Analytica also uses, Nix told us, “surveys on social media” and Facebook data. And the company does exactly what Kosinski warned of: “We have profiled the personality of every adult in the United States of America—220 million people,” Nix boasts.

He opens the screenshot. “This is a data dashboard that we prepared for the Cruz campaign.” A digital control center appears. On the left are diagrams; on the right, a map of Iowa, where Cruz won a surprisingly large number of votes in the primary. And on the map, there are hundreds of thousands of small red and blue dots. Nix narrows down the criteria: “Republicans”—the blue dots disappear; “not yet convinced”—more dots disappear; “male”, and so on. Finally, only one name remains, including age, address, interests, personality and political inclination. How does Cambridge Analytica now target this person with an appropriate political message?

Nix shows how psychographically categorized voters can be differently addressed, based on the example of gun rights, the 2nd Amendment: “For a highly neurotic and conscientious audience the threat of a burglary—and the insurance policy of a gun.” An image on the left shows the hand of an intruder smashing a window. The right side shows a man and a child standing in a field at sunset, both holding guns, clearly shooting ducks: “Conversely, for a closed and agreeable audience. People who care about tradition, and habits, and family.”

How to keep Clinton voters away from the ballot box

Trump’s striking inconsistencies, his much-criticized fickleness, and the resulting array of contradictory messages, suddenly turned out to be his great asset: a different message for every voter. The notion that Trump acted like a perfectly opportunistic algorithm following audience reactions is something the mathematician Cathy O’Neil observed in August 2016.

“Pretty much every message that Trump put out was data-driven,” Alexander Nix remembers. On the day of the third presidential debate between Trump and Clinton, Trump’s team tested 175,000 different ad variations for his arguments, in order to find the right versions above all via Facebook. The messages differed for the most part only in microscopic details, in order to target the recipients in the optimal psychological way: different headings, colors, captions, with a photo or video. This fine-tuning reaches all the way down to the smallest groups, Nix explained in an interview with us. “We can address villages or apartment blocks in a targeted way. Even individuals.”

In the Miami district of Little Haiti, for instance, Trump’s campaign provided inhabitants with news about the failure of the Clinton Foundation following the earthquake in Haiti, in order to keep them from voting for Hillary Clinton. This was one of the goals: to keep potential Clinton voters (which include wavering left-wingers, African-Americans, and young women) away from the ballot box, to “suppress” their vote, as one senior campaign official told Bloomberg in the weeks before the election. These “dark posts”—sponsored news-feed-style ads in Facebook timelines that can only be seen by users with specific profiles—included videos aimed at African-Americans in which Hillary Clinton refers to black men as predators, for example.

Nix finishes his lecture at the Concordia Summit by stating that traditional blanket advertising is dead. “My children will certainly never, ever understand this concept of mass communication.” And before leaving the stage, he announced that since Cruz had left the race, the company was helping one of the remaining presidential candidates.

Just how precisely the American population was being targeted by Trump’s digital troops at that moment was not visible, because they attacked less on mainstream TV and more with personalized messages on social media or digital TV. And while the Clinton team thought it was in the lead, based on demographic projections, Bloomberg journalist Sasha Issenberg was surprised to note on a visit to San Antonio—where Trump’s digital campaign was based—that a “second headquarters” was being created. The embedded Cambridge Analytica team, apparently only a dozen people, received $100,000 from Trump in July, $250,000 in August, and $5 million in September. According to Nix, the company earned over $15 million overall. (The company is incorporated in the US, where laws regarding the release of personal data are more lax than in European Union countries. Whereas European privacy laws require a person to “opt in” to a release of data, those in the US permit data to be released unless a user “opts out.”)

The measures were radical: From July 2016, Trump’s canvassers were provided with an app with which they could identify the political views and personality types of the inhabitants of a house. It was the same app provider used by Brexit campaigners. Trump’s people only rang at the doors of houses that the app rated as receptive to his messages. The canvassers came prepared with guidelines for conversations tailored to the personality type of the resident. In turn, the canvassers fed the reactions into the app, and the new data flowed back to the dashboards of the Trump campaign.

Again, this is nothing new. The Democrats did similar things, but there is no evidence that they relied on psychometric profiling. Cambridge Analytica, however, divided the US population into 32 personality types, and focused on just 17 states. And just as Kosinski had established that men who like MAC cosmetics are slightly more likely to be gay, the company discovered that a preference for cars made in the US was a great indication of a potential Trump voter. Among other things, these findings now showed Trump which messages worked best and where. The decision to focus on Michigan and Wisconsin in the final weeks of the campaign was made on the basis of data analysis. The candidate became the instrument for implementing a big data model.

What’s Next?

But to what extent did psychometric methods influence the outcome of the election? When asked, Cambridge Analytica was unwilling to provide any proof of the effectiveness of its campaign. And it is quite possible that the question is impossible to answer.

And yet there are clues: There is the fact of the surprising rise of Ted Cruz during the primaries. Also there was an increased number of voters in rural areas. There was the decline in the number of African-American early votes. The fact that Trump spent so little money may also be explained by the effectiveness of personality-based advertising. As does the fact that he invested far more in digital than TV campaigning compared to Hillary Clinton. Facebook proved to be the ultimate weapon and the best election campaigner, as Nix explained, and as comments by several core Trump campaigners demonstrate.

Many voices have claimed that the statisticians lost the election because their predictions were so off the mark. But what if statisticians in fact helped win the election—but only those who were using the new method? It is an irony of history that Trump, who often grumbled about scientific research, used a highly scientific approach in his campaign.

Another big winner is Cambridge Analytica. Its board member Steve Bannon, former executive chair of the right-wing online newspaper Breitbart News, has been appointed as Donald Trump’s senior counselor and chief strategist. Whilst Cambridge Analytica is not willing to comment on alleged ongoing talks with UK Prime Minister Theresa May, Alexander Nix claims that he is building up his client base worldwide, and that he has received inquiries from Switzerland, Germany, and Australia. His company is currently touring European conferences showcasing their success in the United States. This year three core countries of the EU are facing elections with resurgent populist parties: France, Holland and Germany. The electoral successes come at an opportune time, as the company is readying for a push into commercial advertising.

********

Kosinski has observed all of this from his office at Stanford. Following the US election, the university is in turmoil. Kosinski is responding to developments with the sharpest weapon available to a researcher: a scientific analysis. Together with his research colleague Sandra Matz, he has conducted a series of tests, which will soon be published. The initial results are alarming: The study shows the effectiveness of personality targeting by showing that marketers can attract up to 63 percent more clicks and up to 1,400 more conversions in real-life advertising campaigns on Facebook when matching products and marketing messages to consumers’ personality characteristics. They further demonstrate the scalability of personality targeting by showing that the majority of Facebook Pages promoting products or brands are affected by personality and that large numbers of consumers can be accurately targeted based on a single Facebook Page.

In a statement after the German publication of this article, a Cambridge Analytica spokesperson said, “Cambridge Analytica does not use data from Facebook. It has had no dealings with Dr. Michal Kosinski. It does not subcontract research. It does not use the same methodology. Psychographics was hardly used at all. Cambridge Analytica did not engage in efforts to discourage any Americans from casting their vote in the presidential election. Its efforts were solely directed towards increasing the number of voters in the election.”

The world has been turned upside down. Great Britain is leaving the EU, Donald Trump is president of the United States of America. And in Stanford, Kosinski, who wanted to warn against the danger of using psychological targeting in a political setting, is once again receiving accusatory emails. “No,” says Kosinski, quietly and shaking his head. “This is not my fault. I did not build the bomb. I only showed that it exists.”


KrogerusAbout authors:
Hannes Grassegger and Mikael Krogerus are investigative journalists attached to the Swiss-based Das Magazin specialized journal.  The original text appeared in the late December edition under the title: “I only showed that the bomb exists” (Ich habe nur gezeigt, dass es die Bombe gibt). This, English translation, is based on the subsequent January version, first published by the Motherboard magazine (titled: The Data That Turned the World Upside

Continue Reading
Comments

Intelligence

National Security of PakistanPost 9/11: A Critical Review

Published

on

Pakistan’s troublesome decades preceding the millennium mark all boiled down to significant events of the morning of September 11, 2001, coupled with its prevailing traditional animosity on its eastern borders. The years following 9/11 all put Pakistan’s security apparatus in an unprecedented situation unlike any faced before, especially on the internal security domain with the external security paradigm remaining unchanged. The blowback of the Afghan crisis (from the 1980s-1990s) had poised itself to strike following Pakistan’s alignment towards its American ally. This new myriad of security issues ignited a destructive trial and error process for the Pakistani state, dealing with challenges unknown to it, and through that trial and error process emerged solutions: both material and ideational. The first 8 years of the millennium can easily be described as a roller coaster: starting from military rule and ending with a shift towards democratic civilian rule and filled with internal power play of politics, starting with the after-effects of the turmoil of Kargiland ending with the ill-fated Mumbai attacks along with encompassing the 2002 Military standoff which put South Asia on the brink of all-out war and lastly starting with the ill-fated menace of the 9/11 after impacts seeing no end in the 8 years.

Identifying National Security Threats & Issues

Foreign Interests:one of the core threats to Pakistan’s national security emanate from the interests and actions of foreign powers, precisely the United States. The United States initiated war on terrorism starting from 2001 in Afghanistan had compelled Pakistan to be an ally. An as an ally, Pakistan had to face the brunt of war more than the American as Pakistan shares a physical border with Afghanistan and cannot escape from the ripple effects of conflict in Afghanistan.

Lack of Direction on the PoliticalLevel: The top echelons of the Pakistani state to date have not defined any or laid out a policy for National Security or National Defense policy. The lack of such a policy framework on defense and security issues starts of a domino leaving the “purpose for war” undefined. The lack of broader political end made this whole war a seemingly futile effort as the national security issues remained unaddressed.

Religious Extremism: Pakistan’s toughest domestic national security threat at that time was the religious extremism. Pakistan had faced severe challenges from extremism in the early 2000s. Extremism is the fringe element to hijack our noble faith, steal the Quaid’s vision, jeopardize our economic well-being, undermine our moderate outlook, and hurt our international standing. He regarded this fight against extremism and terrorism as a battle for the very soul of Pakistan.Mushrooming of Madrasas in the 1970s and 80s was the tactic used to increase the morale of fighters against the Soviets. This cause is still preliminary in the Madrasas to promote religious extremism.

Baluchistan Insurgency under the Musharraf government had been again the major threat to the national security of Pakistan. The Baloch people have always shown antagonism to the military ruler because of their confrontation with the Bloch people in the previous insurgencies and that’s why the uprising in Baluchistan took more strength after a few years of Musharrafgovernment. The events that triggered the violence in the province include the murder of Nawaz Akbar Bugtiand the enforced disappearance and extrajudicial killing of Bloch people. The volcano of Baloch eager erupted after the death of Nawab Akbar Bugti and an organized rebellion started.Baluchistan Liberation Army was the deadliest liberation party in the province. They have done many violent actions in the province such as rocket attacks, suicide missions, spreading rumors, create uncertainty, in the minds of people, terrorize people, hit electricity pylons, blow up gas pipelines, etc.   

Another issue regarding the Balochistan insurgency was the division of Balochistan between ‘A’ areas and ‘B’ areas. B areas were considered to be the areas where police had no jurisdiction and had given no right to police to investigate and interrogate any immoral activity in the ‘B’ region. Only 5% of Balochistan was an ‘A’ area and the rest 95% was a ‘B’ area. This ‘B’ area was the hub of all insurgents and liberation parties.

Another important national security issue was the lack of police reform to fight effectively against the threats of different nature that emerged after 9/11. Former IG Sindh ShoaibSuddle asserted in an interview, that there must be a reform in the police department so that it become adaptive and agile to the emerging threats.

Means and Methods Adopted For Dealing with National Security Threats

Counter-Terrorism Department

Punjab Police in the early 2000s had taken an initiative to counter the terrorist threats i.e. formation of a new department called Counter-Terrorism Department (CTD). Its motto is “To fight terrorism in all its manifestations” CTD registers and investigates all terrorism-related cases at the newly established CTD Police Stations. The creation of Counter-Terrorism Force (CTF) within CTD was another landmark initiative. Highly educated corporals (1200 in number) had been inducted and given the most modern training with the collaboration of the armed forces and friendly countries. These corporals had been deployed all over the Province to perform their mandated tasks. State of the art gadgetry and equipment have been provided to CTD and its infrastructure is being improved.CTD has varied functions which include Collection, collation, and dissemination of information regarding terrorism, violent extremism, Detection, and investigation of offenses of terrorism and terrorism financing under the Anti-Terrorism Act 1997.

Police Order 2002

Another method government of Pakistan had taken to cope up with national security issues was the police order 2002. The police Order 2002 was promulgated on 14 of August 2002 as Chief Executive’s Order No. 22 of 2002 and it replaced the police Act of 1861 (Vof 1861). It contained 19 chapters, 188 articles, and 4 schedules. Its primaryobjective was to reform the police in such a way that it could “functionaccording to the Constitution, law, and democratic aspirations of the peopleof Pakistan”

Forensic & IT Support

This was the decision taken by the government to provide forensic and IT support. In doing so, the Government hired different IT experts to sort the computer technology challenges and related cases. On the other hand, the government hired different staff and scientists for forensic matters. 

Conversion of ‘B’ Areas into ‘A’ Areas

To eliminate the terrorists and insurgent threats, the government of Pakistan had converted all the Balochistan area into the ‘A’ areas. And then the police department had jurisdiction overthe whole of Balochistan.

Counter Insurgency Operation

In the timeline of 2000-2008, the government of Pakistan had decided to carry out full-fledged military operations against the terrorist and insurgents sentiments. First Battle of Swat; Operation Rah-e-Haque was the first suchoperation carried out. It was the battle fought between October 2007 and December 2007.

Strategy to Eradicate Extremism

To combat extremism, Khalid Kasuri asserted that we are pursuing a multi-pronged strategy with military, political,and economic tracks. The strategy hinges on rejection of violence, enforcement of therule of law, broadening of political participation, spread of education, and expansion ofeconomic opportunities. An elaborate FATA Development plan for the Tribal areas ofPakistan has been designed, including initiatives like Reconstruction Opportunity Zones(ROZs). The effort is to wean vulnerable people away from the appeal of extremism.

Decision Making Process and National Security Interests/Objectives

The key decision-makers were as follows, in order of importance regarding decision-making powers

Pervez Musharraf: who was at the time President and Army Chief was the key decision-maker regarding issues overall and national security.

Corps Commanders Conference: the meeting of top leadership of the Pakistan Army.

National Security Council: Meeting of the top leadership consisting of government institutions and military. Includes the Prime Minister/ service chiefs and ministers.

It is important to notice that during the timeline of 2000-2008, the importance of the Corp Commander Conference outweighed National Security Council in decision making, even though the latter consisted of senior officials. Moreover, the decision-making process by military command pursued a narrow tunnel vision approach towards the national security issues. This happened due to the lack of trust in civilian authorities by military officials.

Conclusion

The first eight years demonstrate a disparity amongst the top grand strategic level and the operational and tactical levels. The security apparatus of the country has adopted to deal with the changing nature of threats but the lack of consensus and political will prevent to see through that the kinetic/operational success combine to form an overall strategic victory. To cultivate success on the national level, the top echelons of leadership need to demonstrate sincerity in dealing with issues otherwise all the costs paid in securing and defending the country will all have gone in vain. 

Continue Reading

Intelligence

The Nature of Islamist Violence in France

Published

on

France faces a persistent jihadist threat, and all indications suggest the violence afflicting the country will continue. France has been targeted for upwards of three decades, but the frequency of attacks has increased quite dramatically over the past ten years or so. There are several reasons why it is distinctly fertile territory for jihadist activity and why militants have declared France an enemy and priority Western target. France is a European hub of jihadism and has been hit particularly hard in recent years. It has the largest Islamic population in Western Europe and, recognizing this, militant organizations devote time, effort, and resources to media production aimed at existing supporters and potentially receptive elements within French society. While only a small percentage of this varied demographic is involved with jihadist activity, individuals residing in France conduct most attacks. In other instances, militants travel to France and gain entry prior to committing violence. The country’s population profile is important to consider but does not explain why some are willing to kill and die for their cause on French soil.


Historically, much of the Islamist violence against France has been motivated by French interference in Muslim lands. This was true of the Algerian Armed Islamic Group (GIA) in the 1990s and is largely the case with al-Qaeda and the Islamic State (IS) today. Jihadists have consistently made this clear in their propaganda and martyrdom statements. In addition to this, militants have struck religious targets and there has been imported conflict related to external events.


The 2015 attack on Charlie Hebdo’s offices and recent series of blasphemy-motivated incidents represent a marked typological development for jihadism in France. In response to the public’s demand for action, French President Emmanuel Macron has announced measures to fight “Islamist separatism” and has been working with European and international partners on matters of border security. Macron’s statements and announced policies have evoked outrage from some within France and internationally. Jihadists are capitalizing upon this and propagandizing Macron’s strategy in a way that hardens the enemy distinction of France, framing it as a nation that is waging war against Muslims at home and abroad. This is a very potent narrative for inciting violence.

National Security Profile
Emmanuel Macron has been criticized for his strategy as well as his comments about Islam being “in crisis”. Macron’s remarks are particularly noteworthy given the composition of French society. Islam is the second largest religion in France and Pew Research Center estimates there are 5,720,000 Muslims living in the country, accounting for 8.8% of the total population. Other sources place this figure closer to 5 million. Macron is accused of over-generalizing and stigmatizing the nation’s Islamic population in response to the actions of a comparative few.


The veracity of Macron’s claims can be debated, and the efficacy of his plan is unknown at this time but there is significant public pressure on the government to address the momentum of militant violence. The attacks have spurred discussion about strengthening French border security and immigration policy. Macron has called for the “refoundation” of the Schengen area and has urged Europe to do more to prevent illegal immigration, citing threats posed by trafficking networks with terror links.
 The global context saw tremendous geographical expansion and numerical growth in Islamist militancy over recent decades. These broader international trends have notably affected the European jihadist landscape and associated ideological currents have influenced some elements within France. France is as well a site of militant network formation and there is a degree of interplay between domestic and international dynamics.
In 2018, the Center for Strategic and International Studies estimated the number of “Sunni Islamic militants” worldwide to be around four times higher than on September 11, 2001. A study by the Dutch General Intelligence and Security Service (AIVD) found that France was the Western nation most often attacked from January 2004 to December 2018, accounting for 27% of all incidents. The AIVD says the first jihadist attack on French soil during this period was in 2012 and since then, the country has experienced frequent violence. Additionally, the Program on Extremism estimated that France has been the target of 35% of all combined attacks conducted in Europe and North America since 2014.


Several other assessments have illuminated the scale of France’s security troubles. In 2017, European Union anti-terror chief Gilles de Kerchove warned there were 17,000 militant Islamists living in the country. Following the December 2018 Christmas market attack in Strasbourg, France 24 reported that approximately “26,000 people who are believed to pose a danger to France are currently categorised as fiché S,” and “roughly 10,000 of those are believed to be religious extremists who have been radicalised, some in fundamentalist mosques, some online, some in prison and others abroad.” Upwards of 2000 French nationals have reportedly joined the Islamic State and in 2016 the French government estimated that 1,400 prison inmates were “radicalized”.


Foreign Policy
From the Armed Islamic Group in the 1990s to al-Qaeda and the Islamic State today, France’s enemies have been forthright about what motivates them to conduct attacks. French intervention in Muslim lands has fueled decades of Islamist resentment. Jihadist leaders continually reiterate this in their messaging, as do attack perpetrators in their martyrdom statements and claims of responsibility.


France had various degrees of involvement in the Algerian Civil War, the Gulf War, the War in Afghanistan, the Libyan Civil War, and the conflict in Mali. France has deployed 5,100 military personnel to the Sahel and has around 1,000 more troops stationed in Iraq. It maintains a military presence in Mali, Chad, Niger, Ivory Coast, and Burkina Faso as part of Operation Barkhane. This is France’s largest operational military footprint in Africa since the 1950s. France has also played a highly visible and multifaceted role in fighting the Islamic State in the Middle East.


Jihadist propaganda frames the country as an aggressor, foreign occupier of Muslim lands, and a crusader state waging war on Islam. Following 9/11 and entry into the War in Afghanistan, France and other coalition nations were increasingly portrayed in this way. Al-Qaeda propagated similar narratives following the 2013 launch of Operation Serval in Mali.
The development of media campaigns specifically geared towards Western audiences has increased the reach and traction of jihadist narratives within these societies. Incorporating this approach into the overall military strategy against their enemies helped bring the war to the streets of Western cities. Al-Qaeda’s propaganda efforts in the 2000s and early 2010s had some success with incitement, but the Islamic State drastically increased the offensive tempo against the West in 2014. Although there were jihadist plots in the 2000s, militants did not have a great deal of operational success on French soil again until the turn of the decade. France notably refrained from the 2003 War in Iraq and seemingly avoided much of the violent backlash associated with it. The general growth of Islamist militancy since 9/11 is another contextual trend to consider.


The Islamic State demonstrated its capabilities through its sweeping military victories, caliphate, unprecedented propaganda infrastructure, and vast global reach. When the US-led coalition intervened against the organization in Iraq and Syria, IS harnessed its robust media apparatus to launch targeted campaigns against participating nations. The Islamic State’s top leadership declared France an enemy and the organization produced specialized French language video, audio, and online print materials. IS has also been very effective in its use of social media and messaging applications.    


The Islamic State’s spokesman at the time, Abu Muhammad al-Adnani, released a statement in September of 2014 that tracked with the evolving trends of jihadist violence in the West. Adnani was very explicit in his instructions, “If you can kill a disbelieving American or European – especially the spiteful and filthy French – or an Australian, or a Canadian, or any other disbeliever from the disbelievers waging war, including the citizens of the countries that entered into a coalition against the Islamic State, then rely upon Allah, and kill him in any manner or way however it may be.” He provided simple tactical advice to streamline the attack process, “If you are not able to find an IED or a bullet, then single out the disbelieving American, Frenchman, or any of their allies. Smash his head with a rock, or slaughter him with a knife, or run him over with your car, or throw him down from a high place, or choke him, or poison him.”


Blasphemy
There had been demonstrations against Salman Rushdie in the late 1980s and against the publication of cartoons depicting the Prophet Muhammad by Denmark’s Jyllands-Posten in 2005, but not lethal attacks of this nature over such things on French soil. The recent surge in these kinds of incidents and the animosity over Emmanuel Macron’s plan to fight “Islamist separatism” have added dimension to France’s jihadist threat. Militant propaganda has focused on blasphemous acts by French citizens and has framed Macron’s strategy as a direct attack on the country’s Muslim population.


 There were several warning signs leading up to the 2015 Charlie Hebdo attack. A 2010 issue of al-Qaeda in the Arabian Peninsula’s (AQAP) Inspire magazine featured a timeline of events related to depictions of the Prophet Muhammad from 2005 to 2010, which included explicit mention of Charlie Hebdo. Anwar al-Awlaki warned, “If you have the right to slander the Messenger of Allah, we have the right to defend him. If it is part of your freedom of speech to defame Muhammad it is part of our religion to fight you.” Awlaki wrote about “the hatred the West holds towards Islam and the Prophet of Islam”. He called for retaliation and claimed that “Defending the Messenger of Allah is a greater cause than fighting for Palestine, Afghanistan or Iraq; it is greater than fighting for the protection of Muslim life, honor or wealth.” Awlaki focused on Western insults towards the most sacredly held beliefs of many Muslims, sanctified anger over these offences, and gave the greenlight for reprisal.


A subsequent 2013 issue of AQAP’s Inspire included a section about the “French crusader intervention in Mali” and a wanted poster featuring individuals accused of insulting Islam. Charlie Hebdo’s Stéphane Charbonnier was among the designated figures. On January 7, 2015, brothers Said and Cherif Kouachi conducted a raid on Charlie Hebdo’s offices that killed 12 people, including Charbonnier. The shooters had trained in Yemen, identified with AQAP, and executed the attack in retaliation to the magazine’s depiction of the Prophet Muhammad.
Blasphemy-motivated violence has reemerged with intensity in recent weeks, sparked again by the republication of these cartoons. Events transpired rather quickly with the high-profile Charlie Hebdo trial, the stabbing near the magazine’s former offices, the announcement of Emmanuel Macron’s plan, the beheading of history teacher Samuel Paty, and the church attack in Nice. Leaders of Muslim nations have scorned Macron, anti-France protests have erupted across the Islamic world, consumer boycotts have been promoted against French products, and there was a stabbing and subsequent Islamic State-claimed bombing targeting French diplomatic personnel in Saudi Arabia. Jihadist organizations and their online supporters have been actively stoking hostilities, celebrating the attacks, and calling for more violence. They have focused on Macron as a figurehead for insults to Islam and the Prophet Muhammad. The French government is accused of enabling and even encouraging blasphemy.

France is faced with a complex threat from independent actors as well as militants directed, guided, and inspired by jihadist organizations. France is in a precarious position and faces potential violence if a certain foreign policy decision is made, a citizen blasphemes, the state enacts a security measure, or an external event occurs in some foreign flashpoint. This reality informs the French desire to assert national sovereignty. France’s security environment is showing signs of deterioration and there is nothing to suggest the violence will subside anytime soon. It is clear the French people want meaningful action and time will reveal if Emmanuel Macron’s approach will have any real impact.

Continue Reading

Intelligence

Europe’s Cyber Resilience

Published

on

In today’s world, no organization or enterprise is completely safe from cyber-attacks or their possible consequences. In fact, one may even argue that the effects of Cyber Security incidents on our increasingly interconnected world have the potential to negatively affect every single individual on this planet. As a result, and aided by a progressively complex landscape of regulatory and legal requirements in this field and beyond, raising awareness of Cyber Security threats and, by extension, building Cyber Resilience, have developed from a traditionally rather technical matter into an increasingly important strategic topic for businesses, on the one hand, and into a critical diplomatic challenge for States, on the other hand.

The EU Network and Information Security Directive was the first piece of EU-wide Cyber Security legislation and aims to enhance Cyber Security across the EU. The national supervision of critical sectors, such as energy, transport, water, health, and critical digital service providers, including online market places, as well as the enhancement of national Cyber Security capabilities and facilitation of cross-border collaboration, are the key topics covered by the NIS Directive.[1] Moreover, the NIS Directive is part of the EU Cyber Security Strategy, which states “achieving Cyber Resilience” as one of its five priorities.[2] However, the fact that the NIS Directive was only adopted in 2016, with a deadline for national transposition by EU member States as recent as May 9, 2018, illustrates that Cyber Security and Cyber Resilience are relatively new topics in international collaborative efforts surrounding security and stability in Europe. One may argue that this recency inherently implies a certain lack of preparation for Cyber Security incidents; thus, vulnerability.

“The technology of today serves not only a Weberian predictability imperative – to further rationalise society. It makes society less safe and its individuals less free” – recently stated my former professor Anis H. Bajrektarevic discussing the EU cyber-related legislation.[3]Hence, a preparation, in other words – strategic investment in preventative measures and resources, is considered an essential aspect of Cyber Security as well as critical to Cyber Resilience. While Cyber Security is primarily concerned with the protection of information technology and systems,[4] Cyber Resilience aims to ensure the effective continuation of an organizations operations and to prevent demobilization of business- or organization-critical functions in the event of security incidents.[5] To be more specific, it is “the ability to prepare for, respond to and recover from cyber attacks” and other security incidents, such as data breaches, that is commonly referred to as Cyber Resilience.[6]

In this context, it has been argued that the creation of a resilience-conscious culture is a key element of successful Cyber Resilience strategies.[7] Creating such a cyber resilient culture involves raising awareness of Cyber Security threats, such as phishing and malware, and communicating ways to minimize risks stemming from them to people outside of Cyber Security functions.[8] The main goal here is to facilitate a cyber resilient mindset through awareness-building measures, leading to the question: If promoting awareness of Cyber Security threats ultimately enhances Cyber Resilience, how can we, first of all, assess the status quo of Europe’s Cyber Resilience and subsequently, monitor the progress and effectiveness of such awareness building measures, in order to better understand, compare and ultimately enhance the Cyber Resilience of individual States and Europe in its entirety?

This essay will argue that “a false sense of security” in the private sector is a warning sign regarding the Cyber Resilience of States, hence, a warning sign regarding the status quo of Europe’s Cyber Resilience. Moreover, it will argue that “a false sense of security” can serve as a valuable indicator for the effectiveness of, and increased need for Cyber Security awareness measures. This will be accomplished through the following approach:

Firstly, the essential need for and feasibility of active preparation for seemingly unlikely crisis situations, will be emphasized. To illustrate this point, the controversy surrounding the classification of the COVID-19 pandemic as “black swan event” will be discussed. Secondly, the discussion of several recent Cyber Security related incidents and their implications, will highlight that businesses and governments worldwide must, more than ever, and especially due to the C-19 related acceleration of digitalization, improve their Cyber Resilience. The main goal here will be to draw attention to the worldwide existing deficiencies regarding Cyber Resilience and, based on this, illustrate the need for and value of finding new ways to assess Cyber Resilience, but also key aspects of Cyber Resilience. Thirdly, current insights from the recently published study “Cyber Security in Austria”[9] will be discussed and contrasted with the respective risk assessment from The Global Risks Report 2019[10] to illustrate apparent discrepancies in security related self-perception in the private sector versus the reality of the risk situation. It is important to note here that “a false sense of security” means feeling safe in an unsafe environment. Therefore, such discrepancies represent “a false sense of security”. As a final step, possible implications and limitations of the presented ideas will be discussed.

A black swan event is an unpredictable, highly improbable and rare event that has serious and potentially catastrophic consequences. One main characteristic of black swan events is the widespread insistence that their occurrence was obvious in hindsight; thus, should have been foreseen.[11] In the recent past, this concept, which the Lebanese-American philosopher, professor and former Wall Street trader, Nassim Nicholas Taleb, developed and already described in 2007, has, in connection with the C-19 pandemic, again become a topic of conversation – not least because of social media, such as Twitter (#blackswan). While there seems to be general disagreement as to whether the ongoing C-19 pandemic constitutes a “real” black swan event, Taleb himself stated in an interview that the eventual outbreak of a global pandemic with all its consequences was, in fact, a predictable “white swan” event, arguing that companies, corporations and especially governments, had no excuse, not to be prepared.[12]

Regardless of swan color, however, in connection with the aforementioned ability to prepare for cyber attacks, it can be argued that a particularly relevant consequence of the C-19 pandemic, in terms of Cyber Security and subsequently, security in Europe, has been the acceleration of digitalization throughout the world, affecting the public and private sector, as well as the private sphere of people’s homes. Exit restrictions and other social-distancing measures imposed by governments worldwide, in an effort to curb the spread of the virus, have caused the global demand for remote working technologies to skyrocket within a remarkably short period of time. For example, the video conferencing solution provider Zoom experienced, within just a few weeks, a surge from around 10 million daily active users at the end of December 2019, to over 200 million daily active users in March 2020.[13] It was not long before data privacy and data security related problems with Zoom became apparent: “Zoom bombing” or video hijacking, which refers to the unwanted and disruptive intrusion of a person into a Zoom video meeting, a lack of end-to-end encryption and, in this regard, misleading information advertised on part of the provider, along with various IT security related vulnerabilities that allowed hackers, among other things, unauthorized remote access to end user’s Mac computers – including webcam and microphone access, Zoom’s deployment of in-app surveillance features, as well as questionable handling and alleged trade with the obtained user data were, already by April 2020, seen as a considerable cause for concern, leading security experts to describe Zoom as “a privacy disaster”, and “fundamentally corrupt”. Moreover, Arvind Narayanan, associate computer science professor at Princeton University, was quoted as saying: “Zoom is malware”.[14] The most memorable piece of news concerning Zoom was, however, arguably about the British prime minister Boris Johnson accidentally posting sensitive information, including the Zoom meeting ID and the login names of several participants, when sharing a screenshot of his first-ever digital cabinet meeting via Twitter.[15]

The example of Zoom illustrates how companies, organizations, governments and private individuals benefit to an unprecedented extent from the advantages of digitalization, especially in the context of the ongoing C-19 pandemic, but also beyond such global crisis situations, while at the same time being faced with the considerable challenges and security risks brought about by the new technologies of what is known as the Fourth Industrial Revolution. This Fourth Industrial Revolution, being “characterized by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres”, is changing the ways we live, work and interact,[16] resulting in significant risks to the privacy of natural persons, as well as to security and stability in general.

Several recently occurring or publicly emerging Cyber Security incidents underpin the scope of these risks: A cyber-attack on the British airline EasyJet, in the course of which personal data including email addresses and travel plans of 9 million EasyJet customers and additionally, credit card details of over 2,000 customers, were stolen, became known in May 2020.[17] This once again demonstrates that companies of all kinds can at all times become targets and victims of cyber-attacks. Costly penalties for violations of the General Data Protection Regulation (EU) 2016/679 (GDPR), as well as claims for damages and lawsuits by those affected and, last but not least, the loss of reputation often caused by such security incidents, pose significant challenges for companies under any circumstances. These challenges can, however, easily become existence-threatening, especially in view of the C-19 induced crisis situation, in which particularly the aviation industry currently finds itself in, as recently highlighted, when Austrian Airlines received EUR 450 million in financial aid from the Austrian government.[18]

On the one hand, the EasyJet security incident illustrates that Cyber Resilience has, in recent years, developed from a formerly predominantly technical matter into a business-critical strategic topic and, in today’s world, competitive advantage for companies, whereas on the other hand, the case of Austrian Airlines requiring millions of Euros of state aid to continue their operations, illustrates how crisis situations faced by private companies can and do affect States. 

As a matter of fact, we live in a time where the vulnerability of critical infrastructure is a real concern among security specialists[19] and States, as illustrated by the following example: A joint memo, sent out in May 2020 by German intelligence and security agencies, warned German operators of critical infrastructure against hacker attacks. The memo included a description of the hackers’ approach as well as information indicating long-standing compromises in corporate networks of companies operating in the energy, water and telecommunications sector,[20] in other words, critical sectors covered by the EU Network and Information Security Directive 2016/1148 (NIS).

It is in light of security incidents like these, that the results of and contradictions arising from this year’s “Cyber Security isn Austria” study (KPMG, 2020),[21] may be perceived as especially worrying: According to the study, 27% of 652 companies surveyed place great trust in their Cyber Security measures, while 58% “rather” trust their Cyber Security measures. At the same time, 57% of participating companies became victims of cyber attacks in the past 12 months, of which 74% where phishing attacks.[22] It is important to note here, that, when it comes to the prevention of phishing attacks, security experts consider regularly training employees on security awareness, essential.[23] In the context of such Cyber Security awareness measures, it seems especially interesting that the study highlighted the significance of employees in the detection of cyber attacks, as opposed to merely focusing on employees as a potential weakness: 79% of companies stated that they had become aware of a cyber attack through their own employees, while internal security systems ranked second (72%) as a means of detection. Awareness building measures must, therefore, remain a high priority for companies.[24]

Furthermore, the study established that one third of companies believe it would take them 1 to 4 weeks to safely remove attackers from their systems, while a fourth of companies even believe it would merely take them between 2 and 6 days. These findings are in direct contradiction with the considerably longer and demonstrably increasing average “dwell time” (100 to 170 days) of attackers in corporate networks.[25] Regarding Cyber Resilience, it is worth noting here, that although 69% of companies surveyed invest in awareness and security monitoring to protect themselves against cyber attacks, only 25% prepare for possible damage through cyber insurance coverage.[26] Also, the study found that 82% of companies would like to see established a government agency dedicated exclusively to Cyber Security issues and 77% would like to be supported more by the State, while at the same time, 57% state that they do not trust the authorities when it comes to Cyber Security. Additionally, it was found that the primary expectation (64% of companies) companies have toward the State is the provision of information and EU-wide support as well as exchange between experts from the State and private sector, in order to learn from each other.[27] Considering the companies’ expectations regarding the exchange of information between experts, it seems particularly striking that about 90% declined to comment on the effects that past Cyber Security incidents had in terms of damage caused to their reputation. Based on this finding, it was concluded that a trustful exchange of information must be encouraged and observed, that changes to the existing legal framework would help facilitate open communication on cybercrime.[28]

All in all, it was concluded that Austrian companies mistrust others, but do not protect themselves sufficiently, that they demand cooperation, however, shy away from open communication and that they feel more secure than they are.[29] In other words, “a false sense of security” in the Austrian private sector, emerged as a key finding.

It was already established earlier that “a false sense of security” means feeling safe in an unsafe environment. Therefore, it seems only logical to look in more detail at the threat environment, also known as risk environment, in which businesses in today’s world operate in. For the sake of coherence and comparability, the following section will, first of all, examine Austria’s situation before briefly considering the global risk environment:

The “Risks of Doing Business 2019” report (World Economic Forum) rates cyber-attacks as the most critical business risk in Austria (46.7%) and data fraud or theft as second critical (34.1%).[30] Taking into account the previously discussed findings regarding levels of trust companies place in their security measures (27% trust “greatly”, 58% “rather” trust)[31] and unrealistic company estimates of attacker “dwell time” in corporate networks, “a false sense of security” clearly reemerges. The top Risks of Doing Business 2019 on a global scale are fiscal crises (28.9%), closely followed by cyber attacks (28.2%) as the second critical risk and unemployment or underemployment (28.2%) as the third critical risk, while data fraud or theft ranks seventh (22.4%),[32] firmly establishing technological risks among the most critical risks globally.

Overall, and especially against the background of the global risk environment and increasing interconnectedness of the public and private sector, “a false sense of security”, or to be more precise, “a false sense of Cyber Security” in the private sector must, therefore, be considered a significant threat for the security of private companies and, consequently, the security in Europe, a warning sign regarding the status quo of Europe’s Cyber Resilience and, one may argue, valuable instrument in assessing the effectiveness of Cyber Security awareness measures.

While the scope and purpose of this essay did not allow for an in-depth analysis of how “a false sense of security” may practically be translated into a quantifiable, clearly defined key performance or risk indicator, it may serve as a starting point in doing so. Also, it may rightfully be argued that any indicator of performance or risk must be evaluated in the context of already established key performance and risk indicators, as well as existing efforts, procedures and best practices in the field, in order to fully assess its value and usefulness. Again, the scope of this essay did not allow for an in-depth analysis in this regard. Nevertheless, it may prove useful as a starting point in doing so. Other limitations and challenges arising from the scope, purpose and choice of approach as well as ideas advanced in this essay, include the risk of bias when generalizing from Austria to Europe and the risk of response bias (demand bias) when utilizing survey questions to identify “a false sense of security” with the same participants.

Nevertheless, despite these limitations, it seems possible to derive the following conclusions from the analysis conducted in this essay: a) the security and stability in Europe depend on the ability of States to continuously improve and maintain their Cyber Resilience, b) Europe’s Cyber Resilience is closely tied to the Cyber Resilience of each States’ private sector and, as a result, the actors operating within them, c) improving cooperation and trust between the public and the private sector as well as between States is necessary to improve Europe’s Cyber Resilience and, d) an organization with the appropriate authority, financial and professional capacity as well as reach, such as, one may argue, the OSCE, must act as the initiator and governing body of projects aiming to utilize “a false sense of security” to assess Europe’s Cyber Resilience and existing security awareness measures.

All in all, one may conclude that in order to ensure and enhance security and stability in Europe in our increasingly interconnected world, especially in the face of rapid technological progress, new technologies and the recent acceleration of digitalization, an urgent need to continuously improve and monitor Europe’s Cyber Resilience exists. This will call for more and more cooperation between the public and private sector, as well as between States and will, consequently, likely even heighten the significance of international organizations, such as the OSCE, in initiating, financing, overseeing and supporting Cyber Resilience initiatives in Europe.


[1] ENISA. NIS Directive. n.d. https://www.enisa.europa.eu/topics/nis-directive (accessed June 25, 2020).

[2] European Commission. EU Cybersecurity plan to protect open internet and online freedom and opportunity. February 7, 2013. https://ec.europa.eu/commission/presscorner/detail/en/IP_13_94 (accessed June 25, 2020).

[3]Bajrektarevic, Anis. Twinning Europe and Asia in Cyberspace: the EU GDPR Legislation and its Transformative Power.January 2019. Diplomat Magazine (Hague-Brussels)

[4] RSI Security. What is cyber resilience and why is it important? August 14, 2019. https://blog.rsisecurity.com/what-is-cyber-resilience-and-why-is-it-important/ (accessed June 25, 2020).

[5] De Groot, Juliana. What is Cyber Resilience. February 4, 2019. https://digitalguardian.com/blog/what-cyber-resilience (accessed June 25, 2020).

[6] IT Governance Ltd. What is cyber resilience? n.d. https://www.itgovernance.co.uk/cyber-resilience (accessed June 25, 2020).

[7] Hughes, Mark. Beyond awareness: Create a cyber resilient culture. September 2019. https://thrive.dxc.technology/2019/09/10/beyond-awareness-create-a-cyber-resilient-culture/ (accessed June 6, 2020).

[8] Hughes. Beyond awareness: Create a cyber resilient culture. September 2019.

[9] KPMG. Cyber Security in Österreich. Study, Vienna: KPMG Security Services GmbH, 2020.

[10] World Economic Forum. Risks of Doing Business 2019. 2019. https://reports.weforum.org/global-risks-report-2020/survey-results/global-risks-of-highest-concern-for-doing-business-2020/ (accessed June 25, 2020).

[11] Chappelow, Jim. Black Swan. March 11, 2020. https://www.investopedia.com/terms/b/blackswan.asp (accessed June 25, 2020).

[12]Taleb, Nassim Nicholas, interview by Bloomberg TV. Taleb Says “White Swan” Coronavirus Was Preventable (March 31, 2020).

[13]Fuscaldo, Donna. Zoom’s Daily Active Users Surged to 200 Million in March… and That’s Part of the Problem. April 2, 2020. https://www.nasdaq.com/articles/zooms-daily-active-users-surged-to-200-million-in-march…-and-thats-part-of-the-problem (accessed June 25, 2020).

[14] Paul, Kari. ‘Zoom is malware’: why experts worry about the video conferencing platform. April 2, 2020. https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing (accessed June 25, 2020).

[15] futurezone. Netzpolitik: Boris Johnson postet aus Versehen sensible Infos.April 1, 2020. https://futurezone.at/netzpolitik/corona-boris-johnson-postet-aus-versehen-sensible-infos/400800110 (accessed June 25, 2020).

[16] Schwab, Klaus. The Fourth Industrial Revolution: what it means, how to respond. January 14, 2016. https://www.weforum.org/agenda/2016/01/the-fourth-industrial-revolution-what-it-means-and-how-to-respond/ (accessed June 25, 2020).

[17] Hauser, Christine. EasyJet Says Cyberattack Stole Data of 9 Million Customers. May 19, 2020. https://www.nytimes.com/2020/05/19/business/easyjet-hacked.html (accessed June 25, 2020).

[18] Hodoschek, Andrea. Wirtschaft: AUA-Rettungspaket steht: 450 Millionen Euro Staatshilfe.June 8, 2020. https://kurier.at/wirtschaft/aua-rettungspaket-steht-450-millionen-euro-staatshilfe/400934555 (accessed June 25, 2020).

[19] Allianz. Cyber attacks on critical infrastructure. n.d. https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/cyber-attacks-on-critical-infrastructure.html (accessed June 25, 2020).

[20] Tanriverdi, Hakan. Kritische Infrastruktur: Behörden warnen vor Hackerangriffen.May 27, 2020. https://www.br.de/nachrichten/deutschland-welt/kritische-infrastruktur-behoerden-warnen-vor-hackerangriffen,S0CJ1JP (accessed June 25, 2020).

[21] KPMG. Cyber Security in Österreich. 2020.

[22] KPMG. Cyber Security in Österreich. 2020: 6.

[23] Lord, Nate. Phishing Attack Prevention: How to Identify & Avoid Phishing Scams in 2019. July 12, 2019. https://digitalguardian.com/blog/phishing-attack-prevention-how-identify-avoid-phishing-scams (accessed June 25, 2020).

[24] KPMG. Cyber Security in Österreich. 2020: 13.

[25] KPMG. Cyber Security in Österreich. 2020: 4.

[26] KPMG. Cyber Security in Österreich. 2020: 6.

[27] KPMG. Cyber Security in Österreich. 2020: 23.

[28] KPMG. Cyber Security in Österreich. 2020: 14.

[29] KPMG. Cyber Security in Österreich. 2020: 4.

[30] World Economic Forum. Risks of Doing Business 2019. 2019.

[31] KPMG. Cyber Security in Österreich. 2020: 6.

[32] World Economic Forum. Risks of Doing Business 2019. 2019.

Continue Reading

Publications

Latest

Health & Wellness1 hour ago

New COVID-19 infections fall globally for first time since September

Last week saw the first global decline in newly reported cases of COVID-19 since September, the head of the UN World Health...

Environment3 hours ago

Climate Action: It’s time to make peace with nature

The UN Secretary-General, António Guterres, has described the fight against the climate crisis as the top priority for the 21st...

Africa5 hours ago

Africa: A Rising Star in the New Economic Order

The African continent has been on top of the agenda of the policymakers in all periods. From the historical aspect,...

International Law7 hours ago

The Relevance of International Relations Theory in Community Policing

Community policing in general refers to adopting such measures by law enforcement agencies specifically police where closer ties between the...

Middle East9 hours ago

Biden’s Opportunity To Reset Relatons With The Muslim World Begins In Istanbul

When President Obama delivered his famous speech at Cairo University in June of 2009, it was an historic moment. The...

South Asia11 hours ago

Critical India: The Real Story

In recent months, there has been an unprecedented barrage of criticism, innuendos and verbal onslaught on the Modi-led Indian government....

Eastern Europe13 hours ago

The State of Civil Society in Belarus and Armenia: Challenges and Opportunities

 A vibrant civil society has long been thought to be a crucial instrument for political change in countries in transition...

Trending