Udo Helmbrecht, director of the European Network and Information Security Agency, discusses the future of internet security in the EU, saying that a proposal to let users wipe clean their digital slates is unrealistic.
Marko Orlovic (DW): Many people in Europe have little faith in the EU’s handling of internet security issues, thanks largely to the NSA affair in recent weeks. What is your agency doing to reestablish trust with EU citizens?
Udo Helmbrecht: We have always worked to make the Internet more secure so that citizens can trust it. Two points: First, we deal with business processes and technologies, like cloud computing, social networks and smart metering. We point out dangers to users so that they can protect themselves early on. Second, we founded the Europe-wide initiative Cyber Security Month, during which we try, with the aid of member states and other EU institutions, to reach out to citizens better.
The majority of EU citizens exclusively use American security programs. Calls for European internet security programs are getting louder. How can people be motivated in the future to use such programs?
I’d have to ask the citizens myself! One example: there used to be both StudiVZ and Facebook in Germany. But the people decided they would rather use the American product than the German one. In that case, there’s nothing you can do to help people. Then we can’t complain when foreign companies misuse our data.
ENISA’s tasks include advising EU institutions on IT security. How good has the cooperation been with these institutions, and are they taking ENISA’s advice?
It could be improved. We’ve certainly made a good start. It’s worth noting that ENISA wasn’t founded until 2005, and it takes time to get established. Cooperation with EU institutions is functioning well in the area of the digital agenda, in which experts for Internet security try out new defense mechanisms against cyber attacks. During the NSA discussion, the vice president of the European Commission, Viviane Reding, got in touch with us when it came to the topic of the smart grids. We are indeed at the beginning, but we’re on a good path.
In 2014, a reform of the EU’s General Data Protection Regulation is planned. That includes the new legal initiative called the „right to be forgotten.“ The intent is to allow every Internet user the ability to delete one’s own data. How realistic is that?
We’ve put together an informative text under the „right to be forgotten“ heading. First of all, though, it’s not technically possible to do a complete removal online. It’s all a question of companies‘ user agreements. And when the companies are located outside of Europe, it gets difficult. If, for example, someone gives their data to an online shop outside of the EU, there are very few legal avenues to have an impact on such an entity. Ultimately, it comes down to the realization that the Internet never forgets!
Is it even possible to put an all-encompassing data protection law into words?
There are certainly some basic approaches. But the question is whether that which is legally desired is also technically feasible. Where are the technological limits? If, for example, you take a cloud computing provider who passes data on to third parties, then it’s already technically difficult to follow that process. Legally speaking, the whole thing essentially becomes futile.
How can European companies and institutions protect themselves against attacks and pointed attempts at industrial espionage?
Encryption, encryption, encryption. At the BSI’s homepage, where ENISA is also represented, there are tips for citizens and mid-sized companies who want to protect themselves. For example, firewalls or antivirus software can help. When sending sensitive documents, I advise people to use digital signatures so that recipients can determine whether the document has been falsified. Patents should, generally speaking, always be sent in encrypted form.
Udo Helmbrecht (58) has been the director of the EU’s IT security group European Network and Information Security Agency since 2009. From March 2003 to October 2009, he served as president of the Federal Office for Information Security (BSI) in Germany.