Dr. Alan Riley

Can Brussels Take Security Seriously? Can the EU Move Beyond its ‘Common Market’ DNA?

Despite its Common Foreign and Security Policy (CFSP) the EU has always been happier focussing on market regulation. This is the original ‘common market’ DNA of the EU where the EU institutions are at their most comfortable. The underlying assumption that the EU’s reach in respect of CFSP will always be limited and any really serious security issues are for NATO. However, in a world of ever increasingly aggressive authoritarian states such as Russia and China, the EU is likely to find it more and more difficult to remain within its market regulation comfort zone. The most recent controversial example of this is in respect of Nord Stream 2. As the pipeline comes close to physical completion Gazprom seem to be prepared to cut gas exports to the EU in order to try and force the pipeline through the Union’s regulatory clearance procedure. It is likely that this autumn the EU institutions will face a major security crisis which does not fit within its usual market regulation parameters. Equally, the focus on opening up trade opportunities with the China-EU Comprehensive Investment Agreement (hereafter CAI) overlooks the security issues that stem from Chinese foreign direct investment. With Chinese foreign investment one is not just bringing in new capital and knowhow into the European market, but the Chinese Communist Party (CCP). This means CCP committees into every business, the control provided by their state-owned enterprises and the obligations of all employees even non-Chinese nationals to comply with the terms of the 2017 National Intelligence Law. A similar issue flows around Commission proposals to reform the regulatory framework in respect of the major tech platforms. While welcome in principle as a means of constraining monopoly or near monopoly power they overlook the security issues which flow from Facebook’s development of a huge attack ‘surface’ for hostile foreign powers seeking to reach deep into the democracies. Nor does the Commission’s market regulation approach deal with the changing tech security threat flowing from the recent Pegasus hacking scandal. The increasing focus on hacking and controlling smartphones and iPad generates a major security threat which needs to be addressed in any regulatory reform addressed to the tech platforms.

In each of these cases broader security concerns of the Union and its Member States have to be integrated into the more traditional market regulation approach. There has to be recognition that the Union operates in an increasingly fragmented and hostile world where we are ultimately responsible for our own security. This requires recognising the very real threats we face and develop policy and practices which can begin to counter them.

Nord Stream 2: The Coming Supply Security Threat

From the start Nord Stream 2 has raised significant energy security and security issues for the states of Central and Eastern Europe (hereafter CE Europe) and the Baltic States. Nord Stream threatens to undermine CE Europe’s transit security, split the single market in gas and increase Gazprom political and economic power in CE Europe. It also threatens to undermine Ukraine’s supply security, by terminating the transit of Russian gas via Ukraine, currently the principal way Ukraine obtains gas via reverse flow from Slovakia, Poland and Hungary.

The EU have helped in one way by enacting an amendment to the Gas Directive 2009 in May 2019 which formally extended the EU’s energy liberalisation rules to import pipeline such as Nord Stream 2. However, Gazprom, Nord Stream 2’s owner, does not want to be forced to comply with EU rules. It does not want to unbundle the pipeline, which would mean selling the pipeline (it cannot under EU law both own the pipeline and supply gas through it). It does not want to subject itself to third party access, which would mean granting Russian competitors such as Novatek and Rosneft access to the pipeline. It does not want to provide tariff transparency either.

Its approach therefore is to seek to force the EU to waive the pipeline through despite its non-compliance with Union law. It has chosen to cut gas exports to the EU. Currently gas exports are running at 20% below pre-pandemic levels. In addition, it has been drawing gas from European storages in order to fulfil its existing supply contracts. This has left European storages around 30% lower than they should be at this time of year on a five-year average. the result is that European gas prices have spiralled to a sixteen-year high. The message is clear. ‘If you want more gas and lower prices than waive Nord Stream 2 through, whatever EU rules say’.

If Gazprom does not relent the EU will face a serious energy security problem this autumn. It will face high gas prices and huge political pressure, while at the same time trying to maintain the integrity of the EU’s legal order.

At the very least, the Commission as guardian of the treaties has to be prepared to ensure the uniform application of Union law across all territories and sectors including the energy sector in Germany. More broadly this crisis requires greater consideration of the security implications surrounding the use of Russian gas, its potential replacement by trusted gas suppliers, renewables and other forms of energy.

Understanding the Chinese Investment Security Threat

Nord Stream 2 is only the most controversial security problem facing the Union. A far less obvious security threat is the one surrounding the CAI. This has been currently placed into deep freeze by the European Parliament as a result of Chinese sanctions imposed on European officials, as well as five MEPs.

One major understandable major concern over the agreement revolved around the issues of the treatment of the Uighurs and the use of forced labour across China. There are over one million Uighurs in labour camps in the Chinese province of Xinjiang. In addition to the human rights issues there is also a broader security issue which is little discussed which impacts on the CAI. This is the issue of foreign investment undermining national security. In recognition that this had become an issue the EU adopted a foreign investment screening regulation (EUFIS) which came into force in October 2020. It is a weak piece of legislation ( the Commission can only make non-binding recommendations on a deal). However, for now only half Member States have national foreign investment screening regulations. Though increasingly those that have such legislation are strengthening their regulations and more Member States are adopting such legislation.

The reason for such legislative activity is the increasing number of Chinese investments across Europe in strategic or technological industries. This is understandable not so much because of the scale of the investments but because Chinese acquisitions bring with them the influence of the CCP Many major Chinese companies acquiring assets in Europe are state owned enterprises under the control of the Chinese State Council’s State-Owned Assets Supervision and Administration Commission (SASAC). The central SASAC is the world’s largest shareholder with 48 Fortune 500 global companies on its books and holding stock worth approximately $10 trillion. In addition, every provincial government in China has its own SASAC. The SASAC’s are the ultimate governor and controller of hundreds of major Chinese corporations. Even if a Chinese firm is nominally a private company the company will have like all Chinese companies a CCP party committee running in parallel with the executive board of the firm. This level of control and influence over state and ostensibly private companies by the Chinese Party-State has been reinforced over the last few years by the imposition of a series of laws culminating in the 2017 National Intelligence Law. In particular, Article 7 of which provides that,

All organizations and citizens shall support, assist and cooperate with national intelligence work according to the law, and keep secret their knowledge of national intelligence work.

Article 14 of the legislation appears to extend obligations to co-operate with agents of the Chinese state to those who work at Chinese owned companies and not just in China. One question to legitimately ask is why the Union was prioritising the CAI and seeking to promote Chinese foreign investment while at the same time trying to strengthen its foreign investment screening regulations? It looks again as if the common market DNA with the Union focussing on trade while trying to ignore the uncomfortable security issues that the EU has been in play again. Surely at the very least the European Parliament should insist that all EU states adopt robust foreign investment screening laws, and strengthen the existing EU legislation before the CAI is given any further consideration. It should also by legislation reject any application of the Chinese National Intelligence Law on the territory of the Member States and to EU nationals.

The Tech Platforms and National Security

At one level the proposal to impose significant obligations on the major tech platforms via the Commission’s proposed Digital Services Act (DSA) and the Digital Markets Act (DMA) are welcome. The platforms such as Amazon and Google have obtained a far too great a hold over the economy. However, from a national security perspective the greatest threat flows from Facebook. Facebook provides a single ‘attack surface’ of 2.8 billion users which allows users to be identified at a very granular level. This is excellent for advertisers, but far less excellent for national security. It means that all almost all 450 million Europeans can be identified in terms of interest groups, personal interests and localities at an extremely micro level. Worst still the algorithms that Facebook use to promote engagement encourage the worst side of human nature hate and anger. As a result, hostile authoritarian foreign powers can use Facebook can reach deep into the democracies easily identify target groups and fan the flames of hatred division across the Member States.

Again, the regulatory approach taken by the Commission in the DSA an DMA do not really address this level of security threat. The DSA and DMA are classic EU market regulations which addresses issues such as self-dealing by the likes of Amazon and Google on their platforms. Such regulatory issues are clearly important, but they do not address the much greater security threats posed by Facebook. It may be that under the new Biden appointees at the US Federal Trade Commission, Chair Lina Khan and the new US Assistant Attorney General for Antitrust, Jonathan Kanter, that the US authorities break up Facebook and prohibit its algorithms from promoting hate and division. It will not though be the market regulation focussed EU which will have faced down this threat to national security and democratic integrity of its Member States.

A further concern highlighted by the recent revelations concerning the Israeli software firm NSO and its extremely sophisticated Pegasus hacking technology. Even the most sophisticated and secure smartphones can be potentially compromised by the Pegasus technology, even if there is no interaction between the smartphone owner and the Pegasus software (eg the owner does not even click on a link). The recent joint investigation involving 17 media organisations alleged that a wide range of actors in up to 11 countries had been subject to Pegasus surveillance. Those under such surveillance it is alleged included not only journalists and business executives, but the President of the European Council, Charles Michel, and the President of France, Emmanuel Macron.

The focus of Pegasus on devices flows from the improvement in end to end encryption technologies in the last few years with products such as WhatsApp, Signal  and proton mail. As a consequence, the capacity of hackers to intercept communications in progress has become much more limited. Pegasus is a response to end to end encryption where the focus is on hacking and then controlling the devices themselves. Again because of the EU’s traditional market regulation focus found in the DMA and DSA it has not yet absorbed the threat posed by these developments, nor provided any significant response.

There are a number of ways forward here. The most immediate is to insist with NSO backed up by EU legislation including penalties that the technology must not be used in respect of the phone numbers of smartphones registered in EU Member States and on more broadly on European Union territory. NSO has forsworn to use the technology in the United States. It does not seem unreasonable that the EU should require a similar approach in Europe. However, this threat to devices is not just from NSO, there are a wide range of actors who are looking to hack and control our smartphones and tablets. This threat requires a much stronger and broader legislative response. The aim should be to seek to close off as far as possible all devices from being hacked and controlled. This means looking at the draft DSA and DMA legislation anew to impose heavy security obligations and liabilities on the platforms to ensure that their software systems are much more difficult to access by hackers and therby ensure our devices cannot be taken over.

Moving Beyond the Market Regulation DNA

In each of these cases the Union, its institutions and the Member States are seeking to respond to geopolitical and security challenges with its traditional market regulation tools. At the very least the Union has to reconsider how it uses its market regulation tools, and refashion them for an age in which we are faced with more direct security challenges. Policymakers need to be able to consider in all EU policymaking the real security context and the actual security threats. We can no longer live in a world of the EU’s comfort zone where we just enact market regulations, and rely on the market weight and attractiveness of the single market to deliver for us.

Tuomas Malinen

Bank of Bust