US authoritarianism and the EU's tech dependencies
The EU's list of tech dependencies on the US is long and the path to independence is arduous. But our authors believe that the EU must take it.
- Manuel Atug
- Matthias Schulze
The EU's liberal democracies are under threat like never before. Not only are the Americans no longer a reliable partner, they are on a direct path to authoritarianism. Trump and Vance make no secret of the fact that they despise the EU and want to disintegrate it from within. Russia and to some extent China also share similar goals.
A smart, forward-looking policy should assume the worst. In the worst-case scenario, the EU democracies will find themselves alone in a few years' time, surrounded by authoritarian powers. Authoritarian states repeatedly use the means at their disposal, whether gas pipelines such as Nord Stream or technological or economic dependencies, to pursue a policy of blackmail. US Vice President Vance has already hinted that US security guarantees for EU and NATO states could be removed as a result of EU technology regulation of American companies. Dependence on US technology has thus become a national security risk for the EU.
Tech dependencies
Europe is dependent on US companies in numerous technology fields such as network components (Cisco, F5, Fortigate, Palo Alto, Extreme Networks), infrastructure software (Microsoft Active Directory, Sharepoint), virtualization and cloud computing (Azure, AWS and Google have a combined market share of over 70 percent in Europe), databases (Oracle, IBM), mainframes (IBM) and operating systems (Windows, macOS, iOS, Android). US companies own the majority of all submarine fiber optic cables relevant to the EU. Meta is currently investing ten billion US dollars in new fiber optic cables worldwide. In addition, there are dependencies in semiconductors, quantum technologies, AI and surveillance software for law enforcement agencies and intelligence services (Palantir).
The associated risks go far beyond the monitoring of and spying on European data via the CLOUD Act, Patriot Act and Foreign Intelligence Surveillance Act (FISA). Assuming the worst, US companies could be forced to limit or impose conditions on services or the sale of products in Europe. The Americans are already using this policy against China; think of semiconductors. The Biden administration ordered similar measures as part of the sanctions against Russia, causing US companies to restrict their software services to Russia.
Trump could order Microsoft, Apple, Google, Amazon, Meta, IBM and Palantir to make European data, corporate and government environments in US clouds, as well as local environments, inaccessible and only release them again once political concessions have been made. Politically motivated "denial of service", i.e. the threat of shutting down essential services such as Starlink in Ukraine, could also be used as leverage against Europe. This is all the more serious as many critical infrastructures (KRITIS) as well as governments and public authorities in Europe now rely on US cloud environments and AI from the USA.
And because so many EU institutions and companies are dependent on US services, such a "denial of service" could trigger massive production losses in industry as well as supply shortages for the population and threats to public safety. Think of the CrowdStrike outage of 2024, only deliberate instead of accidental. Something like this would be technically possible, as security software often runs with high system privileges and is installed on many systems in European companies and administrations. The term blackmail software or ransomware takes on a whole new meaning.
Since 2019, Europe could have learned lessons from the discussion surrounding the Lex Huawei case and the question of whether the Chinese provider can be trusted with the expansion of the 5G network. But little has happened so far. It is currently impossible to predict when EU governments, the economy and, in particular, critical infrastructures will reassess the USA as a previously reliable partner as part of risk management.
Norway and Denmark are now warning against US cloud providers. However, too many are currently taking a wait-and-see approach, discussing timidly and, above all, acting late, as is often the case in crisis situations. One wonders whether and when the Federal Ministry of the Interior will instruct the BSI to publish a warning against US products, as it did with the Russian antivirus software company Kaspersky. Currently, there is conspicuous silence on this point too; the population and the economy are on their own in this difficult situation.
Vulnerabilities
In the worst-case scenario, US companies and intelligence agencies could be instructed to actively withhold security updates and knowledge of vulnerabilities. This would massively compromise our IT security and make us even more vulnerable to Russian or Chinese cyberattacks, as well as organized crime. The exchange of information between intelligence services could also become more politicized: "We will only give you information, for example about cyberattacks we have detected against your systems, if we get something in return." The BKA, the BND and NATO in particular are heavily dependent on US information, both from the US intelligence services and from the private sector. Numerous cyber attacks could apparently only be detected thanks to tips from abroad.
The politicization of the vulnerability ecosystem, which has so far followed liberal globalization ideals, would be similarly problematic. In that ecosystem, ethical hackers look for vulnerabilities and report them to authorities and companies, which inform the manufacturers, which in turn provide security updates that collectively increase the IT security of all users. The vulnerabilities found are primarily cataloged according to US standards, and bug bounty programs are mainly geared towards US companies, so they pay into their cybersecurity and not ours. In a post-liberal, authoritarian order, this can become a weapon.
Until recently, Europe had been rather slow and hesitant to establish its own structures, such as bug bounty programs and platforms or even Europe-wide coordinated vulnerability disclosure processes in authorities and companies. However, there is now a clear improvement here: this week, the EU launched its own vulnerability database, EUVD. This should reduce the pioneering role that the US has held for many years and thus strengthen Europe's independence from the US.
In Germany, the hacker paragraph 202c in the Criminal Code (StGB) still prevents participation in national IT security, as security researchers always put themselves at risk if they report a vulnerability in Germany. Section 5 of the Telecommunications Digital Services Data Protection Act (TDDDG), which prohibits eavesdropping and imposes a duty of confidentiality on operators of radio equipment, does not improve the situation in Germany either. The "traffic light" government wanted to initiate urgently needed reforms here, but failed to do so before the end of the coalition.