Forget cyber-espionage, cyber-warfare and cyber-terrorism. The biggest threats to Europe’s infrastructure cybersecurity are power outages and poor communication.
On Thursday, ENISA (European Network and Information Security Agency) held its biggest ever cybersecurity exercise involving more than 200 organisations and 400 cyber-security professionals from 29 European countries.
The bi-annual event* simulates a lifelike attack, modelled on real events, to test the reaction of national Computer Emergency Response Teams (CERTs), government ministries, telco companies, energy companies, financial institutions and internet service providers.
But Steve Purser, Head of Operations at ENISA, explained: “The biggest threats we really see are not attacks, but hardware and software failures.”
#CyberEurope2014 will simulate more than 2,000 separate cyber-incidents, including denial of service attacks, website defacements, exfiltration of sensitive information and attacks on critical infrastructure.
Purser says he’s confident that they are testing the right things. “I speak at a lot of events and there are a lot of glib comments from people saying we need to share more data. But actually we need to share LESS data. We live in an age of data pollution and we need to discuss the right things at the right level.”
This would appear to include a standard array of attacks that systems need to be tested against but nothing particularly tricky such as exploitation of unpatched vulnerabilities, custom malware, data contamination or social engineering.
The distributed exercise, involving several exercise centres across Europe working with a central exercise control centre, is designed to test EU cooperation and escalation procedures. The exercise will also test out the EU-Standard Operational Procedures, a set of guidelines to share operational information on cyber crisis.
In the case of the Spanish military, at least, the exercise involves military personnel in camouflage uniforms (¿Por qué?) crowded together around laptops and wide screens in a crowded room on the outskirts of Madrid. A picture by OneMagazine illustrates the claustrophobic scene, seemingly devoid of tapas, cafe or other Spanish essentials.
Last year global web-based attacks increased by almost a quarter and the total number of data breaches was 61 per cent higher than in 2012, according to Symantec’s Intelligence Report.
Each of the eight top data breaches resulted in the loss of tens of millions of data records while 552 million identities were exposed. Meanwhile, ENISA’s Threat Landscape report says that threat agents have increased the sophistication of their attacks and their tools and multiple countries have developed capabilities that can be used to infiltrate all kinds of targets, governmental and private.
The proposed EU Network and Information Security Directive (aka the Cybersecurity Directive) aims to address these problems. The draft law is currently being discussed by national representatives, the European Parliament and the European Commission.
Some elements of the original law have already been substantially watered down. Originally “key internet enablers” faced mandatory security breach and incident notification requirements, but this was changed by the European Parliament and the provision now applies only to “market operators who provide critical infrastructure”.
Who and what these market operators are is vaguely worded and a cause for dispute between member states at the negotiating table.
“Member states deal with critical infrastructure in different ways - some are asset based, some process based and the challenge is to put those together. It’s a complex situation,” said Purser, adding that events like CyberEurope2014 help to identify weaknesses.
He believes the proposed directive is a step in the right direction: national governments would still be required to appoint a competent central authority and develop a national cybersecurity strategy. These national authorities would be required to liaise with ENISA and an EU-wide “Cooperation Network”.
Professor Udo Helmbrecht, executive director of ENISA, commented: “Five years ago there were no procedures to drive cooperation during a cyber-crisis between EU Member States. Today we have the procedures in place collectively to mitigate a cyber-crisis on European level. The outcome of today’s exercise will tell us where we stand and identify the next steps to take in order to keep improving.”
However, there is considerable resistance from some national representatives to mandatory sharing of information between countries as envisaged in the current draft law. Some countries fear giving away too much information or subjecting companies to “reputational damage”.
Based on previous CyberEurope events, Purser thinks that those involved are getting better at sharing information, and he was keen to stress that “we are not talking about industrial espionage, which I think is a false debate. [ENISA] is not interested in handling national security information. But exercises like this provide valuable bottom-up knowledge behind the policy.”
ENISA will produce a report on its findings from Thursday’s exercise by the end of the year, while the next discussion between national representatives on the cybersecurity directive will take place on November 27.
*Cyber Europe actually takes place in three phases throughout the year: technical – which involves incident detection, investigation, mitigation and information exchanges (completed in April); operational/tactical – dealing with alerting, crisis assessment, cooperation, coordination, tactical analysis, advice and information exchanges at operational level (today and early 2015); and strategic, which examines decision making, political impact and public affairs. Thursday's activities form the main part of the whole exercise.
ENISA promises that the exercise will not affect critical information infrastructures, systems, or services.