Online security cannot be taken for granted as hackers and cyber attackers continue to outdo software engineers. Although there are means of beefing up security, including hardware and server backups, remote security controls, filtering and encryption, the scale and risk of attacks are becoming more pronounced and political.
- 30 March 2009: Commission adopts Communication on Critical Information Infrastructure Protection
- May 2010: EU adopts digital agenda which sets out security as a prerequisite for ICT take-up
- Sept. 2010: Commission adopts proposal for a Directive on Attacks against Information Systems
- Sept. 2010: Commission tables proposal to strengthen ENISA
- Nov. 2010: Establishment of the EU-U.S. Working Group on Cyber-security and Cyber-crime
- March 2011: Commission issues Communication on Critical Information Infrastructure Protection ‘Achievements and next steps: towards global cyber-security’
- 3 Nov. 2011: Joint EU-US cyber-incident exercise
- Jan. 2012: Commission publishes updated Data Protection Directive
- Dec. 2012: EU executive set to publish strategy paper on cyber crime
- 2013: ENISA begins operation of a European Information Sharing and Alert System (EISAS)
The largest cyber-attack in the European Union to date took place in Estonia in 2007 and led to a temporary shutdown of the country’s banks, ministries, newspapers and broadcasters.
A smaller scale attack in 2011 saw more than 150 of the French finance ministry's 170,000 computers hacked for documents relating to a G20 meeting hosted there.
In March 2011 cyber attackers penetrated the European Commission’s external action service e-mails and the European Emissions Trading Scheme. A subsequent attack in July 2012 on the European Council targeted officials around President Herman Van Rompuy. The global number of web-based attacks went up 36% during 2011.
The European Commission has stated that cyber security is a “war of attrition” rather than an ad hoc battle.
In addition to strengthening its own security systems, the EU Executive has decided to open a dedicated cybercrime centre from the beginning of 2013. Meanwhile, Europe continues to seek new avenues for international co-operation on the issue as cyber-attackers often seek refuge in countries where legislation is the weakest.
The threat level of cyber crimes is rising. In a recent threat assessment, Europol highlighted that the internet acts as a facilitator for organised crime: “A new criminal landscape is emerging marked increasingly by highly mobile and flexible groups, operating in multiple jurisdictions and criminal sectors, and aided, in particular by widespread, illicit use of the Internet.”
The European Network and Information Security Agency (ENISA) has urged policymakers to take a broad view and to treat attacks on computers and infrastructure the same way. The agency argues that it makes little sense to separate the protection of infrastructure from the applications which run on top of it.
The EU's first notable response to cyber crime was the establishment of Computer Emergency Response Teams (so called CERTs) in every country. More than 100 CERTs have already been set up around Europe. These are now being beefed up and the European Commission has been piloting its own CERT.
ENISA will continue to encourage further CERTs to be set up, with additional efforts being made to create networks binding the public and private sector, an element that will be central to the Commission’s soon-to-be published cyber security strategy.
The European Union is set to establish a dedicated cybercrime centre at the beginning of 2013 aimed at tackling online operations of organised crime groups, ranging from e-banking fraud to online child sexual exploitation.
The centre will be set up in the offices of Europol, the European law enforcement agency based in The Hague. Europol already deals with computer crimes, but the centre is expected to increase this activity with new staff, up to 55 full-time employees, and an annual budget of €3.6 billion.
Yet the centre faces considerable obstacles: gathering tips and information from a diverse region with multiple police jurisdictions and a private sector that may be hesitant to cooperate.
Critical Information Infrastructure Protection
The EU's current policy for online security, the Critical Information Infrastructure Protection (CIIP), is built on five pillars: preparedness and prevention; detection and response; mitigation and recovery; international cooperation; and definitions of European Critical Infrastructures in the field of ICT. It sets out the work to be done under each pillar by the Commission, the member states and/or industry, with the support of ENISA.
In September 2010 the European Commission issued a proposal on how to tackle attacks against information systems. The Commission decided to take actions as it recognised the steady rise of malicious software creating 'botnets' - networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks.
On 31 March 2011 the EU adopted the CIIP action plan but much remains to be done, and this is one reason why a new strategy is in the pipeline. The Commission aims to modernise ENISA to speed up reactions in the event of cyber attacks. The plan also aims to forge international agreements on cyber security.
The EU-US Working Group on Cyber-security and Cyber-crime, established during the EU-US Summit of November 2010, is an important step in this international direction.
Policy initiatives: Cloud and data protection
The European Commission in September released its new EU strategy on cloud computing, aiming to push cloud services as a driver for economic growth.
The Commission attempted to allay users' worries that their data may not be as safe if it is stored in another country, by suggesting that they could make sure their cloud computing contracts specified the data's physical location.
The EU is co-funding the IBM-led TClouds scheme, a set of testbeds for new security mechanisms that remotely verify the security and resilience of their cloud infrastructure. The testbeds will involve a form of cloud-to-cloud backup where each project's data is backed up across multiple places.
The Commission’s proposed Data Protection Directive, currently doing the rounds in Parliament, requires information to be stored either in the European Economic Area or in a country with equivalent privacy laws.
The EU executive said it will work with the WTO and OECD to establish common international objectives for off-site data storage.
Meanwhile, the European Strategy for Cyber-Security, which is set to be presented in December 2012 by the commissioner for the Digital Agenda, Neelie Kroes, with Home Affairs Commissioner Cecilia Malmström and EU High Representative for Foreign Affairs Catherine Ashton, will aim to provide a comprehensive vision on cyber-security and address both the EU and the international dimension.
The strategy will focus on the need to improve the overall resilience of network and information systems, by stimulating the competitiveness of the European ICT industry as well as user demand for security functionalities in ICT products and services.
Those initiatives will be complemented by initiatives aiming at developing an external EU cyber security policy.
Kroes has indicated that the strategy will take on a two-fold push. First it will require the EU Member States to be appropriately equipped and to cooperate among themselves.
Secondly, obligations to adopt risk management measures and to report significant incidents to competent authorities that currently apply in the telecom sector in the EU will be extended to new sectors, such as banking, energy, transport, health, public administrations.
There will also be a bilateral dialogue with key trading partners, including the US and Japan, and in multilateral fora, such as OECD, OSCE, UN, ITU, in order to establish international standards.
Cyber security as a proxy for trade protection
Any international dialogue will be timely, since the EU’s cyber security strategy will be released against a backdrop of escalating tensions over cyber attacks, and their potential use as a proxy to introduce trade protection measures.
In a report of the US House of Representatives' intelligence committee (8 October) the Republican-controlled panel recommended avoiding business with two of China’s leading technology firms, Huawei and ZTE, fearing they pose a threat to national security.
The report offered no evidence to back it up and caused friction in Europe, where countries such as the UK use Chinese suppliers, and where security specialists liaise with them to clear broadband infrastructure projects.
Vinton Cerf, one of the early internet pioneers, who works as Google’s chief internet evangelist, concurs, and warned EurActiv in an interview earlier this year against trade protection measures masquerading behind ‘national security’ arguments. These were “attempts to create rules of operation which have the effect of becoming trade barriers,” Cerf said.
The EU Commission has been keen to establish clear blue water between itself and US fears of Chinese-controlled cyber attacks. For example, in relation to attempts to penetrate the EU’s institutional computer systems – blamed by US media on China – EU officials have pointed out that even if attacks appear to come from Asia, they could just as easily be disguised assaults from other jurisdictions or governments.
Meanwhile industry, such as Huawei, has called for international standards and dialogue to detoxify the debate.
“Cyber security is not a single country or specific company issue. All stakeholders – governments and industry alike – need to recognise that cyber security is a shared global problem requiring risk-based approaches, best practices and international cooperation to address the challenge,” according to a recent white paper issued by the company on the subject.
Social networks and smartphones
The rise in the use of smartphones presents more opportunities for hackers since these are increasingly targeted by cyber attackers, according to a report by ENISA.
It claimed smartphone sellers and app developers need to do more to prevent malicious software or malware from creeping into phones and stealing users' valuable data. In 2011, malware was disguised as a popular Android app which infected thousands of phones.
There are many reasons why smartphone security is a matter of urgency. It is a booming market used by high-value professionals and there is an abundance of new app sellers like Amazon, Cisco, Microsoft and Nokia which develop apps for different operating systems. Both consumers and developers are overly concerned with functionality at the expense of security, argues the agency, which has laid out steps to bolster smartphone security.
Indeed, the real threats to cyber security and privacy must be addressed by industry itself, CEOs from telecoms giants acknowledged earlier this year at the Mobile World Congress in Barcelona. They admitted that the dangers are increasing as cloud computing pushes technology into a hyper-connected phase.
Neelie Kroes, the EU Commissioner for the Digital Agenda, stresses that cyber security is a shared responsibility between public and private players.
Networks and infrastructure are mainly privately owned and run but only 26% of enterprises in the EU have a formally defined ICT security policy with a plan for regular review, she noted.
"I understand that companies do not share information due to fear of reputational damages or liability," Kroes stressed in a November 2012 speech, saying there should be "no weak links across the EU."
Kroes announced that the Commission was considering extending to new areas the telecom sector's obligation to adopt risk management measures and report incidents to authorities. She cited the following sectors: "Internet services, banking, energy, transport, health, public administrations".
Cecilia Malmström, EU Commissioner for Home Affairs, urged EU countries and national judicial authorities to cooperate on cybercrime: “We can't let cybercriminals disrupt our digital lives. A European cybercrime centre within Europol will become a hub for cooperation in defending an internet that is free, open and safe.”
Ren Zhengfei, founder and CEO of Chinese telecoms equipment giant Huawei, said growing data flows across borders are creating new challenges for industry and policymakers.
“As data flooding increases far faster than prevention technology develops, the whole industry faces information security challenges. Cyber security is a common issue that the whole industry has to face. We must join hands to proactively address this issue,” Ren said. “We must utilise information to benefit mankind and adopt a positive attitude towards data floods—not merely look at the ills or complexities that they create,” he said.
Rob Wainwright, director of Europol, said: “The establishment of the European cybercrime centre will be a landmark development in the EU's fight against cybercrime. I am delighted that the Commission has proposed its establishment at Europol. Organised crime groups, terrorist groups and other criminals are quick to exploit the opportunities afforded by developments in technology, and the time is ripe for the authorities to get one step ahead. The European cybercrime centre will provide governments, businesses and citizens throughout the Union with the tools to tackle cybercrime.”
Monika Hohlmeier (European People's Party), European Parliament rapporteur on the directive on attacks on information systems, said: “The effort of collaboration in the fight against cyber crime has to be stepped up - amongst authorities and between companies and public bodies. I am hoping that the new European centre for cyber crime at Europol can be successful in preventing and fighting online crime in the EU.”
“There is a serious disconnect in how people view the threat of cyber crime,” said Adam Palmer, cyber security advisor at Norton. “Cybercrime is much more prevalent than people realise. Over the past 12 months, three times as many adults surveyed have suffered from online crime versus offline crime, yet less than a third of respondents think they are more likely to become a victim of cybercrime than physical world crime in the next year. And while 89% of respondents agree that more needs to be done to bring cybercriminals to justice, fighting cyber crime is a shared responsibility. It requires us all to be more alert and to invest in our online smarts and safety.”
“The revised ITRs should acknowledge the challenges of the new internet economy and the principles that fair compensation is received for carried traffic and operators’ revenues should not be disconnected from the investment needs caused by rapid internet traffic growth,” said Luigi Gambardella, the chair of ETNO, which represents Europe’s largest e-communications services and network providers.
“The ITRs should be flexible enough so as to further encourage future growth and sustainable development of telecoms markets, while respecting the guiding principles that led to the successful development of the Internet: private sector leadership, independent multi-stakeholder governance and commercial agreements,” Gambardella added.
"If you are going to make policy on the internet you need to know about the affected parties in this case civil society, governments, industry. That means a multi-stakeholder approach should be preserved. That is not happening in the ITU negotiations,” said Vint Cerf, a so-called “father of the internet,” who works as Google’s chief internet evangelist.
“Static regulation could threaten the growth of the Internet, the Internet economy and Internet innovation,” said Sally Wentworth of the Internet Society, an NGO seeking to retain an open internet.
Wentworth went on to explain why there are fears over the Dubai negotiations: “Only governments ultimately get to negotiate. If you want to be involved, the first thing to do is to call on your government to offer an open and participatory national process to prepare for this treaty negotiation.”
John Suffolk, the global cyber security officer at Huawei, told EurActiv: “There is a danger that cyber could be used as a proxy for a trade barrier. I think every one of us should be very cautious that that accelerates. It’s a view I gave in government and in the private sector and it’s my private view, but I think it’s a dangerous road.”
“Cybercrime is borderless by nature – this also makes criminal investigations more complicated for law enforcement authorities. To effectively tackle cybercrime, adequate cross-border provisions are needed, and international cooperation and mutual assistance within EU law enforcement, and between the EU and third countries, needs to be enhanced,” says Rob Wainwright, Director of Europol.
“The web browser is now one of the most security-critical components in our information infrastructure - an increasingly lucrative target for cyber-attackers,” comments Professor Udo Helmbrecht, Executive Director of ENISA.
“The bottomline is: cybersecurity is incredibly difficult – and is made even more challenging by the rapid change in technology, for instance what we are seeing in cloud computing,” said Katherine McGuire, Vice President of Government Relations for the Business Software Alliance.
McGuire stressed: “It requires continuous work and innovation to secure our evolving cyberspace and thwart the relentless work of cybercriminals. This is why we need the commitment and involvement of all parties to make it happen.”
Christopher Painter, coordinator for cyber issues for the State Department, said the US faces various potential cyber threats from “freelance hackers to militants and potentially rival states.” “It goes across governance issues, economic issues, military issues,” Painter told Reuters.
"Very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters," Peter Sommer from the London School of Economics and Ian Brown from the Oxford Internet Institute wrote in a report for the OECD.
"Over the past ten years, the frequency and sophistication of intrusions into U.S. military networks have increased exponentially. Every day, US military and civilian networks are probed thousands of times and scanned millions of times," said William Lynn, the US deputy Secretary of Defense, outlining the importance of security to EU policymakers.
"Adversaries have acquired thousands of files from US networks and from the networks of US allies and industry partners, including weapons blueprints, operational plans, and surveillance data," Lynn continued.
Assistant US Secretary for Infrastructure Protection, Todd M. Keil, observed in a recent speech that “An approach to critical infrastructure security that is based solely on protection is insufficient for successful management of the risks that we currently face.”
"The protection of personal data is a fundamental right," EU Justice Commissioner Viviane Reding said in a statement. "To guarantee this right, we need clear and consistent data protection rules. We also need to bring our laws up to date with the challenges raised by new technologies and globalisation. The Commission will put forward legislation next year to strengthen individuals' rights while also removing red tape to ensure the free flow of data within the EU's Single Market," Reding continued.
On the risk of personal data breaches, Arvind Narayanan and Vitaly Shmatikov from the University of Texas argue: "Privacy risks of publishing micro-data are well known. Even if identifiers such as names and Social Security numbers have been removed, the adversary can use background knowledge and cross-correlation with other databases to re-identify individual data records."
On the difficulties of protecting data, Marc Mueller from the German Federal Office for Information Security, BSI, said: "There is a high number of information recipients and senders in some sectors. Especially in the case of privatized markets, changes in addresses and responsibilities through staff turnover or other changes inside organisations are daily business. Sometimes new companies are created and old ones disappear overnight – just because of changing stakeholders. Guaranteeing the reachability of all involved partners during particular situations of crisis is extremely difficult."
The NGO, Europe versus Facebook, issued a press release urging citizens to demand their data from Facebook: "Every citizen in the EU has the right to get a full copy of all personal data a company is holding about them (“access request”). Three students from Vienna, Austria have done so recently and got a CD with a PDF of 780, 1,142 and 1,222 pages. In all data sets you could find sensitive information such as political and religious beliefs, or sexual orientation of the user."
“The completion of the Domain Name System Security Extensions (DNSSEC) chain of trust means that everyone visiting a website using a signed .eu domain name can be confident of its legitimacy since name server responses can now be validated all the way up to the Internet root zone,” said Marc Van Wesemael, General Manager of EURid, the .eu domain registry.
“As such, .eu is amongst the first top-level domains to have full DNSSEC support, fulfilling our objective to be at the forefront of implementing Internet security measures via proven standards. EURid encourages .eu domain name holders, through their registrars, to sign their .eu domain names with DNSSEC, therefore adding digital signatures to all levels in the chain,” he added.