Most cyber security incidents are often not reported or detected even though they can affect millions of citizens and businesses, the EU's cyber security agency ENISA warned in a new report published today (27 August).
The report on cyber incidents reporting in the EU was published by the European Network and Information Security Agency (ENISA).
In recent years, there have been examples of cyber security incidents which had a significantly impact on society, such as the British data centre failure in 2011 which interrupted millions of business communications worldwide, and the storm Dagmar which in the same year wrecked millions of Scandinavian communication links.
In 2011, a certificate authority was breached also exposing the communications of millions of users, and in 2010, a Chinese telecom provider hijacked 15% of the world’s internet traffic for 20 minutes, ENISA reported.
This year, millions of business network passwords have also been exposed.
However, most incidents are rarely reported.
Incidents 'kept secret'
"Cyber incidents are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes," Dr Marnix Dekker and Chris Karsberg, the report’s co-authors, said in a statement.
The new study concludes that the EU-wide sharing of incident reports has to be improved. In only one of the above-mentioned incidents was within the scope of national regulatory mandates, indicating there are gaps in regulation.
Therefore, an ENISA working group for national regulators has developed both a common set of security measures and an incident reporting format. This will enable a more uniform implementation of Article 13a of the Telecom package.
ENISA has recently received reports on 51 large incidents from the regulators, describing impact, root causes, actions taken and lessons learnt. This material is used as input for the European cyber security strategy and the European cyber security exercise.
“Incident reporting is essential to obtain a true cyber security picture. The EU’s cyber security strategy is an important step and one of its goals is to extend the scope of reporting provisions like Article 13a beyond the telecommunications sector,” said Udo Helmbrecht, executive eirector of ENISA.