European countries have entered a global race to develop aggressive cyber attack capabilities, according to the latest threat landscape analysis published by the European cyber security agency ENISA yesterday (11 December).
ENISA analysed 250 reports and sources for its annual report, revealing that “maturity in cyber activities is not a matter of a handful of nation states”.
Rather, “multiple nation states have now developed capabilities that can be used to infiltrate all kinds of targets both governmental and private ones in order to achieve their objectives,” the report claims.
The report is a further indication that cyber warfare may have definitively left the realm of fiction.
Peter Round, the capability director with the European Defence Agency – which promotes European defence cooperation – told EurActiv in an interview that he would be prioritising cyber warfare in the agency’s next strategic review.
UK, Netherlands developing aggressive capabilities
Although EU member states and other countries maintain secrecy over their cyber warfare capabilities, both the UK and the Netherlands have publicly called for stronger aggressive capabilities in cyber warfare.
UK Defence Secretary Philip Hammond told delegates at his Conservative Party’s annual conference (29 September) that Britain was spending increasing amounts of its defence budget, the fourth largest in the world, on cyber intelligence and surveillance.
“Simply building cyber defences is not enough: as in other domains of warfare, we also have to deter. Britain will build a dedicated capability to counterattack in cyberspace and if necessary to strike in cyberspace,” Hammond told delegates.
The Netherlands’ Minister of Security and Justice Ivo Opstelten asked the Dutch parliament in October last year to pass a law that would allow the Dutch authorities to hack into computers both at home and abroad in an effort to fight crime.
No common level amongst EU member states
In asking the Lower House of the Dutch Parliament for a “possible expansion of powers”, Opstelten sought permission for government agencies to conduct remote searches on both local and foreign computers, render some data inaccessible and remotely install “technical resources” – which could include malware – on computers they are targeting.
“Our member states are not at a common level, they are not using common methodologies to protect themselves and there are not set standards for sharing the information, though these are coming,” Round said.
The ENISA report claimed that cyber attacks have become increasingly sophisticated and frequent, that “attack patterns and tools that targeted PCs a few years ago, have migrated to the mobile ecosystem” and that “two new digital battlefields have emerged: big data and the Internet of Things”.
Asked by EurActiv if those EU member states which have been developing aggressive cyber security capabilities are less keen to participate in EDA efforts to map out the readiness for cyber attacks in Europe, Round said: “We are the catalyst or the glue that brings together the capabilities of the member states. Some have more capabilities than others and they share what they want to share. Member states are sovereign states and are free to pursue their own strategies.”
However, he said that the issue was racing up the agenda in political and defence circles. “I do not think Europe is lagging behind other countries. In political terms we are making very quick progress, I would suggest we are even ahead,” he said.
Cyber becoming a strategic priority
He added that a capability plan is being finalised by EDA next year to determine strategic priorities. “I would be surprised if cyber was not a priority if not at the top of the list,” he said.
ENISA’s report claimed that this year has seen impressive successes by law-enforcement, and that an increasing number of reports and data regarding cyber-threats has also improved the quality of available information.
“Cooperation among relevant organisations to commonly assess and defend cyber-threats has been envisaged and is going to gain speed in the near future,” the report said.
The report recommended actively involving end-users in the defence against cyber-threats and increasing the speed of threat assessment to reduce exposures.
In addition to the launch of its new over-arching Cybersecurity Strategy in February this year, the European Commission proposed a Directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether they maintain their network internally or outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity, including “critical” infrastructure operators in energy, transport, banking and healthcare services.
- End 2014: EDA capability plan to be set, with cyber aspect prioritised