More than 200 organisations from 25 EU member states are under virtual cyber-attack today (30 October), as part of the continent’s largest and most complex ever cyber security exercise.
Organised by the European Network and Information Security Agency (ENISA), Cyber Europe 2014 is targeting security agencies, ministries, telecoms and energy companies, financial institutions and internet service providers.
All EU member states except Belgium, Lithuania and Malta are testing their procedures and capabilities against realistic large-scale cyber-security scenarios. The reasons those countries have declined to participate are not known, but are “uncontroversial,” according to ENISA sources.
More than 2000 separate cyber-incidents will be carried out, including denial of service attacks on online services, intelligence and media reports on cyber-attack operations, ambushes designed to change websites’ appearances, and attacks on critical infrastructure such as energy or telecoms networks.
Report expected later this year
The exercise also represents the first large-scale test of new pan-European standard operating procedures to share information on cyber crises.
Experts from ENISA will issue a report with key findings by the end of the year. “The exercise is becoming more important as threats increase (see background) and as the internet of things is becoming a reality,” Steve Purser, head of operations department at ENISA, told EurActiv.
Purser explained: “As people increasingly have a network of Internet-linked appliances controlling their domestic lives, the points of entry for cyber attack increase, and any point of weakness can be used to access key systems.”
Organised by ENISA every two years, this year’s exercise is the largest ever carried out and is likely to feed into the debate over the Commission’s proposed cyber security directive, which is currently approaching the trilogue stage of negotiations between the European institutions in Brussels.
Italian presidency wants to complete cyber security directive
Italy believes that the directive can be agreed before its presidency finishes at the end of the year, but the scope of reporting obligations covered by any directive remains controversial.
The directive would oblige certain infrastructure-critical companies to report any cyber attacks, but the definition of what types of companies would be covered is controversial.
Some internet and software companies are resisting pressure to be forced to make reports, arguing that there could be unnecessary bureaucratic replication of reporting.
"The sophistication and volume of cyber attacks are increasing every day. They cannot be countered if individual member states work alone or just a handful of them act together. I'm pleased the EU and EFTA member states are working with the EU institutions and ENISA bringing them together. Only this kind of common effort will help keep today's economy and society protected," said Commission Vice-President for the digital agenda Neelie Kroes.
According to ENISA’s Threat Landscape report (2013), threat agents have increased the sophistication of their attacks and their tools; global web-based attacks increased by almost a quarter, and the total number of data breaches was 61% higher than in 2012.
Each of the eight top data breaches resulted in the loss of tens of millions of data records while 552 million identities were exposed. According to industry estimates, cyber-crime and espionage accounted for between $300 billion and $1 trillion in annual global losses in 2013.
By end 2014: Italian presidency hopes to complete agreement between the Council and the Parliament on the cyber security directive