An EU exercise to test countries’ ability to react to cybersecurity attacks will focus on threats from terrorist organisation, “a quasi-democratic country” and anti-globalisation groups.
The series of made up attacks will be simulated as part of a competition this September and October. A source at the Council of the EU, one of the institutions organising the events, said all EU member states will take part in at least part of the exercise. It will run from 1 September until 11 October. The Council source said the exercise will test how countries react to so-called hybrid threats, which include cybersecurity attacks.
NATO is organising a similar exercise that will run at the same time as the EU event, in the first ever trial of coordinated competitions between the two blocs.
The exercises are planned to start around the same time as the European Commission is set to propose new EU laws on cybersecurity.
By mid-September, the EU executive will announce a system to certify the cybersecurity standards of technology devices, give a new legal basis to the EU cybersecurity agency ENISA and publish an updated cybersecurity strategy for the bloc.
EU agencies and NATO have held cybersecurity competitions before as a way to help staff in national agencies improve their technical skills, which could come in handy if their countries are hit with major hacking attacks.
Shortly before the exercise starts, EU defence ministers will take part in a smaller simulated response to a fake “table-top” cybersecurity attack during a meeting in Tallinn.
Estonian Defence Minister Jüri Luik wants the 7 September meeting to show how cybersecurity should be a major focus of an agreement brokered last year to allow the EU to work more closely with NATO.
“There are no borders between countries or organisations on the Internet, and when it comes to countering threats on the internet, barriers between European Union and NATO cooperation must be reduced,“ Luik said in a statement on Friday (28 July).
A European Commission source said that under the EU-NATO agreement, NATO’s computer incident unit NCIRC and the CERT-EU office in charge of the Commission’s cybersecurity are considering setting up common standards for a “severity scheme” that would determine how they respond to security breaches.
During the EU and NATO exercise that will continue after the defence ministers’ meeting, national authorities will respond to a scenario that “will be as realistic and plausible as possible”, according to a 53-page preparatory document from the Council, which was leaked by the NGO Statewatch.
While the examples of possible threats are fake and made up for the exercise, they reveal what experts think are serious cybersecurity risks for EU countries.
The Council wants authorities to respond to a fake scenario in which “a substantial number” of EU countries suffer “widespread cyber-attacks of different nature and intensity directed towards their critical infrastructures”, while fake news reports on social media claim that the EU and member states can not control the attacks.
In that simulated situation, the EU and NATO won’t have enough evidence to point the blame at any culprit, but intelligence reports suggest the attacks come from a “quasi-democratic country” – possibly a thinly veiled reference to Russia, according to the document.
The “quasi-democratic country” described in the scenario has “very advanced offensive cyber capabilities and controls hackers, hacktivists, and the national media” but uses proxies that make it hard to trace attacks back to the government, the Council document says.
Authorities will also respond to simulated threats from “a global terrorist group belonging to a religious sect”, hacking attacks against the military and attacks targeting the oil industry.
One part of the exercise trains authorities’ response to attacks from an anti-globalisation movement that organises “riots disguised as demonstrations, all combined with email spamming” and receives financing through anonymous cryptocurrencies, as well as from hostile countries—including the “quasi-democratic” state.