This article is part of our special report Cybersecurity.
More than 200 organisations from 25 EU member states are under virtual cyber-attack today (30 October), as part of the continent’s largest and most complex ever cyber security exercise.
Organised by the European Network and Information Security Agency (ENISA), Cyber Europe 2014 is targeting security agencies, ministries, telecoms and energy companies, financial institutions and internet service providers.
All EU member states except Belgium, Lithuania and Malta are testing their procedures and capabilities against realistic large-scale cyber-security scenarios. The reasons those countries have declined to participate are not known, but are “uncontroversial,” according to ENISA sources.
More than 2000 separate cyber-incidents will be carried out, including denial of service attacks to online services, intelligence and media reports on cyber-attack operations, ambushes designed to change websites’ appearances, and attacks on critical infrastructure such as energy or telecoms networks.
Report expected later this year
The exercise also represents the first large-scale test of new pan-European standard operating procedures to share information on cyber crisis.
Experts from ENISA will issue a report with key findings by the end of the year. “The exercise is becoming more important as threats increase (see background) and as the internet of things is becoming a reality,” Steve Purser, head of operations department at ENISA told EURACTIV.
Purser explained: “As people increasingly have a network of Internet-linked appliances controlling their domestic lives, the points of entry for cyber attack increase, and any point of weakness can be used to access key systems.”
Organised by ENISA every two years, this year’s exercise is the largest ever carried out and is likely to feed into the debate over the Commission’s proposed cyber security directive, which is currently approaching the trilogue stage of negotiations between the European institutions in Brussels.
Italian presidency wants to complete cyber security directive
Italy believes that the directive can be agreed before its presidency finishes at the end of the year, but the scope of reporting obligations covered by any directive remains controversial.
The directive would oblige certain infrastructure-critical companies to report any cyber attacks, but the definition of what types of companies would be covered is controversial.
Some internet and software companies are resisting pressure to be forced to make reports, arguing that there could be unnecessary bureaucratic replication of reporting.