Cyber security is a precondition for innovation, including in the area of payments. The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe. ENISA supports the European Union (EU) and the Member States in enhancing and strengthening their capability and preparedness to prevent, detect and respond to network and information security problems and incidents.
In this article, first published in the April 2015 edition of the EPC Newsletter, ENISA’s Executive Director Udo Helmbrecht outlines key ENISA initiatives to secure the EU’s cyber space. He says: “The protection of information, information systems and infrastructure from those threats associated with the use of information and communication technology (ICT) systems in a globally connected environment is inevitably linked with effective security policies, and robust and resilient cyber defence capabilities, within a common EU policy.
There are different aspects to cyber security and cyber attacks. But all current security attacks tend to make use of the same technology, making it difficult to judge who is attacking what and why. Within this context, it should be examined what cyber security can offer at another level, contributing and protecting the EU citizens. Cyber security is the EU’s ‘digital frontier’”.
Security of network and information systems is essential to the security of all the critical sectors in society
Information and communication technologies (ICT) are the backbone of every modern society. An open, safe and secure cyber space is key to supporting our core values set down in the European Union (EU) Charter of Fundamental Rights, such as privacy and freedom of expression. It is also essential for the smooth running of our economies within the European single market. However, ICT and the business opportunities of cyber space also present opportunities for crime and misuse.[1]
Security of network and information systems is essential to the security of all the critical sectors in society. Disruptions to these infrastructures and services are becoming more frequent and are estimated to cost corporations and citizens 260 to 340 billion euro annually.[2] The World Economic Forum’s 2014 report on global risks lists “failure to adequately invest in, upgrade and secure infrastructure networks” as a top threat to the global economy.
Various recent studies, including those of the European Union Agency for Network and Information Security (ENISA),[3] demonstrate that the threat landscape will get worse unless we take firm action. A significant evolution in the top threats is expected, with new, more sophisticated malicious attacks on critical services and infrastructures and a dramatic increase in data and security breaches (a 25 percent increase over the same period last year).
This article presents elements and activities in the global cyber security context and first addresses the taxonomy. Today we still live in a compartmentalised world of silos: law enforcement, the military, intelligence services, public institutions, private companies and so on. Attackers do not care about this separation and use the same tools and infrastructure to achieve their objectives. We therefore have to distinguish between:
- Cyber security: the protection of information, information systems and infrastructure from those threats that are associated with using ICT systems in a globally connected environment. By deploying security technologies and security management procedures, a high level of protection of personal data and privacy can be achieved. A typical example is ensuring the integrity and security of public communications networks against unauthorised access.
- Cyber crime: crime on the internet has a new dimension. The technology allows organised crime to scale its ‘business’, especially beyond the legal boundaries of states.
- Cyber espionage: military espionage has existed for thousands of years. The only difference between traditional espionage and cyber espionage is the use of technology, and as long as civil intelligence agencies exist it will not stop. Another aspect is espionage motivated by philosophical disagreement.[4]
- Cyber warfare: we are facing a new type of asymmetric warfare with a new paradigm and, as yet, no taxonomy.
Assessing the threat landscape environment
In 2014, major changes were observed in the top threats: an increased complexity of attacks, successful attacks on vital security functions of the internet, but also successful internationally coordinated operations by law enforcement and security vendors. Many of the changes in cyber threats can be attributed precisely to this coordination and to the mobilisation of the cyber community. However, the evidence indicates that future cyber threat landscapes will remain highly dynamic.
Identifying and understanding cyber threat dynamics can be the basis of a very important cyber security tool. The dynamics of the cyber threat landscape set the parameters for flexible, yet effective security protection regimes that are adapted to the real exposure. Understanding the dependencies among all components of the threat landscape is an important piece of knowledge and an enabler of active and agile security management practices. With the Threat Landscape 2014 report,[5] ENISA continues its contribution to publicly available cyber threat knowledge.[6]
Computer emergency response teams (CERTs) and first response
CERTs – the EU’s computer emergency response teams – respond to emergencies, new incidents and cyber threats that could affect vital computer networks or information systems.
These teams help public and private sector organisations to respond adequately to incidents and threats across an EU-wide network. They exchange experience and expertise while developing ‘baseline capabilities’.[7] This also raises the bar for non-governmental teams to offer a similar response to incidents across the EU.
As part of ENISA’s cooperation with CERTs, the agency has updated and extended its training material in the area of network forensics[8] and has published a good practice guide on actionable information[9] for security incident response. The study is complemented by an inventory that can be applied to information-sharing activities and by an accompanying new hands-on exercise scenario.[10]
Pan-European cyber exercises[11]
Over the past five years, ENISA has supported the implementation of the European Commission’s policy initiatives, the ‘Critical Information Infrastructure Protection (CIIP) Communication’ and the ‘Digital Agenda for Europe’ (see ‘related links’ below), by developing cyber exercises and cooperation, and by defining and testing operational procedures (EU-SOPs) for all cyber security authorities in the EU.
In 2010, there was only a table-top exercise and no crisis management procedures at the EU level for dealing with cyber events. Now standard operating procedures are in place for handling cyber events. New policy initiatives such as the EU’s Cybersecurity Strategy and the forthcoming Network and Information Security (NIS) Directive (see ‘related links’ below) have highlighted the importance of these successful activities.
Both activities will continue to contribute to the long-lasting impact of the EU Cybersecurity Strategy and the NIS Directive on the level of security in the EU. In this light, ENISA will need to streamline its activities in this area and develop them further to support effectively the implementation of this demanding policy context.
National cyber security strategies (NCSS)
Around twenty EU Member States have now developed a national cyber security strategy (NCSS). The remaining eight Member States are also developing strategies. ENISA has established an expert group with representatives from the Member States to exchange good practices and to analyse specific topics of interest to the group. Last year the agency developed a good practice guide for the evaluation of NCSSs.[12] This year, ENISA cooperates with Member States on public private partnerships (PPPs) and how they can be used in the context of an NCSS, while a workshop on NCSS development is planned for May 2015.
Critical information infrastructure protection (CIIP)
ENISA has worked for many years in the critical information infrastructure protection (CIIP) area and has assisted the Member States in implementing the EU’s CIIP action plan. Currently, the agency focuses on the telecommunications, energy and finance sectors. In the future, ENISA plans to extend its efforts to the areas of health as well as transport and to cover more aspects within the energy sector.
For the telecommunications and smart grid areas, ENISA has developed minimum security measures. For telecommunications, the agency has also developed a harmonised incident reporting framework (under Article 13a of the Framework Directive (2009/140/EC)). This work could provide a strong basis for assisting in implementing similar requirements in the NIS Directive once it is adopted.
All EU national regulatory authorities now use ENISA’s guidelines and recommendations for incident reporting. In the last four years, ENISA has issued annual incident reports covering telecommunications operators. In the context of Article 4 of the e-Privacy Directive (2002/58/EC), which covers data breach notification, ENISA brings together national regulatory authorities and data protection authorities to develop a common approach to incident reporting in Europe. Additionally, the agency has been called upon in ‘Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC’ (the eIDAS Regulation) (see ‘related links’ below) to assist national regulatory authorities in implementing the incident reporting scheme for trust service providers. The work has just started and is expected to finish in June 2016.
Cryptography research and tools and ‘security by design’[13]
Cryptographic tools are widely used to protect our information infrastructure from malicious users. Today cryptography is mainly used to protect access to services and to protect the communications of individuals and groups (e.g. virtual private networks, message encryption and end-to-end encryption).
A good approach to securing our personal data is to “reduce, protect, detect”. However, as with any quality measure, it places a burden on implementers. Hence, EU legislation needs to support privacy by requiring systems developers and service providers to build in data protection measures from the design phase onward, an approach also known as ‘security by design’.[14]
For the EU to become the single market of choice for governments and industry, it is necessary to have trusted core NIS technologies and services for industry and citizens (i.e. trust in EU products and services).
Furthermore, there is a need for an innovative business model for EU companies producing cyber security products and services. Currently there is no properly coordinated EU industry policy in place specifically for the IT security sector. In addition, it is critical to ensure that the cost of implementing NIS legislation and policy does not penalise EU companies in a global market.
There are a number of initiatives in this direction, for example in the area of standardisation, certification, public procurement and research.
Challenges for the future
There are different aspects to cyber security and cyber attacks. But all current security attacks tend to make use of the same technology, making it difficult to judge who is attacking what and why. We will see a new type of asymmetric warfare with a new paradigm and no taxonomy. This brings cyber security to a new level, making its scope more critical for the EU’s security. The protection of information, information systems and infrastructure from those threats associated with the use of ICT systems in a globally connected environment is inevitably linked with effective security policies and robust and resilient cyber defence capabilities within a common EU policy.
To enable the EU to address this, cooperation among Member States, EU institutions and other relevant bodies is a top priority. Within this scope, collaborations, or so-called ‘service centres’ for special tasks, can be created between agencies such as ENISA and Europol, including Member States’ national agencies.
We need European prevention, detection and response capabilities. This includes harmonisation of European and international legislative frameworks and procedures as well as collaboration models to ensure adequate policy implementation. Citizens need to be able to trust the EU to create a legal framework and to prosecute those who break the law. Furthermore, we need to implement early warning systems to support detection. Some of the current decisions will have an impact on the EU’s future over the next few decades.
ENISA is strategically well positioned to address the technical and organisational elements of these challenges and threats, and to provide solutions and the knowledge that will support investment in, and deployment of, electronic services in the EU internal market. ENISA is here to contribute actively to a high level of network and information security within the Union, to use its expertise to stimulate broad cooperation between actors from the public and private sectors, and to deliver its agenda on cyber security for the EU and its citizens.
Prof. Udo Helmbrecht has been the Executive Director of ENISA since October 2009. Prior to this, he was the President of the German Federal Office for Information Security (BSI) for six years, from 2003 to 2009. Prof. Helmbrecht holds a doctorate in theoretical physics and is an honorary professor at the Institut für Technische Informatik at the Universität der Bundeswehr Munich, Germany.
Related links
European Commission (7 February 2013): Proposal for a Directive of the European Parliament and of the Council [of the EU] concerning measures to ensure a high common level of network and information security across the Union (also referred to as the proposed Cybersecurity or Network and Information Security (NIS) Directive)