Security of network and information systems is essential to the security of all the critical sectors in society
Information and communication technologies (ICT) are the backbone of every modern society. An open, safe and secure cyber space is key to supporting our core values set down in the European Union (EU) Charter of fundamental rights such as privacy and freedom of expression. This is also essential for the smooth running of our economies within the European single market. However, ICT technologies and business opportunities in cyber space also present opportunities for crime and misuse.1
Security of network and information systems is essential to the security of all the critical sectors in society. Disruptions on these infrastructures and services are becoming more frequent and are estimated to cost annually 260 to 340 billion euro to corporations and citizens2. The World Economic Forum’s 2014 report on global risks lists “failure to adequately invest in, upgrade and secure infrastructure networks” as a top threat to the global economy.
Various recent studies, including those of the European Union Agency for Network and Information Security (ENISA)3, demonstrate that the threat landscape will get worse, unless we take firm action. It is expected that there will be a significant evolution in the top threats, with new, more sophisticated malicious attacks on critical services and infrastructures, with a dramatic increase in data and security breaches (25 percent increase over the same period last year).
This article presents elements and activities in the global cyber security context and firstly addresses the taxonomy. Today we are still living in a tailored world of the silos of law enforcement, military, intelligence service, public institutions, private companies, etc. The attackers do not care about this separation and use the same tools and infrastructure to achieve their objectives. Therefore we have to distinguish between:
- Cyber security: means protection of information, information systems and infrastructure from those threats that are associated with using ICT systems in a globally connected environment. By deploying security technologies and security management procedures, a high level of protection of personal data and privacy can be achieved. A typical example is ensuring the integrity and security of public communications networks against unauthorised access.
- Cyber crime: crime on the internet has a new dimension. The technology allows organised crime to scale their ‘business’, especially outside the legal boundaries of states.
- Cyber espionage: military espionage has existed for thousands of years. The only difference between traditional espionage and cyber espionage is the use of technology and as long as we have civil intelligence agencies it will not stop. Another aspect is espionage because of philosophical disagreement.4
- Cyber warfare: we are facing a new type of asymmetric warfare with a new paradigm and no taxonomy.
Assessing the threat landscape environment
In 2014, major changes were observed in top threats: an increased complexity of attacks, successful attacks on vital security functions of the internet, but also successful internationally coordinated operations of law enforcement and security vendors. Many of the changes in cyber threats can be attributed exactly to this coordination and the mobilisation of the cyber community. However, the evidence indicates that the future cyber threat landscapes will maintain active dynamics.
Identifying and understanding cyber threat dynamics can be the basis of a very important cyber security tool. The dynamics of the cyber threat landscape set the parameters for flexible, yet effective security protection regimes that are adapted to the real exposure. Understanding the dependencies among all components of the threat landscape is an important piece of knowledge and an enabler towards active and agile security management practices. With the threat landscape 2014 report5, ENISA continues its contribution to publicly available cyber threat knowledge.6
Computer emergency response teams (CERTs) and first response
CERTs - the ’s computer emergency response teams - respond to emergencies, new incidents and cyber threats that could affect vital computer networks or information systems.
These teams assist public and private sector organisations to provide an adequate response to incidents and threats across an wide network. They exchange experience and expertise while developing ‘baseline capabilities’7. Furthermore, it raises the bar for non-governmental teams to offer similar response to incidents across the .
As part of ENISA’s cooperation with CERTs, the agency has updated and extended its training material in the area of network forensics8, and has published a good practice guide on actionable information9 for security incident response. The study is complemented by an inventory that can be applied to information-sharing activities and an accompanying new hands-on exercise scenario10.
Pan-European cyber exercises11
Over the past five years ENISA has supported the implementation of the European Commission’s policy initiatives, the ‘Critical Information Infrastructure Protection (CIIP) Communication’ and the ‘Digital Agenda for Europe’ (see ‘related links’ below), by developing cyber exercises and cooperation and by defining and testing operational procedures (EU-SOPs) for all cyber security authorities in the EU.
In 2010, there was only a table top exercise and no crisis management procedures at the level for dealing with cyber events. Now standard operating procedures are in place for handling cyber events. New policy initiatives such as the ’s Cybersecurity Strategy and the forthcoming Network and Information Security (NIS) Directive (see ‘related links’ below) have highlighted the importance of these successful activities.
Both activities will continue to contribute to the long-lasting impact of the Cybersecurity Strategy and the NIS Directive on the level of security in the . In this light, ENISA will need to streamline its activities in this area and further develop them to support effectively the implementation of this demanding policy context.
National cyber security strategies (NCSS)
Around twenty Member States have now developed a national cyber security strategy (NCSS). The remaining eight Member States are also developing strategies. ENISA has established an expert group with representatives from the Member States to exchange good practices and to analyse specific topics of interest to the group. Last year the agency developed a good practice guide for the evaluation of NCSSs12. This year, ENISA co-operates with Member States on public private partnerships (PPPs) and how they can be used in the context of an NCSS, while in May 2015 a workshop is planned on NCSS development.
Critical information infrastructure protection (CIIP)
ENISA has worked for many years in the critical information infrastructure protection (CIIP) area and has assisted the Member States in implementing the ’s CIIP action plan. Currently, the agency focuses on the telecommunications, energy and finance sectors. In the future, ENISA plans to extend its efforts to the areas of health as well as transport and to cover more aspects within the energy sector.
For the telecommunications and smart grids areas, ENISA has developed minimum security measures. For telecommunications, the agency has also developed a harmonised incident reporting framework (due to Article 13a of the Framework Directive (2009/140/EC)). This work could provide a strong basis for assisting in implementing similar requirements in the NIS Directive once it is adopted.
All national regulatory authorities now use ENISA’s guidelines and recommendations for incident reporting. In the last four years, ENISA has issued annual incident reports covering the area of telecommunications operators. In the context of Article 4 of the e-Privacy Directive (2002/58/EC) which covers data breach notification, ENISA brings together national regulatory authorities and data protection authorities to develop a common approach to incident reporting in Europe. Additionally, the agency has been called in the ‘Regulation () No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC’ (the Regulation) (see ‘related links’ below) to assist national regulatory authorities to implement the incident reporting scheme for trust providers. The work has just started and is expected to finish in June 2016.
Cryptography research and tools and ‘security by design’13
Cryptographic tools are widely used to protect our information infrastructure from malicious users. Today cryptography is mainly used to protect the access to services and to protect communication of individuals and groups (e.g. virtual private networks and message encryption, end-to-end encryption).
A good approach to secure our personal data is to “reduce, protect, detect”. However, as with any quality measure, it poses a burden on implementers. Hence, legislation needs to support privacy by requiring systems’ developers and service providers to build in data protection measures from the design phase on, what is also known as ‘security by design’.14
For the to become the single market of choice for governments and industry, it is necessary to have trusted core NIS technologies and services for industry and citizens (i.e. trust in products and services).
Furthermore, there is a need for an innovative business model for companies producing cyber security products and services. Currently there is no properly coordinated industry policy in place specifically for the IT security sector. In addition, it is critical to ensure that the cost of implementing NIS legislation and policy does not penalise companies in a global market.
There are a number of initiatives in this direction, for example in the area of standardisation, certification, public procurement and research.
Challenges for the future
There are different aspects to cyber security and cyber-attacks. But all current security attacks tend to make use of the same technology, making it difficult to judge who is attacking what and why. We will see a new type of asymmetric warfare with a new paradigm and no taxonomy. This brings cyber security to a new level, making its scope more critical for the ’s security. The protection of information, information systems and infrastructure from those threats associated with the use of ICT systems in a globally connected environment, is inevitably linked with effective security policies and robust and resilient cyber defence capabilities within a common policy.
To enable the to address this, cooperation among Member States, institutions and other relevant bodies, is a top priority. Within this scope, collaboration or so-called ‘service centres’ for special tasks can be created between agencies, e.g. ENISA and Europol including Member States’ national agencies.
We need European prevention, detection and response capabilities. This includes harmonisation of European and international legislative frameworks and procedures as well as collaboration models to ensure adequate policy implementation. Citizens need to be able to trust the EU to create a legal framework and to prosecute those who break the law. Furthermore, we need to implement early warning systems to support detection. Some of the current decisions will have an impact on the EU’s future over the next few decades.
ENISA is strategically well positioned to address the technical and organisational elements of these challenges and threats, provide solutions and the knowledge that will support investment and deployment of electronic services in the internal market. ENISA is here to actively contribute to a high level of network and information security within the Union, use its expertise to stimulate broad cooperation between actors from the public and private sectors and deliver its agenda on cyber security for the and its citizens.
Prof. Udo Helmbrecht is the Executive Director of ENISA since October 2009. Prior to this, he was the President of the German Federal Office for Information Security, BSI, for six years, between 2003-2009. Prof. Helmbrecht holds a doctorate in theoretical physics, and is an honorary professor at the Institut für Technische Informatik at the Universität der Bundeswehr Munich, Germany.
European Commission (7 February 2013): Proposal for a Directive of the European Parliament and of the Council [of the EU] concerning measures to ensure a high common level of network and information security across the Union (also referenced as the proposed Cybersecurity or Network and Security (NIS) Directive)
Related articles in this issue:
How to Use Blockchain Technology to Develop Faster and Cheaper Inter-banking Infrastructures. The blockchain protocol and the distributed ledger used by crypto currencies could provide banks with a competitive technological advantage, if adopted quickly
Related articles in previous issues:
Guidelines on the Security of Internet Payments Released by the European Banking Authority: a Two-Step Approach. EPC response to the consultation on guidelines on the security of internet payments launched by the European Banking Authority ( Newsletter, Issue 25, January 2015)
Tensions in Cyberspace: Competing Priorities and Legislative Initiatives in the Online Payments World. Will the EU legal framework aimed at ensuring secure online payments amount to a series of harmonious provisions, or result in an uneasy compromise? ( Newsletter, Issue 24, October 2014)
Next Step to Create the Digital Single Market: EU Lawmakers Adopt the New Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market. European Union authorities seek to enhance trust in electronic transactions ( Newsletter, Issue 24, October 2014)
1 Recently the German newspaper Süddeutsche Zeitung reported an increase in damages only for Germany arising from cyber crime from 37 million euro in 2008 to 42 million euro in 2012 and an increase in reported cyber crime cases from 37,900 in 2008 to 63,595 cases in 2012.
3 ENISA is a centre of expertise for cyber security in Europe. ENISA supports the EU and the Member States in enhancing and strengthening their capability and preparedness to prevent, detect and respond to network and information security problems and incidents.
4 E.g. some countries see industrial espionage as part of their social behaviour.
5 ENISA Threat Landscape 2014 report: https://www.enisa.europa.eu/media/press-releases/enisa-draws-the-cyber-threat-landscape-2014.
6 The emerging technologies that will impact the threat landscape are: cyber physical systems (CPS), mobile and cloud computing, trust infrastructure, big data, and internet of things. CPS have an important impact within the protection of critical infrastructure protection – and represent a distinct opportunity creating competitive advantages for European industry and research.
13 See report on “Privacy and Data Protection by Design” http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design.
14 This should be done in a proactive manner and not simply secured after the event, on a case by case basis. This is a two-sided coin as information technology should also provide the capabilities for implementing the protection mechanisms foreseen by legislation. It also signals the importance of encouraging standardisation and certification activities within the industry.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.