Protecting Europe from cyber-attacks - costly but vital
by Francesco Guarascio
As wars and espionage increasingly move from the real to the virtual world, the EU is planning to force European companies to invest more in cyber security, but the cost of building electronic defences may be high.
Today's most sophisticated terrorist attacks and attempts to disrupt an enemy's critical infrastructure rely more on digital means than on traditional real-world equipment and personnel. A hacker in a garage can be more disruptive and can create more panic than a dynamite-belted kamikaze exploding in a market during shopping hours. The western world has been on both sides of the cyber-attack scenario. First, it has been a victim. A well-known example was the 2007 cyber-attack on Estonia's electronic infrastructure, which commentators believe was carried out by Russian agents. Following the relocation of a Soviet-era war memorial in April 2007, Estonian authorities faced riots and protests led by the sizeable Russian community that lives in the country. The civil disobedience was followed by large-scale 'distributed denial of service' attacks on several strategic websites, including those of the country's banks, government ministries and public services.
For a while Estonia experienced an Internet black-out. For a country which prides itself on being one of the most digitised in the world, the cyber-attack was an unexpected sign of vulnerability. Panic spread in the streets of Tallinn, the picturesque capital of the Baltic state, as people were denied access to their online bank accounts. The attack pushed the European Union and the North Atlantic Treaty Organisation to intensify their efforts against electronic attacks. Cyber security rapidly became a hot topic in meetings at the highest levels. The annual NATO Summit in Bucharest, in April 2008, reserved a significant part of its agenda to cyber defence. New dedicated bodies were established and Tallinn became the seat of the NATO cyber defence centre.
A few years later, the west showed that cyber warfare is not only a matter of defence but also of attack. It is widely believed that Israeli and American cyber experts created Stuxnet, a malicious software virus considered to be one of the most sophisticated cyber weapons ever used. It is understood that the computer worm was able to seriously damage Iran's nuclear infrastructure, setting Teheran's plans to run a nuclear programme back by several years. A recent spin-off from Stuxnet is Duqu. Pundits call it 'the mother of all Trojans'. Although information about Duqu is still opaque and contradictory, the virus seems to be the most advanced programme for the purpose of stealing sensitive information. It could even be used for attacks against industrial control systems.
In this context, it is increasingly clear that cyber wars "are not anymore relegated to technical people, but have become a mainstream topic," as cyber adviser to Hillary Clinton Chris Painter put it during a conference in Brussels last week - hosted by the Security and Defence Agenda think-tank. The subject increases in importance as the virtual dangers grow. "So far, cyber threats have come mainly from organised crime but we have to be aware that there will be an increased use of espionage on the internet," European Network and Information Security Agency executive director Udo Helmbrecht had previously acknowledged.
If security has to be improved, the private sector will have a crucial role to play, as it owns 90 per cent of critical infrastructure in the EU - according to data provided by Europol, the law enforcement agency. "But the industry does not always do enough to protect security," said a European Commission official who specialises in cyber security issues. A key tool to increase the private sector's involvement, and investment, in security is to make it compulsory to disclose breaches. To avoid the reputational consequences of such disclosures, companies are likely to fight against this - so goes the argument.
EU rules already envisage an obligation to report security breaches for the telecoms and internet sectors. In January, Brussels proposed to tighten the existing legislation, obliging electronic communication services to report any data and security breaches within a strict deadline. The move was pushed by the consumer-protection champion Viviane Reding, who is in charge of justice at the commission. As the proposal goes through the long legislative process in Brussels, industry is lobbying hard to soften its stance and to avoid having to carry the extra costs of beefing up security.
The bad news for industry does not end with that proposal. In fact, Reding's plan attracted the attention of some of her colleagues in the commission. Neelie Kroes, in charge of information society issues, is studying the idea of extending reporting obligations to other sectors beyond telecoms. "The European Commission will propose by the end of the third quarter of 2012, a new obligation for security breach notifications for the energy, transport, banking and financial sectors," said a Kroes aide at the SDA conference. And the private sector will clearly have to cooperate if Europe wants to equip itself with cyber walls thick enough to shield it from more sophisticated and disruptive attacks. The security bill is likely to be expensive. But it will certainly be lower than the cost of restoring disrupted infrastructure after an attack.
I look at DDoS attacks from a more technical perspective. DDoS is the equivalent of many people pressing the refresh button on their browsers at the same time. In other words, it's not something that should be illegal. Technically, it's not even that big a deal, but it is something that companies claiming to offer 'critical' services should have an obligation to be prepared for.
Yes, those companies should be obligated to have redundant capacity to fall back onto, such as mirrors in 'the cloud'. If they are not prepared for a traffic spike, they have no right to complain about it when it happens.