EU Cyber Agency Hustles To Get Ahead of Hackers
At the core of ENISA’s efforts is shielding critical infrastructure.
Europe is taking on several socio-technological initiatives, including developing a digital single market and tackling consumer financial services reform. Add the need to balance privacy concerns and safeguards across 28 member countries of the European Union, and it may seem like a tall order for policy makers to help strengthen information security.
Enter the European Union Agency for Network and Information Security, the European Union’s cybersecurity agency known as ENISA. The agency, founded in 2004, equips the European Union (EU) to prevent, detect and respond to cybersecurity problems.
In its role as a cybersecurity center of excellence, ENISA supports policy development, provides recommendations and collaborates across Europe to improve network and information security. At the heart of these efforts is fortifying the continent’s critical infrastructure—energy, transportation, banking, financial markets, health care, water and digital assets.
The agency takes its lead from the European Commission’s (EC’s) Directive on Security of Network and Information Systems, commonly called the NIS Directive. The first piece of this continent-wide legislation that dictates measures EU countries must take to improve cybersecurity was enacted in 2016. The EC is carrying out further measures this year.
Given the extent of today’s cybersecurity challenges, the EC may expand ENISA’s duties to include cybersecurity certification and standardization of what Europe calls information and communication technology (ICT) products and services. ENISA’s role during large-scale cross-border cybersecurity incidents and crises also may increase.
By itself, ENISA is not a computer emergency response team, or CERT, explains Steve Purser, head of ENISA’s Core Operations Department. Based on its mandate, ENISA’s job is to prepare EU stakeholders before a cybersecurity attack happens. The agency does support the CERT community closely, providing threat information to CERT-EU and Europol’s European Cybercrime Center. “When we saw the worldwide WannaCry and NotPetya ransomware attacks, we were helping member states communicate with each other and facilitating common information flows,” he relates.
The agency also issues warnings to the public “when we believe that there is a big lesson to learn in terms of preparation,” Purser says. “It’s not our job to tell you what to do in the next five minutes or tomorrow. It’s our job to tell all stakeholder communities long-term preparative methods to beating cyber attacks.”
ENISA’s flagship and largest event, Cyber Europe, is a series of cyber incident and crisis management exercises. More than 700 public- and private-sector stakeholders and 300 organizations within EU member countries join in—along with participants from countries in the European Free Trade Association (EFTA), including Iceland, Liechtenstein, Norway and Switzerland. The EU considers the biennial event to be the most important cross-Europe cyber crisis exercise on the continent. This year ENISA will host the fifth European cyber crisis exercise, with a theme centered on aviation. EU officials are thinking about making Cyber Europe an annual exercise.
The exercise gradually builds up over about six months, ending in a final scenario where everyone plays intently over two days, Purser explains. The most recent event, held in 2016, included three phases—tactical, operational and strategic—and featured simulated news agencies and social media platforms standing in for real outlets such as BBC News and Facebook. During the exercise, ENISA tests how well EU member states can cooperate with each other in the event of a cybersecurity attack that could evolve into a full-blown European crisis.
“Every member state plays from behind their desks in their home countries,” Purser shares. “It is a very realistic operational environment, so when people are playing, they get the feeling that they are in the real world.” In Purser’s view, the exercise has become very sophisticated in terms of what it is trying to achieve and who plays.
Another major role for ENISA is evaluating and communicating vulnerabilities and cyberthreats, which are presented in its annual “Threat Landscape” report. The latest report, released on January 15, found an increase in frequency last year in the top five types of cyber attacks: malware, web-based attacks, web application attacks, phishing and spam. Distributed denial-of-service (DDoS) attacks and botnet attacks, in the top five types of attacks in last year’s report, decreased slightly to the sixth and eighth top threats, respectively, in this year’s report. The main motive behind cyber attacks is now monetization. “When we did the analysis, we found that if you capitalize the damage or losses due to recent cybersecurity incidents, the market capitalization is as big as the second-largest American company,” Purser notes. That is Warren Buffett’s Berkshire Hathaway conglomerate, which owns Geico, Dairy Queen and dozens of other companies, and has a balance sheet of $620 billion.
ENISA, based in Heraklion, Greece, does not single out threats to specific sectors anymore, mainly for one reason. “We are seeing a large variety of risks that affect everybody,” Purser says. “We see that phishing and malware attacks are affecting all sectors. Nowadays, threats geared to a specific sector are probably more of an exception than the rule because adversaries can reuse most of these kinds of attack scenarios in any sector.”
Looking into the future, ENISA officials predict that advanced threat agents will mount more sophisticated multichannel, layered attacks using state-of-the-art tools and will be more adept at hiding their tracks. In particular, state-sponsored actors will be “one of the most omnipresent malicious agents in cyberspace, and will remain a top concern of commercial and governmental defenders,” ENISA emphasizes in the “2017 Threat Landscape” report. “Cyber war is entering dynamically into the cyberspace creating increased concerns to critical infrastructure operators, especially in areas that suffer some sort of cyber crises.”
In the report, the agency also stressed the increasing importance of cyberthreat intelligence (CTI), and the need for cyber defenders to improve sharing of CTI.
Additionally, ENISA is supporting the EU’s latest foray into electronic identification (eID), known as eIDAS. The regulation implements an electronic identification system at the national level for access to public services across borders in other EU member states. Electronic identification and trust services will include electronic signatures, seals, time stamps, registered delivery services and certificates for website authentication. A large number of sectors with obligations to provide security, reliable ID, strong authentication and legal certainty—such as finance, banking, transportation, insurance and health care—will be affected.
Associated regulations for the burgeoning trust service provider industry were redefined last year. ENISA was instrumental in helping the EC interpret the eIDAS regulations and how different member states should adapt to them, Purser notes. Cross-border recognition of the national eID in European electronic transactions becomes mandatory in September.
In addition, ENISA is aiding the EU’s work on the second Payment Services Directive (PSD2), which deregulates the payment industry in Europe. The latest rules, which took effect last month, provide the legal foundation for electronic payments in an integrated internal EU market, “with the goal of making international payments within the EU as easy, efficient and secure as payments within a single country,” according to an EU statement. The rules apply to both existing and new payment service providers and enhance consumer rights by reducing liability for nonauthorized payments from €150 to €50. They also add unconditional refund rights for direct debits in euros and remove surcharges for use of consumer credit or debit cards.
“The thing is, if you deregulate the payment industry, you bring new players into the payment system who need to apply the same level of cybersecurity that banks do,” Purser says. “So this is not trivial. The banks, of course, have been doing this for many, many years with a high level of security and very mature processes. ENISA is supporting deregulation of the market, but the new players have to be at the same level.”
With the implementation of other new EU policies, ENISA will remain busy throughout this year with its staff of 84. The General Data Protection Regulation (GDPR) goes into effect on May 25 as the EU’s main data protection legal framework. The certification policy outlines acceptable use and management of personal data by organizations and fines for improperly protecting the data. ENISA Executive Director Udo Helmbrecht says he believes that the “landmark piece of legislation designed to protect personal information is critical to the operation of the EU’s digital single market.” The digital single market strategy seeks to remove digital borders in the European Union, giving consumers and businesses better access to online goods and services across the continent while increasing consumer protections.
In addition to working to improve protection and resilience for critical information infrastructure, ENISA will continue to elevate the dialogue on network and information security in Europe across other noncritical sectors, Purser says. The agency also will prepare studies on “this whole world of Internet of Things,” he indicates, and new approaches with smart technologies, infrastructure, homes, transport, hospitals and airports.
Finally, ENISA will run its annual European Cyber Security Challenge, in which high school and college students compete to break into computer systems and “capture the flag.” The agency hosts national competitions across the continent, then a final round of competition at the European level. Every October, ENISA also hosts cybersecurity month, with numerous activities throughout Europe that aim to “keep the ball rolling” on cybersecurity awareness, Purser adds.