EU Holds Cyberattack Exercise, as Security Chief Calls for Global Cyberspace Behavioral Principles
Banks, telcos, ISPs and national and local governments held an EU-wide cyberattack exercise Thursday to see how they would respond to sustained attacks on the computer systems and public websites of major European financial institutions and markets. The organizations faced more than 1,200 separate cyberincidents, including more than 30,000 emails, during a simulated distributed denial-of-service (DDOS) campaign, the European Commission said. It’s Europe’s largest-ever cybersecurity test and follows a more-limited 2010 exercise, it said. At the same time, the EU’s top foreign affairs and security official urged participants at a Budapest, Hungary, conference to agree on global cyberspace behavioral norms.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Cyberattacks are “clearly a growing concern” for businesses and government, the EC said. In the past week alone, JPMorgan Chase and Wells Fargo were disrupted for hours by the same techniques being simulated in the EU test, it said. In addition, while it’s not known why the NASDAQ was forced to cancel trades in Kraft Foods after a computer problem caused company shares to rise more than 30 percent in a minute, “this shows how computer problems such as faulty algorithms can affect markets” and why affected parties need to be prepared to deal with sudden, unexpected changes, it said. The percentage of companies reporting security incidents with a financial impact rose from 5 percent in 2007 to 20 percent in 2010, it said.
The exercise was coordinated by the European Network and Information Security Agency, which is expected to start reporting results late Friday afternoon, the EC said. ENISA will report on key findings by year’s end, it said.
The scenario for Cyber Europe 2012 involves fictional adversaries launching technically realistic threats that combine into one escalating distributed denial of service attack on online services in all participating countries, ENISA said. It was designed to test the effectiveness and scalability of existing mechanisms, procedures and information flow for public authorities’ cooperation; explore the cooperation between public and private entities; and identify gaps in how large-scale cyberincidents could be tackled more efficiently. Twenty-five countries took part in the exercise, and four more observed, it said.
The exercise is really a test of the cooperative mechanisms between countries, ENISA Public Affairs Unit Head Graeme Cooper told us. It looks at the mechanisms and how existing systems could be ramped up if a large attack occurred, he said. “Would we need to simply increase what is there now, or are different approaches needed?” ENISA chose a DDOS attack as the scenario because it’s a realistic situation that is applicable to organization across Europe, and then escalated it to create something big enough to require cooperation among EU members, he said. “It’s significant (and pleasing) that we've got ISPs and banks taking part,” he said by email. It represents a big step forward in being able to create realistic scenarios to examine how coordination would work and where any gaps lie, he said.
The exercise didn’t use “live” systems, so there was no chance that either it or a potential hacking could affect actual systems, Cooper said. Asked whether the simulation itself could be hacked, he said ENISA used the Exito system as a platform. Supplied by the EC in-house science service, the Joint Research Center, the platform allowed only specific users involved in the test to access the system and blacklisted everyone else, he said.
The 2010 exercise was a “useful ‘cyber stress test'” for public bodies, ENISA said. One of the main conclusions was that the private sector could help future exercises, it said. Another finding was that EU governments must be internally well-organized, with national contingency plans that are maintained and checked regularly, it said. ENISA plans more tests in two years, it said.
EU institutions have just set up their own computer emergency response team, the EC said. By year’s end, the EC and the European External Action Service plan to lay out a comprehensive cybersecurity strategy, it said. One key element will be proposed legislation to beef up network and information security across the EU by providing cooperation mechanisms for EU members and introducing security requirements for the private sector, it said. An EC consultation on the proposal runs until Oct. 15.
A guiding principle of EU cyberdiplomacy is that cyberspace must remain open and free, Catherine Ashton, EU high representative for foreign affairs and security policy, said in Budapest. But “we also have to recognise our responsibilities to it,” she said in written remarks. Ashton called for the development of cyberspace behavioral norms among countries, crisis communication lines, and better dialogue on cyberissues. New regulation isn’t needed to promote good behavior, she said. Existing international measures such as the International Covenant of Civil and Political Rights and the Geneva Conventions apply in the new domain, she said. She urged governments to step up efforts to increase cybersecurity capacity through capacity-building programs and better coordination of existing initiatives.