Trade Law Daily is a Warren News publication.
IT Security by Design

Industry Self-Regulation Isn’t Enough to Stop Cybercriminals, ENISA Chief Says

“Governments and industry can do more” to tackle cyberattacks, European Network and Information Security Agency (ENISA) Executive Director Udo Helmbrecht said in an interview Wednesday. ENISA’s interim threat landscape review for mid-year 2013, an analysis of 50 reports covering the first half of this year, to be published Thursday, will show significant changes since its last full report in 2012, it said. Among those are the growing shift from botnets to malicious URLs, and the use of peer-to-peer and TOR-based botnets, it said. This first “taste” of current developments is intended to warn stakeholders as early as possible so they can take countermeasures, Helmbrecht said in a press release. In addition, he told us, a bit more regulation is needed because industry self-regulation isn’t working.

The report shows that since the last full report spam has declined, phishing has stayed the same and nearly every other cybercrime is up. One advantage of URLs as a distribution tool for malware is that they're not as easy a target for law enforcement take-downs, the agency said. Browser-based attacks are still the most reported threats, and Java the most exploited software for such attacks, it said.

Although malware infection methods are shifting to URLs, botnets are still a threat, ENISA said. While not new, one interesting aspect of botnet activity is the use of botnets to mine digital currency such as bitcoins, it said. Another development is the growing use of P2P botnets, which are hard to find and take down, it said. Browser-based botnets are another example of how easy it is to create a very large botnet infrastructure, it said. While there’s a rise in TOR-based botnets, more “traditional” botnet operators appear to be in decline, it said.

This year has seen an increase in rogueware/scareware attacks, the report said. There’s strong evidence that ransomware threats are rising, due in part to the expansion of ransomware and bogus antivirus distribution to mobile platforms, it said. Availability of anonymous payment services to channel illegal profits is a major enabler for this sort of fraud, it said. Also this year, cyber-espionage attacks “reached a dimension that went far beyond expectations,” largely due to the proliferation of mobile devices, it said.

Other threats identified were: (1) Identity theft, where attacks were based on financial Trojans such as Zeus and SpyEye and were put in place on mobile platforms to attack two-factor authentication. Social media remains a significant vector for this type of cybercrime, ENISA said. (2) Denial of service, where attack bandwidths reached a level of 300 Gbps this year. (3) Search engine poisoning. Although there were few references to this so far this year, the crime has gone mobile and should be monitored because it’s an important part of malicious code attack vectors.

The report concluded that cybercriminals are using ever more advanced methods to create attack systems that are non-traceable and difficult to take down. Mobile technology will increasingly be exploited by criminals, ENISA said. The mass availability of malware and cyberhacking tools and services, and of digital money and anonymous payment services, will create new avenues for cyberfraud, it said. Moreover, “there is a real possibility of large impact events when attacks combining” those threats are successful, it said.

Despite the availability of digital signatures, encryption and other technologies, they're not being used, Helmbrecht told us. The European Commission has proposed a cybersecurity strategy, but the problem is that industry self-regulation and market forces don’t work, he said. That’s why there are mobile phones without security, and protections such as speech encryption aren’t sold off-the-shelf, he said.

Better information technology (IT) security requires a bit more regulation because industry doesn’t see security as a business model or competitive advantage, Helmbrecht said. Buyers of new computers or mobile phones have to search out their own virus detection, encryption and other programs, he said. This may work for large companies but not for small players or individuals, he said. “IT security by design” should be built into all devices, he said.

Asked if more regulation is possible, Helmbrecht said there are national cyberstrategies in two-thirds of EU member states, and computer emergency response teams in all of them. Governments are more politically aware of the issues, but ENISA supports the EC proposal for an IT security authority in each country. On the industry side, there should be incentives for investing in security products, he said. There should also be a reporting mechanism, akin to those for the automotive and other sectors, that makes public information about the level of infrastructure security in the IT industry, he said.

Asked about ENISA’s comments on Java, Oracle pointed to a May 30 blog posting (http://bit.ly/1eoBAsL) that seeks to assure users that Java running in Web browsers is secure. Among other things, Oracle said it will start in October issuing four annual security releases, and will retain the ability to issue emergency fixes through its security alert program.