EU Cybersecurity Test Success, Network Security Agency Says
Europe's latest cybersecurity exercise appears to have been successful, said European Network and Information Security Agency (ENISA) Head of Operations Steve Purser in an interview Friday. Thursday's Cyber Europe 2014 test was the second part of a three-phase project to gauge cyber-readiness, ENISA said. It looked at the operational side of dealing with cyberincidents, including standard operating procedures, contact points, tools and best practices for managing multinational cyber-crises, it said. The third part of the exercise will take place in early 2015 and will focus on strategic objectives, it said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Telcos consider cybersecurity a priority, and were among the participants in the exercises, said a group of European telecom companies. Strategic and operational coordination are among the key issues in Council of Ministers talks on a European network and information security (NIS) directive, said an EU diplomatic official.
Cyber Europe 2014 involved more than 400 cybersecurity professionals from 29 EU and European Free Trade Area countries and 200 organizations, ENISA said. It said participants included computer security incident response teams, cybersecurity agencies, EU bodies, public entities, telecom operators, information and communication technology vendors and energy service companies. Each segment of the exercise has its own goal, but they all look at big security events that could have a major impact on Europe's economy, such as having a communications network go down or become corrupted, Purser told us. The scenario is "very ambitious," he said.
Lessons learned from the exercise were being collated Friday for a report at year's end, Purser said. It's doubtful that this part of the test raised any unusual issues, he said. Cybersecurity rests on people, process and technology, and the weakest component of security exercises at the European level seems to be process, he said. Now, however, there is a set of processes, and the goal is to make them better, he said.
This exercise showed improved cooperation, Purser said. There's a massive project at EU level to boost cooperation among players, he said. It involves helping countries align their national cybersecurity strategies and set policies, he said. ENISA is helping by bringing operational teams together to find out what does or doesn't work in practice and by teaching computer emergency response teams (CERTs). One project is to establish baseline services that ENISA encourages all national CERTs to deliver at a similar level, he said. One such service could be exchanging information on the latest vulnerabilities, or sharing practical solutions so when big cyberattacks emerge, solutions can be spread as quickly as possible, Purser said.
The NIS proposal is being discussed among the Council, European Commission and European Parliament, said a diplomatic official. A first informal "exploratory trilogue" with Parliament took place on Oct. 14, with a second planned for Nov. 11, the official said. The main issues include which services should be covered, strategic and operational cooperation and incident notification, she said.
Telcos have had "long-standing obligations" in the cybersecurity field, the European Telecommunications Network Operators' Association told us. As EU governments discuss the proposed network and information security (NIS) directive, "we believe that all actors in the value chain should contribute to fulfilling the same top-level standards," it said.
The directive would set minimum security requirements on "Internet enablers," ETNO said in an Oct. 28 blog post. These requirements, particularly adopting risk management practices and reporting security breaches, "should apply across the entire digital value chain in the interest of both consumers and businesses," it said. That should include cloud services, it said.