Protecting Europe against large-scale cyber-attacks

As on two previous occasions, I’ve been acting as specialist adviser to a House of Lords Committee. This time it was the European Union Committee, who held an inquiry into “Protecting Europe against large-scale cyber-attacks”.

The report is published today and is available in PDF and in HTML. It’s been covered by The Telegraph, the BBC, the Washington Post, and on Parliament’s own TV channel. Interestingly, there’s not all that consensus on what the main story is, or quite what the recommendations were!

At the end of March 2009, the European Commission published a Communication Protecting Europe from large scale cyber-attacks and disruptions: enhancing
preparedness, security and resilience”
which set out a programme for improving the response to natural disasters and to malicious denial-of-service attacks. The work has a big role for the European Network and Information Security Agency (ENISA).

The Lords Committee (as does an equivalent Commons Committee) scrutinises all the proposals coming out of Brussels. Most documents are non-contentious, but some lead to letters back and forth to Minsters to seek assurances or clarification. A handful lead to formal inquiries, as was the case here.

The inquiry report has a number of recommendations, of which I pick out two specifically. I am incidentally, not in any way required to endorse the report — which is the responsibility of the Committee members — but it’s all pretty sound stuff.

The first issue is “National CERTs”. The EU Communication recommends that every country should set up a CERT (Computer Emergency Response Team) for handling reports about Internet security. This is wise for the countries that have no such infrastructure already, but would be somewhat of a distraction for the UK which has a large number of sector-specific CERTs (and most of the ISPs and hosting sites have a functional “abuse@” team). Their lordships, in their formal recommendations said a UK national CERT “would make no sense and would bring no added protection”.

The second issue relates to the EU plans for a pan-European exercise to test out the pan-European response to a large-scale attack or disruption. Most EU countries have not even held a national exercise, so expecting anything useful out of an international exercise is wishful thinking. The Government witnesses described the timescale as “highly aspirational”, which is Sir Humphrey speak for “surely you’re joking”, and the recommendation was to aim for national exercises instead.

Just this week ENISA announced progress on plans for a November exercise — they’ve decided on the high-level scenario, at only 6 months (and August) to go! So perhaps too late for House of Lords recommendations to influence that which is becoming ever more more committed to.

Their Lordships also had some (extremely carefully chosen — two used to be extremely senior diplomats) remarks about the location of ENISA on Crete — rather than five minutes from Athens Airport arrival hall. The reality is that the institution itself isn’t going to be moved, but it did emerge that ENISA now have some meeting rooms in Athens, which will take several hours off the travel time for visitors.

There were 25 conclusions and recommendations in the report, and as I noted above, the press are differing considerably in what to pick out. My own recommendation would be to set aside a few minutes and read it for yourself!

3 thoughts on “Protecting Europe against large-scale cyber-attacks

  1. I was under the impression we already have a national CERT (CSIRTUK), albeit not branded so overtly in that context as it once was…which seems to run contrary to their lordships’ comments on such matters. I guess the ENISA vision of a CERT might differ from the CPNI one.

    As for exercises, my personal experience has been that there is often a great deal of wishful thinking on the part of high-level policy making types, which tends to divorce them from reality. The operational folk who are given the task of making exercises happen are then left to cobble together something that (with a bit of creative PR speak) meets the naive pledges of the policy types. As operational folk tend tend to be practical types they will extract as much learning and other benefits for participants as they can, but the bottom line is that the benefits of exercises (useful as they may be) are not necessarily what policy makers believe them to be.

  2. CSIRTUK is not a ‘national CERT’ in the context of the EU parameters – it is limited to “its partners in the private sector who operate elements of the national infrastructure.” Government organisations are managed by GovCERT, operating out of Cheltenham. MoDCERT seems to have (been) disappeared (its webpage is 404)

    Non-CPNI private and third-sector organisations do not have a government body looking after them, although there are a number of WARPs which focus on these areas.

    There is a clear distinction in vision between the original CERT-CC construction – a largely passive, best-practice and warning body, and the more active “Information Security Incident Response” elements of the ENISA vision.

  3. Greece being bankrupt they won’t move anything anywhere surely. Which begs the question: what if more and more states -the UK not too far from the brink either- will run out of money? Which goes first cybersecurity or other expenditures that politicans “understand” much better?

Leave a Reply

Your email address will not be published. Required fields are marked *