Cybersecurity: Protecting the digital economy

Published 17 October 2011 - Updated 14 February 2012

As hackers continue to outwit governments, policymakers are playing catch-up: more agencies, stronger protection of data and simulated cyber attacks are all part of the EU's emerging arsenal against cyber attacks.


Summary

Online security cannot be taken for granted as hackers and cyber attackers continue to outdo software engineers. Currently there are a handful of ways to secure data like hardware backups, server backups, remote security controls, filtering, encryption and many more.

But recent history has shown that valuable data is still at risk. In February 2011, more than 150 of the French finance ministry's 170,000 computers were hacked for documents relating to the Group of 20 meeting hosted there. In March the European Emissions Trading Scheme suffered sustained attacks. But the largest remains the 2007 Estonia attack, which led to a temporary shutdown of the country's banks, ministries, newspapers and broadcasters.

The European Network and Information Security Agency (ENISA), which was set up in 2005 as an advisory body on network security, insists that national approaches are not sufficient to insulate a pervasive phenomenon like the Internet from attack.

In response to the Estonia events, ENISA and the European Commission have tried to establish new avenues for co-operation, like international agreements, potential new agencies and updated legislation, to prevent security breaches like the theft of valuable data.

Issues

The threat level of cyber crimes is rising. In the recently released organised crime threat assessment from Europol, the Internet acts as a facilitator for organised crime: “A new criminal landscape is emerging marked increasingly by highly mobile and flexible groups, operating in multiple jurisdictions and criminal sectors, and aided, in particular by widespread, illicit use of the Internet,” the organisation said.

The European Network and Information Security Agency (ENISA) has urged policymakers to take a broad view and to treat attacks on computers and on infrastructure the same way. The agency argues that it makes little sense to separate the protection of infrastructure from the applications which run on top of it. Those who chose to attack systems in Estonia did not make this distinction: one insecure machine was used to infect thousands of others, and the resulting botnet of remotely controlled computers was turned against governmental websites and online services.

The EU's first notable response to cyber crime was the establishment of Computer Emergency Response Teams (CERTs) in every country. At the last count, in June 2011, there were over 100 CERTs dotted around Europe. Some countries, like the UK, have about 15 centres while Greece, for example, has just one. These have all sprung up since the early nineties and try to provide advice, training and alerts on potential attacks. Their main aim is to contain possible risks by catching them early.

The cybercrime exercise conducted by ENISA showed that governments have a lot of work to do to speed up their response times. Over 70 experts from the participating public bodies worked together to counter more than 300 simulated hacking attacks aimed at paralysing the Internet and critical online services across Europe.

The test had two important conclusions: All bodies involved in containing risks need standardised operating procedures and they need to know who to contact once a risk is identified. Some 55% of countries were not confident they would be able to quickly identify the right contact, even with the available directories.

In addition, some countries like the UK have more advanced ways of tackling cybercrime while many others still lag. So far only 12 member states have organised exercises for large-scale network security incident response and disaster recovery, according to ENISA.

Critical Information Infrastructure Protection

The EU's most recent flagship policy for online security, Critical Information Infrastructure Protection (CIIP), is built on five pillars: preparedness and prevention, detection and response, mitigation and recovery, international cooperation, and definitions of European Critical Infrastructures in the field of ICT.

It sets out the work to be done under each pillar by the Commission, the member states and/or industry, with the support of ENISA.

In September 2010 the European Commission issued a proposal on how to tackle attacks against information systems. The Commission decided to take actions as it recognised the steady rise of malicious software creating 'botnets' - networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks. 

The proposal identifies three main kinds of attacks: exploitation attacks aimed at government IT systems; disruptions such as denial-of-service attacks; and destruction attacks, a pre-emptive category covering cases where critical facilities like water and electricity supplies are targeted.

On 31 March 2011 the EU adopted the CIIP action plan but much remains to be done. The Commission aims to modernise ENISA to speed up reactions in the event of cyber attacks, including a CERT for the EU institutions. The plan also aims to forge international agreements on cyber security.

The EU-US Working Group on Cyber-security and Cyber-crime, established during the EU-US Summit of November 2010, is an important step in this direction. The Working Group will focus on cyber incident management, public-private partnerships, awareness raising and cyber-crime. The two sides have agreed to hold a joint cyber war exercise before the end of the year to test both sides' abilities to identify botnets and prevent them from spreading. Officials also agreed to work closely to remove child pornography from the Internet by teaming up with domain-name registries.

Data Protection and the Cloud

That's the big picture. Below the surface, in the alphabet soup of EU policy, a swathe of other measures will try to contain risks online. The most important of these is the Data Protection Directive, a set of laws that technology has long since outpaced.

In the strongest denunciation of online advertisers' practice of collecting user data, Meglena Kuneva, the former European Commissioner for consumer affairs, argued that personal data has become "the oil of the internet and the new currency of the digital world".

She said this before EU policymaking had taken into account that more and more data would be moving into the cloud. Governments and businesses have come to recognise the benefits of replacing hardware with cloud computing, which allows them to run their operations online and to store their data on servers in different jurisdictions if they wish. The cloud can not only significantly reduce business overheads but can also reduce the cost of securing data, as security measures are cheaper when implemented centrally on a larger scale.

But the recognition of the cloud has not turned into the kind of take-up IT companies had hoped for. A survey, "An SME Perspective on Cloud Computing", shows that small businesses migrating to the cloud still have major concerns about the confidentiality of their data and about who is liable when it has been breached or even lost.

The Commission will soon come up with a recommendation for cloud computing which, among other things, will ask cloud providers to notify their customers of a breach within a designated window of time. In addition, providers will be asked to share the location of their servers with their customers, a condition some IT businesses argue is unworkable.

The EU is co-funding the IBM-led TClouds scheme, a set of testbeds for new security mechanisms that remotely verify the security and resiliency of their cloud infrastructure. They will involve a form of cloud-to-cloud backup where each project's data is backed up across multiple places.

The Commission has also noted that timely data deletion may be impossible or even undesirable because extra copies of data may not be available, or because the disk to be destroyed also stores data from other clients.

The review of the Data Protection Directive, due in November 2011, also includes measures to reduce the amount of data at risk of abuse. The EU's Digital Agenda Commissioner Neelie Kroes recently announced that the set of laws will include assurances that the minimum amount of non-personal data is being collected, provisions on the 'right to be forgotten' and on the portability of data.

Businesses argue that the data they store for commercial purposes is not personal and is too limited to be privacy-invasive. But a recent study from the University of Texas begs to differ. Academics at the university conducted tests to see whether they could use a limited data set to gather more data and ultimately identify the person behind each anonymised record.

"Using the Internet Movie Database as the source of background knowledge, we successfully identified the Netflix records of known users, uncovering their apparent political preferences and other potentially sensitive information," the study concluded.
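The cross-correlation the Texas study describes is the risk a data publisher should measure before releasing "limited" records, and the same point is restated in the Narayanan and Shmatikov quote under Positions. The Go program below is an added example, not code from the article or from the study: it computes the k-anonymity of a constructed micro-data release (the records in `Sample` are invented), lists the records that are unique on their quasi-identifiers, and shows what someone holding background knowledge about one person could read off the release. It goes beyond the Netflix case, which worked on sparse rating vectors, to the general demographic-style check; the type and function names (`Record`, `Exact`, `Coarse`, `MinK`, `Singletons`, `Leaks`) are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Record is one row of a micro-data release. Direct identifiers (name,
// account number) are already stripped; the quasi-identifiers remain next to
// a sensitive attribute. Field names are hypothetical.
type Record struct {
	Postcode  string
	BirthYear int
	Gender    string
	Sensitive string // e.g. a political preference inferred from viewing history
}

// Sample is a constructed release used for the demonstration.
var Sample = []Record{
	{"1010", 1985, "F", "party A"},
	{"1010", 1985, "F", "party A"},
	{"1020", 1972, "M", "party B"},
	{"1030", 1990, "M", "party C"},
	{"1030", 1991, "M", "party A"},
	{"1080", 1979, "F", "party C"},
}

// Generaliser maps a record to the quasi-identifier key used for grouping.
type Generaliser func(Record) string

// Exact groups on the quasi-identifiers exactly as published.
func Exact(r Record) string {
	return strings.Join([]string{r.Postcode, strconv.Itoa(r.BirthYear), r.Gender}, "|")
}

// Coarse generalises before release: two-digit postcode prefix, birth decade,
// gender suppressed.
func Coarse(r Record) string {
	return r.Postcode[:2] + "*|" + strconv.Itoa(r.BirthYear/10*10) + "s|*"
}

func classes(rs []Record, g Generaliser) map[string]int {
	c := map[string]int{}
	for _, r := range rs {
		c[g(r)]++
	}
	return c
}

// MinK is the k-anonymity of the release: the size of its smallest
// equivalence class. k == 1 means at least one person can be singled out by
// anyone who knows their quasi-identifiers.
func MinK(rs []Record, g Generaliser) int {
	min := 0
	for _, n := range classes(rs, g) {
		if min == 0 || n < min {
			min = n
		}
	}
	return min
}

// Singletons lists the quasi-identifier keys that occur exactly once.
func Singletons(rs []Record, g Generaliser) []string {
	var out []string
	for k, n := range classes(rs, g) {
		if n == 1 {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// Leaks models cross-correlation with background knowledge from the
// publisher's side: given the quasi-identifiers known about one person, which
// distinct sensitive values could the release attribute to them? A single
// value means the release discloses it, even when k >= 2 (all class members agree).
func Leaks(rs []Record, g Generaliser, known Record) []string {
	key, seen := g(known), map[string]bool{}
	var out []string
	for _, r := range rs {
		if g(r) == key && !seen[r.Sensitive] {
			seen[r.Sensitive] = true
			out = append(out, r.Sensitive)
		}
	}
	return out
}

func main() {
	fmt.Println("k as published:", MinK(Sample, Exact), "singletons:", Singletons(Sample, Exact))
	fmt.Println("k after generalising:", MinK(Sample, Coarse))
	known := Record{Postcode: "1020", BirthYear: 1972, Gender: "M"}
	fmt.Println("disclosed about the known person:", Leaks(Sample, Exact, known), "vs", Leaks(Sample, Coarse, known))
}
```

On the sample, the release as published has k = 1 with four unique records, so full postcode plus birth year plus gender already identifies most people; generalising to postcode prefix and birth decade raises k to 2. The `Leaks` check also shows why k alone is not enough: the two 1985 records share the same sensitive value, so their class discloses it even though neither record is unique.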

The European Commission also faces a powerful US lobby against the strengthening of data protection. The two sides are currently trying to agree on a transatlantic framework for data protection. But with its history of privacy-invasive governments during the Cold War, the EU has historically had more appetite to protect data from prying eyes.

Social networks and smartphones

Across the bloc, there is a lively campaign against the likes of Facebook, which holds a myriad of personal details, potentially putting people at risk. While Facebook insists it does not share personal details with anyone, the NGO Europe versus Facebook (EvF) claims that the amount of data stored about each user may in fact total 800 pages; its website contains a sample 880-page PDF document.

Social networking is not the only area where data may be at risk. According to the Verizon Payment Card Industry Compliance Report, most businesses that accept credit or debit cards struggle to comply with the Payment Card Industry Data Security Standard (PCI DSS). As a result, they are at greater risk of losing confidential customer information and falling victim to credit-card fraud. Verizon's assessments include data from institutions in the US, Europe and Asia.

In fact, the opportunities for hackers have become endless as smartphones and popular apps are increasingly targeted by cyber attackers, according to a report by ENISA. Smartphone sellers and app developers need to do more to prevent malicious software or malware from creeping into phones and stealing users' valuable data, argues the ENISA report. In 2011, malware was disguised as a popular Android app which infected thousands of phones.

There are many reasons why smartphone security is a matter of urgency. It is a booming market used by high-value professionals and there are an abundance of new app sellers like Amazon, Cisco, Microsoft and Nokia which develop apps for different operating systems. Both consumers and developers are overly concerned with functionality at the expense of security, argues the agency, which has laid out five steps to bolster smartphone security.

First, app stores should be able to remove malware from users' phones remotely, and they should use sandboxes (isolated environments in which submitted apps are run and inspected before publication) to ensure the absence of malware.

In addition, smart phones should have jails, meaning they should either prevent owners from using untrustworthy app stores or send out clear warnings about installing from unknown sources.

In recent years malware has become increasingly sophisticated. For example, the Zitmo or Zeus Trojan was discovered in February 2010 after it had captured SMS messages bearing users' bank transaction codes.

According to ENISA there are many versions of Zitmo for different types of smart phones, including Windows Mobile, Symbian OS and Blackberry. The malware is spread by first infecting a user's Windows PC and then asking them to type in their phone number.

In March 2011, security company Symantec discovered that apps for Google's Android were being repackaged and redistributed with malware attached that could take screenshots from people's phones and harvest sensitive data like bank details. There were somewhere between 50,000 and 200,000 downloads during the four-day security breach, according to Symantec.

The ENISA report offers some glimmer of hope for smartphone users: malicious software is perhaps easier to detect on phones, because its effects go beyond the denial of service familiar from the PC world.

During the agency's research they identified several potential threats, such as when an app suddenly reveals sensitive data, gives a user privileged access to an app or when a new data store suddenly appears without the user's authorisation. All of the above should alert the user that their phone is perhaps being tampered with by hackers. 

Positions

“Cybercrime is borderless by nature – this also makes criminal investigations more complicated for law enforcement authorities. To effectively tackle cybercrime, adequate cross-border provisions are needed, and international cooperation and mutual assistance within EU law enforcement, and between the EU and third countries, need to be enhanced,” says Rob Wainwright, Director of Europol.

“The web browser is now one of the most security-critical components in our information infrastructure - an increasingly lucrative target for cyber-attackers,” comments Professor Udo Helmbrecht, Executive Director of ENISA.

"A cloud without robust data protection is not the sort of cloud we need. So these features should be well-integrated in the design of cloud-computing products and services, from the very beginning of the business processes," said Neelie Kroes, the EU Commissioner for the Digital Agenda.

“The bottom line is: cybersecurity is incredibly difficult – and is made even more challenging by the rapid change in technology, for instance what we are seeing in cloud computing,” said Katherine McGuire, Vice President of Government Relations for the Business Software Alliance.

McGuire stressed: “It requires continuous work and innovation to secure our evolving cyberspace and thwart the relentless work of cybercriminals. This is why we need the commitment and involvement of all parties to make it happen.”

Christopher Painter, coordinator for cyber issues for the State Department, said the US faces various potential cyber threats from “freelance hackers to militants and potentially rival states.” “It goes across governance issues, economic issues, military issues,” Painter told Reuters.

"Very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters," Peter Sommer from the London School of Economics and Ian Brown from the Oxford Internet Institute wrote in a report for the OECD.

"Over the past ten years, the frequency and sophistication of intrusions into U.S. military networks have increased exponentially. Every day, US military and civilian networks are probed thousands of times and scanned millions of times," said William Lynn, the US deputy Secretary of Defense, outlining the importance of security to EU policymakers.

"Adversaries have acquired thousands of files from US networks and from the networks of US allies and industry partners, including weapons blueprints, operational plans, and surveillance data," Lynn continued.

Assistant US Secretary for Infrastructure Protection, Todd M. Keil, observed in a recent speech that “An approach to critical infrastructure security that is based solely on protection is insufficient for successful management of the risks that we currently face.”

"The protection of personal data is a fundamental right," EU Justice Commissioner Viviane Reding said in a statement. "To guarantee this right, we need clear and consistent data protection rules. We also need to bring our laws up to date with the challenges raised by new technologies and globalisation. The Commission will put forward legislation next year to strengthen individuals' rights while also removing red tape to ensure the free flow of data within the EU's Single Market," Reding continued.

On the risk of personal data breaches, Arvind Narayanan and Vitaly Shmatikov from the University of Texas argue: "Privacy risks of publishing micro-data are well known. Even if identifiers such as names and Social Security numbers have been removed, the adversary can use background knowledge and cross-correlation with other databases to re-identify individual data records."

On the difficulties of protecting data, Marc Mueller from the German Federal Office for Information Security, BSI, said: "There is a high number of information recipients and senders in some sectors. Especially in the case of privatized markets, changes in addresses and responsibilities by staff turnover or other changes inside organisations are daily business. Sometimes new companies are created and old ones disappear overnight – just because of changing stakeholders. Guaranteeing the reachability of all involved partners during particular situations of crisis is extremely difficult."

The NGO, Europe versus Facebook, issued a press release urging citizens to demand their data from Facebook: "Every citizen in the EU has the right to get a full copy of all personal data a company is holding about them (“access request”). Three students from Vienna, Austria have done so recently and got a CD with a PDF  of 780, 1,142 and 1,222 pages. In all data sets you could find sensitive information such as political and religious beliefs, or sexual orientation of the user."

“The completion of the Domain Name System Security Extensions (DNSSEC) chain of trust means that everyone visiting a website using a signed .eu domain name can be confident of its legitimacy, since name server responses can now be validated all the way up to the Internet root zone,” said Marc Van Wesemael, General Manager of EURid, the .eu domain registry.

“As such, .eu is amongst the first top-level domains to have full DNSSEC support, fulfilling our objective to be at the forefront of implementing Internet security measures via proven standards. EURid encourages .eu domain name holders, through their registrars, to sign their .eu domain names with DNSSEC, therefore adding digital signatures to all levels in the chain,” he added.
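The "chain of trust" in the EURid statement is a concrete validation procedure: a resolver trusts only the root key it is configured with, and each zone's key is accepted only because the parent zone has published and signed a hash of it (the DS record), down to the record being answered. The Go program below is an added illustration written for this article, not EURid's software and not the real DNSSEC wire format: it uses Ed25519 in place of the DNSKEY algorithms, a SHA-256 over name and key as the DS digest, one key per zone (no KSK/ZSK split, no self-signed key set, no validity windows), and constructed zone names (`eu.`, `example.eu.`) and a TEST-NET address. The `Zone`, `Validate` and `Demo` names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a simplified signed zone: a name, one signing key pair and the
// records it publishes with their signatures (hypothetical model, not the
// RFC 4034/4035 formats).
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]string // "owner|type" -> rdata
	Sigs    map[string][]byte // "owner|type" -> signature (the RRSIG)
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv,
		Records: map[string]string{}, Sigs: map[string][]byte{}}
}

func rrKey(owner, rtype string) string { return owner + "|" + rtype }

// dsDigest models a DS record: the parent publishes a hash of the child's key.
func dsDigest(childName string, childPub ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(childName), childPub...))
	return fmt.Sprintf("%x", sum)
}

// Publish stores a record and signs it with the zone's key.
func (z *Zone) Publish(owner, rtype, rdata string) {
	k := rrKey(owner, rtype)
	z.Records[k] = rdata
	z.Sigs[k] = ed25519.Sign(z.priv, []byte(k+"|"+rdata))
}

// Delegate publishes, in this (parent) zone, the signed DS for a child zone.
func (z *Zone) Delegate(child *Zone) {
	z.Publish(child.Name, "DS", dsDigest(child.Name, child.Pub))
}

// verifyRecord returns a record's rdata only if its signature checks under a
// key the validator already trusts.
func verifyRecord(z *Zone, trusted ed25519.PublicKey, owner, rtype string) (string, error) {
	k := rrKey(owner, rtype)
	rdata, ok := z.Records[k]
	if !ok {
		return "", fmt.Errorf("%s: no such record in %s", k, z.Name)
	}
	if !ed25519.Verify(trusted, []byte(k+"|"+rdata), z.Sigs[k]) {
		return "", fmt.Errorf("%s: signature does not verify", k)
	}
	return rdata, nil
}

// Validate walks from the configured trust anchor (the root key) down the
// delegation chain: each parent's signed DS must match the child's key before
// the child's key is trusted. The requested record is looked up in the last zone.
func Validate(anchor ed25519.PublicKey, chain []*Zone, owner, rtype string) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("empty chain")
	}
	if !anchor.Equal(chain[0].Pub) {
		return "", errors.New("root key does not match trust anchor")
	}
	trusted := chain[0].Pub
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds, err := verifyRecord(parent, trusted, child.Name, "DS")
		if err != nil {
			return "", err
		}
		if ds != dsDigest(child.Name, child.Pub) {
			return "", fmt.Errorf("%s: DNSKEY does not match DS in %s", child.Name, parent.Name)
		}
		trusted = child.Pub
	}
	return verifyRecord(chain[len(chain)-1], trusted, owner, rtype)
}

// Demo builds root -> eu. -> example.eu. (constructed names, TEST-NET address)
// and reports whether validation passes for a genuine, a tampered and a forged answer.
func Demo() (genuine, tampered, forged bool) {
	root, eu, site := NewZone("."), NewZone("eu."), NewZone("example.eu.")
	root.Delegate(eu)
	eu.Delegate(site)
	site.Publish("www.example.eu.", "A", "192.0.2.10")
	chain := []*Zone{root, eu, site}
	_, err := Validate(root.Pub, chain, "www.example.eu.", "A")
	genuine = err == nil
	// A modified answer: the rdata changed, but the RRSIG was made over the original.
	site.Records[rrKey("www.example.eu.", "A")] = "198.51.100.7"
	_, err = Validate(root.Pub, chain, "www.example.eu.", "A")
	tampered = err == nil
	// A zone signed with some other key: its DNSKEY does not hash to the DS
	// that eu. published, so the chain breaks at the delegation.
	fake := NewZone("example.eu.")
	fake.Publish("www.example.eu.", "A", "198.51.100.7")
	_, err = Validate(root.Pub, []*Zone{root, eu, fake}, "www.example.eu.", "A")
	forged = err == nil
	return genuine, tampered, forged
}

func main() {
	g, t, f := Demo()
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", g, t, f)
}
```

The two failure cases are the ones the statement alludes to: a response altered in transit fails the signature check at the leaf, and a substitute zone signed with a key the registry never delegated fails at the DS comparison one level up. Only a chain that is signed at every level, which is what EURid asks domain holders to complete through their registrars, lets the resolver accept the final answer.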

Timeline

  • 30 March 2009: Commission adopts Communication on Critical Information Infrastructure Protection
  • May 2010: EU adopts digital agenda which sets out security as a prerequisite for ICT take-up
  • Sept. 2010: Commission adopts proposal for a Directive on Attacks against Information Systems
  • Sept. 2010: Commission tables proposal to strengthen ENISA
  • Nov. 2010: Establishment of the EU-U.S. Working Group on Cyber-security and Cyber-crime
  • March 2011: Commission issues Communication on Critical Information Infrastructure Protection ‘Achievements and next steps: towards global cyber-security’
  • 3 Nov. 2011: Joint EU-US cyber-incident exercise
  • 2013: ENISA begins operation of a European Information Sharing and Alert System (EISAS) 

COMMENTS

  • Currently there are many information security and personal privacy problems on the internet. However this is not a new problem and these problems will not be solved in the (near) future. Recognizing this the FreeMove Quantum Exchange has been developed which is operational since 2007 and is planned to be operational until at least 2030. This system supports independent source- and channel coding, computational- and information-theoretic security, asymmetric public key and symmetric private key security and uses provable random true quantum-randomness instead of provable not random pseudo-randomness. Presentations of this system can be found on http://bit.ly/fqxch and http://bit.ly/fqxwuala

    By Q, posted on 19/10/2011
  • Traditional legal model -- apprehend and prosecute -- is insufficient for effective cyber security due to its transnational nature, and the knowledge-gap present in the victim population.

    Instead, technology-based prevention systems are necessary.

    By George Mattathil, posted on 22/11/2011