08 Dec 2016   |   Viewpoint

We are not prepared to defend against the next big cyberattack in Europe

Lessons were not sufficiently drawn from the heavy hit on Estonia’s internet back in 2007, says EU cyber watchdog Udo Helmbrecht. Technical proficiency has improved, but the EU could not mount a coordinated response

Europe would struggle to respond to a cyber-attack on the scale of the internet siege endured by Estonia in 2007, according to the EU adviser on cybersecurity.

“We’re not prepared for the next big attack,” said Udo Helmbrecht, executive director of the European Union Agency for Network and Information Security (ENISA), in an interview with Science|Business.

Almost ten years ago, Estonia endured a three-week wave of massive cyber-attacks. The barrage of digital warfare, which security analysts suspect was directed by Russia, disabled the websites of government ministries, political parties, newspapers, banks, and companies.

Not enough lessons have been drawn from this, said Helmbrecht. “Since the experience of Estonia, we’ve improved on a technical level, but not a governance level,” he said.

If the attacks were repeated again, it is not clear how EU leaders would even begin to coordinate their response.

“If something happens, who do you go to in Brussels – [Commissioner] Oettinger? Ansip? Bulc or King? If I got a call from Austria for instance, I’d say I can’t help them.”

“When it’s something to do with the refugee crisis, everyone knows [Commission President] Juncker will chair a meeting of foreign ministers in Brussels. For a financial crisis, it is the economic ministers. Which ministers would he call for a cyber-attack?”

The answer is not necessarily national heads of defence, it seems. For example in Greece, where ENISA is based, cyberattacks fall under the responsibility of the minister for transport.

“You don’t immediately know the goal of the attacks and whether they are some form of internal terrorism, sabotage, espionage or a system malfunction. If you call in defence ministers, that would suggest to everyone you see the security breach as an act of war,” Helmbrecht said. That would raise expectations of some form of retaliation. 

Hacking of computer systems is becoming an inconvenient fact of life.

Last month, the Commission’s website was bombarded by mass requests for information, overloading the servers in a distributed denial-of-service attack.

In 2015 hackers said to have close links with the Russian state swamped the Christian Democratic Union party of German Chancellor Angela Merkel in a similar attack. Bulgaria came under a cyber-attack during a referendum and local elections, which officials said was almost certainly linked to Russia.

ENISA was launched in 2004 with a brief to advise EU institutions and member states on cybersecurity, rather than actually hunting for intruders on computer networks.

“We are the ones telling you that you must stop when the traffic light is red. Then someone else, Europol [the EU’s law enforcement agency] gives you the ticket if you don’t,” said Helmbrecht.

Since 2010, ENISA has organised cross-Europe cybersecurity training exercises, and its mandate is about to be extended under the first EU-wide cybersecurity legislation, which comes into effect in 2018. The agency will then begin receiving reports of security breaches from EU governments.

Helmbrecht is in pursuit of a top up for ENISA’s €11 million annual budget, but this will not materialise next year. “The Parliament wanted to give us a 20 per cent increase but the Commission and Council said ‘No’. So we are squeezed,” he said.

Political logic dictates that money moves in response to the immediacy of a crisis. This year, it has mostly gone to deal with the one million or so asylum-seekers who have fled Syria, Iraq, Afghanistan and other war-torn countries for Europe. EU agencies such as Europol and border manager Frontex have gained at the expense of ENISA.

“Do you hear Juncker talk about ICT security?” Helmbrecht asked. “Because cyber-attacks don’t happen every day, these things are not always at the front of peoples’ minds.”

All the same, the Commission has increased its investment in safeguarding IT systems, putting up €450 million for a new research fund, with the aim of persuading industry to invest three times this amount. The first funding round will open early next year.

The EU money comes from Horizon 2020, with the remainder expected to flow from over 100 companies, including the aerospace manufacturers Thales and Airbus, German software company SAP and engineering giant Siemens.

The push is obviously welcomed by Helmbrecht, but he points out that this new fund, and the military research pilot being set up by the European Defence Agency, is likely to have a knock-on effect on other research budget lines.

“There’s a danger you sacrifice a part of the Horizon 2020 security agenda,” he said.

Never miss an update from Science|Business:   Newsletter sign-up