A recent cyberattack on a loyalty card company serving supermarket chain SuperValu saw more than 62,000 Irish customers’ credit card details compromised. The consequences of such an attack by terrorists on a national electricity grid or nuclear power facility, if successful, illustrate that we’re now all at war on a cyber scale.
It is oddly fitting that the headquarters of ENISA, the organisation tasked by the EU with co-ordinating Europe’s defence against attacks by cyber-criminals and cyberarmies, is based in Heraklion on the Greek island of Crete, a city that has in its time been in the possession of the rampaging armies of the Byzantine, Venetian and Ottoman empires.
However, for Steve Purser, head of core operations at ENISA, who was in Dublin last week at the IIEA Cybersecurity Conference, a high-level gathering of security chiefs from the US, Europe, UK and NATO, there is no time to engage in historical whimsy. The scale of the challenge increases as the world depends more and more on technology.
“Hackers are extremely sophisticated and more than the average person on the street understands. Malicious code is now being developed by organised gangs using procedures any corporation would be proud of. Fifteen years ago, kids hacked for glory and bragging rights. Then they entered a phase of hacking for money which is where botnets came from and more recently hackers have become political."
The work of ENISA
ENISA operates as a centre of expertise and facilitates the exchange of information between the public and private sector; combining people, process and technology.
The European Parliament recently voted to extend and strengthen ENISA to play a more significant role in cybersecurity initiatives across the EU. But as we enter a world where nations, criminals and terrorists are becoming increasingly sophisticated, Purser believes for Europe to defend itself, co-ordination is key.
Unlike his counterparts in organisations like the US National Security Agency (NSA) or NATO, Purser has a civilian background, having worked in the IT sector since 1985 and occupying senior IT security roles in the financial sector. Less conventional military thinking and a more organisational mind could prove critical in defending Europe as the threats mount up.
In 2007, the removal of a Soviet war memorial in Estonia triggered a determined cyberwarfare attack by Russia against the tiny Baltic nation in what was known as the world’s first cyberwar, with its parliament, banks, newspapers and TV under attack.
In recent years, the Stuxnet worm – a virus believed to have been developed by Israel’s secret service aimed at knocking out Iran’s nuclear power facilities – came to threaten utilities like water and electricity all over the world because it went viral and targeted the SCADA software used to run these facilities across the world.
“If you shut down our power grid, maybe we will put a missile down one of your smokestacks," a US military official was quoted as saying in a 2011 Wall Street Journal article. The US is believed to have developed its own arsenal of cyberweapons and, after attacks on military contractor Lockheed Martin’s computer networks, has said it will perceive an attack on its networks as an attack on sovereign American soil.
The answer to cyberthreats
Purser said the answer to threats for organisations and nations is education. "I think that fundamentally the most important challenge is building up and maintaining a strong security community and this involves education and training at all levels.
“It’s not enough that I secure my workplace, it’s also important that I protect my home and people need to realise this in all walks of life now."
The answer, for want of a better term, is better cop-on. Purser said it could take years for a country to train up a cadre of security professionals.
“I was chief security officer at various financial institutions and globally responsible for protecting information. To do that I had to understand people, process and technology and make sure they were all working together in a smooth and coherent fashion."
As cyberattackers prefer to go for the weakest links, Purser said he is worried by the lack of proactive participation by ordinary citizens in protecting their computers and information. "It’s about electronic common sense – people need to behave in the cyberworld as they would on the street.
“If a stranger walked up to you on the street and asked for your bank details you wouldn’t divulge them yet this happens every day online."
The free market economy in which we all live and earn is one of the weakest links that Purser has his eyes on. As well as ordinary people lacking electronic common sense, security officers in companies may be doing it wrong.
“Companies spend a fortune on expensive, granular tools and systems but don’t follow this up with a coherent strategy. For a modern-day chief security officer, a good process would have sustainability, flexibility and adaptability built in."
However, he pointed out that in endeavouring to keep up with standards set by auditors and regulators, businesses lose their nimbleness and ability to respond to threats.
Large businesses need to appreciate the rate of change on a daily basis. "Boards insist on high-level security and so they spend a fortune on technologies, but security policy needs to be based on risk. All security is compromised somewhere between risk and opportunity. The key is to be nimble."
Security software, at least
He urged smaller businesses that don’t have the resources of the corporations to have a baseline set of software and tools, such as anti-virus and firewall software, and to ensure that all software updates are applied by someone who knows what they are doing. "At the very least have someone at the other end of a phone line if something goes wrong. This of course is where a lot of companies fall down."
He continued: "Cybersecurity is far more than cyber-crime, cyberwarfare, or spying. Interestingly, a lot of the problems are also due to things like power cuts, hardware failures and old telecoms infrastructure. We’re constantly looking out for malicious attacks but let’s not forget the problems that can also be caused by human error and natural disasters."
He said that this open market perspective is one of the strengths of Europe’s cybersecurity strategy and the insistence on a strategy of information sharing combined with people, process and technology should serve Europe well if it comes under a co-ordinated attack or suffers a natural disaster.
On the subject of how well national police forces are gearing up for the cyber age of hacking, fraud, counterfeiting, pornography and more, Purser said: "Awareness is high, but also awareness of the challenge is high. Developing the skills and expertise takes time and money and will have to be a balancing act. All in all I think police forces have come a long way and are arming themselves appropriately."
People, process and technology
Asked how Europe intends to respond if it comes under cyberattack or has to deal with a natural disaster, Purser repeated his creed: people, process and technology.
“ENISA is doing a lot of work around protecting critical infrastructure, the systems for a society to function: power stations, hospitals, electricity grids.
“We’ve come a long way and we work together to improve security. We help member states perform cybersecurity exercises that are the equivalent of the US Cyber Storm exercise and all 27 states play a sophisticated exercise based around a scenario and this involves real people in real jobs.
“If there was an attack on Ireland, for the sake of argument, it is the response that is critical – who do you call? What’s the political mandate? Who do you share information with?"
He said that this is critical because Europe is a collective of sovereign states and not one single military superpower.
“Survival and adaptability will be determined by our ability to react in minutes rather than hours and procedures are important. Europe is a lot better prepared than it was five years ago and we are reaching a reasonable state of maturity in terms of cyberdefence and response," Purser said.
“We now have a set of procedures. In the beginning we had nothing."
A version of this article appeared in The Sunday Times on 17 November