European Commission to boost Europe's defences against cyber-attacks
Posted in: Legal, Privacy & Security at 01/10/2010 17:58
The European Commission today unveiled two new measures to ensure that Europe can defend itself from attacks against its key information technology (IT) systems. A proposal for a Directive to deal with new cyber crimes, such as large-scale cyber attacks, is complemented by a proposal for a Regulation to strengthen and modernise the European Network and Information Security Agency (ENISA).
The two initiatives are foreseen by the Digital Agenda for Europe and the Stockholm Programme to boost trust and network security (see IP/10/581, MEMO/10/199 and MEMO/10/200). Under the proposed Directive, the perpetrators of cyber attacks and the producers of related malicious software could be prosecuted, and would face heavier criminal sanctions. Member States would also be obliged to respond quickly to urgent requests for help in the case of cyber-attacks, making European justice and police cooperation in this area more effective. Strengthening and modernising ENISA would also help the EU, Member States and private stakeholders develop their capabilities and preparedness to prevent, detect and respond to cyber-security challenges. Both proposals will be forwarded to the European Parliament and the EU's Council of Ministers for adoption.
Commission to boost Europe's defences against cyber-attacks [news release]
Commissioner Cecilia Malmström, in charge of Home Affairs, said: "Crime is finding new ways. With the help of malicious software, it is possible to take control over a large number of computers and steal credit card numbers, find sensitive information or launch large-scale attacks. It is time for us to step up our efforts against cyber crime, also often used by organised crime. The proposals we are putting forward today are one important step, as we criminalise the creation and selling of malicious software and improve European police cooperation".
Commission Vice-President for the Digital Agenda, Neelie Kroes, said: "Making every European digital will only happen if citizens feel confident and safe on-line. Cyber threats know no borders. A modernised European Network and Information Security Agency will bring new expertise and foster exchanges of best practice in Europe. Our EU institutions and governments must work ever more closely together, to help us understand the nature and scale of the new cyber-threats. We need ENISA's advice and support to help design efficient response mechanisms to protect our citizens and businesses online".
While Europe is engaged in taking full advantage of the potential of network and information systems, it should not become more vulnerable to disruptions caused by accidental or natural events (like submarine cable breaks) or by malicious actions (like hacking or other cyber-attacks). These could be based on, for example, increasingly sophisticated tools which hijack large numbers of computers and manipulate them simultaneously as an army of robots on the internet ("botnets") without their owners' knowledge. These infected computers can later be used to carry out devastating cyber-attacks against public and private IT systems, as happened in Estonia in 2007, where most online public services, as well as government, parliament and police servers, were made temporarily inoperative. The number of attacks against information systems has risen steadily since the EU first adopted rules on attacks against information systems in February 2005. In March 2009, the computer systems of government and private organisations in more than 100 countries were attacked by a network of compromised computers which extracted sensitive and classified documents. In this instance again, malicious software created 'botnets', networks of infected computers that can be remotely controlled to stage a coordinated attack.
The package proposed by the Commission today will strengthen Europe's response to cyber disruptions. The Commission's proposal on cybercrime builds on rules that have been in force since 2005, and introduces new aggravating circumstances and higher criminal sanctions that are necessary to fight more effectively the growing threat and occurrence of large scale attacks against information systems.
Moreover, it would pave the way for an improvement of cooperation between the judiciary and the police of the Member States, introducing the obligation for Member States to make better use of the existing 24/7 network of contact points by treating urgent requests in a specified timeframe.
Finally, the proposed Directive would provide for the establishment of a system to record and trace cyber attacks.
Reinforced cooperation across countries and industrial sectors
To help co-ordinate Europe's response, the Commission is proposing a new Regulation to strengthen and modernise the European Network and Information Security Agency (ENISA), which was first established in 2004. This would reinforce cooperation across EU Member States, law enforcement authorities and the industrial sector. ENISA will play an important role in boosting trust, which underpins the development of the Information Society, by enhancing the security and privacy of users.
Under its new mandate, ENISA would engage EU Member States and private sector stakeholders in joint activities across Europe, such as cyber security exercises, public private partnerships for network resilience, economic analyses and risk assessment and awareness campaigns.
A modernised ENISA would have greater flexibility and adaptability and would be able to provide EU countries and institutions with assistance and advice on regulatory matters.
Finally, to respond to the increased intensity of cyber security challenges, the proposed Regulation would extend ENISA's mandate for five years and gradually increase its financial and human resources. The Commission proposes that ENISA's governance structure would also be strengthened with a stronger supervisory role of the Management Board, in which the EU Member States and the European Commission are represented.
The proposed Directive on attacks against information systems repeals the Council Framework Decision 2005/222/JHA. Member States would have an obligation to comply with the new Directive on cyber crime, and transpose it into national legislation within two years from its adoption at the latest.
ENISA was created in 2004 and its current mandate expires in March 2012. It is now proposed to extend it by 5 years. This proposal for a Regulation was preceded by a broad process that included an evaluation of the Agency, recommendations by its Management Board, two public consultations and an impact assessment including a cost/benefit analysis.
Digital Agenda: Commission proposal to strengthen and modernise European Network and Information Security Agency (ENISA) - frequently asked questions
The European Commission today presented a proposal for a new mandate to strengthen and modernise the European Network and Information Security Agency (ENISA). This initiative is foreseen by the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200) as a means to boost trust and network security. Strengthening and modernising ENISA will help the EU, Member States and private stakeholders develop their capabilities and preparedness to prevent, detect and respond to cyber-security challenges. The proposal will be forwarded to the European Parliament and the EU's Council of Ministers for adoption. The ENISA proposal is complemented by a proposal for a Directive to deal with new cyber crimes, such as large-scale cyber attacks ("botnets"). See also IP/10/1239 and MEMO/10/463.
What is ENISA?
ENISA is the European Network and Information Security Agency. The Agency was created in 2004 for an initial period of five years. Its current mandate expires in March 2012. It is located in Heraklion, Greece.
ENISA's main goal is to ensure a high and effective level of network and information security within the EU in order to develop a culture of network and information security in society which will benefit citizens, consumers, businesses and public sector organisations, and so contribute to the smooth functioning of the Single Market.
ENISA has two main roles. The Agency gives support, advice and expertise to the EU institutions and the Member States on all relevant aspects of network and information security. It also facilitates the exchange of best practices and cooperation between both public and private sector organisations.
What are the aims of today's proposal?
One of the key actions of the Digital Agenda for Europe is a set of measures for a reinforced, high-level network and information security policy, including a legislative proposal for the modernisation of ENISA.
The main objective of today's proposal is to reinforce network and information security in Europe by enabling the EU, Member States and stakeholders to develop a high degree of capability and preparedness to prevent, detect and better respond to network and information security problems.
A modernised ENISA will play an important role in boosting trust, which underpins the development of today's digital society and economy, by enhancing the security and privacy of users. This will help make European businesses more competitive and strengthen the development of the Single Market.
Why modernise ENISA?
The evolving challenge of cyber-threats requires a greater effort from the EU.
In particular, the need to strengthen the role of ENISA was underlined by an evaluation of the Agency in 2007, the outcome of two public consultations (on ENISA in 2007 and on cyber security policy instruments in 2008-2009) and of a political debate that took place on network and information security. This debate resulted in December 2009 in a Council Resolution on a collaborative approach to network and information security (2009/321/01), which specifically called for further development of ENISA into a more efficient body and for an increase of its resources.
The Commission's proposal aims to give the Agency the appropriate tools to better focus on EU priorities and needs, to gain a more flexible response capability, to develop European skills and competences and to bolster its operational efficiency and overall impact.
How would ENISA's proposed new mandate enable it to face Europe's network and information security challenges?
Since the threat of cyber attacks is evolving and growing, a more cooperative approach is needed, in which a reinforced and modernised ENISA has an essential role. The Commission's proposal would extend ENISA's mandate for five years (to 2017) and includes the following key elements:
- Greater flexibility, adaptability and capability to focus.
- Better alignment of the Agency to the EU regulatory process, providing EU countries and institutions with assistance and advice.
- Interface with the fight against cybercrime; the Agency would take into account the network and information security aspects of the fight against cyber crime.
- Strengthened governance structure: stronger supervisory role of the Management Board, in which the EU Member States and the European Commission are represented.
- Simplification of procedures to improve efficiency.
- Gradual increase of the Agency's financial and human resources.
How would a modernised ENISA further enhance the security of electronic communications and of the Internet for Europeans?
This proposal complements a number of ongoing EU regulatory and non-regulatory policy initiatives in the area of network and information security, as consolidated in the Digital Agenda for Europe, which puts "Trust and Security" among its priorities.
ENISA provides direct support and advice to several of these:
- ENISA supports the policy cooperation in the European Forum for Member States (EFMS) and the European Public-Private Partnership for Resilience (EP3R), launched in 2009 by the Action Plan on Critical Information Infrastructure Protection (CIIP).
- ENISA provides expertise and assistance regarding the implementation of the security and data breach notification provisions of the revised EU telecoms rules.
- ENISA contributes to organising EU-wide cyber security preparedness exercises and provides technical support for the establishment of a Computer Emergency Response Team (CERT) for the EU institutions, and for the establishment of a Europe-wide network of national CERTs.
How would a modernised ENISA help in the fight against cyber-crime?
One of the elements of the proposal is that ENISA will act as an interface between cyber-security experts and public authorities involved in the fight against cyber-crime. By bringing together law enforcers, the judiciary and privacy protection authorities, network and information security aspects of the fight against cyber-crime will be better co-ordinated.
Will the tasks of ENISA change?
ENISA will take on a broader range of tasks. The tasks of the Agency are updated and formulated more broadly to allow for a more dynamic response to the constantly evolving network and information security challenges.
For example, ENISA will:
- Regularly assess, in cooperation with the Member States and the European institutions, the state of network and information security in Europe.
- Assist the EU and the Member States in promoting the use of risk management and security good practice and standards for electronic products, systems and services.
How does this proposal relate to other EU initiatives in the area of justice (e.g., the Stockholm programme) and the fight against cyber crime (e.g., the proposal for a Directive on attacks against information systems)?
The 2009 Stockholm Programme, adopted by the European Council on 10-11 December, promotes policies to ensure network and information security and faster reactions in the event of cyber attacks in the EU. In this respect, it called for both a modernised ENISA and a Directive on attacks against information systems.
Under the new ENISA proposal, law enforcement and privacy protection authorities would become fully fledged stakeholders in ENISA, which would allow the Agency to be an interface with the fight against cybercrime.
Why is the Commission proposing an interim measure of one and a half years along with a fully-fledged proposal on ENISA?
The Commission is aware that the European Parliament and Council may require some time to adopt the proposal on ENISA. Since there would be a risk of a legal vacuum if the new mandate of the Agency were not adopted before the expiry of the current mandate in March 2012, the Commission is also proposing, as an interim measure, a Regulation extending the current mandate of the Agency with identical terms (same mandate and budget) for 18 months.
This would allow time for debate and adoption while ensuring the consistency and continuity of ENISA's work.
Why is the Commission proposing a mandate of limited duration for ENISA?
Information and communication technologies are evolving rapidly. Both the sector's societal, economic and industrial aspects and the appearance of unforeseen challenges have to be taken into account. A mandate running to 2017 strikes a balance that allows medium-term planning for ENISA while leaving the EU institutions the means to adjust their approach to cyber-threats.
The new proposal would reinforce ENISA's mandate to contribute to ensuring network and information security in Europe.
Proposal for a Directive on attacks against information systems, repealing Framework Decision 2005/222/JHA
What is the problem to be addressed?
In recent years, the number of attacks against information systems (IT systems) - or, in common words, the illegal entering of or tampering with information systems - has risen steadily in Europe. Moreover, previously unknown large-scale and dangerous attacks against the information systems of companies, such as banks, the public sector and even the military, have been observed in the Member States and other countries. New concerns, such as the massive spread of malicious software creating 'botnets' - networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks - have emerged.
What is a botnet?
The term botnet indicates a network of computers that have been infected by malicious software (commonly, if loosely, called a computer virus). Such a network of compromised computers ('zombies') may be activated to perform specific actions such as attacks against information systems (cyber attacks). These 'zombies' can be controlled - often without the knowledge of the users of the compromised computers - by another computer. This 'controlling' computer is also known as the 'command-and-control centre'. The people who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems. It is very difficult to trace the perpetrators, as the computers that make up the botnet and carry out the attack may be located in a different place, or country, from the offender himself.
How does it work?
- In a preparatory step, a cyber criminal acquires or produces malicious software (the 'bot');
- One computer is set up by the criminal as the 'command-and-control centre', from which other computers will be remotely controlled through the malware;
- The bot program is installed on a victim computer and turns it into a 'zombie'; a zombie is able to infect further computers and turn them into zombies too, and all the zombies together form the botnet;
- Each zombie connects back to the command-and-control centre, so that the bots link the zombies to their controllers;
- The cybercriminals thereby take command and control of the zombies through the centre's servers;
- At this point they can send commands to the zombies, which execute those commands against the chosen targets.
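The lifecycle above ends with zombies connecting back to their controllers on a schedule. That regularity is itself a detection opportunity: a compromised machine that contacts the same host at near-constant intervals ('beaconing') looks very different from a person browsing. The following example is added here and is not part of the Commission's material; it runs over a small, constructed proxy log (timestamp, client IP, destination host) and flags client/host pairs whose inter-connection gaps are both numerous and regular. The hostnames, addresses and the thresholds (at least five connections, jitter of at most 10 %) are assumptions chosen for illustration.

```python
"""Spot botnet 'zombies' checking in with a command-and-control (C2) host
by looking for periodic (beaconing) connections in a proxy log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not from any real incident):
# ISO timestamp, client IP, destination host.
# 10.0.0.7 talks to c2.example.invalid every ~5 minutes (beaconing);
# 10.0.0.9 browses a news site at irregular, human-looking intervals;
# 10.0.0.12 contacts the C2 host only twice (too few samples to judge).
SAMPLE_LOG = """\
2010-09-30T08:00:00 10.0.0.7 c2.example.invalid
2010-09-30T08:05:01 10.0.0.7 c2.example.invalid
2010-09-30T08:10:00 10.0.0.7 c2.example.invalid
2010-09-30T08:14:59 10.0.0.7 c2.example.invalid
2010-09-30T08:20:00 10.0.0.7 c2.example.invalid
2010-09-30T08:25:01 10.0.0.7 c2.example.invalid
2010-09-30T08:00:12 10.0.0.9 news.example.invalid
2010-09-30T08:00:45 10.0.0.9 news.example.invalid
2010-09-30T08:07:03 10.0.0.9 news.example.invalid
2010-09-30T08:31:50 10.0.0.9 news.example.invalid
2010-09-30T09:02:10 10.0.0.9 news.example.invalid
2010-09-30T09:02:14 10.0.0.9 news.example.invalid
2010-09-30T08:03:00 10.0.0.12 c2.example.invalid
2010-09-30T08:09:00 10.0.0.12 c2.example.invalid
"""


def parse_log(text):
    """Yield (client, host, timestamp) from whitespace-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        yield client, host, datetime.fromisoformat(ts)


def beacon_candidates(text, min_connections=5, max_jitter=0.10):
    """Return {(client, host): mean_gap_seconds} for pairs whose connection
    intervals are regular enough to look like scheduled C2 check-ins.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps; assumed thresholds, tune them to the environment."""
    by_pair = defaultdict(list)
    for client, host, ts in parse_log(text):
        by_pair[(client, host)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if pstdev(gaps) / avg <= max_jitter:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    for (client, host), gap in beacon_candidates(SAMPLE_LOG).items():
        print(f"possible beacon: {client} -> {host} every {gap:.0f}s")
```

Only the 10.0.0.7 to c2.example.invalid pair is reported (about every 300 s). Real bots often randomise their sleep interval precisely to defeat this check, so in practice the jitter threshold is loosened and combined with other signals (rare destination, fixed request size, off-hours traffic), and a hit is a lead for investigation rather than proof of compromise.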
What is the size of the problem?
The number of attacks against information systems has increased significantly in the last few years and a number of attacks of previously unknown large and dangerous scale have been observed, such as those in Estonia and Lithuania in 2007 and 2008 respectively. In March 2009, computer systems of government and private organisations of 103 countries (including a number of Member States, such as Cyprus, Germany, Latvia, Malta, Portugal and Romania) were attacked by malware installed to extract sensitive and classified documents.
More recently the world witnessed the spread of a botnet called 'Conficker' (also known as Downup, Downadup and Kido), which has propagated and acted in an unprecedented scale and scope since November 2008, affecting millions of computers worldwide.
Inside the EU, damages from this botnet were reported in France, the UK and Germany. French fighter planes were unable to take off after military computers were infected by Conficker in January 2009. The German army reported in February 2009 that parts of its computer network were infected by Conficker, making the websites of the German army, and the Defence ministry unreachable and preventing them from being updated by their administrators. Certain IT services, including e-mails, were unavailable for weeks to the UK Ministry of Defence personnel in January/February 2009 after they were infected by the Conficker botnet.
In the last few days, experts at international level have issued an alert about a new type of malicious computer worm called Stuxnet that is infecting a high number of power plants, pipelines and factories and could be used to control plant operations remotely. If confirmed, this would be the first case of highly sophisticated malware aimed at industrial targets, a development experts do not hesitate to call ''the first directed cyber weapon''. Malware like Stuxnet could feed wrong information and orders to industrial plants and carry out sabotage at several levels, causing severe damage.
What is the aim of the cyber attacks?
The underlying objectives can be varied. Attacks can have criminal objectives or can be used as one of the means in a larger campaign to exert pressure. Attacks often include one or more of the following elements:
- Diverting money from bank accounts and stealing sensitive financial information
- Extortion: criminals only unlock the computers after the victims pay a certain amount of money to the controllers of the botnet;
- Sabotage purposes: disabling (critical) infrastructure, such as a security system, either to commit another crime, or in relation to a terrorist act;
- Exerting illicit pressure on a state or an organisation. This pressure can have various objectives. In some cases, pressure is exerted through illegal means: there are a number of documented cases where viruses attacked sites related to certain political movements, or attempted to take out the sites and servers of governments. Economic pressure on a company can be exerted through for example, the use of emails containing malware. These can also be used to undermine the reputation of a competitor.
- Illegal information gathering / spying activities. Information and Communication Technologies (ICT) are increasingly used for purposes of information gathering, setting up surveillance networks by breaking into computer systems of economic competitors, or political opponents.
A strong tendency towards greater involvement of organised crime in the attacks has been observed; organised crime groups may, for instance, hire hackers or other computer specialists to conduct a specific attack. A large-scale attack may be launched against the critical information infrastructure of, for example, a financial institution, followed by a message that the financial institution has to pay a ransom in order for the attack to cease. Networks of more than a million computers linked together by a command-and-control centre have been observed, and the damage caused by a coordinated attack through the use of such a network can be considerable.
What has been done so far to prevent and respond to attacks against information systems?
The issue of cyber attacks has been intensively discussed in Europe over the last few years. Following the adoption of a Framework Decision on attacks against information systems in 2005 (which is to be "updated" by the present proposal), extensive consultations at EU level have taken place, resulting in the 2007 Communication from the Commission "Towards a general policy on the fight against cyber crime". Most recently, a Commission Communication in 2009 on Critical Information Infrastructure Protection entitled "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" highlighted the threat posed by cyber attacks, and the need to secure our information systems. The present legislative proposal takes account of recent technical advances and the new modi operandi found in today's cyber attacks.
What are the rules in place at EU level?
On 24 February 2005, EU Member States agreed a Council Framework Decision (2005/222/JHA) that addresses the most significant forms of criminal activity against information systems, such as hacking, viruses and denial of service attacks. The Framework Decision seeks to approximate criminal law across the EU to ensure that Europe's law enforcement and judicial authorities can take action against this form of crime.
Before the Lisbon Treaty, EU rules were adopted under the former so-called "third pillar" as "Framework Decisions". For a transitional period until 2014, the Commission cannot take legal action to make sure Member States enforce these rules, as it can in other policy areas. Until then, it will continue to monitor and actively support effective implementation and compliance by Member States. This Framework Decision is currently still in force and would be repealed by the proposed Directive.
Why is the European Commission willing to adopt a new Directive on areas already covered by the Council Framework Decision?
On 14 July 2008, the Commission published a report on the implementation of the Framework Decision on attacks against information systems. While the concluding part of the report stated that significant progress had been made in most Member States and that the level of implementation was relatively good, it noted that implementation was still ongoing in some Member States. More importantly, the report underlined that "several emerging threats have been highlighted by recent attacks across Europe since adoption of the FD, in particular the emergence of large scale simultaneous attacks against information systems and increased criminal use of so called "botnets". These attacks were not the centre of focus when the FD was adopted. In response to these developments, the Commission will consider actions aiming at finding better responses to the threat [...]."
The cited Framework Decision currently in force was a first step towards addressing the issue of attacks against IT systems. Technological advances and new methods employed by perpetrators call for an improvement of EU rules.
In addition, the entry into force of the Lisbon Treaty on 1 December 2009 provides considerable advantages for new legislation to be adopted in the field of Justice and Home Affairs from now on. Legislation will no longer need to be approved unanimously by the EU Council of Ministers (which represents national governments). Instead, it will be adopted by a majority of Member States in the Council together with the European Parliament. A single country will not be able to block a proposal.
Implementation at national level will also be improved. The Commission will now be able to monitor how Member States apply EU legislation. If it finds that EU countries violate the rules, it will be in a position to refer the case to the European Court of Justice. These considerations add to the justification for the new proposed Directive.
What is new in the proposed Directive?
The proposed Directive, while repealing the Framework Decision in force, will retain its current provisions - namely the penalisation of illegal access, illegal system interference and illegal data interference - and include the following new elements:
- Penalisation of the use of tools (such as malicious software - e.g. 'botnets' - or unrightfully obtained computer passwords) for committing the offences;
- Introduction of 'illegal interception' of information systems as a criminal offence;
- Improvement of European criminal justice/police cooperation by:
  - strengthening the existing structure of 24/7 contact points, including an obligation to answer urgent requests within 8 hours; and
  - including the obligation to collect basic statistical data on cybercrimes.
Furthermore, the proposed Directive raises the level of criminal penalties to a maximum term of imprisonment of at least two years. Instigation, aiding, abetting and attempt of those offences will become penalised as well.
Once adopted, the Directive raises the level of criminal penalties for offences committed under aggravating circumstances to a maximum term of imprisonment of at least five years (instead of two years, as foreseen by Framework Decision 2005/222/JHA). The aggravating circumstances are offences:
(i) committed within the framework of a criminal organisation (already included under Framework Decision 2005/222/JHA);
(ii) committed through the use of a tool conceived to launch either attacks affecting a significant number of information systems, or attacks causing considerable damage, such as in terms of disrupted system services, financial cost or a loss of personal data (not previously included under Framework Decision 2005/222/JHA). This provision would be relevant to tackling the spread of malicious software that is now widely used to launch the most dangerous cyber attacks;
(iii) committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner (not included under Framework Decision 2005/222/JHA).
Terms of Reference
Botnet - indicates a network of computers that have been infected by malicious software (computer virus). Such network of compromised computers ('zombies') may be activated to perform specific actions such as attacks against information systems (cyber attacks). These 'zombies' can be controlled - often without the knowledge of the users of the compromised computers - by another computer. This 'controlling' computer is also known as the 'command-and-control centre'. The persons who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems. It is very difficult to trace the perpetrators, as the computers that make up the botnet and carry out the attack, might be located elsewhere than the offender himself.
Bot capacity - the number of computers in a given botnet.
Denial-of-Service (DoS) attack - a denial of service attack is an act to make a computer resource (for example a website or Internet service) unavailable to its intended users, typically by flooding it with more requests or traffic than it can handle. The contacted server or webpage will show itself as "unavailable" to its users. The result of such an attack could, for example, render online payment systems non-operational, causing losses for their users.
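The simplest form of the denial-of-service attack defined above is a request flood, and the first-line check for it is volumetric: count requests per source inside a sliding time window and flag sources that exceed what a legitimate client would plausibly send. The example below is added here and is not part of the Commission's material. It runs over a constructed web-server access log (timestamp, client IP, request line) in which one address sends 30 requests in under nine seconds while another browses normally; the addresses, the 10-second window and the 20-request ceiling are assumptions for illustration.

```python
"""Flag sources whose request rate inside a sliding window exceeds a
ceiling, a first-line indicator of a denial-of-service attempt."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from any real incident).
_BASE = datetime(2010, 9, 30, 12, 0, 0)
_FLOOD = [  # 203.0.113.5 fires 30 requests 300 ms apart (about 8.7 s total)
    f"{(_BASE + i * timedelta(milliseconds=300)).isoformat()} 203.0.113.5 GET /login"
    for i in range(30)
]
_NORMAL = [  # 198.51.100.8 makes five requests spread over a minute
    f"{(_BASE + timedelta(seconds=s)).isoformat()} 198.51.100.8 GET /{p}"
    for s, p in [(5, ""), (17, "news"), (29, "news/1"), (41, "about"), (58, "contact")]
]
SAMPLE_ACCESS_LOG = _FLOOD + _NORMAL


def parse(lines):
    """Yield (timestamp, client, request) from 'ISO-time client request' lines."""
    for line in lines:
        ts, client, request = line.split(" ", 2)
        yield datetime.fromisoformat(ts), client, request


def flood_sources(lines, window=timedelta(seconds=10), max_requests=20):
    """Return {client: peak_requests_in_window} for every client that sent
    more than max_requests inside any sliding window of the given length.

    Events are processed in time order; each client keeps a deque of the
    timestamps still inside the window, so memory is bounded by the rate."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, client, _ in sorted(parse(lines)):
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


if __name__ == "__main__":
    for client, peak in flood_sources(SAMPLE_ACCESS_LOG).items():
        print(f"possible flood from {client}: {peak} requests within 10s")
```

Only 203.0.113.5 is reported, with a peak of 30 requests in the window. A per-source count like this is blind to a botnet flood in which each zombie stays under the ceiling, so in practice it is paired with an aggregate rate per target and per path; it also mis-fires on many users behind one proxy or NAT address, which is why a hit should throttle or challenge the source rather than block it outright.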
Information System is any device or group of interconnected or related devices, one or more of which, pursuant to a programme, performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance. An example of this is a computer or a server.
Illegal System Interference is the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data, which is punishable as a criminal offence when committed without right, at least for cases which are not minor (as defined in Framework Decision 2005/222/JHA).
Illegal data interference is the intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system, which is punishable as a criminal offence when committed without right, at least for cases which are not minor (as defined in Framework Decision 2005/222/JHA).
Large-scale attacks are attacks that are either carried out by big botnets, or that cause considerable damage, e.g. in terms of disrupted system services, financial cost or loss of personal data. The damage caused by the attack can have a major impact on the functioning of the target itself, and/or affect its working environment. In this context, a 'big' botnet will be understood as one with the capacity to cause serious damage. It is difficult to define botnets in terms of size, but the biggest botnets witnessed were estimated to have between 40,000 and 100,000 connections (i.e. infected computers) per 24-hour period.
Malware is computer software designed to infiltrate or damage a computer system without the owner's consent. It is distributed through a variety of means (emails, computer viruses, botnets). The intention is to obtain data (passwords, codes) fraudulently, or to integrate the computer into a network destined to be used for criminal actions.
Phishing is the use of electronic mail that convinces end users to reveal confidential data via websites that imitate the sites of bona fide companies (e.g. websites of banks).
Spam is electronic messages sent in large numbers to internet users without their consent. These unsolicited electronic messages are usually of a commercial nature. Spam is the electronic equivalent of stuffing letter boxes with advertising materials that have not been requested by their recipients.
Spyware is software that is installed on a user's computer without his knowledge. Such software transmits information on the user and his habits once connected to the internet. The information gathered this way is usually intended for use by advertisers.
For media coverage on this announcement, see: