In April 2019 the Leverkusen-based pharmaceutical company Bayer reported that it had been attacked with the so-called “Winnti” malware by a hacker group suspected of being Chinese. The attackers were highly professional: they had infected systems at the boundary between the intranet and the Internet and tried to penetrate deeper from there. Apparently they had not yet managed to steal information. But Winnti has also been found in at least three other German companies. The threat situation in cyberspace has been serious for years, and European policy is countering it with a small agency in Greece that is currently celebrating a voluntary certificate as a great success.
In Brussels, the European Union Agency for Network and Information Security (ENISA) celebrated its 15th anniversary. The agency was set up to safeguard network and information security (NIS) within the European Union. Its seat is in Heraklion, Greece, and its budget has so far been relatively small. The mood at the party was nevertheless optimistic: at the beginning of the year ENISA had, by its own account, achieved a great success when the EU adopted the Cybersecurity Act that the Commission had proposed. With it the EU commits to a certification framework for digital products, services and processes, from consumer devices and smart homes to industrial solutions and critical infrastructures. For companies, participation is voluntary.
A common European market does indeed need a common cyber policy. ENISA sees itself as the central competence centre for cyber security, which governs certification and promotes the exchange of information between the member states and with research. Cyber security has arrived in politics, it was said several times in the speeches in Brussels: the threat is serious, and now it is being taken seriously. Experts doubt that, however, because of the complex structure of the EU. Can a single EU agency even play a key role in protecting against cyber attacks?
The certification is a start. “We want to make it possible for the end user to better assess whether a product is safer than other products,” says ENISA Director Udo Helmbrecht when I meet him in Brussels. “The certificate is comparable to the energy labels on refrigerators or child car seat certificates: manufacturers agree to comply with certain standards when they participate.” Helmbrecht hopes this will give EU companies a market advantage: “When standards hit the market, companies will invest. The market rewards security.”
A secure market is ENISA’s primary objective, and that is exactly where a problem lies: ENISA is not a defence agency. “The article on which the agency is founded relates to economic growth in the EU, and that also requires a secure digital space,” says Helmbrecht. “That is why we look at the risks that companies and consumers are exposed to through such technologies. Intelligence and military issues such as espionage are not part of our mandate.” Only industrial espionage is a grey area, he says, and there the focus is on prevention.
Who is responsible for what is the EU’s big dilemma. Under the NIS directive of 2016 (the directive on security of network and information systems), member states must build cyber security structures and take part in exercises. How they do the former, however, is largely up to them: the German agency BSI falls under the Ministry of the Interior; Greece has a Ministry of Digital Policy, Telecommunications and Media; in Lithuania cyber security is attached to the Ministry of Defence. The interests of the individual member states differ accordingly, as Helmbrecht confirms. Germany, for example, is currently focused on critical infrastructures, a topic of the Ministry of the Interior.
This patchwork is mirrored at the EU level. Besides ENISA there is the Computer Emergency Response Team for the EU institutions (CERT-EU), which responds to attacks on the IT of the EU institutions. Europol’s European Cybercrime Centre (EC3) becomes active when called on by Europol’s Cyber Intelligence Team, which draws on the network of national Computer Security Incident Response Teams (CSIRTs), the national counterparts of CERT-EU. The European Defence Agency (EDA) is responsible for cyber security in the military sphere but, like ENISA, has no forces of its own; it is a centre of competence. The European Agency for the Operational Management of Large-Scale IT Systems (eu-LISA) runs and protects large information systems such as the Visa Information System (VIS) and the fingerprint database EURODAC. The European Aviation Safety Agency (EASA) deals with cyber security in aviation, and similar bodies exist for rail and maritime transport. New additions are a Cybersecurity Industrial, Technology and Research Competence Centre and a Cybersecurity Competence Network; both could take over responsibilities from ENISA once the agency is fully occupied with the certification process.
The consequence of this fragmentation is great legal uncertainty, says Ursula Pachl, Deputy Director-General of the European Consumer Organisation (BEUC), whose members include the German consumer centres. A recent example of this uncertainty is a series of children’s smartwatches that came on the market. With these watches, parents can communicate with their child and find out where it is. The Norwegian Consumer Council (Forbrukerrådet) found blatant security flaws in the devices: it is relatively easy for an attacker to take control of a watch via an Internet portal. He could then track the child and communicate with it, while at the same time showing the parents a false location. The data is also transmitted and stored unencrypted, and users cannot even delete it. An SOS button that the child can press when in danger works unreliably. “Such devices should not be sold in Europe,” says Pachl. Parents believe they are protecting their children but actually expose them to greater risk. “We contacted all kinds of institutions: data protection, consumer protection, the Commission. Nothing happened.”
A month ago, however, Iceland responded by withdrawing one of these watches, the Enox Safe-Kid-One, from the market and issuing an alert in the “Safety Gate”, the EU’s rapid alert system through which member states and the European Commission exchange information on dangerous non-food products that endanger the health and safety of consumers. Iceland, too, had a problem of competence, because it was unclear whether the data protection authority, the consumer protection authority or even the competition authority was responsible. But Iceland has a rule that in case of doubt one authority is given jurisdiction, in this case the consumer protection authority. No other country has such a rule. Iceland is therefore a model: the EU’s digital economy needs a similar approach to ensure clear ownership among its multitude of institutions.
Cyber security is now an issue in almost all products. It is no longer only about the classic critical infrastructures; even everyday products are attack surfaces today. It costs a toy manufacturer, for example, only a few cents to put a chip into a product, which then reports data back: whether the product is defective and where, and how it is used. For the manufacturer such information is precious. As a result, more and more industries are developing digital products even though they have no experience with cyber security and may not take it seriously. Helmbrecht, too, says the topic has evidently not yet reached many companies.
The approval procedures, on the other hand, are outdated. For toys they ask whether there is a risk of injury or of harmful substances; a chip would only be a problem if a child could swallow it. The certificate introduced by ENISA would change that, but it is voluntary. “Such self-regulation is inadequate,” says Pachl. “We fear that the certificate is not attractive enough for businesses because consumers are not sensitised enough to cyber security to demand it.”
Security experts are sceptical too. Sergej Epp, Chief Security Officer for Central Europe at the US security company Palo Alto Networks, warns of the growing attack surface created by a constant stream of new devices that we no longer even perceive as digital, and of the simultaneous increase in attack attempts. “In theory, anyone can mount an attack,” he says. “It is enough to be connected to the Internet. You can paralyse the biggest companies from any corner of the world. You need neither money nor sophisticated equipment; you just have to know how to do it.” And that knowledge, he says, can now be acquired over the Internet.
Moreover, it usually takes months, sometimes years, before an attack is discovered. Bayer, too, announced that it was impossible to reconstruct how long the attackers had been in the company’s network. “That is often because the experts in the companies do not have the means to create enough transparency,” says Epp. Regulations such as the German Federal Data Protection Act (BDSG), he argues, take too little account of the risks companies face; there would have to be exceptions in the event of a suspected attack. To understand the attack strategy, security experts would have to analyse all the data residing on the corporate servers, including data that is otherwise protected.
Epp does not see the EU as well positioned, partly for geopolitical reasons. European countries have come under attack less than the United States, which invested billions in cyber security years ago, both in the economy and in the military. In the EU, politics and business invest too little, and business still tends to react rather than rely on preventive measures. A certificate would be a step forward. “However, regulators should not treat cyber security like a compliance black box and use a checklist to tick off which features a product has and which it does not,” says Epp. “Similar to a car crash test, manufacturers would have to prove that their product is safe to use in the overall system, in a simulation where it is exposed to real attacks.” A model could be the financial industry, which established the framework for Threat Intelligence-based Ethical Red Teaming, TIBER-EU for short, a common framework for testing and building resilience with threat-intelligence-driven red-team exercises. Such exercises are also run in so-called cyber ranges.
In Finland, JAMK University of Applied Sciences has set up such a training centre, JYVSECTEC, with a cyber range as the actual training platform. In it, banks, government organisations and companies can deal with attacks under realistic conditions; user traffic, for example, is simulated. The Finnish developers have put together a “red team”, security experts who play the role of attackers: criminals, hacktivists or state hackers.
The attack team uses tools and methods that are in circulation: DDoS attacks, botnets, ransomware, phishing, malware, Trojan horses or “watering holes”. In the latter method, attackers watch which poorly secured websites a company’s employees frequent, compromise such a site and wait for a careless employee to make a mistake; that employee then becomes the ticket into the actual target. “It is important not just to be technologically prepared,” says Jani Päijänen, project manager at JYVSECTEC. “Management should be as involved in training as production, sales, PR or human resources, depending on the company.” The researchers collaborate with the Finnish security company F-Secure to keep an eye on all current threats. Päijänen says: “It is very time-consuming to keep the cyber range up to date, because new malware and new strategies crop up over and over again.” But that is the only way to prepare the participants.
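The watering-hole method described above can be turned around into a defensive check. The following Python script is an added example and is not code from the original article or from JYVSECTEC: it runs over a constructed web-proxy log (the sample lines, the host names and the assumption that the organisation’s own domains end in .corp.test are all invented for illustration). It first lists the external sites visited directly by many different employees, which is exactly what an attacker would look for when choosing a watering hole, and then flags any such site that, after a baseline period, starts pulling resources from a host it never referred to before, which is the typical footprint of an injected loader script.

```python
"""Watering-hole triage over constructed web-proxy log lines (added example).

Two views over the same log:
  1. which external sites many different employees visit directly
     (the candidate watering holes an attacker would pick), and
  2. which of those sites suddenly starts referring browsers to a host
     never seen in the baseline period (a possible injected payload host).
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample, one request per line: "<iso-time> <user> <url> <referrer>".
# "-" means no referrer. None of this is real traffic.
SAMPLE_LOG = """\
2019-04-01T08:01:10 alice https://news-example.test/index.html -
2019-04-01T08:02:30 bob https://news-example.test/index.html -
2019-04-01T08:03:12 carol https://news-example.test/sports.html -
2019-04-01T08:03:40 alice https://news-example.test/js/app.js https://news-example.test/index.html
2019-04-01T08:03:45 alice https://static-cdn.test/jquery.js https://news-example.test/index.html
2019-04-01T09:10:00 dave https://supplier-portal.test/login -
2019-04-02T08:00:05 bob https://news-example.test/index.html -
2019-04-02T08:00:30 bob https://news-example.test/js/app.js https://news-example.test/index.html
2019-04-02T12:00:00 erin https://internal.corp.test/wiki -
2019-04-03T08:05:00 alice https://news-example.test/index.html -
2019-04-03T08:05:20 alice https://cdn-update-check.test/loader.js https://news-example.test/index.html
2019-04-03T08:05:25 alice https://static-cdn.test/jquery.js https://news-example.test/index.html
2019-04-03T08:07:00 carol https://news-example.test/index.html -
2019-04-03T08:07:15 carol https://cdn-update-check.test/loader.js https://news-example.test/index.html
"""

# Assumption for this example: everything under these suffixes is internal.
INTERNAL_SUFFIXES = (".corp.test",)


def parse_line(line):
    """Split one log line into time, user, requested host and referrer host."""
    ts, user, url, ref = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "host": urlparse(url).hostname,
        "ref_host": urlparse(ref).hostname if ref != "-" else None,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_external(host):
    return host is not None and not host.endswith(INTERNAL_SUFFIXES)


def candidate_watering_holes(records, min_users=3):
    """External hosts opened directly (no referrer) by >= min_users distinct employees.

    Returns (host, distinct_user_count) pairs, most popular first.
    """
    users = defaultdict(set)
    for r in records:
        if r["ref_host"] is None and is_external(r["host"]):
            users[r["host"]].add(r["user"])
    return sorted(((h, len(u)) for h, u in users.items() if len(u) >= min_users),
                  key=lambda item: (-item[1], item[0]))


def new_third_party_hosts(records, baseline_end, watched_hosts):
    """Third-party hosts a watched site refers to after baseline_end but never before.

    baseline_end is an ISO timestamp string; same-host resources are ignored,
    so only genuinely new external resource hosts are reported.
    """
    cutoff = datetime.fromisoformat(baseline_end)
    seen_before, seen_after = defaultdict(set), defaultdict(set)
    for r in records:
        if r["ref_host"] in watched_hosts and r["host"] != r["ref_host"]:
            bucket = seen_before if r["time"] <= cutoff else seen_after
            bucket[r["ref_host"]].add(r["host"])
    return {site: sorted(seen_after[site] - seen_before[site])
            for site in seen_after if seen_after[site] - seen_before[site]}


def triage(log_text, baseline_end, min_users=3):
    """Run both checks and return the candidates and the newly referred hosts."""
    records = parse_log(log_text)
    candidates = candidate_watering_holes(records, min_users)
    watched = {host for host, _ in candidates}
    return {"candidates": candidates,
            "new_hosts": new_third_party_hosts(records, baseline_end, watched)}


if __name__ == "__main__":
    # Day 1 and 2 form the baseline; day 3 is the period under review.
    print(triage(SAMPLE_LOG, "2019-04-02T23:59:59"))
```

Flagging a new resource host is only a lead, not proof of compromise: legitimate sites add CDNs and trackers all the time, so the next step is to fetch the flagged script through a sandbox and compare it with what the site served during the baseline.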
Päijänen does not want to say what the typical weak points are. In general, though, communication is a problem: technology, management and PR staff need to work together better, for example using real-time reporting tools, so that everyone is always up to date and able to develop a common strategy during an attack, including how to communicate with the public and business partners. Communication during an attack is a complex process.
Smaller companies depend on external providers for security, but they too benefit from such exercises: they also need to understand how attacks work and what their consequences are. After all, attackers’ resources are finite, and they always have to calculate whether an attack is worth the investment. “If the target is well prepared, the resources needed increase,” says Päijänen.
The expertise exists in Europe. The path ENISA has set out on is fundamentally correct, but it is not consistent: Europe needs not only a good environment for research but also IT security companies and, above all, more investment. It also needs binding security standards, clear responsibilities in the member states and an EU-wide competence centre with an appropriate budget. A prerequisite for all this is greater awareness in politics, in companies and, not least, among consumers. And that, many experts fear, may only come once the first disaster has struck.
This article appeared in a modified form in the magazine “t3n”.