Securing vulnerable networks across Europe
Over the past ten years the European Union has failed to protect the continent's energy security. Will it do any better when it comes to cyber-security?
At an EU conference on that subject in Tallinn on April 27th, participants wrestled with the need to act and the difficulty of deciding what exactly to do. The location was a suitable one: Estonia is the only EU member state to have suffered a full-scale cyber-attack, in April 2007. Amid a furious row with Russia about the relocation of a Soviet-era war memorial, a flood of bogus internet traffic disabled the country's main websites, briefly shutting down vital public services and crippling businesses such as online banking.
Yet two years later, the EU and its member states are still wrestling with the issue. Knowing whether such attacks come from pranksters, hooligans, terrorists, criminals or an unfriendly government is difficult—sometimes impossible. But the potential damage is clear: everything from water and electric power to financial industries and retail distribution depends on the internet. The right combination of malicious code, stolen or hacked passwords and a badly designed system could mean catastrophe.
One temptation is to put lots of faith in expensive and gimmicky technical fixes. But as Scott Borg, an American expert attending the conference, pointed out, the starting point should be economics: without knowing the cost of, say, a 24-hour power shutdown as opposed to a six-hour one, it is hard to know what priority to give the means necessary to prevent it.
A simple form of defence is sharing information. But that requires trust. If news of a cyberstrike on a business leaks out, it can scare customers and send share prices plummeting. The last thing that business will want to do is announce that it has been attacked. Yet pooling knowledge strengthens everyone's defences. Similarly, getting businesses and bureaucrats to share information runs into cultural barriers, as well as worries about confidentiality and legal liability.
So it is no surprise that countries with a high level of social trust are way ahead of the rest. Sweden, for example, will be staging its third bi-annual cyber-warfare exercise on May 6th and 7th, in which officials and businesses will practise coping with simulated attacks, some using live "ammunition", and work out how they would keep the economy and public services going most effectively. Most EU member states are nowhere near that level. Some have yet to set up a national body, usually known as a computer emergency readiness team or CERT, to coordinate cyber-defences.
That makes a provisional plan to hold EU-wide cyberwar exercises by 2010 look ambitious. So is placing great hopes on a common regulatory framework to deal with cyber-security, for example setting clearer rules about identity on the internet. It is hard to imagine the "black hats" (the generic term for the bad guys) quaking at the thought of yet another fat document emerging from the Brussels bureaucracy.
One contentious idea discussed at the conference was whether to make internet service providers (ISPs) legally liable, at least to some extent, for the damage caused by the data they transmit. That might encourage them to police and protect their customers better. But given the scale of the potential risk, it is hard to see how any ISP could cope.
The best hope is that countries with the best cyber-defences keep innovating and coordinating their efforts, and that over time more states will join them. By most counts, they number roughly seven European countries, including non-EU Norway. For everyone else, some prudent supplies of bottled water, canned food and candles sounds sensible.
(Europe.view column, April 30, 2009, Economist.com. Also posted on the author’s blog)
Batten down the cyber-hatches