enisa & cybersecurity

Upload: marcello-lopez

Post on 14-Apr-2018

  • 7/29/2019 ENISA & Cybersecurity

    1/47

    ENISA & Cybersecurity

    Steve Purser

    Head of Core Operations Department

    March 2013

    Agenda

    Introduction to ENISA

    The meaning of Cyber Security.

    The ENISA Threat Landscape

    Protecting Critical Information Infrastructure.

    Cyber Security Strategies

    Assisting Operational Communities

    Security & Data Breach Notification

    Data Protection

    ENISA

    The European Network & Information Security Agency (ENISA) was formed in 2004.

    The Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information security.

    We facilitate the exchange of information between EU institutions, the public sector and the private sector.

    Information Security / Cyber security

    From a technological perspective, there is little that separates classical information security from Cyber security.

    Cyber security is about securing data and systems in the global environment. It is just the perspective that changes.

    Adopting this point of view, Cyber security is by definition a global concern.

    Due to the nature of the problem, advances in Cyber security are most likely to be achieved through political cooperation.

    The Basics Are Still Valid

    What we have already learned remains valid. It's still all about securing how people interact with process and technology.

    Fundamental principles still apply:

    Defence in depth.

    The need for End-to-End security.

    The same methods and tools will be used:

    Risk management. Policy Control Frameworks Processes + Tools.

    There is a risk of reinventing the wheel.

    Cross-Border Issues (I)

    People, process and technology are all influenced by national policies and approaches.

    Where people are concerned:

    The governance structure for cyber security is not adapted to the reality of the global threat.

    Roles and responsibilities need to be clarified both at the national level and at the international level.

    Different communities need to align their goals so as to achieve synergies and avoid duplication.

    We need better mechanisms for building communities to address common cyber security problems.

    Cross-Border Issues (II)

    Where process is concerned:

    There is no agreed structure for cross-border processes relating to cyber security.

    Processes for information sharing need to be improved.

    Cross-border response mechanisms, such as Standard Operating Procedures, need to be agreed.

    Where technology is concerned:

    Security solutions must be able to inter-operate over national boundaries.

    Minimum security standards need to be agreed.

    The principle of Defence in Depth should be applied at the EU level.

    Evolution of Threats

    The way in which threats related to information security evolve is extremely complex.

    There are many variables affecting the evolution of such threats, which make prediction extremely difficult, even if we have data on current trends.

    It's a bit like the weather forecast: we have a reasonable idea of the near future, but it gets more hazy as the timeframe increases.

    In cyberspace, our ability to predict major events is probably in the range of hours.

    Our predictive powers are poor in this area.

    Economic Constraints

    Attackers have learnt how to exploit the weaknesses created by the new business model and are themselves becoming more efficient.

    The window between the publication of a vulnerability and the appearance of exploit code is continually decreasing.

    The real issue - As businesses strive for greater speed and efficiency, it becomes more difficult to maintain an effective system of internal controls.

    The solution to this problem lies in successfully combining people, process and technology.

    The Report

    The ENISA Threat Landscape provides an overview of threats and current and emerging trends.

    It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends.

    Over 120 recent reports from a variety of resources have been analysed.

    Method

    The approach was to collect and aggregate existing, publicly available information and compile it into a single report on the threat landscape.

    Over 120 individual reports have been taken into account for this work, most of those issued in 2012.

    Elements of the ENISA threat landscape included in this deliverable are:

    A Current Threat Landscape consisting of development of threats as they have been reported by international stakeholders such as CERTs, industry, professional associations and academia and

    An Emerging Threat Landscape consisting of threat trends identified.

    The Commission CIIP Communication

    www.enisa.europa.eu

    "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", published 30 March.

    Strengthens the role of ENISA.

    Activities within the scope of the European Program for Critical Infrastructure protection (EPCIP).

    Proposes five areas, or pillars, of action.

    ENISA is explicitly called upon to contribute to three of these areas.

    Cyber Exercises

    Cyber Europe 2010.

    Europe's first ever international cyber security exercise.

    EU-US exercise, 2011.

    Also a first: work with COM & MS to build transatlantic cooperation.

    Cyber Europe 2012.

    Developed from 2010 & 2011 exercises.

    Involves MS, private sector and EU institutions.

    Highly realistic exercise, Oct 2012.

    o 339 organisations

    o 571 Individual Players in all Europe

    [Chart: Playing Organisations, with bar values 53, 97, 113 and 76; category labels not preserved]

    National Cyber Security Strategies

    Good Practice Guide on Cyber Security Strategies (2012)

    Known good practices, standards and policies

    The elements of a good Cyber Security Strategy

    Institutions and roles identified in a Strategy

    Parties involved in the development lifecycle

    Challenges in developing and maintaining a Strategy

    Member States with NCSS

    Czech Republic

    Estonia

    Finland

    France

    Germany

    Lithuania

    Luxembourg

    Netherlands

    Slovakia

    United Kingdom

    Chronology EU Member States

    Estonia (2008): Emphasises the necessity for a secure cyberspace. Measures concentrate on regulation, education and cooperation.

    Finland (2008): Cyber security is closely related to data security and of key economic importance.

    Slovakia (2008): Emphasises societal aspect. Strategic objectives on prevention, readiness and sustainability.

    Czech Republic (2011): Focusses mainly on unimpeded access to services, data integrity and confidentiality.

    France (2011): Stresses technical measures, the fight against cyber crime and cyber defence.

    Chronology EU Member States

    Germany (2011): Focuses on preventing and prosecuting cyber-attacks and failure of critical infrastructure.

    Lithuania (2011): Concentrates on confidentiality, integrity and accessibility of electronic information and services.

    Luxembourg (2011): Strategy based on five action lines; incident response, legal framework, cooperation, education and awareness and promoting standards.

    Netherlands (2011): Acknowledges the need for security but also for the openness and freedom of the Internet.

    UK (2011): Concentrates on national objectives; aims to make cyberspace a safe place for citizens and businesses.

    Other Cyber Security Strategies

    USA (2011): Activities across seven interdependent areas:

    Economy, Protecting Networks, Law Enforcement, Military, Internet Governance, International Development, Internet Freedom.

    Canada (2010): Built on three pillars:

    Securing government systems.

    Partnering to secure vital cyber systems outside the federal Government.

    Helping Canadians to be secure online.

    Japan (2010): Three areas of action:

    Reinforcement of policies taking account of possible outbreaks of cyber-attacks and establishment of a counteractive organization.

    Establishment of policies adapted to changes in the information security environment.

    Establishing active rather than passive information security measures.

    EU Cyber Security Strategy (1)

    In February, the EU Commission published:

    Cybersecurity Strategy for the EU

    Proposal for a Directive on Network and Information Security (NIS)

    The strategic priorities are as follows:

    Achieving resilience

    Drastically reducing cybercrime

    Developing cyber defence related to CSDP

    Developing industrial and technological resources for cybersecurity

    Establish an EU international cyberspace policy

    EU Cyber Security Strategy (3)

    The Commission asks ENISA to:

    Support the organisation of a yearly cybersecurity month.

    Develop, in cooperation with relevant stakeholders, technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors.

    Collaborate with Europol to identify emerging trends and needs in view of evolving cybercrime and cybersecurity patterns so as to develop adequate digital forensic tools and technologies.

    Supporting Operational Communities - Overview

    National/governmental CERTs

    National/governmental CERTs: the situation has changed

    in 2005 / in 2012

    Established in 2005: Finland, France, Germany, Hungary, The Netherlands, Norway, Sweden, UK

    Baseline capabilities of n/g CERTs

    Initially defined in 2009 (operational aspects)

    In 2010 Policy recommendations drafted

    In 2012 ENISA continues to work on a harmonisation together with MS

    Status Report 2012

    National/governmental CERT capabilities updated recommendations 2012

    EISAS Large Scale Pilot

    European Information Sharing and Alert System introduced in COM(2006) 251: Communication on a strategy for a Secure Information Society

    In 2012: Pilot Project for collaborative Awareness Raising for EU Citizens and SMEs

    Gathered n/g CERTs, governmental agencies and private companies in 6 different MS

    Cross-border awareness raising campaign

    Reached more than 1.700 people in 5 months

    Social networks involved

    Security & Data Breach Notification

    Supporting MS in implementing Article 13a of the Telecommunications Framework Directive

    Supported NRAs in implementing the provisions under article 13a

    Developed and implemented the process for collecting annual national reports of security breaches

    Developed minimum security requirements and proposed associated metrics and thresholds

    Supporting COM and MS in defining technical implementation measures for Article 4 of the ePrivacy Directive.

    Recommendations for the implementation of Article 4.

    Collaboration with Art.29 TS in producing a severity methodology for the assessment of breaches by DPAs

    Article 13a - Incidents 2011

    51 incidents from 11 countries, 9 countries without significant incidents, 9 countries with incomplete implementation

    Most incidents:

    Affect mobile comms (60%)

    Are caused by:

    hardware/software failures (47%),

    third party failures (33%),

    natural disasters (12%)

    Many involve power cuts (20%)

    Natural disasters (storm, floods, et cetera) often cause power cuts, which cause outages

    The right to be forgotten - between expectations and practice

    Included in the proposed regulation on data protection published by the EC in Jan 2012.

    ENISA addressed the technical means of assisting the enforcement of the right to be forgotten.

    A purely technical and comprehensive solution to enforce the right in the open Internet is generally not possible.

    Technologies do exist that minimize the amount of personal data collected and stored online.