Lords Demand NATO, EU Cooperate On Cyber Security

The lack of cooperation between the EU and NATO on cyber security issues is leaving member states vulnerable to “potentially catastrophic” cyber attacks, according to a new report by the House of Lords.

The report examines how European states and their major organisations can defend themselves and their critical information infrastructures against large-scale cyber attacks, as well as assessing what level of EU intervention is appropriate.

EU should co-ordinate cyber security

“We regard the primary role of the EU as being to coordinate the activities of the member states, spread best practices, and bring the slowest member states up to the speed of the fastest,” the report states. “We believe that the government and the EU should be giving greater attention to how cyber security could be developed on a global basis. In particular, consideration needs to be given to the gradual development of international rules which will effectively discourage the launching of proxy attacks from within the jurisdiction of some of the main users of the Internet.”

The report found that, while the United Kingdom is “reasonably well placed to cope with such disruptions,” other European countries need encouragement to protect their online infrastructures. In particular, it highlighted the case of Estonia, which suffered an online attack in 2007 that took down the banking system, government and other core services.

“A first step must be better cooperation with NATO,” said Lord Jopling, chairman of the sub-committee on home affairs. “The EU and NATO have similar interests in defence against cyber-attacks and work in similar ways, yet there is virtually no communication between them. There must be cooperation rather than duplication.”

“Further to this, broadening the dialogue with other major international players, such as the US, Russia and China will be essential if we are to become more robust in our defences against cyber attacks,” he added.

Late last year the New York Times reported that the US was in secret talks with Russia and the United Nations about strengthening Internet security and limiting military use of cyberspace. According to cyber security expert James Lewis, many countries are developing weapons – such as logic bombs, botnets and microwave radiation devices – for use on large-scale operations networks. However, none of the countries involved want to hinder any future deployment by revealing the technologies they had developed.

The Lords’ report emphasised the need for developing national and governmental Computer Emergency Response Teams (CERTs) in less advanced member states, in order to prepare them for any large-scale attacks. It also recommended extending the mandate of the European Network and Information Security Agency (ENISA), which is currently based in Haraklion in Crete.

However, it expressed disappointment that British ISPs and the rest of the commercial UK Internet industry, including BT, Cable & Wireless, and Virgin Media, “should not have shown more interest in submitting evidence to this inquiry”.

Tories plan cyber defence increases

Earlier this year the Tories outlined plans to defend the UK against cyber attacks, and promised to improve national security, if the party is elected to government at the next election. These plans include setting up a Cyber Threat and Assessment Centre (CTAC), which would act as the single reporting point for all cyber-related incidents.

In 2009, the European Commission warned that a major cyber-attack could cost Europe £179 billion.

“There are concerns about cyber attacks originating from foreign shores, but keeping these nations at arm’s length will make this worse,” said Tony Dyhouse, director of the UK’s Cyber Security Knowledge Transfer Network (CSKTN), at the time. “Unfortunately businesses and organisations, particularly in cyber-security, have vested interests and aren’t always keen to share for fear of losing the competitive advantage. Addressing this silo mentality will be one of the key challenges of any cyber-security policy over the next few years.”