Europe Plays Cyber War Games – But What Now?

Today, public sector organisations, banks and ISPs fought off massive distributed denial of service (DDoS) attacks. Fortunately, they weren’t genuine attacks, they were just part of war games that the EU hopes will bolster collaboration in the cyber security space. But why are they bothering?

It’s largely because the European Union is going to release its grand Cyber Security Strategy in a matter of months. Given there has only been one other Europe-wide security test before, in 2010, another one was needed to feed into that strategy and determine how ready the bloc would be if cyber war became a reality.

“This document will bring different EU policy areas together and will be launched in a few months time,” said Baroness Ashton, the EU foreign affairs chief today, at the Budapest Conference on Cyberspace, where the UK launched a centre to hand out advice to foreign nations on security. “The strategy intends to harmonise the readiness of EU countries to deal with the security challenges in cyberspace.”

Sharing the cyber war burden

How exactly will today’s tests inform the strategy then? First off, the DDoS attacks being “launched” today are based on real-world hits that have taken sites offline in the past. That means that private or public organisations have already shared data on attacks they’ve experienced. This sharing of threat information looks set to be a core part of the strategy.

“An exercise like this will reveal a lot of issues that we are likely to see in the coming years,” Evangelos Ouzounis, ENISA’s head of resilience and CIIP (critical information infrastructure protection) unit, told TechWeekEurope. “This will be something the Commission will be very keen to know, maybe for inclusion in the strategy.”

Ouzounis, who has been leading today’s exercise, said cohesiveness between nations is key. When asked whether he had seen any outstanding players, he said: “This is not a beauty contest. We want to learn from each other.

“For us, it is important people engage themselves and learn and improve.”

Already, Ouzounis said he had seen a positive response from participants, even some experimentation, which could help make the EU strategy a little less predictable. “The member states understand the importance of the operation,” he added.

“They have been experimenting a bit in how they react. I think the lessons learnt will be very strong.”

Tomorrow, ENISA is hosting a meeting to analyse what happened with the various players. The body is moving quickly so “players don’t forget what happened, Ouzounis said. “We will collect a lot of data, monitor how the exercise progressed and will eventually come out with some practical conclusions,” he added.

Dealing with DDoS

Yet DDoS might come across as a strange choice, given its impact, financially and operationally speaking, varies massively between organisations. But Ouzounis believes it is such a common problem that it had to be addressed. “It was a very obvious choice.”

Industry experts agree. DDoS attacks have grown massively in size and sophistication over recent months. Given banks in the US have been struggling to fend such hits off, it’s clear that even the wealthiest organisations struggle against super-powered DDoS hits. Indeed, according to reports, banks were getting knocked offline by 100Gbps strikes. Few organisations can deal with that kind of power.

“Today’s DDoS attacks are carried out by a new breed of highly capable cyber criminals who quickly switch to different attack sources as each new attempt is thwarted,” said  Paul Lawrence, VP of international operations at Corero Network Security.

“Often DDoS attacks are used as a smokescreen to hide further attacks, which poses a significant risk to banks, governments and any organisation that relies on the Internet to conduct business and has information they need to keep safe.

“ENISA has clearly understood the significance that DDOS attacks now have on organisations, and it is a great first step in highlighting that DDoS attacks pose just as much of a threat as malware and APTs [advanced persistent threats].”

Moving on

As for the future, whilst documents from ENISA have indicated these exercises will be held every two years, Ouzounis believes cyber war games will be more frequent. “There is no firm decision to do this every two years.

“But we need to absorb the lessons learned. We need to understand and we need to implement a few of them before we move on to the next stage of sophistication. We also have to take into consideration that other members are very much engaged in other cyber exercises. For example, Nato or national exercises. So it’s not really possible to do exercises every six months”

ENISA itself was the driving force behind the first ever EU-US exercise – Cyber Atlantic 2011, which looks set to continue. Ouzounis confirmed there had been discussions between the EU and non-member nations, including China and Russia, on cyber issues, although he could not say what those talks amounted to.

Yet it’s not clear what the next European-wide exercise will look at. Usually, plans start forming around a year before the actual event, and ENISA won’t be rushing participants into forming conclusions too quickly.

“We will take time to reflect on what we have done,” Ouzounis  added.

How well do you know Internet security? Try our quiz and find out!