EU Will Take a Year to Set Up Full Cybersecurity Agency

Security experts have criticized the European Commission’s plans to set up a team to look at how to combat cyberattacks as too little, too late, saying that more coordination between member states is needed.

The so-called “pre-configuration” Computer Emergency Response Team (CERT) of IT security experts will spend the next 12 months assessing how a full-scale CERT should be set up for European Union institutions. But experts have warned that the threat of cyberattacks is current and real.

“Most individual member states already have their own CERTs, so I think the primary aim of the E.U. CERT should be one of coordination,” said Rik Ferguson, director of security and research at Trend Micro. “Twelve months is not an unreasonable length of time to prepare, but it should also include best practice so that all the different member states can work together.”

“Some action is better than no action. Also, an effective CERT should be well designed, and that takes planning and review,” added Ulla Toivanen from F-Secure

In recent years, CERTs have been developed in both private and public organizations to quickly and efficiently respond to information security incidents and cyber threats, and the Commission has called for member states to establish their own national CERTs.

“Over recent years, cyberattacks have risen to an unprecedented level of sophistication. It is essential that the European institutions make a joint effort in order to respond to the threat of massive cyberattacks,” said Maroš Šefčovič, Commission vice president for Inter-Institutional Relations and Administration.

But given the sensitivity of the information held by the European Institutions, security experts have warned that effective security is essential immediately. In March, an attack on the European Commission disrupted e-mail systems, while an attack on the E.U.’s Emissions Trading Scheme recently saw at least €30 million (US$44 million) of emissions allowances stolen from national registries.

The plan to set up a single agency to manage all large-scale IT systems could also prove a target for cyber criminals. The proposed agency would bring together databases such as the Schengen Information System (a common database which facilitates the exchange of information on individuals between national law enforcement authorities), the Visa Information System (a database that will allow member states to enter, update and consult visa data, including biometric data, electronically) and EURODAC (an IT system for comparing the fingerprints of asylum seekers and illegal immigrants). The goal is for the agency to start working in summer 2012 in Tallin, Estonia.

“Obviously aggregated data creates a target,” said Ferguson. “We have seen a sharp increase in the last 12 months of this sort of theft. We have entered the era of ‘steal everything.’ Criminals are no longer going after a single server. But hopefully lessons will be learned from incidents such as the Sony hack.”

Meanwhile, E.U. justice ministers agreed on Friday to draft rules setting out minimum sentences for cyber criminals. However security experts argue that trying to convict criminals who cannot be caught is a waste of time. “The emphasis should be on catching them in the first place. And for this there needs to be much more coordination because these criminals inevitably work across borders,” said Ferguson.

A proposed Directive on Attacks against Information Systems is also in the pipeline. The draft law lists crimes such as illegal access to IT systems, interference with these systems, stealing or deleting data and the interception of non-public data transfers.

Europol, the E.U.’s police force, currently manages information-sharing on cybercrime between police in different E.U. countries. But the Commission plans to set up a dedicated European Cyber Crime Centre by 2013 to coordinate operations across borders and provide training to law enforcement authorities.

The CERT pre-configuration team will comprise 10 members of staff from the European Commission, the European Parliament, the Council, the Committee of the Regions and Economic and Social Committee and ENISA.