Hacker Attacks on Critical Infrastructure - European Union Cybersecurity Strategies

>> Lese diesen Blogpost auf Deutsch.

Following a hacker attack on the IT systems of the Anhalt-Bitterfeld district in July 2021, the district declared the first cyber disaster in Germany. The IT was completely paralyzed. The district was still expecting problems weeks after the attack. Among other things, it could no longer pay out social benefits and benefits in the area of advance maintenance payments ^{(Deutschlandfunk Nova 2021)}.

So far, there is no precise overview of the extent to which public administration in Germany is affected by hacker attacks. However, according to research by Bayerischer Rundfunk and Zeit Online, there have been more than 100 cases in the past six years of public authorities, local governments and other state public agencies in which IT systems were encrypted by attackers. The investigation also showed that there is a particular fear of damage to critical infrastructure ^{(Zierer/Tanriverdi 2021)}. Such must be reported since 2015 and operators of certain facilities must allow regular inspections ^{(Sempf 2019)}.

Critical infrastructures (CRITIS) are „organizations and facilities of critical importance to the governmental community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences.“ ^{(translated from Bundesamt für Sicherheit in der Informationstechnik, Bundesamt für Bevölkerungsschutz und Katastrophenhilfe)}. This includes

Transportation and traffic

Energy

Information technology and telecommunications

Finance and insurance

State and administration

Food industry and food trade

Water

Healthcare

Media and cultural institutions

These systems are sensitive to attacks mainly because many of them were developed a very long time ago – a time when IT security aspects played a lesser role. In modern industrial operations, however, many components are now connected to the Internet, which results in a higher vulnerability to cyberattacks ^{(Sempf 2019)}.

SIn 2020, for example, there was a ransomware attack on the electricity and water supplier Technische Werke Ludwigshafen (TWL). Afterwards, the company’s customer data was available on the darknet. The attackers had demanded a ransom of millions – the utility had not complied with this demand. However, encryption of the systems or access to the process control technology was prevented. ^{(Tremmel 2020)}.

The situation was different five years earlier in Ukraine, where there was a cyberattack on the power grid. Malware brought 30 substations and switching stations to a standstill. The entire power supply no longer functioned. Almost 230,000 people were left in the dark, and hospitals had to resort to emergency generators. Such a scenario can have far-reaching consequences, causing supply bottlenecks and paralyzing entire countries ^{(Handelsblatt 2018 und Sempf 2019)}.

Experts suspect state-sponsored Russian hackers behind the attack on Ukraine’s power grid. The European Union alone recorded around 450 attacks on critical infrastructure in 2019 ^{(Benediek/Kettemann 2021, 1)}. Only recently, NATO also warned of increasing cyberattacks on these same and democratic institutions. China in particular was criticized in this context.

Accordingly, what matters locally is also playing an increasingly important role transnationally: In a Bitkom survey in 2019, 67 percent of Internet users surveyed in Germany therefore said they would like to see increased investment in the security of critical infrastructure. Almost half of the respondents were also in favor of cyber alliances with other states ^{(Statista Research Department 2020)}.

This raises the question of how the European Union is arming itself against such attacks. Since 2015, the European Union has been working on various initiatives to respond to cyber attacks ^{(Benediek/Kettemann 2021, 2)}. IIn 2016, the European Union adopted the first cybersecurity measures with the Directive on the Security of Network and Information Systems. In the fall of 2017, at the Digital Summit in Tallinn, leaders called for the European Union to „become a global leader in cybersecurity by 2025 to ensure the trust, confidence, and protection of citizens, consumers, and businesses online and to enable a free, more secure, and law-enforced Internet“ ^{(translated from Amtsblatt der Europäischen Union 2021)}.

Strategy for cybersecurity and resilience

Finally, in December 2020, the European Union presented a new strategy for cybersecurity and resilience. According to it, it is the increasing interconnectedness of consumers and businesses – spurred in particular by the Covid 19 pandemic – but also geopolitical tensions related to the global and open Internet that require action. The latter are reflected in particular in the growing number of nation states erecting digital borders – a threat to the EU’s fundamental values. Cyber space is increasingly becoming a site of growing polarization at the international level and hybrid threats such as disinformation campaigns and cyberattacks on infrastructures, economic processes, and democratic institutions are emerging.

Malicious attacks on critical infrastructure posed the greatest threat worldwide. The latter are driven by the concentration of essential services in the hands of a few private companies and the European Union’s dependence on them. The lack of „collective situational awareness for cyber threats“ in the association of states is particularly problematic. Only a fraction of incidents are reported by the member states and the exchange of information is neither systematic nor comprehensive ^{(Europäische Kommission 2020a)}. Some of these points relate to the strategic goal of strengthening the digital sovereignty of the European Union. I have already written a blog post on this: Digital sovereignty in the EU – A brief overview.

The following aspects are listed in the Cybersecurity and Resillience Strategy:

Joint cyber office

According to the strategy, a joint cyber agency will be established to strengthen IT capabilities of defense and law enforcement agencies in cooperation with civilian and diplomatic communities ^{(Benediek/Kettemann 2021, 2)}. The cyber agency should provide better and faster coordination and ensure that the European Union is prepared for massive cyber incidents and crises.

Establishment of a cyber shield

In addition, a so-called „cyber shield“ is to be created. This has the task of recognizing dangers and initiating countermeasures before damage occurs ^{(Benediek/Kettemann 2021, 2)}. It builds on existing national computer emergency response teams and security operations centers, which collect information on intrusions, anomalies and logs and isolate suspicious events. Their knowledge helps to detect signals and patterns and extract threat intelligence from the vast amounts of data. They are to be combined into a network. It will also support the establishment of new centers. The goal is to network as many centers as possible and provide them with state-of-the-art AI technology and high-performance computing infrastructure.

Cooperation in the field of cybercrime

In addition, it is planned to promote cooperation and exchange between actors in the field of cybersecurity and those in the field of law enforcement. To this end, the capacities of criminal investigation authorities to investigate cybercrime are to be expanded. One focus is to be on combating the sexual abuse of children on the Internet. Europol is to further expand its role as a center of excellence and support national law enforcement agencies in combating crime in cyberspace. Cross-border access to electronic evidence is to be possible.

Extremely secure communication and highest security standards for 5G

Furthermore, according to the strategy, work will be done in the future on an extremely secure communications infrastructure for public authorities. This is to take place via existing terrestrial fiber-optic networks on the one hand and via space satellites on the other. 5G technology and future network generations are to be based on the highest security standards. Dependencies in the supply chain on high-risk suppliers must be avoided.

European DNS Resolution Service

As the smooth functioning of the Internet is heavily dependent on the Domain Name System (DNS), the European Union intends to develop a contingency plan for the „management of extreme scenarios affecting the integrity and availability of the global DNS root system“ ^{(translated from Europäische Kommission 2020a)}. DNS resolution is in the hands of only a few companies, which is why the establishment of a public European DNS resolution service is planned.

More presence in the technology supply chain and qualification of young talent

The existing funds will be used to pool resources and promote digital technologies and cybersecurity along the entire digital supply chain in line with European values and priorities. This includes data and cloud, next-generation processor technology, ultra-secure connectivity and 6G networks. Furthermore, funds are to flow into the qualification of the next generation. Promotion and retention of talent in the field of cybersecurity is planned.

Revised EU law

„To protect critical infrastructure, existing EU law and the 2016 EU Network and Information Security Directive (NIS Directive) will be revised to make greater use of artificial intelligence to identify cyberattacks against hospitals, utilities or transport networks“ ^{(translated from Benediek/Kettemann 2021, 2)}. The European Commission is proposing a so-called „network code“ with cybersecurity rules for cross-border power flows to be adopted by the end of 2022.

Expansion of cyber diplomacy

According to the strategy, malicious attacks are to be countered with an appropriate set of diplomatic instruments of the European Union. To enable a rapid response to such incidents, the establishment of an EU cyber intelligence working group of member states is to be promoted. This is to advance strategic intelligence cooperation against cyber threats. Furthermore, a proposal to further define EU cyber deterrence is planned. In it, the European Union intends to outline how it can more effectively use its political, economic, diplomatic, legal and strategic communication tools against malicious cyber activities. Cooperation with international partners, such as NATO, is to be expanded.

Expansion of cyber defense

Furthermore, it is planned to review the common security and defense policy of the member states of the European Union in the context of cyber defense. The aim is to better integrate cyber security into the respective security and defense agendas. In this context, cyberspace is understood as a military operational area. The cyber security of critical space infrastructures is also to be further strengthened.

Expansion of involvement in international standardization processes

According to the strategy, another objective is to expand the European Union’s presence in international and European standardization bodies and other standardization organizations. The background to this is the fear that other countries will base their actions in these bodies on values that do not correspond to those of the European Union. Furthermore, there is a fear of the fragmentation of the Internet. The blog post Digital sovereignty in China – A brief overview, which I wrote, is interesting in this regard.

Commitment to upholding international law in cyberspace

The European Union’s goal is to maintain a global, open, stable and secure cyberspace. To this end, the strategy invokes international law – in particular the United Nations Charter. According to this, the European Union should assert the position of its member states in international forums and commit itself to a United Nations action program to promote good governance in cyberspace. The subject matter is action against censorship, mass surveillance, violation of data protection and the suppression of civil society and science.

Promoting a multi-stakeholder model for Internet governance.

According to the strategy, it is planned that the European Union will expand its cooperation with third countries and promote multilateral exchanges. The aim is to prevent individual entities, governments or organizations from seeking control over the Internet. European values such as human dignity, privacy, freedom of expression and freedom of information are to be promoted. Regular exchanges with different stakeholders – including the private sector, academia and civil society – should take place.

Regulation establishing the European Centre of Excellence for Cybersecurity Industry, Technology and Research and the Network of National Coordination Centers

Building on the Cybersecurity and Resilience Strategy, the Regulation establishing the European Center of Excellence for Cybersecurity Industry, Technology and Research and the Network of National Coordination Centers was adopted on May 20, 2021. This is intended to help increase the security of critical infrastructure and the Internet. According to the regulation, the starting point is the European Union’s current overdependence on non-European cybersecurity providers. There is a wealth of expertise and experience in the association of states, but this is not sufficiently bundled and networked and is still fragmented. Civic tech projects are also of great interest to society. However, the European Union „still does not have sufficient technological and industrial capacities and capabilities to autonomously secure its economy and critical infrastructures and to become a leading global player in the field of cyber security“. ^{(translated from Amtsblatt der Europäischen Union 2021)}.

To this end, the first step under the 2021 regulation will be to create a cybersecurity center of excellence based in Bucharest. This is to be „the most important instrument for bundling investments in research, technology and industrial development in the field of cybersecurity“. ^{(translated from Amtsblatt der Europäischen Union 2021)}. The aim is to protect the economy and society from cyber attacks, to ensure excellence in the field of research, and to promote industry and make it competitive – all under the maxim of promoting the EU’s „open strategic autonomy.“ ^{(translated from Europäische Kommission 2020b)}. In particular, it appears important that the new center and the network of associated national coordinating centers will provide research and industry with testing and experimental facilities that would otherwise be prohibitively expensive for individual member states. The network of national coordination centers will continue to help promote and disseminate cybersecurity education programs. By the end of 2021, it will be up to each member state of the European Union to nominate a facility that meets the criteria to become a so-called national coordination center in the network ^{(Amtsblatt der Europäischen Union 2021)}.

Conclusion

The European Union has been making increasing efforts in the area of cybersecurity since 2020 and is pushing ahead with its December strategy with the first regulations. In the background of all this is the idea of digital sovereignty – that is, autonomy from other regions and companies from abroad. The first step seems to be the development of a dedicated research infrastructure. Furthermore, legal changes are being sought and various diplomatic efforts are being made. The goal is to maintain an open Internet that is secure and based on European values. Third countries, in particular, which pursue the opposite approach and rely on censorship policies and territorial isolation, are perceived as a potential source of danger. These are to be countered in particular by participation in international standardization bodies and closer cooperation with the United Nations. The question arises to what extent all these supranational strategic goals also have an impact at the local level and whether the European Union’s cybersecurity measures can provide a toolbox for hacker attacks on critical infrastructures in the future.

Reading recommendation:

„Blackout – A Novel“ – by Marc Elsberg

On a cold February day, all the power grids in Europe collapse. A total blackout. Italian computer scientist Piero Manzano suspects a hacker attack and tries to warn the authorities – unsuccessfully. When Europol commissioner Bollard finally listens to him, dubious emails turn up in Manzano’s computer that cast suspicion on himself. He has become the target of an adversary who is as cunning as he is merciless. Meanwhile, all of Europe is in the dark, and the fight for survival begins … ^{(translated from Elsberg)}

Resources

^{Amtsblatt der Europäischen Union. 2021. „Verordnung (EU) 2021/887 Des Europäischen Parlaments und des Rates vom 20. Mai 2021 zur Einrichtung des Europäischen Kompetenzzentrums für Industrie, Technologie und Forschung im Bereich der Cybersicherheit und des Netzwerks nationaler Koordinierungszentren.“ < https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021R0887&from=EN > (22.07.2021)}

^{Benediek, Annegret; Kettemann, Matthias C. 2021. „EU-Strategie zur Cybersicherheit: Desperat Cyberdiplomatie.“ SWP-Aktuell 12 < https://www.swp-berlin.org/publications/products/aktuell/2021A12_EUCyberdiplomatie.pdf > (22.07.2021)}

^{Bundesamt für Sicherheit in der Informationstechnik, Bundesamt für Bevölkerungsschutz und Katastrophenhilfe. „Glossar – Kritische Infrastrukturen (KRITIS).“ < https://www.kritis.bund.de/SubSites/Kritis/DE/Servicefunktionen/Glossar/Functions/glossar.html?lv2=4968594 > (22.07.2021)}

^{Chaosradio. 2020. „KRITIS – Kritische Infrastruktur.“ < https://chaosradio.de/cr263-kritis > (06.08.2021)}

^{Deutschlandfunk. 2021. „Nato warnt vor zunehmenden Cyberattacken auf kritische Infrastruktur.“ < https://www.deutschlandfunk.de/hackerangriffe-nato-warnt-vor-zunehmenden-cyberattacken-auf.1939.de.html?drn:news_id=1282263 > (22.07.2021)}

^{Deutschlandfunk Nova. 2021. „Erster deutscher Cyber-Katastrophenfall“ < https://www.deutschlandfunknova.de/nachrichten/hack-in-anhalt-bitterfeld-erster-deutscher-cyber-katastrophenfall > (11.07.2021)}

^{Elsberg, Marc. „Blackout – Morgen ist es zu spät“ < https://marcelsberg.com/buecher?isbn=9783442380299 > (06.08.2021)}

^{Europäische Kommission. 2020a. „Gemeinsame Mitteilung an das Europäische Parlament und den Rat – Die Cybersicherheitsstrategie der EU für die digitale Dekade.“ < https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:52020JC0018&from=EN > (22.07.2021)}

^{Europäische Kommission. 2020b. „Kommission begrüßt politische Einigung über das Kompetenzzentrum und das Netz für Cybersicherheit.“ < https://ec.europa.eu/commission/presscorner/detail/de/IP_20_2384 > (22.07.2021)}

^{Handelsblatt. 2018. „Im Fadenkreuz der Hacker.“ < https://www.handelsblatt.com/technik/it-internet/kritische-infrastruktur-schuetzen-im-fadenkreuz-der-hacker/20877220.html > (22.07.2021)}

^{Sempf, Julia. 2019. „Kritische Infrastrukturen – der wohl verwundbarste Punkt eines Landes.“ < https://www.hornetsecurity.com/de/security-informationen/kritische-infrastrukturen/ > (22.07.2021)}

^{Statista Research Department. 2020. „Umfraeg zu Vorbereitungen auf künftige Cyberattacken in Deutschland 2019.“ < https://de.statista.com/statistik/daten/studie/1088587/umfrage/vorbereitungen-auf-zukuenftige-cyberattacken-in-deutschland/ > (22.07.2021)}

^{Tremmel, Moritz. 2020. „Daten von Stadtwerken Ludwigshafen im Darknet veröffentlicht.“ < https://www.golem.de/news/nach-hack-daten-von-stadtwerken-ludwigshafen-im-darknet-veroeffentlicht-2005-148484.html > (22.07.2021)}

^{Zierer, Maximillian; Tanriverdi, Hakan. 2021. „Zahlreiche Fälle von digitaler Erpressung in deutschen Behörden“ < https://www.br.de/nachrichten/deutschland-welt/hacker-angriffe-digitale-erpressung-in-deutschen-behoerden,SbduLPs > (11.07.2021)}

Hacker Attacks on Critical Infrastructure – European Union Cybersecurity Strategies

Schreibe einen Kommentar Antworten abbrechen