By Thomas Ewert
An earlier article about asset restitution suggested the European Union (EU) takes its example from Switzerland. In cybersecurity, the EU’s institutions appear to be very Swiss – but unfortunately in the sense of a Swiss cheese full of holes. The European Court of Auditors (ECA) has recently investigated the level of cybersecurity of the EU’s institutions, bodies and agencies (EUIBAs). The conclusions are concerning – but there is hope.
The hungry mice: cybercriminals
The EU Cybersecurity Act defines cybersecurity as “identifying, preventing, detecting, responding to and recovering from cyber incidents” and to preserve the “confidentiality, integrity and availability of information” physically and electronically. This involves technical controls, government arrangements and cyber awareness programmes.
The number of cyberattacks against EU institutions is increasing. Their aims include espionage and stealth attacks (‘advanced persistent threats’). These have “political implications, harm the overall reputation of the EU and undermine the trust in its institutions.” The main field of action is digital, where attackers gain the first access to networks. The COVID-19 pandemic made the EUIBAs increase their digital information exchange, which enlarged the ‘attack surface’ for potential attackers. The EUIBAs reportedly used 15 different videoconferencing tools.
Between 2018 and 2021 the number of incidents increased tenfold. In the past 2 years, 22 EUIBAs have been hit by significant incidents. For example, data from the European Medicines Agency was leaked and manipulated in a way as to undermine trust in vaccines. Most cyberattacks require more than a single step to reach their final target and are not always direct. Many involve making staff download malware through phishing or social engineering.
The fridge: EUIBAs
The survey analysed the European Commission, the EP, the ENISA, the EBA, the EMSA, the EUAM Ukraine and the IMI JU. It was complemented with video meetings with the CERT-EU, the Information and Communication Technologies Advisory Committee (ICTAC) and the Interinstitutional Committee for Digital Transformation (ICDT).
The EUIBAs’ weakness is their inevitably high interconnectedness. Cyber criminals can invade one barely secured institution and use this as a door-opener to gain access to other EUIBAs. Overall, the EU’s institutions are not prepared enough against attacks. Their level of preparedness is very heterogenic and each EUIBA is responsible for its own cybersecurity.
Only 58% of the surveyed EUIBAs have an IT security strategy that involves its top management. Some 78% have an information security policy of which 75% are up-to-date. Admittedly, the EUIBAs’ security strategies are aligned well with their business objectives. Though only the Commission has structured procedures for monitoring its compliance with IT security policies. 60% of EUIBAs have no Chief Information Security Officer (CISO) and only in the large ones that position is independent of the institution’s IT department. The smallest EUIBAs have no cybersecurity experts at all and this area is managed part time by employees with an IT background. Some 58 of 65 EUIBAs follow a risk assessment strategy, but with no common framework. Of 7 institutions, only 2 carry out risk assessments that are not limited to their most important IT systems, but include their entire IT environment.
The chefs: EU staff
It is a major challenge is to find cybersecurity experts. They are scarce. EUIBAs compete for them against each other and the private sector. Recruitment procedures are lengthy, contract conditions uncompetitive and lacking attractive career prospects. All the more depends on regular employees. Some 95% of EUIBAs provide cyber-awareness training for all staff, 41% especially for managers and 29% for the heads of IT systems that contain sensitive information. In the past five years, 55% of EUIBAs organised simulated phishing campaigns. The Commission’s cyber awareness actions represent a good practice available to other EUIBAs. The ENISA and CERT-EU promote cooperation, but can only support and assist the EUIBAs.
The tests performed by CERT-EU have overall increased between 2014 and 2020. Penetration testing was introduced in 2014, Red team exercises and Phishing campaigns in 2017 and Vulnerability Assessment (Web apps) added in 2020. Vulnerability Assessment (IP ranges) increased more than ten-fold since 2019.
In the offices, sensitive information is not offline when not used. Mobile endpoints are a weak link, lacking security solutions. Patching policies and encryption could be more systematic. Strong points are the used firewall solutions and anti-virus programmes. However, key systems are being backed up. Between 2015 and 2021, only 34% of EUIBAs experienced no IT security audit. In the last five years, 69% performed a proactive test of their cyber defenses. Some 46% conducted Red team exercies involving multiple systems. Unfortunately, the EUIBAs do not always share their best practices with each other. The level of engagement in the cybersecurity subgroup (CSSG) of the ICDT is decided individually. Lacking a service catalogue, newly created agencies have to build their IT security from scratch. Some EUIBAs have neither a solution for exchanging sensitive non-classified information, nor common markings. And 20% of them have no encrypted email service at all.
The recipe book: recommendations
In order to bring the EUIBAs closer to the ideal, as envisaged by the Information Systems Audit and Control Association (ISACA), the ECA recommends three things:
- Shift CERT-EU’s and ENISA’s focus onto less mature EUIBAs until the fourth quarter of 2022.
- Have the Commission promote further synergies among EUIBAs in the ICDT and increase encryption use. Introduce common rules for sensitive non-classified information and economies of scale for common cybersecurity service contracts until the first quarter of 2023.
- Increase resources for CERT-EU and introduce common rules for all EUIBAs. Have the Commission include in its forthcoming proposal on cybersecurity regulation the appointment of independent Information Security Officers and an overarching entity monitoring all EUIBAs’ compliance until the fourth quarter of 2023.