EU Seeks Better Coordination to Battle Next Big CyberattackLife After WannaCry and NotPetya: Europol Wants EU Member States To Be Ready
The EU is looking to head off the next major cyberattack against Europe by creating rules for how member states should react and respond. The new EU protocol is meant to better coordinate the response to large-scale disruptions such as WannaCry and NotPetya.
Europol, the EU's law enforcement intelligence agency, announced Monday that the EU Council - one of the EU's major decision-making bodies - has adopted the EU Law Enforcement Emergency Response Protocol. The framework is designed to help the EU more rapidly respond to cross-border cyberattacks, and ensure that agencies are cooperating and that information about attacks is shared in a timely manner.
Rapid interagency coordination will be crucial for securing critical infrastructure and minimizing the impact of hack attacks, says Joseph Carson, the Estonia-based chief security scientist at security vendor Thycotic.
"This new agreement strengthens EU member states so they can collectively work together when cyberattacks occur as well as share intelligence to help disrupt and prevent cyberattacks from spreading quickly," Carson tells Information Security Media Group. "This is a major step in the right direction for nation states to be more transparent and work together to defend against today's rising cyber threats."
European Parliament Elections Loom
The news that Europol is trying to better prepare EU member states for the next big cyberattack comes as fresh warnings are being sounded that Russia is looking to interfere in upcoming EU parliamentary elections scheduled for May. On Thursday, CNBC reported that FireEye has found evidence that two advanced persistent threat groups are gearing up for more attacks in the coming months (see Au Revoir, Alleged Russian 'Fancy Bear' Hackers).
The CNBC report specifically pointed to increasing activity from APT 28, the Russian-backed group that is also known as Fancy Bear and which is believed to been involved in different disruption campaigns around the world, including Sandworm, which has been linked to the NotPetya wiper-malware attack that was unleashed in July 2017.
To help governments better defend themselves against such attacks, numerous vendors - including Cloudflare, Google, Microsoft and Symantec - have moved to offer free services. In February, Microsoft announced that it would expand its AccountGuard, which provides protection and threat detection geared to blocking nation-state and APT activity, to 12 more European countries in preparation for the 2019 elections. AccountGuard is part of the software giant's Defending Democracy Program, which is designed to protect candidates, voters and equipment during elections.
While Microsoft did not refer to any specific threats when it made the announcement last month, the company has been involved in various investigations into election interference in the U.S., as well as in Europe, including calling out attacks designed to disrupt various think tanks in Germany and elsewhere.
Defense Against Nation-States, Criminals
Europol's new protocol is aimed at helping to contain and minimize these types of state-sponsored attacks, as well as criminal activity.
"It is of critical importance that we increase cyber preparedness in order to protect the EU and its citizens from large scale cyberattacks," Wil van Gemert, the deputy executive director of operations at Europol, says in a statement.
"Law enforcement plays a vital role in the emergency response to reduce the number of victims affected and to preserve the necessary evidence to bring to justice the ones who are responsible for the attack," he says.
Goal: More Coordinated Response
The new protocol looks to improve many of the problems EU states encountered in 2017, when such attacks as WannaCry and NotPetya spread rapidly, locking up systems across the continent and causing millions of dollars in damage to government agencies as well as private businesses.
"Law enforcement plays a vital role in the emergency response."
— Wil van Gemert, Europol
Under the new protocol, Europol is looking to streamline how different nations within the EU respond to attacks and to facilitate rapid sharing of data between different EU member states and the agencies charged with investigating cybercrime and nation-state attacks. This information sharing will ideally be happening not only between government agencies but also with private businesses.
Provisions also detail how electronic evidence should be collected and retained so that further investigation can be conducted and possible criminal charges brought against threat actors.
Reached for comment, Europol spokeswoman Claire Georges tells ISMG that "the evidence can be gathered through different ways, depending on the online or physical environment we are dealing with, but always in line with the legal provision applicable, making sure there is a proper chain of custody and documented process."
But there are limits, however, to what the new protocol can do. For instance, the protocol is not designed to address man-made errors, system failures or natural disasters.
Expert: Move is Long Overdue
While the protocol will surely be tested in coming months, especially in the run-up to the European Parliament elections, many experts say this type of coordinated response is long overdue and note that by starting now, the EU can help avoid some of the problems it experienced in 2016 and 2017.
Drawing on the full resources of the EU backed by full member state cooperation is the best way to combat large-scale cyberattacks, says Steve Durbin, the managing director of the Information Security Forum, a London-based cybersecurity and risk management firm.
"One of the challenges this addresses is cross-border coordination and cooperation in the event of large-scale cyberattacks," Durbin tells ISMG. "The appointment of a central coordinating authority with the ability to call upon EU-wide resource is a step forward in dealing with the ever increasing sophistication of nation state and cybercriminal-sponsored attacks."
Additionally, as more and more business and government services move to the cloud, and other technologies such as machine learning become more ingrained into everyday businesses us, law enforcement will need different tools to address cyberattacks, Durbin says.
"Espionage will be rife as nation states target next-gen technologies, whilst cloud services will become a prime target for sabotage," Durbin says. "It is exactly this kind of coordinated response that will be necessary to deal with increasingly sophisticated attacks which oftentimes will focus on critical infrastructure."