Cybersecurity still sounds to many like science fiction. Can you give an example on how a cyber attack can look like and what it can cause?
Cyber attacks come in all shapes and sizes. Most textbooks will talk about cybersecurity as the “practice of ensuring the confidentiality, integrity and availability of the information we use through our computers, smart phones and other connected electronic devices”. But let us say that in ENISA’s annual Cybersecurity Threat Landscape Report, we focus on nine different larger scale categories of cyber attacks – in this case threats – which negatively impact the cybersecurity of our data systems and devices we use every day.
- Ransomware, where cyber attackers gain and block access to data on your device and demand payment to restore access. Here we often see the unauthorised introduction of malware where a software is illegally installed and can manipulate data.
- Disinformation and misinformation campaigns which ENISA sees as a part of hybrid attacks aimed to reduce the overall perception of trust, a major proponent of cybersecurity.
Cyber attacks are far from science fiction and cause disruptions to the critical infrastructures we all depend upon daily, at the same time denting our trust in an ever-more connected environment. Cybersecurity is a part of the digitalisation equation we need to pay far greater attention to and need to get it right.
Three examples that come to mind of the impact cyber attacks can have:
• We all still recall very clearly the attack of mid 2017 initially targeting Ukraine. Due to common vulnerabilities, this led amongst others to an almost complete shutdown of operations of a global shipping company headquartered in another country for about ten days. While the exact figures differ, this resulted in losses of some EURO 280 mio, instantly putting approximately 45 000 workstations and a few thousand servers out of action and requiring a few hundred people to rebuild the network.
• At the height of the pandemic in 2021, a ransomware cyber attack on the Irish health care system managed to affect near to every aspect of patient care in a hospital. This is a crucial sector, which does not have a natural focus on cybersecurity, and ENISA is working closely with national authorities to address this.
• And on the day of the Russian invasion of Ukraine, in the EU we witnessed critical infrastructure attacks, one of which targeted satellite military communication in the Ukraine but with cascading effects on a European satellite network provider. This attack indirectly affected several thousand terminals in around 20 countries within Europe with an impact on residential, business and other services. For example, the remote monitoring and operation of almost 6.000 wind turbines in one Member State was affected.
Cybersecurity is named a “generational challenge”. ENISA itself emphasizes its wish to understand but also to respond. It sounds like the EU is moving from “reacting” towards “acting” itself. Would you say that is accurate and how ENISA tries to achieve this?
‘Acting’ in the current cyber conflict situation implies taking counter-hacking measures. This is not the focus of ENISA. Acting for us means helping to prevent attacks and contain their impact by building preparedness, expertise and foresight. It equally means building strong and resilient cybersecurity capabilities, as well as ensuring coordinated situational awareness on current and emerging threats and attacks among EU cybersecurity communities and decision-makers. Here ENISA covers a full range of activities all aimed at achieving a high common level of cybersecurity across the Union.
What did we see in Ukraine in terms of hybrid warfare and what conclusions can we draw from it for the EU?
Since the start of Russian military aggression, there has been a notable increase of cyber incidents as well as an expansion of scope in terms of sectors affected. This includes information operations, increased activities of hacktivists supporting the parties, as well as cyber operations to support kinetics attacks. We are witnessing in real time that cyber is indeed a central part of hybrid warfare. What we are also seeing is a high level of cyber resilience and preparedness. We have to learn from such experiences.
With some exceptions, no mayor spill-overs into the EU’s cyber space have been reported so far. At the same time we have observed attacks against critical infrastructures in the EU. Though not all of them can be categorised clearly as spill-overs, we need to be ready to support and build resilience in our critical infrastructures. We need to strengthen cybersecurity in and across sectors and raise cybersecurity maturity levels. Legislation such as the current NIS2 proposal will help here, bringing more sectors under its framework.