16.12.2014   EN   Official Journal of the European Union   C 451/31


Opinion of the European Economic and Social Committee on ‘Cyber attacks in the EU’

(own-initiative opinion)

(2014/C 451/05)

Rapporteur: Mr McDonogh

On 27 February 2014 the European Economic and Social Committee decided to draw up an own-initiative opinion, under Rule 29(2) of its Rules of Procedure, on:

Cyber attacks in the EU.

The Section for Transport, Energy, Infrastructure and the Information Society, which was responsible for preparing the Committee's work on the subject, adopted its opinion on 18 June 2014.

At its 500th plenary session, held on 9 and 10 July 2014 (meeting of 10 July), the European Economic and Social Committee adopted the following opinion by 135 votes to 1.

1.   Conclusions and recommendations

1.1 The Committee would like to see an EU-level authority for cyber security created, analogous to the central authority in the aviation industry, the European Aviation Safety Agency (EASA), to provide the strength of leadership required at EU level to deal with the complexities of implementing an effective Europe-wide cyber security policy.

1.2 Informed and empowered citizens are critical to strong cyber security in Europe. The education of citizens in personal cyber security and data protection should be a fundamental part of school curricula and workplace training programmes. Furthermore, the EU should drive public information programmes and initiatives across the Union on these topics.

1.3 Businesses should be required by law to have a proactive approach to protecting themselves from cyber attacks, including secure and resilient information and communications technology (ICT) and training for staff on security policies, just as such requirements exist for health and safety.

1.4 Every Member State should have an organisation whose job it is to inform, educate and support the SME sector on issues regarding cyber security best practice. Large firms can easily acquire the knowledge they need, but SMEs need support.

1.5 The mandate of the European Network and Information Security Agency (ENISA) should be extended and funding provided to take more direct responsibility for cyber security education and awareness programmes especially targeted at citizens and small and medium-sized enterprises (SMEs).

1.6 Businesses and organisations need to heighten the awareness of responsibility for cyber security at board level. The potential corporate liabilities resulting from inadequate cyber security policy and actions should be explicitly communicated to the directors of all organisations.

1.7 Because of their critical role in the provision of online services, all Internet Service Providers (ISPs) in the EU should have special responsibility for protecting their customers from cyber attacks. This responsibility should be defined and enshrined in legislation at EU level.

1.8 To ensure that the great potential for economic growth from the dynamic expansion of cloud computing is quickly realised (1), special security requirements and obligations should also be imposed at EU level on the providers of cloud services.

1.9 The Committee considers that voluntary measures are not enough, and so there need to be strong regulatory obligations on Member States to ensure harmonisation, governance and enforcement of European cyber security. Legislation is also needed to make notification of significant cyber security incidents mandatory for all businesses and organisations, not just for critical infrastructure providers. This would help increase Europe's response to threats, as well as increase the knowledge and understanding of cyber attacks so that better defences can be developed.

1.10 The Committee strongly recommends that the EU takes a design-led approach to tackling the menace of cyber attacks, by ensuring that all the technology and services used in Europe to provide Internet connectivity and online services are designed to provide the highest possible levels of security from cyber attacks. Design considerations should especially focus on the man-machine interface.

1.11 The EESC wants to see substantial cyber security standards developed and disseminated for all ICT networking technology and services by European Standardisation Organisations. These standards should include a compulsory code of practice to ensure that all ICT equipment and Internet services sold to European citizens conform to the highest standards.

1.12 The EU must act without delay to ensure that every Member State has a fully functioning Computer Emergency Response Team (CERT) in place to protect itself and Europe from cyber attacks.

1.13 The Committee demands that the European Cyber Crime Centre (EC3) at Europol receives the additional funding it requires to fight cybercrime and to strengthen cooperation between police forces in Europe and with forces outside the Union, to increase Europe’s capability to capture and prosecute cyber criminals.

1.14 To sum up, the EESC considers that EU cyber security policy needs to deliver in particular on the following points: strong EU leadership; cyber security policies that enhance security while preserving privacy and other fundamental rights; awareness raising among citizens and encouraging proactive protection approaches; comprehensive Member State governance; informed and responsible business action; deep partnership between governments, the private sector and citizens; adequate investment levels; good technical standards and sufficient R&D&I investments; international engagement. To this end, the Committee reiterates its recommendations concerning cyber security policy as voiced in many previous opinions (2) and calls on the Commission to follow up on the actions demanded therein.

2.   Scope of the opinion

2.1 The Internet economy generates over one fifth of GDP growth in the EU and 200 million Europeans buy online each year. We depend on the Internet and connected digital technology to support our vital energy, health, government and financial services. However, the critical digital infrastructure and services that play such an essential role in our economic and social lives are vulnerable to a growing risk of cyber attacks that threaten our prosperity and quality of life.

2.2 The Committee believes that the Union’s increasing dependency on the Internet and digital technology is not sufficiently matched by practices and policies that provide an adequate level of cyber security across Europe now and into the future. The purpose of this opinion is to highlight the gaps that the Committee sees in EU cyber security policy and to recommend enhancements that would increase the mitigation of cyber attack risks.

2.3 The motivations for cyber attacks can range from the very personal, for example revenge against a person or a company, to cyber spying by nation states and cyber war between countries. While preparing this opinion, it was decided to narrow the scope to deal purely with criminally motivated cyber attacks, so as to focus the recommendations on the problems of primary concern to the majority of the Committee. The complex political debate on cyber attacks by Member States against citizens and other states might be a topic for a future opinion.

2.4 This opinion deals only with cyber attacks by cyber criminals motivated by money, which account for the vast majority of attacks. By putting in place cyber security policies and practices to deal effectively with cyber attacks for criminal motives, the risks from cyber attacks motivated by political or more personal motives are also reduced.

2.5 Whereas the EU has made good progress with the implementation of the Trust and Security actions in the Digital Agenda and has developed a wide-ranging cyber security strategy that addresses most of the objectives outlined above, more needs to be done.

3.   Cyber attacks and cyber security

3.1 A cyber attack is any offensive action that targets computer information systems, infrastructures, computer networks and/or personal digital devices, using malicious means to steal, alter or destroy a specified target. The target can be money, data or information technology.

3.2 Cyber criminals launch cyber attacks to steal money or data, to commit fraud, criminal espionage or extortion. Cybercrime attacks can damage the essential networks and services that we depend on for health, safety and economic well-being, including government, transport, and energy networks.

3.3 The threat from cyber attacks is keeping pace with our growing dependence on the Internet and digital technology. According to a recent report from Symantec, the total number of data breaches in the world increased by 62 % in 2013, amounting to more than 552 million records exposed. These breaches often exposed real names, birth dates, or government ID numbers, medical records or financial information. Furthermore, 38 % of mobile users have experienced mobile cyber crime in the past 12 months.

3.4 Cyber attacks can have a major impact on individual companies and on Europe's wider economy:

An industry report in 2011 suggests that victims of cyber attacks lose about EUR 290 billion each year worldwide, making it more profitable than the global trade in marijuana, cocaine and heroin combined.

Citizens are under constant threat from identity theft from cyber attacks. In May 2014, a database containing the personal details of 145 million account holders on eBay was stolen in a single attack. According to a 2013 cyber security survey of the University of Kent, in just one year (2012/13) more than 9 million adults in Britain had their online accounts hacked, 8 % of the population lost money because of cyber crime, and 2,3 % of the UK population lost more than £10 000 due to cyber crime.

In 2011 a British government report estimated that the overall cost of cyber crime to the UK economy was £27 billion:

Online fraud £1,4bn;

Identity theft £1,7bn;

Intellectual property theft £9,2bn;

Espionage £7,6bn;

Customer data loss £1bn;

Online theft (direct) from businesses £1,3bn;

Extortion £2,2bn;

Fiscal Fraud £2,3bn.

Cyber attacks cause huge economic damage in Europe each year. The cost has to take into account:

The loss of intellectual property and sensitive data;

Opportunity costs, including service and employment disruptions;

Damage to the brand image and company reputation;

Penalties and compensatory payments to customers (for inconvenience or consequential loss), or contractual compensation (for delays, etc.);

Cost of counter measures and insurance;

Cost of mitigation strategies and recovery from cyber attacks;

The loss of trade and competitiveness;

Distortion of trade; and

Job losses.

According to the 2014 Information Security Breaches Survey, a UK Government publication, 81 % of large companies and 60 % of SMEs suffered a security breach in 2013.

The same government report estimated that the average cost to a large organisation of its worst cyber-security breach could be up to EUR 1 400 000, and up to EUR 140 000 for an SME.

Even if attacks do not succeed, the cost of mitigating them is rising fast. In 2014 worldwide information security market growth will accelerate to 8,6 % and exceed $73 billion.

3.5 Cyber attack techniques are constantly evolving:

A cyber attack usually involves the use of an attack vector by which a cyber criminal can gain access to online identity credentials, a computer or a network server in order to achieve a malicious outcome. Common attack vectors include USB devices, email attachments, web pages, pop-up windows, instant messages, chat rooms and deception, such as a phishing attack.

The most common forms of attack involve the deployment of malware. Malware is software that hijacks a digital device to achieve a criminal objective, for example to steal user credentials or money, or to spread itself to other devices. Malware includes computer viruses (including worms and Trojan horses), ransomware, spyware, adware, scareware and other malicious programmes. For example, ransomware is a particular type of malware which locks access to the computer system that it infects and demands a ransom for the lock to be removed.

Malware can also convert a computer into a bot connected to a cyber criminal's botnet or zombie network, which the criminal controls to attack victims.

A spam attack occurs when a criminal sends unsolicited bulk emails, frequently to deceive a victim into spending money on counterfeit products. Botnets are used to send most spam messages.

Phishing attacks are attempts to steal usernames, passwords and credit card details by pretending to be a trustworthy entity, so that the criminal can gain control of a victim’s email accounts, social networks and bank accounts. Phishing attacks are particularly effective for the criminal because 70 % of Internet users choose the same password for almost every web service they use.

Cyber criminals sometimes use a denial-of-service (DoS) attack to extort money from companies or organisations. A DoS attack is an attempt to make a machine or network resource unavailable to its intended users by saturating the target with external communications requests so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Again, botnets are commonly used by criminals in DoS attacks.

3.6 There is common agreement among cyber security organisations on the priority actions that citizens and businesses should take to protect themselves from cyber attacks. These practices should be communicated in every cyber security awareness and education programme:

a. Citizens

use strong, memorable passwords;

install anti-virus software on new devices;

check privacy settings on social media;

shop safely online, always ensuring to check that online retail sites are secure; and

download software and application patches when prompted.

b. Businesses

application whitelisting;

use of standard, secure system configurations;

patch application software within 48 hours;

patch system software within 48 hours; and

reduce the number of users with administrative privilege.

3.7 Small companies often lack sufficient IT support to keep abreast of potential cyber threats, so they need special help to protect themselves from cyber attacks.

3.8 Disclosure of cyber attacks and system vulnerabilities is essential to combating cyber attacks, especially when tackling so-called zero-day attacks, i.e. new varieties of attacks not previously known to the cyber security community. However, businesses often do not publicise cyber attacks because of reputational and liability fears. This lack of disclosure hurts Europe's ability to respond speedily and effectively to cyber threats, and to improve general cyber security through shared learning.

3.9 Citizens and businesses buy Internet access and services through Internet Service Providers (ISPs). Because of their critical role in the provision of online services it is vital that ISPs provide the highest possible level of protection from cyber attacks to their customers. In addition to ensuring that their own services and infrastructure are designed and maintained to provide the highest levels of cyber security, the ISPs should provide excellent advice on cyber security to their customers, and should have special protocols in place to help identify and combat cyber attacks on customers as they occur. This responsibility should be defined and enshrined in legislation at EU level.

3.10 Accelerating the adoption of cloud computing by citizens and business in Europe is very important to the economy of the EU (3). As the reliance on cloud computing for personal and business applications increases, it is especially important for Europe to ensure the cyber security of cloud service providers. Uncertainty about the security of cloud services is negatively impacting the rate of adoption of this dynamic technology. The Committee would like the EU to impose special security requirements and obligations on the providers of cloud services to support the growth of cloud computing in Europe.

3.11 Special efforts must be made to recruit employees for Europe's cyber security industry. The demand for graduate-level information security workers is expected to grow by more than twice the rate of increase for the overall computer industry. In this context, the Committee draws the attention of the Commission to the success of competitions in the US and in some Member States at raising cyber security awareness and cultivating the next generation of cyber security professionals.

3.12 One of the best strategies for protection from cyber attacks is to take a design-led approach by ensuring that all the technology and services used in Europe to provide Internet connectivity and online services are designed to provide the highest possible level of security from cyber attacks. Design considerations should especially focus on the man-machine interface. This would involve collaboration between technology manufacturers, Internet service providers, the cyber security industry, EC3, ENISA, the national defence and security agencies of Member States, and citizens. This design approach to cyber security could be organised at EU level by the Commission and perhaps coordinated by ENISA.

4.   EU Cyber Security Policy

4.1 The EU is developing a comprehensive strategy (4) to increase cyber security for Europe’s citizens:

The Digital Agenda’s Trust and Security pillar includes 14 actions targeted at increasing cyber security and data protection.

The Cyber Attacks Directive (5), which must be transposed into national law by 4 September 2015, sets out definitions of criminal offences in this field and the sanctions for those found guilty of them.

To increase cyber security knowledge and to facilitate cross-border collaboration between Member States, the EU has strengthened the mandate of the European Network and Information Security Agency (ENISA).

The European Cybercrime Centre (EC3) has been created within Europol to tackle cyber crime.

The policy initiative on Critical Information Infrastructure Protection (CIIP) focuses on the protection of Europe from cyber disruptions, including attacks, by enhancing cyber security and resilience across the EU.

The Strategy for a Better Internet for Children aims to create a safe environment for children on the Internet and to combat child sexual abuse material online and child sexual exploitation.

The proposed Directive on Network and Information Security (NIS) requires Member States to put in place a set of NIS capabilities, e.g. a well-functioning Computer Emergency Response Team (CERT). It also specifies network security and reporting requirements for critical infrastructure providers.

4.2 The EESC reacted forcefully to the Commission's proposal for the Directive on Network and Information Security (NIS) (6) because the proposed measures were considered too soft and would not push Member States sufficiently to protect their citizens and business against cyber attacks. However, while adopting the proposed Directive, the Parliament further weakened its usefulness by strictly limiting the Directive's application to providers of ‘critical infrastructure’, thus removing its application to search engines, social media platforms, Internet payment gateways and cloud computing services providers.

4.3 The proposed NIS Directive will not now be sufficient to provide the legislation required to enhance threat awareness and responsiveness to cyber attacks in the Union. The Committee would like to see new legislation enacted to make notification of all significant cyber security incidents mandatory, not just for critical infrastructure providers. The lack of mandatory reporting helps cyber criminals thrive on the ignorance of vulnerable targets.

4.4 The EU should consider expanding the mandate of ENISA to strengthen cyber attack threat awareness and response across the Union. Perhaps the role of ENISA could be expanded to take more direct responsibility for cyber security education and awareness programmes especially targeted at citizens and SMEs.

4.5 The European Cyber Crime Centre (EC3) was established at Europol in 2013 to increase Europe’s ability to fight cyber crime. EC3 acts as a central hub in Europe for criminal intelligence and it supports Member States' operations and investigations of cyber attacks. However, in its first annual report EC3 warns that its current resources are already constraining the progress of investigations and that EC3 will not be able to cope with the level of major investigations coming into it.

4.6 The EU should request the European Standardisation Organisations — CEN, CENELEC and ETSI — to develop cyber security standards for any software, ICT hardware or Internet-based services for sale in the EU. These standards should be continually updated to keep pace with new threats.

4.7 Legislation is needed to make notification of significant cyber security incidents mandatory for all businesses and organisations, not just for critical infrastructure providers. This would help increase the mitigation response to live threats as well as increase knowledge and understanding of cyber attacks being perpetrated, thus helping authorities, the cyber security industry, businesses and citizens to improve cyber security and to combat threats. To encourage the sharing of cyber attack information, any legislation should provide appropriate anonymity for businesses and organisations providing notification of an attack. Consideration should also be given to the provision of liability protection where appropriate.

4.8 Despite the initiatives undertaken by the EU, the Member States have very different levels of capabilities and preparedness, leading to fragmented responses to cyber attacks across the EU. Given the fact that networks and systems are interconnected, those Member States with a very weak approach to cyber security weaken the overall ability of the EU to deal with cyber attacks. Action is needed to bring all Member States up to an acceptable level of cyber security. Special attention is needed to ensure that every Member State has a fully functioning Computer Emergency Response Team (CERT) in place.

4.9 As advised in previous opinions (7), to increase EU protection from cyber attacks, the Committee believes that voluntary measures do not work and that there need to be strong regulatory obligations on Member States to ensure harmonisation, governance and enforcement of European cyber security.

4.10 In summary, to put itself in a position to provide real and updated protection to citizens and businesses from cyber attacks, EU cyber security policy should focus on the following actions:

strong EU leadership that puts in place the policies, laws and institutions to support high levels of cyber security across the Union;

cyber security policies that enhance individual and collective security while preserving citizen rights to privacy and other fundamental values and freedoms;

high awareness among all citizens of the risks of using the Internet, and the encouragement of a proactive approach to protecting their digital devices, identities, privacy and online transactions;

comprehensive governance by all Member States to ensure that critical information infrastructures are secure and resilient;

informed and responsible action by all businesses to ensure that their ICT systems are secure and resilient, to protect their operations and the interests of their customers;

a proactive approach by ISPs to the protection of their customers from cyber attacks;

a deep partnership approach to cyber security across the EU between governments, the private sector and citizens, at strategic and operational levels;

a design-led approach to build in cyber security when developing Internet technologies and services;

adequate levels of investment in cyber security knowledge and skills development to grow a strong cyber security workforce;

good technical cyber security standards and sufficient investment in R&D&I to support the development of a strong cyber security industry and world-class solutions;

active international engagement with non-EU states to develop a coordinated global policy and response to cyber security threats.

Brussels, 10 July 2014.

The President of the European Economic and Social Committee

Henri MALOSSE


(1)  OJ C 24, 28.1.2012, p. 40; OJ C 76, 14.3.2013, p. 59.

(2)  OJ C 97, 28.4.2007, p. 21; OJ C 175, 28.7.2009, p. 92; OJ C 255, 22.9.2010, p. 98; OJ C 54, 19.2.2011, p. 58; OJ C 107, 6.4.2011, p. 58; OJ C 229, 31.7.2012, p. 90; OJ C 218, 23.7.2011, p. 130; OJ C 24, 28.1.2012, p. 40; OJ C 229, 31.7.2012, p. 1; OJ C 351, 15.11.2012, p. 73; OJ C 76, 14.3.2013, p. 59; OJ C 271, 19.9.2013, p. 127; OJ C 271, 19.9.2013, p. 133.

(3)  OJ C 24, 28.1.2012, p. 40; OJ C 76, 14.3.2013, p. 59.

(4)  JOIN/2013/01 final.

(5)  OJ L 218, 14.8.2013, p. 8-14.

(6)  OJ C 271, 19.9.2013, p. 133.

(7)  OJ C 255, 22.9.2010, p. 98; OJ C 218, 23.7.2011, p. 130; OJ C 271, 19.9.2013, p. 133.