Frankly, I am becoming less convinced that Europe is capable of winning the war against cyber-attacks. Ever since a series of online attacks paralysed Estonia in 2007, protection against internet crime and terrorism has moved up the agenda for the European Commission, NATO and individual European countries. But it is unclear whether any real progress has been made in the last three years.
The UK’s House of Lords will on Thursday publish its study into how well Europe protects itself online. The conclusion is that there are serious concerns about co-ordination between different member states and a real risk that less well prepared countries could compromise those, like the UK, which are relatively advanced in their cyber protection measures. Not very surprising conclusions perhaps.
But the detail of the report highlights some farcical aspects.
For example, the main European agency that is supposed to be coordinating European internet crime-fighting is ENISA, the European Network and Information Security Agency. However, the work of this body has been severely hampered by its location in Heraklion, Crete, a good 7 to 10 hours flight time away from most places in Europe, and with limited flight schedules outside the summer holiday season.
European agencies – which bring employment and money to a region – are highly sought after, and the EU tries to share these out equitably. It was Greece’s turn to be given something and so it was allocated ENISA. However sticking the agency on a remote holiday island has made it hard for staff to carry out the liaison and co-ordination work they are meant to do across Europe. A lack of good international schools on the island means it is hard to recruit and retain staff.
“I have seen a lot of Athens Airport over the last few years,” moaned one UK civil servant who regularly liaises with ENISA.
It was also somewhat depressing that no internet service providers contributed to the Lords report, apart from one small Dutch company. All ISPs were invited to comment but declined.
ISPs should clearly be at the forefront of plans to protect the internet, and they do have their own emergency plans. Perhaps they dismissed the Lord’s inquiry as yet another toothless government exercise. Perhaps they felt they had little influence over European cyber-attack policy, whether they took part in this process or not. But their complete lack of interest in what attempted to be a serious and detailed examination of the cyber-attack problem does not bode well. Without ISP help, it is hard to do anything practical about internet threats.
Meanwhile, in the UK, losses from online banking fraud rose 55 per cent between 2008 and 2009, and more internationally, Google revealed earlier this year that its systems had been infiltrated by what it believed were Chinese hackers. Several other companies were also targeted. The problem is getting more acute, but European efforts are still woefully disjointed.
