Final Report: Pan-European Cyber Security Exercise

Orome1 writes "The EU's cyber security agency, ENISA, has issued its final report (PDF) on the first Pan-European cyber security exercise for public bodies, Cyber Europe 2010. The exercise was conducted on the 4th of November, 2010. Its objective was to trigger communication and collaboration between countries in the event of large-scale cyber-attacks. Over 70 experts from the participating public bodies worked together to counter over 300 simulated hacking attacks aimed at paralyzing the Internet and critical online services across Europe. During the exercise, a simulated loss of Internet connectivity between the countries took place, requiring cross-border cooperation to avoid a (simulated) total network crash."

busy phone lines?

[rbrausse]

From TFP(df): "The most common difficulties faced [..] were [...] busy phone lines."

uh, what? They should defend us from The Evil(tm) and can't even get other stake holders on the fscking phone?

Re:

[HungryHobo]

hey, I'm just surprised that the recommendations didn't simply read "we did ok but we need a lot more money for our departments because terrorists and cyberhackers"

it reads more like a report from a team building day out.

*Ya, we had lots of fun, great exercise, lets do this again some time*

Re:

[somersault]

I didn't realise they had internet in the Shivering Isles..

Cost figures

[Tasha26]

I read Paulos' "Innumeracy" book and never quite understood how those security people come up with cost figures for cyber attacks... especially when it's in the billions range e.g. Skynews [sky.com] reports "Last year, cyber attacks cost Britain £27bn. The global hub for targeted attacks is China. An estimated 1.6 billion attacks are launched from the country each month."

Re:Cost figures

[Tx]

That's a good question, and one suspects the answer is that they ask security consultants and companies, who have a stake in hyping up these costs, to pull figures out of the air. Googling gives for example this article [telegraph.co.uk], quote

"In order to figure out the financial losses businesses incurred during 2009, Symantec asked companies to look at a range of factors which negatively impacted them as a result of cyber crime – such as lost revenue, loss of customer relationships and damage to their firm’s brand. This came out at a mean average of £1.2 million per company. "

Putting a dollar value on "loss of customer relationships", "damage to the firms brand" etc is not even guesswork, it really is just pick-a-number. If the firm wasn't lax in it's security, there shouldn't be any significant damage to the brand. Losses directly due to downtime could be established meaningfully, but overall I think the figures are pretty much as meaningless as the figures the record companies come up with for losses due to piracy.

Re:

[maxwell demon]

Well, if the RIAA can pull numbers out of their ass, they why not security consultants as well? After all, 95%* of all statistics are pulled out of someone's ass anyway.

*) I got the percentage by <strike>taking the first numer I thought of</strike> careful analysis of all the data I had about this <strike>(where "all I had" basically means "none")<strike>.

Re:

[somersault]

Money spent on anti-virus, anti-spam, etc and support costs for these products is a direct cost that has to be taken into account.

Re:

[Hognoxious]

This came out at a mean average of £1.2 million per company.

A mean average? Do I take it that the figure is in British UK Pounds Sterling, and applies to all incorporated business companies?

Re:

[lsatenstein]

I would suggest that once a security or major loss of the net has taken place, that the repair can take place as soon as detected. With that view, the consequential financial losses would be minimal. But there is an after effect. And that after effect that affects businesses and that bad effect can linger for weeks or months until cleared out. (B2B is what I am thinking about, in general, or hospitals sending x-ray images or other medical information to another hospital for life-saving purposes.

Re:Cost figures

[Errol backfiring]

Easy. Those security people know that they have to report to upper management, who's nature is to think in money. So the only way to get a serious message passed is to talk money.

Re:

[HungryHobo]

they might be considering every spam email to be a separate attack.

In some cases they just make up a big number.

In others take the cost figure for an attack on some big organisation (inflated for a legal case where the jail time or penalties is based on the damage/cost) and multiply by some estimate of the number of attacks per year.

Re:

[Hazel Bergeron]

Sky News is basically a British Fox News - same owner and same agenda - slightly toned down to adjust for the slightly more refined tastes of the British public.

The sad thing is the number of people who whine about Murdoch and his propaganda while still paying him to produce it (via a Sky or newspaper subscription).

Re:

[TaoPhoenix]

(Going for Funny) One attack made a copy of the complete discograpy of Metallica. (/Ruining Joke for Mods)

Re:

[will_die]

They add in all the costs that even remotly relate to the topic.
For attacks it includes all the classes people are sent to, extra hardware/software, that companies hire a security person, even that I have to spend some time looking through web logs instead of reading /..

if the tubes with clogged with hackers

[FudRucker]

then use HF two-way radio,

why the focus on computers with internet connectivity as the only source of communication?

Re:

[Errol backfiring]

Because it is conveniently backed up by Echelon?

Re:

[DamienRBlack]

How easy would it be to jam HF radios? I mean, the idea is that were being attacked by an entity powerful enough to compromise the most advanced systems in the world, wouldn't radio be an easy task in comparison?

Email/Phones?

[Anonymous Coward]

While it sounds like a good idea, the impression that I got after reading the report was that this was hardly real-world and more security theater. Using phone/email to communicate when you are having major national communications problems?. Also some key members didn't seem to be playing (eg Spain)

This sound more like the task for a centralized organization that coordinates and works with key agencies in each member state.

I wish i could laugh harder...

[Fallen Andy]

but i'd probably drop dead at my age (52).

"Paralyze teh intertubes" (sigh). Hello - this is the 21st century. If you haven't woken up to the SQL injection attacks and other stuff a while back that r.a.p.e.d many websites run by naive suckers, then hell - enjoy the chaos

Don't need to think black hat - if the United Nations, US Dept of homeland (in)secure(ity) etc. can be compromised by injected SQL then maybe the frail should hide in a room and play a saxophone (Gene Hackman for you slashdot gurus)

....and

Re:

[maxwell demon]

I was tempted to mutter something about TDR, but not sure it works with "big cables"

They claimed Tokyo Disney Resort removed the cables? :-)

Re:

[TaoPhoenix]

Dear Andy,

Please sit down safely before I assist with your laughing attack.

Seriously now, combining all kinds of weird topics including international computer law etc, suppose Slashdot united as many of the 2,050,000 of us as Taco could muster and WE did our own study? It would be officially announced in Lawyer Advised Ways, but then *that's all the warning they get* - and even that is "too much"! (But ya have to be nice ya know.) Types range all the way from goatse from our new friends in the 2mil-uid crew

Re:

[cavreader]

It must be difficult for someone as smart as you to live in a world filled with idiots. Maybe you should stop hiding your brilliance and straighten these people out once and for all.

Nice acronym

[Hognoxious]

I wonder why "pan" was in the project's title but didn't get included in the name of the agency?

This was a communication exercise

[otmar]

Just for the record: This was purely a communication exercise. The scenario was just an excuse to get people to talk to each other. Technical realism was not a goal in this exercise.

One can argue whether the assumptions on the availability of the PSTN was warranted or not, but given the fact that a good number of the involved teams had no direct contact prior to this exercise, this exercise was a worthwhile first step.