UK-EU infosec data sharing may not be KO'd by Brexit, reckons ENISA bod
Ops director talks to El Reg about continential cybersecurity contrivances
Interview A senior EU cybersecurity official has said he is “optimistic” about information sharing between the UK and the political bloc continuing after Brexit.
In an interview with The Register, Steve Purser of the EU agency for Network and Information Security (ENISA) said that while it is “obvious” that the information-sharing relationship “will be changed… if the Brexit goes about”, he is keeping an open mind.
This could be seen as a contrast to the decidedly gloomy view being promoted today by a slack handful of retired defence and security bigwigs.
“ENISA and the [EU] Commission doesn’t just do things within our boundaries,” he said at France’s FIC2019 infosec shindig earlier this week. “My guess would be that [being] within the Union would give the best information sharing relationship. Having said that, we are looking for global approaches and we will make the best deal out of a bad situation.”
ENISA is a relatively small agency based in Greece, with its head office in Athens and an outpost in Heraklion, Crete. Employing 83 people at present, its ambition is to grow to “around 140” heads – and, presumably, expand its annual budget of just 11m euros. Following new EU cybersecurity directives in 2017, Purser told us, ENISA secured “a permanent mandate and [many] more responsibilites.”
“The most interesting thing about it from my point of view is that we get a very big new responsibility which is to set up an EU cybersecurity certification framework. This is a framework that will allow certifying authorities to certify everything from lightbulbs, toasters to atomic stations and submarines. And processes and services,” he added. This “voluntary” scheme would, in his vision, ultimately allow the general public to “understand and interpret” the security capabilities of consumer goods and “influence their purchasing decisions.”
ENISA functions by “leveraging the expertise of the [EU] member states”, said Purser. Rather than doing all its own work in-house, it aims to bring together “a community of experts” to work on problems and exercises. Though this seems like a very limited role, when we put this to Purser he emphasised how “scalable” ENISA’s setup is:
“By working like this, the ownership of the solution is with the community. That’s a powerful model because it’s then their solution and not ENISA’s solution. We do not pretend to be those that can save the world but by working together [with the EU] member states, together we can do an extremely good job.”
Surely, El Reg asked, it’s not all as smooth as that, and the EU’s traditionally top-down approach doesn’t really gel with the realities of frontline infosec? Purser, bespectacled and slightly flush from the powerful heating in Lille’s Grand Palais conference centre, nodded. “When we started out, we did terribly.”
Referring to a 2010 exercise that was a "failure", Purser said that “was the best possible thing that could have happened. Ever since then we’ve been doing exercises every two years and now have a very sophisticated setup. We have SOPs defined across borders… incidentally, they were used for Wannacry and Notpetya, so we had a better response than we would have done otherwise.”
In light of that failure, he said ENISA has three main objectives regarding incident response terms: identifying who to call; understanding that person’s “decision making powers and capabilities”; and exchanging, in a secure way, the right information to solve the problem.
“A lot of what ENISA does is bottom up,” he emphasised. “We get the experience on why some things worked well and others don’t, and we feed back into the policy loop.”
Don’t worry, be happy … oh, er, about that
In terms of what badness he sees coming our way this year, Purser was explicit: ENISA thinks black hats are getting more sophisticated and more geared towards hacking for profit rather than notoriety.
“We see, to a certain extent, a move towards hardware,” he said. “Spectre and Meltdown, the Rocker vuln, some evidence that things may be moving lower down in the stack to some extent.”
“Monetisation, for sure,” he continued. “People used to hack for reputation, now it’s about money. There are industrial level processes and quality systems supporting some attacks. We see people understanding the weaknesses of new technologies – but, of course, when new things come out like AI or robotics we can be ready for a whole new wave of attacks.”
Moreover, things are not going to get safer any time soon. Even new technologies bring their own unique set of threats with them, Purser agreed.
“Fundamental concepts are being threatened. For many years we assumed that safety and security were pretty much the same thing, whereas some things taught us that’s not necessarily true. The example I give is the Eurowings crash where the pilot used a security feature to crash the plane.* As we move into the world of cyberphysical systems, we cant assume they’re the same: we have to look very carefully at the two.” ®
* Andreas Lubitz, the Germanwings pilot who in 2015 murdered 150 people in cold blood as well as himself, waited until the aircraft captain briefly left the flight deck before locking the cockpit door shut and setting the autopilot to fly into the Alps. After the Twin Towers terrorist murders of 2001, all airliner cockpit doors were reinforced and made unopenable from the outside if locked.
Shortly after the Alps mass murder, Germanwings rebranded as Eurowings.