States across Europe have today carried out the region’s first ever cyber-attack ‘desk simulation’ designed to find weak spots in the way government organisations might behave if faced with the real thing.
Cyber Europe 2010 involves public-sector security organisations in the 27 EU member states plus Iceland, Norway and Switzerland in stress testing an imaginary scenario in which country after country faces growing disruption to its Internet infrastructure.
The thinking is that by involving government security agencies including national computer security incident response teams across Europe, it will test how countries interact with one another and whether key staff know who to contact in partner agencies in the event of problems.
Given the number of countries involved, it will also look at possible lurking language barriers and work out whether certain countries’ security response resources would cope in the event that channels such as the phone network are disrupted.
If it sounds grand, organisers ENISA (European Network and Information Security Agency) stressed that the scale and scope of the exercise was limited compared to high-profile exercises elsewhere in the world such as the US Department of Homeland Security’s recent Cyber Storm III.
The exercise was restricted to public agencies and would not involve private sector companies responsible for critical infrastructure, nor directly set out to test technical response and recovery.
One ENISA representative even described Cyber Europe II as having a “budget in the hundreds of Euros,” in an attempt to downplay its ambitions [this figure has been clarified as around 100,000 euros - Ed].
However, compared to US cyber-simulations, a European equivalent was always going to need a more limited first step to more advanced eventsin the future. Unlike the US, the EU and partner countries must grapple with co-ordinating around 30 different nations, each with its own cyber-security hierarchy.
The numbers involved in the exercise were put at 50 people in the Athens-based control centre plus another 80 around the continent in 70 organisations.
"This exercise to test Europe's preparedness against cyber threats is an important first step towards working together to combat potential online threats to essential infrastructure and ensuring citizens and businesses feel safe and secure online," said Neelie Kroes, formerly the EU Competition Commissioner but now vice president of the European Commission for the Digital Agenda.
Unofficially, the UK is seen as a lynchpin in EU cybersecurity efforts, which helps explain why on the day of the simulation Kroes visited the country’s Cyber Security Operations Centre (CSOC) with Security Minister, Baroness Pauline Neville-Jones.
The EU remains some way behind the US at conducting these sorts of simulations. Cyber Storm III, held at the end of September, was a large-scale technical test. This followed on from Cyber Storm II in April 2008, which is probably the most direct parallel to today's EU exercise.
ENISA will offer an initial report on Cyber Europe 2010 tomorrow, 5 November, with a more detailed analysis early next year.