EUROPOLITICS / Defence Security

Security of networks

EU urged to prepare itself for large-scale cyber attacks

By Nathalie Vandystadt | Tuesday 28 October 2008

The European Union must give itself the means to counter cyber attacks, which are no longer the stuff of small-scale web hackers but of organised crime. This message has been relayed by a number of experts and seems to have been heard. Under impetus from the French EU Presidency, the Union’s 27 justice and home affairs ministers decided, on 24 October in Luxembourg, to give Europol, the European Police Office, a structure that will receive reports on offences transmitted by member states’ national platforms and pass on information concerning them to the national platforms.  

Cyber crime is a growing phenomenon that takes a number of forms: child pornography, credit card fraud, illegal site content, false university degrees, incitement to racial hatred or terrorism, targeted attacks on electronic networks, denial-of-service and hacking. “This implies a comprehensive response that tries to anticipate events,” commented French Home Affairs Minister Michèle Alliot-Marie. The creation of this platform “is a first step” that will allow “grouped investigations and therefore a saving of money and energy”. The new structure will also help determine the member states most likely to be able to respond to the criminal acts, thus avoiding multiple investigations. The Justice and Home Affairs Council, in late November, will adopt more general conclusions on an action plan against cyber crime.

Jacques Barrot, EU commissioner for justice, freedom and security, responded to the financial expectations with the release of €300,000 for the creation of this European structure. “Combating sexual abuse of children on the internet is an absolute priority for me and for the Commission,” he said. Child pornography today accounts for more than half of all cyber crime, according to the Commission. The EU executive is also prepared to offer financial help to the member states lacking a national platform. They have been asked by the Council to secure equipment or set up a common structure among several states.

Lastly, the Council asks these states to “encourage partnership among private and public players concerned with the fight against cyber crime”.

Urgent reaction 

A reaction had become pressing after the attacks in the spring of 2007, many of which came from Russia, against the very well developed internet network in Estonia. The attacks coincided with riots by Russian speakers who were unhappy about a monument to the Soviet army being moved. This summer, Georgian government websites also suffered from a similar attack in the middle of the armed conflict with Russia over Georgia’s separatist regions of South Ossetia and Abkhazia.

The European Network and Information Security Agency (ENISA), set up in 2004, recently called on member states to invest more in the security of networks and information, to launch awareness campaigns, to exchange more information and to create emergency reaction teams. For the moment, there are 14 of these computer emergency response teams (CERT) in the EU as opposed to eight in 2005. 

“More than a million computers in the world were used to attack Estonia in the spring of 2007,” said Tim Boerner, an expert from the US secret service, at a conference on the issue in Tallinn on 4 September, citing data received by the offices of secret services in Europe. Estonia’s banking network, in particular, had been paralysed.

“The cyber war against Georgia in August has shown that it can be part of a real war on the ground,” said Mart Laar, a former Estonian prime minister who has been advising Georgia’s President Mikhail Saakashvili for three years. At the NATO summit, in April 2007, Estonia secured agreement from alliance members for the opening of a cyber defence training centre.

Future of ENISA

The EU had the chance to be a lot more ambitious. The European Council and the European Parliament did not in the end go with the Commission’s idea of creating an anti-cyber attack elite cell within a telecoms 'super regulator'. It stayed with ENISA, which is based in Crete and whose mandate has been renewed until 2012. However, more thinking is due to be done on the effectiveness of the agency. “The European Network and Information Security Agency must be rethought in terms of these objectives [fight against cyber crime - Ed],” said French Socialist Catherine Trautmann, the European Parliament’s rapporteur on the revision of EU telecoms rules, to Europolitics recently.

She was the one who removed ENISA’s functions from the telecoms package, which is on the way to being adopted.

“Everything is done now online. We don’t want to witness an 11 September 2001-type digital attack,” said the Executive Director of ENISA, Andrea Pirotti, when visiting Brussels last May. “An attack would be very damaging but I can say that for the moment the situation has been under control,” he added. The agency’s role for the moment is to collect information and to serve as a broker between the member states. It does not have the power to pursue cyber terrorists and cyber crime. With a budget of €8 million per year and a staff of 50, ENISA needs more resources. Pirotti thinks that, from 2009, ENISA will need €15 million per year.


A reaction has become pressing since the cyber attacks against Estonian web networks

 


