Many cyber security failures are still not detected – and even when they are, most are not reported to authorities or made known to the public, according to a study by the European Network and Information Security Agency.
When large data breaches or outages are made public they receive extensive media coverage – demonstrating the importance of the issue to society, says the report, which was published yesterday. But ENISA, the European Union’s cyber security agency, warned that even though reliable internet and electronic communications are now central to the economy, many incidents remain undetected or unreported.
“Cyber incidents are most commonly kept secret when discovered, leaving customers and policy-makers in the dark about frequency, impact and root causes,” said the authors of the paper, Dr Marnix Dekker and Chris Karsberg, in a statement. Their report identifies gaps in the regulatory framework around incident reporting, and calls for an improvement in sharing across the EU. There is “still little exchange of information between national authorities” about lessons learnt and best practices, despite the cross-border nature of the threat.
The report highlights a number of recent high-profile incidents. For example, in June, 6.5 million hashed passwords for the business-focused social network LinkedIn were published on hacker forums. In December 2011 the internet and phone connections of millions of people in Norway, Sweden and Finland were knocked out for two weeks by the Dagmar storm. And in October 2011 BlackBerry users could not send or receive emails after a failure at a datacentre in the United Kingdom. According to the study, only one out of five cases mentioned in the report fell within the scope of national regulators’ mandate for reporting cyber security incidents.
Nevertheless, “a lot of progress has been made, in terms of addressing incidents and increasing transparency”. The European Commission’s new cyber security strategy marks an “important step to increase transparency about incidents, and ultimately to prevent them or limit their impact”, the study adds.
And in May this year national regulators submitted the first annual reports under Article 13a of the EU’s telecom package. The information, while incomplete due to the different approaches taken in different countries, describes 51 major incidents that took place in 2011 and will “provide valuable insight into the types of threats facing the European electronic communications sector”. A summary of the reports will be published in September.
Professor Udo Helmbrecht, executive director of ENISA, said: “Incident reporting is essential to obtain a true cyber security picture. The EU’s cyber security strategy is an important step and one of its goals is to extend the scope of reporting provisions like Article 13a beyond the telecommunications sector.”