25/10/2010

Defending Europe's Cyberspace

By Lasse Böhm, German and Luxembourg Press Adviser

A new virus

A new virus appeared on the scene in 2009. Called Stuxnet, it was so complex that the implications of what it could do only became clear a few months ago. But it has contributed to cyber defence climbing the agendas of security and defence ministers.

Stuxnet has infected operating systems on equipment manufactured by the German industrial giant Siemens and has been found to target the industrial infrastructure at the core of our economies. Its potential for damage grabbed headlines in October this year when it became clear that an Iranian nuclear power station had succumbed to an attack by the virus. Problems with equipment at another facility suspected by some to be involved in a uranium enrichment programme compounded fears.


In Parliament

Following the most recent attack of the Stuxnet computer virus against suspected nuclear facilities in Iran, the European Parliament's Subcommittee on Security and Defence held an in-depth hearing on cyber attacks, featuring experts from the European Commission's unit for the protection of critical infrastructure, the European Agency on Network and Information Security, and Nato's Tallinn-based Cyber Defence Centre.

The discussion evaluated the range of threats for computer networks, government infrastructure and businesses, and included an assessment of the legal basis for investigating and punishing cyber crimes, cyber attacks and espionage in the digital sphere.


Why now?

The time is ripe for Europe to act: even before Stuxnet had demonstrated the vulnerability of industrial infrastructure to digital manipulation, the United States identified network security as a key national priority, with President Obama declaring America's digital infrastructure a "strategic national asset". In May 2010 the Pentagon set up the new Cyber Command in order to defend US networks from foreign attacks.


A beginning

In 2009, the European Commission presented its assessment of the situation in a communication on critical infrastructure protection, concluding that "Cyber-attacks have risen to an unprecedented level of sophistication", with Estonia and Lithuania having been targets of such attacks already. The Commission report highlights the dangers of fragmentation and inefficiency if Member States act only individually and calls for a joint effort to secure Europe's digital space.


Some interesting facts from Parliament's hearing

• The World Economic Forum estimated in 2008 that there is a 10 to 20% probability of a major Critical Information Infrastructure (CII) breakdown in the next 10 years, with a potential global economic cost of approximately $250 billion
• The US Business Roundtable in 2007 suggested that the economic costs of a month-long Internet disruption to the United States alone could be more than $200 billion
• According to the OECD's report on “Malicious software”, the estimated annual loss to United States businesses caused by malware is USD 67.2 billion
• The macroeconomic costs of a major disruption to Switzerland, having an annual GDP of CHF 482 billion (EUR 317 billion) are estimated at CHF 6 billion (EUR 3.9 billion), i.e. 1.2% of GDP