Daily news of major hacks and cybercrime is generating a lot of concern about attacks on essential services and producing billions in revenue for organized crime. So, it isn’t surprising that Europe sees this as one of the top three existential threats it faces today, right above immigration and below climate change.
Unfortunately, there's no escaping the fact that commercial organizations remain a primary target for cybercriminals. Digital assets are usually the crown jewels of a business, especially when you consider the value of assets like IP, customer data and trade secrets. With many other types of organization, operators of essential services are developing increasingly digitalized business models, which acts only to widen the surface area for a cyber-attack. Consequently, the risk of an OES suffering a cyber incident is not going away, and there are right to be concerned about the possible consequences of this. Bryony Hurst, partner at Bird & Bird LLP, recently sat down with Inside Counsel to discuss this in more detail.
In Europe on May 9, 2018, the Network & Information Systems Directive (NISD) will come into force. This imposes strict obligations upon Operators of Essential Services to put in place appropriate and proportionate technical and organizational risk management measures, including measures to prevent and minimize the impact of incidents that affect the security of their systems and networks. It also obliges them to act swiftly when an incident occurs, both in terms of investigating the incident and reporting it to their regulator.
“If personal data of European citizens is impacted by the attack, then additional obligations under the General Data Protection Regulation (GDPR) are also likely to be triggered, which again relate to having appropriate measures in place and reporting incidents within a set period to the regulator and to any affected individuals,” explained Hurst. “Failure to comply with either the NISD or the GDPR provisions exposes OESs to severe financial penalties – depending upon the breach, as much as two or four percent of the company's annual global turnover. It is therefore imperative that OESs focus resources on achieving compliance with these laws as soon as possible after they are implemented in May 2018.”
According to Hurst, there are several ways that cyber criminals can generate income from carrying out attacks on businesses, but one method constitutes a growing threat – the use of ransomware (whereby a user is tricked into opening an infected email or pop-up, for example, which then downloads malicious code, locks down their device and generates a message containing demands in order to regain access. Sophisticated ransomware can infiltrate a company's entire system, as we witnessed in the May 2017 worldwide Wannacry ransomware attack. Statistics published by CNN recently noted that in Q1 2016 alone, over $209 million was paid to ransomware criminals.
“As the scale and sophistication of cyber-attacks continues to increase, it is easy to understand why fears are growing that, at some point, an attack will take place that not only temporarily brings downs a company's IT systems, but completely destroys them and leaves them unable to recover,” she said.
The Wannacry attack of May 2017 was followed by the Petya attack, which spread across over 60 countries in just days and brought down the operations of dozens of major corporations, including Reckitt Benckiser, FedEx and Maersk. Later, Maersk announced that its Q3 results were likely to be impacted by $200-300 million because of the attack, and certain of its operations were still not up and running more than two months after the attack. FedEx announced losses of a similar level.
However, it is not just the threat to the private sector that raises cyber to a top priority for Europe; the potential for attacks to paralyses essential public services is perhaps of even greater concern, per Hurst. For instance, during the WannaCry attack, the UK's National Health Service was subject to severe delays and disruptions and Germany's rail network was disrupted as a result of the infection spreading to its largest rail operator's systems. In a separate subsequent attack the UK Parliament was also hit by a massive cyber-attack, striking at the very heart of government. Fortunately, Hurst said, the fallout from these attacks was largely contained within a short period of time, but the potential for greater damage is something that cannot be ignored.
“The threats that accompany Europe's increased reliance upon secure digital systems cannot be underestimated,” he explained. “Not only could the next major cyber-attack bring down critical infrastructure but, as seen from the attack on the UK Parliament, it could also bring down the most fundamental organizations in our democratic systems.”
In addition, particularly as state-sponsored bad actors continue to target Western governments, it is not difficult to envisage an attack that focusses directly on the military capabilities of European Member States. In addition to these very serious concerns, the Commission's focus on cyber resilience is probably also fueled in part by its desire to establish and promote Europe as one of the world's leading digital economies. When it announced its Digital Single Market strategy in 2015, it identified cybersecurity as one of three main challenges to ensuring a fair, open and secure digital environment and described it as "essential to keep the online economy running and to ensure prosperity."
The EU's various bodies are already at work to promote cyber resilience in many ways. ENISA was established in 2004 and given a significant mandate. The NISD was first proposed in 2013 and has been heavily debated and refined ever since. The driver behind expanding its focus on cyber-security is the need for greater co-operation between Member States to ensure that individual countries' efforts are part of a comprehensive program. Recent attacks have demonstrated that multiple countries and industries are likely to be targeted simultaneously going forwards, and it will only be by establishing a uniform set of standard and sharing knowledge that the EU can hope to win not only each battle, but eventually also the war.