Organisers have drawn up their conclusions following a pan-European cyberwar exercise.
Cyber Europe 2016, the fourth cyber crisis exercise organised by the European Union Agency for Network and Information Security (ENISA), is one of the biggest international stress-test exercises to date.
Over 1,000 participants from all 28 EU member states, along with Switzerland and Norway, joined a simulated crisis lasting more than six months, culminating in a 48-hour event on 13 and 14 October 2016. The scenario featured a ransomware attack that in some ways foreshadowed the WannaCrypt and NotPetya attacks that have shaken the infosec world over recent weeks.
Cyber Europe 2016 offered opportunities for participants to increase their technical and operational expertise as well as testing their ability to handle crisis communication. National and governmental Computer Security Incident Response Teams, cybersecurity agencies, EU institutions and agencies, internet and cloud service providers, cybersecurity software and service providers, banks, energy companies and other critical infrastructure operators were all involved.
The exercise featured a dark scenario, inspired by events such as the blackout in Ukraine at Christmas 2015 or the dependence on technologies manufactured outside the jurisdiction of the EU. It also featured IoT, drones, cloud computing, innovative exfiltration vectors, mobile malware and ransomware. Previous exercises have been criticised for a focus on DDoS attacks, something the organisers appear to have addressed this time around. The exercise environment featured dozens of simulated news outlets, TV channels, search engines and social media platforms.
"The true value of ENISA's Cyber Europe 2016 is that it simulates cyber incidents that test and develop the member states' capability to work together and address cyber incidents that have a cross-border perspective," said Udo Helmbrecht, executive director of ENISA, in a statement. "The simulations are particularly useful in that they are designed to test technical, operational, public relations and political responses to cross-border cyber incidents."
Organisers said the exercise fostered cooperation between security providers and national authorities. "Participants had to follow existing business processes, agreements, communication protocols and regulations to mitigate effectively the situations presented to them," ENISA reports. "Such mechanisms were not always in place for all participants, which hindered the overall ability to reach full EU-level situational awareness."
Cyber Europe 2016 highlighted, as did previous exercises, the absence of a cooperation framework at EU level for crises stemming from cybersecurity incidents, of officially endorsed cooperation procedures and of a centralised hub. "The creation of the EU CSIRTs Network and the European Commission initiative to publish a crisis cooperation blueprint in 2017 are excellent developments in that regard," ENISA added.
The EU security agency concluded that technical capabilities and crisis communications were of a high standard, although the development of an overall strategy demonstrated scope for further improvement.
Organisational and individual cybersecurity preparedness and capabilities in the EU were excellent overall. Technical expertise, business continuity and crisis communications procedures were of a high standard. Nevertheless, the vision required to link technical- and operational-level response activities to strategic crisis management mechanisms was sometimes lacking, which proved detrimental to fostering crisis exit strategies supporting decision-making.
Findings from the exercise, including an after-action report and closure video, were published on Friday. ENISA hopes to use the exercise to work with partners across Europe in developing a cyber crisis cooperation plan as well as a prototype cyber crisis management platform. Meanwhile, preparations for Cyber Europe 2018 have already started.