WannaCry Provided First Test of EU Cyberattack Coordination


By George Lynch

The European Union was able for the first time to present a coordinated cyberattack response when it faced the recent WannaCry ransomware hack, the head of the bloc’s network security agency told Bloomberg BNA in an interview.

The scope of the attack, which ultimately affected over 300,000 computers in some 153 countries, provided a real test of new systems put in place under an EU cybersecurity law, European Union Agency for Network and Information Security (ENISA) Executive Director Udo Helmbrecht said.

Helmbrecht has served as ENISA’s executive director since 2009. Prior to his appointment, he served as president of the German Federal Office for Information Security.

Businesses benefited from an improved information sharing and coordination system that allowed them to receive intelligence from companies in other countries that were first hit by the attack. In the WannaCry attack, cybercriminals unleashed a virus that locked user access to data unless a ransom was paid.

The EU Network Information Security (NIS) Directive that took effect in August 2016 allowed an EU-level intervention by creating a structure that the 28 member countries could use to share incident information with each other to combat the serious cyberattack, Helmbrecht said. The NIS Directive tasked ENISA with aggregating information about cybersecurity incidents at the EU level to accommodate businesses that increasingly operate across European country borders.

Helmbrecht said that the information sharing and cooperation among EU member countries, ENISA, and the EU’s central law enforcement agency, Europol, softened the spread of WannaCry throughout the EU and may prove important to law enforcement.

Information sharing about ransom paid via bitcoin to unencrypt the locked data could be posted to ENISA’s website and shared among Europol and national law enforcement agencies to help them in the effort to trace payments to cybercriminals, he said.

WannaCry Was Different

Unlike previous cyberattacks, WannaCry affected a variety of critical infrastructure industries, such as hospitals in the U.K. and railway companies in Germany, causing European-level law enforcement and information security organizations to deploy significant resources, Helmbrecht said.

Even the Mirai botnet, which used tens of millions of internet of things devices, such as wireless routers, to conduct a distributed denial-of-service (DDoS) attack in October 2016, was “more business as usual” than WannaCry, Helmbrecht said. “WannaCry was another dimension.”

ENISA set up a taskforce and invoked the EU Standard Operating Procedures allowed by the NIS Directive to manage the WannaCry attack. The directive requires each EU country to designate a Computer Security Incident Response Team (CSIRT); the teams come together in an EU-wide network, with ENISA providing leadership to oversee cooperation among the response teams.

“The principle is you have a national crisis management, then when it becomes pan-national crisis management,” then information starts being exchanged, Helmbrecht said. Having Europol as a partner made for faster coordination and quicker information sharing, he said.

“Ransomware is currently the top cyberthreat,” Helmbrecht said. ENISA named ransomware one of the top threats in its Threat Landscape Report 2016.

Preventing Cyberattacks

New cyberattack response protocols and information sharing help mitigate the spread of malware but don’t prevent cyberattacks, Helmbrecht said.

Companies, he said, can be “lazy” in failing to patch their systems, leaving the door open for cybercriminals. To thwart cyberattacks, they must practice better cybersecurity hygiene by updating and patching their systems, he said.

Individual computer users also need to be educated to avoid the temptation to click on email attachments, Helmbrecht said.

Lax data security standards employed by manufacturers of internet-connected devices are also a problem, he said. There is “an obligation on industry to have certain minimum standards.”

Setting stricter liability for industry and mandating security patches may be one solution, Helmbrecht said. Industry also needs to be better at incorporating security by design at the earliest stages of creating new services and products, he said.

ENISA is discussing what sort of cybersecurity labeling, standardization, and certification may be helpful, Helmbrecht said.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
