Limitations of EU Cyber warfare Planning Part 1

Towards the end of last week it was widely reported that Europe had “tested” itself against the threat of a cyber attack by unknown entities. By all accounts it appeared to go well, though the cynic would say “why would anyone say otherwise?” However, this differs from the relatively recent report in 2009 of a less than adequate response to a previous simulated cyber attack, which was spurred on by attacks on other sovereign states and a growing awareness of the vulnerability of society and of the impact of cyber-orientated threats on economic prosperity and global politics.

First let me make it very clear that I fully support the work of national and EU stakeholders responsible for understanding and managing cyber risk. Activities like these recent simulations need to, sadly, happen. However, from a practical point of view I have several observations, which I’m going to spread over this and a couple more blog posts.

Variety is the spice of life

This applies to so much in life including practising defending against cyber attacks.

The reports suggest that the simulated cyber attack which the EU member states defended against was a DDoS (Distributed Denial of Service) attack. This is the same technique, which I blogged about, used against Burma (Myanmar) during its general election recently. However, this is one of potentially many techniques that could be used. As techniques go, DDoS would be classified as the proverbial “hammer to crack a nut”. It is also as blunt as a spoon and as obvious as an elephant in a small room.

A better picture of the EU’s preparedness for a cyber attack would take into consideration much more than its ability to handle distributing / routing web traffic generated through a DDoS attack. “Yes”, it is helpful, but “No”, it falls short in the overall scheme of things because, just like in real warfare, no single attack wins an overall war.

How can the EU and member states prepare for the following cyber scenarios?

In my next blog I’ll identify briefly what other scenarios the EU and member states may want to consider. Register on my blog to know when I’ll be updating my blog next.

5 Responses to “Limitations of EU Cyber warfare Planning Part 1”

  1. otmar says:

    fyi,

    contrary to what some media wrote, this was not an exercise to test actual technical problem solving skills. The scenario was completely fictitious and far removed from the Internet as it exists.

    The scenario was just the story we needed to get all the European players to interact and cooperate with each other. We just as well might have used some fantasy RPG as the setting and got the teams to cooperate in slaying some virtual dragon.

    It was a communication exercise, not a technical exercise.

    • Bruce Hallas says:

      I appreciate what you have to say. You’re right to make the observation. As you’ll have noticed this is Part 1 of a small series of blogs I’m writing. Your points may be covered in the following blog posts over the next couple of weeks.

      As with any resilience / BCP testing there is always a need for the scene to be set. Clearly a DDoS attack was the threat in this case. My point is that DDoS is just one of the threats national states and the EU need to examine. Don’t you agree?

      Testing communications plans is essential. Though on its own not a real test of our ability to handle a real attack. But as with any real warfare an attacker would also have a plan for disrupting the means by which your communication plan is delivered or even the communication plan itself.

      Regarding your comment about fantasy RPG. Isn’t any future attack on national states or the EU a fantasy until it happens!? And the use of MMOGs / RPGs as a means of testing is arguably a real option, as I’ll mention in one of the next blogs.

      Keep an eye on the follow up posts to this blog. I’d welcome your comments.

      Bruce

  2. David Upton says:

    Yes, it was perhaps a limited scenario, but as Otmar says the purpose was to practice coordination between teams who have never exercised together beforehand. Besides DDOS was the basis of the 2007 attack on Estonia, so it’s not totally unreal. It’s easy to do and difficult to counter.

    I’ll be interested to see your promised next posting, of scenarios for the EU to consider next time round.

    • admin says:

      Thank you for taking the time to comment Dave.

      Not being party to the planning, I agree with Otmar’s and your suggestions that the purpose appears to have been to practice communication between different parties who’d be involved in managing a DDoS. Couldn’t you also say that the purpose of the exercise was to give re-assurance to EU governments, politicians, the business community and citizens that we have a “handle” on the problem? And, where opportunities for improvement have been found, to put forward a road map for addressing these gaps?

      DDoS has been widely reported in the media. The attacks on Estonia in 2007 did much to raise the profile amongst governments and also the public. However, wouldn’t it be feasible that things have moved on since then? Doesn’t Stuxnet illustrate this? Thank you for agreeing that the point I’m highlighting is that it was a limited scenario. As such, and as my next posts will highlight, it provides a limited level of re-assurance to the stakeholders. If so, shouldn’t this be part of the story being presented in the media?
