CERTs, Law Enforcement Agencies Need Closer Ties but Challenges Block the Way, ENISA Says
Computer emergency response teams (CERTs) increasingly must work with law enforcement agencies to deal with cybercrime and cyberattacks, but their collaboration is being stymied by legal, regulatory, cultural and operational hurdles, the European Network and Information Security Agency (ENISA) said Wednesday. There has been little research on how to connect the two communities and the ENISA report on good practice for addressing network and information security aspects of cybercrime (http://bit.ly/TlzqMk) will help combat cyberincidents by identifying ways to surmount the challenges, the agency said.
The document is a “work in progress” but it’s clear that “while we may already be several steps closer to a smoother collaboration, we need to continue our common efforts to reach that goal,” ENISA’s report said. It noted several high-level strategic challenges between the two communities. One is the focus on different definitions of cybercrime/attack, with CERTs concentrating on unintentional incidents and attacks against the confidentiality, availability and integrity of information and communication technologies, and law enforcement authorities (LEAs) looking for evidence or suspicion of a crime, including where ICT systems haven’t been affected. The CERT community is informal and based on problem-solving, the police more procedural and rules-based. CERTs seek to fix problems, law enforcement to prosecute. CERTs are more likely to have to respond to requests, law enforcement agencies to send them.
Responses to ENISA’s online questionnaire uncovered several legal and regulatory factors keeping CERTs and LEAs from better cooperation. Replies suggested that CERTs aren’t commonly confronted with legal barriers, other than data protection compliance, which poses a major hurdle, ENISA said. CERTs appear to be aware of national laws but international harmonization efforts are less known, complicating cross-border assistance, it said. There are few standardized approaches for dealing with legal challenges, creating a lack of legal know-how with CERTs, which generally value prior experience, cooperation agreements and personal contacts over more formal instruments, it said. There are questions about CERTs’ powers and other regulatory issues.
There are also operational blockages between CERTs and LEAs, ENISA said. These come from, among other things, language barriers; a lack of trust about how information provided by CERTs will be used and sent on by police agencies; incorrect security clearances; lack of known and trusted personnel; or the absence of secure communication channels, it said.
The report makes five main recommendations: (1) More joint training between CERTs and LEAs. (2) Creating a single system for information-sharing between the two communities and defining the kinds of information they can share. (3) Considering if and how CERTs can play an investigative role for LEAs akin to the enforcement role environmental inspectors have, and legislating on the kinds of inquiries CERTs can undertake. (4) Creating good practice guides for information-sharing and developing a consensus on what constitutes a cyberincident. (5) Harmonizing and clarifying legal and regulatory aspects by, for example, giving CERTs specific guidelines and standardized templates for assessing whether information pertains to personal data and, if so, how to handle it; and establishing a clear regulatory footing for national/governmental CERTs to encourage smoother information flow.
Asked if ENISA, which has published several reports in recent years on cybersecurity threats and issues, is being taken seriously by EU governments, ENISA Public Affairs Unit Head Graeme Cooper said: “The threat landscape has changed since the Stuxnet attack. Cyber attacks can impact the entire society, its energy, food supplies, communications; in brief, modern society as we know it.” Politicians recognize that, he said. ENISA’s reports have had a “very good uptake,” he said. The smartphone security issue reports generally formed the basis for the Swedish civil contingency agency’s report on the same topic, he said.
ENISA’s new mandate is being updated to secure Europe’s information society, which will give the agency a stronger role, the ultimate proof of its importance, Cooper said. Moreover, the agency has successfully brought together diverse players in cybersecurity by, among other things, supporting CERTs in EU countries and taking a lead role in European cybersecurity exercises, he said. So “Europe is gearing up and putting cyber security ever higher on the political agenda ... which is inevitable, given that it is the basis for a modern society, and the digital economy of Europe,” he said in an email.
As to whether Europe’s economic meltdown has affected the development and take-up of cybersecurity measures, Cooper said ENISA’s message to company chiefs is that “cyber security IS the business, it is not an add-on, it is a must, which you cannot cut down on in stringent times.” If anything, the financial crisis has increased the need for security, because “you cannot afford not to have a tight security and to not take the online threats seriously.”