Thursday

22nd Feb 2018

EU cyber assault would cost €86 million, expert says

  • A technician overlooks EU air traffic at Eurocontrol, the Brussels-based European air safety body - a potential target in any cyber assault (Photo: Eurocontrol)

A malicious foreign power could - given €86 million, 750 people and two years to prepare - launch a devastating cyber attack on the EU, a US security expert has said.

The assault would begin with a member of staff at, say, the London Stock Exchange or the French electricity grid operator, RTE, opening a PDF attachment in an email which looks as if it had been sent by a colleague.

Thank you for reading EUobserver!

Subscribe now for a 30 day free trial.

  1. €150 per year
  2. or €15 per month
  3. Cancel anytime

EUobserver is an independent, not-for-profit news organization that publishes daily news reports, analysis, and investigations from Brussels and the EU member states. We are an indispensable news source for anyone who wants to know what is going on in the EU.

We are mainly funded by advertising and subscription revenues. As advertising revenues are falling fast, we depend on subscription revenues to support our journalism.

For group, corporate or student subscriptions, please contact us. See also our full Terms of Use.

If you already have an account click here to login.

The PDF would contain software enabling a hacker on a different continent to silently take over his computer. Over time, the hacker would monitor the employees' keystrokes, sniff out passwords, and use the information to take over computers higher up the command chain, eventually putting him in a position to switch off the target's firewalls, leaving it open to DOS (Denial of Service) attacks, and to install RATs (Remote Administration Tools), which control its hardware.

Around 18 to 21 months down the line, with enough targets compromised, the assault could take place.

The EU 27 countries would wake up to find electricity power stations shut down; communication by phone and Internet disabled; air, rail and road transport impossible; stock exchanges and day-to-day bank transactions frozen; crucial data in government and financial institutions scrambled and military units at home and abroad cut off from central command or sent fake orders.

Normal life could be restarted in a few days' time. But the damage done to administrative capacity, consumer confidence and the economy by loss of vital data would last years.

Charlie Miller, a mathematician who served for five years at the US' National Security Agency stress-testing foreign targets' computer systems and designing "network intrusion detection tools," calculated the EU scenario on the basis of a more detailed study of US vulnerability.

Mr Miller said the bulk of the money, €83 million, would be used to pay an army of 750 hackers, with just €3 million spent on hardware - a testing lab with 50 computers, another two computers each per hacker and assorted smartphones and network equipment.

An elite corps would consist of 20 "world class" experts whose main job would be to find "0-day exploits" - previously undetected security gaps in popular software such as Windows, Java or Adobe. The experts would have to be paid a small fortune, over €200,000 each a year, or extorted.

Another 40 people, drawn from the enemy country's secret services or recruited inside EU member states, would get inside "air-gapped" facilities - the most secure targets, such as military command structures or air traffic control bodies, which are physically cut-off from the Internet in order to prevent cyber attacks. When the time came, the agents would un-airgap targets by connecting them to the Internet via 3G modems and satellite phones.

The rest of the cyber army, 690 people, mostly computer science graduates and post-graduates from inside the hostile state, would use the 0-day exploits to take over target networks. They would also collect, maintain, create and test "bots" - software which secretly uses computers in ordinary people's homes to run automated tasks, such as DOS attacks, which bombard target systems with overwhelming amounts of data. The final assault would require 500 million bots in diverse locations.

Dr Miller, who currently works for the Baltimore, US-based company, Independent Security Evaluators, admitted that Internet scare stories help firms like his to get business. But he noted that classic intelligence gathering, rather than hiring IT experts, is the best line of defence.

"It's really hard to defend against an attack that's well equipped and carried out by smart people. But you do have years to detect it before it happens. If you have an elaborate intelligence gathering network you could detect it, not technically because you can see it, but because you have human intel," he said. "If you want to spend your money well, spend it on your intelligence services."

Learning from Estonia

The threat of cyber war against EU targets became a reality on 27 April 2007 when hackers crashed Estonian online news agencies with DOS attacks in the middle of an Estonia-Russia political dispute.

The assault gathered pace over the next three weeks disrupting online banking services and government communications. Three and a half years down the line there is no hard evidence linking the attack to a foreign power, although activists in the pro-Kremlin youth group, Nashi, claim to have taken part.

"If these cyber attacks were used to test the Estonian cyber defense capabilities, much more sophisticated attacks could possibly follow, based on the knowledge acquired during the attacks," a report on the 2007 events by the Estonian government's Computer Emergency Response Team said.

Nato and EU countries are putting more resources into joint cyber-security projects.

Liisa Tallinn, a spokeswoman for Nato's Tallinn-based Co-operative Cyber Defence Centre of Excellence (CCDCOE), told this website that Turkey and the US are "about to" send staff to join personnel from its eight current participating countries - Estonia, Germany, Hungary, Italy, Latvia, Lithuania, Slovakia and Spain.

The CCDCOE in May ran a "Baltic Cyber Shield" exercise in which a "red team" of "friendly hackers" took on a "blue team" of defenders to try and disable factories and communications infrastructure. Part of the results will be made public in September.

'Like water out of the tap'

The EU's own cyber-security unit, the Crete-based European Network and Information Security Agency (Enisa), will in late October or early November carry out the first ever pan-EU cyber security exercise. Enisa spokesman, Ulf Bergstrom, said the exercise will look at disrupting normal Internet operations in the EU's internal market and the way EU member states' authorities co-operate across the union's internal borders.

Mr Bergstrom noted that Enisa's initial mandate, which covers security of ecommerce, online banking and mobile phones, is being expanded to cover cyber-criminality.

"We have been given political signals, for example by [information society] commissioner Neelie Kroes, to work more closely with agencies like Europol and Interpol," he said. "Cyber security is vital for the economy of Europe, to protect the businesses and operations of ordinary citizens. This is the digital society that we take for granted, like water out of the tap, which we need to defend."

The original text quoted Liisa Tallinn as saying France is about to join the CCDCOE. This quote was incorrect, as she did not mention France

Corruption report: Hungary gets worse, Italy makes progress

Italians, Czechs and Latvians perceive less corruption than a few years ago in Transparency International's annual ranking. The Berlin-based NGO said Finland was a 'worrying case', whilst Bulgaria - which holds the EU presidency - is EU's most corrupt.

UK seeks flexible transition length after Brexit

Britain wants to negotiate with Brussels the end date of the Brexit transition period - without saying what their preferred end date would be. The UK's position paper disagrees with the EU on other key points too.

Corruption report: Hungary gets worse, Italy makes progress

Italians, Czechs and Latvians perceive less corruption than a few years ago in Transparency International's annual ranking. The Berlin-based NGO said Finland was a 'worrying case', whilst Bulgaria - which holds the EU presidency - is EU's most corrupt.

News in Brief

  1. EU migration to UK at lowest since 2012
  2. MEP Andrieu will chair parliament pesticide committee
  3. Juncker's right-hand man warns of 'institutional blockage'
  4. Greek parliament to open probe on PMs and EU commissioner
  5. May gathers Brexit ministers to hammer out UK position
  6. Tajani asks Juncker for all EMA Brexit relocation documents
  7. Hahn: EU to back entry talks with Albania and Macedonia
  8. UEFA signs deal to promote 'European values' at EURO 2020

Stakeholders' Highlights

  1. EPSUMovie Premiere: 'Up to The Last Drop' - 22 February, Brussels
  2. Aid & Trade LondonJoin Thousands of Stakeholders of the Global Aid Industry at Aid & Trade London
  3. Macedonian Human Rights Movement Int.European Free Alliance Joins MHRMI to End the Anti-Macedonian Name Negotiations
  4. Mission of China to the EUChina-EU Tourism Year to Promote Business and Mutual Ties
  5. European Jewish CongressAt “An End to Antisemitism!” Conference, Dr. Kantor Calls for Ambitious Solutions
  6. UNESDAA Year Ago UNESDA Members Pledged to Reduce Added Sugars in Soft Drinks by 10%
  7. International Partnership for Human RightsUzbekistan: Investigate Torture of Journalist
  8. CESICESI@Noon on ‘Digitalisation & Future of Work: Social Protection For All?’ - March 7
  9. UNICEFExecutive Director's Committment to Tackling Sexual Exploitation and Abuse of Children
  10. Nordic Council of MinistersState of the Nordic Region 2018: Facts, Figures and Rankings of the 74 Regions
  11. Mission of China to the EUDigital Economy Shaping China's Future, Over 30% of GDP
  12. Macedonian Human Rights Movement Int.Suing the Governments of Macedonia and Greece for Changing Macedonia's Name

Latest News

  1. Poland and Greece broke EU environment laws, rules court
  2. Dutch MPs vote on ending 'Ukraine-type' referendums
  3. Corruption report: Hungary gets worse, Italy makes progress
  4. UK seeks flexible transition length after Brexit
  5. Commission defence of Barroso meeting leaves 'discrepancies'
  6. MEPs bar WMD and killer robots from new EU arms fund
  7. Canete gets EU parliament pension while still commissioner
  8. Bank of Latvia sends deputy to ECB amid bribery probe

Stakeholders' Highlights

  1. Dialogue PlatformBeyond the Errors in the War on Terror: How to Fight Global Militarism - 22 February
  2. Swedish EnterprisesHarnessing Globalization- at What Cost? Keynote Speaker Commissioner Malmström
  3. European Friends of ArmeniaSave The Date 28/02: “Nagorno-Karabakh & the EU: 1988-2018”
  4. European Heart NetworkSmart CAP is Triple Win for Economy, Environment and Health
  5. European Free AlllianceEFA Joined the Protest in Aiacciu to Solicit a Dialogue After the Elections
  6. EPSUDrinking Water Directive Step Forward but Human Right to Water Not Recognized
  7. European Gaming & Betting AssociationGambling Operators File Data Protection Complaint Against Payment Block in Norway
  8. European Jewish CongressEJC Expresses Deep Concern Over Proposed Holocaust Law in Poland
  9. CECEConstruction Industry Gets Together to Discuss the Digital Revolution @ the EU Industry Days
  10. Mission of China to the EUChina-EU Relations in the New Era
  11. European Free AlllianceEnd Discrimination of European Minorities - Sign the Minority Safepack Initiative
  12. Centre Maurits Coppieters“Diversity Shouldn’t Be Only a Slogan” Lorant Vincze (Fuen) Warns European Commission

Stakeholders' Highlights

  1. Dialogue PlatformWhat Can Christians Learn from a Global Islamic Movement?
  2. European Jewish CongressEJC President Warns Europe as Holocaust Memory Fades
  3. European Free AlllianceNo Justice From the Spanish Supreme Court Ruling
  4. Nordic Council of MinistersNordic Solutions for Sustainable Cities: New Grants Awarded for Branding Projects
  5. Mission of China to the EUTrade Between China, Belt and Road Countries up 15%
  6. Nordic Council of MinistersOresund Inspires Other EU Border Regions to Work Together to Generate Growth
  7. Mission of China to the EUTrade Between China, Belt and Road Countries up 15%
  8. AJC Transatlantic InstituteAJC Calls on EU to Sanction Iran’s Revolutionary Guards, Expel Ambassadors
  9. ILGA EuropeFreedom of Movement and Same-Sex Couples in Romania – Case Update!
  10. EU2017EEEstonia Completes First EU Presidency, Introduced New Topics to the Agenda
  11. Bio-Based IndustriesLeading the Transition Towards a Post-Petroleum Society