DIRECTORATE GENERAL FOR INTERNAL POLICIES
POLICY DEPARTMENT A: ECONOMIC AND SCIENTIFIC POLICY
INDUSTRY, RESEARCH AND ENERGY
Data and Security Breaches and
Cyber-Security Strategies in the EU
and its International Counterparts
NOTE
Abstract
This long briefing provides an overview of the definition of security incidents and breaches and an analysis of their scale and trends. We summarise the current EU-level efforts to address network and information security, review some of the provisions of the Commission’s 2013 proposals for a Network and Information Security Directive and offer recommendations. We have some potentially major concerns, including the relationship between incident notification and achieving the outcomes of the Directive, the potential for overlapping regulation, and the definitions of covered entities. We also suggest that it would be helpful to clarify what kind of incidents the Directive is aimed to address.
IP/A/ITRE/NT/2013-5
PE 507.476
September 2013
EN
This document was requested by the European Parliament's Committee on Industry, Research and Energy.
AUTHORS
Mr Neil Robinson (RAND)
Ms. Veronika Horvath (RAND)
Prof Jonathan Cave (RAND)
Dr Arnold P. Roosendaal (TNO)
Dr Marieke Klaver (TNO) (as reviewer)
RESPONSIBLE ADMINISTRATOR
Fabrizio Porrino
Balazs Mellar
Mariusz Maciejewski
Policy Department Economic and Scientific Policy
European Parliament
B-1047 Brussels
E-mail: Poldep-Economy-Science@europarl.europa.eu
LINGUISTIC VERSIONS
Original: EN
ABOUT THE EDITOR
To contact the Policy Department or to subscribe to its newsletter please write to:
Poldep-Economy-Science@europarl.europa.eu
Manuscript completed in September 2013.
© European Union, 2013.
This document is available on the internet at: http://www.europarl.europa.eu/studies
DISCLAIMER
The opinions expressed in this document are the sole responsibility of the author and do
not necessarily represent the official position of the European Parliament.
Reproduction and translation for non-commercial purposes are authorised, provided the
source is acknowledged and the publisher is given prior notice and sent a copy.
Data and Security Breaches and Cyber-Security Strategies in the EU and its International Counterparts
CONTENTS
CONTENTS 3
LIST OF ABBREVIATIONS 7
LIST OF TABLES 10
LIST OF FIGURES 12
EXECUTIVE SUMMARY 15
1 INTRODUCTION 21
1.1 Our methodology 22
1.2 Structure of this report 22
2 WHAT ARE SECURITY INCIDENTS AND DATA BREACHES AND HOW DO THEY OCCUR? 23
2.1 Background 23
2.2 Security incidents 24
2.2.1 Malicious incidents 29
2.2.2 Accidents 34
2.2.3 Incidents arising from natural causes (‘force majeure’) 35
2.2.4 Other physical incidents of relevance 35
2.3 Legal basis of definitions 37
2.3.1 Security incident 39
2.3.2 Security breach 39
2.3.3 Data breach 40
2.4 Generalising comparisons between cyber attacks and the real world 40
2.5 Conclusions 41
3 WHO IS AFFECTED AND WHERE? THE SCALE AND TRENDS OF SECURITY INCIDENTS AND BREACHES 42
3.1 Collection of data on incidents 43
3.1.1 Anecdotal evidence 43
3.1.2 Evidence from the industry: surveys and other empirical data 44
3.1.3 Official statistics 49
3.1.4 Evidence from cyber security and technology companies 58
3.2 Costs of breaches 65
3.2.1 Extrapolating from ISBS to an EU-wide estimate 71
3.3 The reaction: the state of cyber-security preparedness in EU enterprises 74
3.4 Cyber-security practices in public administrations 76
3.5 Cyber-security skills and preparedness of European citizens 76
3.6 Conclusions 78
4 HOW IS EUROPE CURRENTLY MANAGING THESE PROBLEMS? 80
4.1 Overview of the interaction between European-level institutions 82
4.1.1 The European Network and Information Security Agency (ENISA) 83
4.1.2 The European Forum for Member States (EFMS) 87
4.1.3 The European Public–Private Partnership for Resilience (EP3R) 87
4.1.4 The CERT-EU 89
4.1.5 The European Cybercrime Centre (EC3) 90
4.2 Other organisations 92
4.2.1 The Collège Européen de Police (CEPOL) 92
4.2.2 The European Cybercrime Training and Education Group (ECTEG) 93
4.2.3 The European Data Protection Supervisor (EDPS) 93
4.2.4 The Article 29 Working Party 93
4.2.5 The European Public–Private Partnership for Trust in Digital Life (EP-TDL) 94
4.2.6 The Advanced Cyber Defence Centre (ACDC) 94
4.2.7 Networks of incident response teams 96
4.2.8 The Anti-Phishing Working Group (APWG) 96
4.3 Conclusions 96
5 MEASURES FORESEEN IN THE PROPOSAL FOR A NIS DIRECTIVE 98
5.1 Overview of the NIS Directive 98
5.2 Why an incident notification regime? 99
5.3 What entities are covered? 100
5.3.1 Public administrations 101
5.3.2 Social networking services 102
5.3.3 Hardware and software providers 102
5.3.4 Micro-enterprises 103
5.3.5 Definition of market operator 103
5.3.6 Territoriality and cloud computing service providers 104
5.4 Impact assessment 104
5.4.1 Overlap with other proposed breach notification regimes 105
5.4.2 Overlap with legislation relative to critical infrastructures 108
5.4.3 Costs of the system outlined in the proposal for a NIS Directive 110
5.4.4 Administrative burden 117
5.5 Supply side factors in the market for cyber security 122
5.6 Estimating the total costs for investment in cyber security 123
5.7 Conclusions 124
6 RELEVANT CYBER SECURITY PRACTICES IN OTHER JURISDICTIONS 125
6.1 Introduction 125
6.2 Incident reporting and notification regimes in selected third countries 125
6.2.1 The United States 125
6.2.2 Japan 130
6.2.3 Australia 130
6.2.4 South Korea 131
6.2.5 India 132
6.3 The difference between incident reporting mechanisms and data breach notification regimes 133
6.4 Comparison of notification regimes covering losses of personal data in selected jurisdictions 134
6.5 Non-regulatory information sharing mechanisms 138
6.6 Approaches in other sectors 139
6.7 Conclusions 140
7 WHAT ARE THE POTENTIAL PITFALLS WITH THE PROPOSALS FOR A NIS DIRECTIVE? 142
7.1 Analysis from the Impact Assessment Board (IAB) 142
7.2 General considerations 143
7.3 Uncertainty over public disclosure versus private notification with regard to security incidents and data breaches 144
7.4 Vague understanding of public–private partnerships 145
7.5 Centralising effects may cause divergence in implementation 145
7.6 Regulatory duplication 145
7.7 Proposed mandates of CAs and CERTs encourage a reactive and technical focus 146
7.8 Additional reporting requirements might lead to fragmentation of consideration of risk and poor outcomes for cyber security 146
7.9 Conservative understanding of current approaches to implementing cyber security in SMEs would cause inefficiencies 147
7.10 Little attention given to other stakeholders that collect and process incident information on behalf of customers 147
7.11 Multiple reporting mechanisms create additional burdens 147
7.12 Obligations fall on those more likely to be doing something already 148
7.13 Regulation of internet economy enablers is without precedent 148
7.14 Conclusions 148
8 RECOMMENDATIONS 149
8.1 Strive for transparency in the EU policy framework for cyber security 149
8.2 Make reporting voluntary rather than mandatory 149
8.3 Exploit and strengthen existing information sharing channels 150
8.4 Elaborate a larger role for existing sector-specific regulators 150
8.5 Consider the use of guidance as part of stock market listings to encourage good security behaviour by publicly listed firms 150
8.6 Facilitate creation of an informal trusted information sharing mechanism for internet enablers 151
8.7 Adapt Article 13a to cover critical infrastructure owners only and broaden its scope to include security incidents not resulting in outages 151
8.8 Create an informal trusted information sharing mechanism for public administrations 151
8.9 Engage SMEs through Chambers of Commerce and grassroots cyber-security initiatives 152
8.10 Leverage international practice in implementation guidance for ENISA to take forward for implementation 152
References 153
NOTES 168
LIST OF ABBREVIATIONS
ACDC Advanced Cyber Defence Centre
ACLU American Civil Liberties Union
APT Advanced Persistent Threat
APWG Anti-Phishing Working Group
CA Competent Authority
CEPOL European Police College
CERT Computer Emergency Response Team
CIIP Critical Information Infrastructure Protection
CIP Critical Infrastructure Protection
CISPA Cyber Intelligence Sharing and Protection Act
CLUSIF Club de la Sécurité de l'Information Français
CSIRT Computer Security Incident Response Team
CSOC Cyber Security Operations Centre (AUS)
DDoS Distributed Denial of Service
DPA Data Protection Authority
EC European Commission
EC3 European Cybercrime Centre
ECTEG European Cybercrime Training and Education Group
EDPS European Data Protection Supervisor
EFMS European Forum for Member States
ENISA European Network and Information Security Agency
EP3R European Public–Private Partnership for Resilience
EuroSCSIE European Supervisory Control and Data Acquisition and Control
Systems Information Exchange
FTE Full-time Equivalent
GCHQ Government Communications Headquarters (UK)
GDP Gross Domestic Product
HIPAA Health Insurance Portability and Accountability Act
IAB Impact Assessment Board
ICT Information and Communication Technology
ISAC Information Sharing and Analysis Centre
ISBS Information Security Breach Survey
ISO International Organization for Standardization
ISP Internet Service Provider
ITRE Industry, Research and Energy
MS Member State
NATO North Atlantic Treaty Organization
NCSC National Cyber Security Center (NL; SK)
NERC National Electric Reliability Council (US)
NIS Network and Information Security
NIST National Institute for Standards and Technology (US)
OCSIA Office of Cyber Security and Information Assurance (UK)
OECD Organisation for Economic Co-operation and Development
OSCE Organisation for Security and Co-operation in Europe
PII Personally Identifiable Information
PPP Public–Private Partnership
SEC Securities and Exchange Commission (US)
SIR Security and Intelligence Report
SME Small and Medium-sized Enterprise
TISN Trusted Information Sharing Network (AUS)
TLD Trust in Digital Life
UN United Nations
WARP Warning, Advice and Reporting Point
LIST OF TABLES
TABLE 1 The major potential pitfalls associated with the proposal for a NIS Directive 19
TABLE 2 The main recommendations of the study 20
TABLE 3 Examples of data breaches collected by Hackmageddon in the EU since October 2012 31
TABLE 4 Comparisons of definitions of security incident, security breach and data breach 37
TABLE 5 Generalised comparisons between cyber attacks and real world incidents 40
TABLE 6 Overview of available data sources 42
TABLE 7 Analysis of costs from 137 claims made by US firms on data breaches of personally identifiable information in 2009-2012 69
TABLE 8 Cost breakdown for information security breaches by company size 70
TABLE 9 Minimum direct cost estimates by category of attacks and enterprises 74
TABLE 10 Comparison between Directive 2008/114/EC and the proposal for a NIS Directive 109
TABLE 11 Cost framework proposed by the NIS Directive 110
TABLE 12 Current landscape of competent authorities and national level CERTs in Member States 111
TABLE 13 Government organisation models in EU countries 114
TABLE 14 Numbers of people in some existing cyber-security units (equivalent to CAs) 115
TABLE 15 Numbers of law enforcement personnel working on cyber crime in 2010 at Member State level and in the HQ 116
TABLE 16 Categories of incidents and relevant legal frameworks for reporting 119
TABLE 17 Example risk management measure and types of cost 121
TABLE 18 Estimate of costs of information security measures in the UK, Italy, Germany, France, Japan and the US 124
TABLE 19 NIST framework core draft 126
TABLE 20 Example 10-K filings from US financial services according to SEC rule 129
TABLE 21 Statistics on cyber-security personnel in the Republic of Korea 132
TABLE 22 Comparison of security incident reporting mechanisms to data breach notification mechanisms 134
TABLE 23 Overview of national level data breach notification systems 135
TABLE 24 Security incident and data breach notification regimes in selected third countries 137
TABLE 25 Examples of non-regulatory information sharing mechanisms 138
LIST OF FIGURES
FIGURE 1 The relationship of security incidents to security and data breaches 16
FIGURE 2 Framework for the study 22
FIGURE 3 The relationship of security incidents to security breaches and data breaches 28
FIGURE 4 The logic of adversary-driven incidents 29
FIGURE 5 The number of incidents in Italy 44
FIGURE 6 Sector breakdown of targets in Italy in 2012 45
FIGURE 7 Targets by sector in Italy in 2011 46
FIGURE 8 Percentage of firms experiencing an incident in the context of major events in the UK 47
FIGURE 9 Breakdown of targets of sophisticated attacks by sector per month in 2013 48
FIGURE 10 The number of incidents reported by companies in France for the preceding year 49
FIGURE 11 Percentage of incidents affecting different services, incidents reported under article 13a to ENISA 50
FIGURE 12 Average number of users affected by incidents reported under Article 13a 50
FIGURE 13 Total number of incidents reported to DK-CERT 52
FIGURE 14 Information security breaches reported in South Korea 53
FIGURE 15 Incident reports received by US-CERT 1998–2003 54
FIGURE 16 The number of incidents reported to US-CERT 2006–2012 55
FIGURE 17 Total vulnerabilities catalogued by CERT/CC 1995–2008 56
FIGURE 18 Sectoral breakdown of security incidents reported to the National Intelligence Agency, Korea 57
FIGURE 19 Trends in security incidents reported to the KNPI
FIGURE 20 Number of reports of cyber crimes in Germany (000s)
FIGURE 21 SIR scores for European countries 2012
FIGURE 22 2012 Security Intelligence Report index to GDP and the online population (>15m)
FIGURE 23 2012 Security Intelligence Report index to GDP and the online population (
many incidents -> effective response -> hiatus; repeat cycle). Second, reports alone cannot capture all important characteristics such as motivations, methods used, different probabilities of detection, incentives to report and the effectiveness of passive, active and specific countermeasures, all of which should be taken into account when drawing inferences from these data about the true incidence, prevalence and impacts of cyber threats.
Google Scholar: http://scholar.google.com
ACM Digital Library: http://dl.acm.org/
2 WHAT ARE SECURITY INCIDENTS AND DATA BREACHES AND HOW DO THEY OCCUR?
KEY FINDINGS
• Understanding what constitutes an incident or breach can be technically challenging; therefore the available definitions used by different actors overlap only in part.
• Internationally recognised standards such as ISO 27005:2008 define security events and incidents. For example, the ISO definition of a security incident is: ‘a single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security’.
• Article 13a of the EU’s 2009 Framework Directive and ENISA’s 2011 Guidance on Technical Incident Reporting currently define what should be reported as a breach. ENISA defines a security breach as a ‘breach of security or a loss of integrity that has a significant impact on the operation of electronic telecommunications networks and services’.
• Adversaries with malicious intent can use different approaches to target the integrity, availability and/or confidentiality of data. However, incidents and breaches need not be the result of malicious intent: they can be driven by human, organisational or natural phenomena.
The preamble to the proposal for a NIS Directive refers to security incidents as ‘deliberate or accidental security incidents’9 and, in the definition in Article 3(4), to ‘any circumstance or event having an actual adverse effect on security’ in the context of, according to Article 3(2), an ‘accident or malicious action that compromise the availability; authenticity, integrity or confidentiality of stored or transmitted data or the related services’.
We analyse this definition further in this chapter.
2.1 Background
The conceptual understanding of online security incidents (or data breaches) is undoubtedly extremely complex, for various reasons, not least those of a technical nature.10 Definitions discussed in different communities are not standardised and may overlap: a single breach from the perspective of one community may be considered to be several security incidents by another (for example, malware variants are delimited according to different standards regarding the difference that must exist between two variants for them to be registered as separate malware). For instance, parts of the zero-day vulnerability in Stuxnet have been re-used in other examples of malware, but do not count as Stuxnet attacks themselves.11
9 Ibid.
10 Howard et al., 1998.
11 A ‘zero-day vulnerability’ is a security gap in software that is unknown to the vendor, and is exploited by attackers before the vendor is aware of the gap and can patch the software. The name refers to the fact that there are zero days between the vulnerability becoming known and the first attack (Source: PC Tools, Definition of zero-day vulnerability, http://www.pctools.com/security-news/zero-day-vulnerability/).
It is also highly important to understand that security incidents with a malicious motivation resulting in breaches may exploit socio-technical (behavioural, organisational or procedural) vulnerabilities instead of, or together with, vulnerabilities expressed in technical terms (for example, ‘product x having bug y’).12
Various types of guidance are available to define incidents, and some are encapsulated in internationally recognised standards (sets of agreed practice concerning security). These include:
• ISO/IEC 27001:2005 – Information technology – security techniques – information security management systems – requirements13
• ISO/IEC 27035:2011 (revising ISO/IEC TR 18044:2004) Information technology – security techniques – information security incident management
• Standards of individual Member States (for instance BSI)
• NIST SP 800-61 Computer security incident handling guide: recommendations of the US Department of Commerce, National Institute of Standards and Technology
• CMU/SEI-2004-TR-015 Report on defining incident management processes for computer security incident response teams (CSIRTs).14
2.2 Security incidents
A security incident may be understood as something that arouses interest or raises a particular warning or alert with regard to a desired or attained security posture.
ISO/IEC Standard No. 27005:2008 (revised by ISO/IEC 27005:2011) is an international standard for security techniques and information security risk management, to which several Member State standards are aligned.15 Effectively, it constitutes a set of broadly accepted practice relating to security and contains commonly understood terms. This standard defines an information security event as:
an identified occurrence of a system, service or network state indicating a possible breach of IS policy or failure of safeguards, or a previously unknown situation that may be security relevant16
and states that an information security incident:
is indicated by a single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security.17
12 Breaches may also occur as a result of accident, at system boundaries or through failure of communications and co-ordination (especially where disposal or loss of physical devices is concerned).
13 The ISO/IEC 27001:2005 standard is going to be replaced by ISO 27001:2013 in the course of 2013.
14 Alberts et al., 2004.
15 E.g. BSI IT-Grundschutz standards on Information Security Management Systems; BSI BS 7799-3:2006 on Information Security Management Systems standards package, first established in 1995, was a precursor to ISO 27001. See http://www.bsi.de/english/gshb/; Susanto et al., 2010.
16 ISO definitions: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=56742
17 Ibid.
Examples of incidents include an alarm being triggered on an intrusion detection system, analysis of security incident event monitoring data resulting in flagged patterns, certain kinds of suspicious behaviour being logged (port scanning,18 for example) by specialised network security personnel, or a report from an end-user about odd behaviour occurring on their computer. Consider a ‘distributed denial of service’ (DDoS)19 attack, for example. Technically, this may be legitimate traffic, but the sheer scale and speed of the requests to a server (in other words, a pattern) alerts administrators and security personnel that this is something unusual and to be considered a security incident.
US-CERT defines an ‘incident’ as ‘the act of violating an explicit or implied security policy’,20 but this is a very ‘security orientated’ understanding of the word. A practical example of an incident may also be a sudden slowing or loss of internet connectivity, caused by problems upstream in the network (for example, an outage in an electricity power station). The complex dependency of internet infrastructures on energy provision makes it difficult to determine exactly how incidents in one infrastructure relate to consequences in another.
The RFC 2350 guide, laying down expectations for the functioning of CSIRTs, defines security incidents as ‘any adverse event which compromises some aspect of computer or network security’. However, the guide notes that these are very general categories and emphasises that attacks, even if they failed because of proper protection, can be regarded as incidents; often it is the task of the entities performing the response to make a distinction between the two.21
The US Committee on National Security Systems Instruction No. 4009 defines an ‘incident’ as an ‘assessed occurrence having actual or potentially adverse effects on an Information System’.22
Operational definitions proposed by NIST might be thought of as the most comparable to those from ENISA.
The non-binding US National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (NIST SP 800-61 rev. 2 from 2012)23 discusses events, adverse events and incidents. It does so from the perspective of those that are computer-security related, not those caused by probabilistic events such as natural disasters, power failures and so on.
18 As described in Lee et al., 2001, port scanning is a method that can be used as part of an attacker’s strategy of searching for susceptible, vulnerable hosts. The activity involves sending a message to a port and listening for an answer. The received response indicates the port status and can be helpful in determining a host’s operating system and other information relevant to launching a future attack.
19 As outlined by the US Computer Emergency Readiness Team (US-CERT), 2009, in a denial of service attack an attacker attempts to prevent legitimate users from accessing information or services. By targeting a computer and the network connection of the user, attackers may be able to prevent you from accessing e-mail, websites, online accounts (banking, etc.) or other services that rely on the affected computer. With a distributed denial of service attack, attackers take over other computers and use them, for instance, to send huge amounts of data to a website or send spam to particular e-mail addresses. The attack is ‘distributed’ because the attacker is using multiple computers to launch the denial of service attack.
20 US-CERT incident definition: http://www.us-cert.gov/government-users/compliance-and-reporting/incident-definition
21 The purpose of this 1998 document was to express the general internet community's expectations of computer security incident response teams. It was not possible to define a set of requirements that would be appropriate for all teams, but it was considered helpful to list and describe the general set of topics and issues which are of concern and interest to constituent communities. http://www.ietf.org/rfc/rfc2350.txt
22 Committee on National Security Systems, 2010.
23 National Institute of Standards and Technology, 2012.
Events might include any observable occurrence in a system or network, such as a server responding to a request for a web page, a user sending an e-mail or a firewall blocking a connection attempt.
NIST’s Computer Security Incident Handling Guide defines adverse events as:
events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. This guide addresses only adverse events that are computer security-related, not those caused by natural disasters, power failures, etc.
It further defines a computer security incident as:
a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices.24
A proposed US bill from 2013 on Co-ordination of Federal Information Security Policy proposes a definition of an incident in Section 332 of Title 44 of the US Code as an occurrence that:
• actually or imminently jeopardises without lawful authority the integrity, confidentiality or availability of an information system or the information that system controls, processes, stores or transmits; or
• constitutes a violation or imminent threat of violation of law, security.25
Finally, as an example of a definition from a critical infrastructure provider, the US National Electric Reliability Council (NERC) defines a security incident as:
Any malicious act or suspicious event that: Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or, Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber Asset.26
Despite this, under the US regulatory system, each critical infrastructure has a sector-specific plan that outlines definitions applicable to that particular sector. For example, the US Defense Industrial Base pilot, in its interim rule27 (hereinafter ‘Interim Rule’) from 2012, defined a cyber incident as:
actions taken through the use of a network that result in an actual or potentially adverse effect on an information system and/or the information residing therein.
24 Ibid.
25 Federal Information Security Amendments Act, 2013, pp. H2037–H2042.
26 North American Electric Reliability Corporation, 2013.
27 US Department of Defense, 2012.
The Defense Industrial Base (DIB) pilot rule also defined threats as:
any circumstance or event with the potential to adversely impact organization operations (including mission, functions, image, or reputation), organization assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
The Japanese CERT, JP-CERT, defines an incident as:
• Human manipulation related to computer security
• Abuse of resources, denial of service, breaking data, information leakage28
A security breach, by contrast, may be considered to occur when an incident breaches or causes a state where certain perimeter-based security controls are compromised. The term ‘breach’ implies the penetration of a barrier or some other form of protection mechanism.
At the same time, the term ‘data breach’ has acquired the common understanding (and the understanding at which the legal framework aims) that data breaches are those incidents resulting in the compromise of the confidentiality, integrity or availability of personal data (as defined by the Data Protection Directive 95/46/EC), although technically the term might cover a range of data types beyond personal data (e.g. intellectual property, classified information). EU Member States largely conform to this legislation in defining the conceptual and legal frameworks of their relevant systems.29 Therefore, there is little evidence of courts or competent authorities utilising definitions not aligned with the ones laid down by the Directives.
The US Health Information Technology for Economic and Clinical Health (HITECH) rule in the Health Insurance Portability and Accountability Act (HIPAA)30 defines a breach as:
an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
In January 2013 the Breach Notification Rule was amended.31 The US Department of Health and Human Services defined breach as: ‘the acquisition, access, use or disclosure of Personal health information (PHI) in violation of the Privacy Rule that compromises the security or privacy of the PHI’. The amendments replaced the ‘significant risk of financial, reputational or other harm’ standard with the model that, notwithstanding exceptions, an impermissible use or disclosure of personally identifiable information is presumed to constitute a breach unless the covered entity can demonstrate that there was a low probability that personal health information had been compromised, based on, at a minimum, a four-part risk assessment.
28 JP CERT, 2008.
29 Article 29 Working Party, 2011, p. 32.
30 Interim final breach notification regulations, issued in August 2009, implement section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
31 Final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the HITECH Act of 2009.
The multidisciplinary character of vulnerabilities, incidents and breaches can become complex to understand. For example, the loss of unencrypted laptops can be seen as a failure of policy and procedure where those using the laptops expected them to be encrypted (yet they were not) and therefore behaved more recklessly in their use. Such challenges become even more acute with regard to individually owned devices (under the bring your own device, BYOD, model).
Figure 3 presents a broad classification of how these terms are sub-sets of one another.
Figure 3: The relationship of security incidents to security breaches and data
breaches (Source: RAND Europe)
However, this is a somewhat (and necessarily) simple and abstracted picture. A security
incident may result in a data breach where an adversary targets personal data in order to
obtain or copy it illegitimately. A security incident may also not involve personal data at
all: a DDoS attack, for example, does not target personal data but aims to take the target
offline.
Regulators may also choose to include certain types of incident and not others. The
proposed legislation on information security breaches under consultation in the
Netherlands, for instance, only covers breaches that are considered to affect the
security or integrity of electronic information systems most severely. In the Explanatory
Memorandum to this draft bill, DDoS attacks are not considered to have this effect and
are thus not covered by the notification duty. It is argued that DDoS attacks result in the
temporary unavailability of certain systems but do not compromise the integrity of the
systems themselves.32
To complicate matters, a breach of personal data need not be preceded by a security
incident (although, if discovered, it may be treated as an incident after the fact). A careless data
controller might, through lack of oversight or poor practices, lose or misplace personal
data, as occurred at the UK’s HM Revenue & Customs (HMRC) in 2007, when
two discs holding the personal data of 25 million UK citizens went missing in the post.
32 Ibid, p. 3.
By the time such an incident becomes known it is undoubtedly a security incident (in that
the management controls aiming to meet security objectives regarding the protection of
personal data failed).
2.2.1 Malicious incidents
The type of security incident that is perhaps most focused on is one where it is thought a
malicious actor (‘adversary’) may be involved. Adversaries may cause incidents in order to
effect some kind of consequence: either extracting information,33 or denying use of a
service to others.
Focusing on the motivation of malicious actors in perpetrating incidents, Figure 4 presents
an overview of the logic behind adversaries exploiting different kinds of vulnerability.
Figure 4: The logic of adversary-driven incidents (Source: RAND Europe)
It is difficult to determine with certainty whether an adversary is part of an organised crime
network,34 a disgruntled former employee or a nation-state.35 Furthermore, even the
definition of an attack is far from straightforward. Some security incidents need not
breach any defences to be useful from an attacker’s perspective: a port scan, for example,
lets an attacker remotely check which services are running on a particular machine.36
Armed with this information, which may include technical details (such as software names
and versions) of the computer offering such services, the attacker can then select
which methods to use and might try to target:
- the integrity of information, by breaking into networks (e.g. by exploiting known
  vulnerabilities in the software versions running on the targeted computer) to modify
  data to cause damage or disruption;
- the availability of information or information systems, by undertaking attacks such
  as DDoS attacks;
- the confidentiality of information, for example by downloading it and exploiting it
  for criminal purposes, such as identity theft and accessing bank accounts, or
  disclosing confidential information for political purposes; the target can be
  either commercially or nationally sensitive data (such as business or military
  secrets) or personal data (such as usernames, passwords, bank account
  information or credit card details).
33 It is difficult to define ‘information theft’ since, by copying information, its use is not denied to others; therefore the term
often used is ‘data exfiltration’.
34 E.g. the Russian Business Network.
35 Mandiant Intelligence Center Report, 2012.
36 See footnote 18 above.
Cyber attacks may comprise more than one security incident such as in an advanced
persistent threat like the Night Dragon series.37 Furthermore, attacks affecting or
exploiting cyber space do not necessarily need to be electronic. Many are multidisciplinary
and can employ a variety of vectors.38 We present below an overview based on analysis of
some common types:39
- DDoS: in a distributed denial of service (DDoS) attack, a large number of computers send a barrage
  of apparently legitimate requests (e.g. for web pages or another type of service) over a
  short period of time, overloading the destination server. Normally, DDoS
  attacks are carried out using a botnet: a network of compromised computers,
  usually unwittingly running software that allows them to be directed as part of such a
  network. Botnets are controlled through command and control servers. A related
  tool is Low Orbit Ion Cannon (LOIC), which participants in a coordinated attack run
  voluntarily and which can be pointed at a target manually or, in its ‘hive mind’ mode,
  steered from an IRC channel.40 An adversary (either an individual or a group of
  individuals) behind a botnet is called a ‘bot master’. A DDoS can be politically or
  ideologically motivated or, as part of a threat to extort, criminally driven.
- Advanced persistent threat (APT): this type of attack is characterised by multi-stage,
  multidisciplinary (‘advanced’) techniques over an extended (‘persistent’)
  period of time. Incidents usually include social engineering or spear phishing to
  gain access; network reconnaissance (mapping of the internal network to discover
  where services or assets are located); installation of backdoors or remote access
  tools; and then data exfiltration (unauthorised copying of data).
- Web defacement: in this type of cyber attack a website or other online service
  accessible through a web browser is defaced and the original content replaced
  (usually with a message intended to convey a particular point that the attackers
  wish to get across).
- Insider attack: this is a particularly complex form of attack, as an insider attack may
  encompass any of the other types of incident in this list. For example, an insider might try
  to escalate his or her account privileges, using knowledge of the network layout,
  in order to copy information. The defining characteristic of the insider attack is that
  the perpetrator is in some way trusted as being inside the organisation or as having
  some level of trusted role within it.
- Social engineering: although not strictly a type of cyber attack, given the huge
  quantities of information stored and accessed via cyber space, adversaries try
  to exploit as many routes as possible to get to it and achieve their objectives.
  The human factor is usually the easiest route. Kevin Mitnick, the notable computer
  hacker, remarked that 80% of his success was down to social engineering,41 a class
  of attack where an adversary tries to exploit psychological, behavioural or
  social weaknesses in order to breach security controls. A simple example is where an
  adversary calls a user pretending to be someone from the IT department and asks
  the user for their password under the guise of performing system maintenance.
- Undermining the integrity of the supply chain: a form of attack that is also not specific
  to cyber but which, because of the complex, interdependent, globalised supply chains for
  information society products and services, is particularly acute in cyber space. In
  this case, entities in the supply chain may be coerced or bribed, or may act
  against the wishes of business partners and others in the supply chain, to
  deliberately modify products and services, installing backdoors or other
  code that is not part of what they were contractually asked to deliver. This type
  of attack is particularly difficult to defend against and has similar characteristics to
  the insider threat (in that addressing it comes down to management, procedural
  and organisational measures).
37 McAfee, 2011.
38 Attack vectors (source: ENISA, 2012).
39 For a more detailed taxonomy, see ENISA, 2012b.
40 For more information, see: GCN.com, 2012, Hackers’ New Superweapon adds Firepower to DDoS, 24 October
2012, GCN.com: http://gcn.com/articles/2012/10/24/hackers-new-super-weapon-adds-firepower-to-ddos.aspx
The list above identifies incidents where attackers acting strategically might try to breach
security controls by exploiting specific vulnerabilities to cause desired consequences. There
are many other types of incident which might affect the security posture of an
organisation, including accidents, incidents arising from natural causes and incidents
caused by other phenomena.
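As an added illustration that is not part of the original briefing, the following Python example shows the detection side of the DDoS description above. It parses web-server access log lines, counts requests per second, and separates a flood from a single source (which per-IP rate limiting can stop) from a distributed flood in which every source sends little but the aggregate overloads the server, the botnet pattern the text describes. The log lines, IP addresses, dates and thresholds are constructed for the example and are not data from the briefing.

```python
"""Flagging request floods in web-server access logs.

Added example; the log lines, addresses and thresholds below are constructed
for illustration and do not come from the briefing.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return (timestamp, source_ip) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip")


def detect_floods(lines, rate_threshold=10, distributed_min=5):
    """Bucket requests per second; a bucket above rate_threshold is a flood.

    A flood from fewer than distributed_min distinct addresses is reported as
    'single-source' (per-IP rate limiting would stop it). Otherwise it is
    'distributed': no single source looks abnormal, only the aggregate does,
    which is why botnets are the usual DDoS instrument.
    """
    per_second = defaultdict(list)          # second -> list of source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # skip lines not in log format
        ts, ip = parsed
        per_second[ts.replace(microsecond=0)].append(ip)

    alerts = []
    for second in sorted(per_second):
        sources = per_second[second]
        if len(sources) <= rate_threshold:
            continue
        distinct = len(set(sources))
        alerts.append({
            "second": second.isoformat(),
            "requests": len(sources),
            "distinct_sources": distinct,
            "kind": "distributed" if distinct >= distributed_min else "single-source",
        })
    return alerts


def _line(ip, hhmmss, path="/"):
    """Build one constructed log line (the date is arbitrary)."""
    return f'{ip} - - [08/May/2013:{hhmmss} +0200] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: ordinary traffic, then a distributed burst, then a
# burst from one host, then ordinary traffic and one unparseable line.
SAMPLE_LOG = (
    [_line("203.0.113.10", "09:00:00", "/login"),
     _line("203.0.113.11", "09:00:00"),
     _line("203.0.113.12", "09:00:00", "/about")]
    + [_line(f"198.51.100.{i}", "09:00:01") for i in range(1, 13)]  # 12 bots, 1 request each
    + [_line("203.0.113.99", "09:00:02")] * 12                       # 1 host, 12 requests
    + [_line("203.0.113.10", "09:00:03", "/logout"),
       "this line is not in log format and is skipped"]
)

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the second at 09:00:01 is reported as a distributed flood (12 requests from 12 addresses) and the second at 09:00:02 as a single-source flood (12 requests from one address); the ordinary seconds are not reported. The per-IP view alone would miss the first case, which is the point of the botnet model described above.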
Table 3 lists prominent recent incidents of these types, compiled from one of the
online databases that collect data on such events.
Table 3: Examples of data breaches in the EU since October 2012 collected by
Hackmageddon (Source: Timeline master index on the Hackmageddon website42)

Date | Event | Implication
26/05/2013 | Monsanto website hacked | Whole database dumped,43 including credentials of personnel managing the website
22/05/2013 | XCount3r hacked Audi Switzerland | More than 2,000 accounts dumped
20/05/2013 | UK Toyota blog hacked | Personal information of 5,000 individuals leaked
19/05/2013 | Imperial College information system hacked | Staff and administrator accounts breached
11/05/2013 | Website of the Romanian National Authority for Qualifications hacked | Administrator and user accounts breached
08/05/2013 | Dutch government websites suffered DDoS | 10 million citizens unable to pay taxes and bills online
03/05/2013 | Anonymous Italia published 4.2 GB of e-mails from Movimento Cinque Stelle | E-mail accounts of members of parliament and senators breached
20/04/2013 | Unknown hackers hacked bluebird.pt | 4,316 member accounts and credentials dumped
15/04/2013 | Website of the German Young Liberals hacked | More than 10,000 e-mail addresses and contact details breached
06/04/2013 | Lulzsecwiki hacked HPTH UK, a charity for a rare medical condition | User accounts leaked
05/04/2013 | Polo Tecnico Giulianova hacked | Approximately 500 credentials dumped
02/04/2013 | Website of UK branch of Commonwealth Bank of Australia hacked | 1,900 encrypted passwords, accounts and full names dumped
14/03/2013 | An unnamed hacker penetrated the computers of the Polish president’s office and computers in the Ministry of Foreign Affairs |
14/03/2013 | The careers website of a Lithuanian university hacked | Names and passwords of 14,000 students dumped
27/02/2013 | Several European governments (including Czech Republic, Ireland, Portugal, Romania) and NATO targeted by malware in Adobe Systems software | Not disclosed
25/02/2013 | The database of the Hungarian police breached | More than 5,000 records published
24/02/2013 | EADS and ThyssenKrupp reported as victims of cyber espionage by Chinese firms | Not disclosed
19/02/2013 | LulzES breached the database of the Spanish film academy | Personal details of members leaked
18/02/2013 | Mandiant published a report exposing state-backed cyber espionage | Among the victims were UK, Belgian, French and Luxembourg-based companies
15/02/2013 | Website muslim-ads.co.uk hacked | IP addresses and e-mails of more than 6,000 members leaked
13/02/2013 | Website muslim-news.co.uk hacked | Personal data including phone numbers, addresses, e-mails and names of more than 1,600 users published
13/02/2013 | Ruhr University Bochum made public that it had been hacked | 50,000 students potentially affected
02/02/2013 | French Ministry of Sport breached | 100 accounts breached
02/02/2013 | French Ministry of Development breached | 800 account details leaked
02/02/2013 | Luxembourg British Chamber of Commerce website hacked | Login information leaked
01/02/2013 | Association des Anciens Eleves France hacked | Account information of 17,900 members leaked
17/01/2013 | Database of Italian Democratic Party hacked | Information of 630 members leaked
15/01/2013 | A sub-domain of the French Ministry of Defence hacked | Server details and 20+ account details
07/01/2013 | Panasonic Europe websites hacked | Complete database dumped
06/01/2013 | Association of Irish Festival associations hacked | 15,000 records dumped
04/01/2013 | Anonymous release of files from German Chamber of Commerce | 2.66 GB (approx. 5,500 files) leaked
n/a | Jewellery manufacturer of the Czech Republic and Slovakia hacked | 900 accounts of individuals with full credentials
22/12/2012 | Belgian railway company data breached | Internal error – inadvertently published 1.46 million sets of customer data online
26/12/2012 | Renault Bulgaria hacked | 7,000 accounts, including administrative accounts and passwords, leaked
24/12/2012 | German Muslim website Ihya.org hacked | 100,000 accounts leaked
21/12/2012 | For the expected end of the world, several organisations hacked and data dumped, including e-commerce and online services websites from Europe | The largest leak was of more than 2,000 accounts each from Royals Quay, UK and Leaden Hall UK
16/12/2012 | Anonymous Bulgaria took down the website of the Ministry of Finance |
11/12/2012 | UK MP David Morris website hacked and defaced |
06/12/2012 | Private document leaked from International Telecommunication Union meeting | Divulged confidential information on deep packet inspection measures
04/12/2012 | IAEA database hacked | Data from nuclear data section leaked
04/12/2012 | Swiss national security agency warned that large amounts of confidential antiterrorism data were leaked by an employee |
03/12/2012 | phisolophia.eu.org website hacked | 1,700 e-mail addresses and other text dumped
28/11/2012 | Phone numbers of several famous Spanish football players published |
28/11/2012 | Websites of several large companies redirected to hacker websites, including the Romanian websites of Google, Yahoo, Microsoft and Kaspersky |
27/11/2012 | Several retail firms hacked |
27/11/2012 | Piwik, the free web analytics tool for PHP/MySQL, hacked, planting malicious code inside the latest version of the programme |
26/11/2012 | Website of the Lithuanian police hacked | 160 e-mail addresses leaked
25/11/2012 | IAEA server hacked |
21/11/2012 | Computers in the French presidential office reported to have been victims of a US-originated targeted attack |
20/11/2012 | Man arrested over massive-scale ID theft in Greece | Theft of 9 million files including personal data, social security numbers, vehicle registration numbers etc. of Greek citizens
19/11/2012 | Complete database of Bulgarian torrent website arenabg leaked |
15/11/2012 | Danish dating website sex.dk attacked via SQL injection | 30,000 accounts and passwords published online
11/11/2012 | Anonymous hacked the Organisation for Security and Co-operation in Europe (OSCE) | 55 MB of internal documents leaked
11/11/2012 | Amazon.co.uk hacked (Amazon denies the attack) | 600 account details, names etc. and e-mail addresses dumped
10/11/2012 | Far-right organisation English Defence League hacked | E-mails and list of donors hacked
08/11/2012 | UNESCO website hacked | 60 usernames and passwords leaked
08/11/2012 | The laptops of two EU officials, Ryan Heath and Camino Manjon, apparently hacked in a hotel in Baku, Azerbaijan, during the Internet Governance Forum |
07/11/2012 | LG Hungary’s site hacked | 1,300 user credentials, names, locations, e-mails and passwords leaked
06/11/2012 | Anonymous claimed to have hacked Telecom Italia | Anonymous claimed to possess 300,000 credentials (several are dumped to substantiate the claim)
06/11/2012 | Ministry of Defence UK hacked | 3,600 user accounts and account information dumped
04/11/2012 | Anonymous claimed to have released several documents from the OSCE |
29/10/2012 | Anonymous leaked confidential documents from the Greek Ministry of Finance |
27/10/2012 | International Professional Management Association UK website hacked | More than 2,400 user names and passwords released
24/10/2012 | UK Police internal communication network hacked | More than 20 million accounts hijacked
23/10/2012 | Italian Police database hacked | 3,500 private documents leaked
15/10/2012 | WHO website hacked | Part of the database dumped

41 Mitnick, 2000.
42 http://www.hackmageddon.com
43 The term data dumping (a technique usually used in the backing up of databases) usually refers to the
publication of data and the structure of the database itself, usually in the form of SQL commands (for more
information see the definition of dump in the MySQL manual: http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html).
The term data leak usually refers to the disclosure of sensitive information (see the definition of data leaks at
Mitre.org: http://capec.mitre.org/data/definitions/118.html).
2.2.2 Accidents
Given the complexity of cyber space and the sheer size of the infrastructure, it is perhaps
unsurprising that human error is an important consideration. In fact, many argue that at
the level of the core backbone of the infrastructure, human error is a more significant
security issue than those listed above.44 Human error may encompass misconfiguration of
devices or routers45 or other infrastructure, causing local or, in extreme cases,
regional or international problems. Mistakes and misconfigurations may go unnoticed and
result in vulnerabilities that attackers can then exploit if found, for instance by accessing
the system and compromising information stored on it, by assuming control of the system
and disrupting its functioning, or by installing malicious software on its elements.
There is also the possibility of errors arising from the sheer complexity of cyber space,
which may be compounded by mistakes in configuration or may occur ‘naturally’ as a
result of systemic complexity.46 For example, routers in the backbone infrastructure consult
routing tables that tell them where to send traffic for the next hop, and these tables are
kept up to date by routers announcing and withdrawing routes to one another. When a route
is repeatedly withdrawn and re-announced (for instance because of an unstable link, a
misconfiguration, or a router overwhelmed by unusually high quantities of traffic), a condition
called ‘route flapping’ occurs: every change has to be propagated to and recomputed by other
routers, and the resulting instability can slow or interrupt traffic for end users. A domain of
research called ‘internet weather’ has developed, which investigates such issues.47
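As an added example that is not part of the briefing, the following Python simulation shows how a router recognises and contains a flapping route. It implements, in simplified form, the route flap damping mechanism of RFC 2439, which the briefing does not describe: each withdrawal adds a penalty to the prefix, the penalty decays exponentially with a fixed half-life, the prefix is suppressed (not used or propagated) once the penalty exceeds an upper threshold, and it is reused only when the penalty has decayed below a lower one. The update events, the two prefixes and the numeric defaults (penalty 1000 per flap, half-life 900 s, suppress at 2000, reuse at 750, which are the usual vendor defaults) are constructed or assumed for the example.

```python
"""Simplified BGP route flap damping (RFC 2439).

Added example; the events, prefixes and parameters are constructed for
illustration, not taken from the briefing.
"""


def damping_history(events, flap_penalty=1000.0, half_life=900.0,
                    suppress_limit=2000.0, reuse_limit=750.0):
    """Replay (time_seconds, prefix, action) events in time order.

    action is "announce" or "withdraw". Only a withdrawal counts as a flap
    here; RFC 2439 also penalises attribute changes, which this omits.
    Returns one tuple per event: (time, prefix, action, penalty, suppressed).
    """
    penalty = {}     # prefix -> (current penalty, time of last update)
    suppressed = {}  # prefix -> whether the route is currently damped
    history = []
    for t, prefix, action in sorted(events):
        p, last = penalty.get(prefix, (0.0, t))
        p *= 0.5 ** ((t - last) / half_life)   # exponential decay since last update
        if action == "withdraw":
            p += flap_penalty                   # each flap adds a fixed penalty
        penalty[prefix] = (p, t)

        state = suppressed.get(prefix, False)
        if state and p < reuse_limit:           # decayed enough: usable again
            state = False
        elif not state and p > suppress_limit:  # too unstable: stop using it
            state = True
        suppressed[prefix] = state
        history.append((t, prefix, action, round(p, 1), state))
    return history


def suppressed_at(history, prefix, t):
    """Damping state of prefix at event time t, or None if no event then."""
    for time, pfx, _action, _penalty, state in history:
        if pfx == prefix and time == t:
            return state
    return None


# Constructed update log: one stable prefix and one that flaps every 10 s.
STABLE = "192.0.2.0/24"
FLAPPY = "198.51.100.0/24"
SAMPLE_EVENTS = [
    (0, STABLE, "announce"),
    (0, FLAPPY, "announce"),
    (10, FLAPPY, "withdraw"),
    (20, FLAPPY, "announce"),
    (30, FLAPPY, "withdraw"),
    (40, FLAPPY, "announce"),
    (50, FLAPPY, "withdraw"),
    (2000, FLAPPY, "announce"),   # after ~32 quiet minutes the penalty has decayed
]

if __name__ == "__main__":
    for entry in damping_history(SAMPLE_EVENTS):
        print(entry)
```

With these parameters the flapping prefix is still accepted after its second withdrawal (penalty just under 2000) but suppressed after the third (about 2954), and is reinstated at the announcement 1,950 seconds later, by which time the penalty has decayed to about 658. The stable prefix is never penalised. Damping limits the churn the text describes, at the cost of keeping a genuinely restored route out of service until its penalty decays.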
44 These are discussed in several guidance documents, e.g. ENISA, 2012b; the German Federal Ministry of
the Interior’s guidelines on critical infrastructure protection also stress the high potential damage and rapid
dissemination of incidents caused by human error (see: Federal Ministry of the Interior, 2008).
45 E.g. the Pakistan YouTube outage: in 2008, an attempt by the Pakistani government to block access to
YouTube within the country for hosting content it perceived as anti-Islamic resulted in YouTube becoming
inaccessible around the globe for more than an hour as a result of a mistake committed by Pakistan Telecom,
whose routing announcement of a more specific route for YouTube’s address block, intended to black-hole the
site domestically, leaked to the rest of the internet (see: Gannes, 2008).
46 Incident leading to an outage that occurred in France in July 2012, where a software glitch in France Telecom’s
software used to trace mobile phones accidentally multiplied signals and resulted in a flood of signalling traffic,
eventually bringing down the network and leaving 28 million customers unable to place calls or receive text
messages (see: http://theneteconomy.wordpress.com/2012/07/11/france-seeks-influence-on-telcos-after-outage).
47 For an explanation of this phenomenon, see: Connection Management, 2013.
2.2.3 Incidents arising from natural causes (‘force majeure’)
Events in the natural environment may affect the physical elements of the internet
infrastructure resulting in security problems (e.g. loss of availability). Examples include
tsunamis, which can affect submarine cables resulting in outages,48 solar flares,49 storms
and other extreme weather conditions.
2.2.4 Other physical incidents of relevance
Major acts of terrorism, such as the attacks on the eastern seaboard of the US in 2001,
may have security implications for the availability of internet infrastructures and hence
cyber space.50
Physical accidents such as the accidental severing of undersea or underground fibre optic
cables (known as ‘backhoe failure’51) are more frequent than might be expected and,
although the internet infrastructure is designed to be resilient, can have an effect.52
Serious large scale industrial accidents such as the Deepwater Horizon disaster or
Buncefield Oil Refinery fire in the UK may result in knock-on effects on the internet
infrastructure and consequently in cyber space.53
Theft of physical elements of the internet infrastructure is also relevant. The theft of
copper wire is a major security issue for telecommunications companies: as the market
price of copper has risen and copper is used extensively in
telecommunications infrastructure, copper wire has become a target for criminals.54
48 Carter et al., 2009.
49 Sommer and Brown, 2011.
50 There has been no public analysis of the implications of other major terrorist attacks on the internet
infrastructure (such as Madrid, London or Mumbai). The report by the Committee on the Internet under Crisis
Conditions noted that the attacks in New York in 2001 did not have a noticeable effect on the backbone routing
infrastructure despite the collapse of an AT&T switching centre; rather, the high demands made on
electronic communications networks by voice calls and SMS messages (of people calling each other to see
where they were) and traffic to news websites were the more significant visible effects (see: National Research
Council of the National Academies, 2003).
51 Backhoe failure or backhoe-induced fibre failure is where a tractor or digger accidentally cuts fibre optic cables
when engaged in other work (e.g. laying new gas pipes).
52 Accidental severing of submarine cables in Cairo.
53 Deepwater Horizon oil spill: on 20 April 2010 an explosion killing 11 people and the subsequent fire on the
Deepwater Horizon oil rig operated by BP resulted in the largest oil spill recorded so far, leaking 4.1m barrels of
oil into the Gulf of Mexico. In the more than 80 days that oil flowed from the underwater well, five states were
affected, and response operations involved more than 47,000 staff and 6,870 vessels (see: National Response
Team, 2011). In the Buncefield fire on 11 December 2005 a series of explosions took place at Buncefield Oil
Storage Depot, Hemel Hempstead, Hertfordshire. 40 people were injured and significant damage occurred to
commercial and residential properties in the vicinity. The fire burned for several days, destroying most of the
site. According to the final report of the investigation into the accident, the overall cost amounted to
approximately £1 billion, comprising compensation for loss, costs to the aviation sector, the emergency
response and the costs of the investigations. The incident ultimately led to a redefinition of health and safety good
practice applying to the storage of similar materials (see Buncefield Major Incident Investigation Board, 2005).
54 The Guardian, 6 April 2011.
Finally other physical acts include vandalism of physical parts of the infrastructure.
Vandalism (the motives of which are beyond the scope of this study) might also have
effects on the availability of internet infrastructure and elements of cyber space. For
example, it has been recorded that burning rubbish bins have taken parts of the UK
telecommunications infrastructure55 offline for short periods of time.
This discussion is not wholly academic because firms report incidents in different ways and
prioritise different types of incident depending on the specific nature of their own business.
Under ENISA’s 2013 Technical Guidance (Article 13a), the reporting regime for providers
of e-communications services (mainly although not exclusively fixed or mobile telephony
and fixed or mobile internet access) defines a security incident as: ‘a breach of security
or a loss of integrity that could have an impact upon the operation of electronic
telecommunications networks and services’.56
As part of the formulation of reporting guidance, ENISA agreed with national regulatory
authorities (NRAs) to report only ‘incidents involving outage of services’.57 The Agency
identified the following root causes of incidents in 2011:58
- natural phenomena – storms, floods, heavy snowfall
- human errors – caused by errors committed by employees of the provider
- malicious attacks – caused by a cyber attack or other forms of malicious behaviour
  (e.g. cable theft)
- hardware or software failures – caused by a failure of hardware or software
- third party failures – caused by an incident or failure at a third party.
55 ZDNet, 23 October 2002.
56 ENISA, 2013a. Under a common information security understanding, integrity in this instance equates to the
term availability.
57 Therefore some forms of security incident (e.g. those that occur in cyberspace and revolve around
exfiltration of sensitive or personal data) do not fall under this scheme. This may go some way to explaining
why the incidents included are mainly of a physical nature.
58 ENISA, 2011b.
2.3 Legal basis of definitions
Table 4: Comparison of definitions of security incident, security breach and data
breach

Legislation | Definition

Security incident or event
Proposal for a NIS Directive, Article 3(4) | Any circumstance or event having an actual adverse effect on security
Directive 2009/140/EC, Article 13a(3) | Not specifically defined but identified in the context of reporting under Article 13a as: ‘a breach of security or loss of integrity that has had a significant impact on the operation of networks or services’
ENISA (2011) Reporting Major Security Incidents – Implementation of Article 13a, Technical Guideline on Incident Reporting | An event which can cause a breach of security or a loss of integrity of electronic communication networks or services. Reportable incident: a breach of security or a loss of integrity that has a significant impact on the operation of electronic telecommunications networks and services
ISO/IEC Standard 27005:2008 | [Security event] An identified occurrence of a system, service or network state indicating a possible breach of IS policy or failure of safeguards, or a previously unknown situation that may be security relevant. [Security incident] A single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security
US-CERT | The act of violating an explicit or implied security policy
US Committee on National Security Systems | Assessed occurrence having actual or potentially adverse effects on an information system
US NIST Computer Security Incident Handling Guide | [Adverse events] Events with a negative consequence, such as system crashes, packet floods, unauthorised use of system privileges, unauthorised access to sensitive data, and execution of malware that destroys data
US proposed legal definitions: proposed bill from 2013 on Coordination of Federal Information Security Policy, which proposes a definition of an incident in Section 332 of Title 44 of the US Code | ‘An occurrence that (A) actually or imminently jeopardises without lawful authority the integrity, confidentiality or availability of an information system or the information that system controls, processes, stores or transmits; or (B) constitutes a violation or imminent threat of violation of law, security’
RFC 2350 Guide | Any adverse event which compromises some aspect of computer or network security
JP-CERT | Human manipulation related to computer security; abuse of resources, denial of service, breaking data, information leakage

Security breach
Proposal for a NIS Directive | No clear definition exists in legislation; interpretation based on the proposal for a NIS Directive, Article 3(2): a security breach is present when a provider has breached its security duties as obliged by the Directive
Article 4 of the e-Privacy Directive 2002/58/EC, as amended by the 2009 EU legislative framework on electronic communications | ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community’
Article 15 of the Trust Services Regulation | Not specifically defined but identified in the context of reporting under Article 15(2) as a ‘breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein’
US Defence Industrial Base Pilot Guidance | Any circumstance or event with the potential to adversely impact organisation operations (including mission, functions, image, or reputation), organisation assets, individuals, other organisations, or the nation through an information system via unauthorised access, destruction, disclosure, modification of information and/or denial of service

Data breach
Articles 30, 31 and 32 of the proposed data protection regulation | ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’
US Health Insurance Portability and Accountability Act | An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual
2.3.1 Security incident
Of the three terms ‘security incident’, ‘security breach’ and ‘data breach’, the first one is
the only one defined in the NIS Directive. As we have seen, Article 3(4) defines incident as
‘any circumstance or event having an actual adverse effect on security’. This is a broad
definition. In paragraph 3 of Article 13a of Directive 2009/140/EC the term ‘incident’ is not
used, but the term notification duty is introduced for ‘a breach of security or loss of
integrity that has had a significant impact on the operation of networks or services’. ENISA
does define ‘incidents’ and ‘reportable incidents’ in its non-legally-binding Technical
Guideline on Reporting Incidents:
- Incident is herein defined as an event which can cause a breach of
  security or a loss of integrity of electronic communication networks or
  services.
- Reportable Incident: A breach of security or a loss of integrity that has a
  significant impact on the operation of electronic telecommunications
  networks and services.59
ENISA’s definition of a reportable incident is thus similar to the definition of a security
breach for which the notification duty in Directive 2009/140/EC applies. The only difference
is in the absence of the word ‘had’ in the ENISA definition. This has no direct influence on
the definition, but rather on the moment at which a notification is required. The wording of
the Directive leaves some room for notifying afterwards, while the ENISA definition requires
immediate notification once an incident takes place.
The essential element is that there has to be an impact on the security of the core services
(significant impact on the operation) provided. This makes it possible to place the other two
terms in perspective as sub-categories.
2.3.2 Security breach
A security breach occurs when a provider has failed to meet the security obligations imposed
on it by the Directive. By analogy, on the basis of the Data Protection Directive60 or the e-Privacy
Directive, companies should apply sufficient technical and organisational measures to
guarantee the security of the data they process. If these measures are not taken, or are
insufficient, a security breach takes place, regardless of whether any data are actually lost.
Such a breach can take the form of the installation of malicious software (even if it is never
activated) or a DDoS attack.
A clear definition of security breach is not present in legal texts, however. Directive
2002/58/EC (the e-Privacy Directive) mentions the risk of a breach of security in Article
4(2) and Recital 20. The service providers should notify the subscribers of their services
about these risks. Thus the security breach is linked to a certain risk. A broader
introduction of data breach notification duties came with Directive 2009/136/EC, which
amended the e-Privacy Directive, but definitions are still not included.
The Article 29 Working Party has found that Member States have been following closely the
core elements of the personal data breach provisions in the e-Privacy Directive, including
definitions and thresholds. Accordingly,
It is expected that competent national authorities and relevant actors will
increasingly rely on these concepts to deal with personal data breaches. In the
next years, these concepts and procedures will therefore ‘solidify’ across EU
Member States.

Therefore, the level of granularity and preciseness of definitions in EU legislation can have
repercussions on the conceptual frameworks adopted at the Member State level as well.61
The absence of a general security breach notification duty has led to a patchwork of
national legislations, with two basic flavours: notification is required either to the supervisory
authorities or to the individuals that may be affected by the security breach.62

59 Ibid, pg 8.
60 See article 30 of European Parliament & the Council, 2012.
2.3.3 Data breach
A data breach takes place when there is any impact related to the data themselves, such as
the data being lost or illegitimately accessed, and not only related to the security of the
system. These data do not necessarily have to be personal data. When personal data are
involved the breach is a ‘personal data breach’, which is defined in Article 4(9) of the
proposal for a general data protection regulation: ‘personal data breach means a breach of
security leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or otherwise processed’. Once
the regulation is in place as the general legal framework concerning personal data
protection, this definition can be applied to the NIS Directive as well.
2.4 Generalising comparisons between cyber attacks and the real
world
As we have seen, understanding technical security incidents can be complex even for
experts. Table 5 provides a generalised analysis of close comparators from the real world to
some of the phenomena discussed above.
Table 5 Generalised comparisons between cyber attacks and real world incidents
(Source: RAND Europe)

Cyber-security incident | Broad non-cyber equivalent
Phishing is like… | Theft of your wallet
Identity theft is like… | Theft of your bank statements from a rubbish bin
Distributed denial of service is like… | Barricading the doors to a business or bank
Web defacement is like… | Graffiti on the front of a shop
Attacks against critical infrastructure are like… | Covertly sabotaging infrastructure (e.g. physically interfering with control systems)
Hacking or network penetration is like… | Covertly breaking into a business or organisation to go through offices and filing cabinets
Hacking or network penetration into a bank is like… | A bank robbery
An advanced persistent threat is like… | A complex extended campaign of trickery, deception, espionage, break-ins and going through offices and filing cabinets
Personal data breaches are like… | Filing cabinets or drawers full of data about citizens or customers being lost or stolen

61 Article 29 Working party, 2011, p. 32.
62 Kuner and Pateraki, 2012.
2.5 Conclusions
This chapter has outlined the range of definitions applying to the categories of attack,
security incident and data breach based on definitions from ISO, policy documents and the
legal framework. Consistent and unambiguous definitions across legislative instruments are
often lacking.
Incidents can have a variety of root causes, including malicious attacks and accidents.
These include environmental conditions, such as storms or floods, human error, malicious
intent, hardware or software failure, and third party failure.
An information security incident can be classed as a breach when it compromises certain
perimeter-based security controls, or leaves them in a compromised state. The term
'breach' implies the penetration of a barrier or some other form of protection mechanism,
as in the transfer of information from a trusted to an untrusted environment.
A data breach takes place when there is an impact related to data (in the sense of personal
data) itself, such as data being lost or illegitimately accessed, and effects do not only have
repercussions on the security of the system. Under the proposed data protection regulation,
'personal data breach' means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed.
3 WHO IS AFFECTED AND WHERE? THE SCALE AND
TRENDS OF SECURITY INCIDENTS AND BREACHES
KEY FINDINGS
- No common framework exists under which security incident or breach data is
  collected.
- Different actors in the public and private sector collect and compile incident reports.
- Incident reporting is shaped by structural biases (selection bias, reluctance to disclose),
  and the number of reported incidents is generally acknowledged to be smaller than the
  number of actual incidents.
- The trend appears to suggest that incidents are increasing, but the rate of increase is
  uncertain.
- There is nothing to suggest that Europe is any more or less secure than other
  comparators such as the US or Japan.
- It is difficult to determine the effect of policy interventions on incident trends.
- Based on conservative estimates and available Eurostat data, the total minimum
  direct costs for all types of security incident (including hardware and software
  failure) affecting companies is 0.004% of GDP and for other countries 0.061% of
  GDP.
- At EU level, the estimated minimum total cost to SMEs was €2.3bn, or 0.017% of
  EU GDP.
Although systematic comparable data sources covering the EU63 are hard to come by, there
are several proxies that can help us gain an understanding of the distribution and
frequency of information security and data breaches in Europe. Table 3 in Chapter 2
illustrates recent examples of such breaches. In this chapter we present the available data
by different types of evidence; a wide variety of biases should be kept in mind.
Data usually include the counts, sizes or losses due to incidents, but none of these
indicators can tell us much on its own: all three are needed to attempt to
understand the equilibrium between attackers and defenders.
Table 6 summarises the available data sources and their respective strengths and
weaknesses in providing an evidence base for decisions.
Table 6 Overview of available data sources

Source type | Examples | Strengths | Weaknesses
Anecdotal evidence | Datalossdb.org; Hackmageddon.com; Shadowserver.org64 | Detailed information on individual breaches; often the only source of information on breaches; can help contextualise and illustrate trends | Unfit as a basis for analysis; data collection relies on publicly available reports
Industry statistics | UK Information Security Breach Survey (ISBS)65; publications by organisations such as Club de la Sécurité de l'Information Français (CLUSIF), CLUSIT,66 etc. | Often the only data source on the industry perspective | Lack of common frameworks for reporting; data limited by awareness or propensity of companies to disclose incidents
Official statistics | Eurostat, Eurobarometer, reports from national or governmental CERTs, ENISA | Robust and presumably bias-free reporting; many databases cover all EU MS | Limited availability of indicators; lack of common definitions for CERT reporting
Information security companies | Microsoft Security Intelligence Reports67; Symantec Internet Security Threat Reports68 | Automated data collection not dependent on awareness or propensity of targets to report; wide coverage (according to market share) | Misaligned incentives: cyber-security companies have an interest in framing threats in a way that supports demand for their products; data collection depends on market share of the individual company

63 Noting Croatia joined the EU on 1 July 2013, thus making 28 Member States.
64 Data loss db, Open security foundation (http://Datalossdb.org); Hackmageddon Website, publishing cyber attack timelines (http://Hackmageddon.com); Shadow Server Foundation (http://Shadowserver.org).
3.1 Collection of data on incidents
3.1.1 Anecdotal evidence
Systematic reviews of available open-source information (such as those reported by the
media and entities such as datalossdb.org) can give some evidence on the landscape of
breaches in a country. However, the validity of aggregative or comparative analyses on the
nature, sector breakdown and magnitude of breaches based on these sources is
constrained by biases and a lack of uniform standards for reporting incidents. Most of the
reported attacks noted in Table 3 were targeted at high-profile institutions and companies
with the implicit aim of publicity, in addition to a few instances of internal error or other
sources that were reported on these lists. This illustrates that such anecdotally derived
compilations are subject to significant selection bias as media outlets base their choice of
incidents to report on their access to suitable corroborating detail and level of interest to
their audience. Similarly, reports to online databases depend on the willingness of affected
or detecting entities to share the information (companies are understandably reluctant to
disclose information about incidents), those reporters’ ability accurately to describe the
events and the consistency of their reports.
65 E.g. BIS, 2013.
66 E.g. CLUSIT, 2012.
67 E.g. Microsoft, 2012.
68 E.g. Symantec, 2013.
3.1.2 Evidence from the industry: surveys and other empirical data
Associations and clubs of information security professionals in some EU Member States69
have been conducting annual surveys of the frequency of breaches and different types of
incidents for some years.
Italy’s CLUSIT is an example of such an effort. Figures 5, 6 and 7 illustrate the frequency
and sectoral breakdown of incidents in Italy in 2011 and 2012.70 The figures show that the
public sector accounted for the largest proportion of publicly reported breaches in both
years for which the information has been synthesised. However, this picture is likely to be
at least partially the result of the above-mentioned selection bias, as public sector breaches
and high visibility cases (in particular a series of defacement attacks targeting political
parties in 2011) often attract more media attention and thus are likely to be over-reported
in comparison with breaches in industry sectors.
Figure 5 The number of incidents in Italy (Source: CLUSIT)
69 For a full list of these ‘Information Security Clubs’ see the CLUSIF website: http://www.clusif.fr/fr/clusi/
70 See the CLUSIT website: http://www.clusit.it
Figure 6 Sector breakdown of targets in Italy in 2012 (Source: CLUSIT)
Figure 7 shows the segmentation of targeted organisations by sector in 2011, according to the
CLUSIT data for that year.
Figure 7 Targets by sector in Italy in 2011 (Source: CLUSIT)
There is longitudinal survey data for only a few European countries. For example, the
annual Information Security Breaches Survey (ISBS) commissioned by the UK Department for
Business, Innovation and Skills (BIS), compiled by approximately between 50...