ENISA's Enhanced Cybersecurity RoleAgency's Steve Purser on Greater Scope, 'Proactive' Impact
The European parliament recently voted to extend and strengthen ENISA. With this new endorsement, the agency is expected to play a significant role in top cybersecurity initiatives across the EU, says the agency's Steve Purser.
ENISA has been granted a new seven-year mandate. With it, the agency is expected to play a large role in the implementation of the EU Cybersecurity Strategy adopted by the European Commission in January.
Purser, head of operations for ENISA, says the new mandate provides ENISA with greater scope, flexibility and focus.
"The new mandate gives us a much more proactive role," he says in an interview with Information Security Media Group [transcript below].
"Whereas in the old mandate we simply had a role of tracking the developments of standards in the area of network and information security, now we have a role in facilitating the establishment of technical standards."
The mandate also enables greater cooperation between ENISA and other organizations, such as the European Cybercrime Centre.
"This is one of the mechanisms we use to align our work and to make sure that the fight against cybercrime is very much aligned with what ENISA is doing in terms of increasing preparedness," Purser says.
ENISA maintains a preparatory role when it comes to cybersecurity, Purser says, not response. "We're like a catalyst in a way," he says. "Our aim is to bring existing groups together, to get them working on problems that are important to today's policy agenda. And once these groups are working together smoothly, then we drop out of the equation and move on to something else."
In an interview about ENISA's growing influence on European cybersecurity matters, Purser discusses:
- The European parliament vote to strengthen ENISA;
- Key components of the EU's cybersecurity strategy;
- How the agency helps organizations mitigate emerging threats.
Purser was born in the UK and attended the universities of Bristol and East Anglia, where he obtained a BSc in chemistry and a PhD in chemical physics, respectively. He started work in 1985 in the area of software development, subsequently progressing to project management and consultancy roles. From 1993 to 2008, he occupied the role of information security manager for a number of companies in the financial sector. He joined ENISA in December 2008 as head of the technical department and is currently responsible for all operational activities of ENISA.
Purser is co-founder of the 'Club de SecuritÃ© des SystÃ¨mes Informatiques au Luxembourg' (CLUSSIL) and is currently the ENISA representative on the ISO SC 27 working group. He frequently publishes articles and is the author of 'A Practical Guide to Managing Information Security' (Artech House, 2004).
Role with ENISA
TOM FIELD: You were telling me you've got a new role since the beginning of the year. Why don't you explain your role with ENISA to us, please?
STEVE PURSER: When I say it's a new role, to be quite honest, it's a continuation more or less of what I've been doing since I joined the agency in 2008. Broadly speaking, I'm responsible for the operational activities of ENISA. The only part I would say in the work program that's not in my area is what we call research, which is basically desk-based Internet researching, which is done in our office.
But before I answer too much, let me explain who the European Network and Information Security Agency is in a few words. We are what's known as a regulatory agency. That having been said, we work very closely with particularly the European Commission, and other European bodies, to make sure that we're well coordinated in our approach. We're a center of expertise that supports the Commission and EU member states in the whole area of information security, so it's quite a vast subject area. One of the things we have to do is to be able to focus strongly and to make sure that we're doing work where it's at maximum value.
Last but not least, as an agency we facilitate the exchange of information between EU institutions - public sector and private sector - and we're quite unique in that fact that we have in our core mandate this role of bridging the public and private sector, which is particularly important I think in information security.
My role consists of essentially three things. I help the executive director in defining the annual work program by bringing together stakeholders, capturing their requirements and getting them to converge on a work program which everyone agrees with. Secondly, it's my department which actually executes the biggest part of the work program, actually implementing it. Finally, I also have a role in generally talking to stakeholders and making sure that the agency is satisfying their requirements and expectations.
FIELD: That's a fine overview, and it's timely as well. I note that this week the European Parliament approved a regulation that's designed to help strengthen ENISA. I wonder if you might describe for us the details of that regulation and how it's going to help your agency enhance its role in cybersecurity.
PURSER: Let's start off with what the agency does not do, because this is a note of confusion, particularly outside Europe. ENISA does not have any response role. We're entirely in the area of preparation, and to capture what we do very succinctly we work together with public sector and private sector to create what I would call a strong and effective community for dealing with information security. The way we do that is we're like a capitalist in a way. Our aim is to bring existing groups together, to get them working on problems which are important in today's policy agenda, and once these groups are working together smoothly then we go back to the equation and we move on to something else.
Because we're dealing with 27 member states, the challenge is to make sure that we don't reinvent the wheel and that we get the maximum potential out of all those security engineers, managers and all the profiles that need to be involved, and that we make the most of our existing resources.
Now when you ask about the new mandates, we have just had a new mandate. It's a very positive thing because the new mandate gives ENISA a lot more scope for increasing its impact. It gives greater flexibility. It gives a lot more adaptability, I would say, and it gives us the capability to focus. Now these are all rather high-level terms, but one of the problems in describing the new mandate is it's a very detailed document and a lot of it is in the fine print.
If you compare the current mandate against the one that's being agreed upon at the moment and which will certainly go through, the wording is much better. We have, for instance, some things which are simply more explicit. Let me give you an example of that. Within the new mandate, we specifically mention capability building, which is very important for today's agenda of information security, and we explicitly mention things like pan-European cybersecurity exercises, which is our equivalent of what you would call Cyber Storm.
The new mandate gives us a much more proactive role. Let me give you an example. Whereas in the old mandates we simply had a role of tracking the developments of standards in the area of network and information security, now we have a role of facilitating the establishment in technical standards. It's an entirely different approach where ENISA is really part of the motor to get standards going, rather than simply taking a more passive role and looking at where the problems may be.
We also have a much broader role in terms of cooperation with other bodies. We actually have an interface with the fight against cybercrime, which is also new. Now we have a lot more liaison with the new European Cybercrime Centre which is in The Hague. I, for instance, have been designated by the executive director to sit on their program board, and this is one of the mechanisms we use to align our work and to make sure that the fight against cybercrime is very much aligned with what ENISA is doing in terms of increasing preparedness, making sure that critical information infrastructure is protected correctly, etc.
After that, two other things the new mandate brings [is] a simplification of procedures which should help us run our operations a lot more efficiently, and it's foreseen that there will be a greater increase of the agency's financial and human resources, which I think is appropriate. The cybersecurity challenge is one of the most fundamental challenges we have today. Almost everything we do involves computing infrastructure. This I think is a good sign.
Key Components of EU Cybersecurity Strategy
FIELD: You've done a good job talking about how ENISA supports the EU cybersecurity strategy. Can you describe for us what some of the key components of that strategy are?
PURSER: Yes, I certainly can. If you take the cybersecurity structures, basically it starts with a set of principles; nothing new here. The EU has always conducted its business on the basis of principles. More interesting, I think, is that in the strategy you find five strategic priorities. What are they? The first one is achieving cyber resilience. This is essentially making sure that we protect critical information infrastructure and networking structures in general appropriately. The second objective is drastically reducing cybercrime. This is different because here we put the emphasis much more on the perpetrators and the idea that we need to catch the people that are affecting the systems in the first place. The third objective is to develop cyberdefense policy and capabilities. The fourth objective is to develop industrial and technical resources. The last objective of the strategy is to establish a coherent international cyberspace policy for the EU.
Now if you take those five points - which cover very well what we need to be doing in information security; they cover what I would call the open-market aspects; they cover the military and defense aspects - ENISA has an explicit role in two of them, which is achieving cyber resilience and developing industry and technological resources, because, as I explained to you earlier, we have a very strong background in this, so it's more of a natural continuation of what we've been doing. We also have a secondary, or indirect, role in two others, so we're certainly and directly involved in reducing cybercrime through our relationship with the Euro Cybercrime Centre. Incidentally, there's a document which exists called the Internal Security Strategy which defines even better what ENISA is doing in this area. We're also indirectly involved in the international aspect of this thing, establishing a coherent international cyberspace policy.
Let me just explain very briefly how we distinguish ourselves from all the other institutions and bodies. A nice way to think about ENISA's work is the commission is essentially a legislative and policy-producing body. They concentrate much more on the higher level strategic aspects and then they still have a big input into this. Where we come into this process is that we make sure that the policy and strategy is based on solid operational experience and that we don't invent policy that's incompatible with what industry requires or is economically inefficient.
ENISA is a bit at the other end of the scale. We like to get our hands dirty. We're very much into implementation scenarios and operations, and I think probably the best way to describe it is we work very closely with industry and the public sector to try and define what are currently best practices or good ways of doing things, and make sure that the information is [spread] quickly to other communities so that we don't have any inefficiencies within the market and people are helping each other and learning from each other.
Top Cybersecurity Threats
FIELD: We're [half way] way through 2013. What would you say have emerged as some of the most important cybersecurity threats in the EU this year?
PURSER: If you permit, let me take a slightly more global view of that because I don't have the figures for this quarter in front of me. But let me mention several things. First of all, please encourage your audience to go to our website. It's totally free, being a public institution, and it contains a lot of what I think is very helpful material, ranging from high-level policy material right down to very technical material. An example of this would be the work we did with the Cloud Security Alliance where we put together a quick and efficient methodology for evaluating cloud providers against the number of security requirements.
Now why do I say that? One of the things you'll find on our web portal is a recent document from last year which we call the ENISA Threat Landscape. This we will do on an annual basis and the idea is not that we carry out the risk assessment - because my team is only 30 people strong, and the whole agency is only 60 people strong - we use the same mechanisms that I told you about at the beginning of this interview; we work very strongly with the communities out there. In this particular case, we look at all the global risk analysis and threat analysis that we can find, and we try to, if you like, extract what are the key threats for our stakeholder communities, which is mainly in the area of large industry or major network providers, etc. We [have] top-ten threats and top ten ways of dealing with it. Let me tell you a bit about this. We did this exercise. We had over 120 recent reports from a variety of resources that we looked at - target groups who are essentially decision makers, security professionals, risk managers and pretty much any other interested individuals in the security community. I won't bore you with the method. I will just cut to the chase and tell you essentially what the major findings were.
In terms of the top threats for last year, we came up with a list. Top of the list is drive-by exploits. This is essentially malicious code which exploits browser vulnerabilities. The idea is if you go unwittingly to a dangerous website, you can download this stuff without even knowing about it. There's a lot of this going on. Worms and trojans continue to be a very big source of worry. They're pretty much second on the list, used for economic purposes these days; for making money associated with botnets, etc. A lot of code injection, exploit-kits and botnets are still up there. Excuse me if I'm using technical terms here.
Denial-of-service is still up there. This is blocking the service of servers so the users cannot use it, and we've seen recent evidence of this. For instance, in the banking sector over the last few days within Europe, I think this will continue to be a trend. Phishing - I'm sure you know about this - is social engineering techniques to gather personal details; compromising confidential information. ...
This is the list. What I would say about this is there's nothing really particularly new in the keywords, but it's very important to look at the ways these things are evolving within their own areas. One very good example of this would be when Stuxnet came out. There was nothing really surprising about Stuxnet in terms of technology evolution or what it could do. It was very capable but we could have predicted that. What was really surprising about Stuxnet was its target, because suddenly instead of causing loss of money and economic inefficiencies, we're now talking about potential loss of life. Stuxnet was attacking industrial control systems. This is very indicative of the way we need to approach the threat environment. It's good to collect data and it's good to analyze it, but we need to be constantly aware and ready to react to these sorts of black-swan events, which are events which really make the paradigm shift in the security landscape. You can't predict them, but you can make yourself ready for them by having robust security procedures and, I would say, security staff, making sure that they're well aware and able to recognize signs of change.
Mitigating Emerging Threats
FIELD: You talked about the drive-by exploits that organizations are facing. Certainly malware is causing fraud and, as you mentioned, there are European institutions that are now suffering DDoS. Given the threat landscape, what advice do you have for organizations as they navigate through this tricky and evolving landscape?
PURSER: As I've said before, it's very important to understand what this data gives us. It only has a limited predictive power and this has been shown in the past. There will always, I believe, be these big events which totally revolutionize the way we do things. This is not necessarily bad news. I think it's important to follow what's happening in the threat landscape. I think it's important to keep the whole security process fine-tuned, and that requires constant monitoring of what's happening; but it also includes keeping a component in that process which allows you to react to the surprising event.
Now you may say that's a contradiction in terms. How can you react to something that you don't know what it is? I think you can do that by teaching people to recognize when things are going wrong or recognize when things are not normal and react appropriately. This is one of the key features that distinguishes a good security process, because it's there where we learn big things from apparently small events. This is the first piece of advice I would give.
When dealing with threat data, let me just read what we put in the threat report, because I think this is also good advice for everyone who deals with this on a day-to-day basis. We think that people should collect and develop better evidence about attack vectors in general. The data is not as good as it should be, and the better the data is, the better we understand what's going on. We should collect and develop better evidence about the impact achieved by adversaries as well. What really happened? What was the scope of the damage? How did it happen?
We need to get more quality information about the threat agents. Who are we dealing with? Everyone recognizes that the old image of the hacker [is someone] smoking cigarettes in a loft somewhere and staying up to five in the morning. This is absolutely not true. It's much more organized crime. It's a very efficient network out there that we're fighting against and this needs to be recognized. I think that we need to understand this network even better.
I think it would be good to encourage a common terminology within threat reports so that, when we compare different threat reports, we know we're talking about the same things. This is good advice for people reading them as well. Different terminologies can hide common sources of problems. When reading threat reports, you really need to be careful in how you interpret some of the jargon. ... We should develop use cases for threat landscapes and, in general, we need to perform a shift in security controls to accommodate emerging threat trends. In other words, we need to be looking continually ahead to the way new technology and new business models are affecting our processes and we need to be, I think, much more practical in trying to get the controls into our environment way before these things become everyday practice.
It's easy for me to sit down there and say that, but I was a chief information security officer for many years, so I do recognize the magnitude of the task. But the bottom line is we have to do it.