Article 13a requires member states to provide ENISA and the European Commission with annual reports on major outages. The first summary incident reports for 2011 were sent to ENISA in May 2012. Many of the member states only finalized their own internal reporting schemes towards the end of 2011, meaning that only 11 countries contributed and only 51 incidents were reported. ENISA expects these figures to improve in the next annual report: “This year, the Member States have more mature national incident reporting schemes. So next year we expect to publish an annual report with about 10 times more incidents”, comment the report authors Marnix Dekker and Christoffer Karsberg.
It is an important step towards gaining an overview of cyber security in the EU. “We are now, for the first time, equipped with an overview of major cyber incidents in Europe. This is a decisive moment for the EU’s efforts to improve understanding of the impact of cyber security incidents,” suggests Professor Udo Hulmbrecht, ENISA’s executive director. Nevertheless, this first report is of only limited value – something that ENISA clearly recognizes. “But this still deals with only a small subset of cyber security incidents,” he continued. “This type of reporting should be extended to cover a wider range of incidents and more sectors.”
The reality is that this report does not provide an overview of cyber incidents – it provides a somewhat skewed view of some incidents affecting telecom service providers in some of the countries. For example, the national reporting requirements are currently based on a percentage of users affected. Smaller providers with a smaller number of users thus have to report incidents that would fall under the threshold for larger nations. This is something the authors recognize and hope will change in the future. “Large countries report few incidents, while small countries have to report many (smaller incidents). Absolute numbers for reporting should be introduced,” says the report.
From an information security point of view it is very noticeable that few incidents are down to malicious cyber attack – ‘acts of god’ and hardware/software failure (and perhaps the malicious former employee who set fire to a switching system) are the primary cause of outages. This could imply that cyber attacks by outsiders in Europe is not as serious as we are otherwise led to believe – but of course this report covers only the telecom provider sector which is not a mainstream target for hackers. Telecom users rather than providers are hackers' primary target.
ENISA is well aware that a true overview of cyber incidents in Europe will require a far more complete reporting regime for all sectors across all of Europe. ENISA hopes and expects that this will emerge from the EC’s forthcoming European cyber security strategy. In the meantime, this current report has provided a perfect pilot scheme to learn how reporting should be done in the future.