European Union member states have adopted a new Europol emergency response protocol for law enforcement agencies to handle major cross-border cybersecurity attacks.
The EU Law Enforcement Emergency Response Protocol, which is part of the EU Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises, calls for faster detection and threat classification aimed at mitigating and confining cybersecurity events. “An attack with repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable,” the law enforcement agency said.
Apparently, the WannaCry and NotPetya cyber-attacks showed the EU that incident-driven and reactive responses weren’t going to get the job done against evolving cybercriminal operations. Now law enforcement is the lead dog: The Protocol gives a central role to Europol’s European Cybercrime Center (EC3).
“It is of critical importance that we increase cyber preparedness in order to protect the EU and its citizens from large scale cyber-attacks,” said Wil van Gemert, Europol deputy executive director of operations. “Law enforcement plays a vital role in the emergency response to reduce the number of victims affected and to preserve the necessary evidence to bring to justice the ones who are responsible for the attack.”
In addition to spelling out the procedures, roles and responsibilities of key players, the protocol centers on information sharing and collaboration in the event of a major cross-border cyber-attack, including:
- Securing communication channels and 24/7 contact points for the exchange of critical information.
- Providing a mechanism for overall coordination and conflict reduction.
- Complementing existing EU crisis management mechanisms by streamlining transnational activities and facilitating collaboration with relevant EU and international players.
- Facilitating collaboration with the network and information security community and relevant private sector partners.
The protocol is a multi-stakeholder process and includes seven possible core stages:
- Early detection and identification of a major cyber attack.
- Threat classification.
- Emergency response coordination center.
- Early warning notification.
- Law enforcement operational action plan.
- Investigation and multi-layered analysis.
- Emergency response protocol closure.
One European security expert early to weigh in on the new protocol said it will have far-reaching implications for EU cybersecurity law enforcement. The details still remain to be worked out, however. For example, any enterprise or law enforcement agency involved in “detecting, responding to or analyzing a cross-border cyber-attack” may be asked to work with or provide information to , said Dario Forte, chief executive of DFLabs, a Milan, Italy-based security orchestration, automation and response solution provider.
“It is not yet clear exactly how the EC3 will be providing notifications,” said Forte. “U.S. companies doing business in the EU or storing data on EU citizens should ensure that they have established relationships with the law enforcement agencies for the jurisdictions in which they are located, as this will likely be the most efficient way to work with the EC3.”