09 Dec 2009
The House of Lords questioned two security firms today on the technical measures needed to protect nations against cyber-attacks and IT infrastructure failure.
The meeting was held in response to Critical Information Infrastructure Protection, a report published earlier this year by the European Commission (EC) on the danger to Europe from large-scale cyber-attacks.
The House of Lords EU Sub Committee said it wanted to see whether the recommendations made by the EC were realistic.
Symantec director of government relations, Ilias Chantzos, and Arbor Networks security research manager, Dr Jose Nazario, said the recommendations were a good start but did not go far enough.
“The report has had an impact but it needs to be followed through,” said Chantzos.
Nazario said the report's recommendations were a good foundation but were “too vague in places” and “incomplete”.
In its report, the EC called for more co-operation between countries to guard against attacks on electronic communication services such as the one that hit Estonia, Lithuania and Georgia in 2007.
The report also called for public and private agencies to work together to ensure there are consistent measures for prevention, detection and recovery in all member states.
Chantzos said a framework needs to be established before private companies can collaborate with the public sector to set up a protective infrastructure.
He recommended the framework should facilitate information exchange between security companies, build trust and provide financial assistance.
The framework should also lift legal obstacles that may hinder collaboration, such as those relating to data protection legislation, and anti-trust policies that limit how much similar companies can work together, he said.
Chantzos said more countries could consider adopting data retention laws similar to those that exist in the UK. He said that because cyber-attacks now focus more on stealing information than on denial of service, retaining data is key to prevention as it provides a forensic trail.
When the Lords Committee asked Chantzos how much more money governments need to commit to combat critical system failures, he said investment should correlate to risk.
As an example, Chantzos cited an incident off the coast of West Africa in which a ship dropped its anchor on an undersea cable, cutting online operations from African states.
Chantzos argued that because incidents such as this occur so infrequently (once every 30 years or so), the question legal bodies need to ask is whether it is worth spending a large amount of European taxpayers’ money on a back-up cable.
The Lords Committee also asked the security firms whether the EU should have a role in combating cyber-attacks or whether this responsibility should lie with national governments across the world, since cyber-attacks were multinational problems that affect China and the US as much as Europe.
Chantzos and Nazario both agreed that the EU does have a role in bringing all member states up to the same level of security but that the whole world needs to be involved in developing a response to cyber-threats in order for the approach to work.