It’s not just the CIA that needs to worry about hackers. European banks are now at the centre of the fight against cybercrime, and they are facing a formidable foe. Udo Helmbrecht, executive director of ENISA, talks to Christian Doherty about the most effective methods of defence.
Proof of the security threat facing European banks comes from the most recent 'State of cybercrime' report from security company Symantec, which reported that cybercrime now costs the world $388 billion annually.
Of that, $114 billion comes through the direct cash cost of online fraud, and the remainder through the indirect costs of dealing with its consequences. To put it in perspective, that figure dwarves the black market in marijuana, cocaine and heroin combined.
But Udo Helmbrecht, chief executive of the European Network and Information Security Agency (ENISA), believes that, while the 'threat landscape' may not show signs of abating, the strides being made by companies and governments in confronting the threat are heartening.
"It's going to be a busy few years, for sure, but we're always confident that we're fighting a winning battle," he says.
Awareness is high
Helmbrecht is well placed to judge where to be next in the fight against cybercrime. ENISA has been working with banks and other critical institutions to develop tools to tackle the threats. And he's encouraged by the fact that overall levels of awareness both within banking and beyond have increased significantly in recent years.
"In general, we can see there is more awareness from a political viewpoint, with commissioner [Neelie] Kroes pushing this at EU level," he continues. "And as a result of our activities, IT security is getting more support."
And where does banking fit into this? "On one hand, banks have done a lot in this area," he says. "For instance, in online banking and the improvements there, and with some banks you have mobiles working well; lots of things have improved over the past few years, but that's not the same with every bank."
This last comment hints at the fears held by some that, as a result of the past four years of severe financial difficulty, banks in some parts of Europe have taken their eye off the ball when it comes to cybersecurity. And while Helmbrecht is reluctant to name those that may have fallen behind in the battle against the growing threat, he clearly sees the whole sector as being on the front line.
Changing threats
So how has the threat landscape evolved? "It certainly has changed and become more sophisticated," says Helmbrecht. "If you go back five years, we were talking about viruses; then it was Trojan horses; then came botnets, which are still a problem despite efforts to find a solution and track the people behind them.
"Then last year we had Stuxnet [where a nuclear power plant in Iran was targeted with malware], which was the first time critical infrastructure was attacked, and I think that showed that professional efforts were going into these kinds of attacks. It was certainly sophisticated."
Listening to Helmbrecht's diagnosis of the current threat levels leaves little doubt that governments and institutions will have to focus on this issue in greater depth as the sophistication of cybercriminals grows daily. And while he is at pains to avoid scaremongering, he is at the same time clear that banks and other bodies need to develop new solutions to combat what are essentially age-old problems.
"From a technical perspective, of course these things change, but if you look at it in general, it's human behaviour, and that doesn't change," he says. "Take banking - you used to have people holding up banks with pistols, and that led to security guards and bulletproof glass and so on.
"And if you look at phishing it's the same. People use technology to circumvent IT security to steal. Now you see different people are involved, but the principle is the same. All that's changed is the guy with the pistol is now sitting in front of his PC."
And that development is exponentially more threatening when you consider the sophistication with which crime networks now operate. "With malware, you see criminals making money by selling toolkits for building malware to other criminals," says Helmbrecht. "In the past, you could find instructions on how to build a bomb on the web, and now the same is true of malware. There are criminal websites where you can buy Trojan horses, or rent a botnet, if you find the right criminal site."
Safety in numbers
This is worrying, without doubt, but ENISA has been working closely with the banking industry to encourage continued investment in anti-crime measures. Helmbrecht is clear that no one body can hope to tackle this alone. In his view, a joint effort is required. "We're lucky that there are a lot of good firms working in this area and, if we're aware of criminal behaviour, law enforcement is able to be more focused on it, but the third part is social engineering and public education, and that is the most difficult part.
"All of this will involve a joint effort, but in my experience the lead must come out of the sector itself. That's because we as an agency can put material out to the public, but really the problem is getting them to visit our website. How many take notice of these technical issues? Not many. With that in mind, the banks have to take the lead, with government support and encouragement. In the end, if you tell your customers how to use the credit card, they will listen."
Alongside that lurks the threat to the newest form of computing: the cloud. Targeting the servers that host countless data on users online must be in the sights of the more sophisticated hackers. Western consumers' insatiable demand for real-time information across all devices in and out of the home has created for banks the added dilemma of servicing that need while maintaining a secure network for their customers.
It's clearly an issue banks must grapple with, and ENISA has made ita priority to facilitate the exchange of information to help them improve their defences. "We have initiatives, which we call the European Information Security Alert System, and within that we bring different companies and sectors together to exchange experiences to learn from best practice," Helmbrecht explains.
"Because, of course, the issue is that if you're in a room with your competitors, you're probably less likely to want to talk about your weaknesses and problems. So it takes time to build the trust so people can exchange information in an open way, but we offer a platform and invite people along to that."
It's just another weapon in the ongoing war against the cybercriminals.
