Last March, the Council of the European Union announced the new EU Law Enforcement Emergency Response Protocol to address the growing problem of planning and coordinating between governments, agencies, and companies when cyberattacks occur across international boundaries. Remember well-known incidents such as NotPetya and WannaCry? They’re good examples of how cyberattacks can simultaneously impact organizations and other entities in two or more countries. This especially applies to multinational corporations since they have footprints in multiple jurisdictions.
In reading through the Protocol, a few key items are worth noting:
- There’s a focus on process—It’s so good to see them focusing on process (and not only on technology). Too many regulations and rulesets talk about technology as if it’s the sole solution to all problems. To truly resolve cybersecurity attacks and to mitigate downstream implications quickly, it takes the combination of technology + people + process.
- Operational Technology (OT) systems and risks need more attention—For many years, OT systems have been increasingly attacked by adversaries. While the focus on IT in the Protocol is logical, the omission of OT factors keeps it from being an even stronger and more robust document. The Protocol’s own wording shows the gap when it says, “…to establish the criminal nature of the attack, it’s fundamental that the first responders perform all required measures … to preserve the electronic evidence that could be found within the IT systems affected by the attack, which are essential for any criminal investigation or judicial procedure.” The omission of OT systems is all the more confusing when the website announcing the Protocol states that, “The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable.”
- Operational alignment is well-executed—Praise is deserved for the outstanding effort to coordinate multi-stakeholder processes using existing resources and teams. For instance, a partial list of the entities working on these issues in Europe includes Europol’s European Cybercrime Centre (EC3), the European Union’s Cybersecurity Incident Response Team (CSIRT) Network, the European Union Agency for Network and Information Security (ENISA), and other EU member law enforcement groups. While everyone involved has the prevention of and response to cyberattacks at heart, ensuring the alignment and optimal use of existing resources makes very good sense.
- Important cross-border thinking adds value—Cyber-adversaries pay no attention to boundaries, so it’s important to defend against these problems with a similar mindset that embraces diverse thinking. Countries that cooperate and coordinate their efforts are likely to detect and identify cyber-adversaries faster and more comprehensively if they approach the problem as a united front. This cross-border way of thinking should be an example for other regions of the world.
The improvements to the EU Law Enforcement Emergency Response Protocol are invaluable. Streamlining and strengthening cross-border approaches, protocols, and ways of communicating lets efforts to thwart attacks begin immediately and proceed more effectively.
Preserving electronic evidence makes finding and punishing the perpetrators a priority. However, work still must be done on developing plans and protocols to mitigate damage to OT systems, and I hope they prioritize this focus for their next iteration.
- Complete an offline assessment of your Active Directory—Assess your Active Directory security posture and reduce support costs by exposing and remediating configuration and operational security issues before they affect your business.
- Learn more about the cybersecurity risk landscape—Watch this Microsoft Digital Crimes Unit overview video to learn more about how Microsoft is working with public and private partners.
- Discover how the Microsoft Incident Response and Recovery Process can help—Read about our expert security services that are available in case an incident occurs.