The public administrations all across the EU are undergoing a phenomenon never seen before with regard to cyber attacks. This has been documented recently as per the report published by the European Union Agency for Cybersecurity (ENISA). As per the NIS2 Directive, the public authorities are categorized as of highly critical importance, which means that a basic level of cyber protection should exist. However, the cyber infrastructure is extremely weak, and as such, these public authorities are left vulnerable to attack by would-be cybercriminals.
This situation cannot be more serious
Despite the extremely sophisticated cyber attacks, the public institutions and administrators, responsible for the essential services like emergency healthcare, public education, and transportation, are simply unable to protect themselves.
Reports show that about 60% of all attacks targeting public administrations are DDoS attacks. Hacktivists and similar groups perform these attacks by overwhelming the serverโs capacity with fake traffic, temporarily immobilizing the website for all users.
The attack is short, and its impact seems small, but they are cumulative and, over time, can degrade public confidence in the systemsโ effectiveness and disrupt public services in profound ways.
ENISA forecasts these attacks to increase in intensity and scope over moves of significant public interest, like elections and international summits, leading to a significant and enduring threat to operational continuity.
Close to 63% of these incidents were due to hacktivists
Hacktivists, who infiltrate systems for reasons other than money, made up 63% of attacks, and 16% were by other cybercriminals. There are also other actors sponsored by states with some worrying incidents.
DDoS attacks happen more often than data breaches and ransomware, which put public services at a greater risk than DDoS attacks. Data breaches and exposures were 18% of all recorded incidents.
Ransomware attacks are notable for their ability to render critical services, like tax portals and e-ID platforms, useless. There is a serious operational and financial impact on the affected organizations, as these attacks involve the encryption of core documents, and payment is demanded for their release.
Although there have been attempts to create legislation with the NIS2 Directive, ENISA believes that public administration is still in the process of developing cybersecurity resilience in the public administration sector. ENISA also states that:
“The systems which are in place are at risk of being compromised, even severely compromised.โ
ENISA suggests that a balance of architectural resilience and operational preparedness be utilized
In order to address the concern as best as possible, ENISA suggested that a balance of architectural resilience and operational preparedness be used. This includes attempts to implement advanced firewalls, delivery network systems within cloud computing systems, and DNS failover systems.
To minimize risks, public sector administrators are expected to terminate or limit working contractual relationships that are within a single cloud computing system. Additionally, public administrators need to develop basic communication and exercise relationships within the domain of incident response.
These relationships must include, at a minimum, members of the public and private ISPs and cloud computing systems. Regular exercises are also required to ensure that there is functionality to stop a cascade of failures.
If public administrations fail to function as they should, the EU will struggle to provide governance and services to its citizens, will lose the publicโs trust, and have to deal with cyber attacks threatening the operational flow of public governance administrations. As the report says from Initiatives of the European Union Agency for Cybersecurity (ENISA), we cannot just keep adjusting and making piecemeal changes. Europe needs to adopt a fully integrated, well-planned, and fully active model of cyber protection. This will enable Europe to truly protect its digital future.
