ENISA criticises local EU cyber security teams
Security agency identifies 16 shortcomings in local Computer Emergency Response Teams, including a lack of collaboration
The European Network and Information Security Agency (ENISA) has identified 16 serious shortcomings in the way national Computer Emergency Response Teams (CERTs) operate.
In a report released today, ENISA warns that the CERTs, described as "digital fire brigades", are failing to use all the tools available to them, and makes 35 recommendations to data providers, data consumers, and government bodies to mitigate the shortcomings.
Although the response teams can be operated by public or private groups, the study focused on the former.
"National/government CERT managers should use the report to overcome identified shortcomings, by using more external sources of incident information, and additional internal tools to collect information to plug the gaps," said the agency executive director, Udo Helmbrecht.
The report stated that one of a CERT's key tasks is the proactive detection of incidents.
"[This] is the process of discovering malicious activity in a CERT's constituency through internal monitoring tools or external services that publish information about detected incidents, before the affected constituents become aware of the problem.
"It can be viewed as a form of early warning service from the constituents' perspective."
However, ENISA found that this monitoring is often hampered by legal and technical problems.
ENISA described the most serious technical faults as insufficient data quality (false positives in the data provided, poor timeliness of delivery) and a lack of standard formats, tools, resources and skills.
There are legal problems too, involving privacy regulations and personal data protection laws that hinder information exchange.
However, the problems do not end there. The report found that even when CERTs do have accurate data, they are failing to use or share it in the most efficient way.
"CERTs are currently not fully utilising all the data at their disposal. Similarly, a large number of CERTs do not collect incident data about other constituencies.
"Even those that do, often do not share this data with other CERTs. This is an area of concern as exchange of such information is key to the effective combating of malware and malicious activities and is extremely important in a cross-border environment."
Some of the recommendations aim to improve communication between those experiencing cyber incidents and CERTs.
Others concern the quality and use of data, with the agency calling for better data formats, distribution and quality.
ENISA wants CERTs to do more to verify the quality of the data feeds they receive, deploying new technology if necessary.
Finally, ENISA also makes recommendations aimed at government level.
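As an illustration of the kind of feed verification the report calls for (an added example written for this page, not code from ENISA or from any CERT), the script below scores constructed sample feeds against the faults named above: entries that cannot be parsed, reports that arrive long after the activity they describe, indicators that match a known-benign allowlist (a proxy for false positives), and indicators corroborated by more than one feed. The feed names, timestamps, IP addresses (all from documentation ranges), allowlist and constituency prefix are all invented for the example; the maximum acceptable age of two days is an arbitrary threshold a team would tune to its own needs.

```python
import ipaddress
from datetime import datetime, timedelta
from statistics import median

# Constructed sample feeds (not real data). Each entry is
# (indicator, time the activity was observed, time the report reached the CERT).
RAW_FEEDS = {
    "feed_a": [
        ("203.0.113.5", "2024-05-01T10:00:00+00:00", "2024-05-01T10:30:00+00:00"),
        ("203.0.113.6", "2024-05-01T11:00:00+00:00", "2024-05-01T11:10:00+00:00"),
        ("198.51.100.10", "2024-05-01T12:00:00+00:00", "2024-05-01T12:05:00+00:00"),
        ("not-an-ip", "2024-05-01T12:00:00+00:00", "2024-05-01T12:05:00+00:00"),
    ],
    "feed_b": [
        ("203.0.113.5", "2024-05-01T10:00:00+00:00", "2024-05-01T10:20:00+00:00"),
        ("192.0.2.1", "2024-05-01T09:00:00+00:00", "2024-05-01T09:30:00+00:00"),
        ("203.0.113.7", "2024-04-20T08:00:00+00:00", "2024-05-01T08:00:00+00:00"),
    ],
}

# Hypothetical list of addresses the CERT knows to be benign (e.g. its own
# scanners); a hit here is treated as a probable false positive.
ALLOWLIST = {ipaddress.ip_address("192.0.2.1")}

# Hypothetical constituency: the address space this CERT is responsible for.
CONSTITUENCY = [ipaddress.ip_network("198.51.100.0/24")]

MAX_AGE = timedelta(days=2)  # arbitrary freshness threshold for this example


def parse_entry(indicator, observed, received):
    """Normalise one raw feed entry; return None if it is not usable."""
    try:
        return {
            "ip": ipaddress.ip_address(indicator),
            "observed": datetime.fromisoformat(observed),
            "received": datetime.fromisoformat(received),
        }
    except ValueError:
        return None


def assess_feeds(raw_feeds, allowlist=ALLOWLIST, constituency=CONSTITUENCY, max_age=MAX_AGE):
    """Return per-feed quality metrics: parse failures, staleness, allowlist
    hits, cross-feed corroboration, constituency relevance and median latency."""
    parsed = {name: [parse_entry(*e) for e in entries] for name, entries in raw_feeds.items()}

    # Which feeds reported each indicator, to measure corroboration.
    sources = {}
    for name, entries in parsed.items():
        for e in entries:
            if e is not None:
                sources.setdefault(e["ip"], set()).add(name)

    report = {}
    for name, entries in parsed.items():
        valid = [e for e in entries if e is not None]
        latencies = [(e["received"] - e["observed"]).total_seconds() / 60 for e in valid]
        report[name] = {
            "total": len(entries),
            "unparseable": len(entries) - len(valid),
            "stale": sum(1 for e in valid if e["received"] - e["observed"] > max_age),
            "allowlisted": sum(1 for e in valid if e["ip"] in allowlist),
            "corroborated": sum(1 for e in valid if len(sources[e["ip"]]) > 1),
            "in_constituency": sum(1 for e in valid if any(e["ip"] in n for n in constituency)),
            "median_latency_minutes": median(latencies) if latencies else None,
        }
    return report


def actionable_indicators(raw_feeds, allowlist=ALLOWLIST, constituency=CONSTITUENCY, max_age=MAX_AGE):
    """Indicators worth warning constituents about: inside the constituency,
    fresh, and not on the allowlist."""
    hits = set()
    for entries in raw_feeds.values():
        for raw in entries:
            e = parse_entry(*raw)
            if e is None or e["ip"] in allowlist:
                continue
            if e["received"] - e["observed"] > max_age:
                continue
            if any(e["ip"] in n for n in constituency):
                hits.add(str(e["ip"]))
    return hits


if __name__ == "__main__":
    for feed, metrics in assess_feeds(RAW_FEEDS).items():
        print(feed, metrics)
    print("actionable:", sorted(actionable_indicators(RAW_FEEDS)))
```

In practice the allowlist and constituency would come from the team's own asset inventory, and the per-feed metrics would be tracked over time so that a feed whose stale or allowlisted share climbs can be challenged with its provider or deprioritised.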
"[These include] balancing of the privacy protection and security needs, as well as facilitating the adoption of common formats, integration of statistical incident data, and research into data leakage reporting."