Reporting DDoS attacks: a change of tack

A recent revision to the European Electronic Communications Code highlights the need for more safeguards against distributed denial of service attacks within service providers to prevent outages

Posted 11 August 2021 by Christine Horton

The public sector has fallen into the direct crosshairs of cyberattackers over the last few years. The health service in particular has borne the brunt both in the UK and across the wider European landscape. In May of this year, the Health Service Executive of Ireland suffered a major ransomware cyberattack that caused all its IT systems nationwide to be shut down. While the French government has confirmed that 27 hospitals across the country suffered from “serious cyberattacks” during 2020.

However, the most visible signs of the issue are newspaper headlines – but in many more cases, unless there is a noticeable and public facing outage, the need to report a cyberattack can vary by international jurisdiction. In the UK for example, ICO guidance on security breaches states: “You’re legally obliged to report any personal data breaches within 72 hours of becoming aware of them, unless you can show that the breach is unlikely to pose a risk to individuals’ rights and freedoms.” However, the last clause offers a way of brushing certain incidents under the carpet.

While in Spain, its National Cybersecurity Council, transposition of the NIS (network and information systems directive) directive made cybersecurity attack reporting mandatory for not only Public Administrations, but also organisations considered critical infrastructures or strategic operators within their field including digital service providers. In both cases, reporting is to a government body – but whether this reporting must be made public is vague.

Regulatory landscape

In terms of cybersecurity regulations, there are two big camps. The first are industry specific frameworks such as PCI-DSS for credit cards or HIPPA – a US-led initiative that focuses on healthcare, plus notables’ rules in financial services and utilities. These are joined by EU wide initiatives – that have also been written into UK law as part of the equivalency process during Brexit – of which GDPR and NIS are the most well-known.

GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. While the NIS Directive (network and information systems directive) aims to enforce better cyber security practices and reporting requirements for operators of essential services across both public and private sector. NIS focuses on organisations with an important role to provide security in healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply.

A pioneer behind many of the EI regulations is the European Union Agency for Cybersecurity (ENISA) that contributes to EU cyber policy, trustworthiness of ICT products, services and processes through cybersecurity certification schemes.

ENISA played a role in defining some of the cyber security regulations within the European Electronic Communications Code (EECC), an EU directive, which regulates electronic communications networks and services. The lofty goal of the EECC is help build a Digital Single Market in Europe and create a broad framework where traditional telecoms companies and a new generation of internet enabled digital services can operate in the market fairly, securely and with equal benefit for all EU citizens.

At the end of 2020, all EU nations needed to align national laws with the articles of the EECC which includes reporting obligations in the event of a cyber-attack that impact EU citizens. The language within the EECC has left a lot of scope around what could be considered as damage – but cyber-attacks such as Distributed Denial of Service that overwhelm a digital service were not explicitly sighted as a reason to report an attack.

Guidance update

However, new guidance from ENISA (March 21), has potentially for the first time made Distributed Denial of Service attacks that impact payment and user authentication systems leading to “…outages for a significant group of customers” now a reportable event under Article 40 of the European Electronic Communications Code (EECC).

The change is not a moment too soon. DDoS attacks have risen over the last decade – and by 400 percent for certain types of attacks that uses Open VPN – during the shift to mass working from home forced by the pandemic. The change in guidance makes it much clearer that telecommunication operators must do more to protect against distributed denial of service attacks that impact the critical intermediary services that run across their networks.  

The EECC states that the scope of reporting within its provision include, “Due to denial-of-service attacks on the authentication server [that] people are unable to authenticate and use the OTT platform.” As an example, a DDoS attack that stopped users authenticating identity, or impacted billing systems or portal access to payments methods such as direct debits from a particular bank or payments from PayPal – would all require reporting.

Question time

For those working in the cybersecurity industry, the revisions made by ENISA are welcomed and may well prompt additional telecoms providers to build more robust anti-DDoS measures directly into the network layer. This offers better protection and is more efficient than   relying on each customer whether it be a private sector bank – or public sector hospital – to build DDoS protection within their own data centres and server rooms.

The next step is for large customers – of which the public sector has significant weight – to start posing the questions to communication and digital service providers and asking, ‘If they are compliant with the obligations of the EECC to protect their customers and citizens against “significant outages” caused by distributed denial of service attacks?’

Although DDoS is just part of the overall cybersecurity landscape, any guidance at an EU level that recognises the danger and promotes systemic improvements will make the situation better for all citizens across the region.

Ashley Stephenson is CTO, for Corero Network Security