26 March 2021
“Digitising Europe” is the new ELF Blogposts series that engage with policymakers, industry experts, and academics in order to contribute to a better understanding of how technological change is also driving social, political, and regulatory affairs.
By Francesco Cappelletti, Research Fellow at European Liberal Forum
A concept strongly linked to cybersecurity is awareness, which can be defined as the consciousness of possible threats in cyberspace and the best tools for a user to protect themself. Being aware also means understanding why a given phenomenon is relevant. While the words “cybersecurity”, “ransomware” and “hacker” are frequently encountered by most of us, it is sometimes necessary to quantify why these threats should be high among all European citizens’ priorities. Globally, during the last five years, cyber-attacks have more than doubled. Similarly, the cost associated with this threat – measured in trillions of Euros – is constantly rising.
In 2020, cyberattacks (i.e. espionage/sabotage operations) have increased by 30%, followed by cybercrime (i.e. cyber-attacks that seek monetary profit) and cyber warfare operations. In addition to attacks on pharmaceutical companies, which aimed to steal information about vaccine technologies, hospitals have been a significant target, raising ethical concerns. Among the data stolen from citizens are names, addresses, healthcare-sensitive information, social security details and financial data. What is more, compared to the period before the pandemic, there has been a noticeable increase in the use of new attack methodologies, while malware remains the most frequently used tool.
By exploiting the uncertainty of official announcements in the first phase of the epidemic, cybercriminals were able to disseminate emails with malicious attachments containing false official statements from health organisations or governments. Then, the beginning of the lockdown marked a corresponding increase in different attacks. Phishing attempts, social media scams, fake ads, and social engineering attacks hit home-workers, students, and children alike (with the last category already exposed to the network’s dangers). Concerns increased with smart working because attacks hit both “work-related” and “personal” data (i.e., data concerning family intimacy) while employees were forced to use their private home networks and devices to work remotely. Moreover, accessing cloud-based apps for file sharing, company software and video conferencing tools, produced security concerns for firms all over Europe. The trend of attacks on mobile devices was also on the rise.
Figure 1 – Distribution of the key COVID-19 inflicted cyberthreats based on Interpol report (source: Interpol)
Finally, the impact of the pandemic had internal consequences for EU Member States. Disinformation campaigns concerning the pandemic – often supported by state actors – have increased and become more sophisticated, effectively exploiting the crisis. This is to be understood in the broader context of information warfare and influence operations, and the pandemic has increased the number of these actions. But the direct consequences are felt by the general public:European citizens’ perceptions about Covid-19 can be described in the context of an “Infodemic” , which is also causing them to question the future of technology and how to regulate it.
Figure 2 – An example of fake covid alert (source: FraudWatch)
It is a difficult task to quantify the cost of all cyberattacks. Globally, for attacks in 2020 (and for those observed in 2021), the trend is not surprising. Compared to the last ten years, the costs have roughly tripled. Although it would be unnecessary for this brief analysis to quantify each sector’s expenditure, it is interesting to understand at least the figures behind such a common phenomenon, to ensure an appropriate understanding of the problem.
Overall, considering the year we have just left behind, we have seen a wide-ranging and sudden increase in the use of connected devices (every second more than a hundred IoT devices are connected to the internet, and it is foreseen that 75 billion devices will be connected in 2025 – up from 7 billion in 2018). Moreover, a corresponding increase in network traffic volume during the year was observed. The same period saw an incredible number of disruptive cyberattacks with a three-year average increase of about 30% in the “severe” attacks category. As already mentioned, the sectors affected were very varied, and hackers spared no-one: from social media platforms to electricity grids and institutions.
According to Statista, the average cost of all cyber-attacks for big firms (employing between 250 and 999 people) in North American and European amounted to 133 thousand dollars in 2020.
The volume of personal data and profile information stolen in the major (known) cyber-attacks of the past year is estimated to be hundreds of millions. Companies lost an average of $1.52 million due to cyber-attacks (in lost business volume), while large breaches (involving 1 to 10 million records) cost an average of $50 million.
This is relevant considering that less than 10% of security officers in companies are able to quantify the economic impact of an attack. Nevertheless, spending on data security often does not exceed 15% of a company’s total expenditure, while it has been established that having an Incident Response Team ‘at the ready’ can save $2 million for a single attack. There is also a hidden, or ‘indirect’ cost as a consequence of cyber-attacks, namely the impact on how investors view companies on the stock market.
A further aspect to be considered is the speed with which hostile actors adapted during the pandemic: in Q1 2020 alone, Interpol estimated that about nine hundred thousand spam messages and 48,000 malicious URLs with allusion to Covid-19 were recorded. In the first months of the year, the registration of domains associated with the words “Covid” or “Coronavirus” increased by more than 600%, with seven times as many “high risk” profiles as before the pandemic.
To continue giving some figures, in Q3 2020 alone, cybersecurity company Kaspersky blocked 1,416,295,227 threats globally, while half a million URL addresses were recognised as dangerous, and around 90 million ‘unwanted’ objects in customers’ systems were identified using a proprietary antivirus. The distribution of the victims of these attacks (as well as their origin) varies according to the type of threat.
Figure 3 – Distribution of exploits used by cybercriminals, by type of attacked application, 2020 (source: Kaspersky)
First of all, it is good to remember that there are a number of measures already in place to ensure personal safety while connected to the Internet, and regulatory guarantees (especially in Europe), which, combined with virtuous behaviour, can mitigate cyber threats. Indeed, due to the online scenery to which workers have been forced to switch in the past year, computer security experts have focused on imparting awareness to workers, users, and students. It is not only about application tools aimed at countering threats (be they software or hardware) but about a series of best practices and, in general, about the improvement of users’ online behaviour.
In absolute terms, the number of cyber-attacks, together with the crisis experienced at EU CSIRTs, may have led to a greater awareness of the problem contributing to a safer cybersecurity environment.
The European Commission’s recent proposals seem to be a step toward achieving greater resilience to cyber threats at the European level. At the same time, the EU institutions are continuing to refine a system of targeted sanctions against cybercriminals. In addition, the approved recovery and strategic plans allocate significant resources to the digitisation sector, and it remains essential to identify and protect critical infrastructures at the EU level. Finally, investment in technology and research is crucial to confront increasingly sophisticated threats and is the only way to achieve a complete digitisation process that will qualify Europe as a global competitor in the Digital Market.
Cybersecurity is among the top 5 risks of our world. Thus, political choices regarding European cybersecurity should interest all citizens. They will be crucial in determining the right strategy to deal with the constantly growing numbers. New technologies are implemented in the manufacturing and digital sectors which tend to be more and more complementary. Digitalisation also means the emergence of new and more complex threats. Fostering the development of cutting-edge technologies for cybersecurity and (not least important) the awareness of end-users will be decisive.
It seems complicated to imagine that the EU will be able to eliminate the costs of cyberattacks. With it being a global issue and in light of the constantly increasing number of IoT technologies, connected devices, and smart-working arrangements, the coming years will probably see an increase in these costs. Certainly, investments in cybersecurity will be a priority this year and in the coming years. New businesses will be willing to include the cost of security as essential to compete in the (digital) market. The solution of a strong (and free) European digital market and a robust European cybersecurity industry will further contribute to a resilient digital environment in favour of all Europeans.
Hand-in-hand with this, there is another “hidden cost” that nobody should risk paying. And it is precisely the role of politicians to oversee and protect what could be defined as the primary “critical infrastructure” of the European project: our democracy. As we saw during the pandemic crisis, this can be jeopardised by targeted (dis)information operations and even lead to a destabilisation of certain values, leading to unwise choices. Because, as we all know, politics matters.
Francesco Cappelletti holds an MA in International Relations from the University of Florence and MA in World Politics from MGIMO. He is a member of the Center for Cybersecurity and Fondazione Luigi Einaudi. He focuses on cybersecurity, digitisation, Russian-Western relations.
Published by the European Liberal Forum. The opinions expressed in this publication are those of the author(s) and do not necessarily represent those of the European Liberal Forum.