A billion user hours lost in EU telecoms due to security incidents in 2019

The European Union Agency for Cybersecurity publishes the 9th annual report on telecom security incidents.

The report published today provides an analysis of root causes and impact of major incidents that happened in the course of 2019 and multiannual trends. The national telecom security authorities in Europe reported a total of 153 major telecom security incidents in 2019. These incident reports were submitted to the EU Agency for Cybersecurity as part of the annual summary reporting on major telecom security incidents in the EU. The reported incidents had a total impact of almost 1 Billion user hours lost.

Juhan Lepassaar, the Executive Director of ENISA, said: "Incident reporting is essential to understand different factors that play a role in cybersecurity incidents, as well as relevant issues. It helps us to see the trends and allows us to assess if the related legislation is working. This will help us to develop the right security measures, if further adjustments or clarifications are needed in the form of implementing acts, and thus improve the overall level of cybersecurity. National authorities use the reporting as a basis for targeted policy initiatives. Our role at ENISA is to make sure that the process is working and to allow the stakeholders, the Member States and the Commission to get the most out of it. We work to harmonise the security incident reporting processes across the Union, to reduce security risks and barriers to the internal market."

Jakub Boratyński, Acting Director of Directorate H in DG CONNECT commented: “Security incident reporting is important in order to get hard numbers about incidents, to analyse root causes and impact, which helps prevent future incidents. It is essential to collect this data not only at EU-level, but also at national level. The COVID-19 outbreak shows more clearly than ever the importance of securing telecom networks.”

The report published today presents an analysis of root causes, impact, and trends of major incidents. It is the 9th annual report on telecom security incidents.

Key takeaways from the 2019 incidents

  • System failures dominate in terms of impact: this category makes up almost half (48%) of the total user hours lost. It is also the most frequent root cause of incidents. Both the frequency and overall impact of system failures have been trending down significantly over the past 4 years;
  • More than a quarter (26%) of total incidents have human errors as the root cause. Human errors increased by 50% compared to the previous year;
  • Almost a third (32%) of the incidents were also flagged as a third-party failure. This means that these incidents originate at third parties, typically utility companies, contractors, suppliers, etc. This number tripled compared to 2018 when it was 9% then;
  • Looking inside the category of system failures, hardware failures are a major factor: almost a quarter of incidents (23%) were caused by hardware failures and they heavily impacted user hours amounting to 38%;
  • Power cuts continue to be an important factor: being either the primary or the secondary cause in over a fifth of the major incidents.

To access the report, please visit: https://www.enisa.europa.eu/publications/annual-report-telecom-security-incidents-2019

ENISA provides also an online visual tool - CIRAS - giving public access to the full repository of telecom security. This tool gives statistics and anonymized information about the 1200 major incidents reported over the past 9 years.

EECC broadening the scope of the telecom security incident reporting

The New EU telecom legislation, known as the European Electronic Communications Code (EECC), has to be transposed into national law by 21 December 2020.

These new rules are broader in scope, adapting to the changes in the EU’s electronic communications landscape. The new legislation will also cover so-called number-independent interpersonal communications services, such as Whatsapp and Skype. The reporting obligations will cover a broader range of telecom security incidents, including incidents having an impact on confidentiality, availability, integrity or authenticity of the communication networks and the data transmitted via those networks or services.

ENISA is working with the EU Member States to implement these changes. The annual reporting guideline is currently being updated to include new thresholds for the annual summary reporting. The EU Agency for Cybersecurity is also updating the guidelines on security measures.

General observations

National telecom authorities use incident reports for targeted policy initiatives and guidelines: the mandatory reporting helps to identify common root causes. This is how we start finding solutions to mitigate the impact of some of the biggest incidents.

Every year the annual summary reporting at EU level highlights important issues and trends: the national authorities then follow up these issues and trends in more details.

Reporting about threats: under the new provisions of the EECC, important threats will also have to be reported along with incidents. This means there is a clear need for national authorities to exchange information about ongoing attacks and important vulnerabilities, in addition to actual incidents with impact on telecom services.

The current incident reporting does not show the complete telecom security threat landscape: security incidents not causing large network disruptions currently remain out of the reporting obligations.
Background information

Electronic communication providers in the EU have to notify telecom security incidents having a significant impact to the national authorities for telecom security in their country. At the beginning of every calendar year, the authorities send summary reports about these incidents to the EU Agency for Cybersecurity.

Security incident reporting has been part of the telecom regulatory framework of the European Union (EU) since the 2009 reform of the telecom package: Article 13a of the Framework directive (2009/140/EC) came into force in 2011. The breach reporting in Article 13a focuses on security incidents with significant impact on the operation of services, such as outages of the electronic communication networks and/or services. Article 40 of the European Electronic Communications Code (EECC) will replace Article 13a by the end of 2020.

The Article 13a Expert Group was founded by ENISA back in 2010, under the auspices of the European Commission. Its purpose is to bring together experts from national telecom security authorities from across the EU to agree on a practical and harmonised approach to the security supervision requirements in Article 13a and to agree on an efficient and effective incident reporting process.

Warna Munzebrock, a representative of Agentschap Telecom, the Dutch Radiocommunications agency, now chairs the group. The Article 13 expert group meets 3 times per year and its work and deliverables can be found in the Article 13a Expert Group portal hosted by ENISA.

Leave a Reply