The European Union has been busy these past months, significantly updating its cybersecurity regulatory framework. The transposition deadline for the NIS2 Directive and the Council's final adoption of the Cyber Resilience Act (CRA) fell just a week apart in October, and the Digital Operational Resilience Act (DORA) starts applying to the financial sector in January next year. Cybersecurity regulation has picked up pace, and it cannot afford to slow down if it is to keep up with constantly evolving threats. While these regulations improve general cybersecurity robustness, they do not go far enough on DDoS protection. This is concerning given that the European Union Agency for Cybersecurity (ENISA), in its 2024 Threat Landscape report, ranked DDoS attacks as the number one cyber threat in Europe by number of observed events, ahead of ransomware. It highlights a large, DDoS-shaped blind spot in the EU's cybersecurity regulations, made worse by the absence of any guidance on the increasing use of AI in DDoS.
Well, what do these regulations cover?
Regulation on DDoS mitigation is somewhat light across the board, but let's take the NIS2 Directive as an example. It is the newest and by far the most heavy-duty regulation in terms of infrastructure security and resilience. The Directive's purpose is to strengthen the cyber resilience of critical systems within the EU, such as healthcare, transportation and digital providers. Granted, it does so to a degree, with stipulations for enhanced security measures, incident reporting and continuity of services.
However, it is not specific enough. Nowhere in its 60 pages does it contain a specific reference to DDoS, despite DDoS's new position as the number one cyber threat in Europe. Regulations do at times have to take a blanket approach without getting too specific, yet NIS2 mentions ransomware several times by name. With business continuity being one of the core pillars of the Directive, failing to address the class of attack whose whole purpose is to disrupt continuity is a critical oversight.
While these measures are a significant step forward for general cybersecurity, the Directive leaves a significant DDoS-shaped gap. DDoS protection does not fall under the realm of 'general cybersecurity'; it requires a far more tailored approach (dedicated scrubbing capacity, upstream filtering arrangements and detection tuned to traffic rather than to malware). This is particularly problematic when you consider that the sectors covered under NIS2 (such as finance and digital infrastructure) are those most likely to be targeted by DDoS attacks in the first place.
Out of the DDoS frying pan and into the fire
So, what should regulation be focusing on? Any DDoS attack on an organisation has the potential to be devastating, but attackers are increasingly concentrating their efforts on telecom providers. The be-all and end-all aim of any DDoS attacker is to cause as much damage as possible, which is exactly what makes telecom providers an attractive target: they sit upstream of everyone else. When malicious actors take down a telecom provider, they also disrupt the critical business operations of every customer on that network, so one attack yields many victims. As a result, providers are finding themselves increasingly targeted, with the frequency of DDoS attacks skyrocketing from one or two per day to over 100 in the space of a single year. NIS2 does list providers of public electronic communications networks among its essential entities, but it imposes no DDoS-specific obligations on them, which is even more surprising than the general absence of DDoS-specific requirements.
Another growing risk is AI-powered DDoS attacks. Machine learning applied to large volumes of reconnaissance and traffic data can automate the decisions an attacker used to make by hand: which targets and services to hit, which attack vectors to combine, and how to adapt when a mitigation kicks in. Most worrying is that sophisticated attacks have moved beyond human intervention and become fully automated, which lowers the skill needed to launch an attack and boosts the popularity of DDoS. Organisations and regulators need to be wary, as AI-driven cyber-attacks are set to become the norm within a year.
Mitigating the AI-powered nightmare
NIS2 missed a beat by failing to suggest how organisations can face emerging threats such as AI-powered DDoS attacks. For example, it could have introduced a general standard for traffic monitoring. Monitoring is the foundation of every organisation's DDoS defence and, if it is not kept current, a potentially catastrophic weak spot. Fixed volume thresholds were once the standard DDoS detection method, but attackers have outpaced them by shifting to 'low and slow' techniques. Rather than creating huge traffic spikes that simple monitoring can easily spot, these attacks keep the overall request rate below the alarm threshold while tying up server-side resources such as connection slots and application threads, so capacity is eaten away gradually until operations come to a complete standstill.
This is a shining example of an area where a regulation as large as NIS2 could have made a massive impact on DDoS mitigation. By simply stipulating that organisations upgrade their DDoS traffic monitoring so that detection is supported by AI, many of the smaller attacks that slip through the cracks of 'traditional' threshold-based systems would be stopped in their tracks. For instance, machine learning applied to monitoring data can learn what normal traffic looks like for each service and flag deviations across several metrics at once, identifying a DDoS attack within seconds.
AI can also help extend DDoS protection to attacks on the Domain Name System (DNS). DNS underpins access to websites, email delivery and most other internet interactions. Despite DNS being part of the internet's backbone, many ISPs and enterprises are not aware that their resolvers and authoritative servers can themselves be DDoS targets, so DNS often lacks the protection it needs. By combining emerging technologies with machine learning techniques, enterprises can classify DNS query traffic as legitimate or malicious far more accurately.
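The two preceding points, that a fixed traffic-spike threshold misses 'low and slow' attacks and that DNS needs its own signal, can be shown with a small detector. The code below is an added example, not from the article or any vendor; the window metrics, the attack shapes (a Slowloris-style connection-exhaustion attack and a random-subdomain flood against DNS) and the 500 requests-per-second threshold are all constructed for illustration. It contrasts a classic volume rule with a per-feature baseline (a mean and standard deviation learned from known-good windows, which is the simplest form of the anomaly detection the article alludes to).

```python
"""Fixed volume threshold versus a learned per-feature baseline for DDoS detection.

Added example. All traffic figures below are constructed synthetic data,
not measurements, chosen to show why a spike rule misses low-and-slow
attacks while a baseline over several metrics catches them.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    """Aggregated metrics for one observation window (e.g. 10 seconds)."""
    t: int
    rps: float            # requests per second
    open_conns: int       # connections still held open at the end of the window
    dns_nx_ratio: float   # fraction of DNS answers that were NXDOMAIN


def volume_threshold_alert(w: Window, threshold_rps: float) -> bool:
    """Classic detector: alert only when request volume spikes."""
    return w.rps > threshold_rps


class BaselineDetector:
    """Learns mean and standard deviation per feature from known-good windows
    and alerts when any feature sits more than `k` standard deviations above
    its baseline. A floor on the deviation stops a very steady feature from
    producing huge z-scores on harmless jitter."""

    FEATURES = ("rps", "open_conns", "dns_nx_ratio")

    def __init__(self, training: list[Window], k: float = 3.0) -> None:
        self.k = k
        self.baseline: dict[str, tuple[float, float]] = {}
        for f in self.FEATURES:
            vals = [getattr(w, f) for w in training]
            mean = statistics.fmean(vals)
            sd = statistics.pstdev(vals)
            self.baseline[f] = (mean, max(sd, 0.05 * abs(mean), 1e-9))

    def score(self, w: Window) -> dict[str, float]:
        """z-score of each feature against its baseline."""
        return {f: (getattr(w, f) - m) / sd for f, (m, sd) in self.baseline.items()}

    def alert(self, w: Window) -> list[str]:
        """Features exceeding the baseline; an empty list means no alert."""
        return [f for f, z in self.score(w).items() if z > self.k]


def normal_windows(n: int) -> list[Window]:
    """Constructed steady-state traffic: ~105 rps, ~51 open connections,
    ~2% NXDOMAIN, with small deterministic jitter (no randomness, so the
    results are reproducible)."""
    return [
        Window(t, 100 + 5 * (t % 3), 50 + (t % 4), 0.02 + 0.002 * (t % 3))
        for t in range(n)
    ]


def run_scenarios() -> dict[str, dict[str, object]]:
    """Evaluate both detectors over constructed attack and benign windows."""
    detector = BaselineDetector(normal_windows(60))
    scenarios = {
        # Slowloris-style: rate stays flat, held-open connections climb.
        "slowloris_t1": Window(61, 108.0, 120, 0.021),
        "slowloris_t2": Window(62, 106.0, 800, 0.022),
        # Random-subdomain flood: rate barely moves, NXDOMAIN ratio explodes.
        "dns_random_subdomain": Window(63, 112.0, 52, 0.60),
        # Old-fashioned volumetric flood: both detectors should fire.
        "volumetric_flood": Window(64, 9000.0, 400, 0.02),
        # Ordinary window inside normal jitter: neither should fire.
        "benign": Window(65, 110.0, 53, 0.023),
    }
    return {
        name: {
            "volume_rule": volume_threshold_alert(w, threshold_rps=500.0),
            "baseline": detector.alert(w),
        }
        for name, w in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} volume_rule={result['volume_rule']!s:5s} baseline={result['baseline']}")
```

The volume rule never fires for the Slowloris or DNS windows because the request rate stays near normal, while the baseline detector flags `open_conns` and `dns_nx_ratio` respectively. The practical caveat is the training set: the baseline must be learned from windows known to be clean, and it needs periodic re-learning, because an attacker who ramps up over days can otherwise drag the "normal" level up with them.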
Implementing AI in DDoS protection is an upgrade that pretty much every organisation covered under NIS2 could make (and likely needs to). The more general cybersecurity recommendations in NIS2 will undoubtedly boost overall hygiene, but by drawing attention to blind spots like these, the incoming regulation could have scored some immediate improvements. It has failed to do so.
Where is cyber regulation headed?
While cybersecurity regulation has picked up significantly in the past year, threats are constantly evolving and blind spots can easily emerge. This is the case with NIS2 and DDoS attacks. Regulators need to revise their output continually and provide tailored requirements for prominent threats such as DDoS, which hit critical infrastructure particularly hard. As emerging technologies change the nature of cyberthreats, new requirements are needed to ensure cyber defences are sophisticated enough to meet these challenges head on. At the very least, they need to draw attention to the growing threat of DDoS. In this case, ignorance is not bliss, and you don't want to crash into a DDoS blind spot.