The European Repository of Cyber Incidents (EuRepoC) is an independent research consortium that is dedicated to providing evidence-based scientific analysis of cyber incidents, making way for a better understanding of our current cyber threat environment. Its resources include user-specific, reliable data based on an interdisciplinary perspective, which aims to make this research network a public information forum on cyber incidents, their characteristics, and relevant trends.

The EuRepoC is a consortium that stands for independent research, dedicated to evidence-based scientific analysis. It is currently based in three EU member states and is led by the University of Heidelberg. Members include the Institute for Political Science at the University of Heidelberg in Germany, the Department of Legal Theory and Future of Law at the University of Innsbruck in Austria, the German Institute for International and Security Affairs, and the Cyber Policy Institute in Estonia. The consortium is funded by the German and Danish ministries of foreign affairs and is currently expanding to onboard more European partners.

Matthias Schulze writes in Quantifying Cyber Conflict: Introducing the European Repository on Cyber Incidents:

‘What can be done to address these challenges? Enter the European Repository on Cyber Incidents. A group of researchers (including myself) from European universities and think tanks are launching a new cyber conflict dataset known as the European Repository of Cyber Incidents (EuRepoC). It features data on more than 1,400 different cyber operations worldwide, reaching back to the 2001 Chinese intrusions into the U.S. Department of Defense, and the dataset is growing constantly. With the help of data mining, machine learning, and natural language processing, our program scrapes data on new cyber incidents daily to add them to the database. Human coders evaluate and classify the incidents. Our methodology is peer reviewed, transparent, and open to feedback from the community.

We have had long debates about what and how many cyber incidents to include in the EuRepoC. It would be nearly impossible to include every single one of the millions of distributed denial of service (DDoS) attacks that are launched each year. Therefore, we chose to include only those cyber operations that resulted in a policy response from targeted nations, such as indictments or sanctions, and those that made it into the policy discourse in general. Selected cyber operations also included cyberattacks that targeted political entities, caused a high degree of damage and impact on targets, or both. To gauge political significance, we established a reiterative coding loop: Old incidents are frequently reassessed and updated to check whether they gained political traction or to see if new information, such as an operation’s attribution, arises.’

As a public resource for policymakers, diplomats, academia, industry, and members of civil society, this database provides the foundation of EuRepoC’s broader ambition to transparently translate information on cyber operations into a shared understanding of the security landscape.

The openly accessible dashboard that visualizes where and how cyber capabilities are used. The EuRepoC research team will present the building blocks of the project’s continuous effort to develop and maintain an interdisciplinary database of cyber operations worldwide that powers this graphical interface but, more importantly, narrows a critical data gap.

To explore how this resource can help further strengthen the development of coherent policy responses, the site convenes policymakers from the EU institutions and EU member states together with voices from the cyber threat intelligence industry and the academic research community.

Asvin was invited to the launch of Eurepoc. The general discussion led to a number of arguments for Eurepoc: to raise awareness along a general audience, to structure the datasets and set up a one stop shop, to inform policy, and to enhance the role of the private sector as a limited shared situational awareness leads to inconsistent responses and political un readiness.

Two key issues were raised. The first is on attribution, which takes a lot of energy. It is necessary to know who you are dealing with but that should not take time from a swift first response, how to recover, be resilient throughout.
The second issues was about sharing responsibly. Both in a technical as well as in a moral way. Technically, the question is: How do we share safely and securely? Morally, the response is that We do not share because we do not trust IN our partner countries, some times not even in the same country.

Conclusion: We need a space off and for sharing; a shared situational awareness.

Which is exactly what focuses on : the context involved graph analysis and the disposable identity for selective sharing.

Asvin is working on combining mesh-network architectures, graph-based analysis able to group context driven attack patterns into events, and disposable or ephemeral identities that are awarded to events limiting them in scope, time and location ready to be shared contextually and temporarily with third parties – safeguarding proprietary, business-critical and sensitive enterprise data from being shared. We thus achieve an added rationale for companies to share data and information throughout their supply chain. In Information Sharing in Supply Chains: a Literature Review and Research Agenda, Imam Baihaqi and Dr. Nicholas Beaumont argue: “Information sharing is a vital aspect of coordination amongst parties in a supply chain. Information sharing can increase supply chain efficiency by reducing inventories and smoothing production. Supply chain efficiency is highly important as today’s competition is no longer between companies, but between supply chains.”

The cybersecurity paradigm shift involves mesh networks and ways of identifying attack vectors in graph form by scraping contextual information of every incoming node thus building real time defence strategies. Some of these attack vectors are perpetually new, others are characterised by recurring forms and patterns. Identifying the latter as ‘event’, where an event is the attack vector, its components, its internal relationships and its unique feature as a ‘coherent’ pattern. If you want to share these events along the supply chain, you might also share (vital) sensitive information. In order to only share what is information about the attack and not sensitive information we investigate a recent framework in privacy and security enhancing tools: disposable identities. Disposable Identities, in this context – are unique one characteristic identifiers used to real time store and retrieve event identities. They are time, context and scope sensitive.

The descriptions of Eurepoc in the article are taken from the Invitation to the event which was under Chatham House rules which is why the discussion part is in such general terms.