On Thursday, 20 January 2011, the EU Commission was forced to suspend the trading of Co2 certificates in the frame of the European Emission Trading System (ETS) due to fraud and so called cyber-attacks. This step became necessary after the theft of seven million Euros in carbon emissions allowances and the illegal transfer of up to 2 million allowances, worth 28 million EUR in the frame of a coordinated electronic attack against national registries in the Czech Republic, Estonia, Greece and Austria. In an exchange with the Commission, the members of the environment committee of the European Parliament questioned the Commission on the steps forward.
The ETS is one of the central building blocks of the EU’s energy and climate change package. It was introduced in 2005 and till 2009 the ETS market went from zero to 89 bn EUR. Studies showed that in the period from 2005-2007 the scheme led to a reduction in greenhouse gas emissions of between two and five per cent against business-as-usual scenarios, resulting in carbon savings of 120 million to 300 million tonnes during the three-year period. To date the ETS runs carbon accounts of some 11,000 power stations as well as investment firms and intermediaries across the 27 members states in the EU. It has been developed to help reduce Co2 emissions by on the one hand putting a price on carbon and setting up a carbon market, which makes it beneficial for companies to emit less and on the other hand creating revenues that can be geared towards low-carbon, environment and climate friendly technologies. The ETS has been studied by many other regions in the world, such as California or China, as a potential blueprint for their own systems and the EU has also been lobbying other non-EU countries to join in. Against this background, it is crucial that the system is not undermined due to weak security measures.
Unfortunately, this was not the first incident caused by a lack of security in the ETS. Already in 2010 the system made the headlines when phishing attacks and other frauds became public.
It seems that the core instrument in EU’s Co2 mitigation and reduction tool box faces a serious security gap, which urgently needs to be closed. The problems are not inherent in or specific to the EU ETS but they do threaten the reputation of the system at a crucial moment. The EU will only be able to successfully acquire new partners for the ETS if its reliability and safety can be ensured.
There are a number of measures, which can be employed to make national registries safer, e.g. anti-phishing controls with secure identification requirements or the restriction of the online accessibility to account holder data only. Basic security precautions and identity checks, as used in financial transactions could already solve many problems. But with 27 national systems operating at different security levels and with different structures, it will remain a difficult task to combat fraud effectively. The chain is only as strong as the weakest link.
Thus, ultimately, the solution lies in the set-up of a single European registry, which can register and track transfers across borders and guarantee confidentiality of exchanged data. This way, national authorities have a fast-track to check suspicious transactions instead of trying to access 26 different national systems. Considering the problems that the current system has encountered throughout the past year, it would be sensible to move the starting date for a single EU registry, currently foreseen for 2012, forward. It is important to establish an effective reaction to guarantee international trust in ETS.
In the meantime, Member States but also companies active in the carbon market must take the IT security threats seriously and establish protective mechanisms.