IHS Gas Analysis Service Perspective | |
Significance | In an unprecedented move, the European Commission (EC) shut down the registries of the European Union Emissions Trading Scheme (EU ETS) this week following a breach of security where carbon permits were stolen from the Czech Republic's national registry by hackers. |
Implications | The digital robbery resulted in around 1 million carbon allowances disappearing from Czech accounts, meaning a number of Czech-based companies now have fewer rights to emit carbon dioxide. Permit stealing by hackers has been a feature of the ETS for the past few months, with permits illegally being transferred between traders representing individual member states, distorting the market and undermining national allocation plans (NAPs). |
Outlook | Since 2009, the revised ETS Directive has mandated a centralised registry run by the EC from the next phase of the scheme beginning in 2013. This latest raid on national accounts strengthens that case; it also puts immediate pressure on member states to increase cyber defences, as well as raising questions about why they have not done so already. |
Trouble in the Air
In the latest heist on the Emissions Trading Scheme (ETS), this week the Czech Republic's national carbon emissions registry announced that one million carbon permits had been stolen by hackers from the account. Indicating the extent of its exasperation about lax security on the part of some member states, on 19 January the European Commission (EC) shut down all transactions, except for allocation and surrender of allowances, in all 30 EU ETS registries until "at least" 26 January. "This transitional measure is taken in view of recurring security breaches in national registries over the last two months", the EC said in a statement. The EC said it would use this time to investigate the hacking incidents, and would only lift the suspension on registries "with adequate security measures".
The disappearance of Czech permits is the third such incident in the past three months. On 10 January, Austria said emissions permits had been taken from its national registry in a hacker attack. The Austrian Federal Environment Agency froze the registry, after admitting that the stolen permits had been transferred "to a foreign account". In November, Romania suffered a hacker attack on its registry, when it was disclosed 15-million-euro (US$20.3 million)-worth of permits had been taken from the account belonging to the Romanian arm of Swiss-based cement maker Holcim. Before these attacks the national registries of Greece, Poland, and Estonia had also been affected by transactions involving stolen permits. The hackers usually re-sell, or somehow pass on, these permits to other traders licensed to trade from the national registries of other member states. Despite every permit having a serial number, there appears to be very little to stop receipt of stolen permits. Traders can gain by selling more on to the market and governments could gain in the short term by having an illicit increase in the number of permits associated with their national registries.
Credibility Under Threat
Despite the short-term gains, the long view is of a system whose integrity is under threat, and this threat will not ultimately benefit member states. The European Union (EU) uses its ETS as a model for other nations and regional blocs to follow. The EU has been regarded as a trailblazer in its carbon reduction strategies. The illegal transfer of permits through hacking hits the EU in a number of ways. Other countries involved in the United Nations' global climate change framework negotiations could begin to question how efficient the EU's carbon mitigation strategies really are, potentially weakening the EU position in future global discussions. It also distorts the market and potentially undermines the national allocation plans (NAPs)—the process by which the EC decides how much carbon certain industries in each member state are allowed to emit each year. From a markets perspective, the psychological effect on the participants could be one of wariness, as traders do not know when or where the next hacking strike will occur. By extension, traders could in theory have doubts about the carbon permits already in their possession, or suspicions of new entrants. That the theft of Czech permits is merely the latest in a series, rather than a standalone incident, points to the huge variations in cyber defence capabilities across the EU, with some national registries being much more smartly defended than others.
Outlook and Implications
The EC has said it will proceed to determine together with national authorities what minimum security measures need to be put in place before the suspension of a registry can be lifted. In its current discussions with member states, the EC's hand is strengthened by having punished all 30 national registries with the suspension of trading, possibly meaning the well-defended member states could add to the pressure on others to beef up their electronic protection. In 2009, the EU adopted a revised ETS Directive that creates a centralised EU registry run by the EC from 2013. This new registry will replace all 30 EU ETS registries currently hosted in the member states (the 30 registries—which are essentially bank accounts—are made up of the EU 27, plus Norway, Iceland, and Liechtenstein). Member states had been very resistant to this centralisation of registries, and the extension of EU power. In the meantime, the EC has made clear that only the best protected registries will be trading the near term, as it needs to reassure the carbon market that the system will not unravel.