Mr Erkki Liikanen; Member of the European Commission, responsible for Enterprise and the Information Society; CeBIT; Hannover, 18th March 2004

 

"European Network Security"

Ladies and Gentlemen,

I would like to thank the organiser for inviting me to talk about important cyber security issues and what our approach is to these in Europe.

 

Key policy concerns

Network and information security has become increasingly important with growing usage of the Internet and other information and communication technologies.

In today's society, much depends on networks and information systems. The requirements for security will rapidly increase as networking and computing develop further and electronic communications become part of all aspects of our daily lives. For instance, broadband connections offer people the possibility to be "always on". This, of course, increases the vulnerability of systems and multiplies the probability of some sort of cyber-attack. Enhanced security is therefore a key element for the success of broadband.

New wireless applications will enable people to access the Internet from anywhere. The tendency to connect to the Internet everything from printers to central heating systems will continue. Just as people expand the ways they use the Internet, so the potential security risks multiply.

The malfunctioning of networks and information systems concerns everybody: citizens, businesses and public administrations.

Yet to fully realise the advantages of the information society, people need to be able to trust the systems. This is why security is becoming such an important issue.

Achieving cyber security is difficult and complex both technologically and politically. This complexity is still far from being successfully hidden from everyday users of services. They themselves still have to deal with the availability, integrity, authenticity, and confidentiality of data and services.

Technological complexity means not only that many components and actors must work together, but also that human behaviour has become a crucial factor.

From a policy perspective, cyber security itself consists of a number of complex issues, which are closely linked with other issues. I will come back

 

Cyber Security - striking the right balance

European activities related to network and information security fall into three broad categories.

Firstly, we have put in place a legislative framework for telecommunications and data protection.

Secondly, we are witnessing the emergence of a policy on cyber crime, including the protection of our infrastructures and information systems.

Thirdly, we are actively promoting improvements in network and information security through initiatives such as the two eEurope Action Plans and the establishment of the European Network and Information Security Agency. To a certain degree these three activities overlap.

 

Securing the Infrastructure

A new regulatory framework was adopted last year and entered into force last July.

This covers all forms of electronic communications, including the Internet. Legislation now requires operators to ensure the security of the electronic communications they provide.

The new data protection provision was to be implemented by Member States last October. Infringement proceedings have been launched against those Member States which have not done their job yet.

The data protection directive no longer makes a distinction between data that travels over traditional networks and data sent via the Internet, that is, IP-based networks.

The directive also prohibits unsolicited communications, or spam. This is a very important step we have taken to combat a growing problem. Unsolicited commercial e-mail, or spam, is far from being just a security issue.

However, it is a good illustration of how the lack of a 'culture of security' could turn a damaging business practice into a fundamental problem for the Internet and, indeed, the Information Society.

Without going into the details, I will just recall that we have chosen an opt-in system based on prior consent and applicable to e-mails, SMSs and MMSs without distinction.

We think this is a good approach because the opt-in respects users' privacy and consumer choice.

Obviously, EU legislation alone will not be sufficient. In February, more than half of EU e-mail traffic is estimated to have been spam. This is alarming.

Following consultations, we have therefore set out, in a Communication of January 2004, a series of actions to build on the EU rules and make the 'ban on spam' as effective as possible.

Action includes effective enforcement by Member States, technical and self-regulatory solutions by industry, and consumer awareness. International cooperation will also be important, since a lot of spam comes from outside the EU, not least from US-based companies. In early February, I hosted an OECD workshop on spam in Brussels precisely to promote that international cooperation.

At the Telecom Council last week, EU Member States unanimously and clearly signalled their broad agreement with our Communication. And there are encouraging signs out there.

We are seeing more cases of convicted spammers, including US-based spammers. The industry and the Internet community are committed to finding solutions to spam based on filtering or other techniques.

Consumer awareness campaigns are being launched in many places in Europe and elsewhere.

Today however, I would like to stress one point: all this work can be reduced to almost zero if businesses and other users have no proper security policy.

Even simple security measures, such as closing open relays and proxies by default, can already prevent huge amounts of spam. This is where the culture of security matters.
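As an added illustration of the open-relay point, and not part of the speech, the following Postfix main.cf fragment contrasts a mail server configured to relay for anyone with one that relays only for its own networks and authenticated users. Postfix, the hostname, the domain and the address range are assumptions chosen for the example; nothing in the speech names them.

```ini
# Added example (not from the speech). Postfix, the hostname, the domain
# and the network range below are constructed assumptions.
# Postfix comments must start a line; inline comments are not allowed.

# --- Weak setting: an open relay ----------------------------------------
# Treating the whole Internet as "my network" means permit_mynetworks
# accepts mail from any client for any destination, so the host relays
# spam for anyone who finds it. Shown commented out for contrast.
# mynetworks = 0.0.0.0/0
# smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# --- Corrected setting: relay only for own clients --------------------
# Placeholder hostname and locally delivered domains.
myhostname = mail.example.org
mydestination = example.org, localhost

# Only loopback and the organisation's internal range (RFC 5737
# documentation prefix, constructed) count as trusted clients.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24

# A recipient is accepted only if the client is on a trusted network,
# has authenticated via SASL, or the destination is one of our own
# domains. Any other relay attempt is rejected.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Do not volunteer to relay for any additional domains.
relay_domains =
```

After changing main.cf, `postfix reload` applies the new settings and `postconf -n` lists every value that differs from the defaults, which is a quick way to confirm that mynetworks has not quietly been widened again.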

To conclude on this point, let me stress that all stakeholders need to play their part. There is no magic solution to spam. The key is cooperative, integrated action: better security, combined with better filtering, responsible marketing, more effective enforcement and more international cooperation.

All of this is needed if we want to curtail spam.

 

Cyber crime

The next area of concern, especially in terms of legislation, is cyber crime. This is a global problem on which many jurisdictions have to co-operate and where legislation often differs from country to country.

Cyber crime is rarely confined within a single nation's borders. Indisputable factual information - reliable enough for use as evidence in court - is very difficult to obtain from computer records. Such information must not only meet the legal requirements for evidence to be admissible in court. It must also satisfy the basic principles of national and international legislation.

International co-operation is the only effective way to tackle cyber crime. The first important legislative instrument in this area is the Council of Europe Cybercrime Convention. This is the result of almost five years of negotiations between experts in the field of criminal justice, in which the Commission also participated. It is seen by many as a model law, and all EU Member States are signatories. It is also open to signature by countries that are not members of the Council of Europe, which gives this Convention a truly global potential.

Another relevant piece of legislation is the Framework decision on attacks against information systems, which I proposed jointly with Commissioner Vitorino in April 2002. This decision seeks to address cybercrime in a harmonised manner throughout Europe. It provides the approach for prosecuting perpetrators of attacks against critical civil infrastructures, like power plants, water supply systems, airports, hospitals and so on.

The Framework decision encourages and promotes information security, whilst ensuring that Europe's law enforcement authorities can take action against offences of illegal access - or hacking - and illegal interference with information systems, such as denial of service attacks, web-site defacements and viruses. It also contains provisions on the liability of legal persons and rules on applicable jurisdiction.

We are currently awaiting the adoption of this Framework decision, on whose major parts political agreement was already reached last year. I consider it to be a major step towards eliminating the so-called crime-havens in Europe.

 

Network and information security

Back in 2001, the Commission presented a first step towards a more holistic policy on network and information security.

The eEurope 2005 Action Plan calls for stepped-up action. It stated that we should strive towards a "culture of security" and that we should put in place secure networks between administrations so that our authorities can communicate safely among themselves.

It also aims to put a structure in place at EU level to support Member States and the European institutions in improving the security of networks and information systems.

This "structure" has now developed into the European Network and Information Security Agency, ENISA.

 

ENISA objectives

The European Union, and in particular the Internal Market, will benefit directly from higher levels of security in all Member States. ENISA has therefore to build on Member States' efforts to enhance network and information security, and increase the ability of Member States and EU Institutions to prevent and respond to network and information security problems.

We have discussed with Member States what should be done and what they are already doing in the area of information security.

It has become clear that they are at very different stages in their reflections and work. It also seems clear that their approaches vary.

The European Network and Information Security Agency (ENISA), which will be operational in the forthcoming months, should contribute to improving this situation.

The Agency is designed to develop a culture of network and information security for the benefit of citizens, consumers, businesses and the public sector.

The Agency is expected to provide a high level of expertise and to use this to stimulate broad cooperation between the public and private sectors. However, to be clear from the outset, it is not tasked with acting as a "super CERT".

The record high number of worms and viruses that plagued the Internet in 2003 made apparent the need for increased co-ordination between all relevant actors.

Efficient security policies should be based on well-developed risk assessment methods, both in the public and private sector. Risk assessment methods and procedures are currently used at different levels. There is no common practice on their efficient application.

Best practices for risk assessment and for risk management should be promoted within public and private sector organisations.

Network and information security problems are global issues.

There is a need for closer cooperation at global level to improve security standards, improve information, and promote a common global approach to network and information security issues, thereby contributing to the development of a culture of network and information security.

Efficient cooperation with third countries and the global community has also become a task at European level. To this end, the Agency should contribute to Community efforts to cooperate with third countries and with international organisations.

The setting up of ENISA, which is an entity with its own legal personality, is the most efficient way to achieve these objectives.

ENISA's independence should further trust and favour the direct involvement of industry in both identifying and solving security problems in Europe.

In its activities the Agency should pay particular attention to small and medium-sized enterprises. The direct involvement of industry is foreseen at two different levels: on the Management Board of the Agency and in its Permanent Stakeholders Group.

The Management Board is entrusted with the necessary powers to establish the budget, verify its execution, approve the Agency's work programme, and appoint and remove the Executive Director.

The Permanent Stakeholders Group will maintain a regular dialogue with the private sector, consumers' organisations and other relevant stakeholders. It will be established and chaired by the Executive Director, will focus on issues relevant to all stakeholders, and will advise the Executive Director in drawing up a proposal for the Agency's work programme.

ENISA will ultimately serve as a centre of expertise where Member States, EU Institutions and industry can seek advice on matters related to network and information security.

This expertise, coupled with the aim of instilling a culture of security in Europe, will play a key role in developing Europe's digital economy and the information society in general.

 

ENISA - Tasks

The Agency's tasks will focus on:

· Firstly, advising and assisting the Commission and the Member States on information security and in their dialogue with industry to address security-related problems in hardware and software;

· Secondly, collecting and analysing data on security incidents in Europe and emerging risks;

· Thirdly, promoting risk assessment and risk management methods to enhance our capability to deal with information security threats;

· Finally, raising awareness and co-operation between different actors in the information security field, notably by developing public / private partnerships in this field.

In December 2003, the Heads of State decided on a package covering all the remaining EU Agencies, and ENISA will be hosted by Greece. The Commission is presently preparing the establishment of ENISA, and we expect that the Management Board can be convened for a first meeting in May and that the Executive Director should be nominated in late summer.

Whilst ENISA currently takes a lot of our attention, we have a number of other activities related to network and information security.

First is the international dimension. Work is ongoing in international organisations in which the Commission and Member States are participating. This work concerns exchanges of practice within the G8 context, and the creation of a culture of security within the OECD and UN frameworks.

At present we are in the second phase of the World Summit on the Information Society, where a Working Group on Internet Governance will be set up. I am sure questions of the resilience and security of the Internet will also be raised in this context.

Regarding the European dimension let me mention four activities: support to research, electronic signature, secure access and standardisation.

For many years, there has been a succession of security-related projects supported by the Community's Framework Programmes for research. Recent calls for proposals under the 6th Framework Programme have attracted very high interest in research on dependability, privacy and asset management.

As part of the response to the first IST Call, a total of 89 proposals were received addressing network and information security as well as dependability issues. Evaluation and negotiation have led to 14 projects being funded, with an overall budget of around €70 million. Eight of these projects use the new research instruments (Integrated Projects, Networks of Excellence).

The directive on Electronic Signatures was adopted in 1999 and has been implemented in all Member States. The Commission will now review the operation of this directive and will present a report in spring of this year.

Standardisation is important in obtaining secure and interoperable products and services, but as I said before, this is a task for industry, and not for the Commission.

What we have done, however, is to work with the standardisation organisations CEN and ETSI to make an inventory of existing security standards.

This inventory is currently being consolidated as a joint report of CEN and ETSI. As a next step, the Commission might consider mandating the European standardisation bodies to prepare a work programme to develop any additional standards found to be necessary.

One area where there is a need for quick standardisation is biometric identifiers, especially for travel documents. The work is currently taking place at high speed in ISO. The Commission has made two proposals: last September, a proposal on biometrics in visas and residence permits for third-country nationals, and in February 2004, a proposal on biometrics in passports.

We are also trying to improve secure access to IS services. The eEurope 2002 Action Plan launched a Smart Card Action to facilitate secure access across borders and across sectors. This activity brought together hundreds of companies and public administrations. It resulted in a set of common requirements and standardisation work in CEN, and it has led to co-operation, especially regarding electronic identification.

 

Conclusions

I would like to conclude with two important points for information security. Firstly, we need to see security as a business enabler.

Trustworthy systems encourage consumers and businesses to take real advantage of Europe's state-of-the-art communications infrastructure.

The establishment of ENISA must serve to help Europeans build up trust and confidence in the new technologies.

Secondly, improvements in interconnectivity make us all vulnerable to new threats, big and small. Business in particular relies heavily on information networks and infrastructures. Therefore business has to deepen its understanding of the operational risks of such vulnerabilities. This should lead to the development of a new risk management culture.

Risk preparedness and compliance with risk management standards will increasingly become an economic factor in the global supply chain. Ensuring business continuity will become an increasing challenge for Corporate Governance.

Network and information security affects everybody, in all countries and across all user groups.

We need to co-operate closely, across national borders and across market sectors, to come to terms with these security threats, and to prevent and defeat cyber crime.

Together with the European Parliament and the Council, the Commission sees the establishment of ENISA as an important driver for enhanced co-operation across sectors and among countries.

I hope that we can find more ways for governments and industry to co-operate on these issues. We share the same goal, and should make security an example of successful public/private partnership.

 

Thank you for your attention