Erkki Liikanen: "European Network Security" (EMEA partner meeting)

maandag 13 oktober 2003

Ladies and Gentlemen,

I would like to thank the Stonesoft for inviting me here in Helsinki, to talk about important cyber security issues and what is our approach to these in Europe.

Key policy concerns

Network and information security has become increasingly important with growing usage of the Internet and other information and communication technologies.

In today's society, much depends on networks and information systems. Additional requirements for security will rapidly increase as networking and computing develop further and electronic communications become part of all aspects of our daily lives. For instance broadband connections offer people the possibility to be "always on". This, of course, increases the vulnerability of systems and multiplies the probability of some sort of cyber-attack. Enhanced security is therefore a key element for the success of broadband.

New wireless applications will enable people to access the Internet from anywhere. The tendency to connect to the Internet everything from printers to central heating systems will continue. Just as people expand the ways they use the Internet, so the potential security risks multiply.

The malfunctioning of networks and information systems concerns everybody: citizens, businesses and public administrations.

Yet to fully realise the advantages of the information society, people need to be able to trust the systems. This is why security becomes such an important issue.

Security has turned out to be a difficult and complex task. This complexity is still far from being successfully hidden from everyday users of services. They themselves still have to deal with the availability, integrity, authenticity, and confidentiality of data and services.

The actual implementation of security is also a complex issue, both technologically and politically. Technological complexity means not only that many components and actors must work together, but also that human behaviour has become a crucial factor.

From a policy perspective, cyber security itself consists of a number of complex issues, which are closely linked with other issues. I will come back to this in a minute.

The need for European action

A 2002 survey from IDC/Bull showed that:

  • 75% of European companies had no security strategy in 2002.

  • In 2002, IT security investments in Europe touched 5 billion dollars (up 25% compared to 2001), i.e. only 1.8% of overall IT investments.

  • 18% of companies spent less than 1% on IT security.

  • 10% of companies have just 1 person in charge of security and 45% have between 2 to 5 people.

  • 50% of European companies identified the "underestimation of core business risks" as the major obstacle for investments in IT security.

  • Security is not strategic yet for 2 companies out of 3.(1)

These figures speak for themselves. If we are taking security questions seriously we need to act.

At EU-level security has become a major policy concern. Governments see a widening responsibility in this field. They want to promote security, for instance by giving support to warning and alert systems, support to research and to awareness raising campaigns. They also equip and train law enforcement to deal with computer and Internet related crime.

Cyber Security striking the right balance

European activities related to network and information security fall into three broad categories.

Firstly, we have put in place a legislative framework for telecommunications and data protection.

Secondly we witness an emerging policy on cybercrime, including the protection of critical infrastructures information systems.

Thirdly, we are actively promoting improvements in network and information security through initiatives such as the eEurope Action Plan and the establishment of the European Network and Information Security Agency. To a certain degree these three activities have overlaps.

Securing the Infrastructure

A new regulatory framework was adopted last year, and entered in force last July. This covers all forms of electronic communications, including the Internet. Legislation now requires operators to ensure the security of the electronic communications they provide.

The new data protection provision is to be implemented by Member States next October. There is no longer a distinction between data that travels over traditional networks and data sent via the Internet, that is, IP based networks.

The data protection directive also prohibits unsolicited communications, or spam. This is a very important step we have taken, to combat a growing problem. To give a couple of examples: In August this year Brightmail estimated that 50 % of global e-mail traffic was spam. At the Commission we calculate that 30 % of our incoming e-mail is just spam. Spam creates large costs for the Internet users and for telecommunications providers and it undermines the trust in the systems.

Without going into the details, I will just recall that we have chosen for an opt-in system based on prior consent and applicable to e-mails, SMSs and MMSs without distinction.

We think this is a good approach because the opt-in respects users' privacy and consumer choice. This is also going to be implemented by Member States before the end of October to transpose this into national law.

As a further step to combat spam I have decided to convene a public workshop next week to try and agree a series of actions building on the new rules, such as: effective enforcement, consumer awareness, industry self-regulation, technical solutions, international co-operation. This will lead to a Commission Communication on the subject, later this year.

Cyber Crime

The next area of concern, especially in terms of legislation, is cyber crime. This is a global problem where many jurisdictions have to co-operate and where legislation is often different in the various countries.

Cyber crime is rarely confined within a single nation's boundary. Indisputable factual information, considered good enough for use as evidence in courts - is very difficult to obtain from computer records. Such information must not only meet the legal requirements that specify what evidence is admissible in courts, but it must also meet the basic principles of national and international legislation.

International co-operation is the only effective way to tackle cyber crime. The first important legislative instrument in this area, is the Council of Europe Cybercrime Convention. This is the result of almost five years of negotiations between experts in the field of criminal justice, in which the Commission also participated. It is seen by many as a model law, and all EU Member States are signatory to the Convention. This is also open to signature by countries that are not members of Council of Europe, which gives this Convention a truly global potential.

Another relevant piece of legislation is the Framework decision on attacks against information systems, which I proposed jointly with Commissioner Vitorino in April last year. This decision seeks to address cybercrime in a harmonised manner throughout Europe. It provides the approach for prosecuting attacks against critical civil infrastructures, like power plants, water supply systems, airports, hospitals and so on.

The Framework decision encourages and promotes information security, whilst ensuring that Europe's law enforcement authorities can take action against offences of illegal access - or hacking - and illegal interference with information systems, such as denial of service attacks, web-site defacements and viruses. It also contains provisions on the liability of legal persons and rules on applicable jurisdiction.

We are currently awaiting the adoption of this Framework decision, on which there was political agreement earlier this year. I consider it to be a major step towards elimination of the so-called crime-havens in Europe.

Network and information security

In 2001, the Commission presented a first step towards a more holistic policy on network and information security. This communication presented a number of actions which where followed up by Member States in two Council resolutions, specifying what actions the Member States should take to improve network and information security.

To offer a secure information infrastructure the eEurope 2005 Action Plan, endorsed at Sevilla last year, calls for stepped-up action. It stated that we should strive towards a "culture of security" and that we should put in place secure networks between administrations so that our authorities can communicate safely between themselves. It also aims at assisting Member States and the European institutions by putting a structure in place at EU-level to assist Member States and the European Institutions in their efforts to improve security of networks and information systems. This "structure" has now developed into the European Network and Information Security Agency.

ENISA - objectives

The European Network and Information Security Agency (ENISA) was first conceived as a Cyber Security Task Force, but the initiative eventually developed into an proposal to establish a European Agency. As such, ENISA will be able to act more independently from both Member States and Commission. In other words, the Agency will be more trustworthy; which is a very important pre-requisite for security matters.

The proposal to establish the European Network and Information Security Agency was presented by the Commission in February this year and the Member States have already reached an initial agreement on the proposal. Largely they follow the Commission proposal, as does for the most part also the European Parliament. In the best case the legislation could be voted through already in November.

The agency is expected to be operational next year.

In our discussions with Member States on what should be done and what they are already doing in the area of information security, it has become clear that they are at very different stages of their work, at national level. It also seems that their approaches vary. Today there is no systematic cross-border co-operation on network and information security between Member States, although such security can never be an isolated issue for just one country.

All institutions; the European Parliament, the Council, and the Commission are advocating closer European co-ordination between the Member States on information security.

The European Union, and in particular the Internal Market, will benefit directly from higher levels of security in all Member States. A higher degree of co-operation amongst Member States on security matters would also significantly improve the functioning of the Internal Market.

This is the mission we have set for the Agency.

ENISA has therefore to build on Member States' efforts to enhance network and information security, and increase the ability of Member States and EU Institutions to prevent and respond to network and information security problems.

The Agency will ultimately serve as a centre of expertise where both Member States and EU Institutions can seek advice on matters relating to security.

This expertise, coupled with the aim to installing a culture of security in Europe, will play a key role in developing Europe's digital economy and the information society in general.

ENISA - Tasks

As the prime objective for the Agency is to support the Internal Market the tasks will be focussed on the following:

Firstly, Advisory and co-ordinating functions, Member States and Community bodies should be able to seek advice on information security and find the right contacts to discuss these issues

Secondly, Analysing data on security incidents in Europe, in support of EU policy development, and national initiatives.

Thirdly, Awareness-raising and co-operation, launching co-operation initiatives between different actors in the information security field, and developing public / private partnerships with industry in this field.

To us it is a key issue to have a close industry involvement in the Agency as they own most of the networks and they develop the systems.

Fourthly, Promotion of risk assessment and risk management methods to enhance our capability to deal with information security threats.

And finally, Follow standardisation efforts, in close collaboration with industry and building upon their expertise. I would like to re-assure industry that the Agency will not develop standards.

We know that network and information security issues are global, as electronic communication channels do not stop at European borders, any more than they do at National ones.

In an effort to improve international co-operation in this field, the Agency will provide support for European contacts with relevant parties in third countries.

Whilst ENISA currently takes a lot of our attention, we have a number of other on-going actions related to network and information security. Let me mention three of them, which are: support to research, electronic signature and standardisation.

For many years, there has been a succession of security related projects supported by the Communities Framework Programmes for research. Recent calls for proposals under the 6th Framework Programme have yielded a very high interest in research on dependability, privacy and asset management.

This directive was adopted in 1999 and has been implemented in all Member States. The Commission shall now review the operation of this directive and present a report sometime later this year.

Standardisation is important in obtaining secure and interoperable products and services, but as I said before, this is a task for industry, and not for the Commission.

What we have done, however, is to work with the standardisation organisations CEN and ETSI to make an inventory of existing security standards.

This inventory is currently being consolidated as a joint report of CEN and ETSI. As a next step, the Commission might consider mandating the European standardisation bodies to prepare a workprogramme for the development of any additional standards found to be necessary.

Conclusions

I would like to conclude with two important points for information security. Firstly, we need to see security as a business enabler.

Trustworthy systems encourage consumers and businesses to take real advantages of Europe's state-of-the-art communications infrastructure.

The establishment of ENISA must serve to help Europeans build-up trust and confidence in the new technologies, and so to realise the full potential of an information society.

Secondly, improvements in interconnectivity make us all vulnerable to new threats, big and small.

Network and information security affects everybody, in all countries and across all user groups.

We need to co-operate closely together, over national borders and over market sectors to come to terms with these security threats, and to defeat cyber crime.

Together with the European Parliament and the Council, the Commission sees the establishment of the ENISA as an important step to have this cross-sector and cross- country co-operation.

I hope that we can find more ways for governments and industry to co-operate on these issues as we have to a large extent the same goals.

Thank you for your attention

(1)Source: IDC/Bull survey conducted in 2002 with IT Division of 250 European companies with more than 1000 employees. Over 1000 companies were contacted