Suche innerhalb des Archivs / Search the Archive All words Any words

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[] Hintergründe zur geplanten Cybersicherheits-Behörde der EU,

Will the new EU cyber-security agency actually deliver?

By Pablo Asbo

The European Commission initiatives eEurope 2002 and eEurope 2005 aim 
to extend the reach of the information society to the majority of 
Europeans by 2005, especially with broadband connections easily 
available to all. 

However, one of potential risks involved in being permanently online 
is that cyber attacks are more likely to happen. Indeed, European 
business faces huge financial losses every year through unauthorised 
intrusions in their IT systems, and this also affects consumers which 
are still reluctant to embrace e-commerce widely, fuelled by concerns 
about the security of payments. Authorities worldwide have woken up to 
the dangers posed by serious network failures, such as those that have 
been caused by computer worm "SQL Slammer," earlier this year. 
Moreover, the threat of cyber attacks on key installations such as 
electricity and water supply is something that seems to be of especial 
concern in the aftermath of the September 11 attacks. 

In its June 2001 "Communication on network and information security 
systems," the EC suggested a European Warning and Information System 
(EWIS). The e-Europe Plan 2002 of June 2000 has called for 
"public-private cooperation on dependability of information structure 
and improved co-operation among national computer emergency response 
teams." And, in the last action plan relating to these issues, the 
eEurope 2005 plan of May 2002, it was stated that one of its main aims 
was to "stimulate secure services, applications and content based on a 
widely based broadband infrastructure." 

It is against this background that the European Commission has 
proposed the creation of a "European Network and Information Security 
Agency" as a tool to co-ordinate national efforts as well the work 
done by business and consumer associations. The agency work will be 
based on spontaneous actions, because, as Commissioner Liikanen said, 
"This does not give us any power to impose cooperation". It is 
expected that, when realising that it is in the best interest of all, 
industries and national agencies come forward with information to 
quickly devise effective response to a cyber-attacks. 

In order to have a better understanding, we must first start to know 
what network and information security means. According to the 
Commission, "it is about ensuring the ability of a network or an 
information system to resist, with a given level of confidence, 
accidental events or malicious actions that compromise the 
availability, authenticity, integrity and confidentiality of data and 
the related services offered by or accessible via these networks and 
information systems."

In this definition, some elements deserve to be highlighted. Regarding 
availability and integrity, it means that in our "always-on" world, 
services and data must be made permanently and completely available. 
Otherwise, several of the commercial and national activities that are 
increasingly relying on networks or information systems can be grind 
to a halt. The authenticity and confidentially elements relate to 
national and international regulations on data protection. For 
instance, in the presentation of the proposal, Commissioner Erkii 
Liikanen, mentioned as one the most dangerous threats the cases of 
identity theft. This can is the situation where someone with access to 
private information of an individual uses it to sell to marketing 
companies or, even worse, his or her credit card. 

During the consultation with member states, several requirements 
stressed 'future work' as essential for the agency. Since we are 
working in a fast evolving sector, flexibility and efficiency are 
pivotal. This is why, it is proposed that new tasks can be added in 
order to keep up with the pace of technological developments and that 
a review of the agency?s work will take place every three years. In 
addition, the advice provided by the Agency will not be limited to the 
Commission, but also extended to the member states. 

The raison d?etre and the future activities of the Agency can be 
boiled down to two words: coordination and interoperability. Nowadays, 
the EU member states already operate crisis units -- called Computer 
Emergency Response Teams (CERTs) - against threats posed by internet 
hackers and computer viruses. But the system lacks central 
coordination. Besides, the certification of products still remains 
national, which leads to a lack of interoperability, thus harming the 
development of pan-European standards and the functioning of the 
internal market. 

The agency will act as a centre to gather industry and national 
government expertise where broad cooperation among the different 
stakeholders is a pre-requisite for secure European networks and 
information systems. It is proposed that the agency will provide 
support to national awareness raising campaigns and to the development 
of harmonised security legal and technical processes and procedures. 
Other important aspects include the standardisation of security 
standards which will allow the needed interoperability among the 
different national systems and international cooperation between 
similar agencies and relevant parties in third countries. 

It is proposed that the agency will have an executive director, who 
have a high degree of independence and who will be responsible for the 
preparation of the agency's work programme. Since the broadest 
participation is encouraged it is also proposed that in the management 
board representatives from the industry and consumers be included, 
along with members appointed by the Council and the Commission. 

It must be stressed, as the commission does, the importance of 
coordinated actions in the IT security and the interoperability of IT 
systems within the EU, if we want to strength our capacity to cope 
with current and future security threats and to secure the smooth 
functioning of the internal market. 

Indeed, several warnings were issued by experts last week at the 
European Voice E-confidence and the Consumer conference held in 
Brussels. The connection of company systems to the internet and 
increasing technical complexity are making computer networks highly 
vulnerable, said Olivier Paridaens, network security expert for 
electronics firm Alcatel. He described a scenario of coordinated 
terrorists attacks over electronic networks and power generation 
plants. Another expert from VeriSign, Mr. Quentin Gallivan said that 
lower level of awareness over network security exists in Europe than 
in the US, with the exception of European multinational companies who 
are on the same footing as their American counterparts. In the same 
vein, Microsoft's European President, Jean-Philippe Courtois, warned 
of possible retaliatory attacks by terrorists groups against European 
governments and companies' IT systems, as fall-out from a war with 

So, the question that arises is whether the proposed agency will be an 
adequate response to IT security concerns. First of all, the structure 
as an agency is, perhaps, the most that the Commission could have 
done, given the fact that sensitive issues for the Member States are 
touched upon plus that a flexible and adaptable scheme is needed to 
tackle effectively IT security. However, experts have expressed some 
doubts in this regard. For instance, John Russell, CEO of Weber 
Shandwick Adamson is skeptical as to whether this sort of 
public-private partnership, where representatives from the EU 
institutions, member states, industry and consumers are included, 
would work out and that whether the financial provision for the 
running of the agency and the number of the staff will be enough. 

The general rationale behind the agency has been characterised as a 
"light approach," which includes the notions of benchmarking, 
coordination and cooperation between, for instance, industry to 
harmonise its standards. One of the fundamental issues in which the 
agency may find itself struggling is in interoperability. Indeed, it 
has been pointed out by Russell that this is likely to be a delicate 
issue for industry and member states because it touches upon sensitive 
areas such as intellectual property and national security concerns, 
therefore it would be needed to have pressure applied to ensure they 
build interoperable systems. 

Another aspect in which the agency work can be really useful is in 
data privacy protection. Last week, for instance, several 
organisations and consumers have expressed their fears of possible 
violation of EU privacy laws through an agreement with the US 
government in which airlines passenger information will have to be 
provided in order to check whether any person has a criminal records 
or links with terrorist organizations. 

However, whether the agency would improve data privacy protection 
remains to be seen, some experts have warned. For instance, Russell 
has warned that this can be a "double edge", as when you have a highly 
sophisticated system, a potential threat to consumer over their data 
may arise. Thus, it is important that the agency keeps its procedures 
and recommendations as simple as possible. 

Finding the right balance between the different interests at stake is 
likely to be one of the main challenges for the EU in the incoming 
years in IT security issues. This is an area where sometimes extremely 
divergent interests may arise between consumers, industry and member 
states. However, what all interested parties must bear in mind is that 
all would gain when more secure and trusted IT systems and processes 
are built and, if even in the short term one may be fear losing in one 
aspect, at the end of the day, all stakeholders will be better off. 
The task for the agency itself would be a huge one then, since 
co-ordination at EU level has proven sometimes to level the playing 
field to the detriment of those member states that have more 
sophisticated and developed systems in order to achieve harmonisation. 
Thus, this is why the agency work needs a fine-tuned approach in 
dealing with these conflicting interests, if it wants to achieve its 

Pablo Asbo is a lawyer and Master in European Law (LLM) for Maastricht 
University-University of Nottingham. He has been interested in the 
interaction of new technologies and the law since his professional 
beginnings. He has worked for the Organization of American States, 
Casals & Associates and the U.S. Agency for International Development 
in Washington, DC. He also has advised the Secretariat General of the 
MERCOSUR in IT issues.

Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.