[infowar.de] Background on the planned EU cyber-security agency
Will the new EU cyber-security agency actually deliver?
By Pablo Asbo
The European Commission initiatives eEurope 2002 and eEurope 2005 aim
to extend the reach of the information society to the majority of
Europeans by 2005, especially with broadband connections easily
available to all.
However, one of the potential risks of being permanently online is that
cyber attacks become more likely. Indeed, European business faces huge
financial losses every year through unauthorised intrusions into its IT
systems, and this also affects consumers, who are still reluctant to
embrace e-commerce widely because of concerns about the security of
payments. Authorities worldwide have woken up to the dangers posed by
serious network failures, such as those caused by the "SQL Slammer"
worm earlier this year. Moreover, the threat of cyber attacks on key
installations such as electricity and water supply has been of
particular concern in the aftermath of the September 11 attacks.
In its June 2001 "Communication on network and information security
systems," the Commission suggested a European Warning and Information
System (EWIS). The eEurope 2002 action plan of June 2000 called for
"public-private cooperation on dependability of information structure
and improved co-operation among national computer emergency response
teams." And the most recent action plan on these issues, eEurope 2005
of May 2002, states that one of its main aims is to "stimulate secure
services, applications and content based on a widely based broadband
infrastructure."
It is against this background that the European Commission has
proposed the creation of a "European Network and Information Security
Agency" as a tool to co-ordinate national efforts as well as the work
done by business and consumer associations. The agency's work will rely
on voluntary action because, as Commissioner Liikanen said, "This does
not give us any power to impose cooperation". It is expected that
industry and national agencies, realising that it is in the best
interest of all, will come forward with information so that effective
responses to cyber-attacks can be devised quickly.
To understand the proposal, we must first know what network and
information security means. According to the
Commission, "it is about ensuring the ability of a network or an
information system to resist, with a given level of confidence,
accidental events or malicious actions that compromise the
availability, authenticity, integrity and confidentiality of data and
the related services offered by or accessible via these networks and
In this definition, some elements deserve to be highlighted. Availability
and integrity mean that in our "always-on" world, services and data must
be permanently and completely available, and unaltered. Otherwise,
many of the commercial and national activities that increasingly rely
on networks and information systems can grind to a halt. The
authenticity and confidentiality elements relate to national and
international regulations on data protection. For instance, when
presenting the proposal, Commissioner Erkki Liikanen mentioned identity
theft as one of the most dangerous threats. This is the situation where
someone with access to an individual's private information sells it to
marketing companies or, even worse, uses his or her credit card.
During the consultation with member states, several responses stressed
'future work' as essential for the agency. Since this is a fast-evolving
sector, flexibility and efficiency are pivotal. This is why it is
proposed that new tasks can be added to keep up with the pace of
technological development, and that the agency's work will be reviewed
every three years. In addition, the advice provided by the agency will
not be limited to the Commission but will also be extended to the
member states.
The raison d'être and the future activities of the agency can be boiled
down to two words: coordination and interoperability. The EU member
states already operate crisis units, called Computer Emergency Response
Teams (CERTs), against threats posed by internet hackers and computer
viruses. But the system lacks central coordination. Besides, the
certification of products still remains national, which leads to a
lack of interoperability, thus harming the
development of pan-European standards and the functioning of the
The agency will act as a centre for gathering industry and national
government expertise, since broad cooperation among the different
stakeholders is a prerequisite for secure European networks and
information systems. It is proposed that the agency will support
national awareness-raising campaigns and the development of harmonised
legal and technical security processes and procedures. Other important
aspects include harmonised security standards, which will allow the
needed interoperability among the different national systems, and
international cooperation with similar agencies and relevant parties in
third countries.
It is proposed that the agency will have an executive director with a
high degree of independence, who will be responsible for preparing the
agency's work programme. Since the broadest participation is
encouraged, it is also proposed that the management board include
representatives of industry and consumers, along with members appointed
by the Council and the Commission.
It must be stressed, as the Commission does, how important coordinated
action on IT security and the interoperability of IT systems within the
EU are if we want to strengthen our capacity to cope with current and
future security threats and to secure the smooth functioning of the
internal market.
Indeed, several warnings were issued by experts last week at the
European Voice E-confidence and the Consumer conference held in
Brussels. The connection of company systems to the internet and
increasing technical complexity are making computer networks highly
vulnerable, said Olivier Paridaens, network security expert at the
electronics firm Alcatel. He described a scenario of coordinated
terrorist attacks on electronic networks and power generation plants.
Quentin Gallivan of VeriSign said that the level of awareness of network
security is lower in Europe than in the US, with the exception of
European multinationals, which are on the same footing as their
American counterparts. In the same vein, Microsoft's European
President, Jean-Philippe Courtois, warned of possible retaliatory
attacks by terrorist groups against the IT systems of European
governments and companies
governments and companies' IT systems, as fall-out from a war with
So the question that arises is whether the proposed agency will be an
adequate response to IT security concerns. First of all, the structure
as an agency is perhaps the most that the Commission could have done,
given that sensitive issues for the member states are touched upon and
that a flexible, adaptable scheme is needed to tackle IT security
effectively. However, experts have expressed some doubts. For instance,
John Russell, CEO of Weber Shandwick Adamson, is sceptical as to whether
this sort of public-private partnership, bringing together
representatives of the EU institutions, member states, industry and
consumers, would work out, and whether the financial provision for
running the agency and the size of its staff will be enough.
The general rationale behind the agency has been characterised as a
"light approach," built on benchmarking, coordination and cooperation,
for instance between industry players harmonising their standards. One
of the fundamental issues on which the agency may find itself
struggling is interoperability. Indeed, Russell has pointed out that
this is likely to be a delicate issue for industry and member states
because it touches upon sensitive areas such as intellectual property
and national security, so pressure would need to be applied to ensure
that they build interoperable systems.
Another area in which the agency's work could be really useful is data
privacy protection. Last week, for instance, several organisations and
consumers expressed fears of possible violations of EU privacy law
through an agreement with the US government under which airline
passenger information will have to be provided in order to check
whether any person has a criminal record or links with terrorist
organisations.
However, whether the agency would improve data privacy protection
remains to be seen, some experts have warned. Russell, for instance,
has warned that this can be a "double edge": a highly sophisticated
system can itself become a threat to consumers' data. Thus, it is
important that the agency keeps its procedures and recommendations as
simple as possible.
Finding the right balance between the different interests at stake is
likely to be one of the main challenges for the EU in IT security in
the coming years. This is an area where extremely divergent interests
can arise between consumers, industry and member states. However, what
all interested parties must bear in mind is that everyone gains when
more secure and trusted IT systems and processes are built; even if
in the short term one may fear losing out in one respect, at the end of
the day all stakeholders will be better off.
The task for the agency itself would then be a huge one, since
co-ordination at EU level has sometimes proven to level the playing
field to the detriment of those member states with more sophisticated
and developed systems, in the name of harmonisation. This is why the
agency's work needs a fine-tuned approach to these conflicting interests
dealing with these conflicting interests, if it wants to achieve its
Pablo Asbo is a lawyer and holds a Master in European Law (LLM) from
Maastricht University and the University of Nottingham. He has been
interested in the interaction of new technologies and the law since the
beginning of his career. He has worked for the Organization of American
States, Casals & Associates and the U.S. Agency for International
Development in Washington, DC. He has also advised the Secretariat
General of MERCOSUR on IT issues.