The struggle against cybercrime received a boost when the European Commission announced its proposal for a regulation to establish an agency to crack down on the threat in Europe. Such a move was also in line with the recommendations of the DDSI project.
The threat is from acts that cause damage to computers or computer systems. Such acts include the creation of viruses, data interception and data interference, illegal access, and denial of service attacks that can cause serious problems for both individuals and organisations. As the world becomes even more interconnected via complicated computer systems and the Internet the threat of a successful strike against its security increases.
To assist in the gathering information about the threat of cybercrime the Commission's DG Information Society launched the Dependability Development Support Initiative (DDSI) , run by international policy think tank RAND Europe, to discuss with public authorities and industry around the world the problems they faced and so create a viable roadmap to combat the threat.
At the DDSI final conference, on 10 October 2002 senior European and American officials met with top industry to discuss the findings of DDSI.Growing risks and growing awareness. At the conference, DDSI reported that the threat is growing at least on a par with Internet penetration and the number of attackers is expanding exponentially. Nonetheless, the ICT industry and its products are more robust. There is an untapped potential to further reduce the danger through even better products and services.Consequently, DDSI concluded that there is still time to forge a broader EU strategy and stronger measures.
DDSI however found that, despite growing awareness by European business and governments of the risks, efforts to manage the risks are very uneven across Europe.
One important measure would be more structured public-private cooperation at national and European levels to assess risks, provide solutions and raise awareness. Examples from The Netherlands (KWINT) , the UK (Information Assurance Advisory Council) and the US (Partnership for Critical Infrastructure Security) were outlined at the conference.
Among its findings DDSI called for “a European initiative to provide an appropriate level of security information, including warnings and alerts, threat assessments, help-desk services and educational products.”
Introducing the European Network and Information Security Agency. In June 2003, the European Commission and Member States agreed on the creation of a European Network and Information Security Agency, to promote the security of Europe's digital economy.
The agency's role will include providing advice to Member States and other European stakeholders on information security and raising awareness of the problems that security breaches can cause, thus closing any potential 'backdoors' through which hackers, criminals or terrorists might come and do harm.
“The EU will benefit from increased coordination between Member States to achieve a sufficiently high level of security in all countries,” said Erkki Liikanen, the Enterprise and Information Society Commissioner at the launch of the agency. “The European Network and Information Security Agency (ENISA) will build on national efforts to enhance network and information security and to increase the ability of Member States and EU institutions to prevent and respond to network and information security problems.”
The European Spring Council called for its creation by the end of 2003. To honour that target date, a general approach for the agency has been recently adopted.
A broad welcomeIndustry has in general welcomed the Commission's initiative, as it will help coordinate the fight against cybercrime in Europe.
UNICE, the Union of Industrial and Employers' Confederations of Europe, broadly welcomes its creation, as described in the Commission's proposal. UNICE's David Coleman believes its “most important role is in awareness raising and education, especially towards SMEs and the general public.” The Business Software Alliance also applauds establishing the Agency. They believe that by acting as a centre of expertise for the Commission and Member State governments, the Agency will help enhance the security of networks both in Europe and, by extension, throughout the world.
Prof Danilo Bruschi, President of the Italian Association for Information Security, CLUSIT, sees ENISA as “a model for other continents to follow and a key element of a global warning and information sharing infrastructure.” He feels it will play a key role in promoting and creating a security culture inside Europe: “It is time for Europe to start to actively contribute to the evolution of the network and information security field, and ENISA could be the right choice in such a direction.”
The views above are echoed by Olivier Paridaens, at Alcatel and EICTA's Issue Manager for Network Security. He also feels establishing the Agency is the “next step towards better coordination in Europe and throughout the world.” He believes that ENISA will facilitate interactions between security organisations across Europe, such as CSIRTs, and a single body in Europe will work efficiently with counterpart organisations elsewhere.
The need for improved legal analysis including data protection, competition and confidentiality was also a concern raised by Dr Lorenzo Valeri from RAND at the DDSI final conference.
From a standing start, the agency will need to come up with policies and initiatives that cover both the EU and the rest of the world, while also spreading a message about needing to improve cyber-defences and supporting the developments of standards that are necessary for a secure Web.
“It will have to cope with issues such as best practice, while communicating with industry and the Member States about the agency's role in EU policy, codifying the links within Europe and dealing with the threat from third-party countries,” according to one Brussels-based industry expert.
The Agency may also help in applying the Common Criteria standards to ensure appropriate levels of security to new products and services created by European companies. The Common Criteria have been created by various international fora over the past 20 years and are supported by the US, Japan, Australia and the EU. Customers and users of those products which have been certified by these criteria will also be reassured if this criteria is applied more vigorously, say industry observers.
Better standards can improve network and information security. Commissioner Liikanen said: “The growth of e-business in Europe and worldwide will be encouraged by the availability of a secure infrastructure. The European Standards Organisations have a key role to play to achieve this objective.”
To this end, the standards bodies, CEN/ISSS and ETSI, have assembled a Network Information Security focus group of technical experts, to produce recommendations on Network and Information Security standardisation.
Their draft final report notes that: “There are few security frameworks to guarantee multi-vendor systems will operate securely together. Also it is noted that there is a lack of appropriate certification in some areas. The result is fragmentation and uneven implementation in real networks, and insecurities remain despite some parts being very secure.” They recognise the “need for internationally recognised compatible certification standards against which an organisation's Information Security Management (ISM) system can be assessed” and recommend their speedy acceptance.
It seems the Commission's latest initiatives on combating cyber-criminals have been given a warm welcome by industry and its representatives, but it will be up to the Agency and the EU institutions to ensure that the agency has the resources and the firepower to fight what is a terrifying threat to a world that is becoming one big computer.
Contact Name : RATHMELL, Andrew (Dr)
Contact Organisation : RAND Europe
Address : Grafton House 64 Maids Causeway – CB5 8DD Cambridge – UNITED KINGDOM
Telephone Number : +44-1223-353329
Fax Number : +44-1223-358845
Electronic Mailbox : firstname.lastname@example.org