Andrea GLORIOSOEuropean Commission

DG INFSO.A3Andrea.Glorioso@ec.europa.eu

Towards a modernised Network Towards a modernised Network and Information Security policy and Information Security policy

for the European Unionfor the European Union

The EU framework and its The EU framework and its relevance to the rest of the worldrelevance to the rest of the world

Network and Information Security (NIS)Network and Information Security (NIS) The EU Policy FrameworkThe EU Policy Framework

• 2004: Establishment of the European Network and Information Security Agency - ENISA

• 2006: European Commission Strategy for a Secure Information Society - COM(2006)251

• 2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]

• 2008: Extension of ENISA’s mandate and launch of a debate on increased NIS

• Mar 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP -

• Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security

• Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]

• Dec 2009: EESC Opinion on the Communication on CIIP • May 2010: Adoption of the European Digital Agenda

Network and Information Security (NIS)Network and Information Security (NIS) The EU Policy FrameworkThe EU Policy Framework

• 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP -

• Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security

• Dec 2009: EESC Opinion on the Communication on CIIP

• Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]

• Summer 2010: Commission’s proposal for a modernized NIS Policy in the

EU (tentative)

Part 1

Network and Information Security policy (NIS)

• COM(2001) 298 final - Network and Information Security: Proposal for A European Policy Approach

Network and information security is defined as “the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems”

Network and information security (NIS)Network and information security (NIS)

A comprehensive EU approach to NIS

International Co-operationOECD, G8, Council of Europe, UN, ITU, ...

FP7 - ICT and Security research; Competitiveness and Innovation Programme; …

• Electronic Signature• Data protection in elect.

com., • e-signature, e-ID and e-

authentication• NIS & CIIP• Culture of security• ENISA• digital right management,

biometrics, smart card, IPv6, open source software

• …

Economic, business and social aspects of

security in Information Society

Research and Technology Information and Communication Technologies

External security / defence

• Common Foreign and Security Policy

• Dual use technology research

• Crisis management• External security• …

• Stockholm Programme• Framework Decision on

attacks against information systems

• Lawful interception• G8 CIIP• Data retention• biometrics in visas and

residence permit• Cyber crime• EPCIP & Directive• …

Cyber-crime, Internal security

Three angles for actions on NIS Policy

PREVENT PROSECUTE

NETWORK &INFO SECURITY

CYBERCRIME &TERRORISM

PRIVACY ANDDATA PROTECTION

Intrusion Data retention

Hacking

ID theft

PROTECT

COM(2006) 251 - Towards a secure COM(2006) 251 - Towards a secure Information SocietyInformation Society

DIALOGUEstructured and

multi-stakeholder

Open & inclusivemulti-stakeholder

debate

EMPOWERMENTcommitment to responsibilities

of all actors involved

PARTNERSHIPgreater awareness &better understanding

of the challenges

• Strategy for a Secure Information Society COM(2006)251– holistic approach for a comprehensive EU-wide strategy across “pillars”,

related policy and regulatory initiatives– “voluntary” activities stakeholders via dialogue, partnership and

empowerment– reinforce ENISA’s role in implementing the policy– importance of “resilience” strategy for CIIP, i.e. the ability to deal with

unexpected events

• Council Resolution 2007/C 68/01 on a Strategy for a Secure Information Society in Europe of 22 March 2007

– Endorses the key elements of the strategy, including the focus on resilience and the key role of ENISA

• Other policy initiatives related to NIS– Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks

against information systems.– fighting against spam, spyware and malware [COM(2006)688]– promoting data protection by PET [COM(2007)228]– fighting against cyber crime [COM(2007)267]– new Safer Internet Programme [COM(2008) 106]– …

NIS Policy and related RegulationsNIS Policy and related Regulations

• European Network and Information Security Agency (ENISA)– Established in March 2004 for 5 years– Main objective: assist the Commission and the MS, and in

consequence cooperate with the business community, in order to help them to meet the requirements of NIS

– Key tasks: collect information, risk analysis; develop ‘common methodologies’; contribute to raising awareness; promote ‘best practices’ and ‘methods of alert’; enhance cooperation between stakeholders; assist Commission and MS in dialogue with industry; contribute to international cooperation

– Mid term evaluation in 2006 + public consultation in 2007 [COM(2007) 285]

– Extension for 3 years [EP and Council Regulation n. 1007/2008 of 24/09/2008] until 13/03/2012

ENISAENISA

NIS in the revised RegulatoryFramework for Telecoms

Security and integrity of networks andservices within the Framework Directive

• New chapter on security and integrity– Art 13 a, paragraph 1&2 - Providers have to:

• Take appropriate measures to ensure a level of security appropriate to the risks

• Prevent/minimise impact of security incidents on users and interconnected networks

• Ensure the continuity of supply of services– Art 13 a, paragraph 3

• Providers to notify security breaches with significant impact on operations

• Competent national regulatory authority to inform other EU authorities, ENISA and the public when appropriate

• Auth to submit a yearly report to Commission and ENISA– Art 13a, paragraph 4

• The Commission, taking the utmost account of the opinion of ENISA, may adopt appropriate technical implementing measures with a view to harmonising § 1, 2 and 3

– Art 13b - Implementation and enforcement • Enhanced power of competent national regulatory authority

NIS in the revised RegulatoryFramework for Telecoms

Amendment to the ePrivacy Directive

• New provision on personal data breach notification– Providers have to notify the breach affecting

personal data to:• Competent national authority• Subscriber or individual when appropriate

NIS in the revised RegulatoryFramework for Telecoms

Motivations & Timeline

•Motivations– Reliable and secure e-communication is increasingly

central to the economy and society (recital 44 of FWD)– The new security chapter will stimulate the dialogue

between governments and private sector players + give visibility to network security and integrity

– Breach notification: Getting comprehensive, reliable, up-to-date and comparable data on security incidents is key:

• To develop a clear understanding of the challenges at stake• To feed into effective business decision and policy making• To assess the level of security and the success of previously

implemented regulatory, organisational and technical measures

•Role of ENISA– To contribute to the harmonisation of appropriate

technical and organisational measures (recital 46 FWD)

• Timeline: Transposition by 25 May 2011

Part 2

Critical Information Infrastructure Protection (CIIP)

What is at stake with CIIsWhat is at stake with CIIs

• The World Economic Forum estimated in 2008 that there is a 10 to 20% probability of a major CII breakdown in the next 10 years, with a potential global economic cost of approximately $250 billion

• The US Business Roundtable in 2007 suggested that the economic costs of a month-long Internet disruption to the United States alone could be more than $200 billion.

• According to OECD report on “Malicious software”, the estimated annual loss to United States businesses caused by malware is USD 67.2 billion

• The macroeconomic costs of a major disruption to Switzerland, having an annual GDP of CHF 482 billion (EUR 317 billion) are estimated at CHF 6 billion (EUR 3.9 billion), i.e. 1.2% of GDP

Communication on CIIP - Communication on CIIP - COM(2009)149COM(2009)149 Objectives and scopeObjectives and scope

• High level objectives– Protect Europe from large scale cyber attacks and

disruptions – Promote security and resilience culture (first line of defense)

& strategy– Tackle cyber attacks & disruptions from a systemic

perspective

• Means– Enhance the CIIP preparedness and response capability in EU– Promote the adoption of adequate and consistent levels of

preventive, detection, emergency and recovery measures– Foster International cooperation, in particular on Internet

stability and resilience

• Approach – Build on national and private sector initiatives– Engage public and private sectors– Adopt an all-hazards approach– Be multilateral, open and all inclusive

Communication on CIIP Communication on CIIP COM(2009)149COM(2009)149 Specific objectivesSpecific objectives

The 5 specific objectives to be achieved:1. Foster cooperation and exchange of good

policy practices between MS 2. Develop a public-private partnership at

the European level on security and resilience of CIIs

3. Enhance incident response capability in the EU

4. Promote the organisation of national and European exercises on simulated large-scale network security incidents.

5. Reinforce international cooperation on global issues, in particular on resilience and stability of Internet

Communication on CIIP Communication on CIIP “Protecting Europe from large scale cyber-attacks “Protecting Europe from large scale cyber-attacks

and disruptions: enhancing preparedness, security and disruptions: enhancing preparedness, security and resilience” - and resilience” - COM(2009)149COM(2009)149

The five pillars of the CIIP Action Plan:

1. Preparedness and prevention

2. Detection and response

3. Mitigation and recovery

4. International Cooperation

5. Criteria for European CriticalInfrastructures in the ICT sector

CIIP Policy - CIIP Policy - COM(2009)149COM(2009)149 The Five Pillars of the CIIP Action PlanThe Five Pillars of the CIIP Action Plan

1. Preparedness and prevention– European Forum for MS to share information & policy practices - EFMS– European Public Private Partnership for Resilience EP3R– Baseline of capabilities and services for National/Governmental CERTs

2. Detection and response– Development of a European Information Sharing and Alert System –

EISAS dedicated to EU citizens and SMEs

3. Mitigation and recovery– National contingency planning and exercises– Pan-European exercises on large-scale network security incidents– Reinforced cooperation between National/Governmental CERTs

4. International Cooperation– Define European priorities, principles and guidelines for the long term

resilience and stability of the Internet– Promote the principles and guidelines at global level– Global cooperation on exercises on large-scale Internet incidents

5. Definition of criteria for the identification of European Critical Infrastructures in the ICT sector

The CIIP Action PlanThe CIIP Action Plan 1. Preparedness and prevention1. Preparedness and prevention

• Baseline of capabilities and services for pan-European cooperation between National/Governmental CERTs

Target: End of 2010 for agreeing on minimum standardsEnd of 2011 for well functioning National/Gov CERTs in all Member States

• European Public Private Partnership for Resilience (EP3R)

Target: End of 2009 for a roadmap and plan for EP3RMid of 2010 for establishing EP3REnd of 2010 for the first results

• European Forum for information sharing between Member

StatesTarget: End of 2009 for launching the Forum

End of 2010 for delivering the first results

With the support of ENISA and buildingupon its activities

The CIIP Action PlanThe CIIP Action Plan 3. Mitigation and recovery3. Mitigation and recovery

• National contingency planning and exercises– National/Governmental CERTs/CSIRTs to take the lead in

national contingency planning exercises and testingTarget: End of 2010 for running a national exercise in every MS

• Pan-European exercises on large-scale network security incidents– EC provides financial support in 2010

Target: End of 2010 for first pan-European exerciseEnd of 2010 for EU participation in international exercises

• Reinforced cooperation between National/Governmental CERTs– Support pan European cooperation also by expanding

existing cooperation schemes (like EGC)Target: End of 2010 for doubling the number of national bodies participating in EGC;

End of 2010 for ENISA to develop reference materials

The CIIP Action PlanThe CIIP Action Plan 4. International Cooperation (1/2)4. International Cooperation (1/2)

• Internet resilience and stability– Define European priorities on long term Internet

resilience and stabilityTarget: End of 2010 for EU priorities

– Define principles and guidelines for Internet resilience and stability at the European levelTarget: End of 2009 for a roadmap towards the principles & guidelinesTarget: End of 2010 for agreeing on first drafts(“focusing inter alia on regional remedial actions, mutual assistance agreements, coordinated recovery and continuity strategies, geographical distribution of critical Internet resources, technological safeguards in the architecture and protocols of the Internet, replication and diversity of services and data”)

– Promote the principles and guidelines for Internet resilience and stability at global levelTarget: Beginning of 2010 for a roadmap for international cooperation Target: End of 2010 for first drafts of international principles & guidelines(“strategic cooperation with third countries will be developed, notably in Information Society dialogues, as a vehicle to build global consensus”)

The CIIP Action PlanThe CIIP Action Plan 4. International Cooperation (2/2)4. International Cooperation (2/2)

• Global cooperation on exercises on large-scale Internet incidents

Practical way to extend at the global level National and pan- European exercises and to build upon regional contingency plans and capabilities

Target: End of 2010 to propose a framework and a roadmap

The CIIP Action PlanThe CIIP Action Plan The role of ENISAThe role of ENISA

• ENISA is called to

– Support the process of defining and agreeing on a baseline of capabilities and services for national/Governmental CERTs in support to pan-European cooperation

– Take stock of the results of the projects aiming the prototyping of EISAS and other national initiatives and produce a roadmap to further progress in the development and deployment of EISAS

– Support the exchange of good practices between Member States on national contingency planning and exercises

– Stimulate and support pan-European cooperation between National/Governmental CERTs and develop reference materials

Ministerial Conference on CIIPMinisterial Conference on CIIP27-28 April 2009, Tallinn, Estonia27-28 April 2009, Tallinn, Estonia

Presidency conclusions Presidency conclusions

• “There is an urgent need for Member States and all stakeholders to commit themselves to swift action in order to enhance the level of preparedness, security and resilience of Critical Information Infrastructures throughout the European Union”

• “The Communication by the European Commission on Critical Information Infrastructure Protection furnishes a solid basis for taking such urgent action as is necessary”

• See the Presidency Conclusions of the Ministerial Conference on CIIP Tallinn (EE), 27-28 April 2009 at: http://www.tallinnciip.eu/doc/EU_Presidency_Conclusions_Tallinn_CIIP_Conference.pdf

Council Resolution of 18 December 2009 Council Resolution of 18 December 2009 on a collaborative European approach to NISon a collaborative European approach to NIS

• The Council resolution invites Member States to:– Organise national exercises and participate to European exercises– Create CERTs and reinforce cooperation between national CERTs– Increase efforts on education, training and research programmes– Jointly react to cross-border incidents

• The Council resolution invites the European Commission to:– Initiate an awareness raising campaign with ENISA regarding the

importance of appropriate risk management– Identify incentives for providers of electronic communications– Encourage and improve multi-stakeholder models– Come forward with a holistic strategy on NIS including proposals for a

reinforced and flexible mandate for ENISA– Analyse in which areas further cooperation between CERTs is called for

• The Council resolution calls on ENISA to:– Support the implementation of NIS policies + CIIP Action Plan– Develop a framework of statistical data on the state of NIS

in Europe

EU policies on NIS and CIIP EU policies on NIS and CIIP Next stepNext step

• NIS has never been so high on the EU political agenda President Barroso “Political guidelines for the next Commission”, 3 September 2009:

• “The next Commission will develop a European Digital Agenda [] to tackle the main obstacles to a genuine digital single market, promote investment in high-speed Internet and avert an unacceptable digital divide. Because of the increasing dependence of our economies and societies on the Internet, a major initiative to boost network security will also be proposed.”

19 May 2010: Adoption of the European Digital Agenda

On going: Implementation of the CIIP Action Plan

Summer 2010 (tentative): EC proposals for the future of Network and Information Security in Europe

A Digital Agenda for Europe – A Digital Agenda for Europe – COM(2010)245COM(2010)245

The Seven Priority areas for action (1/3)The Seven Priority areas for action (1/3)

1. Creating a Digital Single Market2. Improving the framework conditions for

interoperability between ICT products and services

3. Boosting internet trust and security4. Guaranteeing the provision of much faster

internet access5. Encouraging investment in research and

development6. Enhancing digital literacy, skills and

inclusion7. Applying ICT to address social challenges

such as climate change, rising healthcare costs and the ageing population.

A Digital Agenda for Europe – A Digital Agenda for Europe – COM(2010)245COM(2010)245

Trust and securityTrust and security

Key actions:

“The Commission will present in 2010 measures aiming at a reinforced and high level Network and Information Security Policy, including legislative initiatives such as a modernised European Network and Information Security Agency (ENISA), and measures allowing faster reactions in the event of cyber attacks, including a CERT for the EU institutions;”

A Digital Agenda for Europe – A Digital Agenda for Europe – COM(2010)245COM(2010)245

Trust and securityTrust and security

Key actions:

“The Commission will present measures, including legislative initiatives, to combat cyber attacks against information systems by 2010, and related rules on jurisdiction in cyberspace at European and international levels by 2013;”

A Digital Agenda for Europe – A Digital Agenda for Europe – COM(2010)245COM(2010)245

Trust and securityTrust and security

Other actions:

• Establish a European cybercrime platform by 2012;

• Examine the feasibility by 2011 to create a European cybercrime centre;

• Work with global stakeholders notably to strengthen global risk management in the digital and in the physical sphere and conduct internationally coordinated targeted actions against computer-based crime and security attacks;

• Support EU-wide cyber-security preparedness exercises, from 2010;

A Digital Agenda for Europe – A Digital Agenda for Europe – COM(2010)245COM(2010)245

Trust and securityTrust and security

Other actions:

• As part of the modernisation of the EU personal data protection regulatory framework25 to make it more coherent and legally certain, explore the extension of security breach notification provisions;

• Give guidance by 2011 for the implementation of new Telecoms Framework with regard to the protection of individuals' privacy and personal data;

• Support reporting points for illegal content online and awareness campaigns on online safety for children run at national level and enhance pan-European cooperation and sharing of best practice in this field;

• Foster multi-stakeholder dialogue and self-regulation of European and global service providers, especially as regards use of their services by minors.

A Digital Agenda for Europe – A Digital Agenda for Europe – COM(2010)245COM(2010)245

Trust and securityTrust and security

Member States should:

• Establish by 2012 a well-functioning network of CERTs at national level covering all of Europe;

• In cooperation with the Commission carry out large scale attack simulation and test mitigation strategies as of 2010;

• Fully implement hotlines for reporting offensive or harmful online content, organise awareness raising campaigns on online safety for children, and offer teaching online safety in schools, and encourage providers of online services to implement self-regulatory measures regarding online safety for children by 2013;

• Set up or adapt national alert platforms to the Europol cybercrime platform, by 2012, starting in 2010.

Policies on NIS and CIIP Policies on NIS and CIIP US-EU cooperationUS-EU cooperation

•US-EU Summit declaration of 03/11/2009– US-EU agreed «to strengthen our cybersecurity dialogue to identify and prioritize areas where we can work together to help build a reliable, resilient, trustworthy digital infrastructure for the future»

•Recent contacts with– White House, DHS, DoS, DoC, and FCC

•EU Priority areas for cooperation– Common principles and approaches in the area of NIS & CIIP Policy

– Global awareness raising initiatives– More effective dialogue and cooperation on NIS on the global scale

– Global principles and guidelines for the resilience and stability of the Internet

– International cooperation on exercises to test thecapability to respond to large scale Internet incidents

The CIIP Action plan The CIIP Action plan State of Play of the ImplementationState of Play of the Implementation

31 March 2009 1st thematic workshop on EU policy dimension of vulnerability management and disclosure process (report on the web)

16 June 2009 1st EFMS meeting

17 June 2009 1st EP3R workshop (report on the web)

June – Sept 2009 Informal consultation with MS on EU principles for Internet resilience & stability

Sept – Oct 2009 Informal consultation with trade associations and individual companies on EP3R (e.g.

DigitalEurope, ETNO, ETIS, Euro-IX, GSMA, EOS, BSA, Internet Security Alliance, and TechAmerica)

12-13 Nov 2009 Follow-up Workshops on EFMS and EP3R

30 March 2010 Third EFMS meeting

29-30 June 2010 EFMS & EP3R meeting

On-going Studies & projectsENISA activities in support to the Commission NIS/CIIP policy and CIIP Action Plan

EU Policy on NIS and CIIPEU Policy on NIS and CIIP

Thanks!

Web SitesWeb Sites

• EU policy on promoting a secure Information Society http://ec.europa.eu/information_society/policy/nis/index_en.htm

• EU policy on Critical Information Infrastructure Protection – CIIP http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm

• Presidency Conclusions of the Ministerial Conference on CIIP Tallinn (EE), 27-28 April 2009 http://www.tallinnciip.eu/doc/EU_Presidency_Conclusions_Tallinn_CIIP_Conference.pdf

• Council Resolution on a collaborative European approach to Network and Information securityhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF

• Report on the public consultation “Towards a Strengthened Network and Information Security Policy in Europe” http://ec.europa.eu/information_society/policy/nis/nis_public_consultation/index_en.htm

• The reformed Telecom Regulatory Framework - November 2009 http://ec.europa.eu/information_society/policy/ecomm/tomorrow/index_en.htm

Links to EU Policy Document Links to EU Policy Document

• Communication of the European Commission on a Strategy for a Secure Information Society [COM(2006)251] of 31.5.2006 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0251:FIN:EN:PDF

• Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01] of 22.03.2007http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF

• Communication of the European Commission on Critical Information Infrastructure Protection - "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience " [COM(2009)149] of 30.3.2009http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF

• Council Resolution on a collaborative European approach to Network and Information security [2009/C 321/01] of 18.12.2009http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF