[ISN] Will the new EU cyber-security agency actually deliver?

From: InfoSec News (isnat_private)
Date: Wed Feb 26 2003 - 00:13:32 PST


    By Pablo Asbo

    The European Commission initiatives eEurope 2002 and eEurope 2005 aim 
    to extend the reach of the information society to the majority of 
    Europeans by 2005, especially with broadband connections easily 
    available to all. 

    However, one of the potential risks involved in being permanently 
    online is that cyber attacks are more likely to happen. Indeed, 
    European business faces huge financial losses every year through 
    unauthorised intrusions into its IT systems, and this also affects 
    consumers, who are still reluctant to embrace e-commerce widely, 
    fuelled by concerns about the security of payments. Authorities 
    worldwide have woken up to the dangers posed by serious network 
    failures, such as those caused by the computer worm "SQL Slammer" 
    earlier this year. Moreover, the threat of cyber attacks on key 
    installations such as electricity and water supply is something that 
    seems to be of special concern in the aftermath of the September 11 
    attacks. 

    In its June 2001 "Communication on network and information security 
    systems," the EC suggested a European Warning and Information System 
    (EWIS). The e-Europe Plan 2002 of June 2000 called for 
    "public-private cooperation on dependability of information structure 
    and improved co-operation among national computer emergency response 
    teams." And in the latest action plan relating to these issues, the 
    eEurope 2005 plan of May 2002, it was stated that one of its main aims 
    was to "stimulate secure services, applications and content based on a 
    widely based broadband infrastructure." 

    It is against this background that the European Commission has 
    proposed the creation of a "European Network and Information Security 
    Agency" as a tool to co-ordinate national efforts as well as the work 
    done by business and consumer associations. The agency's work will be 
    based on voluntary action, because, as Commissioner Liikanen said, 
    "This does not give us any power to impose cooperation". It is 
    expected that, realising it is in the best interest of all, industry 
    and national agencies will come forward with information so that an 
    effective response to cyber-attacks can be devised quickly. 

    In order to have a better understanding, we must first be clear about 
    what network and information security means. According to the 
    Commission, "it is about ensuring the ability of a network or an 
    information system to resist, with a given level of confidence, 
    accidental events or malicious actions that compromise the 
    availability, authenticity, integrity and confidentiality of data and 
    the related services offered by or accessible via these networks and 
    information systems."

    In this definition, some elements deserve to be highlighted. 
    Availability and integrity mean that in our "always-on" world, 
    services and data must be made permanently and completely available. 
    Otherwise, several of the commercial and national activities that 
    increasingly rely on networks or information systems could grind to a 
    halt. The authenticity and confidentiality elements relate to national 
    and international regulations on data protection. For instance, in the 
    presentation of the proposal, Commissioner Erkki Liikanen mentioned 
    identity theft as one of the most dangerous threats: the situation 
    where someone with access to an individual's private information sells 
    it to marketing companies or, even worse, uses his or her credit card. 

    During the consultation with member states, several requirements 
    stressed 'future work' as essential for the agency. Since we are 
    working in a fast-evolving sector, flexibility and efficiency are 
    pivotal. This is why it is proposed that new tasks can be added in 
    order to keep up with the pace of technological developments, and that 
    a review of the agency's work will take place every three years. In 
    addition, the advice provided by the Agency will not be limited to the 
    Commission, but will also be extended to the member states. 

    The raison d'être and the future activities of the Agency can be 
    boiled down to two words: coordination and interoperability. Nowadays, 
    the EU member states already operate crisis units, called Computer 
    Emergency Response Teams (CERTs), against threats posed by internet 
    hackers and computer viruses. But the system lacks central 
    coordination. Besides, the certification of products still remains 
    national, which leads to a lack of interoperability, thus harming the 
    development of pan-European standards and the functioning of the 
    internal market. 

    The agency will act as a centre to gather industry and national 
    government expertise, where broad cooperation among the different 
    stakeholders is a prerequisite for secure European networks and 
    information systems. It is proposed that the agency will provide 
    support to national awareness-raising campaigns and to the development 
    of harmonised security legal and technical processes and procedures. 
    Other important aspects include the harmonisation of security 
    standards, which will allow the needed interoperability among the 
    different national systems, and international cooperation between 
    similar agencies and relevant parties in third countries. 

    It is proposed that the agency will have an executive director, who 
    will have a high degree of independence and who will be responsible 
    for the preparation of the agency's work programme. Since the broadest 
    participation is encouraged, it is also proposed that representatives 
    of industry and consumers be included in the management board, along 
    with members appointed by the Council and the Commission. 

    As the Commission does, it must be stressed how important coordinated 
    action in IT security and the interoperability of IT systems within 
    the EU are, if we want to strengthen our capacity to cope with current 
    and future security threats and to secure the smooth functioning of 
    the internal market. 

    Indeed, several warnings were issued by experts last week at the 
    European Voice E-confidence and the Consumer conference held in 
    Brussels. The connection of company systems to the internet and 
    increasing technical complexity are making computer networks highly 
    vulnerable, said Olivier Paridaens, network security expert for 
    electronics firm Alcatel. He described a scenario of coordinated 
    terrorist attacks over electronic networks and power generation 
    plants. Another expert, Quentin Gallivan of VeriSign, said that a 
    lower level of awareness of network security exists in Europe than in 
    the US, with the exception of European multinational companies, which 
    are on the same footing as their American counterparts. In the same 
    vein, Microsoft's European President, Jean-Philippe Courtois, warned 
    of possible retaliatory attacks by terrorist groups against European 
    governments' and companies' IT systems, as fall-out from a war with 

    So, the question that arises is whether the proposed agency will be an 
    adequate response to IT security concerns. First of all, the structure 
    as an agency is, perhaps, the most that the Commission could have 
    done, given that sensitive issues for the Member States are touched 
    upon and that a flexible and adaptable scheme is needed to tackle IT 
    security effectively. However, experts have expressed some doubts in 
    this regard. For instance, John Russell, CEO of Weber Shandwick 
    Adamson, is sceptical as to whether this sort of public-private 
    partnership, where representatives from the EU institutions, member 
    states, industry and consumers are included, would work out, and 
    whether the financial provision for the running of the agency and the 
    number of staff will be enough. 

    The general rationale behind the agency has been characterised as a 
    "light approach," which includes the notions of benchmarking, 
    coordination and cooperation, for instance between industry players, 
    to harmonise standards. One of the fundamental issues in which the 
    agency may find itself struggling is interoperability. Indeed, Russell 
    has pointed out that this is likely to be a delicate issue for 
    industry and member states because it touches upon sensitive areas 
    such as intellectual property and national security concerns; 
    therefore pressure would need to be applied to ensure they build 
    interoperable systems. 

    Another aspect in which the agency's work can be really useful is data 
    privacy protection. Last week, for instance, several organisations and 
    consumers expressed their fears of a possible violation of EU privacy 
    laws through an agreement with the US government under which airline 
    passenger information will have to be provided in order to check 
    whether any person has a criminal record or links with terrorist 
    organisations. 

    However, whether the agency would improve data privacy protection 
    remains to be seen, some experts have warned. For instance, Russell 
    has warned that this can be a "double edge": when you have a highly 
    sophisticated system, a potential threat to consumers' data may arise. 
    Thus, it is important that the agency keeps its procedures and 
    recommendations as simple as possible. 

    Finding the right balance between the different interests at stake is 
    likely to be one of the main challenges for the EU in the coming years 
    in IT security issues. This is an area where sometimes extremely 
    divergent interests may arise between consumers, industry and member 
    states. However, what all interested parties must bear in mind is that 
    all would gain when more secure and trusted IT systems and processes 
    are built and, even if in the short term one may fear losing in one 
    aspect, at the end of the day all stakeholders will be better off. 

    The task for the agency itself would then be a huge one, since 
    co-ordination at EU level has sometimes proven to level the playing 
    field, in order to achieve harmonisation, to the detriment of those 
    member states that have more sophisticated and developed systems. This 
    is why the agency's work needs a fine-tuned approach in dealing with 
    these conflicting interests, if it wants to achieve its 

    Pablo Asbo is a lawyer and holds a Master in European Law (LLM) from 
    Maastricht University-University of Nottingham. He has been interested 
    in the interaction of new technologies and the law since his 
    professional beginnings. He has worked for the Organization of American 
    States, Casals & Associates and the U.S. Agency for International 
    Development in Washington, DC. He has also advised the Secretariat 
    General of MERCOSUR on IT issues. 

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 02:41:37 PST