http://www.europemedia.net/showfeature.asp?ArticleID=15110 By Pablo Asbo 25/02/2003 The European Commission initiatives eEurope 2002 and eEurope 2005 aim to extend the reach of the information society to the majority of Europeans by 2005, especially by making broadband connections easily available to all. However, one of the potential risks involved in being permanently online is that cyber attacks are more likely to happen. Indeed, European business faces huge financial losses every year through unauthorised intrusions into its IT systems, and this also affects consumers, who are still reluctant to embrace e-commerce widely, fuelled by concerns about the security of payments. Authorities worldwide have woken up to the dangers posed by serious network failures, such as those caused by the computer worm "SQL Slammer" earlier this year. Moreover, the threat of cyber attacks on key installations such as electricity and water supply is of particular concern in the aftermath of the September 11 attacks. In its June 2001 "Communication on network and information security systems," the EC suggested a European Warning and Information System (EWIS). The eEurope 2002 plan of June 2000 called for "public-private cooperation on dependability of information structure and improved co-operation among national computer emergency response teams." And in the latest action plan relating to these issues, the eEurope 2005 plan of May 2002, it was stated that one of its main aims was to "stimulate secure services, applications and content based on a widely based broadband infrastructure." It is against this background that the European Commission has proposed the creation of a "European Network and Information Security Agency" as a tool to co-ordinate national efforts as well as the work done by business and consumer associations. 
The agency's work will depend on voluntary action, because, as Commissioner Liikanen said, "This does not give us any power to impose cooperation". It is expected that, once they realise it is in the best interest of all, industries and national agencies will come forward with information so that an effective response to cyber-attacks can be devised quickly. In order to have a better understanding, we must first know what network and information security means. According to the Commission, "it is about ensuring the ability of a network or an information system to resist, with a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of data and the related services offered by or accessible via these networks and information systems." Some elements of this definition deserve to be highlighted. Regarding availability and integrity, it means that in our "always-on" world, services and data must be permanently and completely available. Otherwise, many of the commercial and national activities that increasingly rely on networks or information systems can grind to a halt. The authenticity and confidentiality elements relate to national and international regulations on data protection. For instance, in the presentation of the proposal, Commissioner Erkki Liikanen mentioned identity theft as one of the most dangerous threats. This is the situation where someone with access to an individual's private information sells it to marketing companies or, even worse, uses his or her credit card. During the consultation with member states, several requirements stressed 'future work' as essential for the agency. Since we are working in a fast-evolving sector, flexibility and efficiency are pivotal. 
This is why it is proposed that new tasks can be added in order to keep up with the pace of technological developments, and that a review of the agency's work will take place every three years. In addition, the advice provided by the Agency will not be limited to the Commission, but will also be extended to the member states. The raison d'etre and the future activities of the Agency can be boiled down to two words: coordination and interoperability. Nowadays, the EU member states already operate crisis units, called Computer Emergency Response Teams (CERTs), against threats posed by internet hackers and computer viruses. But the system lacks central coordination. Besides, the certification of products still remains national, which leads to a lack of interoperability, thus harming the development of pan-European standards and the functioning of the internal market. The agency will act as a centre to gather industry and national government expertise, where broad cooperation among the different stakeholders is a prerequisite for secure European networks and information systems. It is proposed that the agency will provide support to national awareness-raising campaigns and to the development of harmonised security legal and technical processes and procedures. Other important aspects include the harmonisation of security standards, which will allow the needed interoperability among the different national systems, and international cooperation with similar agencies and relevant parties in third countries. It is proposed that the agency will have an executive director, who will have a high degree of independence and who will be responsible for the preparation of the agency's work programme. Since the broadest participation is encouraged, it is also proposed that representatives from industry and consumers be included in the management board, along with members appointed by the Council and the Commission. 
As the Commission does, it must be stressed how important coordinated action in IT security and the interoperability of IT systems within the EU are, if we want to strengthen our capacity to cope with current and future security threats and to secure the smooth functioning of the internal market. Indeed, several warnings were issued by experts last week at the European Voice E-confidence and the Consumer conference held in Brussels. The connection of company systems to the internet and increasing technical complexity are making computer networks highly vulnerable, said Olivier Paridaens, network security expert for electronics firm Alcatel. He described a scenario of coordinated terrorist attacks on electronic networks and power generation plants. Another expert, Mr. Quentin Gallivan from VeriSign, said that a lower level of awareness of network security exists in Europe than in the US, with the exception of European multinational companies, which are on the same footing as their American counterparts. In the same vein, Microsoft's European President, Jean-Philippe Courtois, warned of possible retaliatory attacks by terrorist groups against the IT systems of European governments and companies, as fall-out from a war with Iraq. So, the question that arises is whether the proposed agency will be an adequate response to IT security concerns. First of all, the structure as an agency is, perhaps, the most that the Commission could have done, given that sensitive issues for the Member States are touched upon and that a flexible and adaptable scheme is needed to tackle IT security effectively. However, experts have expressed some doubts in this regard. 
For instance, John Russell, CEO of Weber Shandwick Adamson, is skeptical as to whether this sort of public-private partnership, in which representatives from the EU institutions, member states, industry and consumers are included, would work out, and as to whether the financial provision for the running of the agency and the number of staff will be enough. The general rationale behind the agency has been characterised as a "light approach," which includes the notions of benchmarking, coordination and cooperation, for instance with industry to harmonise its standards. One of the fundamental issues in which the agency may find itself struggling is interoperability. Indeed, Russell has pointed out that this is likely to be a delicate issue for industry and member states because it touches upon sensitive areas such as intellectual property and national security concerns; pressure would therefore need to be applied to ensure they build interoperable systems. Another area in which the agency's work can be really useful is data privacy protection. Last week, for instance, several organisations and consumers expressed their fears of possible violations of EU privacy laws through an agreement with the US government under which airline passenger information will have to be provided in order to check whether any person has a criminal record or links with terrorist organizations. However, whether the agency would improve data privacy protection remains to be seen, some experts have warned. For instance, Russell has warned that this can be a "double edge", as when you have a highly sophisticated system, a potential threat to consumers over their data may arise. Thus, it is important that the agency keeps its procedures and recommendations as simple as possible. Finding the right balance between the different interests at stake is likely to be one of the main challenges for the EU in IT security issues in the coming years. 
This is an area where sometimes extremely divergent interests may arise between consumers, industry and member states. However, what all interested parties must bear in mind is that all would gain when more secure and trusted IT systems and processes are built and, even if in the short term one may fear losing in one aspect, at the end of the day all stakeholders will be better off. The task for the agency itself would then be a huge one, since co-ordination at EU level has sometimes proven to level the playing field to the detriment of those member states that have more sophisticated and developed systems, in order to achieve harmonisation. This is why the agency's work needs a fine-tuned approach in dealing with these conflicting interests, if it wants to achieve its aims. -=- Pablo Asbo is a lawyer and Master in European Law (LLM) from Maastricht University-University of Nottingham. He has been interested in the interaction of new technologies and the law since his professional beginnings. He has worked for the Organization of American States, Casals & Associates and the U.S. Agency for International Development in Washington, DC. He has also advised the Secretariat General of MERCOSUR on IT issues.