Achievements and next steps: towards global cyber-security


EU policy on Network and Information Security (NIS) and Critical Information Infrastructure Protection (CIIP)

15 March 2012

Valérie ANDRIANAVALY

European Commission

Directorate General Information Society and Media - DG INFSO

Unit A3 – Internet Governance; Network and Information Security

valerie.andrianavaly@ec.europa.eu

Main EU policy initiatives in the NIS & CIIP areas

2004: Establishment of ENISA - Regulation (EC) No 460/2004

2006: Commission's proposal - Strategy for a Secure Information Society - Dialogue, partnership, empowerment

2009: Commission's proposal - Action Plan on Critical Information Infrastructure Protection

2009: Adoption of the revised Regulatory Framework for electronic communications – new security provisions including security breach notifications (Art. 13a and 13b)

2010: Trust and Security chapter of the Digital Agenda for Europe

2010: Commission's proposal to modernise ENISA

2011: Second Commission Communication on CIIP - 'Achievements and next steps: towards global cyber-security'

Q3/2012: Commission's proposal – European Strategy for Internet Security

Main EU policy initiatives in the NIS & CIIP areas

Strategy for a Secure Information Society COM(2006)251

- "Voluntary" approach based on dialogue, partnership and empowerment
- Comprehensive set of actions – risk management culture
- Promote openness, diversity, interoperability, usability and competition as inherent security safeguards
- Reinforce ENISA's role in implementing the NIS policy
- Importance of "resilience" of electronic communications

Action Plan on Critical Information Infrastructure Protection COM(2009)149

- Protect Europe from large scale cyber attacks and disruptions
- Promote security and resilience as first line of defense
- Enhance the CIIP preparedness and response capability in the EU
- Foster the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures
- Foster international cooperation, in particular on Internet stability and resilience

CIIP Action Plan – Specific Objectives

Five specific objectives to be achieved:

1. Foster cooperation and exchange of good policy practices between MS (EFMS)
2. Develop a public-private partnership at the European level on security and resilience of CIIs (EP3R)
3. Enhance incident response capability in the EU
4. Promote national and European cyber contingency plans and exercises on simulated large-scale network security incidents
5. Reinforce international cooperation on global issues, in particular on resilience and stability of the Internet

CIIP Action Plan – Five pillars

Preparedness and prevention
- European Forum for MS to share information & policy practices - EFMS
- European Public Private Partnership for Resilience - EP3R
- Baseline of capabilities and services for National/Governmental CERTs

Detection and response
- Development of a European Information Sharing and Alert System – EISAS dedicated to EU citizens and SMEs

Mitigation and recovery
- Reinforced cooperation between National/Governmental CERTs
- National contingency planning and exercises
- Pan-European exercises on large-scale network security incidents

International Cooperation
- Define European priorities, principles and guidelines for the long term resilience and stability of the Internet
- Promote the principles and guidelines at global level
- Global cooperation on exercises on large-scale Internet incidents

Criteria for European Critical Infrastructures in the ICT sector
- Definition of criteria for the identification of European Critical Infrastructures in the ICT sector

CIIP COM(2011)163 "Achievements and next steps: towards global cybersecurity"

Adopted on 31 March 2011

- Takes stock of results achieved since the 2009 CIIP action plan
- Builds on existing policy initiatives, in particular the Digital Agenda for Europe, the Stockholm Action Plan and the Internal Security Strategy
- Highlights next steps at European and international level

CIIP COM(2011)163 "Achievements and next steps: towards global cybersecurity" – Areas of achievements

- European Forum for Member States (EFMS)
- European Public-Private Partnership for Resilience (EP3R)
- Baseline of capabilities and services for pan-European cooperation of national/governmental CERTs
- European Information Sharing and Alert System (EISAS)
- National contingency planning and exercises
- Pan-European exercise on large-scale network security incidents
- Principles and guidelines on Internet resilience and stability
- Sector specific criteria for identifying European Critical Infrastructures in the ICT sector

CIIP COM(2011)163 "Achievements and next steps: towards global cybersecurity" – The way forward 1/2

Very positive results achieved so far in CIIP within the EU.

Further efforts are needed, and the EC calls upon MS to commit to:
- Enhance EU preparedness by establishing a network of well-functioning National/Governmental CERTs by 2012;
- A European cyber-incident contingency plan and regular National and pan-European cyber exercises by 2012;
- European coordinated efforts in international fora and discussions on enhancing Internet security and resilience.

CIIP COM(2011)163 "Achievements and next steps: towards global cybersecurity" – The way forward 2/2

Global coordination is important and necessary. The Commission will:
- Promote principles for Internet resilience and stability* developed within the EFMS;
- Build strategic international partnerships (e.g. EU-US Working Group on Cyber-security and Cyber-crime) and pursue coordination in international fora;
- Develop trust in the cloud.

* http://ec.europa.eu/information_society/policy/nis/docs/principles_ciip/guidelines_internet_fin.pdf

7th EU Research Framework Programme (2007-2013)

FP7 Cooperation Programme: 32,413 M€, split across 10 themes (M€; share):
ICT: 9050 (28%); Health: 6100 (19%); Transport: 4160 (13%); NMT: 3475 (11%); Energy: 2350 (7%); Food, …: 1935 (6%); Environment: 1890 (6%); Space: 1430 (4%); Security: 1400 (4%); Socio-economics: 623 (2%)

ICT Security & Trust – FP7 INFSO Challenge 1.4 "Pervasive and Trustworthy ICT"

[Chart of call budgets; figures as printed: Call 7 70 M€, Call 8 80 M€; Call 8 70 M€, Call 7 20 M€, Call 8 25 M€; Call 7 30 M€, Call FI 90 M€, Call 8 160 M€]

Call dates: Call FI 20/07/10 – 02/12/10; Call 7 28/09/10 – 18/01/11; Call 8 26/07/11 – 17/01/12

ICT - Trust and Security: 58 projects of FP7 Call 1 and Call 5, 200 M€ in total

Areas:
- Network infrastructures
- Identity management, privacy, trust
- Services infrastructures
- Critical Infrastructure Protection
- Enabling technologies: biometrics, trusted computing, cryptography, secure SW
- Networking, Coordination and Support: research roadmaps, metrics and benchmarks, international cooperation, coordination activities

[Chart of projects and budget per area; figures as printed: 4 + 7 projects, 40 M€; 8 + 5 projects, 60 M€; 4 + 7 projects, 48 M€; 9 projects, 20 M€; 4 + 4 projects, 27 M€; 4 + 2 projects, 5 M€]

BIC: Building International Co-operation for Trustworthy ICT

- Identify global trust and security challenges of mutual interest and benefit
- Facilitate collaboration fora
  - funding calls/EU mechanisms info.
  - people/partner linkages
  - funding organization linkages
  - guidance on developing sustained longer-term global collaborations
- Prioritisation of the visions and research directions amongst the countries, moving towards alignment of work programmes.

DG INFSO Unit F5 Coordination Action, Jan 2011 - Dec. 2013

http://www.bic-trust.eu/

For more information, please contact Jim Clarke <jclarke@tssg.org>

Competitiveness and Innovation Framework Programme

Competitiveness and Innovation Framework Programme - ICT Policy Support Programme (CIP-ICT PSP) 2012 Annual Work Programme:

− Pilot B (8 M€) to establish a European-wide pilot platform for detecting, measuring, analysing, mitigating and eliminating botnets
− Accompanied by Thematic Network (1 M€)
− Call 6 open from 03 February until 15 May 2012
− Information day on 17.02.2012 (presentations and attendance list available at the CORDIS web page http://cordis.europa.eu/fp7/ict/security/cip-callinfoday-content_en.html)

Commission Work Programme 2012 announced a European Strategy for Internet Security to be adopted by the Commission in Q3 2012

Outline

1. Policy Document
   - Context – EU activities and achievements to date and the need for EU action
   - Objectives of the ESIS and EU core values and principles
   - Strategic priorities and actions
   - Governance framework and monitoring of the implementation of the strategy

2. Legal instrument

European Strategy for Internet Security

Strategic objective:
"To ensure a safe, secure and resilient digital environment to all EU citizens, businesses and public authorities"

Specific objectives:
- Foster close co-operation and early warning between MS' competent authorities, and between competent authorities and the private sector, by ensuring adequate capacities for prevention, detection, mitigation and response at national and EU level
- Stimulate efforts to improve security in products, networks and services
- Ensure a strong EU response to cybercrime
- Stimulate R&D investments and strengthen the competitiveness of the EU's security industry
- Foster global responses and reinforce cooperation with international partners

Elements of the future European Strategy for Internet Security (1/4)

Preliminary ideas for legal measures aiming at ensuring the establishment of:
- An effective network of National competent bodies and Governmental CERTs at EU level (with the necessary protection of confidentiality)
- Well-functioning National/Governmental CERT capabilities
- A "European Forum for Regulators" (towards a model for pan-EU cooperation mechanisms, similar to what is in place in other sectors)
- A European cyber-incident contingency plan
- General security breach notification obligation (extending Article 13a FD beyond Telcos/ISPs):
  − Adoption of a risk management framework (identification of risks)
  − Adoption of relevant security measures
  − Supervision by competent bodies (including via audit)
  − Notification mechanisms to competent bodies (possibly via CERT function) ensuring confidentiality
  − Mandatory security audits and authorisation mechanisms where this is already required by applicable law (e.g. banking, energy…)

Elements of the future European Strategy for Internet Security (2/4)

Preliminary ideas for further measures to improve security in networks and services:
- Incentives for the private sector to improve security in products and services, e.g. through IT security standards in public procurement
- Incentives through the public procurement process (via guidelines and standards)
- Stimulating a public-private partnership to reduce the spread of malware
- Promotion of transparency and competitiveness in the internal market (benchmarks, trusted data on incidents and vulnerabilities, information to users, compliance with standards, certification and self-certification to develop a reassurance market)
- Security of supply chain

Awareness raising measures and activities:
- Mobilisation of Member States and stakeholders towards an EU-wide campaign (for instance, a month for Network and Information Security for all)
- National/European Cyber-security Competitions to foster development of skills
- International synchronisation and coordination of awareness raising messages and campaigns (US and Japan)
- Reinforced role of ENISA in promoting standards, good practices and a risk management culture

Elements of the future European Strategy for Internet Security (3/4)

Preliminary ideas for further measures to improve security in networks and services:
- Putting in place a research and innovation and a robust industrial policy
- Making the best use of, and adopting, state-of-the-art technologies & processes:
  - Promote take up
  - Stimulate private and public demand (security to be an integral part of the provision of e-services, mandatory for eGov, pre-commercial procurement)
  - Develop standards
  - Improve usability
- Reinforcing and coordinating R&D for present and future security challenges:
  - H2020 LEIT = 450 M€ for R&D => make the technologies available
  - H2020 IIS = 700 M€ for Innovation => put technology to work
  - Underpin the technical feasibility of the cyber security policy and associated actions
  - Create partnerships in cyber-security

Elements of the future European Strategy for Internet Security (4/4)

Preliminary ideas for further measures to improve security in networks and services:
- Appropriate measures in the area of cybercrime (in cooperation with DG HOME)
- Putting the EU in the lead of international discussions on Internet security matters
  - Promotion and engagement in multilateral cooperation
  - Leveraging EU-US activities towards broader international participation
  - Fighting Botnets
  - Cyber-security of Industrial Control Systems and Smart grids
- Promotion of EU interests in global Internet security
  - Multi-stakeholder governance
  - Market access
  - European principles and guidelines for Internet resilience and stability
  - COMPACT for the Internet

European Strategy for Internet Security – Consultation process

Exchange of views held so far:
- Within INFSO and Commission-wide (ISG on Cybercrime and cyber-security, discussions on specific issues with relevant services)
- Within EP (Roundtable on 30.11.2011; ITRE draft report on Critical Information Infrastructure Protection)
- With MS via EFMS (on 7.12.2011) – input received from 10 MSs
- With private sector via EP3R (on 16.02.2012)
- Informal discussions with MS and private stakeholders

General support for an EU framework and mechanisms to further enhance cooperation and coordination

Thanks!

Web Sites

- EU policy on Critical Information Infrastructure Protection – CIIP: http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
- A Digital Agenda for Europe: http://ec.europa.eu/information_society/digitalagenda/index_en.htm
- EU policy on promoting a secure Information Society: http://ec.europa.eu/information_society/policy/nis/index_en.htm
- European principles and guidelines for Internet resilience and stability: http://ec.europa.eu/information_society/policy/nis/docs/principles_ciip/guidelines_internet_fin.pdf

Links to policy documents

- Council conclusions on Critical Information Infrastructure Protection: http://register.consilium.europa.eu/pdf/en/11/st10/st10299.en11.pdf
- Commission Communication on Critical Information Infrastructure Protection – "Achievements and next steps: towards global cyber-security" - COM(2011) 163: http://ec.europa.eu/information_society/policy/nis/docs/comm_2011/comm_163_en.pdf
- Digital Agenda for Europe - COM(2010)245 of 19 May 2010: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF
- The EU Internal Security Strategy in Action: Five steps towards a more secure Europe - COM(2010)673: http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf
- Commission Communication on Critical Information Infrastructure Protection – "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" - COM(2009)149: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF

For more information on Research Projects

- FP7: http://cordis.europa.eu/fp7/ and http://cordis.europa.eu/fp7/ict/
- Trust & Security: http://cordis.europa.eu/fp7/ict/security/
- Future Internet: http://ec.europa.eu/foi and http://www.future-internet.eu/

E-mail: INFSO-TRUST-SECURITY@ec.europa.eu
