Coverage of Security Issues
Pascal Jacques, ESTAT B0, Local Informatics Security Officer, Eurostat

The Context
• Regulation (EC) No 223/2009 of the European Parliament and of the Council
  • (preamble) The confidential information which the national and Community statistical authorities collect for the production of European statistics should be protected, in order to gain and maintain the confidence of the parties responsible for providing that information. The confidentiality of data should satisfy the same principles in all the Member States.
  • (preamble) For that purpose, it is necessary to establish common principles and guidelines ensuring the confidentiality of data used for the production of European statistics and the access to those confidential data with due account for technical developments and the requirements of users in a democratic society.
  • The NSIs and other national authorities and the Commission (Eurostat) shall take all necessary measures to ensure the harmonisation of principles and guidelines as regards the physical and logical protection of confidential data.
• Commission Decision of 17 September 2012 on Eurostat (2012/504/EU)
  • The Director-General of Eurostat shall, in addition, take all necessary measures to protect data whose disclosure would cause prejudice to Union interests, or to the interests of the Member State to which they relate.

Challenges
• 4 strategic directions of implementation of the vision
• Network
  • Secure connection of large databases (secured data warehouse architecture)
  • Transfer/access of confidential information between ESS partners
  • Secure data formats and protocols
  • Networks integration
• Information Stores
  • More and more exchange of microdata sets for data linking
  • Combination of confidential/non-confidential/administrative datasets. Security/confidentiality of the output?
• Modular Production
  • Towards more exchange of SW. Ensure shared SW is secure (certification?)
• Optimal Collaboration
  • Secured access to datasets/rules for validation
  • Procedures for collaboration/accesses/sharing/user management
  • AAA protocol: Authentication/Authorisation/Auditing. Traceability/Privacy/Monitoring/Reporting
• Need to increase IT security in order to build trust between ESS partners

The Threats
• 2012 Data Breach Investigations Report (DBIR)
  • 855 incidents, 174 million compromised records in 2011.
• Security incidents are capable of rendering critical government functions unavailable for several days (e.g. the cyber-attacks against Estonia in 2007), which severely affected not only the provisioning of online services such as e-government and e-banking within the country, but also prevented citizens from accessing online services across borders. Businesses and other organisations can be seriously affected if the networks and information systems underpinning their industrial processes are compromised.
• In 2009, 16 % of enterprises in the EU-27 had experienced some kind of NIS (Network and Information Security) incident (http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=isoc_cisce_ic&lang=en)

Timeline of notable incidents, 2007-2012 (figure; events in the order shown): Estonia; Monster.com; Lithuania; Georgia; cable cuts in the Mediterranean; Google; Stuxnet (origin 2007); Verisign; EU Emission Trading System (EU ETS), €30M / $175M; French Government; EC and EEAS; Sony; DigiNotar; Flamer.
• 10% probability of a major CII breakdown in the next 10 years; potential global economic cost of over $250B (source: WEF)
• Global cybercrime: $388B/year
12-13 Jun 2012

The Request
• Creation of a new working group "ESS Security and Secure exchange of data" (E4SWG)
• Further discuss its mandate
• Agree on, comment on and contribute to the list of proposed actions

Role of the Working Group
• Know each other and our specificities better
• Exchange information and best practices on
  • Security measures used in MS for data protection, running the data centre, access to microdata for research purposes
  • Projects/programmes linked to information security
  • IT architecture in MS, to better understand the MS's capacity to join a future shared secured data warehouse
• Agree on common rules, procedures, guidelines and standards for secure communication (e.g. emails) and data storage, exchange and transfer
• Agree on the security level of shared applications, shared services, shared processes

Related projects
• ESSnet projects
• ESS-VIP projects
  • data warehouse
  • decentralised access
  • EGR
• VIP projects: SICON, Data Validation, CENSUS Hub, SIMSTAT Data Warehouse, NAPS Data Warehouse, SIMSTAT, EBR, ICT
• FP7 projects
  • Data Without Boundaries
  • DASISH, ENGAGE, EUDAT

Proposed Actions
• Ask the opinion of the ITDG on the creation of the WG
• Organise an "Enterprise Architecture Security Workshop" on 13-14/12/2012 to discuss the mandate further
• Discuss the possibility and opportunity of using existing and under-development infrastructure for the exchange of secure messages, such as CCN/CCN 2 or sTesta/sTesta II
• Visits to some NSIs to understand their infrastructure
• Set up a shared secured repository of information on security aspects, people, roles, procedures, best practices and documentation of infrastructures in MS

State of Security 2012 (McAfee/Evalueserve)