The European cyber security strategy is aimed at addressing insufficient national preparedness and boosting co-operation in the region, says a European Commission (EC) trust and security policy officer.
This is necessary in the face of increased threats, Ann-Sofie Ronnlund of the EC’s directorate-general for communication networks, content and technology told the ISSA London 2013 European Conference.
The strategy and an accompanying proposal for a Directive on Network and Information Security (NIS) across the European Union are expected to be published on 7 February.
In January, the EC called on leaders attending the World Economic Forum (WEF) meeting in Davos, Switzerland to establish strategies to cope with and respond to cyber attacks.
“We need to find a common level of cyber security and co-operation to ensure a safe and resilient digital environment in respect of fundamental rights and EU core values,” said Ronnlund.
The strategy has three main aims: to strengthen the security and resilience of networks and information security systems, to prevent and fight cyber crime, and to establish a more coherent cyber security policy across Europe.
The accompanying proposed legislation on network and information security (NIS) is mainly aimed at supporting the strategy’s first goal, which Ronnlund said includes fighting botnets, improving the security and resilience of industrial control systems and smart grids.
It also includes raising awareness, promoting public-private partnerships and developing industrial and technical resources at an EU level to establish a single market for cyber security solutions, develop cyber security standards and procurement policies, and foster investment in research.
The recently-opened European Cybercrime Centre (EC³) at Europol in The Hague, is a key element of the second goal of the strategy on cyber crime, said Ronnlund.
“The centre will provide support to enhance national capabilities to investigate and combat cyber crime, and encourage the swift implementation of cyber crime directives,” she said.
The third goal of the strategy around cyber defence policy, said Ronnlund, is aimed at developing capabilities in the EU, encouraging dialogue and co-operation between the military and civilian sectors, and establishing an international cyberspace policy.
Such a policy would be aimed at enshrining basic human rights and EU core values, establishing norms of behaviour, and building capacity for cyber resilience.
Another aim of the proposed NIS directive, said Ronnlund, is to set up a “virtuous circle” comprising national preparedness, EU-level co-operation and a culture of NIS across public and private sectors.
Establishing a minimum cyber defence capacity in each member state will ensure that all have a strategy. This in turn will foster greater regional co-operation around things like early warning, co-ordinated incident response, capacity building, and joint cyber defence exercises.
Another key component of the proposed directive is around risk management, which includes the potentially controversial requirement for data breach disclosures to national data protection authorities.
The EC is proposing to extend data breach disclosure obligation of the telecommunications sector to other sectors including energy, transport, healthcare, credit institutions and, most controversially, providers of key internet services such as search engines and ecommerce payment platforms.
However, Ronnlund emphasised that obligations to report data breaches will apply only to “significant” incidents from a “societal point of view” and not every data breach incident.
“We need to establish trust between states and end users through increased transparency,” she said.
Ronnlund said the aim is not to overburden organisations with data breach disclosure obligations, but to promote a risk management approach to cyber security and ensure that incidents potentially faced by other European organisations are reported to get co-operation working smoothly.
It will be up to individual national data protection authorities to decide whether or not it is necessary to make data breach disclosures public or not.
06 Feb 2013