Europe may ask Enisa to coordinate network security

The future role of the European Network and Information Security Agency (Enisa) is in question if a new pan-European telecommunications regulatory authority is born of the present Telecoms Package negotiations to create a single continent-wide market in communications.

Now in its fifth year, Enisa was to be a central clearing house for expertise, advice and information on best practices in network and information security for EU member states, institutions and the private sector.

But there is a need for an organisation with a more operational role to coordinate pan-European responses to cyber attacks, and to monitor member states' network resilience, says Enisa COO Steve Purser.

Information security experts are uneasy about Enisa's future role. Paul Dorey, one of a group of experts that supports Enisa's work, says IS experts are worried that a reorganisation under a European regulator may narrow Enisa's role to telecommunications and network security.

Although this is important at an infrastructural level, it would come just as networked applications, and therefore information security, become the predominant economic drivers, he says.

Dorey says that if the IS component of Enisa's role is minimised, it will immediately affect its ability to help public IS awareness programmes, such as British Airways' in-house information security awareness campaign, and programmes such as Get Safe Online.

Enisa might also lose its role as a source of independent research-based advice on the risks of non-telecom information services such as USB sticks, cloud computing, business continuity for small and medium enterprises, and other digital technologies.

This would be another hiccup in Enisa's short but difficult life. The organisation endured a difficult political birth before starting operations in September 2005. Large countries with well-developed economies and telecommunications industries saw little value in supporting an information sharing organisation, especially one that they did not control.

Setting up the agency in Crete, far from the mainstream of politics and technical expertise, was seen as a sop to Greece, which had just joined the European Union.

However, outgoing executive director Andrea Pirotti has managed to build an organisation that fulfilled a clear need. This was to bring new accession countries up to speed in network and information security, and to develop a clearing house for information useful to European and national information security authorities.

Some have criticised Enisa as a talking shop. However, Purser, who is also head of Enisa's technical competence department, says its role has always been one of "soft" advocacy based on reliable data and informed by expert opinion.

Its work to date has been to collect and disseminate key data on information security issues and to promote good information security practices to member states.

It is starting to fulfill its promise. Eight member states had CERTs (computer emergency response teams) when Enisa started; 16 do now; 10 more plan to, as do South Africa and most former Soviet republics, with Enisa's help.

Enisa is now pushing for every member state to have a CERT so that none is a weak link through which to attack the community.

This change came from Enisa's first clear deliverable, namely an inventory of European CERTs and their services. This enabled others to find counterparts with whom they could start to build relationships for dealing with phishing, denial of service and other cyber attacks on local users.

More recently Enisa published a 600-page benchmark description of the network and information security status in 30 European countries, along with the relevant authorities.

Purser says Enisa wants to expand this to help members improve the resilience of their networks and to help measure events such as the pan-European network failure exercise planned for 2010, which it is helping the commission to set up.

This takes Enisa close to the edge of becoming an operational body, something not in its present mandate, which ends in 2010. Purser says a more operational role would require a new mandate and a re-siting of Enisa from Pillar One to Pillar Three of the European legislation.

This may happen. The commission is already consulting on how to protect the community's critical information infrastructure, with specific questions about Enisa's future role.

Should Enisa have a more operational role, perhaps as a pan-European CERT or a network resilience auditor? Purser says it is up to member states, but it should be discussed. "Presently there is no equivalent body," he says.

The person to steer Enisa through the next stage is Udo Helmbrecht, the president of the German Federal Office for Information Society (BSI). Helmbrecht takes over from Pirotti on 16 October.

Observers have mixed reactions to Helmbrecht's appointment. Some see it as a tribute to Pirotti's success in making Enisa a credible, value-adding entity. Others believe it is the precursor to bringing Enisa closer to the heart of both the political and technical action.

What that means for information users remains to be seen. But Enisa appears to have done enough to justify a role looking at the security of networked applications, irrespective of the networks themselves.