The European Commission (EC) has called on leaders attending the World Economic Forum (WEF) meeting in Davos, Switzerland to establish strategies to cope with and respond to cyber attacks.
“We also need to transform the risk story into a growth story,” said Neelie Kroes, vice-president of the EC responsible for the Digital Agenda.
“The big opportunities of the digital economy will not be realised if people are worried about security and do not trust networks and systems,” Neelie Kroes said.
She said there were specific challenges that need to be addressed in that context, reiterating that cyber security is a global problem that requires a global response. “Awareness is not enough. What is required is investment and action.”
Kroes called on the public sector to provide incentives to companies to invest more in security and to be transparent regarding threats and incidents.
Citing Eurostat figures from January 2012, she said that only 26% of enterprises in the EU had a formally defined ICT security policy with a plan for regular review.
This year, Kroes is to present a cyber security strategy for the EU that will propose a comprehensive vision on cyber security within the EU and internationally.
“The strategy will focus on the need to improve the overall resilience of network and information systems, including by stimulating the competitiveness of the ICT industry as well as user demand for security functionalities in ICT products and services,” said Kroes.
Those initiatives will be complemented by stepping up the fight against cyber crime; by strengthening the external EU cyber security policy; and by exploring synergies between the civilian and the military sectors.
The strategy, said Kroes, will be accompanied by a proposal for a Directive on Network and Information Security (NIS) across the EU.
The proposed directive will require member states to be appropriately equipped and the relevant authorities to co-operate with each other at EU level.
“The European Network and Information Security Agency (ENISA) is to support this process by providing its technical expertise and advice,” said Kroes.
Adopt risk management measures
The EC will also propose to extend the obligations to adopt NIS risk management measures and to report significant incidents to national authorities, to new sectors that are vital to the economy such as energy, transport, banking, healthcare and key Internet companies.
The strategy will also include actions aimed at developing an integrated market for secure ICT solutions and fostering R&D investment, said Kroes.
“After a series of consultations, I have become convinced that the matter of cyber security is too important to be left to the goodwill of companies,” she said.
The proposed data breach reporting obligations have been received largely in a positive way, with the security industry acknowledging that this is an essential part of confronting cyber threats head-on.
“Organisations, which up until now have been able to conceal details of a breach from the general public and avoid the inevitable consequences this brings, will have a duty of care to appropriately and proactively safeguard the sensitive data held within their networks,” said Matt Middleton-Leal, UK & Ireland regional director for security firm Cyber-Ark.
“This will also enable security managers to begin to build business cases that justify the appropriate spend for their organisations versus the limited budget they are provided,” he said.
According to Middleton-Leal, traditional security methods are no longer working, and therefore organisations need to take a closer look at their systems and identify any vulnerabilities.
“Taking an inside-out approach and locking down networks and data accessible via administrative accounts and other privileged credentials will be vital to achieving this,” he said.
Middleton-Leal also cautioned that like all compliance requirements, the proposed measure should be viewed as a starting point for organisations and not the end-goal.
“Organisations need to take this proposal as a call to action to proactively defend their, and their customers’, critical assets,” he said.