In a recent communication titled "A Strategy for a Secure Information Society - Dialogue, Partnership and Empowerment" (COM(2006)251), the European Commission underscores the importance of continuous cooperation among different stakeholders to improve network and information security (NIS). This communication is mainly aimed at "updating" the Commission's previous strategy, which dates from 2001, in light of the newest security challenges that the Information Society faces today.
Key Challenges for ICT Security
There are several reasons why the Commission considers it necessary to revitalize the existing European strategy for network and information security. First of all, cross-border attacks on NIS are increasingly driven by economic motives, which makes them even more harmful than attacks that merely disrupt networks. Spam, for example, is becoming a popular vehicle for delivering spyware, phishing lures and other types of malicious software. The increasing use of mobile devices and mobile-based network services, and the application of so-called "ambient intelligence" (e.g. RFID technology) in daily life, also add a complicating factor to the debate over how to ensure NIS. In addition, the Commission is particularly concerned that increased use of "off-the-shelf" software may lead to "monocultures" of certain software solutions, which would make it easier to spread security threats such as malware and viruses quickly and on a large scale. The most important challenge, however, appears to be that businesses and individuals in Europe still underestimate the risks of using Information and Communication Technologies (ICTs) that are not sufficiently secure. The Commission has expressed concern that individuals do not always realize that their home equipment is often the weakest link in overall network security. Many companies view security measures purely as a "negative cost," rather than appreciating the opportunity to bolster their business through enhanced security. Individuals, as well as businesses, using ICTs are currently failing to take up their "responsibility in the global security chain," at least according to the Commission.
Threefold Approach to Security Enhancement
In the Commission's view, effective network and information security calls for a coordinated strategy involving all three levels of action currently undertaken by the European Community. Since 2001, specific measures have been taken at the EU level to improve NIS, including the creation of the European Network and Information Security Agency (ENISA). Based in Crete (Greece), ENISA assists the Commission and EU member states in addressing security-related issues, for instance by providing advice, recommendations and data analysis services. ENISA started its operations in Crete in September 2005, and is expected to play a more prominent role in NIS enhancement in the years to come.
In parallel with specific NIS measures, the EU regulatory framework for electronic communications, as well as general EU data privacy rules, include provisions aimed at promoting the security and confidentiality of online communications. Article 4 of the E-Privacy Directive (2002/58/EC), for example, requires that a provider of electronic communications services take "appropriate technical and organizational measures to safeguard security of its services." What constitutes an "appropriate" security measure under Article 4 is likely to be interpreted differently from one member state to another, a divergence which particularly complicates the provision of cross-border electronic communications services. The regulatory framework for electronic communications is currently being reviewed by the Commission, but whether the existing security provisions will be amended is still unclear at this point.
A third area of security enhancement efforts the Commission intends to coordinate more closely is the fight against cybercrime. Noteworthy initiatives to combat cybercrime via international cooperation include the Convention on Cybercrime (adopted by the Council of Europe in 2001) and the 2002 Proposal for a Council Framework Decision on attacks against information systems (since adopted as Framework Decision 2005/222/JHA). In addition, the UN-driven World Summits on the Information Society (held in 2003 and 2005) resulted in the "Tunis Agenda" and the "Tunis Commitment," which emphasize the need for a global alliance against cybercrime, while ensuring the protection of human rights and fundamental freedoms, including privacy and freedom of expression.
A Policy Based on Dialogue, Partnerships and Empowerment
To develop a secure Information Society, the Commission is proposing a new policy that requires the active participation of public administrations, companies and individual users of ICTs. Such a policy should be based on open and enhanced dialogue, the establishment of strategic partnerships and the empowerment of each stakeholder group.
- Dialogue: ENISA will be asked to take part in the benchmarking of existing NIS-related policies at the member-state level, the purpose of which is to identify "best practices." These "best practices" could then be used by public administrations in the different member states to evaluate and, if necessary, optimize their security policies. In addition, the Commission intends to organize separate events targeting industry and end-users with the aim of raising awareness of NIS issues. The upcoming conference "i2010 - Towards a Ubiquitous European Information Society" and the ongoing public consultation on RFID are also expected to foster stakeholder dialogue.
- Partnerships: The Commission is convinced that, without reliable and up-to-date information regarding security trends, incidents and challenges throughout Europe, it would be difficult to take the necessary policymaking decisions. The Commission is planning to ask ENISA to develop a partnership among the EU member states and other stakeholders to set up a data collection framework for that purpose. Furthermore, ENISA is also expected to conduct a feasibility study on the establishment of a pan-European, multilingual portal for sharing information on security threats, risks and alerts.
- Empowerment: According to the Commission, private sector stakeholders should play a vital role in enhancing NIS, and in its recent communication the Commission has identified a number of private initiatives that industry should consider. For instance, companies should cooperate to develop affordable security certification schemes for ICT products and services, consistent with EU privacy requirements. The Commission also encourages the development of good security practices and specific training programs for providers of electronic communications services. The insurance sector should also be involved, possibly through the development of specific risk-management solutions and products that focus on ICT-related risks. EU member states, on the other hand, are not only expected to cooperate in the above-mentioned benchmarking exercise, but should also support security awareness campaigns as well as the inclusion of NIS programs in higher education curricula. Through their e-government services, member states should promote "good security practices" so that they serve as a source of inspiration for other sectors.
EU Initiatives Expected in 2006
The Commission has announced that it will take several initiatives in the course of this year to enhance network and information security, including a communication on the evolution of spam and malware, as well as a specific communication on cybercrime (with a focus on how to improve cooperation among national law enforcement agencies). In the broader context of global efforts to improve network and information security, the Commission recently confirmed that the EU will continue to play an active role in the upcoming discussions on Internet security at the Internet Governance Forum, which is expected to hold its first meeting in Athens, Greece, starting Oct. 30, 2006.
Wim Nauwelaerts is a lawyer in the Brussels office of Hogan & Hartson L.L.P., specializing in EU privacy and data protection law. He can be reached by email at email@example.com or by telephone at +32 2 505 09 11.