Documents considered by the Committee on 6 May 2009 - European Scrutiny Committee


2   Protecting information networks from cyber attacks

(30528)

8375/09

+ADDs 1-4

COM(09) 149

Commission Communication: Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience

Legal base:
Document originated: 30 March 2009
Deposited in Parliament: 7 April 2009
Department: Business, Enterprise and Regulatory Reform
Basis of consideration: EM of 28 April 2009
Previous Committee Report: None; but see (27570) 10248/06: HC 34-xxxv (2005-06), chapter 8 (12 July 2006). Also see (29300) 16840/07: HC 16-xxiii (2007-08), chapter 12 (4 June 2008); and (27466) 8841/06: HC 41-xxi (2006-07), chapter 15 (9 May 2007)
To be discussed in Council: To be determined
Committee's assessment: Politically important
Committee's decision: Not cleared; further information requested

Background

2.1  As the Commission notes, Information and Communication Technologies (ICTs) are increasingly intertwined in our daily activities, with some of these ICT systems, services, networks and infrastructures (in short, ICT infrastructures) forming a vital part of European economy and society, either providing essential goods and services or constituting the underpinning platform of other critical infrastructures, and being "typically regarded as critical information infrastructures (CIIs) as their disruption or destruction would have a serious impact on vital societal functions." The Commission gives as recent examples the large-scale cyber-attacks targeting Estonia in 2007 and the breaks of transcontinental cables in 2008.

2.2  The Commission recalls its "strategy for a secure information society", which was adopted in 2006,[4] where it says "ownership and implementation by stakeholders appears insufficient".

2.3  The Commission refers to the place in this strategy of the European Network and Information Security Agency (ENISA), established in 2004 to "contribute to the goals of ensuring a high and effective level of NIS within the Community and developing a culture of NIS for the benefit of EU citizens, consumers, enterprises and administrations" — a mandate extended "à l'identique" until March 2012, but subject to "further discussion on the future of ENISA and on the general direction of the European efforts towards an increased network and information security", as a result of which the Commission launched last November an online public consultation,[5] the analysis of which will be made available shortly.

2.4  Other elements in the Policy Context to which the Commission refers are:

1.  the European Programme for Critical Infrastructure Protection (EPCIP)[6] and the Directive[7] on the identification and designation of European Critical Infrastructures,[8] which identifies the ICT sector as a future priority sector, and the Critical Infrastructure Warning Information Network (CIWIN);[9]

2.  the Commission proposal to reform the Regulatory Framework for electronic communications networks and services,[10] and particularly the provisions to strengthen operators' obligations to ensure that appropriate measures are taken to meet identified risks, guarantee the continuity of supply of services and notify security breaches,[11] which the Commission says is "conducive to the general objective of enhancing the security and resilience of CIIs", and which the European Parliament and the Council "broadly support";

3.  complementarity with existing and prospective measures in the area of police and judicial cooperation to prevent, fight and prosecute criminal and terrorist activities targeting ICT infrastructures, as envisaged inter alia by the Council Framework Decision on attacks against information systems[12] and its planned update;[13]

4.  NATO activities on common policy on cyber defence, i.e. the Cyber Defence Management Authority and the Cooperative Cyber Defence Centre of Excellence;

5.  the G8 principles on CIIP;[14]

6.  the UN General Assembly Resolution 58/199 Creation of a global culture of cybersecurity; and

7.  the protection of critical information infrastructures and the recent OECD Recommendation on the Protection of Critical Information Infrastructures.

The Commission Communication

2.5  The Commission says that, within this policy context, the Communication "focuses on prevention, preparedness and awareness and defines a plan of immediate actions to strengthen the security and resilience of CIIs."

WHAT IS AT STAKE?

2.6  The ICT sector is vital for both business and the public sector; cyber-attacks have risen to an unprecedented level of sophistication; the high dependence on CIIs, their cross-border interconnectedness and interdependencies with other infrastructures, as well as the vulnerabilities and threats they face "raise the need to address their security and resilience in a systemic perspective as the frontline of defence against failures and attacks." To ensure that ICT infrastructures are used to their maximum extent, all stakeholders must have a high level of confidence and trust in them; this depends on ensuring their high level of security and resilience, which the Commission says is "a shared responsibility: no single stakeholder has the means to ensure the security and resilience of all ICT infrastructures and to carry all the related responsibilities", which in turn "calls for a risk management approach and culture, able to respond to known threats and anticipate unknown future ones, without over-reacting and stifling the emergence of innovative services and applications."

2.7  A "purely national approach" runs the risk of "fragmentation and inefficiency", which in turn means that "a low level of security and resilience of CIIs in a country has the potential to increase vulnerabilities and risks in other ones". So, "a European effort is needed". But this poses "peculiar governance challenges", because, while "Member States remain ultimately responsible for defining CII-related policies", their implementation depends on the involvement of the private sector, which owns or controls a large number of CIIs. But, says the Commission (though without explaining why private entities would have any less of an interest than public ones), "the markets do not always provide sufficient incentives for the private sector to invest in the protection of CIIs at the level that governments normally demand". At national level, public-private partnerships (PPPs) have emerged. But:

"despite the consensus that PPPs would also be desirable on a European level, European PPPs have not materialised so far. A Europe-wide multi-stakeholder governance framework, which may include an enhanced role of ENISA, could foster the involvement of the private sector in the definition of strategic public policy objectives as well as operational priorities and measures. This framework would bridge the gap between national policy-making and operational reality on the ground."

2.8  There is also limited European early warning and incident response capability. Governments "have the ultimate responsibility to ensure the security and well-being of citizens". But the processes for monitoring and reporting network security incidents differ significantly across Member States, with under-developed cooperation and information-sharing between them and EU-wide "cyber-security exercises … still in an embryonic state". Mutual aid is essential to a proper response to large-scale threats and attacks on CIIs. A strong European early warning and incident response capability has to rely on well-functioning National/Governmental Computer Emergency Response Teams (CERTs), with a common baseline in terms of capabilities, acting "as national catalysers of stakeholders' interests and capacity for public policy activities" and engaging "in effective cross-border cooperation and information exchange, possibly leveraging existing organisations such as the European Governmental CERTs Group (EGC)[15]".

2.9  At the international level, the Internet generates a "divergence of views on the criticality of the elements making up the Internet [which] partly explains the diversity of governmental positions expressed in international fora and the often contradicting perceptions of the importance of this matter". Nonetheless, as "a global and highly distributed network of networks, with control centres not necessarily following national boundaries", it calls for:

"a specific, targeted approach in order to ensure its resilience and stability, based on two converging measures. First, achieving a common consensus on the European priorities for the resilience and stability of the Internet, in terms of public policy and of operational deployment. Secondly, engaging the global community to develop a set of principles, reflecting European core values, for Internet resilience and stability, in the framework of our strategic dialogue and cooperation with third countries and international organisations."

THE WAY FORWARD: TOWARDS MORE EU COORDINATION AND COOPERATION

2.10  The Commission says "a multi-stakeholder, multi-level approach is essential, taking place at the European level while fully respecting and complementing national responsibilities." This would require strengthening the existing instruments for cooperation, including ENISA, and, if necessary, creating new tools.

2.11  A thorough understanding of the environment and constraints is also necessary. For example, the distributed nature of the Internet, "where edge nodes can be used as vectors of attack, e.g. botnets,[16]" is both a concern and a key component of stability and resilience that can help a faster recovery than would normally be the case with overformalised, top-down procedures — "this calls for a cautious, case-by-case analysis of public policies and operational procedures to put in place."

2.12   The time horizon is also important — "there is a clear need to act now and put rapidly in place the necessary elements to build a framework that will enable us to respond to current challenges and that will feed into the future strategy for network and information security."

2.13   Five pillars are proposed to tackle these challenges:

1.  Preparedness and prevention: to ensure preparedness at all levels;

2.  Detection and response: to provide adequate early warning mechanisms;

3.  Mitigation and recovery: to reinforce EU defence mechanisms for CII;

4.  International cooperation: to promote EU priorities internationally;

5.  Criteria for the ICT sector: to support the implementation of the Directive on the Identification and Designation of European Critical Infrastructures.[17]

THE ACTION PLAN

2.14  The Commission then proposes, under these headings, ten actions, each with a target date for completion.

(i)  Baseline of capabilities and services for pan-European cooperation. Target: end of 2010 for agreeing on minimum standards; end of 2011 for establishing well-functioning National/Governmental Computer Emergency Response Teams (CERTs) in all Member States.

(ii)  European Public Private Partnership for Resilience (EP3R). Target: end of 2009 for a roadmap and plan for EP3R; mid-2010 for establishing EP3R; end of 2010 for EP3R to produce its first results.

(iii)  European Forum for information sharing between Member States. Target: end of 2009 for launching the Forum; end of 2010 for delivering the first results.

(iv)  European Information Sharing and Alert System (EISAS). Target: end of 2010 for completing the prototyping projects; end of 2010 for the roadmap towards a European- system.

(v)  National contingency planning and exercises, with ENISA "to support the exchange of good practices among Member States". Target: end of 2010 for running at least one national exercise in every Member State.

(vi)  Pan-European exercises on large-scale network security incidents, with Commission financial support. Target: end of 2010 for the design and run of the first pan-European exercise; end of 2010 for pan-European participation in international exercises.

(vii)  Reinforced cooperation between National/Governmental CERTs: Member States invited to strengthen the cooperation between National/Governmental CERTs, with an active stimulus and support role for ENISA. Target: end of 2010 for doubling the number of national bodies participating in the EGC; end of 2010 for ENISA to develop reference materials to support pan-European cooperation.

(viii)  Internet resilience and stability. The Commission will "drive a Europe-wide debate, involving all relevant public and private stakeholders, to define EU priorities for the long term resilience and stability of the Internet". Target: end of 2010 for EU priorities on critical Internet components and issues.

(ix)  Principles and guidelines for Internet resilience and stability (European level). The Commission will work with Member States to define guidelines for the resilience and stability of the Internet, focusing inter alia on regional remedial actions, mutual assistance agreements, coordinated recovery and continuity strategies, geographical distribution of critical Internet resources, technological safeguards in the architecture and protocols of the Internet, replication and diversity of services and data. Target: end of 2009 for a European roadmap towards principles and guidelines for Internet resilience and stability; end of 2010 for agreeing on the first draft of such principles and guidelines.

(x)  Principles and guidelines for Internet resilience and stability (global level). The Commission will work with Member States on a roadmap to promote principles and guidelines at the global level. Strategic cooperation with third countries will be developed, notably in Information Society dialogues, as a vehicle to build global consensus. Target: beginning of 2010 for a roadmap for international cooperation on principles and guidelines for security and resilience; end of 2010 for the first draft of internationally recognised principles and guidelines to be discussed with third countries and in relevant fora, including the Internet Governance Forum.

(xi)  Global exercises on recovery and mitigation of large scale Internet incidents. The Commission invites European stakeholders to reflect on a practical way to extend at the global level the exercises being conducted under the mitigation and recovery pillar, building upon regional contingency plans and capabilities. Target: end of 2010 for the Commission to propose a framework and a roadmap to support the European involvement and participation in global exercises on recovery and mitigation of large-scale Internet incidents.

(xii)  ICT sector specific criteria. Continue to develop, in cooperation with Member States and all relevant stakeholders, the criteria for identifying European critical infrastructures for the ICT sector. Target: first half of 2010 for the Commission to define the criteria for the European critical infrastructures for the ICT sector.

2.15  The Commission says that the success of these actions depends on building upon and benefiting public and private activities and on the commitment and full participation of Member States, European Institutions and stakeholders. To this end, a Ministerial Conference will take place on 27-28 April 2009 to discuss the proposed initiatives with Member States and to mark their commitment to the debate on a modernised and reinforced NIS policy in Europe; and the Commission will initiate a stock-taking exercise toward the end of 2010, in order to evaluate the first phase of actions and to identify and propose further measures, as appropriate.

The Government's view

2.16  In his Explanatory Memorandum of 28 April, the Minister for Communications, Technology and Broadcasting at the Department for Business, Enterprise and Regulatory Reform (Lord Carter of Barnes) notes that the elements of this Action Plan are "aspirational and not binding". He says that the UK has been involved in helping develop critical information infrastructure protection policy at a European level for some time, and supports the drive from the Commission to achieve higher levels of resilient information infrastructure. He also approves of the indications of the importance that the Commission attaches to working with industry and taking a risk-based approach to work in this area — "an approach which HMG strongly supports and promotes as the most effective way to enhance resilience and increase CII".

2.17  The UK, the Minister says, "is generally ahead of the game in addressing critical information infrastructure protection and resilience to ensure availability of communications, and the overarching objectives of this Communication are part of core infrastructure resilience policy." He says that this has been achieved through — amongst other things — "continued close working with industry and across Government, through the Electronic Communications Resilience and Response Group (EC-RRG), security advice given by the Centre for the Protection of National Infrastructure (CPNI), as well as resilience requirements on key telecoms providers under the Civil Contingencies Act 2003". In addition, "BERR and OGDs continue to work with industry to ensure that security and preparedness measures such as emergency response and protective security plans are in place; these are tested on a regular basis [and] the Cabinet Office has been leading work on a Cyber Security Strategy since September 2008."

2.18  All this said, the Minister does have "some concerns" about the Communication:

"in some cases the evidence base provided is relatively weak, and on occasion supports analysis which could be considered alarmist. Nevertheless, this should not detract from the fact that further work needs to be done at individual Member State level to enhance CII as well as further useful coordinating work at EU level;

"HMG believes the current timetable to be highly aspirational, and unlikely to be achievable across the EU — especially where emergency response exercises are concerned (these can take up to a year to organise). Experience has demonstrated that this is an area of work where preparedness needs to be built up in individual Member States before becoming effective at an EU level;

"The Communication seems to have adopted a relatively narrow view with regard to the resilience and stability solely of internet components — by apparently aiming to identify these globally. We are waiting to see how the Commission is aiming to achieve this without any kind of EU-wide consensus in the arena of Internet security. There is also no indication of where such a debate would take place."

2.19  Finally, the Minister says that he believes that the Commission's long-term strategy is "to develop these areas of work into legal minimum levels and standards of resilience, preparedness and security", but "there is no timetable or detail set out for this yet."

Conclusion

2.20  We find it odd that the Minister makes no mention of the April 2009 Ministerial conference or of the 2010 stock-take, at which point the Commission makes it clear that it expects to propose further measures. In the first instance, we should like the Minister to write to us with his assessment of the conference and its outcomes.

2.21  We should also like the Minister to elaborate more fully on those aspects of the Communication (which he sums up very briefly in his Explanatory Memorandum) that he regards as based on relatively weak evidence or alarmist analysis. As he says, preparedness undoubtedly needs to be built up in individual Member States before becoming effective at an EU level. But the case for developing a capacity for Member States to work together effectively seems to be self-evident. No doubt the Commission's timetable is unrealistic; time will tell. But, in saying that he "supports the drive from the Commission to achieve higher levels of resilient information infrastructure", the Minister does not make clear whether his concern is over only the level of ambition of the Commission's timetable, or over the Commission's proposals for a greater role for the Commission in general and the European Network and Information Security Agency (ENISA). Nor, in saying what he thinks the Commission's long-term strategy is, does he say what he thinks about it. We should like him to explain his views more fully about the best way ahead.

2.22  We also find it odd that the Minister makes no mention of ENISA at all, given that it was the subject of prolonged discussion with his department in 2007-08.[18] That discussion was about the proposal to which the Commission itself refers, i.e., the extension of its mandate until 2012. This was contentious because the independent evaluation in 2006 required by its statutes had revealed an unhappy state of affairs, at the heart of which was the Commission's rejection of the review's most important finding — that the decision, left to the Greek government during its then-Presidency, to locate ENISA on Crete, should be revisited. The Government of Greece maintained that the case against Crete was not soundly based and, at that time, was said to be "working hard to address the most obvious problems". A year on, the Commission is now proposing an expanded role for it in developing a pan-European framework without, so far as we are aware, any indication that the agency is any more effective at doing its present job than it was when the critical review was produced. We should like the Minister to bring us up to date on what has been done and to let us know if he considers that ENISA is up to the task that the Commission has in mind for it.

2.23  The Minister also suggests that he is unhappy with the Commission's thoughts on this aspect of Internet governance (cf. paragraph 2.9 above), which he says are "without any kind of EU-wide consensus in the arena of Internet security". In 2006-2007, we considered an earlier Commission Communication on Internet governance, which sought to assess the results of the second World Summit on the Information Society (which was held in Tunis in November 2005).[19] It was designed to reach conclusions on the two unresolved issues — financial mechanisms and Internet governance. The latter was resolved via the creation of an Internet Governance Forum (IGF) as a new forum for multi-stakeholder policy dialogue. Last November, the Minister's colleague, Baroness Vadera, told us that the UK, the EU and the US were all of one mind on "ensuring this multi-stakeholder process is a success", and that security was likely to be one of the main issues to be addressed at the third IGF Forum, to be held in Hyderabad on 1-5 December 2008 — which she described as "global dialogue on Internet governance and the future direction of the IGF at this crucial mid-way point in its 5-year life span". There is, however, no mention of the IGF by either the Commission or the Minister. We should therefore be grateful if the Minister would explain more fully what he finds wrong with the Commission approach, and why there is no mention of what would otherwise seem to be a key component in developing an effective international response to the threat in question.

2.24  In the meantime, we shall retain the document under scrutiny.





4   Which the Committee reported to the House on 18 July 2006: see (27570) 10248/06: HC 34-xxxv (2005-06), chapter 8 (12 July 2006).

5   http://ec.europa.eu/information_society/newsroom/cf/itemlongdetail.cfm?item_id=4464

6   COM(2006) 786

7   2008/114/EC

8   http://www.consilium.europa.eu/ueDocs/cms_Data/docs/pressData/en/gena/104617.pdf

9   COM(08) 676

10   COM(07) 697, COM(07) 698, COM(07) 699

11   Art. 13 Framework Directive

12   2005/222/JHA

13   COM(08) 712

14   http://www.usdoj.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf

15   http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/large_scale/

16   A jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. See http://en.wikipedia.org/wiki/Botnet for additional information.

17   Council Directive 2008/114/EC

18   See headnote; HC 16-xxiii (2007-08), chapter 12 (4 June 2008).

19   See headnote; (27466) 8841/06: HC 41-xxi (2006-07), chapter 15 (9 May 2007).


© Parliamentary copyright 2009
Prepared 13 May 2009