European Scrutiny Committee


1 Protecting information networks from cyber attacks


(30528)

8375/09

+ ADDs 1-4

COM(09) 149

Commission Communication: Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience

Legal base:
Department: Business, Innovation and Skills
Basis of consideration: Minister's letter of 11 June 2009
Previous Committee Report: HC 19-xvi (2008-09), chapter 2 (6 May 2009); also see (27570) 10248/06: HC 34-xxxv (2005-06), chapter 8 (13 July 2006). Also see (29300) 16840/07: HC 16-xxiii (2007-08), chapter 12 (4 June 2008); and (27466) 8841/08: HC 41-xxi (2006-07), chapter 15 (9 May 2007)
To be discussed in Council: To be determined
Committee's assessment: Politically important
Committee's decision: Not cleared; further information requested

Background

1.1 As the Commission notes, Information and Communication Technologies (ICTs) are increasingly intertwined in our daily activities, with some of these ICT systems, services, networks and infrastructures (in short, ICT infrastructures) forming a vital part of European economy and society, either providing essential goods and services or constituting the underpinning platform of other critical infrastructures, and being "typically regarded as critical information infrastructures (CIIs) as their disruption or destruction would have a serious impact on vital societal functions." The Commission gives as recent examples the large-scale cyber-attacks targeting Estonia in 2007 and the breaks of transcontinental cables in 2008.

1.2 The Commission recalls its "strategy for a secure information society", which was adopted in 2006,[1] where it says "ownership and implementation by stakeholders appears insufficient".

1.3 The Commission refers to the place in this strategy of the European Network and Information Security Agency (ENISA),[2] established in 2004 to "contribute to the goals of ensuring a high and effective level of NIS within the Community and developing a culture of NIS for the benefit of EU citizens, consumers, enterprises and administrations" — a mandate extended "à l'identique" until March 2012, but subject to "further discussion on the future of ENISA and on the general direction of the European efforts towards an increased network and information security", as a result of which the Commission launched last November an online public consultation,[3] the analysis of which will be made available shortly.

1.4 Other elements in the Policy Context to which the Commission refers are:

—  the European Programme for Critical Infrastructure Protection (EPCIP)[4] and the Directive[5] on the identification and designation of European Critical Infrastructures,[6] which identifies the ICT sector as a future priority sector, and the Critical Infrastructure Warning Information Network (CIWIN)[7]

—  the Commission proposal to reform the Regulatory Framework for electronic communications networks and services,[8] and particularly the provisions to strengthen operators' obligations to ensure that appropriate measures are taken to meet identified risks, guarantee the continuity of supply of services and notify security breaches,[9] which the Commission says is "conducive to the general objective of enhancing the security and resilience of CIIs", and which the European Parliament and the Council "broadly support"

—  complementarity with existing and prospective measures in the area of police and judicial cooperation to prevent, fight and prosecute criminal and terrorist activities targeting ICT infrastructures, as envisaged inter alia by the Council Framework Decision on attacks against information systems[10] and its planned update;[11]

—  NATO activities on common policy on cyber defence, i.e. the Cyber Defence Management Authority and the Cooperative Cyber Defence Centre of Excellence;

—  the G8 principles on CIIP;[12]

—  the UN General Assembly Resolution 58/199 Creation of a global culture of cybersecurity; and

—  the protection of critical information infrastructures and the recent OECD Recommendation on the Protection of Critical Information Infrastructures.

The Commission Communication

1.5 The Communication (which is summarised in greater detail in our previous Report)[13] develops the case for enhancing resilience within CII infrastructure within Member States as well as across the EU, and developing a European capacity to counter cyber attack. The Commission says "a multi-stakeholder, multi-level approach is essential, taking place at the European level while fully respecting and complementing national responsibilities." This would require strengthening the existing instruments for cooperation, including ENISA, and, if necessary, creating new tools.

1.6 The intention is to promote an integrated European approach to cyber security issues by focusing on the need for a more coherent approach to the protection and resilience of CII. The disparity in Member States' capacity is important because of the pan-national and cross border nature in which CII and the internet functions. Because the sector is extremely competitive and has a large number of players operating and using national, European and global infrastructure, the Commission is advocating "Public Private Partnerships" in individual Member States, as well as a "Europe-wide multi stakeholder governance framework", to foster EU level cooperation between public and private sectors. With this in mind, the Commission proposes five areas of work:

—  Preparedness and Prevention: to ensure preparedness at all levels (through closer cooperation);

—  Detection and Response: to provide adequate early warning mechanisms;

—  Mitigation and Recovery: to reinforce EU defence mechanisms for CII (through Member State and pan-EU exercises);

—  International cooperation: to promote EU priorities internationally (through further debate and the development of a European roadmap on principles and guidelines for resilience and stability, and on international cooperation and engagement);

—  Criteria for the ICT sector: to support the implementation of the Directive on the Identification and Designation of European Critical Infrastructure.

1.7 Under these headings, ten actions are proposed, each with a target date for completion (also set out in detail in our previous Report). The Commission says that the success of these actions depends on building upon and benefiting public and private activities and on the commitment and full participation of Member States, European Institutions and stakeholders. To this end, a Ministerial Conference was to take place on 27-28 April 2009 to discuss the proposed initiatives with Member States and to mark their commitment to the debate on a modernised and reinforced NIS policy in Europe; and the Commission would initiate a stock-taking exercise toward the end of 2010, in order to evaluate the first phase of actions and to identify and propose further measures, as appropriate.

1.8 In his Explanatory Memorandum of 28 April, the Minister for Communications, Technology and Broadcasting at the Department for Business, Enterprise and Regulatory Reform (Lord Carter of Barnes) noted that the elements of this Action Plan were "aspirational and not binding". The UK had been involved in helping develop critical information infrastructure protection policy at a European level for some time, and supported the drive from the Commission to achieve higher levels of resilient information infrastructure. He also approved of the indications of the importance that the Commission attached to working with industry and taking a risk-based approach to work in this area — "an approach which HMG strongly supports and promotes as the most effective way to enhance resilience and increase CII".

1.9 The UK, the Minister said, was "generally ahead of the game in addressing critical information infrastructure protection and resilience to ensure availability of communications, and the overarching objectives of this Communication are part of core infrastructure resilience policy." This had been achieved through — amongst other things — "continued close working with industry and across Government, through the Electronic Communications Resilience and Response Group (EC-RRG), security advice given by the Centre for the Protection of National Infrastructure (CPNI), as well as resilience requirements on key telecoms providers under the Civil Contingencies Act 2003". In addition, "BERR and OGDs continue to work with industry to ensure that security and preparedness measures such as emergency response and protective security plans are in place; these are tested on a regular basis [and] the Cabinet Office has been leading work on a Cyber Security Strategy since September 2008."

1.10 All this said, the Minister did have "some concerns" about the Communication:

"…in some cases the evidence base provided is relatively weak, and on occasion supports analysis which could be considered alarmist. Nevertheless, this should not detract from the fact that further work needs to be done at individual Member State level to enhance CII as well as further useful coordinating work at EU level.

"HMG believes the current timetable to be highly aspirational, and unlikely to be achievable across the EU — especially where emergency response exercises are concerned (these can take up to a year to organise). Experience has demonstrated that this is an area of work where preparedness needs to be built up in individual Member States before becoming effective at an EU level.

"The Communication seems to have adopted a relatively narrow view with regard to the resilience and stability solely of internet components — by apparently aiming to identify these globally. We are waiting to see how the Commission is aiming to achieve this without any kind of EU-wide consensus in the arena of Internet security. There is also no indication of where such a debate would take place."

1.11 Finally, the Minister said that he believed that the Commission's long-term strategy was "to develop these areas of work into legal minimum levels and standards of resilience, preparedness and security", but "there is no timetable or detail set out for this yet."

Our assessment

1.12 We found it odd that the Minister made no mention of the April 2009 Ministerial conference or of the 2010 stock-take, the Commission having made it clear that at this point it expected to propose further measures. In the first instance, we asked the Minister to write to us with his assessment of the conference and its outcomes.

1.13 We also asked the Minister to elaborate more fully on those aspects of the Communication (which he summed up very briefly in his Explanatory Memorandum) that he regarded as based on relatively weak evidence or alarmist analysis. As he said, preparedness undoubtedly needed to be built up in individual Member States before becoming effective at an EU level. But the case for developing a capacity for Member States to work together effectively seemed to us to be self-evident. No doubt the Commission's timetable was unrealistic; time would tell: but, in saying that he supported "the drive from the Commission to achieve higher levels of resilient information infrastructure", the Minister did not make clear whether his concern was over only the level of ambition of the Commission's timetable, or over the Commission's proposals for a greater role for the Commission in general and ENISA in particular. Nor, in saying what he thought the Commission's long-term strategy was, did the Minister say what he thought about it. So we asked him to explain his views more fully about the best way ahead.

1.14 We also found it odd that the Minister made no mention of ENISA at all, given that it was the subject of prolonged discussion with his department in 2007-08.[14] That discussion was about the proposal to which the Commission itself referred, i.e., the extension of its mandate until 2012. This was contentious because the independent evaluation in 2006 required by its statutes had revealed an unhappy state of affairs, at the heart of which was the Commission's rejection of the review's most important finding — that the decision, left to the Greek government during its then-Presidency, to locate ENISA on Crete, should be revisited. The Government of Greece maintained that the case against Crete was not soundly based and, at that time, was said to be "working hard to address the most obvious problems". A year on, the Commission was now proposing an expanded role for it in developing a pan-European framework without, so far as we were aware, any indication that the agency was any more effective at doing its present job than it was when the critical review was produced. We therefore asked the Minister to bring us up to date on what had been done and to let us know whether he considered that ENISA was up to the task that the Commission had in mind for it.

1.15 The Minister also suggested that he was unhappy with the Commission's thoughts on this aspect of Internet governance (cf. paragraph 1.10 above), which he said was "without any kind of EU-wide consensus in the arena of Internet security". In 2006-07, we considered an earlier Commission Communication on Internet governance, which sought to assess the results of the second World Summit on the Information Society (which was held in Tunis in November 2005).[15] It was designed to reach conclusions on the two unresolved issues — financial mechanisms and Internet governance. The latter was resolved via the creation of an Internet Governance Forum (IGF) as a new forum for multi-stakeholder policy dialogue. Last November, the Minister's colleague, Baroness Vadera, told us that the UK, the EU and the US were all of one mind on "ensuring this multi-stakeholder process is a success", and that security was likely to be one of the main issues to be addressed at the third IGF Forum, to be held in Hyderabad on 1-5 December 2008 — which she described as "global dialogue on Internet governance and the future direction of the IGF at this crucial mid-way point in its 5-year life span". There was, however, no mention of the IGF by either the Commission or the Minister. We therefore asked the Minister to explain more fully what he found wrong with the Commission's approach, and why there was no mention of what otherwise seemed to be a key component in developing an effective international response to the threat in question.

1.16 In the meantime, we retained the document under scrutiny.

The Minister's letter of 11 June 2009

1.17 In his letter, the Minister responds as follows:

MINISTERIAL CONFERENCE

"The Committee requested that I report back on the Tallinn Ministerial Conference on protecting Critical Information Infrastructure which took place on the 27th and 28th April. I am happy to do so. I could not attend the event myself, and indeed very few Ministers were able to attend, but the UK was represented at official level. The event itself was a successful part of the drive to raise the political profile of the issues around protecting critical information infrastructure and I believe launched the issue as a discreet [sic] policy area within the EU.

"The discussion centred on the aims outlined in the Commission Communication: Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience (8375/09). The Commission did not announce any new initiatives but Commissioner Reding attended and spoke forcefully in support of the Commission's work in this area and emphasised its importance. The Communication received support from Member States, and the general consensus was that going forward, we should focus on identifying what the main priorities should be and how these can be delivered.

"The main outcomes of the conference (outlined below) indicate that action is required and the main need is to focus on enhancing coordination and cooperation amongst Member States and with industry to deliver enhanced infrastructure protection:

  • "A clear and coherent strategy for the coming years, based first and foremost on strong coordination and cooperation among Member States, the private sector and all concerned stakeholders, is needed; and action to enhance preparedness, security and resilience of Critical Information Infrastructure across the EU should be accompanied by a thorough discussion on the future of EU policy towards Network and Information Security
  • "Each Member State shall act domestically to enhance the protection of its own Critical Information Infrastructures as a necessary building block towards an enhanced EU preparedness
  • "A joint EU exercise on Critical Information Infrastructure Protection should be organised and staged by 2010 (in line with the Commission's action plan).
  • "ENISA (European Network and Information Security Agency) has the potential to be a valuable instrument for bolstering EU-wide cooperative efforts in this field. However, the new and long lasting challenges ahead require a thorough rethinking and reformulation of the Agency's mandate in order to better focus on EU priorities and needs
  • "Dialogue between public authorities and the private sector should be stimulated to ensure responsibilities of Member States to protect their citizens as well as the practical constraints faced by businesses are well understood
  • "Public and private sectors should be engaged at the EU level in developing an appropriate policy, economic framework and the incentives to support the uptake of security and resilience measures. An instrument serving to facilitate information sharing and dissemination of good practice between Member States would help to maximise the overall capability and level of expertise across the EU
  • "Arrangements such as Public-Private Partnerships or a Forum of Member States are essential to ensure that understanding and information exchange is followed by concrete action at the strategic and tactical levels

"These outcomes are clearly a solid base from which to enhance network resilience and preparedness and you will note largely support the aims of the Communication. That is not to say that all of the elements of the Communication were accepted without question — particularly in relation to the reality of the timetable. The meeting concluded that we needed to address levels of preparedness and security that vary significantly across Member States by helping Member States build up resilience.

"It is very positive that the Commission continues to focus on engaging both the public and private sectors. This is a good basis for the next stage of policy development in prioritising the areas it believes are key to the broader objective of strengthening information systems in the EU. This will be taken as a discussion point at the 11 June Telecoms Council and I have written to you on that point."

EVIDENCE AND FUTURE

"The Committee has requested clarification on why I expressed concern regarding the evidence base of the Communication. As the Committee has stated, the case for developing a capacity for Member States to work together effectively is clearly self-evident. I would not deny this but would only say that the approach taken by the Commission smacks of hobbling [sic] together whatever evidence they can put their hands on and then interpreting it in a dramatic way. I therefore agree with you that we should not argue with the need for policy developments in this area but one of the issues going forward will be how to measure success and it does not augur well for meeting that challenge that this document is so light on analysis and relevant data. So I would say my concern is more on the principles of better regulation and evidence-based decision making rather than what is proposed.

"A particular point of concern in this regard is the way in which the attacks on Estonia are presented as a watershed. Undoubtedly, the attacks had a severe impact, yet nevertheless Commission policy should not be determined by reference to one incident and an incident on which there is little information in the public domain as to what actually happened. Additionally, many different cost estimates and risk assessments — the basis of which is not always clear — have been cited when referring to the cost of loss or disruption of information systems. The UK approach to protecting critical infrastructure is based on broad risk analysis and a detailed understanding of the UK telecoms system to achieve a measured approach across the system as a whole, and I am hopeful that the Commission, having stated in the Communication that it will adopt a risk-based approach, will move away from broad-brush high-level risks and embrace a more targeted approach to analysis and measurement."

ENISA

"I think it is important to note that the Commission Communication really only deals with things that the Agency can do in the next two years — that is before its extended mandate expires. I have absolutely no problem with this. In recent years, ENISA has collated and analysed different approaches to resilience and is in a good position to share good practice on the ways of building and enhancing resilience in individual Member States. This seems a sensible way to extract the maximum value from the Agency and the quality of the work produced so far is of a standard that, I believe, answers your question whether the Agency is 'up to the task'.

"Your comments refer to the review of the Agency and where things stand. As you know, the Agency was extended by two years to tie in with the review of the Framework regulation for the Communications Sector. This was seen as an opportunity to review in depth the EU approach to Network and Information Security in its widest sense. The approach to CIIP (Critical Information Infrastructure Protection) is a more narrowly focused precursor to the development of that wider policy. Clearly, the review of the policy will include reaching a view on what should be done with ENISA. There may be an assumption in the Communication and elsewhere that the Agency should continue in a modified form. Indeed, one of the conclusions drawn at the Tallinn conference was that ENISA could be 'a valuable instrument for bolstering EU-wide cooperative efforts in this field. However, the new and long lasting challenges ahead require a thorough rethinking and reformulation of the Agency's mandate in order to better focus on EU priorities and needs'. I am not convinced that we should rush to conclusions on this point. It seems self-evident to me that you should decide on your policy objectives first and then review what instruments you might need to achieve them. The UK will make this point at the forthcoming Telecoms Council discussion referred to above."

INTERNET GOVERNANCE

"As the Committee has noted in its response to the EM, I have expressed some concerns regarding the Commission's proposals regarding the development of Principles and Guidelines for Internet resilience and stability at a global level. My concern here is not to query whether there are questions around internet security and resilience that need to be addressed at the global level — examples are the protection of undersea cables, the security of the domain name system and the protection of peering points — but rather that we do not want the Commission to have enhanced powers in this area.

"As your note makes clear, the whole issue of internet governance has been fraught and we have fully supported the IGF (Internet Governance Forum) process as a way of addressing global issues through gaining consensus on solutions; this process relies on the contribution of all stakeholders to build global consensus, including the contribution [of] individual EU member states. The Commission's principal engagement in the IGF process is through working with Member States, the Council of Europe and European parliamentarians on preparations for a second regional forum, the European Dialogue on Internet Governance. We are happy with this process and I will wish to ensure through the development of the international element of the Communication that this does not become a 'land grab' by the Commission to buy them increased influence at UK expense in fora such as the IGF."

Conclusion

1.18 We are grateful to the Minister for his comprehensive response. His position is clear: that the Commission has a role in addressing levels of preparedness and security that vary significantly across Member States by helping Member States build up resilience; that it is very positive that the Commission continues to focus on engaging both the public and private sectors, as the next stage of policy development in prioritising the areas it believes are key to the broader objective of strengthening information systems in the EU; and that, while internet security and resilience needs to be addressed at the global level, he does not want the Commission to have enhanced powers in this area.

1.19 At the moment, that is not a live issue; but there is every reason not to take this for granted. Here and now, the Minister says, the Commission is preparing a European Dialogue on Internet Governance, which he wishes to ensure "does not become a 'land grab' by the Commission to buy them increased influence at UK expense in fora such as the IGF." We would like the Minister to write to us about the outcome of this exercise in due course, and in particular whether he then judges that the Commission is on the course that he prefers, or is showing any signs of wishing to acquire the sort of control that he opposes.

1.20 In the meantime we shall continue to retain the document under scrutiny.




1   Which the Committee reported to the House on 18 July 2006: see (27570) 10248/06: HC 34-xxxv (2005-06), chapter 8 (13 July 2006).

2   According to its website, ENISA "was set up to enhance the capability of the European Union, the EU Member States and the business community to prevent, address and respond to network and information security problems. In order to achieve this goal, ENISA is a Centre of Expertise in Network and Information Security and is stimulating the cooperation between the public and private sectors." See http://www.enisa.europa.eu/index.htm for full information on ENISA.

3   http://ec.europa.eu/information_society/newsroom/cf/itemlongdetail.cfm?item_id=4464

4   COM(2006) 786

5   2008/114/EC

6   http://www.consilium.europa.eu/ueDocs/cms_Data/docs/pressData/en/gena/104617.pdf

7   COM(08) 676

8   COM(07) 697, COM(07) 698, COM(07) 699

9   Art. 13 Framework Directive

10   2005/222/JHA

11   COM(08) 712

12   http://www.usdoj.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf

13   HC 19-xvi (2008-09), chapter 2 (6 May 2009); see headnote.

14   See headnote; HC 16-xxiii (2007-08), chapter 12 (4 June 2008).

15   See headnote; (27466) 8841/08: HC 41-xxi (2006-07), chapter 15 (9 May 2007).

© Parliamentary copyright 2009
Prepared 3 July 2009