Documents considered by the Committee on 6 January 2010 - European Scrutiny Committee


6 Protecting information networks from cyber attacks

(30528)

8375/09

+ ADDs 1-4

COM(09) 149

Commission Communication: Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience

Legal base
Department Business, Innovation and Skills
Basis of consideration Minister's letter of 21 December 2009
Previous Committee Report HC 19-xxi (2008-09), chapter 1 (24 June 2009) and HC 19-xvi (2008-09), chapter 2 (6 May 2009); also see (27570) 10248/06: HC 34-xxxv (2005-06), chapter 8 (13 July 2006). Also see (29300) 16840/07: HC 16-xxiii (2007-08), chapter 12 (4 June 2008); and (27466) 8841/08: HC 41-xxi (2006-07), chapter 15 (9 May 2007)
To be discussed in Council To be determined
Committee's assessment Politically important
Committee's decision Not cleared; further information requested

Background

6.1 As the Commission notes, Information and Communication Technologies (ICTs) are increasingly intertwined in our daily activities, with some of these ICT systems, services, networks and infrastructures (in short, ICT infrastructures) forming a vital part of European economy and society, either providing essential goods and services or constituting the underpinning platform of other critical infrastructures, and being "typically regarded as critical information infrastructures (CIIs) as their disruption or destruction would have a serious impact on vital societal functions." The Commission gives as recent examples the large-scale cyber-attacks targeting Estonia in 2007 and the breaks of transcontinental cables in 2008.

6.2 The Commission recalls its "strategy for a secure information society", which was adopted in 2006,[9] where it says "ownership and implementation by stakeholders appears insufficient".

6.3 The Commission refers to the place in this strategy of the European Network and Information Security Agency (ENISA),[10] established in 2004 to "contribute to the goals of ensuring a high and effective level of NIS within the Community and developing a culture of NIS for the benefit of EU citizens, consumers, enterprises and administrations" — a mandate extended "à l'identique" until March 2012, but subject to "further discussion on the future of ENISA and on the general direction of the European efforts towards an increased network and information security", as a result of which the Commission launched last November an online public consultation,[11] the analysis of which will be made available shortly.

6.4 Other elements in the Policy Context to which the Commission refers are:

—  the European Programme for Critical Infrastructure Protection (EPCIP)[12] and the Directive[13] on the identification and designation of European Critical Infrastructures,[14] which identifies the ICT sector as a future priority sector, and the Critical Infrastructure Warning Information Network (CIWIN);[15]

—  the Commission proposal to reform the Regulatory Framework for electronic communications networks and services,[16] and particularly the provisions to strengthen operators' obligations to ensure that appropriate measures are taken to meet identified risks, guarantee the continuity of supply of services and notify security breaches,[17] which the Commission says is "conducive to the general objective of enhancing the security and resilience of CIIs", and which the European Parliament and the Council "broadly support";

—  complementarity with existing and prospective measures in the area of police and judicial cooperation to prevent, fight and prosecute criminal and terrorist activities targeting ICT infrastructures, as envisaged inter alia by the Council Framework Decision on attacks against information systems[18] and its planned update;[19]

—  NATO activities on common policy on cyber defence, i.e. the Cyber Defence Management Authority and the Cooperative Cyber Defence Centre of Excellence;

—  the G8 principles on CIIP;[20]

—  the UN General Assembly Resolution 58/199: Creation of a global culture of cybersecurity; and

—  the protection of critical information infrastructures and the recent OECD Recommendation on the Protection of Critical Information Infrastructures.

The Commission Communication

6.5 The Communication (which is summarised in greater detail in our Report of 6 May 2009)[21] develops the case for enhancing the resilience of CII within Member States as well as across the EU, and for developing a European capacity to counter cyber attack. The Commission says "a multi-stakeholder, multi-level approach is essential, taking place at the European level while fully respecting and complementing national responsibilities." This would require strengthening the existing instruments for cooperation, including ENISA, and, if necessary, creating new tools.

6.6 The intention is to promote an integrated European approach to cyber security issues by focusing on the need for a more coherent approach to the protection and resilience of CII. The disparity in Member States' capacity is important because of the pan-national and cross border nature in which CII and the internet functions. Because the sector is extremely competitive and has a large number of players operating and using national, European and global infrastructure, the Commission is advocating "Public Private Partnerships" in individual Member States, as well as a "Europe-wide multi stakeholder governance framework", to foster EU level cooperation between public and private sectors. With this in mind, the Commission proposes five areas of work:

—  Preparedness and Prevention: to ensure preparedness at all levels (through closer cooperation);

—  Detection and Response: to provide adequate early warning mechanisms;

—  Mitigation and Recovery: to reinforce EU defence mechanisms for CII (through Member State and pan-EU exercises);

—  International cooperation: to promote EU priorities internationally (through further debate and the development of a European roadmap on principles and guidelines for resilience and stability, and on international cooperation and engagement);

—  Criteria for the ICT sector: to support the implementation of the Directive on the Identification and Designation of European Critical Infrastructure.

6.7 Under these headings, ten actions are proposed, each with a target date for completion (also set out in detail in our earlier Report). The Commission says that the success of these actions depends on building upon and benefiting public and private activities and on the commitment and full participation of Member States, European Institutions and stakeholders. To this end, a Ministerial Conference was to take place on 27-28 April 2009 to discuss the proposed initiatives with Member States and to mark their commitment to the debate on a modernised and reinforced NIS policy in Europe; and the Commission would initiate a stock-taking exercise toward the end of 2010, in order to evaluate the first phase of actions and to identify and propose further measures, as appropriate.

6.8 In his Explanatory Memorandum of 28 April, the then Minister for Communications, Technology and Broadcasting at the Department for Business, Enterprise and Regulatory Reform (Lord Carter of Barnes) noted that the elements of this Action Plan were "aspirational and not binding". The UK had been involved in helping develop critical information infrastructure protection policy at a European level for some time, and supported the drive from the Commission to achieve higher levels of resilient information infrastructure. He also approved of the indications of the importance that the Commission attached to working with industry and taking a risk-based approach to work in this area — "an approach which HMG strongly supports and promotes as the most effective way to enhance resilience and increase CII".

6.9 The UK, the then Minister said, was "generally ahead of the game in addressing critical information infrastructure protection and resilience to ensure availability of communications, and the overarching objectives of this Communication are part of core infrastructure resilience policy." This had been achieved through — amongst other things — "continued close working with industry and across Government, through the Electronic Communications Resilience and Response Group (EC-RRG), security advice given by the Centre for the Protection of National Infrastructure (CPNI), as well as resilience requirements on key telecoms providers under the Civil Contingencies Act 2003". In addition, "BERR and OGDs continue to work with industry to ensure that security and preparedness measures such as emergency response and protective security plans are in place; these are tested on a regular basis [and] the Cabinet Office has been leading work on a Cyber Security Strategy since September 2008."

6.10 All this said, the then Minister had some concerns about the Communication:

—  in some cases the evidence base was relatively weak, and on occasion supported analysis which could be considered alarmist (though, he said, this should not detract from the need for further work at individual Member State level to enhance CII as well as further useful coordinating work at EU level);

—  the current timetable was "highly aspirational", and unlikely to be achievable across the EU, especially where emergency response exercises were concerned, where experience had demonstrated that this is an area of work in which preparedness needs to be built up in individual Member States before becoming effective at an EU level;

—  the Communication seemed "to have adopted a relatively narrow view with regard to the resilience and stability solely of internet components — by apparently aiming to identify these globally"; he was waiting to see how the Commission was aiming to achieve this without any kind of EU-wide consensus in the arena of Internet security; there was also no indication of where such a debate would take place;

—  he believed the Commission's long-term strategy was "to develop these areas of work into legal minimum levels and standards of resilience, preparedness and security", but no timetable or detail for this was yet set out.

Our assessment

6.11 We found it odd that the Minister made no mention of the April 2009 Ministerial conference or of the 2010 stock-take, the Commission having made it clear that at this point it expected to propose further measures. In the first instance, we asked the Minister to write to us with his assessment of the conference and its outcomes.

6.12 We also asked the Minister to elaborate more fully on those aspects of the Communication (which he summed up very briefly in his Explanatory Memorandum) that he regarded as based on relatively weak evidence or alarmist analysis. As he said, preparedness undoubtedly needed to be built up in individual Member States before becoming effective at an EU level. But the case for developing a capacity for Member States to work together effectively seemed to us to be self-evident. No doubt the Commission's timetable was unrealistic; time would tell: but, in saying that he supported "the drive from the Commission to achieve higher levels of resilient information infrastructure", the Minister did not make clear whether his concern was over only the level of ambition of the Commission's timetable, or over the Commission's proposals for a greater role for the Commission in general and ENISA in particular. Nor, in saying what he thought the Commission's long-term strategy was, did the Minister say what he thought about it. So we asked him to explain his views more fully about the best way ahead.

6.13 We also found it odd that the Minister made no mention of ENISA at all, given that it was the subject of prolonged discussion with his Department in 2007-08.[22] That discussion was about the proposal to which the Commission itself referred, i.e., the extension of its mandate until 2012. This was contentious because the independent evaluation in 2006 required by its statutes had revealed an unhappy state of affairs, at the heart of which was the Commission's rejection of the review's most important finding — that the decision, left to the Greek government during its then-Presidency, to locate ENISA on Crete, should be revisited. The Government of Greece maintained that the case against Crete was not soundly based and, at that time, was said to be "working hard to address the most obvious problems". A year on, the Commission was now proposing an expanded role for it in developing a pan-European framework without, so far as we are aware, any indication that the agency is any more effective at doing its present job than it was when the critical review was produced. We therefore asked the Minister to bring us up to date on what had been done and to let us know if he considered that ENISA was up to the task that the Commission had in mind for it.

6.14 The Minister also suggested that he was unhappy with the Commission's thoughts on this aspect of Internet governance (cf. paragraph 6.10 above), which he said was "without any kind of EU-wide consensus in the arena of Internet security". In 2006-2007, we considered an earlier Commission Communication on Internet governance, which sought to assess the results of the second World Summit on the Information Society (which was held in Tunis in November 2005).[23] It was designed to reach conclusions on the two unresolved issues — financial mechanisms and Internet governance. The latter was resolved via the creation of an Internet Governance Forum (IGF) as a new forum for multi-stakeholder policy dialogue. Last November, the Minister's colleague, Baroness Vadera, told us that the UK, the EU and the US were all of one mind on "ensuring this multi-stakeholder process is a success", and that security was likely to be one of the main issues to be addressed at the third IGF meeting, to be held in Hyderabad on 1-5 December 2008 — which she described as "global dialogue on Internet governance and the future direction of the IGF at this crucial mid-way point in its 5-year life span". There was, however, no mention of the IGF by either the Commission or the Minister. We therefore asked the Minister to explain more fully what he found wrong with the Commission approach, and why there was no mention of what otherwise seemed to be a key component in developing an effective international response to the threat in question.

6.15 In the meantime, we retained the document under scrutiny.

The then Minister's letter of 11 June 2009

6.16 The then Minister's very comprehensive letter covered the following areas:

MINISTERIAL CONFERENCE

Discussion at the April 2009 Tallinn Ministerial Conference had centred on the aims outlined in the Commission Communication. The then Commissioner, Viviane Reding, had spoken forcefully in support of the Commission's work in this area and emphasised its importance. The Communication had received support from Member States, and the general consensus was that the future focus should be on identifying what the main priorities should be and how these can be delivered. The main outcomes indicated that action was required and that the main need was to focus on enhancing coordination and cooperation amongst Member States and with industry to deliver enhanced infrastructure protection:

  • a clear and coherent strategy for the coming years, based first and foremost on strong coordination and cooperation among Member States, the private sector and all concerned stakeholders;
  • action to enhance preparedness, security and resilience of Critical Information Infrastructure across the EU should be accompanied by a thorough discussion on the future of EU policy towards Network and Information Security;
  • each Member State should act domestically to enhance the protection of its own Critical Information Infrastructures as a necessary building block towards an enhanced EU preparedness;
  • a joint EU exercise on Critical Information Infrastructure Protection should be organised and staged by 2010 (in line with the Commission's action plan);
  • ENISA (European Network and Information Security Agency) had the potential to be a valuable instrument for bolstering EU-wide cooperative efforts in this field. However, the new and long lasting challenges ahead require a thorough rethinking and reformulation of the Agency's mandate in order to better focus on EU priorities and needs;
  • dialogue between public authorities and the private sector should be stimulated to ensure responsibilities of Member States to protect their citizens as well as the practical constraints faced by businesses are well understood;
  • public and private sectors should be engaged at the EU level in developing an appropriate policy, economic framework and the incentives to support the uptake of security and resilience measures;
  • an instrument serving to facilitate information sharing and dissemination of good practice between Member States would help to maximise the overall capability and level of expertise across the EU;
  • arrangements such as Public-Private Partnerships or a Forum of Member States were essential to ensure that understanding and information exchange is followed by concrete action at the strategic and tactical levels.

The then Minister described these outcomes as "clearly a solid base from which to enhance network resilience and preparedness" and as largely supporting the aims of the Communication; not all of the elements of the Communication were accepted without question, particularly in relation to the realism of the timetable, where the meeting concluded that the varying levels of preparedness and security across Member States needed to be addressed by helping Member States build up resilience. He regarded it as "very positive that the Commission continues to focus on engaging both the public and private sectors", which he regarded as "a good basis for the next stage of policy development in prioritising the areas it believes are key to the broader objective of strengthening information systems in the EU" and which would be taken as a discussion point at the 11 June 2009 Telecoms Council.

THE EVIDENCE BASE OF THE COMMUNICATION AND THE COMMISSION'S APPROACH

The case for developing a capacity for Member States to work together effectively was, the then Minister said, clearly self-evident: but the approach taken by the Commission "smacks of hobbling [sic] together whatever evidence they can put their hands on and then interpreting it in a dramatic way". One of the issues going forward would be how to measure success, and it did not augur well that this document "is so light on analysis and relevant data"; his concern was "more on the principles of better regulation and evidence-based decision making rather than what is proposed." A case in point was the way in which the attacks on Estonia were presented as a watershed; though they had undoubtedly had a severe impact, Commission policy should not be determined by reference to one incident where there was little information in the public domain as to what had actually happened. Additionally, many different cost estimates and risk assessments — the basis of which was not always clear — had been cited when referring to the cost of loss or disruption of information systems. The UK approach to protecting critical infrastructure was based on broad risk analysis and a detailed understanding of the UK telecoms system to achieve a measured approach across the system as a whole; he was "hopeful that the Commission, having stated in the Communication that it will adopt a risk-based approach, will move away from broad-brush high-level risks and embrace a more targeted approach to analysis and measurement."

ENISA

The review of the Framework regulation for the Communications Sector was seen as an opportunity to review in depth the EU approach to Network and Information Security in its widest sense. The approach to CIIP (Critical Information Infrastructure Protection) was a more narrowly focused precursor to the development of that wider policy. The policy review would include reaching a view on what should be done with ENISA. One of the conclusions drawn at the Tallinn conference was that ENISA could be a valuable instrument for bolstering EU-wide cooperative efforts in this field. However, the new and long lasting challenges ahead required, in the then Minister's view, "a thorough rethinking and reformulation of the Agency's mandate in order to better focus on EU priorities and needs"; he was "not convinced that we should rush to conclusions on this point"; it seemed "self-evident … that you should decide on your policy objectives first and then review what instruments you might need to achieve them" — a point that the UK would be making at the forthcoming Telecoms Council discussion referred to above.

INTERNET GOVERNANCE

The then Minister's concerns regarding the Commission's proposals for the development of Principles and Guidelines for Internet resilience and stability at a global level were not over "whether there were questions around internet security and resilience that need to be addressed at the global level — examples are the protection of undersea cables, the security of the domain name system and the protection of peering points — but rather that we do not want the Commission to have enhanced powers in this area." The whole issue of internet governance "has been fraught and we have fully supported the IGF (Internet Governance Forum) process as a way of addressing global issues through gaining consensus on solutions; this process relies on the contribution of all stakeholders to build global consensus, including the contribution [of] individual EU member states." The Commission's principal engagement in the IGF process is "through working with Member States, the Council of Europe and European parliamentarians on preparations for a second regional forum, the European Dialogue on Internet Governance." He professed himself happy with this process and said that he would wish to ensure, through the development of the international element of the Communication, that this "does not become a 'land grab' by the Commission to buy them increased influence at UK expense in fora such as the IGF."

Our further assessment

6.17 We found the then Minister's position clear, viz., that:

—  the Commission has a role in addressing Member States' varying levels of preparedness and security by helping them build up resilience;

—  it was very positive that the Commission continued to focus on engaging both the public and private sectors, as the next stage of policy development in prioritising the key areas consistent with the broader objective of strengthening EU information systems;

—  while internet security and resilience needed to be addressed at the global level, he did not want the Commission to have enhanced powers in this area; and

—  in particular, he did not wish to see the European Dialogue on Internet Governance that the Commission was preparing become a means of securing increased influence at UK expense in fora such as the IGF.

6.18 While not at the moment a live issue, we felt that there was every reason not to take this for granted. We therefore asked the Minister to write to us about the outcome of this exercise in due course, and in particular to say whether he then judged that the Commission was on the course that he preferred, or was showing any signs of wishing to acquire the sort of control that he opposes.

6.19 In the meantime we continued to retain the document under scrutiny.[24]

The Minister's letter of 21 December 2009

6.20 The Minister for Digital Britain (Stephen Timms) begins by apologising for the time taken to respond, which he says was because "it seemed advisable to provide input to the House of Lords inquiry centred on this Communication before giving you an update."

6.21 With regard to his predecessor's concern set out in his letter of 11 June — "that the ideas for agreed European positions on global priorities to achieve internet stability should not become the rationale for an increase in Commission competence — thereby reducing Member State influence in fora such as the IGF" — the Minister says:

"We have yet to see the proposed road map on internet stability but the Commission are making efforts to consult on and discuss the key deliverables from the Communication although, at this stage, it is not possible to describe in any detail what these initiatives might look like. That said, I believe our evidence to the House of Lords indicates that we remain broadly supportive of the intentions of the Communication and have no problem with a discussion around global internet stability issues. I took some comfort from the evidence given by Mr Servida of the Commission in which he took great pains to emphasise that the Commission's main role in this area was to facilitate closer co-operation between the Member States and to promote a greater involvement by the private sector. In addition, we have seen no attempt by the Commission to play a greater role in co-ordinating Member State positions for the Internet Governance Forum (IGF) on the back of concerns about internet stability. Indeed, I believe that the Commission played a strong supportive role in the recent IGF in Sharm-el-Sheikh."

6.22 Referring again to his Department's evidence to the House of Lords Inquiry to which he refers, the Minister says that he thinks this "confirms the positive impression we have of the direction of travel of the Communication", and concludes by expressing the hope that the Committee "will take comfort from this letter that we have not identified any evidence to support the concerns alluded to" in the Committee's previous Report.

Conclusion

6.23 As the Minister says, there is at present no indication of what next steps the Commission will put forward under the proposed European Dialogue on Internet Governance. We look forward to hearing further from the Minister as and when they emerge.

6.24 We also wish to make it clear that, should it be decided to put the Communication to the Council for adoption, we would expect the Minister to write to us beforehand with details of the Conclusions that he would expect to see adopted.

6.25 In the meantime, we shall continue to retain the Communication under scrutiny.


9   Which the Committee reported to the House on 18 July 2006: see (27570) 10248/06: HC 34-xxxv (2005-06), chapter 8 (13 July 2006). Back

10   According to its website, ENISA "was set up to enhance the capability of the European Union, the EU Member States and the business community to prevent, address and respond to network and information security problems. In order to achieve this goal, ENISA is a Centre of Expertise in Network and Information Security and is stimulating the cooperation between the public and private sectors." See http://www.enisa.europa.eu/index.htm for full information on ENISA. Back

11   http://ec.europa.eu/information_society/newsroom/cf/itemlongdetail.cfm?item_id=4464.  Back

12   COM(2006) 786.  Back

13   2008/114/EC. Back

14   http://www.consilium.europa.eu/ueDocs/cms_Data/docs/pressData/en/gena/104617.pdf.  Back

15   COM(08) 676. Back

16   COM(07) 697, COM(07) 698, COM(07) 699. Back

17   Art. 13 Framework Directive. Back

18   2005/222/JHA. Back

19   COM(08) 712. Back

20   http://www.usdoj.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf. Back

21   HC 19-xvi (2008-09), chapter 2 (6 May 2009); see headnote. Back

22   See headnote; HC 16-xxiii (2007-08), chapter 12 (4 June 2008). Back

23   See headnote; (27466) 8841/08: HC 41-xxi (2006-07), chapter 15 (9 May 2007). Back

24   See headnote: HC 19-xxi (2008-09), chapter 1 (24 June 2009). Back


© Parliamentary copyright 2010
Prepared 15 January 2010