Documents considered by the Committee on 3 November 2010, including the following recommendations for debate: Financial Management - European Scrutiny Committee Contents

8 Protecting information networks from cyber attacks



+ ADDs 1-4

COM(09) 149

Commission Communication: Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience

Legal base: —
Department: Business, Innovation and Skills
Basis of consideration: Minister's letter of 28 October 2010
Previous Committee Report: HC 5-v (2009-10), chapter 6 (6 January 2010); HC 19-xxi (2008-09), chapter 1 (24 June 2009) and HC 19-xvi (2008-09), chapter 2 (6 May 2009); also see (27570) 10248/06: HC 34-xxxv (2005-06), chapter 8 (13 July 2006). Also see (29300) 16840/07: HC 16-xxiii (2007-08), chapter 12 (4 June 2008); and (27466) 8841/08: HC 41-xxi (2006-07), chapter 15 (9 May 2007)
To be discussed in Council: To be determined
Committee's assessment: Politically important
Committee's decision: Cleared


8.1 As the Commission notes, Information and Communication Technologies (ICTs) are increasingly intertwined in our daily activities, with some of these ICT systems, services, networks and infrastructures (in short, ICT infrastructures) forming a vital part of European economy and society, either providing essential goods and services or constituting the underpinning platform of other critical infrastructures, and being "typically regarded as critical information infrastructures (CIIs) as their disruption or destruction would have a serious impact on vital societal functions." The Commission gives as recent examples the large-scale cyber-attacks targeting Estonia in 2007 and the breaks of transcontinental cables in 2008.

8.2 The Commission recalls its "strategy for a secure information society", which was adopted in 2006,[41] where it says "ownership and implementation by stakeholders appears insufficient".

8.3 The Commission refers to the place in this strategy of the European Network and Information Security Agency (ENISA), established in 2004 to "contribute to the goals of ensuring a high and effective level of NIS within the Community and developing a culture of NIS for the benefit of EU citizens, consumers, enterprises and administrations" — a mandate extended "à l'identique" until March 2012, but subject to "further discussion on the future of ENISA and on the general direction of the European efforts towards an increased network and information security".

8.4 Other elements in the Policy Context to which the Commission refers are:

— the European Programme for Critical Infrastructure Protection (EPCIP)[42] and the Directive[43] on the identification and designation of European Critical Infrastructures,[44] which identifies the ICT sector as a future priority sector, and the Critical Infrastructure Warning Information Network (CIWIN);[45]

— the Commission proposal to reform the Regulatory Framework for electronic communications networks and services,[46] and particularly the provisions to strengthen operators' obligations to ensure that appropriate measures are taken to meet identified risks, guarantee the continuity of supply of services and notify security breaches,[47] which the Commission says is "conducive to the general objective of enhancing the security and resilience of CIIs", and which the European Parliament and the Council "broadly support";

— complementarity with existing and prospective measures in the area of police and judicial cooperation to prevent, fight and prosecute criminal and terrorist activities targeting ICT infrastructures, as envisaged inter alia by the Council Framework Decision on attacks against information systems[48] and its planned update;[49]

— NATO activities on common policy on cyber defence, i.e. the Cyber Defence Management Authority and the Cooperative Cyber Defence Centre of Excellence;

— the G8 principles on CIIP15;[50]

— the UN General Assembly Resolution 58/199: Creation of a global culture of cybersecurity; and

— the protection of critical information infrastructures and the recent OECD Recommendation on the Protection of Critical Information Infrastructures.

The Commission Communication

8.5 The Communication (which is summarised in greater detail in the previous Committee's Report of 6 May 2009)[51] develops the case for enhancing resilience within CII infrastructure within Member States as well as across the EU, and developing a European capacity to counter cyber attack. The Commission says "a multi-stakeholder, multi-level approach is essential, taking place at the European level while fully respecting and complementing national responsibilities." This would require strengthening the existing instruments for cooperation, including ENISA, and, if necessary, creating new tools.

8.6 The intention is to promote an integrated European approach to cyber security issues by focusing on the need for a more coherent approach to the protection and resilience of CII. The disparity in Member States' capacity is important because of the pan-national and cross border nature in which CII and the internet functions. Because the sector is extremely competitive and has a large number of players operating and using national, European and global infrastructure, the Commission is advocating "Public Private Partnerships" in individual Member States, as well as a "Europe-wide multi stakeholder governance framework", to foster EU level cooperation between public and private sectors. With this in mind, the Commission proposes five areas of work:

— Preparedness and Prevention: to ensure preparedness at all levels (through closer cooperation);

— Detection and Response: to provide adequate early warning mechanisms;

— Mitigation and Recovery: to reinforce EU defence mechanisms for CII (through Member State and pan-EU exercises);

— International cooperation: to promote EU priorities internationally (through further debate and the development of a European roadmap on principles and guidelines for resilience and stability, and on international cooperation and engagement);

— Criteria for the ICT sector: to support the implementation of the Directive on the Identification and Designation of European Critical Infrastructure.

8.7 Under these headings, ten actions are proposed, each with a target date for completion (also set out in detail in the previous Committee's Report of 6 May 2009). The Commission says that the success of these actions depends on building upon and benefiting public and private activities and on the commitment and full participation of Member States, European Institutions and stakeholders. To this end, a Ministerial Conference was to take place on 27-28 April 2009 to discuss the proposed initiatives with Member States and to mark their commitment to the debate on a modernised and reinforced NIS policy in Europe; and the Commission would initiate a stock-taking exercise toward the end of 2010, in order to evaluate the first phase of actions and to identify and propose further measures, as appropriate.

8.8 In his Explanatory Memorandum of 28 April 2009, the then Minister (Lord Carter of Barnes) noted that the elements of this Action Plan were "aspirational and not binding". The UK had been involved in helping develop critical information infrastructure protection policy at a European level for some time, and supported the drive from the Commission to achieve higher levels of resilient information infrastructure. He also approved of the indications of the importance that the Commission attached to working with industry and taking a risk-based approach to work in this area — "an approach which HMG strongly supports and promotes as the most effective way to enhance resilience and increase CII".

8.9 The UK, the then Minister said, was "generally ahead of the game in addressing critical information infrastructure protection and resilience to ensure availability of communications, and the overarching objectives of this Communication are part of core infrastructure resilience policy." This had been achieved through — amongst other things — "continued close working with industry and across Government, through the Electronic Communications Resilience and Response Group (EC-RRG), security advice given by the Centre for the Protection of National Infrastructure (CPNI), as well as resilience requirements on key telecoms providers under the Civil Contingencies Act 2003". In addition, "BERR and OGDs continue to work with industry to ensure that security and preparedness measures such as emergency response and protective security plans are in place; these are tested on a regular basis [and] the Cabinet Office has been leading work on a Cyber Security Strategy since September 2008."

8.10 All this said, the then Minister had some concerns about the Communication:

— in some cases the evidence base was relatively weak, and on occasion supported analysis which could be considered alarmist (though, he said, this should not detract from the need for further work at individual Member State level to enhance CII as well as further useful coordinating work at EU level);

— the current timetable was "highly aspirational", and unlikely to be achievable across the EU — especially where emergency response exercises were concerned;

— where experience had demonstrated that this is an area of work where preparedness needs to be built up in individual Member States before becoming effective at an EU level;

— the Communication seemed "to have adopted a relatively narrow view with regard to the resilience and stability solely of internet components — by apparently aiming to identify these globally"; he was waiting to see how the Commission was aiming to achieve this without any kind of EU-wide consensus in the arena of Internet security; there was also no indication of where such a debate would take place;

— he believed the Commission's long-term strategy was "to develop these areas of work into legal minimum levels and standards of resilience, preparedness and security", but no timetable or detail had yet been set out for this.

The previous Committee's assessment

8.11 The previous Committee found it odd that the then Minister made no mention of the April 2009 Ministerial conference or of the 2010 stock-take, the Commission having made it clear that at this point it expected to propose further measures. In the first instance, we asked the Minister to write to us with his assessment of the conference and its outcomes.

8.12 The previous Committee also asked him to elaborate more fully on those aspects of the Communication (which he summed up very briefly in his Explanatory Memorandum) that he regarded as based on relatively weak evidence or alarmist analysis. As he said, preparedness undoubtedly needed to be built up in individual Member States before becoming effective at an EU level. But the case for developing a capacity for Member States to work together effectively seemed to the previous Committee to be self-evident. No doubt the Commission's timetable was unrealistic; time would tell: but, in saying that he supported "the drive from the Commission to achieve higher levels of resilient information infrastructure", the then Minister did not make clear whether his concern was over only the level of ambition of the Commission's timetable, or over the Commission's proposals for a greater role for the Commission in general and ENISA in particular. Nor, in saying what he thought the Commission's long-term strategy was, did the then Minister say what he thought about it. So the previous Committee asked him to explain his views more fully about the best way ahead.

8.13 The previous Committee also found it odd that the then Minister made no mention of ENISA at all, given that it was the subject of prolonged discussion with his Department in 2007-08.[52] That discussion was about the proposal to which the Commission itself referred, i.e., the extension of its mandate until 2012. This was contentious because the independent evaluation in 2006 required by its statutes had revealed an unhappy state of affairs, at the heart of which was the Commission's rejection of the review's most important finding — that the decision, left to the Greek government during its then-Presidency, to locate ENISA on Crete, should be revisited. The Government of Greece maintained that the case against Crete was not soundly based and, at that time, was said to be "working hard to address the most obvious problems". A year on, the Commission was now proposing an expanded role for it in developing a pan-European framework without, so far as the previous Committee was aware, any indication that the agency was any more effective at doing its present job than it was when the critical review was produced. The previous Committee therefore asked the then Minister to bring it up to date on what had been done and to let it know if he considered that ENISA was up to the task that the Commission had in mind for it.

8.14 The then Minister also suggested that he was unhappy with the Commission's thoughts on this aspect of Internet governance (cf. paragraph 3.10 above), which he said was "without any kind of EU-wide consensus in the arena of Internet security". In 2006-2007, the previous Committee considered an earlier Commission Communication on Internet governance, which sought to assess the results of the second World Summit on the Information Society (which was held in Tunis in November 2005).[53] It was designed to reach conclusions on the two unresolved issues — financial mechanisms and Internet governance. The latter was resolved via the creation of an Internet Governance Forum (IGF) as a new forum for multi-stakeholder policy dialogue. Last November, the then Minister's colleague, Baroness Vadera, told the previous Committee that the UK, the EU and the US were all of one mind on "ensuring this multi-stakeholder process is a success", and that security was likely to be one of the main issues to be addressed at the third IGF Forum, to be held in Hyderabad on 1-5 December 2008 — which she described as "global dialogue on Internet governance and the future direction of the IGF at this crucial mid-way point in its 5-year life span". There was, however, no mention of the IGF by either the Commission or the then Minister. The previous Committee therefore asked him to explain more fully what he found wrong with the Commission approach, and why there was no mention of what otherwise seemed to be a key component in developing an effective international response to the threat in question.

8.15 In the meantime, the previous Committee retained the document under scrutiny.

The then Minister's letter of 11 June 2009

8.16 The then Minister's comprehensive letter covered the following areas:


8.17 Discussion at the April 2009 Tallinn Ministerial Conference had centred on the aims outlined in the Commission Communication. The then Commissioner, Viviane Reding, had spoken forcefully in support of the Commission's work in this area and emphasised its importance. The Communication had received support from Member States, and the general consensus was that the future focus should be on identifying what the main priorities should be and how these can be delivered. The main outcomes indicated that action was required and that the main need was to focus on enhancing coordination and cooperation amongst Member States and with industry to deliver enhanced infrastructure protection:

  • a clear and coherent strategy for the coming years, based first and foremost on strong coordination and cooperation among Member States, the private sector and all concerned stakeholders;
  • action to enhance preparedness, security and resilience of Critical Information Infrastructure across the EU should be accompanied by a thorough discussion on the future of EU policy towards Network and Information Security;
  • each Member State should act domestically to enhance the protection of its own Critical Information Infrastructures as a necessary building block towards an enhanced EU preparedness;
  • a joint EU exercise on Critical Information Infrastructure Protection should be organised and staged by 2010 (in line with the Commission's action plan);
  • ENISA (European Network and Information Security Agency) had the potential to be a valuable instrument for bolstering EU-wide cooperative efforts in this field. However, the new and long lasting challenges ahead require a thorough rethinking and reformulation of the Agency's mandate in order to better focus on EU priorities and needs;
  • dialogue between public authorities and the private sector should be stimulated to ensure responsibilities of Member States to protect their citizens as well as the practical constraints faced by businesses are well understood;
  • public and private sectors should be engaged at the EU level in developing an appropriate policy, economic framework and the incentives to support the uptake of security and resilience measures;
  • an instrument serving to facilitate information sharing and dissemination of good practice between Member States would help to maximise the overall capability and level of expertise across the EU;
  • arrangements such as Public-Private Partnerships or a Forum of Member States were essential to ensure that understanding and information exchange is followed by concrete action at the strategic and tactical levels.

8.18 The then Minister described these outcomes as "clearly a solid base from which to enhance network resilience and preparedness" and as largely supporting the aims of the Communication; not all of the elements of the Communication were accepted without question — particularly in relation to the reality of the timetable, where the meeting concluded that the varying levels of preparedness and security across Member States needed to be addressed by helping them build up resilience. He regarded it as "very positive that the Commission continues to focus on engaging both the public and private sectors", which he regarded as "a good basis for the next stage of policy development in prioritising the areas it believes are key to the broader objective of strengthening information systems in the EU" and which would be taken as a discussion point at the 11 June 2009 Telecoms Council.


8.19 The case for developing a capacity for Member States to work together effectively was, the then Minister said, clearly self-evident: but the approach taken by the Commission "smacks of hobbling [sic] together whatever evidence they can put their hands on and then interpreting it in a dramatic way". One of the issues going forward would be how to measure success, and it did not augur well that this document "is so light on analysis and relevant data"; his concern was "more on the principles of better regulation and evidence-based decision making rather than what is proposed." A case in point was the way in which the attacks on Estonia were presented as a watershed; though they had undoubtedly had a severe impact, Commission policy should not be determined by reference to one incident where there was little information in the public domain as to what had actually happened. Additionally, many different cost estimates and risk assessments — the basis of which was not always clear — had been cited when referring to the cost of loss or disruption of information systems. The UK approach to protecting critical infrastructure was based on broad risk analysis and a detailed understanding of the UK telecoms system to achieve a measured approach across the system as a whole; he was "hopeful that the Commission, having stated in the Communication that it will adopt a risk-based approach, will move away from broad-brush high-level risks and embrace a more targeted approach to analysis and measurement."


8.20 The review of the Framework regulation for the Communications Sector was seen as an opportunity to review in depth the EU approach to Network and Information Security in its widest sense. The approach to CIIP (Critical Information Infrastructure Protection) was a more narrowly focused precursor to the development of that wider policy. The policy review would include reaching a view on what should be done with ENISA. One of the conclusions drawn at the Tallinn conference was that ENISA could be a valuable instrument for bolstering EU-wide cooperative efforts in this field. However, the new and long lasting challenges ahead required, in the then Minister's view, "a thorough rethinking and reformulation of the Agency's mandate in order to better focus on EU priorities and needs"; he was "not convinced that we should rush to conclusions on this point"; it seemed "self-evident ... that you should decide on your policy objectives first and then review what instruments you might need to achieve them" — a point that the UK would be making at the forthcoming Telecoms Council discussion referred to above.


8.21 The then Minister's concerns regarding the Commission's proposals for the development of Principles and Guidelines for Internet resilience and stability at a global level were not over "whether there were questions around internet security and resilience that need to be addressed at the global level — examples are the protection of undersea cables, the security of the domain name system and the protection of peering points — but rather that we do not want the Commission to have enhanced powers in this area." The whole issue of internet governance "has been fraught and we have fully supported the IGF (Internet Governance Forum) process as a way of addressing global issues through gaining consensus on solutions; this process relies on the contribution of all stakeholders to build global consensus, including the contribution [of] individual EU member states." The Commission's principal engagement in the IGF process is "through working with Member States, the Council of Europe and European parliamentarians on preparations for a second regional forum, the European Dialogue on Internet Governance." He professed himself happy with this process and said that he would wish to ensure, through the development of the international element of the Communication, that this "does not become a 'land grab' by the Commission to buy them increased influence at UK expense in fora such as the IGF."

The previous Committee's further assessment

8.22 The previous Committee found the then Minister's position clear, viz., that:

— the Commission has a role in addressing Member States' varying levels of preparedness and security by helping them build up resilience;

— it was very positive that the Commission continued to focus on engaging both the public and private sectors, as the next stage of policy development in prioritising the key areas consistent with the broader objective of strengthening EU information systems; and

— while internet security and resilience needed to be addressed at the global level, he did not want the Commission to have enhanced powers in this area;

— in particular, he did not wish to see the European Dialogue on Internet Governance that the Commission was preparing become a means of securing increased influence at UK expense in fora such as the IGF.

8.23 While not at the moment a live issue, the previous Committee felt that there was every reason not to take this for granted. The previous Committee therefore asked the Minister to write about the outcome of this exercise in due course, and in particular to say whether he then judged that the Commission was on the course that he preferred, or was showing any signs of wishing to acquire the sort of control that he opposes.

8.24 In the meantime the previous Committee continued to retain the document under scrutiny.[54]

The then Minister's letter of 21 December 2009

8.25 The then Minister for Digital Britain (Stephen Timms) began by apologising for the time taken to respond, which he said was because "it seemed advisable to provide input to the House of Lords inquiry centred on this Communication before giving you an update."

8.26 With regard to his predecessor's concern set out in his letter of 11 June — "that the ideas for agreed European positions on global priorities to achieve internet stability should not become the rationale for an increase in Commission competence — thereby reducing Member State influence in fora such as the IGF" — the then Minister said that he had yet to see the proposed road map on internet stability; the Commission were making efforts to consult on and discuss the key deliverables from the Communication although, at this stage, it was not possible to describe in any detail what these initiatives might look like. That said, the then Minister believed that his evidence to the House of Lords indicated that the then Government remained broadly supportive of the intentions of the Communication and had no problem with a discussion around global internet stability issues. The then Minister said that he:

"took some comfort from the evidence given by Mr Servida of the Commission in which he took great pains to emphasise that the Commission's main role in this area was to facilitate closer co-operation between the Member States and to promote a greater involvement by the private sector. In addition, we have seen no attempt by the Commission to play a greater role in co-ordinating Member State positions for the Internet Governance Forum (IGF) on the back of concerns about internet stability. Indeed, I believe that the Commission played a strong supportive role in recent IGF in Sharm-el-Sheikh."

8.27 Referring again to his Department's evidence to the House of Lords, the then Minister thought that this "confirms the positive impression we have of the direction of travel of the Communication", and concluded by expressing the hope that the previous Committee would "take comfort from this letter that we have not identified any evidence to support the concerns alluded to" in the Committee's previous Report.

The previous Committee's further assessment

8.28 The previous Committee noted that, as the then Minister said, there was at present no indication of what next steps the Commission would put forward under the proposed European Dialogue on Internet Governance, and looked forward to hearing further from the Minister as and when they emerged.

8.29 The previous Committee also wished to make it clear that, should it be decided to put the Communication to the Council for adoption, it expected the then Minister to write beforehand with details of the Conclusions that he would expect to see adopted.

8.30 In the meantime, it continued to retain the Communication under scrutiny.

The Minister's letter of 28 October 2010

8.31 The Minister for Culture, Communications and Creative Industries in the Department for Business, Innovation and Skills/Department for Culture, Media and Sport (Ed Vaizey) begins his letter by referring to the results of the House of Lords Inquiry into the subject matter of the Commission Communication, the reply on behalf of the Government by his Ministerial colleague (Baroness Pauline Neville-Jones) and the debate in the House of Lords, professing himself glad to note that there was a large measure of agreement between the Lords Committee and the Government "about the protection of critical information infrastructures being a challenge for the whole of the European Union and worth of [sic] further work at that level."

8.32 With regard to the outstanding issues raised by the previous Committee, the Minister says:

"I should make clear that I have no doubt that my predecessors were right to express caution about the Commission's role in the international aspects of the policy they were promoting. Indeed, I hope it is clear that our policy is even stronger on challenging the Commission on issues of competence.

"That said, at the point at which the Minister wrote in June 2009, it was not clear quite how far the scepticism of the Commission's possible intentions was justified. I can now report that this does not appear to be the problem that might have been envisaged.

"To be clear on one point, I am not convinced that the earlier correspondence from the then Minister meant to imply that we saw the Commission's involvement in the European Dialogue on Internet Governance as a potential "land grab" by the Commission. The UK continues to support the global Internet Governance Forum (IGF) and believe that the success of that is enhanced by regional multi-stakeholder discussions such as that facilitated for the EU by the European Dialogue on Internet Governance (known as EuroDIG) which is sponsored by the Council of Europe. The third EuroDIG meeting held in Madrid on 29-30 April was generally regarded as successful and we see no reason to challenge the Commission's contribution to EuroDIG in promoting dialogue on internet governance issues with stakeholders in the EU."

8.33 The Minister then turns to the previous Committee's concern that the Commission would seek to impose a common approach to the issue of how best to promote internet stability and resilience, and says:

"Things have moved on in this regard. The Commission has, according to the proposal set out in the Communication, discussed a set of principles that might govern policies on internet stability and resilience. These are of a very high-level and general nature — for example identifying the need to promote risk management and involve stakeholders in the formulation of policy. This document is at present in draft and the Commission have produced this in close co-operation with the Member States.

"We do not yet know whether this document will be published but I do not see the formulation of this set of principles as in any way justifying concern about an extension of competence by the Commission."

8.34 The Minister expresses the hope therefore that the Committee will now consider clearing the Communication from scrutiny:

"This is not the end of the story in this policy area. I have already submitted an Explanatory Memorandum on the future of the European Network and Information Security Agency that foresees an ongoing role for the Agency in some of the activities proposed by the Communication.[55] We have also gathered that the Commission propose a new Communication next year that takes the ideas that are being developed in relation to principles governing policy on internet stability and turns those into concrete actions for the various parties concerned. At that stage, we will again need to be vigilant that the Commission do not seek to extend their competence in that context."

8.35 The Minister concludes his letter by referring to the Government's Strategic Defence and Security Review, in which he says "the challenge of cyber-security is one of the biggest challenges facing the UK and it is important that the Commission, Agencies such as ENISA and the EU generally, play their role in addressing a common challenge."


8.36 We are grateful to the Minister for this further information, which we report to the House because of the importance of this issue. As the Minister indicates, the next step is the proposed Commission Communication on internet stability.

8.37 In the meantime, we clear this Communication from scrutiny.

41   Which the Committee reported to the House on 18 July 2006: see (27570) 10248/06: HC 34-xxxv (2005-06), chapter 8 (13 July 2006).

42   COM(06) 786.

43   2008/114/EC.

44

45   COM(08) 676.

46   COM(07) 697, COM(07) 698, COM(07) 699.

47   Art. 13 Framework Directive.

48   2005/222/JHA.

49   COM(08) 712.

50

51   See headnote: HC 19-xvi (2009-09), chapter 2 (6 May 2009).

52   See headnote: HC 16-xxiii (2007-08), chapter 12 (4 June 2008).

53   See headnote: (27466) 8841/08: HC 41-xxi (2006-07), chapter 15 (9 May 2007).

54   See headnote: HC 19-xxi (2008-09), chapter 1 (24 June 2009).

55   See chapter 2 of this report for our consideration of the latest developments regarding ENISA.


© Parliamentary copyright 2010
Prepared 12 November 2010