EU Strategy for an Open, Safe and Secure Cyberspace


The Committee consisted of the following Members:

Chair: Miss Anne McIntosh 

Bradley, Karen (Staffordshire Moorlands) (Con) 

Clappison, Mr James (Hertsmere) (Con) 

Ellwood, Mr Tobias (Bournemouth East) (Con) 

Evans, Jonathan (Cardiff North) (Con) 

Farron, Tim (Westmorland and Lonsdale) (LD) 

Hendrick, Mark (Preston) (Lab/Co-op) 

Hilling, Julie (Bolton West) (Lab) 

Hopkins, Kelvin (Luton North) (Lab) 

Lidington, Mr David (Minister for Europe)  

Reynolds, Emma (Wolverhampton North East) (Lab) 

Shannon, Jim (Strangford) (DUP) 

Stewart, Rory (Penrith and The Border) (Con) 

Vaz, Valerie (Walsall South) (Lab) 

Lloyd Owen, Committee Clerk

† attended the Committee

European Committee B 

Monday 8 July 2013  

[Miss Anne McIntosh in the Chair] 

EU Strategy for an Open, Safe and Secure Cyberspace 

[Relevant document: European Scrutiny Committee, 35th Report of the Session 2012-13, HC 86-xxxv, Chapter 3.]

4.30 pm 

The Chair:  Does a member of the European Scrutiny Committee wish to make a brief explanatory statement? I remind them that this should be brief and refer to the relevant documents. 

Mr James Clappison (Hertsmere) (Con):  I have that responsibility, Miss McIntosh. May I say first what a great pleasure it is to serve under your chairmanship? I shall do my best to follow your first instruction, which is to be brief. It might be helpful if I explain a little of the background, however. 

The joint communication presents a context and rationale for the cyber-security strategy and sets out a series of proposals on which the EU might focus. The strategy makes it clear that the private sector, Governments and civil society have substantive parts to play. It sets out five priority areas: achieving cyber-resilience; drastically reducing cybercrime; developing cyber-defence policy and capabilities relating to the common security and defence policy; developing the industrial and technological resources for cyber-security; and establishing a coherent EU international cyberspace policy and promoting core EU values. 

The Minister for Europe told the European Scrutiny Committee that, unlike the communication, the associated Council conclusions 

“will be binding on the Commission and Member States”— 

a position that the Committee has long argued is the case. They therefore warrant prior scrutiny. Setting aside the Government’s insistence that they will not submit any Council conclusions for scrutiny, the Committee asked the Minister to set out the main points that he expected to be included in those conclusions in good time before the June Council meeting at which they were to be adopted. 

The European Scrutiny Committee noted that the Commission’s approach appeared to be essentially collaborative. There appeared to be no need for EU legislative compulsion. However, as the Committee noted in the separate, contemporaneous report tagged to this debate, questions arose immediately in the case of the proposed directive on network and information security. That is aimed at putting measures in place to avert or minimise the risk of a major attack on or technical failure of information and communication infrastructures. 

The subsequent response from my right hon. Friend the Minister for Universities and Science to the Committee’s queries made it more plain than ever that the Commission’s proposals are highly prescriptive, will require significant changes to UK law and have not been properly costed by the Commission, and raises serious questions as to their justification. Although, as both Ministers acknowledge, a degree of EU co-ordination is no doubt beneficial because of the cross-border context, the EU already has an agency—the European Network and Information Security Agency—whose role it is to facilitate that. As well as ENISA, other non-legislative options are open to the Commission.

However, the Commission appears to be deaf to anything other than legislation. The Government—with an eye, no doubt, on the qualified-majority-voting basis of the proposal—appear to be resigned to damage limitation. The European Scrutiny Committee would like to have known whether other member states share the concerns that I have set out or whether the Government are alone in preferring a collaborative approach. The Committee saw this debate on the joint communication as an opportunity for the Government to clarify that. 

On 13 March, the European Scrutiny Committee recommended this debate. The Council adopted conclusions running to nine pages and 49 paragraphs on 25 June. The Committee was not provided with any substantive indication of their likely contents. It was the Committee’s clear intention that they should form part of the material that would inform this debate and that it should be held before the Council meeting. The Minister will no doubt explain why the Government chose to order business in such a way as to stymie the prior scrutiny that the Committee recommended. 

The Chair:  I call the Minister to make an opening statement. 

4.33 pm 

The Minister for Europe (Mr David Lidington):  Like my hon. Friend the Member for Hertsmere, I very much welcome the fact that you are chairing the Committee, Miss McIntosh. 

In February of this year, the European Commission and the European External Action Service published a joint communication on a “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”. The communication brought a number of existing strands of EU work being carried out in different parts of the Commission and within the External Action Service into a single overall strategy. It set out a strategic vision for how better cyber-security could be achieved in the European Union and the role that the EU could play in promoting better cyber policy internationally. The communication set cyber-security firmly in the context of advancing economic prosperity and protecting and promoting the EU’s fundamental values, which of course are set out in article 2 of the treaty on European Union. In framing previously disparate strands of work in the context of an overall strategic document, the European Union institutions were mirroring what the United Kingdom Government have done in publishing their own cyber-strategy, which brought together work spread out among a number of Departments and agencies. 

The communication sets out five priority areas, which my hon. Friend the Member for Hertsmere listed in his remarks. The Government welcomed the communication through the June General Affairs Council conclusions, which helpfully underlined the importance of not only Governments, but the private sector and civil society, in the governance of the internet. The conclusions set the communication firmly in the context of values such as human rights; set out measures for better promoting the digital economy as a driver of growth and innovation; and encouraged the raising of cyber standards across the European Union. The communication’s approach is consistent with our national cyber-strategy and the broad approach to cyber issues that we promoted at the 2011 London conference on cyberspace.

The conclusions stress the importance of respect for the existing mandates of EU institutions and agencies, including ENISA, Europol and the European Cybercrime Centre. They call on the Commission and the European External Action Service to consult member states before taking forward dialogues on cyber issues with third countries or in international forums. They call on the Commission and the High Representative to produce a progress report by February 2014. They propose that the friends of the presidency group on cyber issues, in particular, assists the EU to set cyber priorities and strategic objectives, as well as reviewing and supporting implementation of the strategy. 

The Government have worked hard to ensure that the Council conclusions fully respect the United Kingdom’s concerns, which all of us share, about competence creep and external representation. Since the strategy’s publication, it has been discussed in 27 working groups, indicating the complexities in the EU of working on cross-cutting issues such as cyber. I stress that the communication is not a legislative proposal, but we will, of course, ensure that any specific proposals flowing from it are fully consistent with the conclusions and with existing competence. The legal bases for action on cyber issues, and our assessment of competence, are therefore likely to vary depending on what specific proposals are brought forward—whether, for example, they fall under article 114 of the treaty on the functioning of the European Union on the single market, under the common foreign and security policy or under article 218 of TFEU. 

As I have explained, the communication is not a legislative proposal. However, the European Scrutiny Committee has cross-referenced today’s debate on the communication with the separate EU legislative proposal for a directive on network and information security, which is the responsibility of Ministers at the Department for Business, Innovation and Skills. My hon. Friend the Member for Hertsmere set out the Committee’s concerns about that directive. Negotiations on it have only just commenced in working groups, so it is relatively far from the co-decision legislative process. My right hon. and hon. Friends in BIS are working hard to shape those proposals. They are working closely with other member states and the European Parliament. 

The draft directive’s intention is to put in place measures to ensure a high level of network and information security across the EU. It proposes that every member state produces a national cyber-security strategy and establishes a national computer emergency response team, or CERT, and a competent authority for network and information security. It also mandates information sharing between member states and establishes a pan-EU co-operation plan, as well as co-ordinated early warnings and a co-ordinated response for cyber-incidents. It would also impose duties on the private sector through the introduction of mandatory security disclosure in a wide range of sectors. 

The Government support the directive’s high-level objective of improving the network and information security capabilities of all member states—after all, cyber-attacks do not respect borders. We therefore need to co-operate with other countries, in the EU and beyond, to manage cyber-risks better. For that reason, we are not opposing the directive outright. In our view, the EU has a role to play in improving the capabilities of member states and cross-border collaboration. 

This country has an important role to play in ensuring that any measures that are finally brought forward are practical and will genuinely assist in achieving progress. We also want to ensure that the UK and the EU internal market are safe places in which to do business and that member states know with whom to make contact in the event of a cyber-incident and are able to work together effectively. At the same time, it is important that the directive does not make information sharing and co-operation harder to carry out or jeopardise our ability to respond to incidents by putting unwieldy bureaucracy in the way of common-sense, practical measures. We want to ensure that any measures are compatible with the current UK approach and that any new structures created as a result of the directive are able to align with existing UK bodies, rather than lead to the creation of new organisations. We will also seek to ensure that the proposals in the directive do not place unnecessary burdens upon businesses. 

The Government will seek to ensure that any reporting requirements remain as light-touch as possible and do not cut across the voluntary measures that we have put in place in this country. We need to ensure, too, that the directive does not introduce perverse incentives for businesses to avoid looking for or addressing incidents. The Department for Business, Innovation and Skills is currently undertaking an impact assessment of the proposals, informed by a call for evidence that will provide greater information on the potential impact and benefits of the proposals. 

The negotiations on the directive are at a very early stage in Council, and they are likely to progress slowly due to the many concerns shared by a wide range of member states. The issues of subsidiarity and proportionality highlighted by the European Scrutiny Committee will remain at the forefront of our considerations throughout the negotiations. We intend to ensure that the proposals that eventually emerge are informed by our significant national expertise and experience. We believe that the communication sets out the right strategic ambition and direction for the EU. We do not agree with everything in the first draft of the directive, but we believe it is right that the United Kingdom should engage constructively to shape those proposals in a way that will serve our national interest and the interest of our partners. 

The Chair:  We now have until 5.30 pm for questions to the Minister. I remind Members that questions should be brief. It is open to a Member, subject to my discretion, to ask related supplementary questions. 

Emma Reynolds (Wolverhampton North East) (Lab):  It is a pleasure to serve under your chairmanship, Miss McIntosh. 

The EU strategy for an open, safe and secure cyberspace mentions the vital role of the European Cybercrime Centre, Europol and Eurojust. Will the Minister explain whether, if the Government decide to exercise the block opt-out on justice and home affairs legislation, it would affect the UK’s ability to play a role in those organisations and in addressing cybercrime in co-ordination with our European partners?

Mr Lidington:  I know that the hon. Lady is impatient to hear the statement from my right hon. Friend the Home Secretary, which is planned for the near future, but she will have to contain her impatience for a little longer. Such operational consideration has certainly been at the forefront of the Home Secretary’s thinking when weighing up the decision that she and other Ministers have to take on the 2014 justice and home affairs opt-outs. In the event that this country decides to opt out of certain measures permanently, one key element of the decision will be the extent to which it is possible to put in place bilateral measures that are equally as effective as the EU measures. 

Emma Reynolds:  On the related Commission draft directive, which was cross-referenced by the European Scrutiny Committee, the Minister for Universities and Science states in his explanatory memorandum that the designation of a single competent authority 

“may require the creation of a new body”. 

Will the Minister confirm whether the Government will have to set up an entirely new body, or whether they will be able to designate an existing body? 

Mr Lidington:  Our intention in the negotiations is to get the directive into a state where a new body would not be needed, so that an existing United Kingdom agency could be designated as the competent authority. My right hon. Friend the Minister for Universities and Science was right to highlight the risk in his explanatory memorandum, but, as I said earlier, we are at a very early stage of the negotiations, and one of our objectives is to ensure that we do not have to create a new body. 

Emma Reynolds:  The Minister for Universities and Science also expressed concern about the impact on small businesses, although micro-businesses are exempted. Has there been any progress with regard to that concern? 

Mr Lidington:  This is one important element in the call for evidence and additional impact assessment that colleagues in the Department for Business, Innovation and Skills are working on. They have had representations already and hope to conclude their work and publish the results as soon as possible after the summer recess. At that point, we will have an informed view of the impact on small and medium-sized enterprises in this country and possible changes to the initial draft directive that would enable us to help protect their position. 

Kelvin Hopkins (Luton North) (Lab):  It is a great pleasure to serve under your chairmanship, Miss McIntosh, not for the first time in recent weeks. This is not an area in which I have expertise, but does the Minister agree that the major English-speaking nations will perhaps have a dominant role in cyber matters, given that English is the most international of languages and that the major financial centres are here and in the United States of America? Have we got something to give to the negotiations that others might need?

Mr Lidington:  I never want to sound complacent in these debates, but we do take some pride in the fact that we convened the London conference on cyber-security in 2011. My right hon. Friend the Foreign Secretary developed the idea of that conference not only to embrace cyber-security in the narrow sense in which it is usually defined of attacks on systems that are important to national well-being, but to address issues such as freedom of access to the internet. One of our consistent approaches has been to say that internet governance is not a matter that should be left to Governments alone; it involves the private sector, civil society and ordinary, individual citizens. 

The hon. Member for Luton North is right to say that countries in the English-speaking world have an important role to play; it is a fact of life that English is the prime language for international business use these days. For that reason, it is also the language used on the worldwide web. The United States, Australia, Canada and New Zealand also have an interest in this agenda. Germany and France have a key interest as well and quite developed policy thinking on cyber issues, so I would not want to suggest that only English-speaking countries have an interest or developed thinking here. 

Motion made, and Question proposed,  

That the Committee takes note of European Union Document No. 6225/13, a Joint Communication on a Cybersecurity Strategy for the European Union: An Open, Safe and Secure Cyberspace; supports the Government in welcoming the strategic vision of the Strategy; and notes the Council Conclusions on Cybersecurity.— (Mr Lidington.)  

4.49 pm 

Emma Reynolds:  Cybercrime, threats and attacks do not stop at national borders, as the Minister explained in his opening remarks. It is therefore sensible to improve co-operation between member states at a European level to improve our ability to counter cyber risks, crime and threats. We are considering two principal documents. As has already been mentioned, the first is a joint communication from the Commission and the European Parliament that sets out the new strategy for cyber-security. The second is a related Commission proposal for a directive of the European Parliament and the Council concerning measures to ensure a high common level of network and information security across the Union. 

Over the last two decades, cyberspace has transformed society; our daily lives, fundamental rights, social interactions and economies now depend on information and communications technology working seamlessly. That technology now underpins key sectors in our economy and public sector such as health, finance, energy and transport. As the European Scrutiny Committee acknowledges in its report, many business models are now built on the uninterrupted availability of the internet. 

In that context, cyber-security incidents have increased at an alarming pace, as the European Scrutiny Committee rightly said. Those can be criminal, terrorist and, sometimes, state-sponsored attacks. At other times, they take other forms. Recent reports suggest that the 2012 London Olympics opening ceremony might have come under cyber attack. Those reports highlight fears about the vulnerability of Britain’s national infrastructure to such attacks.

Last week, the European Parliament agreed to toughen criminal penalties across the EU for cyber attacks, especially those that threaten national infrastructure or are deemed to be aimed at stealing sensitive data. These recent developments underline how topical cyber-security is; indeed, it was a major subject raised by the Obama Administration in its first substantive, face-to-face discussions with the new Chinese leadership earlier this year. 

It is therefore important that the UK has a robust cyberspace strategy to deal with that challenge. As we know, the UK has a national strategy, but I welcome the Minister stating that the Government are keen to co-operate more closely with European partners to tackle these new threats. As the joint communication makes clear, national responses by themselves are unlikely to be sufficient. Cyberspace is an increasingly important international issue and that is why the Opposition support a cyber-security strategy at European level, which will help us and our European partners to tackle this threat better. 

The strategy contains five priority areas: achieving cyber-resilience; drastically reducing cybercrime; developing cyber-defence policies; developing the industrial and technological resources for cyber-security; and establishing a coherent international cyberspace policy for the EU and promoting core EU values. The Commission also produced a proposal for a draft directive on network and information security, which aims to increase the level of network and information security within the EU by widening legislation that currently concerns only the telecoms industry to include, among others, the financial, energy and health sectors. 

As the Minister set out, the directive contains a number of proposals that fall into three significant categories. The first is to require all member states to ensure that they have in place a minimum level of national capability. As he said, there is a diversity of capabilities across member states and it is in all of our interests that capabilities are increased in those member states where there is not adequate national capability. 

Rory Stewart (Penrith and The Border) (Con):  Will the hon. Lady speculate a little about how to get a European consensus on some of these issues? Given that there is serious confusion between cyber-defence, cyber-security and the offensive cyber-capabilities of intelligence agencies within Europe, and the potential conflicts between what we do to other countries and other countries do to us, and the close connection of that to our own national security, where does she think the limits of the European cyber-security policy will be? At which moment does that touch the national interests of individual states? 

Emma Reynolds:  The hon. Gentleman is right that this is a very sensitive area regarding national interests and security. I believe that at a European level we have more in common than separates us. Threats outside the EU probably drive the strategy for improved co-ordination. That is not to say that this will be an easy discussion. As the Minister says, it will require sensitive handling. But I am optimistic that co-operation can be achieved, especially given that the threats that European Union member states face are often pretty similar and come from outside the EU. Therefore if EU Governments can focus on those collective threats we can drive forward with collective action and agreement.

The second element of the directive is that the competent authorities that I was asking the Minister about earlier should co-operate within a network to enable secure and effective co-ordination of information. Finally, public administration and companies should adopt what the Commission terms appropriate and proportionate measures to ensure network information security. We agree that there needs to be a levelling of the capabilities of member states in this area. We agree with the push for more European co-ordination but, as the Minister said, the proposal is at an early stage. Discussions are ongoing at the Council of Ministers. We will wait to see the final shape of the directive before commenting further, but it certainly seems on the level of principle that European Union member states should work more closely together given that we face common external threats which are becoming increasingly worrying and serious. 

4.57 pm 

Mr Lidington:  I thank the hon. Member for Wolverhampton North East for her contribution. It is clear from what she said that there is considerable consensus across the Committee on both the importance of this issue and the right response. I agree that the challenge posed by cyber-security issues is growing. She mentioned attacks upon the critical infrastructure of this country. Other countries in Europe—I think of Estonia a few years ago—have been at the receiving end of concerted cyber attack. But also we are dealing with potentially crippling attacks upon key private sector systems or, for that matter, attacks upon the computers and information systems of families and individuals in this country and every part of Europe. 

It is also important that we recognise that while there are national responsibilities for every member state of the European Union, this is an issue that requires an international as well as a national response. The European Union is not the only multilateral institution involved. Organisations such as the Organisation for Security and Co-operation in Europe are also turning their attention increasingly to how the development of modern information and communications technology impacts on their political remit. It is very important that we take seriously the concerns that my hon. Friend the Member for Hertsmere expressed about competence and subsidiarity. The European Scrutiny Committee recognised in its report on the joint communication that there is a legitimate role for the European Union to play. There are aspects of the cyber-security question that fall legitimately under the heading of the single market, where the Commission and the institutions have a right to act under article 114 of the treaty on the functioning of the European Union.

Of course, any measure or initiative that was brought forward under the articles of the treaties relating to common foreign and security policy would require the unanimous agreement of member states rather than a qualified majority vote. I hope that it is of some reassurance to the Committee that it is also the case that article 4 of the treaty on European Union explicitly reserves national security as a competence for member states and member states alone. The Government will be vigilant in looking at how the strategy is taken forward and at the detail of individual measures that may be brought forward as a result of that strategy, to ensure that the proper boundaries of competence, as specified in the treaties, are being adhered to. Of course, in respect of any directive, regulation or formal Council decision emerging as a consequence of the strategy, we shall be submitting those documents to the European Scrutiny Committee in the normal way.

Concerns have been expressed—rightly—by the European Scrutiny Committee about the risk that the draft directive might propose unnecessary burdens upon business, or additional and unwelcome bureaucracy. It is important that we remind ourselves that there are already sectors of private industry that are subject to statutory duties in respect of cyber-security. For example, specific obligations have been imposed by law on telecommunications companies in this field. Also, while the obligations on financial services companies do not have regard to cyber-security alone, those companies are under a duty to report to the competent authorities any potential threat to the integrity and security of their systems. That general duty applies to cyber-security as much as to other questions. 

The strategy that we are debating today is a sensible and proportionate response by the European Union to what is a European and global challenge as well as a national one. It fits well with the approach adopted at the London cyber-security conference and in the United Kingdom’s own national cyber-strategy. The draft directive gives rise to a number of concerns and legitimate questions, but we are at a very early stage of the negotiations about it. I undertake that we will continue to work hard to ensure, in alliance with like-minded member states, that the final version of the document delivers what we want in terms of more effective cyber-security for public and private sectors alike throughout Europe, while at the same time minimising bureaucracy and avoiding the imposition of unnecessary additional burdens upon the private sector, especially upon small and medium-sized enterprises. 

I am sure that my right hon. Friend the Minister for Universities and Science will make certain that the European Scrutiny Committee is kept abreast of further developments in the negotiation of the directive. 

I commend the Government’s motion to the Committee. 

Question put and agreed to.  

5.3 pm 

Committee rose.  

Prepared 9th July 2013