Select Committee on Science and Technology Minutes of Evidence

Examination of Witnesses (Questions 932 - 939)



  Q932  Chairman: Commissioner, we are very grateful indeed to you for offering to talk to us about this topic that we are studying and going to be writing a report on, so thank you very much for being available to us. As you will gather, we are the House of Lords Science and Technology Committee and I am the Chairman of the Committee. We are well into this inquiry into personal Internet security and it will be extremely valuable to us to be able to talk to you to get your views, especially the views of the EU on this important issue. Shall we go straight into our questions?

  Commissioner Reding: Thank you, Chairman. I think that will be the most efficient way because there is no need for me now to make a speech here. I think you have questions so let us try to go to the heart of the matter if you wish.

  Q933  Chairman: Excellent. Let me start with the very general question that we asked some of your officials earlier and that is who, in your opinion, is responsible for Internet security? Mr Sevida gave us an answer that of course this is a distributed responsibility but we would particularly like to get your view as to how that responsibility might be distributed and then perhaps to go on and talk about how the responsibility is attributed within the EU.

  Commissioner Reding: That is a very large question, Chairman. Of course, the Commission is responsible on the basis of Article 95 of the Treaty, which is the internal market responsibility, so when there are breaches of security which hamper the functioning of the internal market, the Commission has a direct responsibility, and it is on the basis of these Article 95 procedures that all the communications or proposals which come out of my house are based. Having said that, our rule is as follows: try only to intervene when the intervention is absolutely necessary, that is, leave it to public/private partnership as much as possible in order to solve the problems and, most of all, recall that there is a very strong industry responsibility which I would like to be much more proactive, by the way, but which I would like to be based on self-regulation. My belief is that we should not come in with European regulation if self-regulation works. It is only when self-regulation does not work that we should come in on this. Now there are of course elements of responsibility which go beyond the internal market problem and there it is Internet security—I am speaking about cybercrime for instance—and I am speaking about the responsibility which I have taken for a safer Internet for kids for protecting our children. When it comes of course to police co-operation that is not my responsibility any more. I just make this point in order to describe how we see our responsibility. Secondly, we have created legislation, a programme, a fund where we help parents' organisations, for instance, and awareness-raising organisations to tell parents and to tell kids about the dangers. At the same time I have been working together with the industry, for instance with the mobile phone operators who have signed a memorandum of understanding last February that they will provide to parents and grandparents the necessary tools so that parents know about the difficulties which can arise from 3G technology, chatrooms and so on and so forth, and also the filters which are available to parents. The third element is of course when it comes to direct crime when there is a risk of paedophilia. Then of course it is no longer the internal market, then it goes directly to the Commissioner. (Video link broken)

  Q934  Chairman: I think we failed in integrity if not security. If you will continue please, Commissioner.

  Commissioner Reding: I have finished my answer. In case you did not hear it all, the last sentence I said was about the responsibility of my colleague Commissioner Frattini as concerns internal security aspects and police collaboration.

  Chairman: Thank you for that. I am going to turn now to Lord Sutherland to ask you the second question.

  Q935  Lord Sutherland of Houndwood: Commissioner, is it possible to make an estimate of the direct and indirect costs of Internet-related crime and its impact on the European economy?

  Commissioner Reding: I cannot give you accurate figures now but we know that the costs are very, very high indeed. With the analysis we have done on awareness we have found that unfortunately most businesses, and most of all small and medium-sized businesses, are not fully aware of their responsibility in the security chain which then makes the security chain become very weak, and the loss of ability and the loss of income due to this lack of security is very high, so we have started, on the basis of that, awareness-raising initiatives with the chambers of commerce, for instance, with business groups to inform most of all the SMEs about their responsibility to get their security systems right. The Business Software Alliance also organised an information security awareness day on 27 February this year in order to address these information challenges that technology providers are facing, and this is the first of an annual series which is going to be developed from now on. We know that 90 per cent of EU businesses use the Internet and 50 per cent of consumers, roughly, so you can see the threat through the Internet which can hamper the business world.

  Q936  Lord Sutherland of Houndwood: Thank you very much, Commissioner. I wonder if I can ask two very short supplementary questions. One is you indicated that you do not have the figures in question. Are they available outside this series of interviews in any form that your officials could transmit to us separately? That is question one and the second is, is there any indication that countries that have a higher broadband penetration are more vulnerable to the economic impact of such crime?

  Commissioner Reding: To answer your first question, it is very difficult and that is why you see me being very hesitant to give you an accurate answer on this. It is very difficult because we get figures from different Member States which are not on the same level, so to put them all together and make an average would be a false answer to your question, and that is the reason why we have asked for ENISA to develop a framework with indicators which all EU Member States agree upon so that we can get these figures, so maybe in time I could answer your question but I hesitate to launch a figure because this will be then questioned everywhere. The second part of your question was on broadband. There again your vulnerability depends both on the sophistication of the users and of the infrastructure. New methods of fraud are emerging all the time. Broadband going mobile will be a supplementary problem. We do not see it as only one; we see it as a whole chain, so we do not see here governments intervening and then the problem being solved. No, everybody in the chain has to know that he is part of the chain, so if you have a weak part in the chain then that will be a problem. Studies have identified that the penetration of broadband facilitates these attacks because you are always on. If you are always on and you utilise broadband for everything your vulnerability grows unless you have taken very sophisticated counter-measures. Globally the harm done by malware (and these are 2005 figures) is estimated as €11 billion and the phishing element is included in that. That is also the reason why you cannot make it a national issue. Europe-wide is the minimum way to defend ourselves but that again is not enough. That is why I brought this to the attention of the World Conference on Internet Governance which took place for the first time in Tunis and then the last time in Athens and in October it will be in Brazil, so I bring it to the attention of the international community because we do have to fight that together.

  Lord Sutherland of Houndwood: Thank you.

  Chairman: May I turn to Baroness Sharp now please.

  Q937  Baroness Sharp of Guildford: Commissioner, can I say that we take on board what you said at the beginning about the degree to which your responsibilities are based on Article 95 and the internal market and your wish to use your powers as lightly as possible, to intervene only where necessary, but can I nevertheless ask you how far you see the EU having a role of driving up standards and how far, given that you rely very much on Member States to do this, you feel you have the powers to bring Member States into line to do the things that you would like them to do?

  Commissioner Reding: Yes, my Lady, you are absolutely right because we cannot fight this in a regional way any more. We have to fight it at a minimum at the European level and for this we need co-ordination of our actions. If in one Member State nothing is done and in another Member State the maximum is done, both will not have done any good because it is only if we are strong together and if we do not have a weak element in the chain that we can be strong enough to fight. That is also why I have taken the initiative in this May 2006 communication on a strategy for a secure information society where I have appealed to all stakeholders to do their part of the work and that is why we had the November 2006 communication on fighting spam where I asked for a strong commitment by central governments to put adequate resources into the enforcement authorities. That is why in the review of the Regulatory Framework for Electronic Communications, which is due to come this summer, we will address security more closely than has been the case so far. We had a public consultation last year and we got for this more than 200 responses from Member States' national regulatory authorities, the industry and interested parties, so we are really going to work on that to make the security aspect in this new piece of legislation very strong. In December 2006, we adopted a proposal for a European programme on critical infrastructure protection. There is a communication and a proposal for a Directive, thus for binding law on the identification and designation of European critical infrastructures, and on the basis of this work we will take the initiative as a Commission in 2008. In addition to this ENISA is supporting public/private partnerships between Member States and the private sector to reinforce the EU work on standards because that is again another question which we have to take on, and of course my colleague Frattini is proposing now a communication on cybercrime which will complement my internal market initiatives from the point of view of internal security law enforcement.

  Baroness Sharp of Guildford: Thank you very much. I think that is very helpful.

  Q938  Chairman: Commissioner, may I ask you a general question about working within the EU between, for example, your first pillar on the internal market and the third pillar on justice and freedom. Do you have formal ways of working together on some of these issues?

  Commissioner Reding: Yes and no! When I get a communication, for instance a general communication on critical infrastructure protection, I propose this communication or this draft legislation but of course the other Commissioners who are linked to this come in with their proposals, so it is something which I issue but in the end it is a Commission paper which comes out which is binding for the whole Commission. We have an inter-service dialogue which is permanent on these kinds of issues. The difference now between the proposals I can put on the table to the European Parliament and to the Council of Ministers is that those proposals on the basis of Article 95 internal market rules will be decided upon by majority vote whereas Commissioner Frattini's proposals in the third pillar on security issues are by unanimity, which means that it is very, very difficult in this field to arrive at a common position because any Member State can use the veto.

  Chairman: That is very useful to us. Lord Harris, can I turn to you for the next question please.

  Q939  Lord Harris of Haringey: The importance of promoting the information society is clearly your responsibility, Commissioner, and clearly for the public to have confidence in the information society they must have confidence in their personal Internet security, and one of the keys to improving that is going to be to get the incentives right so that those who are best placed to tackle poor security are incentivised to do so. Are you satisfied that the Commission is doing enough to improve the alignment of those incentives?

  Commissioner Reding: I am never satisfied that the work that we are doing is enough. Most of all, when you have the difficulty of bringing 27 Member States to a common line in order to be efficient and, not only that, if then also you have to rely on the Member States to apply what has been decided at home in a very efficient way, we cannot put a policeman behind every minister to see if he or she is doing their homework so that makes not deciding on common action difficult but applying it very difficult, and it makes it even more difficult if we are in the third pillar in the realm of security because there we are depending on unanimity by the Member States and this is very difficult to reach. By the way, in the Constitutional Treaty two very important things are suggested on this issue. The first one is to have a majority vote on third pillar decisions to make the efficiency of our fight against crime better, and the second one is to permit cross-pillar activities, which are not possible under today's Treaty. We try as much as possible to work together but we do not have a legal base to do that, between the internal market and security affairs for instance. Regarding security, in the review of electronic communications, which are the telecom rules if you want, those are five European Directives which are in place already today but which I will review in the summer, and they are introducing an obligation for service providers and for network operators to inform their customers and competent authorities about breaches of security which result in loss or destruction of personal data. There we will also have an element for updating the provisions on the integrity of networks in order to reflect the technological convergence and the growing importance of IPEA mobile networks in modern society and to improve the implementation and the enforcement mechanisms in order to ensure that the national regulators have adequate and necessary powers to implement and enforce the law. I would also like to recall that we have an E-Privacy (?) Directive which gives the possibility of co-ordinated action Europe-wide but there again the grass-roots implementation, if I may say so, is very different according to the different Member States.

  Chairman: Could we go to your question, Lord Sutherland, on breach law.



© Parliamentary copyright 2007