We all rely on the Internet, at every level: individuals, small firms, large companies, international corporations, and at national level. Yet at every level our Internet communications are vulnerable. The Internet is run by private companies, but it is an increasingly important part of the critical national infrastructure (CNI); and we have always expected States to take significant responsibility for CNI.
The issue of large-scale cyber-attacks on the Internet has moved up the international agenda in recent months. In this inquiry we have been looking at how States and their major organisations can defend themselves and their critical information infrastructures (CIIs) against such attacks, whether these attacks are criminally or politically motivated; along with the similar issues which arise when considering how to reduce the risk of disruptions to the CII caused by natural or man-made disasters.
Individual States bear primary responsibility for their CNI, but the infrastructures of the Member States of the European Union are heavily interdependent. This has led to EU legislation beginning to regulate the extent and manner of cooperation between the Member States. However, the Internet is a global network of networks where individual States and groups of States cannot be viewed in isolation, so we started by considering whether intervention at an EU level was appropriate. We concluded that it was.
There are wide differences between the Member States. Some, like Estonia, are very heavily reliant on the Internet but have (or had until very recently) defences wholly inadequate to protect their CII against even minor attacks. Some, and the United Kingdom is among them, also rely heavily on the Internet, but have sophisticated and well-developed defences to guard against attacks or disruptions. Yet other Member States rely less on the Internet, but their defences are insufficient. We concluded that all Member States have an interest in bringing the defences of the lowest up to those of the highest, and that this is a matter of legitimate concern to the EU as a whole.
In 2009 the Commission published a Communication with proposals for enhancing the preparedness, security and resilience of the Member States in protecting their CIIs from large-scale cyber-attacks and disruptions. This document is central to our inquiry. The Communication does not put forward legislation, but makes a large number of proposals for common action by the Member States. Some, like the development of national and governmental Computer Emergency Response Teams (CERTs), will be of great benefit to many less advanced Member States. In the case of other suggestions, like enhanced EU action at global level, it is hard to see exactly what is being proposed. But we believe that there is much in the Communication that should be supported.
Lastly we looked at ENISA, the European Network and Information Security Agency. This small body has been useful as a platform for the exchange of views and of best practice, but is not helped by being in Crete, on the periphery of the EU. We believe that with a widening of its mandate to include some former third pillar matters it can play a more significant part in the developments envisaged by the Communication.