CHAPTER 3: IS THERE A ROLE FOR THE EU?
29. The protection of Europe against cyber-attacks
is undoubtedly a matter to be dealt with at every level: by individual
firms, by network providers, by Governments, and by global initiatives.
In this chapter we consider to what extent there is a role for
the EU.
A legitimate role
30. There was consensus among our witnesses that
this was a legitimate area for the EU to be concerned about, and
that it had some role to play, but there was no unanimity as to
what that role should be, and just how extensively the EU as such
should be involved. Witnesses generally agreed with the proposition
that Internet security issues were either extremely local, or
were global in nature. Nonetheless they saw value in regional
action, provided that it was proposed within a wider framework
and led on to global initiatives. However the Communication, and
most of the witnesses, were vague about what form such global
initiatives should take.
31. On 8 December 2008 the Council adopted a
Directive on Critical Infrastructure Protection,[21]
the purpose of which was to identify and designate European Critical
Infrastructures (ECI) which would benefit from a common approach
to the improvement of their protection. The first draft of the
Directive[22] included
"Information, Communication Technologies, ICT" in the
long list of critical infrastructure sectors in Annex 1. This
Committee had considered that draft in the course of its normal
scrutiny of EU legislation and took the view, which the Government
shared, that the designation of many categories of sensitive infrastructure
as ECI would, because of the wide sharing of information this
would entail, not so much protect the infrastructure as potentially
put it at risk. During the course of negotiations the scope of
the Directive was greatly reduced, and the Directive as adopted,
which will in any case not come into force until 2011, includes
only energy and transport as ECI sectors. However Mr Andrea
Servida from the Commission Directorate General Information Society
and Media, who was one of the authors of the Communication, explained
(QQ 111, 116) that the next ECI sector in line was to be
the IT sector.[23]
32. Perhaps surprisingly, those of our witnesses
who were most positive about the role the EU could play were two
US companies. In written evidence Mr Chantzos, for Symantec,
explained: "A European wide approach to critical infrastructure
protection would enable the development of a common, shared level
of understanding and recognition of the specific critical infrastructures
within Member States that need to be protected from online attacks.
Also more importantly a pan-European approach is necessary to
identify the interdependencies that currently exist in the critical
infrastructures shared across Member States [and] ensure risks
are identified, assessed and addressed in a way that protects
these critical systems against possible attack" (p 54).
And Dr Nazario told us: "The EU has a major role to
play; it is a common economic system, with common political goals ...
Engaging with the US is going to be key, I think, for connectivity
purposes ... So being able to communicate as a single economic
voice or a unified voice to software vendors around the world
will have a significant impact at raising, for example, software
quality standards and software features" (Q 152).
33. Professor Anderson was also very positive:
"I do believe that the European Union has a significant role
to play in Internet policy, broadly defined, and that it is going
to have an even larger role in the future ... Of course the European
Union is going to have a role to play in this. Of course it should
have a centre of technical expertise" (Q 263).
Member States with less resilient systems
34. A number of witnesses saw the main role of
the EU as bringing the Member States with less developed systems
for handling cyber-attacks up to the level of the most advanced, among
which the United Kingdom was always seen as prominent. Improvements
would include the addition of redundant capacity as a back-up
for existing capacity,[24]
and the development of Computer Emergency Response Teams (CERTs).[25]
Thus Symantec believed that effectively securing Europe's critical
infrastructure network meant having in place a common European-wide
approach and strategy. "This is seen as particularly important
given that many Member States are at different stages of Internet
development and levels of understanding regarding the interconnected
nature of networks and level of risk to possible cyber-attack"
(p 53).
35. The same point was made by Europol: "There
is clear asymmetrical development; some MS [Member States] are
forging ahead with great advances in certain areas, whilst other
MS lag behind in terms of technology" (p 124). Mr Geoffrey
Smith from the Department for Business, Innovation and Skills
(BIS), who with Dr Steve Marsh gave evidence on behalf of
the Government, felt that there was a lot the EU could do to improve
national protection, in particular encouraging the Member States
which were the laggards up to the speed of the front runners (Q 3).
National security
36. One recurring theme was that, whatever the
role of the EU, national security was the exclusive preserve of
the Member States. In the first Cyber Security Strategy of the
United Kingdom,[26] issued
at the same time as the 2009 update of the National Security Strategy
of the United Kingdom,[27]
the Government undertook to establish the Office of Cyber Security
(OCS).[28] This would,
among other things, "be responsible for bringing greater
coherence to the UK's work with overseas partners and international
organisations";[29]
but the Cyber Security Strategy contains not a single reference
to the EU by name.
37. Mr Smith, while agreeing that it was
only right that the EU should use its influence to enhance the
ability of Member States to protect their critical infrastructures,
added: "We have to be very clear on what the role of the
European Union is, and this is an area where we get into a well
trod problem area of national security and what is the responsibility
of Member States versus the role of the Community" (Q 3).
This was a view shared by Mr Chantzos. He emphasised that
"when we are talking about information security we are talking
about the issues which impinge upon national sovereignty"
(QQ 149, 151).
The wider global context
38. A second theme, one stressed by the great
majority of our witnesses, was that, as the Government said in
their written evidence, "the Internet operates as a global
phenomenon and does not recognise borders; this is something which
should be reflected in any work which takes place to ensure availability
of Internet services" (p 9). SOCA, the Serious Organised
Crime Agency, though operationally independent of the Government,
took the same line: "The imposition of boundaries within
Internet Governance is a difficult if not futile issue. Certainly
policy and process can be developed nationally or within a European
framework but any regulatory control will be limited by the extent
to which the offending infrastructure actually sits within such
regulation. SOCA's projects are globally focused and engagement
with the Council of Europe and the European Commission are important ...
The best solution is a global one ..." (p 160).
39. Mr Servida, an author of the Communication,
gave his reasons for believing that there was a European dimension,
but continued: "The real dimension is a global dimension
but we think that there is no possibility for Europe as a region
to cope, to work in the globalised environment of electronic communication
networks and services unless there is first a kind of unified
way of approaching the problem" (Q 112).
40. At present the global initiatives that tackle
security threats are mainly organised on an entirely ad hoc basis,
with loose groupings of people from relevant parts of industry
coming together to address particular incidents. The CERTs (and
in particular CERT/CC at Carnegie Mellon University, Pennsylvania, the
very first CERT to be created) often play a key role in recruiting
experts to join these working groups. A recent example of this
type of global initiative is the Conficker Working Group,[30]
who have spent the last year ensuring that the criminals who built
a botnet of 7 million compromised computers (bots) have not had
the chance to exploit its power. Mr Chantzos described this
as "a very good example where the industry stuck together"
(Q 149).
A second best?
41. There was also a third recurrent theme. A
number of witnesses, while somewhat reluctantly conceding that
there was a role for the EU, saw it very much as a second best.
These are only some of the views expressed:
- "Until a worldwide strategy can be defined
and agreed upon a European-centric approach should be pursued."
(Phillip Ineson on behalf of Boxing Orange Ltd, p 123);
- "In the absence of a concerted and committed
global response to the issue, a European-centric policy may be
the simplest and most compelling option to protect European interests."
(Dr Stefan Fafinski, p 136);
- "International companies and any enterprise
with an international customer base will generally seek a global
rather than a European solution. In the absence of an international
response, however, a European response is a step in the right
direction." (Joint ISSA-UK and BCS evidence, paragraph 3.3,
p 145).
42. We agree that the protection of the Member
States and their critical infrastructures from large-scale cyber-attacks
is a matter of legitimate concern to the EU.
43. We regard the primary role of the EU as
being to coordinate the activities of the Member States, spread
best practices, and bring the slowest Member States up to the
speed of the fastest.
44. The national security of Member States,
and the protection of critical information infrastructure as part
of it, is not a matter for the EU as such.
45. Any assessment of the role of the EU must
be made in a global context, recognising that the Internet has
no borders, and that many multinational companies operate both
within and outside the EU.
46. We believe that the Government and the
EU should be giving greater attention to how cyber-security could
be developed on a global basis. In particular, consideration needs
to be given to the gradual development of international rules
which will effectively discourage the launching of proxy attacks
from within the jurisdiction of some of the main users of the
Internet.
21 Council Directive 2008/114/EC of 8 December 2008
on the identification and designation of European critical infrastructures
and the assessment of the need to improve their protection (OJ
L345, 23 December 2008, p 75).
22 Proposal for a Directive of the Council on the identification
and designation of European Critical Infrastructure and the assessment
of the need to improve their protection (COM (2006) 787 final,
Council Document 16933/06 of 18 December 2006), together with
Commission Communication on a European Programme for Critical
Infrastructure Protection (COM (2006) 786 final, Council Document
16932/06).
23 Directive, Article 3(3): "Priority shall be given to the
ICT sector".
24 See paragraphs 22 to 28 on Resilience.
25 See paragraphs 57 et seq.
26 Cm 7642, June 2009.
27 Cm 7590, June 2009.
28 The two Houses of Parliament have established a Joint Committee
on the National Security Strategy (JCNSS) to keep the National
Security Strategy under review. The Committee met for the first
time on 9 February 2010. The Committee has yet to decide whether
its work should extend to consideration of the Cyber Security
Strategy.
29 Paragraph 3.18.
30 http://www.confickerworkinggroup.org/wiki/