CHAPTER 3: IS THERE A ROLE FOR THE
29. The protection of Europe against cyber-attacks
is undoubtedly a matter to be dealt with at every level: by individual
firms, by network providers, by Governments, and by global initiatives.
In this chapter we consider to what extent there is a role for
A legitimate role
30. There was consensus among our witnesses that
this was a legitimate area for the EU to be concerned about, and
that it had some role to play, but there was no unanimity as to
what that role should be, and just how extensively the EU as such
should be involved. Witnesses generally agreed with the proposition
that Internet security issues were either extremely local, or
were global in nature. Nonetheless they saw value in regional
action, provided that it was proposed within a wider framework
and led on to global initiatives. However the Communication, and
most of the witnesses, were vague about what form such global
initiatives should take.
31. On 8 December 2008 the Council adopted a
Directive on Critical Infrastructure Protection,
the purpose of which was to identify and designate European Critical
Infrastructures (ECI) which would benefit from a common approach
to the improvement of their protection. The first draft of the
"Information, Communication Technologies, ICT" in the
long list of critical infrastructure sectors in Annex 1. This
Committee had considered that draft in the course of its normal
scrutiny of EU legislation and took the view, which the Government
shared, that the designation of many categories of sensitive infrastructure
as ECI would, because of the wide sharing of information this
would entail, not so much protect the infrastructure as potentially
put it at risk. During the course of negotiations the scope of
the Directive was greatly reduced, and the Directive as adopted,
which will in any case not come into force until 2011, includes
only energy and transport as ECI sectors. However Mr Andrea
Servida from the Commission Directorate General Information, Society
and Media, who was one of the authors of the Communication, explained
(QQ 111, 116) that the next ECI sector in line was to be
the IT sector.
32. Perhaps surprisingly, those of our witnesses
who were most positive about the role the EU could play were two
US companies. In written evidence Mr Chantzos, for Symantec,
explained: "A European wide approach to critical infrastructure
protection would enable the development of a common, shared level
of understanding and recognition of the specific critical infrastructures
within Member States that need to be protected from online attacks.
Also more importantly a pan-European approach is necessary to
identify the interdependencies that currently exist in the critical
infrastructures shared across Member States [and] ensure risks
are identified, assessed and addressed in a way that protects
these critical systems against possible attack" (p 54).
And Dr Nazario told us: "The EU has a major role to
play; it is a common economic system, with common political goals
Engaging with the US is going to be key, I think, for connectivity
So being able to communicate as a single economic
voice or a unified voice to software vendors around the world
will have a significant impact at raising, for example, software
quality standards and software features" (Q 152).
33. Professor Anderson was also very positive:
"I do believe that the European Union has a significant role
to play in Internet policy, broadly defined, and that it is going
to have an even larger role in the future ... Of course the European
Union is going to have a role to play in this. Of course it should
have a centre of technical expertise" (Q 263).
Member States with less resilient
34. A number of witnesses saw the main role of
the EU as bringing the Member States with less developed systems
for handling cyber-attacks up to the level of the most advancedamong
which the United Kingdom was always seen as prominent. Improvements
would include the addition of redundant capacity as a back-up
for existing capacity,
and the development of Computer Emergency Response Teams (CERTs).
Thus Symantec believed that effectively securing Europe's critical
infrastructure network meant having in place a common European-wide
approach and strategy. "This is seen as particularly important
given that many Member States are at different stages of Internet
development and levels of understanding regarding the interconnected
nature of networks and level of risk to possible cyber-attack"
35. The same point was made by Europol: "There
is clear asymmetrical development; some MS [Member States] are
forging ahead with great advances in certain areas, whilst other
MS lag behind in terms of technology" (p 124). Mr Geoffrey
Smith from the Department for Business, Innovation and Skills
(BIS), who with Dr Steve Marsh gave evidence on behalf of
the Government, felt that there was a lot the EU could do to improve
national protection, in particular encouraging the Member States
which were the laggards up to the speed of the front runners (Q 3).
36. One recurring theme was that, whatever the
role of the EU, national security was the exclusive preserve of
the Member States. In the first Cyber Security Strategy of the
United Kingdom, issued
at the same time as the 2009 update of the National Security Strategy
of the United Kingdom,
the Government undertook to establish the Office of Cyber Security
(OCS). This would,
among other things, "be responsible for bringing greater
coherence to the UK's work with overseas partners and international
but the Cyber Security Strategy contains not a single reference
to the EU by name.
37. Mr Smith, while agreeing that it was
only right that the EU should use its influence to enhance the
ability of Member States to protect their critical infrastructures,
added: "We have to be very clear on what the role of the
European Union is, and this is an area where we get into a well
trod problem area of national security and what is the responsibility
of Member States versus the role of the Community" (Q 3).
This was a view shared by Mr Chantzos. He emphasised that
"when we are talking about information security we are talking
about the issues which impinge upon national sovereignty"
(QQ 149, 151).
The wider global context
38. A second theme, one stressed by the great
majority of our witnesses, was that, as the Government said in
their written evidence, "the Internet operates as a global
phenomenon and does not recognise borders; this is something which
should be reflected in any work which takes place to ensure availability
of Internet services" (p 9). SOCA, the Serious Organised
Crime Agency, though operationally independent of the Government,
took the same line: "The imposition of boundaries within
Internet Governance is a difficult if not futile issue. Certainly
policy and process can be developed nationally or within a European
framework but any regulatory control will be limited by the extent
to which the offending infrastructure actually sits within such
regulation. SOCA's projects are globally focused and engagement
with the Council of Europe and the European Commission are important
The best solution is a global one
" (p 160).
39. Mr Servida, an author of the Communication,
gave his reasons for believing that there was a European dimension,
but continued: "The real dimension is a global dimension
but we think that there is no possibility for Europe as a region
to cope, to work in the globalised environment of electronic communication
networks and services unless there is first a kind of unified
way of approaching the problem" (Q 112).
40. At present the global initiatives that tackle
security threats are mainly organised on an entirely ad hoc basis,
with loose groupings of people from relevant parts of industry
coming together to address particular incidents. The CERTs (and
in particular CERT/CC at Carnegie Mellon University, Pennsylvaniathe
very first CERT to be created) often play a key role in recruiting
experts to join these working groups. A recent example of this
type of global initiative is the Conficker Working Group
who have spent the last year ensuring that the criminals who built
a botnet of 7-million compromised computers (bots) have not had
the chance to exploit its power. Mr Chantzos described this
as "a very good example where the industry stuck together"
A second best?
41. There was also a third recurrent theme. A
number of witnesses, while somewhat reluctantly conceding that
there was a role for the EU, saw it very much as a second best.
These are only some of the views expressed:
- "Until a worldwide strategy can be defined
and agreed upon a European-centric approach should be pursued."
(Phillip Ineson on behalf of Boxing Orange Ltd, p 123);
- "In the absence of a concerted and committed
global response to the issue, a European-centric policy may be
the simplest and most compelling option to protect European interests."
(Dr Stefan Fafinski , p 136);
- "International companies and any enterprise
with an international customer base will generally seek a global
rather than a European solution. In the absence of an international
response, however, a European response is a step in the right
direction." (Joint ISSA-UK and BCS evidence, paragraph 3.3,
42. We agree that the protection of the Member
States and their critical infrastructures from large-scale cyber-attacks
is a matter of legitimate concern to the EU.
43. We regard the primary role of the EU as
being to coordinate the activities of the Member States, spread
best practices, and bring the slowest Member States up to the
speed of the fastest.
44. The national security of Member States,
and the protection of critical information infrastructure as part
of it, is not a matter for the EU as such.
45. Any assessment of the role of the EU must
be made in a global context, recognising that the Internet has
no borders, and that many multinational companies operate both
within and outside the EU.
46. We believe that the Government and the
EU should be giving greater attention to how cyber-security could
be developed on a global basis. In particular, consideration needs
to be given to the gradual development of international rules
which will effectively discourage the launching of proxy attacks
from within the jurisdiction of some of the main users of the
21 Council Directive 2008/114/EC of 8 December 2008
on the identification and designation of European critical infrastructures
and the assessment of the need to improve their protection (OJ
L345, 23 December 2008, p 75). Back
Proposal for a Directive of the Council on the identification
and designation of European Critical Infrastructure and the assessment
of the need to improve their protection (COM (2006) 787 final,
Council Document 16933/06 of 18 December 2006), together with
Commission Communication on a European Programme for Critical
Infrastructure Protection (COM (2006) 786 final, Council Document
Directive, Article 3(3): "Priority shall be given to the
ICT sector". Back
See paragraphs 22 to 28 on Resilience. Back
See paragraphs 57 et seq. Back
Cm 7642, June 2009. Back
Cm 7590, June 2009. Back
The two Houses of Parliament have established a Joint Committee
on the National Security Strategy (JCNSS) to keep the National
Security Strategy under review. The Committee met for the first
time on 9 February 2010. The Committee has yet to decide whether
its work should extend to consideration of the Cyber Security
Paragraph 3.18. Back