Protecting Europe against large-scale cyber-attacks - European Union Committee


CHAPTER 4: THE COMMISSION COMMUNICATION

47.  The sub-title of the Commission Communication is "Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience."[31] The Communication is set out in full in Appendix 4. It is accompanied by over four hundred pages of impact assessment which we do not print.[32]

48.  The Communication "focuses on prevention, preparedness and awareness, and defines a plan of immediate actions to strengthen the security and resilience of CIIs [Critical Information Infrastructures]." Five "pillars" are proposed to tackle these challenges:

  • Preparedness and prevention: to ensure preparedness at all levels;
  • Detection and response: to provide adequate early warning mechanisms;
  • Mitigation and recovery: to reinforce EU defence mechanisms for CII;
  • International cooperation: to promote EU priorities internationally; and
  • Criteria for the ICT sector: to support the implementation of the Directive on the Identification and Designation of European Critical Infrastructures (see paragraph 31).

49.  The Commission does not intend, at least for the present, to propose a binding legislative framework to carry its proposals into effect. Initially the Communication and Action Plan would provide the framework for coordination and cooperation "to engage Member States, the private sector and civil society." The Commission envisages that the Communication could be endorsed by the Council, and that the European Parliament may also decide to contribute to the discussion. Only once the consequences of this work had been assessed might the Commission consider putting forward proposals for legislation.[33]

Reaction to the Communication

50.  ENISA, which we consider in more detail in the following chapter, has an important role in the EU plans. It was perhaps predictable that they warmly welcomed the Communication as "providing the clearest framework yet for enabling Europe to act in case of major disruptions" (p 70).[34] But the Government also "very much welcomed the communication … we thought that was a positive step forward, and I think you may recall that our explanatory memorandum[35] said that we welcomed the initiative. We had some concerns around the action plan and the realistic deliverability of some components of that, but in terms of should the European Union be providing some degree of leadership in this area we have no problem with that in principle—we think it is a good thing" (Smith, Q 3).

51.  A more common reaction was to say that the Communication was fine as far as it went, but that it did not go very far. This is not necessarily a criticism. As Mr Chantzos said, the Communication is a policy statement; it is not a programme itself, but a statement of intentions—what the Commission would like the EU to do in this particular area. He thought the first requirement for the Communication to have an impact was that it should actually be followed through. It was for the Commission to do the different things that it talked about: the work on early warning, on common exercises, on information exchange, and on the review of the ENISA mandate (Q 141).

52.  Others too, like Mr Cormack, thought it was hard to assess the Communication without knowing what would follow from it: "If I am feeling optimistic I can read the communication as very positive in supporting and extending the existing networks. I do not think there is anything in there that automatically gives me nightmares but as with many communications from governments it can be read in many ways, so it may be trite to say the devil is in the detail" (Q 105). And Mr Smith thought that the section of the Communication dealing with what needed to be done globally to improve Internet resilience was "one of the least clear parts of the Communication … even today I am not sure that I could give you a clear account of where this work might take us" (Q 3).

53.  We agree with those of our witnesses who believe that a full assessment of the value of the Communication as a whole will only be possible when we can see how it is followed up, and whether it has in fact contributed to "protecting Europe from large-scale cyber-attacks and disruptions by enhancing preparedness, security and resilience", as its title envisages. Meanwhile we share the broadly positive view of most of our witnesses.

54.  The Communication says little about the role of the EU in a global context. In any proposals for specific action, the Commission will need to pay particular attention to the way they will fit into a global framework. We believe that the more advanced Member States, the United Kingdom among them, have an influential role to play in broadening the dialogue with other principal international players, in particular the US, Russia and China.

Specific actions

55.  The Communication, though addressed to the Council, does not make specific proposals for the Council to adopt. However it envisages specific actions, some of which are already beginning to take place:

  • Making National/Government CERTs a key component of national capabilities;
  • Creating an EU-level Public/Private Partnership for resilience;
  • Launching an EU-level forum for Member States to share good practice and information relating to CIIs;
  • Creating an EU-level information sharing and alert system;
  • Running a national contingency planning exercise in every Member State, then a pan-European exercise, and planning for a global one; and
  • Working at EU and global levels on principles and guidelines for Internet resilience and stability.

56.  We consider some of these actions in the remainder of this chapter.

Computer Emergency Response Teams (CERTs)

57.  A Computer Emergency Response Team, or CERT, is an organisation that studies computer and network security in order to provide incident response services to victims of attacks, to publish alerts concerning vulnerabilities and threats, and to offer other information to help improve computer and network security.[36] A closely related organisation is the "abuse team" run by most Internet Service Providers to handle reports of incidents involving their customers.

58.  In the United Kingdom there are a number of CERTs; many large private sector companies have their own, and so do organisations with a common interest. An example is JANET. Their Chief Regulatory Adviser, Mr Andrew Cormack, explained that JANET is the United Kingdom's education network connecting all universities, colleges, regional schools networks and research organisations together and to the Internet. JANET is a large computer network used by up to 16 million people in the United Kingdom either as school pupils, as university students, as teachers or as researchers, "though most of them were probably unaware that we exist" (Q 49).

59.  The Government explained that CERTs are a critical part of dealing with Internet incidents, as they have the relevant expertise and experience to deal rapidly with any problems. Their view was that the CERT model found in the United Kingdom had so far proved very effective. But it was important that CERTs did not work in isolation, but maintained a close working relationship with other organisations with an interest in cyber incidents, such as the private sector and law enforcement (p 8). This was a view shared by ISSA-UK and the BCS: "CERTs are a useful, effective and essential response measure but they demand high standards of skills, training and rehearsal, and they are unlikely to have sufficient capacity to deal with widespread, multiple incidents, as might be encountered in a large-scale major cyber incident" (p 145).

60.  There are a number of Government CERTs set up to deal with Internet incidents. GovCertUK is the Government CERT for the public sector system, housed within GCHQ. It provides warnings, alerts and assistance in resolving serious IT incidents for the public sector. It works closely with the CPNI (Centre for the Protection of National Infrastructure, the Government authority that provides protective security advice to businesses and organisations across the national infrastructure) and with relevant law enforcement agencies, international CERT networks and, increasingly, the recently established CSOC (Cyber Security Operations Centre, the Government body responsible for defence against cyber-attacks, located in GCHQ). In addition to emergency response, GCHQ and CPNI provide warnings, alerts and assessment of information security products and services (pp 1-2).

61.  The United Kingdom does not currently have a national CERT in addition to sector and company specific CERTs. However the Commission propose that all Member States should set up national CERTs. Section 5.1 of the Communication invites Member States to "define … a minimum level of capabilities and services for National/Governmental CERTs and incident response operations in support to pan-European cooperation", and to "make sure National/Governmental CERTs act as the key component of national capability for preparedness, information sharing, coordination and response." The target for this is "end of 2011 for establishing well functioning National/Governmental CERTs in all Member States."

62.  On the face of it, this appears to be suggesting that all Member States, even those which like the United Kingdom already have a large and sophisticated CERT network, should establish a national CERT. If this is what is intended, there was a marked lack of support for the proposal from our witnesses.

63.  One of those most opposed to the Commission trying to impose national CERTs on Member States was Professor Anderson: "The problem is that national CERTs only have a fraction of the necessary expertise, and if you limit effective action to government bodies then you are in effect cutting out the communication service providers, the electric power companies, and the various other private utilities which, like it or not, control most of Europe's critical national infrastructure. You are also cutting out various NGOs and academics and others who have good expertise, and are also, for example in the case of the UK, probably marginalising other government bodies that have or are building relevant expertise, such as the National Physical Laboratory" (Q 239).

64.  Despite the apparently unequivocal language of the Communication, it is possible that the Commission intend this proposal to apply only to those Member States with less developed capacity to resist cyber-attacks. The Government thought it likely that the Commission were seeking to address the problem of Member States with little or no CERT capacity, and that it was unlikely that they would seek to impose a "one size fits all" model on Member States such as the United Kingdom which were "far advanced in this area" (p 9). Lord West of Spithead, the Parliamentary Under-Secretary of State at the Home Office and Minister for Security, said: "… we need to keep that under review, whether we should have a 'national' CERT or not, and it is something we are looking at. When one looks at some of the countries in the EU, they have no CERTs at all and they need to get a kick-start" (Q 288).

65.  Support for this interpretation of the Commission's true intention came from Mr Servida: "How you organise it [CERTs], whether it is just a national one or, the model which is the UK, different ones, is really up to the Member States" (Q 134). As one of the authors of the Communication, Mr Servida can be assumed to know what was intended. If that is the true intention, the words "all Member States" were poorly chosen.

66.  It is certainly the case that a number of Member States, mainly Eastern European, have very few CERTs. Until 2007 Estonia was a glaring example. ENISA told us that they focused their efforts on supporting the development of CERTs in Member States that were less well-developed than countries such as the United Kingdom through brokering relations between potential partners. They had worked with Hungary to provide expertise in the establishment of a national CERT in Bulgaria (p 74). The Government thought ENISA might be able to support less established CERTs in meeting the standards of trust and competence required to join the EGC (EU Government CERTs), a forum which does not currently cover every Member State (p 10).

67.  Dr Udo Helmbrecht, the Executive Director of ENISA, agreed that in smaller Member States with a less mature Internet industry a national CERT initially made sense, but thought this should not preclude them from subsequently having sector-specific CERTs as they became more sophisticated. It had been shown in the past that sector-specific CERTs worked very well because they understood the business. "In the end if we have CERTs in every sector or every Member State in a trusted communication then we shall have really improved something" (QQ 206-207).

68.  We believe that the Commission proposal as described in evidence to us and as defined in the preceding paragraphs could prove valuable and should be supported. Mr Cormack pointed out that still only about 25 per cent of European IP addresses had a CERT or an abuse team sitting somewhere above them. "There is therefore definitely a role for Government, European bodies, anyone, please, to try and help fill in those blanks on the map, the 75 per cent of IP addresses which, when I get an incident from them, I can do nothing about because I have no trusted contact" (Q 69).

69.  The Commission propose establishing national CERTs in all Member States. We agree that those Member States where there are too few or inadequate CERTs should be encouraged to set up national CERTs to replace or supplement them. The Government should support this proposal.

70.  None of our witnesses have suggested that the United Kingdom's current system of sector and company specific CERTs should be replaced by a national United Kingdom CERT, and we agree with them that there would be no advantage in this. The Government should explain that any suggestion that the United Kingdom and any other countries with a sophisticated CERT network should have to establish national CERTs would make no sense and would bring no added protection.

71.  We urge the Commission, when responding to our report, to clarify their intentions in this respect.

Public private partnerships

72.  Despite the fact that so much of the Internet infrastructure is privately owned and operated, an important lesson from the attack on Estonia was that when the extent of the problem became apparent, it was to the Government that people looked to sort the problem out. Not only do governments themselves believe that Critical National Infrastructure is a matter for them, but in times of crisis, citizens agree with that analysis. The importance of a genuine public private partnership is clear.[37]

73.  This seems in principle to be well understood. In their written evidence the Government told us that the United Kingdom had adopted a public private partnership model, where Government maintained a close working relationship with industry on a voluntary basis to ensure communications resilience—including that of the Internet. Their view was that to date this model had proved successful in enhancing the resilience of the communications sector. This, they thought, was something which the European Commission had realised, and they saw value in the Commission exploring what might be done on a multilateral basis within the European Union and how that might link with global initiatives in this area (p 8).

74.  We put to a number of witnesses the extent to which the Internet industry relies on the skills of private entrepreneurs, and asked them whether the often-repeated intention of involving them in this work was matched on the ground. For the Commission, Mr Servida went so far as to say: "The very pillar for intervention is the European public private partnership for resilience for which we have launched the idea." But when pressed to say what exactly was being done, the most he could say was: "We have started a process to engage at the European level with private sector and public bodies in Member States in order to see how to establish it. By the end of this year [2009] we will come forward with the road map and the plan is to launch it by mid 2010." He added that the Commission, while agreeing on the need to engage the private sector, saw this as a reason "why the private sector should come forward" (QQ 128, 129). We suggest that, on the contrary, this is a reason for the Commission to take the initiative, rather than wait for the private sector to do so.

75.  We would be better placed to assess the extent of the problem if we had received evidence from United Kingdom ISPs, but the only ISP which replied to our call for evidence was XS4ALL, a Dutch company. With the single exception of JANET(UK), the United Kingdom's networking companies, Internet trade bodies and Internet exchange points showed a similar lack of interest.

76.  We regret that United Kingdom Internet Service Providers and the rest of the commercial United Kingdom Internet industry should not have shown more interest in submitting evidence to this inquiry. This may be a reflection of their view that the Commission Communication will have little effect on them.

77.  Mr Smith told us that the Government had recast the European Communications Resilience and Response Group (ECRRG) "to try and bring the industry more into the centre of it, rather than Government leading this process" (Q 17).[38] Lord West explained that historically the Government had been involved with the industry, and that he had spoken to various groups in the telecommunications industry; the Communications and Electronic Security Group had been closely involved with them and there were very close Government links with BT and other providers. He added: "We need to develop mechanisms where we are talking to a much broader range of the innovative entrepreneurial businesses in the UK, but it is difficult to see quite how we can do that and still maintain this trusted environment, and that is the challenge we have" (QQ 278, 280).

78.  We agree that there is a challenge, and it seems plain to us that it has yet to be met. We share the view of ISSA-UK and the BCS: "In the security field, public-private partnerships tend to be talking shops rather than joint ventures. They are useful for sharing best practices but by themselves are unlikely to drive through the required levels of change" (p 145). Talking to the industry, and emphasising the importance of doing so, is a far cry from fully involving experienced Internet entrepreneurs in the formulation of Government policy. We regard this as essential if the policy is to be firmly grounded in reality, for the benefit of users and of the industry.

79.  It is clear to us that, despite good intentions, the involvement of Internet entrepreneurs in the formulation of Government policy is as yet at best superficial. Both the Government and the Commission seem to think that it is for the private sector to come forward. We think that, on the contrary, it is for the public sector to take the initiative and to offer to experienced Internet entrepreneurs a real say in how public private partnerships are best developed.

The EU and NATO

80.  The EU and NATO have a considerable overlap in their respective memberships. In an earlier report dealing with civil protection we have drawn attention to inadequate cooperation and coordination between the two bodies, so that the work of each tends too often to duplicate the work of the other, rather than complementing it.[39] Where cyber-attacks are launched against NATO Member States it is perhaps natural that NATO should see itself as having a significant part to play. We asked our witnesses whether NATO should in fact have a role, and if so, what this should be.

81.  Since the attacks on Estonia in 2007, NATO itself has been in no doubt that defending its Member States against cyber-attacks is one of its responsibilities. In October 2008 the Cooperative Cyber Defence Centre of Excellence, which had been set up in Tallinn in May 2008, was accredited to NATO by a decision of the North Atlantic Council. In April 2008 NATO had launched its Policy on Cyber Defence which allows for extended cyber defence if requested from NATO Member States. The new policy envisages a common coordinated approach to cyber defence and any response to cyber-attacks. It does not allow for pre-emptive operations, but reflects an understanding that militarised cyber-war is inherently escalatory. Through its Cyber Defence Management Authority (CDMA) established by the Policy, NATO has the authority to respond immediately to cyber-attacks on its Member States and to deploy support teams. It holds annual "red team" exercises aimed at engendering cooperation and awareness across the NATO community. NATO evidently hopes that its operations can provide a model of best practice that can filter down to national levels.[40]

82.  Dr Marsh told us: "There is no one way to protect the Internet; many organisations have a role to play in this and clearly NATO has a role itself in protecting certain networks, the EU has a role and national bodies have a role as well" (Q 34). However, Lord West was more doubtful that NATO had any part to play. Asked whether we should be looking more to NATO to protect the Internet, he replied that he did not regard them as the appropriate body unless an individual member's security was threatened: "If the security of one nation was involved we could draw on some of their abilities" (Q 275).

83.  Professor Anderson explained his reservations about NATO having a role. "First, on the technical side, NATO tried for many, many years and failed, for example, to get agreement between NATO Member States on technical standards for identifying friend and foe in the military ... The second reservation that I have about that is that, if you make NATO lead agency rather than the European Union or ENISA, you intrinsically make cooperation with the Russians much harder" (Q 250).

84.  It is unclear what the Commission's own views are about the involvement of NATO. The Communication itself has a single reference to NATO: "This initiative takes into account NATO activities on common policy on cyber defence, i.e. the Cyber Defence Management Authority and the Cooperative Cyber Defence Centre of Excellence." Just what account is taken of these matters, and whether, and if so how, they affect the Commission's proposals, is not vouchsafed. Nor, when we put to Mr Servida the question of cooperation between the two institutions, did we get a very satisfactory answer: "The relationship of the institution with NATO is mostly with Solana, the Office of External Relations and I must say that, in preparation of the policy proposal that is on the table today, Commissioner Reding actually met the Secretary-General of NATO at that time to address a very specific aspect, that is the aspect of how to work with the private sector" (Q 117). Mr Servida then explained some of the initiatives of NATO with the private sector, but we are still in the dark as to how the EU and NATO will, in planning protection against and combating major cyber-attacks, complement each other's work rather than duplicating it.

85.  The Communication mentions NATO only once. The EU and NATO should urgently develop their thinking on working together, and the Government should encourage this to happen, to achieve cooperation rather than duplication.

86.  Just as with other aspects of civil protection, there is considerable overlap between the roles of the EU and NATO in relation to cyber-attacks, and cooperation between them should be put on a more formal basis.

87.  The institutional changes introduced by the Treaty of Lisbon, and in particular the merging of the external relations responsibilities of the Commission and the Council Secretariat, should enable a more coherent approach to be taken.

Resilience exercises

88.  When he gave evidence to us early in November 2009 Mr Smith explained that on 11 and 12 November the Government would be running Exercise White Noise, the first major test in the United Kingdom of a (simulated) catastrophic communications failure (Q 39). The exercise would test the Government's strategic response to a widespread failure of the United Kingdom telecommunications system, lasting for a number of days. It was part of an ongoing programme of civil contingencies exercises that rehearsed and thereby improved the efficiency of the United Kingdom response to a range of emergency scenarios. A month after the exercise Mr Smith gave further details.

BOX 3
Exercise White Noise

The scenario focused on the consequences of a widespread failure of the United Kingdom Public Switched Telephone Network. The hypothetical failure was introduced through an unspecified technical error by a foreign operator with a connection to the United Kingdom. The effect of the failure was that all fixed line and mobile operators in the United Kingdom lost the ability to connect calls both within their own networks and between each other's systems; no voice telephony, either fixed line or mobile, was possible within the UK unless it was over either a private wire/network or Voice Over Internet Protocol (VOIP) telephony system. The simulated fault meant that the Internet and other forms of Internet Protocol communication (e.g. email and VOIP) were possible; however fax, dial-up Internet, mobile phones (including mobile data), international connections and access to the 999 service all failed under this scenario.
The focus of the exercise for Government was to mitigate the effects of the failure on citizens, while ensuring that the telecoms networks were restored to normal operation as quickly as possible. Telecoms operators needed to isolate their systems from each other in order to correct the fault and re-establish their ability to carry traffic over their networks. The United Kingdom telecoms network is in fact a complex set of interlinking networks, all owned by private companies. The interconnections and the flow of traffic between networks are determined by commercial contracts between individual telecoms companies. This makes establishing priorities for reconnection and co-ordination between the telecoms operators and Government following a major incident complex.[41]

89.  Mr Smith told us that the exercise was a success, as judged by the participants (over 95% of whom stated in the post-exercise survey that they had learned from the exercise), by Exercise Control and by the Department for Business, Innovation and Skills (BIS) as lead Department. The exercise identified some key areas where the response could be improved. These were being reviewed, and action would be taken over the coming year to address the issues (p 24). On 12 February 2010 Stephen Timms MP, a Parliamentary Under-Secretary of State at BIS, wrote to say he thought the exercise was realistic in terms of the pressure such an event would place on ministers and officials. It was in particular clear that the Government needed to work with the industry "to avoid the obvious problem of not being able to manage a communications failure through lack of communications" (p 111).

90.  In their Communication the Commission invite Member States "to develop national contingency plans and organise regular exercises for large-scale network security incident response and disaster recovery, as a step towards closer pan-European coordination". The target is for each Member State to run at least one national exercise by the end of 2010. This would lead to pan-European exercises on large-scale network security incidents; again, the target was to design and run the first such exercise by the end of 2010. Dr Udo Helmbrecht, the Executive Director of ENISA, told us that it was now part of ENISA's work programme that there should be an exercise in 2010. He added: "I know that the military community has a lot of expertise in how to do exercises, so we do not have to invent the wheel again" (Q 201).

91.  With the exception of Sweden, other Member States have not yet run such exercises, so it may be that a pan-European exercise would be premature and of limited use until at least the majority of Member States with a developed cyber system have run their own national exercises. As the Government said, this is an area where preparedness needs to be built up in individual Member States before becoming effective at EU level.[42] We understand from NATO's exercise director, Major Carlos S. Torralba, that NATO has run two cyber-exercises in the last two years, and that although the United Kingdom has participated in these only as an observer, it will play a full part in the exercise planned for 2010. Further annual exercises are planned, evidence of the importance which NATO continues to attach to the need for robust defences against cyber-attacks.

92.  We hope that the United Kingdom and other Member States with a capacity for protection against cyber-attacks will shape Commission thinking as to when a pan-European exercise might be of value. An exercise involving the US might be beneficial. This points again to the need for close cooperation between the EU and NATO.

Timescales

93.  In the case of much that is proposed in the Communication, our witnesses thought the suggested timetables were unrealistic, but particularly in the case of resilience exercises. In their Explanatory Memorandum, submitted in April 2009 less than a month after the publication of the Communication, and so still 20 months from the end of 2010, the Government described the timetable for emergency response exercises as "highly aspirational".[43] Mr Smith, who on the day he gave evidence to us was just concluding the organisation of Exercise White Noise, and was therefore particularly well-placed to speak, told us frankly: "What we worry about is how realistic this would be to expect every country to do this by the end of 2010—frankly, that is not going to happen—how realistic it is to have really large-scale exercises in Europe ... Again, that would be a major challenge, to put it politely, to do that in the next 18 months" (Q 39). Lord West felt able to be more forthright: "…the thought of a pan-European exercise on the scale they are talking about [by the end of 2010] is really not a starter. If they tried to do it, and it would be then probably without proper preparation, you would not learn anything from it, it would just be a bit of a mess." He suggested that the Commission should set their sights lower and do a rather smaller-scale exercise first of all, learn the lessons from that, see what problems and issues arose, and only then move to something bigger (Q 286).

94.  We agree with the Government that the Commission's timetable for a pan-European exercise in the course of this year is unrealistic. Instead, as a first step, they should encourage the majority of Member States to have carried out national resilience exercises by the end of the year.

95.  It is not only in the case of exercises that our witnesses thought many of the Commission's target dates over-ambitious. The Government referred to the view expressed in their Explanatory Memorandum, and added: "We have now clear evidence that the Commission is seeking to make progress on all of the key activities in the timescale envisaged. We still believe that some of the ideas for what Member States should do—particularly in terms of carrying out exercises—will prove to be unrealistic" (p 11).

96.  ISSA-UK and the BCS thought there were potential short-term matters, such as the establishment of a shared, global infrastructure and response capability to detect botnets, which could be achieved by the end of 2010, but added: "It is hard to imagine that any major change could be driven through in such a short timescale. Cyber security demands immediate attention but most change needs to evolve through distinct stages of process maturity over a number of years" (p 146). The Payments Council, the organisation responsible for developing tactical and strategic responses to threats to payment services, concluded: "This is an enduring problem that will require a well thought-through strategic response and it will therefore not be feasible to implement this by the end of 2010. Existing structures have taken many years to evolve and become effective following a process of trial and effort and numerous false starts. We recommend that the Commission takes this opportunity to adopt a more flexible approach that takes a longer term view, and that builds on existing successes rather than attempt to create too much that is new" (p 157).

97.  Mr Cormack, looking at the effect the proposed timetable would have on ENISA, described it as "quite an aggressive timescale," and thought that with their current resources ENISA would struggle with it (Q 102).

98.  It is not only in the case of resilience exercises that our witnesses thought many of the Commission's target dates over-ambitious. We hope the Commission will accept that changes that are meticulously prepared will be more valuable than any designed only to meet artificial deadlines.


31   COM(2009)149 final, Council document 8375/09. http://register.consilium.europa.eu/pdf/en/09/st08/st08375.en09.pdf

32   The impact assessment is in three parts and can be found at:
http://register.consilium.europa.eu/pdf/en/09/st08/st08375-ad01.en09.pdf,
http://register.consilium.europa.eu/pdf/en/09/st08/st08375-ad02.en09.pdf
and http://register.consilium.europa.eu/pdf/en/09/st08/st08375-ad03.en09.pdf.
A summary of the impact assessment can be found at:
http://register.consilium.europa.eu/pdf/en/09/st08/st08375-ad03.en09.pdf.

33   Summary of impact assessment, sections 4 and 5.

34   It is clear from the remainder of ENISA's evidence that it does not think it is for the EU as such "to act in case of major disruptions".

35   http://10.160.3.10:81/PIMS/Static%20Files/Extended%20File%20Scan%20Files/EUROPEAN_ SCRUTINY/European%20Explanatory%20Memorandum/ES%2030528.pdf

36   Definition taken from "Inventory of CERT activities in Europe", ENISA, September 2007.

37   The expression "public private partnership" is often used to describe the forum for the Private Finance Initiative (PFI). Like the Commission and the majority of our witnesses, we use it simply to indicate a close working relationship between governments and the private sector.

38   The Group brings together representatives of the telecommunications industry and the relevant Government departments, Ofcom and other bodies. It is chaired by a representative of the industry.

39   Civil Protection and Crisis Management in the European Union (6th Report, Session 2008-09, HL Paper 43).

40   Written evidence of Tim Stevens, p 162. See also the report of the NATO Parliamentary Assembly "NATO and Cyber Defence", http://www.nato-pa.int/Default.asp?SHORTCUT=1782.

41   Extracted from the supplementary evidence from the Department for Business, Innovation and Skills (BIS), pp 23-24.

42   Explanatory Memorandum, 28 April 2009, paragraph 14.

43   Ibid.


 

© Parliamentary copyright 2010