CHAPTER 6: SUMMARY OF CONCLUSIONS AND RECOMMENDATIONS
Resilience of the Internet
121. We are conscious that cyber-attacks, or
natural or man-made disasters, can cause acute disruption to the
Internet in the short term. However we believe that the United
Kingdom is reasonably well placed to cope with such disruptions.
We note that it is thought to be a leader among Member States,
with developed practices that set benchmarks for others to adopt.
(paragraph 28)
Is there a role for the EU?
122. We agree that the protection of the Member
States and their critical infrastructures from large-scale cyber-attacks
is a matter of legitimate concern to the EU. (paragraph 42)
123. We regard the primary role of the EU as
being to coordinate the activities of the Member States, spread
best practices, and bring the slowest Member States up to the
speed of the fastest. (paragraph 43)
124. The national security of Member States,
and the protection of critical information infrastructure as part
of it, is not a matter for the EU as such. (paragraph 44)
125. Any assessment of the role of the EU must
be made in a global context, recognising that the Internet has
no borders, and that many multinational companies operate both
within and outside the EU. (paragraph 45)
126. We believe that the Government and the EU
should be giving greater attention to how cyber-security could
be developed on a global basis. In particular, consideration needs
to be given to the gradual development of international rules
which will effectively discourage the launching of proxy attacks
from within the jurisdiction of some of the main users of the
Internet. (paragraph 46)
The Commission Communication
REACTION TO THE COMMUNICATION
127. We agree with those of our witnesses who
believe that a full assessment of the value of the Communication
as a whole will only be possible when we can see how it is followed
up, and whether it has in fact contributed to "protecting
Europe from large-scale cyber-attacks and disruptions by enhancing
preparedness, security and resilience", as its title envisages.
Meanwhile we share the broadly positive view of most of our witnesses.
(paragraph 53)
128. The Communication says little about the
role of the EU in a global context. In any proposals for
specific action, the Commission will need to pay particular attention
to the way they will fit into a global framework. We believe
that the more advanced Member States, the United Kingdom among
them, have an influential role to play in broadening the dialogue
with other principal international players, in particular the
US, Russia and China. (paragraph 54)
COMPUTER EMERGENCY RESPONSE TEAMS (CERTS)
129. The Commission propose establishing national
CERTs in all Member States. We agree that those Member States
where there are too few or inadequate CERTs should be encouraged
to set up national CERTs to replace or supplement them. The Government
should support this proposal. (paragraph 69)
130. None of our witnesses have suggested that
the United Kingdom's current system of sector and company specific
CERTs should be replaced by a national United Kingdom CERT, and
we agree with them that there would be no advantage in this. The
Government should explain that any suggestion that the United
Kingdom and any other countries with a sophisticated CERT network
should have to establish national CERTs would make no sense and
would bring no added protection. (paragraph 70)
131. We urge the Commission, when responding
to our report, to clarify their intentions in this respect. (paragraph 71)
PUBLIC PRIVATE PARTNERSHIPS
132. We regret that United Kingdom Internet Service
Providers and the rest of the commercial United Kingdom Internet
industry should not have shown more interest in submitting evidence
to this inquiry. This may be a reflection of their view that the
Commission Communication will have little effect on them. (paragraph 76)
133. It is clear to us that, despite good intentions,
the involvement of Internet entrepreneurs in the formulation of
Government policy is as yet at best superficial. Both the Government
and the Commission seem to think that it is for the private sector
to come forward. We think that, on the contrary, it is for the
public sector to take the initiative and to offer to experienced
Internet entrepreneurs a real say in how public private partnerships
are best developed. (paragraph 79)
THE EU AND NATO
134. The Communication mentions NATO only once.
The EU and NATO should urgently develop their thinking on working
together, and the Government should encourage this to happen,
to achieve cooperation rather than duplication. (paragraph 85)
135. Just as with other aspects of civil protection,
there is considerable overlap between the roles of the EU and
NATO in relation to cyber-attacks, and cooperation between them
should be put on a more formal basis. (paragraph 86)
136. The institutional changes introduced by
the Treaty of Lisbon, and in particular the merging of the external
relations responsibilities of the Commission and the Council Secretariat,
should enable a more coherent approach to be taken. (paragraph 87)
RESILIENCE EXERCISES
137. We hope that the United Kingdom and other
Member States with a capacity for protection against cyber-attacks
will shape Commission thinking as to when a pan-European exercise
might be of value. An exercise involving the US might be beneficial.
This points again to the need for close cooperation between the
EU and NATO. (paragraph 92)
TIMESCALES
138. We agree with the Government that the Commission's
timetable for a pan-European exercise in the course of this year
is unrealistic. Instead, as a first step they should encourage
the majority of Member States to have carried out national resilience
exercises by the end of the year. (paragraph 94)
139. It is not only in the case of resilience
exercises that our witnesses thought many of the Commission's
target dates over-ambitious. We hope the Commission will accept
that changes that are meticulously prepared will be more valuable
than any designed only to meet artificial deadlines. (paragraph 98)
ENISA (European Network and Information Security Agency)
MANAGEMENT AND STAFF
140. Even if there is no extension of ENISA's
mandate, we believe that consideration should be given to increasing
the number of staff to enable it to perform all its tasks satisfactorily.
(paragraph 105)
THE IMPACT OF THE COMMUNICATION ON ENISA'S MANDATE
141. We hope that ENISA, though not formally
involved in the EU legislative process, will through its Executive
Director, its Management Board and its Permanent Stakeholders
Group have an important voice in the drafting of the new mandate.
(paragraph 110)
142. We hope that agreement can be reached, well
before the expiry of the current mandate, on extending the work
of ENISA to matters such as police and judicial cooperation over
criminal use of the Internet, with a commensurate increase in
resources. (paragraph 111)
LOCATION
143. From the evidence we have received (though
not that of the Executive Director) we are convinced that the
decision to site ENISA at Heraklion was not taken on the basis
of a careful cost/benefit analysis, and that it has led and continues
to lead to problems over the recruitment and retention of staff,
and over the scheduling of meetings. (paragraph 118)
144. We welcome the fact that, to meet some of
these problems, the government of Greece has recently made facilities
available in Athens for ENISA meetings. We hope that any conference
facilities which ENISA may need there will be provided so that
it can function as efficiently as possible. (paragraph 119)
145. We urge the Government to ensure that, when
the question of location of EU agencies arises in the future,
the Member State in which the agency is to be located should take
into account the views of other Member States on the choice of
site within that country, and that all such decisions should be
taken only on the basis of a rigorous cost/benefit analysis. (paragraph 120)
Conclusion
146. We recommend this report to the House for
debate. (paragraph 6)