Sub-Committee F (Home Affairs) of the House of Lords Select Committee on the European Union is conducting an inquiry into EU policy on protecting Europe from large scale cyber-attacks.

Following on from the EU Directive 2008/114/EC "on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection", in March 2009 the EU Commission published a Communication on Critical National Infrastructure Protection entitled "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" (COM(2009)149 final, Council document 8375/09). This document was accompanied by 400+ pages of "Impact Assessment" (COM(2009)399 and 400, Council document 8375/09 ADD 1-4) setting out the background to the Commission's approach to this issue.

The Commission is concerned that an increasing number of vital services depend on digital systems, and in particular on a working Internet. Major economic or social damage could be caused if these digital systems are disrupted, either by "hacking" or "spamming" attacks, or as a result of technical failures, or as a side-effects of a natural disaster.

The Commission is especially concerned that intentional "cyber-attacks" are growing in sophistication and frequency, and that the risks that services now run are poorly understood and insufficiently analysed.

The proposal has four specific goals:

• bridge gaps in national policies for security and resilience of critical systems;
• enhance European governance of this area;
• improve Europe's incidence response capability;
• improve the resilience and stability of the Internet.

This inquiry will focus on what are the proper roles for the EU and its Member States in this important area, where many of the critical systems involved are operated by private industry and not—as was once the case for communications providers—by public bodies. The Sub-Committee welcomes evidence on all aspects of the inquiry, but in particular on the following issues:

Threat analysis

• How vulnerable is the Internet to wide-spread technical failures? To what extent is it likely to be affected by natural disasters?
• Are commercial companies doing enough to ensure the resilience and stability of the Internet, or is regulatory intervention unavoidable?
• The Commission is particularly concerned about cyber-attacks, and draws attention to events in Estonia in Spring 2007 and Georgia in August 2008. Is this concern justified?
• How concerned should be we be about criminally operated "botnets"? What evidence do we have that shows the scale of this problem, and the extent to which it can be tackled at the European level?

International responses

• The Commission believes that a pan-European approach is needed to identify and designate European Critical Infrastructures, and that national responses will be fragmented and inefficient. Is this analysis correct? Would multi-national companies be especially in favour of multi-national policies?
• The Commission draws attention to the emergence of "public-private partnerships" as the reference model for governance issues relating to critical infrastructure protection. However, they see no such partnerships at the European level and wish to encourage them. Are the Commission correct in this aim?
• Are there indeed market failures occurring so that there is inadequate preparation for high impact, low probability events? And if so, how should they be addressed?
• The Commission supports the European Information Sharing and Alert System (EISAS). Is it appropriate to develop this type of pan-European early warning and incident response capability?
• Are Government operated Computer Emergency Response Teams (CERTs) an appropriate mechanism for dealing with Internet incidents?
• Will the UK's existing approaches to this policy area be adversely affected by fitting in with a European-wide system—or will this lead to improvements?
• Is it sensible to develop European-centric approaches at all, or should there be much more emphasis on a worldwide approach? In particular, are US policies consistent with the proposed European approach to the problem?

European Network and Information Security Agency (ENISA)

• The Commission see a major role for ENISA in developing national CERTs, and in assessing the development and deployment of EISAS. Is ENISA an appropriate body for this work?
• Is ENISA being effective in its role, or does it need reform?

Timescales

• Most of the Commission's plans are to be put into practice by the end of 2010. Is this timescale realistic?