APPENDIX 3: CALL FOR EVIDENCE
Sub-Committee F (Home Affairs) of the House of Lords
Select Committee on the European Union is conducting an inquiry
into EU policy on protecting Europe from large scale cyber-attacks.
Following on from the EU Directive 2008/114/EC "on
the identification and designation of European critical infrastructures
and the assessment of the need to improve their protection",
in March 2009 the EU Commission published a Communication on Critical
National Infrastructure Protection entitled "Protecting Europe
from large scale cyber-attacks and disruptions: enhancing preparedness,
security and resilience" (COM(2009)149 final, Council document
8375/09). This document was accompanied by 400+ pages of "Impact
Assessment" (COM(2009)399 and 400, Council document 8375/09
ADD 1-4) setting out the background to the Commission's approach
to this issue.
The Commission is concerned that an increasing number
of vital services depend on digital systems, and in particular
on a working Internet. Major economic or social damage could be
caused if these digital systems are disrupted, either by "hacking"
or "spamming" attacks, or as a result of technical failures,
or as a side-effects of a natural disaster.
The Commission is especially concerned that intentional
"cyber-attacks" are growing in sophistication and frequency,
and that the risks that services now run are poorly understood
and insufficiently analysed.
The proposal has four specific goals:
- bridge gaps in national policies for security
and resilience of critical systems;
- enhance European governance of this area;
- improve Europe's incidence response capability;
- improve the resilience and stability of the Internet.
This inquiry will focus on what are the proper roles
for the EU and its Member States in this important area, where
many of the critical systems involved are operated by private
industry and notas was once the case for communications
providersby public bodies. The Sub-Committee welcomes evidence
on all aspects of the inquiry, but in particular on the following
- How vulnerable is the Internet to wide-spread
technical failures? To what extent is it likely to be affected
by natural disasters?
- Are commercial companies doing enough to ensure
the resilience and stability of the Internet, or is regulatory
- The Commission is particularly concerned about
cyber-attacks, and draws attention to events in Estonia in Spring
2007 and Georgia in August 2008. Is this concern justified?
- How concerned should be we be about criminally
operated "botnets"? What evidence do we have that shows
the scale of this problem, and the extent to which it can be tackled
at the European level?
- The Commission believes that a pan-European approach
is needed to identify and designate European Critical Infrastructures,
and that national responses will be fragmented and inefficient.
Is this analysis correct? Would multi-national companies be especially
in favour of multi-national policies?
- The Commission draws attention to the emergence
of "public-private partnerships" as the reference model
for governance issues relating to critical infrastructure protection.
However, they see no such partnerships at the European level and
wish to encourage them. Are the Commission correct in this aim?
- Are there indeed market failures occurring so
that there is inadequate preparation for high impact, low probability
events? And if so, how should they be addressed?
- The Commission supports the European Information
Sharing and Alert System (EISAS). Is it appropriate to develop
this type of pan-European early warning and incident response
- Are Government operated Computer Emergency Response
Teams (CERTs) an appropriate mechanism for dealing with Internet
- Will the UK's existing approaches to this policy
area be adversely affected by fitting in with a European-wide
systemor will this lead to improvements?
- Is it sensible to develop European-centric approaches
at all, or should there be much more emphasis on a worldwide approach?
In particular, are US policies consistent with the proposed European
approach to the problem?
European Network and Information Security Agency
- The Commission see a major role for ENISA in
developing national CERTs, and in assessing the development and
deployment of EISAS. Is ENISA an appropriate body for this work?
- Is ENISA being effective in its role, or does
it need reform?
- Most of the Commission's plans are to be put
into practice by the end of 2010. Is this timescale realistic?