APPENDIX 4: THE COMMISSION COMMUNICATION
Communication from the Commission to the European
Parliament, the Council, the European Economic and Social Committee
and the Committee of the Regions on Critical Information Infrastructure
Protection: "Protecting Europe from large-scale cyber-attacks
and disruptions: enhancing preparedness, security and resilience"
1. Introduction
Information and Communication Technologies (ICTs)
are increasingly intertwined in our daily activities. Some of
these ICT systems, services, networks and infrastructures (in
short, ICT infrastructures) form a vital part of European economy
and society, either providing essential goods and services or
constituting the underpinning platform of other critical infrastructures.
They are typically regarded as critical information infrastructures
(CIIs) as their disruption or destruction would have a serious
impact on vital societal functions. Recent examples include the
large-scale cyber-attacks targeting Estonia in 2007 and the breaks
of transcontinental cables in 2008.
The World Economic Forum estimated in 2008 that there
is a 10 to 20% probability of a major CII breakdown in the next
10 years, with a potential global economic cost of approximately
250 billion US$.
This Communication focuses on prevention, preparedness
and awareness and defines a plan of immediate actions to strengthen
the security and resilience of CIIs. This focus is consistent
with the debate launched at the request of the Council and the
European Parliament to address the challenges and priorities
for network and information security (NIS) policy and the most
appropriate instruments needed at EU level to tackle them. The
proposed actions are also complementary to those to prevent, fight
and prosecute criminal and terrorist activities targeting CIIs
and synergetic with current and prospective EU research efforts
in the field of network and information security, as well as with
international initiatives in this area.
2. The Policy Context
This Communication develops the European policy to
strengthen the security of and the trust in the information society.
Already in 2005, the Commission highlighted the urgent need to
coordinate efforts to build trust and confidence of stakeholders
in electronic communications and services. To this end a strategy
for a secure information society was adopted in 2006. Its main
elements, including the security and resilience of ICT infrastructures,
were endorsed in Council Resolution 2007/068/01. However, ownership
and implementation by stakeholders appear insufficient. This strategy
also strengthens the role, on tactical and operational levels,
of the European Network and Information Security Agency (ENISA),
established in 2004 to contribute to the goals of ensuring a high
and effective level of NIS within the Community and developing
a culture of NIS for the benefit of EU citizens, consumers, enterprises
and administrations.
In 2008 ENISA's mandate was extended 'à
l'identique' until March 2012. At the same time, the Council
and the European Parliament called for "further discussion
on the future of ENISA and on the general direction of the European
efforts towards an increased network and information security."
To support this debate, the Commission launched last November
an on-line public consultation, the analysis of which will be
made available shortly.
The activities planned in this Communication are
conducted under and in parallel to the European Programme for
Critical Infrastructure Protection (EPCIP). A key element of EPCIP
is the Directive on the identification and designation of European
Critical Infrastructures, which identifies the ICT sector as a
future priority sector. Another important element of EPCIP is
the Critical Infrastructure Warning Information Network (CIWIN).
On the regulatory side, the Commission proposal to
reform the Regulatory Framework for electronic communications
networks and services contains new provisions on security and
integrity, in particular to strengthen operators' obligations
to ensure that appropriate measures are taken to meet identified
risks, guarantee the continuity of supply of services and notify
security breaches. This approach is conducive to the general objective
of enhancing the security and resilience of CIIs. The European
Parliament and the Council broadly support these provisions.
The actions proposed in this Communication complement
existing and prospective measures in the area of police and judicial
cooperation to prevent, fight and prosecute criminal and terrorist
activities targeting ICT infrastructures, as envisaged inter alia
by the Council Framework Decision on attacks against information
systems and its planned update.
This initiative takes into account NATO activities
on common policy on cyber defence, i.e. the Cyber Defence Management
Authority and the Cooperative Cyber Defence Centre of Excellence.
Lastly, due account is given to international policy
developments, in particular to the G8 principles on CIIP; the
UN General Assembly Resolution 58/199 Creation of a global culture
of cybersecurity and the protection of critical information infrastructures
and the recent OECD Recommendation on the Protection of Critical
Information Infrastructures.
3. What is at Stake
3.1. Critical information infrastructures are vital for the economy and societal growth of the EU
The economic and societal role of the ICT sector
and ICT infrastructures is highlighted in recent reports on innovation
and economic growth. This includes the Communication on i2010
mid-term review, the Aho Group report and the European Union yearly
economic reports. The OECD underlines the importance of ICTs and
the Internet "to boost economic performance and social
well-being, and to strengthen societies' capacity to improve the
quality of life for citizens worldwide". It further recommends
policies that strengthen confidence in the Internet infrastructure.
The ICT sector is vital for all segments of society.
Businesses rely on the ICT sector both in terms of direct sales
and for the efficiency of internal processes. ICTs are a critical
component of innovation and are responsible for nearly 40% of
productivity growth. ICTs are also pervasive for the work of governments
and public administrations: the uptake of eGovernment services
at all levels, as well as new applications such as innovative
solutions related to health, energy and political participation,
make the public sector heavily dependent on ICTs. Last but not least,
citizens increasingly rely on and use ICTs in their daily activities:
strengthening CII security would increase citizens' trust in ICTs,
not least thanks to a better protection of personal data and privacy.
3.2. The risks to critical information infrastructures
The risks due to man-made attacks, natural disasters
or technical failures are often not fully understood and/or sufficiently
analysed. Consequently, the level of awareness across stakeholders
is insufficient to devise effective safeguards and countermeasures.
Cyber-attacks have risen to an unprecedented level of sophistication.
Simple experiments are now turning into sophisticated activities
performed for profit or political reasons. The recent large-scale
cyber-attacks on Estonia, Lithuania and Georgia are the most widely
covered examples of a general trend. The huge number of viruses,
worms and other forms of malware, the expansion of botnets and
the continuous rise of spam confirm the severity of the problem.
The high dependence on CIIs, their cross-border interconnectedness
and interdependencies with other infrastructures, as well as the
vulnerabilities and threats they face raise the need to address
their security and resilience in a systemic perspective as the
frontline of defence against failures and attacks.
3.3. Security and resilience of critical information infrastructures to boost confidence in the information society
In order to ensure that ICT infrastructures are used
to their maximum extent, thus fully realising the economic and
social opportunities of the information society, all stakeholders
must have a high level of confidence and trust in them. This depends
on various elements, the most important of which is ensuring their
high level of security and resilience. Diversity, openness, interoperability,
usability, transparency, accountability, auditability of the different
components and competition are key drivers for security development
and stimulate the deployment of security-enhancing products, processes
and services. As the Commission already highlighted, this is a
shared responsibility: no single stakeholder has the means to
ensure the security and resilience of all ICT infrastructures
and to carry all the related responsibilities.
Taking up such responsibilities calls for a risk
management approach and culture, able to respond to known threats
and anticipate unknown future ones, without over-reacting and
stifling the emergence of innovative services and applications.
3.4. The challenges for Europe
In addition and complementarily to all the activities
related to the implementation of the Directive on the identification
and designation of the European Critical Infrastructures, in particular
the identification of ICT sector-specific criteria, a number of
broader challenges need to be addressed in order to strengthen
the security and resilience of CIIs.
3.4.1. Uneven and uncoordinated national approaches
Although there are commonalities among the challenges
and the issues faced, measures and regimes to ensure the security
and resilience of CIIs, as well as the level of expertise and
preparedness, differ across Member States.
A purely national approach runs the risk of producing
fragmentation and inefficiency across Europe. Differences in
national approaches and the lack of systematic cross-border cooperation
substantially reduce the effectiveness of domestic countermeasures,
inter alia because, due to the interconnectedness of CIIs, a low
level of security and resilience of CIIs in a country has the
potential to increase vulnerabilities and risks in other ones.
To overcome this situation a European effort is needed
to bring added value to national policies and programmes by fostering
the development of awareness and common understanding of the challenges;
stimulating the adoption of shared policy objectives and priorities;
reinforcing cooperation between Member States and integrating
national policies in a more European and global dimension.
3.4.2. Need for a new European governance model for CIIs
Enhancing the security and the resilience of CIIs
poses peculiar governance challenges. While Member States remain
ultimately responsible for defining CII-related policies, their
implementation depends on the involvement of the private sector,
which owns or controls a large number of CIIs. On the other hand,
markets do not always provide sufficient incentives for the private
sector to invest in the protection of CIIs at the level that governments
would normally demand.
To address this governance problem public-private
partnerships (PPPs) have emerged at the national level as the
reference model. However, despite the consensus that PPPs would
also be desirable on a European level, European PPPs have not
materialised so far. A Europe-wide multi-stakeholder governance
framework, which may include an enhanced role of ENISA, could
foster the involvement of the private sector in the definition
of strategic public policy objectives as well as operational priorities
and measures. This framework would bridge the gap between national
policy-making and operational reality on the ground.
3.4.3. Limited European early warning and incident response capability
Governance mechanisms will be truly effective only
if all participants have reliable information to act upon. This
is particularly relevant for governments that have the ultimate
responsibility to ensure the security and well-being of citizens.
However, processes and practices for monitoring and
reporting network security incidents differ significantly across
Member States. Some do not have a reference organisation as a
monitoring point. More importantly, cooperation and information
sharing between Member States of reliable and actionable data
on security incidents appears underdeveloped, being either informal
or limited to bilateral or limited multilateral exchanges. In
addition, simulating incidents and running exercises to test response
capabilities are strategic in enhancing the security and resilience
of CIIs, in particular by focusing on flexible strategies and
processes for dealing with the unpredictability of potential crises.
In the EU, cybersecurity exercises are still in an embryonic state.
Exercises running across national boundaries are very limited.
As recent events showed, mutual aid is an essential element of
a proper response to large-scale threats and attacks to CIIs.
A strong European early warning and incident response
capability has to rely on well-functioning National/Governmental
Computer Emergency Response Teams (CERTs), i.e. having a common
baseline in terms of capabilities. These bodies need to act as
national catalysers of stakeholders' interests and capacity for
public policy activities (including those related to information
and alert sharing systems reaching out to citizens and SMEs) and
to engage in effective cross-border cooperation and information
exchange, possibly leveraging existing organisations such as the
European Governmental CERTs Group (EGC).
3.4.4. International cooperation
The rise of the Internet as a key CII requires particular
attention to its resilience and stability. The Internet, thanks
to its distributed, redundant design has proven to be a very robust
infrastructure. However, its phenomenal growth produced a rising
physical and logical complexity and the emergence of new services
and uses: it is fair to question the capability of the Internet
to withstand the rising number of disruptions and cyber-attacks.
The divergence of views on the criticality of the
elements making up the Internet partly explains the diversity
of governmental positions expressed in international fora and
the often contradicting perceptions of the importance of this
matter. This could hinder a proper prevention of, preparedness
for and ability to recover from threats affecting the Internet.
For example, the consequences of the transition from IPv4 to IPv6
should also be assessed in terms of CII security.
The Internet is a global and highly distributed network
of networks, with control centres not necessarily following national
boundaries. This calls for a specific, targeted approach in order
to ensure its resilience and stability, based on two converging
measures. First, achieving a common consensus on the European
priorities for the resilience and stability of the Internet, in
terms of public policy and of operational deployment. Secondly,
engaging the global community to develop a set of principles,
reflecting European core values, for Internet resilience and stability,
in the framework of our strategic dialogue and cooperation with
third countries and international organisations. These activities
would build upon the recognition by the World Summit on Information
Society of the key importance of the stability of the Internet.
4. The Way Forward: towards more EU Coordination and Cooperation
Because of the Community and international dimension
of the problem, an integrated EU approach to enhance the security
and resilience of CIIs would complement and add value to national
programmes as well as to the existing bilateral and multilateral
cooperation schemes between Member States.
Public policy discussions in the aftermath of the
events in Estonia suggest that the effects of similar attacks
can be limited by preventive measures and by coordinated action
during the actual crisis. A more structured exchange of information
and good practices across the EU could considerably facilitate
fighting cross-border threats.
It is necessary to strengthen the existing instruments
for cooperation, including ENISA, and, if necessary, create new
tools. A multi-stakeholder, multi-level approach is essential,
taking place at the European level while fully respecting and
complementing national responsibilities.
A thorough understanding of the environment and constraints
is necessary. For example, the distributed nature of the Internet,
where edge nodes can be used as vectors of attack, e.g. botnets,
is a concern. However, this distributed nature is a key component
of stability and resilience and can help a faster recovery than
would normally be the case with overformalised, top-down procedures.
This calls for a cautious, case-by-case analysis of public policies
and operational procedures to put in place.
The time horizon is also important. There is a clear
need to act now and put rapidly in place the necessary elements
to build a framework that will enable us to respond to current
challenges and that will feed into the future strategy for network
and information security.
Five pillars are proposed to tackle these challenges:
(1) Preparedness and prevention: to ensure preparedness at all levels;
(2) Detection and response: to provide adequate early warning mechanisms;
(3) Mitigation and recovery: to reinforce EU defence mechanisms for CII;
(4) International cooperation: to promote EU priorities internationally;
(5) Criteria for the ICT sector: to support the implementation of the Directive on the Identification and Designation of European Critical Infrastructures.
5. The Action Plan
5.1. Preparedness and prevention

5.2. Detection and response

5.3. Mitigation and recovery

5.4. International cooperation

5.5. Criteria for European Critical Infrastructures in the ICT sector

6. Conclusions
Security and resilience of CIIs are the frontline
of defence against failures and attacks. Their enhancement across
the EU is essential to reap the full benefits of the information
society. To achieve this ambitious objective an action plan is
proposed to reinforce the tactical and operational cooperation
at the European level. The success of these actions depends on
how effectively they build upon and benefit the activities of the
public and private sectors, and on the commitment and full participation
of Member States, European Institutions and stakeholders.
To this end, a Ministerial Conference will take place
on 27-28 April 2009 to discuss the proposed initiatives with Member
States and to mark their commitment to the debate on a modernised
and reinforced NIS policy in Europe.
Lastly, enhancing the security and resilience of
CIIs is a long term objective, whose strategy and measures need
regular assessments. Therefore, since this goal is consistent
with the general debate on the future of network and information
security policy in the EU after 2012, the Commission will initiate
a stock-taking exercise toward the end of 2010, in order to evaluate
the first phase of actions and to identify and propose further
measures, as appropriate.