APPENDIX 4: THE COMMISSION COMMUNICATION
Communication from the Commission to the European
Parliament, the Council, the European Economic and Social Committee
and the Committee of the Regions on Critical Information Infrastructure
Protection: "Protecting Europe from large-scale cyber-attacks
and disruptions: enhancing preparedness, security and resilience"
Information and Communication Technologies (ICTs)
are increasingly intertwined in our daily activities. Some of
these ICT systems, services, networks and infrastructures (in
short, ICT infrastructures) form a vital part of European economy
and society, either providing essential goods and services or
constituting the underpinning platform of other critical infrastructures.
They are typically regarded as critical information infrastructures
(CIIs) as their disruption or destruction would have a serious
impact on vital societal functions. Recent examples include the
large-scale cyber-attacks targeting Estonia in 2007 and the breaks
of transcontinental cables in 2008.
The World Economic Forum estimated in 2008 that there
is a 10 to 20% probability of a major CII breakdown in the next
10 years, with a potential global economic cost of approximately
250 billion US$.
This Communication focuses on prevention, preparedness
and awareness and defines a plan of immediate actions to strengthen
the security and resilience of CIIs. This focus is consistent
with the debate launched at the request of the Council and the
European Parliament to addresses the challenges and priorities
for network and information security (NIS) policy and the most
appropriate instruments needed at EU level to tackle them. The
proposed actions are also complementary to those to prevent, fight
and prosecute criminal and terrorist activities targeting CIIs
and synergetic with current and prospective EU research efforts
in the field of network and information security, as well as with
international initiatives in this area.
2. The Policy Context
This Communication develops the European policy to
strengthen the security of and the trust in the information society.
Already in 2005, the Commission highlighted the urgent need to
coordinate efforts to build trust and confidence of stakeholders
in electronic communications and services. To this end a strategy
for a secure information society was adopted in 2006. Its main
elements, including the security and resilience of ICT infrastructures,
were endorsed in Council Resolution 2007/068/01. However, ownership
and implementation by stakeholders appear insufficient. This strategy
also strengthens the role, on tactical and operational levels,
of the European Network and Information Security Agency (ENISA),
established in 2004 to contribute to the goals of ensuring a high
and effective level of NIS within the Community and developing
a culture of NIS for the benefit of EU citizens, consumers, enterprises
In 2008 ENISA's mandate was extended 'à
l'identique' until March 2012. At the same time, the Council
and the European Parliament called for "further discussion
on the future of ENISA and on the general direction of the European
efforts towards an increased network and information security."
To support this debate, the Commission launched last November
an on-line public consultation, the analysis of which will be
made available shortly.
The activities planned in this Communication are
conducted under and in parallel to the European Programme for
Critical Infrastructure Protection (EPCIP). A key element of EPCIP
is the Directive on the identification and designation of European
Critical Infrastructures, which identifies the ICT sector as a
future priority sector. Another important element of EPCIP is
the Critical Infrastructure Warning Information Network (CIWIN).
On the regulatory side, the Commission proposal to
reform the Regulatory Framework for electronic communications
networks and services contains new provisions on security and
integrity, in particular to strengthen operators' obligations
to ensure that appropriate measures are taken to meet identified
risks, guarantee the continuity of supply of services and notify
security breaches. This approach is conducive to the general objective
of enhancing the security and resilience of CIIs. The European
Parliament and the Council broadly support these provisions.
The actions proposed in this Communication complement
existing and prospective measures in the area of police and judicial
cooperation to prevent, fight and prosecute criminal and terrorist
activities targeting ICT infrastructures, as envisaged inter alia
by the Council Framework Decision on attacks against information
systems and its planned
This initiative takes into account NATO activities
on common policy on cyber defence, i.e. the Cyber Defence Management
Authority and the Cooperative Cyber Defence Centre of Excellence.
Lastly, due account is given to international policy
developments, in particular to the G8 principles on CIIP; the
UN General Assembly Resolution 58/199 Creation of a global culture
of cybersecurity and the protection of critical information infrastructures
and the recent OECD Recommendation on the Protection of Critical
3. What is at Stake
3.1. Critical information infrastructures are
vital for the economy and societal growth of the EU
The economic and societal role of the ICT sector
and ICT infrastructures is highlighted in recent reports on innovation
and economic growth. This includes the Communication on i2010
mid-term review, the Aho Group report and the European Union yearly
economic reports. The OECD underlines the importance of ICTs and
the Internet "to boost economic performance and social
well-being, and to strengthen societies' capacity to improve the
quality of life for citizens worldwide". It further recommends
policies that strengthen confidence in the Internet infrastructure.
The ICT sector is vital for all segments of society.
Businesses rely on the ICT sector both in terms of direct sales
and for the efficiency of internal processes. ICTs are a critical
component of innovation and are responsible for nearly 40% of
productivity growth. ICTs are also pervasive for the work of governments
and public administrations: the uptake of eGovernment services
at all levels, as well as new applications such as innovative
solutions related to health, energy and political participation,
make the public sector heavily dependent on ICTs. Last, not least,
citizens increasingly rely on and use ICTs in their daily activities:
strengthening CII security would increase citizens' trust in ICTs,
not least thanks to a better protection of personal data and privacy.
3.2. The risks to critical information infrastructures
The risks due to man-made attacks, natural disasters
or technical failures are often not fully understood and/or sufficiently
analysed. Consequently, the level of awareness across stakeholders
is insufficient to devise effective safeguards and countermeasures.
Cyber-attacks have risen to an unprecedented level of sophistication.
Simple experiments are now turning into sophisticated activities
performed for profit or political reasons. The recent large scale
cyber-attacks on Estonia, Lithuania and Georgia are the most widely
covered examples of a general trend. The huge number of viruses,
worms and other forms of malware, the expansion of botnets and
the continuous rise of spam confirm the severity of the problem.
The high dependence on CIIs, their cross-border interconnectedness
and interdependencies with other infrastructures, as well as the
vulnerabilities and threats they face raise the need to address
their security and resilience in a systemic perspective as the
frontline of defence against failures and attacks.
3.3. Security and resilience of critical information
infrastructures to boost confidence in the information society
In order to ensure that ICT infrastructures are used
to their maximum extent, thus fully realising the economic and
social opportunities of the information society, all stakeholders
must have a high level of confidence and trust in them. This depends
on various elements, the most important of which is ensuring their
high level of security and resilience. Diversity, openness, interoperability,
usability, transparency, accountability, auditability of the different
components and competition are key drivers for security development
and stimulate the deployment of security-enhancing products, processes
and services. As the Commission already highlighted, this is a
shared responsibility: no single stakeholder has the means to
ensure the security and resilience of all ICT infrastructures
and to carry all the related responsibilities.
Taking up such responsibilities calls for a risk
management approach and culture, able to respond to known threats
and anticipate unknown future ones, without over-reacting and
stifling the emergence of innovative services and applications.
3.4. The challenges for Europe
In addition and complementarily to all the activities
related to the implementation of the Directive on the identification
and designation of the European Critical Infrastructures, in particular
the identification of ICT sector-specific criteria, a number of
broader challenges need to be addressed in order to strengthen
the security and resilience of CIIs.
3.4.1. Uneven and uncoordinated national approaches
Although there are commonalities among the challenges
and the issues faced, measures and regimes to ensure the security
and resilience of CIIs, as well as the level of expertise and
preparedness, differ across Member States.
A purely national approach runs the risk of producing
a fragmentation and inefficiency across Europe. Differences in
national approaches and the lack of systematic cross-border cooperation
substantially reduce the effectiveness of domestic countermeasures,
inter alia because, due to the interconnectedness of CIIs, a low
level of security and resilience of CIIs in a country has the
potential to increase vulnerabilities and risks in other ones.
To overcome this situation a European effort is needed
to bring added value to national policies and programmes by fostering
the development of awareness and common understanding of the challenges;
stimulating the adoption of shared policy objectives and priorities;
reinforcing cooperation between Member States and integrating
national policies in a more European and global dimension.
3.4.2. Need for a new European governance model
Enhancing the security and the resilience of CIIs
poses peculiar governance challenges. While Member States remain
ultimately responsible for defining CII-related policies, their
implementation depends on the involvement of the private sector,
which owns or controls a large number of CIIs. On the other hand,
markets do not always provide sufficient incentives for the private
sector to invest in the protection of CIIs at the level that governments
would normally demand.
To address this governance problem public-private
partnerships (PPPs) have emerged at the national level as the
reference model. However, despite the consensus that PPPs would
also be desirable on a European level, European PPPs have not
materialised so far. A Europe-wide multi-stakeholder governance
framework, which may include an enhanced role of ENISA, could
foster the involvement of the private sector in the definition
of strategic public policy objectives as well as operational priorities
and measures. This framework would bridge the gap between national
policy-making and operational reality on the ground.
3.4.3. Limited European early warning and incident
Governance mechanisms will be truly effective only
if all participants have reliable information to act upon. This
is particularly relevant for governments that have the ultimate
responsibility to ensure the security and well-being of citizens.
However, processes and practices for monitoring and
reporting network security incidents differ significantly across
Member States. Some do not have a reference organisation as a
monitoring point. More importantly, cooperation and information
sharing between Member States of reliable and actionable data
on security incidents appears underdeveloped, being either informal
or limited to bilateral or limitedly multilateral exchanges. In
addition, simulating incidents and running exercises to test response
capabilities are strategic in enhancing the security and resilience
of CIIs, in particular by focusing on flexible strategies and
processes for dealing with the unpredictability of potential crises.
In the EU, cybersecurity exercises are still in an embryonic state.
Exercises running across national boundaries are very limited.
As recent events showed, mutual aid is an essential element of
a proper response to large-scale threats and attacks to CIIs.
A strong European early warning and incident response
capability has to rely on well-functioning National/Governmental
Computer Emergency Response Teams (CERTs), i.e. having a common
baseline in terms of capabilities. These bodies need to act as
national catalysers of stakeholders' interests and capacity for
public policy activities (including those related to information
and alert sharing systems reaching out to citizens and SMEs) and
to engage in effective cross-border cooperation and information
exchange, possibly leveraging existing organisations such as the
European Governmental CERTs Group (EGC).
3.4.4. International cooperation
The rise of the Internet as a key CII requires particular
attention to its resilience and stability. The Internet, thanks
to its distributed, redundant design has proven to be a very robust
infrastructure. However, its phenomenal growth produced a rising
physical and logical complexity and the emergence of new services
and uses: it is fair to question the capability of the Internet
to withstand the rising number of disruptions and cyber-attacks.
The divergence of views on the criticality of the
elements making up the Internet partly explains the diversity
of governmental positions expressed in international fora and
the often contradicting perceptions of the importance of this
matter. This could hinder a proper prevention of, preparedness
for and ability to recover from threats affecting the Internet.
For example, the consequences of the transition from IPv4 to IPv6
should also be assessed in terms of CII security.
The Internet is a global and highly distributed network
of networks, with control centres not necessarily following national
boundaries. This calls for a specific, targeted approach in order
to ensure its resilience and stability, based on two converging
measures. First, achieving a common consensus on the European
priorities for the resilience and stability of the Internet, in
terms of public policy and of operational deployment. Secondly,
engaging the global community to develop a set of principles,
reflecting European core values, for Internet resilience and stability,
in the framework of our strategic dialogue and cooperation with
third countries and international organisations. These activities
would build upon the recognition by the World Summit on Information
Society of the key importance of the stability of the Internet.
4. The Way Forward: towards more EU Coordination
Because of the Community and international dimension
of the problem an integrated EU approach to enhance the security
and resilience of CIIs would complement and add value to national
programmes as well as to the existing bilateral and multilateral
cooperation schemes between Member States.
Public policy discussions in the aftermath of the
events in Estonia suggest that the effects of similar attacks
can be limited by preventive measures and by coordinated action
during the actual crisis. A more structured exchange of information
and good practices across the EU could considerably facilitate
fighting cross-border threats.
It is necessary to strengthen the existing instruments
for cooperation, including ENISA, and, if necessary, create new
tools. A multi-stakeholder, multi-level approach is essential,
taking place at the European level while fully respecting and
complementing national responsibilities.
A thorough understanding of the environment and constraints
is necessary. For example, the distributed nature of the Internet,
where edge nodes can be used as vectors of attack, e.g. botnets,
is a concern. However, this distributed nature is a key component
of stability and resilience and can help a faster recovery than
would normally be the case with overformalised, top-down procedures.
This calls for a cautious, case-by-case analysis of public policies
and operational procedures to put in place.
The time horizon is also important. There is a clear
need to act now and put rapidly in place the necessary elements
to build a framework that will enable us to respond to current
challenges and that will feed into the future strategy for network
and information security.
Five pillars are proposed to tackle these challenges:
(1) Preparedness and prevention: to ensure
preparedness at all levels;
(2) Detection and response: to provide adequate early warning
(3) Mitigation and recovery: to reinforce EU defence mechanisms
(4) International cooperation: to promote EU priorities internationally;
(5) Criteria for the ICT sector: to support the implementation
of the Directive on the Identification and Designation of European
5. The Action Plan
5.1. Preparedness and prevention
5.2. Detection and response
5.3. Mitigation and recovery
5.4. International cooperation
5.5. Criteria for European Critical Infrastructures
in the ICT sector
Security and resilience of CIIs are the frontline
of defence against failures and attacks. Their enhancement across
the EU is essential to reap the full benefits of the information
society. To achieve this ambitious objective an action plan is
proposed to reinforce the tactical and operational cooperation
at the European level. The success of these actions depends on
their effectiveness to build upon and benefit public and private
sector's activities, on the commitment and full participation
of Member States, European Institutions and stakeholders.
To this end, a Ministerial Conference will take place
on 27-28 April 2009 to discuss the proposed initiatives with Member
States and to mark their commitment to the debate on a modernised
and reinforced NIS policy in Europe.
Lastly, enhancing the security and resilience of
CIIs is a long term objective, whose strategy and measures need
regular assessments. Therefore, since this goal is consistent
with the general debate on the future of network and information
security policy in the EU after 2012, the Commission will initiate
a stock-taking exercise toward the end of 2010, in order to evaluate
the first phase of actions and to identify and propose further
measures, as appropriate.