Protecting Europe against large-scale cyber-attacks - European Union Committee Contents


Memorandum by European Network and Information Security Agency (ENISA)

  The European Network and Information Security Agency (ENISA) very much welcomes this inquiry. Critical Information Infrastructures are nowadays an essential component underpinning economic and social life and development. Computing and communications networks are becoming as ubiquitous as those for electricity supply, and the electricity, computing and communications infrastructures now have to be intertwined in order to operate successfully. The security of communication networks and information systems is therefore of the highest concern to society.

In this regard, ENISA warmly welcomes the EU Commission's Communication on Critical Information Infrastructure Protection (CIIP), which provides the clearest framework yet for enabling Europe to act in case of major disruptions. Attacks in Estonia and elsewhere underline the importance of increasing Europe's capacity to protect information infrastructure. Increased resilience is required even against prosaic accidents and natural disasters if these infrastructures are to fully support the demands for ever-higher levels of service quality and sustainability placed on them by contemporary commercial and social activity. But we realise that many of the decisive details for the practical implementation of this framework have still to be identified and refined. This area of good practice is where ENISA fits in and plays an active role.

  In our contributions below, we will endeavour to provide answers to the questions that are as informative and useful as possible. It will be appreciated that the specifics of ENISA's mandate mean that it would be inappropriate for us to address all the questions, and that we have to be circumscribed in answering others. But we hope that it is equally appreciated that we need to address more than the two specific questions concerning ENISA directly in order to provide the necessary context.

1.  THREAT ANALYSIS

1(a)  How vulnerable is the Internet to wide-spread technical failures? To what extent is it likely to be affected by natural disaster?

  The Internet is a complex system of interconnected networks and services (hence "inter-net"). It was not built with security in mind: there is no security-by-design in its architecture. The functioning and security of this system depend upon the contributions of a range of actors that are at the moment largely un-coordinated, many of them reluctant and/or unable to take responsibility for ensuring the security of the system as a whole. This makes the Internet vulnerable to the growth in threats and to their inter-connected nature.

  Due to its high level of redundancy, the Internet should be able to withstand many disruptive events better than traditional communication technologies, whose architectures are often highly robust but only up to critical break-points. Internet communications, by contrast, while more sustainable than traditional ones in acute situations, degrade quickly in quality, such that only the most basic data services remain viable (speech, and even more so video, are the first to fail). In addition, it is worth noting that the Internet is implemented using a standard set of communications protocols: any failure within this "protocol stack" could have devastating consequences.

1(b)  Is the Internet industry doing enough to ensure the resilience and stability of the Internet, or is regulatory intervention unavoidable? What are the cost implications if the industry volunteers, or is forced, to do more?

  The short answer is no. The "Internet industry" is actually a composite of many sets of commercial activity, from basic access provision, through service provision of many kinds to applications development. In addition, provision of these activities for Internet communications by commercial entities overlap with provision of the same, similar or related ones in other markets. It is thus hard to say who should be doing what "to ensure the resilience of the Internet" in a singular sense.

  A consequence of this is that businesses often see network and information security as a cost rather than as something positive. This is particularly true for SMEs, which have fewer resources than large corporations, both to spend on assessing the risks they might face online and to implement ongoing improvements and security updates.

  Simple regulatory intervention to address this situation significantly would be difficult, however, because of the plethora of different entities and the variety of markets to which they might properly be designated as relevant (eg telecommunications, media, software). Partly as a result of this, but also because the un-regulated nature of the Internet has enabled innovation (including in security and threat technology!) to flourish, improving resilience is primarily being addressed by focusing on the identification and development of best practices and appropriate technologies, and on cooperative frameworks for disseminating these amongst relevant entities.

  Having said this, no one would claim that the current generation of Internet technologies is the best possible for ensuring sustainable, high-quality communications. The current Internet has grown faster and more widely than its original designers had any conception of.

  But the various sectors that make up the "Internet industry" have been cooperating intensively on developing a range of more robust and secure next-generation technologies, such as DNSSEC. The main hold-up in the deployment of these has to do with factors not of a regulatory kind but of market incentives and leadership.

1(c)  The Commission is particularly concerned about cyber-attacks, and draws attention to events in Estonia in Spring 2007 and Georgia in August 2008. Is this concern justified?

  ENISA believes that this concern is justified. Cyber-attacks are part of a wide range of factors that can impact the resilience of communications networks and undermine the economic activities that rely upon them. We share the Commission's concern; we would also note that cyber-attacks are of particular concern for four reasons.

  First, they are structured. As mentioned above, the Internet is able to withstand a certain degree of disruption to its infrastructure; with structured attacks, however, this disruption can be modulated and directed so as to thwart the response to disruption in any one part of the infrastructure. For instance, Internet routers will identify when another router is overloaded or made inactive by an attack or natural disaster, and will then search for other routers that are still available by sending requests for availability. Attacks can be designed to do exactly the same thing (perhaps by hijacking the router software that performs this function) and then use this information to overload or otherwise disable those routers that had indicated they were available.

  Second, as attacks become more sophisticated in their technological design (able to be more targeted) they become potentially capable of bringing down ever more specific services according to the agenda of the attacker. To take an analogy, large, unsophisticated nuclear weapons were not of much use other than in catastrophic survival scenarios; more sophisticated, targeted and varied capacity nuclear weapons are far more capable of being deployed to achieve a menu of objectives.

  Third, we do not know the magnitude, extent or intent of the "botnets" that are often used to launch such attacks. As a result, it is harder to build calculated models of resilience and response than with natural disasters (other than of a cataclysmic kind, of course).

  Fourth, the probability of cyber-attacks is increasingly high in comparison with natural disasters. Indeed, small attacks occur on a daily basis.
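The failover-hijack mechanism sketched under the first reason above, reduced to a toy simulation. This is an added example and is not part of ENISA's memorandum; the pool of ten routers, the per-router capacity, the total demand and the `probe_availability` function are assumptions chosen for illustration. The point it makes concrete is the one in the text: the same availability probe that lets traffic move around a failed router, if run by the attacker, turns a resilient pool into one that loses exactly as much capacity as the attacker has hits, whereas undirected disruption with the same budget wastes hits on routers that are already down.

```python
import random

# Constructed toy parameters (assumptions, not figures from the memorandum).
ROUTER_CAPACITY = 100   # traffic units one router carries before it saturates
TOTAL_DEMAND = 800      # traffic units the pool must carry in total
POOL_SIZE = 10          # routers in the pool; two more than demand needs (redundancy)


def probe_availability(routers):
    """The failover step: ask every router whether it is still up.

    In a real network this is the keepalive / neighbour-discovery exchange that
    lets traffic route around a failed router. An attacker who hijacks the
    software performing this step learns exactly the same list.
    """
    return [name for name, up in routers.items() if up]


def delivered(routers):
    """Traffic the pool still carries: the demand is spread over the routers
    that answered the probe, each carrying at most ROUTER_CAPACITY units."""
    alive = probe_availability(routers)
    return min(TOTAL_DEMAND, ROUTER_CAPACITY * len(alive))


def unstructured_disruption(routers, hits, rng):
    """Accident-like disruption: each hit lands on a router chosen at random,
    with no knowledge of its state. A hit on a router that is already down is
    wasted, which is why redundancy absorbs this kind of event well."""
    for _ in range(hits):
        routers[rng.choice(list(routers))] = False


def structured_attack(routers, hits):
    """Directed attack: before every hit the attacker runs the same availability
    probe the failover logic runs, and spends the hit only on a router that has
    just announced itself available. No hit is wasted, and each one removes the
    router the network was about to fail over to."""
    for _ in range(hits):
        alive = probe_availability(routers)
        if not alive:
            break
        routers[alive[0]] = False


def compare(hits, seed=0):
    """Return (units delivered after unstructured disruption,
               units delivered after a structured attack)
    for the same hit budget applied to two identical fresh pools."""
    rng = random.Random(seed)
    pool_accident = {f"r{i}": True for i in range(POOL_SIZE)}
    pool_attack = {f"r{i}": True for i in range(POOL_SIZE)}
    unstructured_disruption(pool_accident, hits, rng)
    structured_attack(pool_attack, hits)
    return delivered(pool_accident), delivered(pool_attack)


if __name__ == "__main__":
    for hits in (2, 4, 6):
        acc, att = compare(hits)
        print(f"{hits} hits: unstructured -> {acc}/{TOTAL_DEMAND} delivered, "
              f"structured -> {att}/{TOTAL_DEMAND} delivered")
```

With two hits both pools still carry the full demand, because the two spare routers absorb the loss. From four hits upwards the structured attacker always removes exactly as many live routers as it has hits, so delivered traffic drops to 600 and then 400 units, while the random disruption never does worse than that and usually does better, since some of its hits fall on routers already out of service. The resilience figure one would quote for natural disasters is therefore an upper bound that a directed attacker can always reach and never undershoots.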

1(d)  The events in Estonia led to a more public involvement by NATO in cyber-protection issues. Should the military be more involved in protecting the Internet?

  The Internet plays a critical role in supporting the internal market. It therefore seems appropriate that the internal market should be capable of providing the leading role in developing mechanisms for enabling the Internet to continue to function adequately almost all of the time. ENISA can play a significant role here by working together with Member States to identify weaknesses and recommending appropriate solutions.

  The military should only be involved in protecting the Internet under certain well-defined conditions. If attacks are assessed as of a military nature aimed at the security of European states or pan-European security, the military should obviously become involved. When military intervention is required, there should be a framework in place to ensure that military and commercial actors act in a coherent manner and collaborate towards a common goal. The delineation of ENISA's mandate to economic issues means, however, that we are unable to assess or comment on when such situations would be the case, nor how responses should be organised.

1(e)  How concerned should we be about criminally operated "botnets"? What evidence do we have that shows the scale of this problem, and the extent to which it can be tackled at the European level?

  Because ENISA's existing mandate confines our work to economic issues, we have not attempted to collect law enforcement data. However, criminally operated "botnets" can have significant impact on commercial entities and their economic performance. Though attacks are at the moment often one-off events, as indicated above, it is hard to get a good idea of what might be "out there" waiting to occur. Botnets are a consequence of poorly protected end-user equipment and thus must be taken as a serious challenge.

2.  INTERNATIONAL RESPONSES

2(a)  The Commission believes that a pan-European approach is needed to identify and designate European Critical Infrastructures, and that national responses will be fragmented and inefficient. Is this analysis correct? Would multi-national companies be especially in favour of multi-national policies?

  In the modern global economy, supply chains (or "webs") for the production and delivery of most goods and many services often stretch across different national boundaries and between companies of varying capabilities, size and geographical structure. While the final delivery of goods and services may be regulated on a national basis, functional operations may be geographically dispersed and outsourced in quite a complex layering of contractual relations. In a digital and online environment, this can be extreme.

  This aspect of modern economic activity can make identification of critical assets and infrastructures challenging. Organisations need to identify precisely the assets they have, assess their criticality to their performance as well as their vulnerability to threats, and what an attack would mean for the organisation in terms of financial, operational or reputational damage. This makes the question of governance for the protection of even traditional "critical infrastructures" such as telecommunications or finance difficult. For example, would the data processing operations of, say, a UK telecoms operator or bank that have been outsourced to a country in, say, central Europe be a critical asset and therefore part of the UK's critical national infrastructure? The answer would largely depend upon how important the function outsourced to the central European country is to the operational performance of the telco or bank.

  A national regulator, however, might not be able to assess that the necessary risk profiling had been done without a European-wide view of the market and of companies' operations within it. Such analysis is needed to ensure the protection of European-wide critical information infrastructures.

  Within this scenario, the question of whether multinational companies or other ones are more interested in European Critical Information Infrastructure Protection is not particularly germane. It might be that multi-national companies have more resources with which to risk profile their extended international supply chains than purely national or local ones do. But in a high value online environment, the multi-national might be a company of fewer than 50 people, traditionally an SME, that is perhaps too small to have the resources to make such an analysis. So the question is really one of who is best placed to do this: individual market entities, national regulators, or someone at an EU level? The answer is most probably some combination of all three.

2(b)  The Commission draws attention to the emergence of "public-private partnerships" as the reference model for governance issues relating to critical infrastructure protection. However, they see no such partnerships at the European level and wish to encourage them. Are the Commission correct in this aim?

  ENISA believes that PPPs are a useful instrument but should not be seen as a "silver bullet". Modern communications markets are quite de-centralised, with a mix of different entities providing networks and services. A simple command-and-control system of regulation is probably as hard to operate in network and information security as in any other issue to do with these markets. So obtaining the active and positive cooperation of key players is the most constructive approach: this consideration is the basis of the public-private partnership, and clearly has to be a central feature of public-private cooperation in one form or another.

  But a one-size-fits-all approach is probably not viable in any way. A mix of regulation and various cooperative/partnership developed frameworks and tools will probably be most effective in addressing threats that are becoming ever more sophisticated in their technological and physical structures.

2(c)  Are there indeed market failures occurring so that there is inadequate preparation for high impact, low probability events? And if so, how should they be addressed?

  The concept of market failure might be inappropriate to describe the adequacy of market responses to what is a fast changing and complex social and technological phenomenon. Or it might be that the concept is appropriate in some markets, such as for certain social groups and micro-enterprises, but not more generally. ENISA is committed to considering this question in its 2010 Work Programme.

2(d)  The Commission supports the European Information Sharing and Alert System (EISAS). Is it appropriate to develop this type of pan-European early warning and incident response capability?

  Yes. Early warning and incident response capabilities will, if organised and operated effectively, be of immense benefit to Europe's ability to assess and respond to cyber-attacks. As already suggested, the most appropriate overall response to the growing sophistication and targeting of attacks will consist of a variety of information sharing and incident response mechanisms. EISAS, like the WARPs in the UK, is designed to facilitate the development of information sharing and incident response arrangements amongst communities that are less close-knit than the CERTs at national level. Such schemes are actually established by national authorities, so the question of "appropriateness" should refer to the relative allocation of resources rather than to regulation. As EISAS is designed for citizens and SMEs, one of the most vulnerable groups in terms of risk assessment and awareness, a relative emphasis on its development would seem highly justifiable if combined with awareness raising campaigns. ENISA is working on identifying good practices in both.

2(e)  Are Government operated Computer Emergency Response Teams (CERTs) an appropriate mechanism for dealing with Internet incidents?

  They are one of the mechanisms. National and governmental CERTs are a critical part of Europe's necessary security architecture. It is essential that these do not work in isolation but maintain close working relationships with other organisations that deal with cyber incidents, such as those in the private sector, and with law enforcement agencies. Apart from their inherent value in protecting governmental or key national systems, in some of the newer EU Member States national and governmental CERTs can also play a key leadership role in establishing organisational disciplines and professional development that can then be adopted by other organisations.

  It should be noted, however, that there is currently no centralised body with a mandate for comprehensively coordinating the efforts of Member States to recover from a large scale cyber-attack. Within the current framework, such a recovery would depend on the ability of Member States to quickly establish and manage the appropriate bi-lateral contacts.

2(f)  Will the UK's existing approaches to this policy area be adversely affected by fitting in with a European-wide system—or will this lead to improvements?

  No. The UK, along with a limited number of other Member States, is considered a leader in this area, with developed practices that set benchmarks for others to adopt. So there is little chance that the UK will be adversely affected by developments elsewhere; on the contrary, as other countries develop information sharing and incident response capabilities for dealing with ever-changing threats, they will be able to share experiences that give the UK prior warning of what it may face and that may well prove useful in enhancing its own capabilities. In other words, though the UK currently has highly developed governance infrastructures, in a rapidly evolving threat environment the UK can only benefit from the development of greater European capabilities in information sharing and incident response.

2(g)  Is it sensible to develop European-centric approaches at all, or should there be much more emphasis on a worldwide approach? In particular, are US policies consistent with the proposed European approach to the problem?

  As the UK Government has emphasised in its evidence, the internet is a global phenomenon and does not recognise borders; this is something which should be reflected in any work which takes place to ensure availability of internet services. Having said that, it is important to recognise the reality that the United States is probably the leader in network and information security capabilities, the development of security capabilities and information sharing and incident response mechanisms.

  However, Europe is able to offer little by way of partnership to the US unless and until it has got its own act sorted out. An overly prescriptive European approach would be problematic; but, given the extensive commercial, technological and law enforcement cooperation that exists in organisations in this area, a Europe-alone approach is unlikely to develop and would almost certainly prove non-viable. As it is, Europe and the US cooperate closely within existing international organisations and initiatives, and ENISA is involved in many of these. ENISA also has extensive representation of leading US companies and professional representatives on the Permanent Stakeholders Group which advises the Executive Director on our Work Programme and strategic orientation; we also include such companies and professional representatives in the work of our expert groups.

3.  EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY (ENISA)

3(a)  The Commission sees a major role for ENISA in developing national CERTs, and in assessing the development and deployment of EISAS. Is ENISA an appropriate body for this work?

  ENISA has focused its efforts on supporting the development of CERTs in European Member States that are not as well-developed in this field as countries such as the UK, by brokering relations between potential partners. For instance, we worked with Hungary to provide expertise in the establishment of a national CERT in Bulgaria. It should be emphasised that these brokerage activities are always undertaken at the request of Member States and are not something imposed on them.

  As suggested above, ENISA's CERT work benefits directly from the leadership and experience of the UK, and the UK's WARP concept forms the fundamental basis of the EISAS model. The UK plays a leading role on our Management Board (through BIS), and has a large number of business and academic experts on our Permanent Stakeholders Group (PSG). The voluntaristic, partnership model of cooperation between public and private sector actors that lies at the heart of the UK approach is reflected, in fact, in ENISA's remit, which explicitly establishes the PSG as a formal part of our decision making apparatus and focuses on identifying and disseminating good practices. It would therefore be surprising if the UK did not see ENISA as an appropriate body for work on the development of CERTs and EISAS in Europe. The more telling question is what role ENISA should play in this developmental work.

3(b)  Is ENISA being effective in its role, or does it need reform?

  The Agency has faced challenges in establishing itself and identifying how to optimise the positive impact of its limited resources. But we have benefited greatly from the generous support provided by the Greek government and our hosts at the FORTH institute in Heraklion.

  It would have been inappropriate for the Agency to pretend to take a leadership role at an early stage of development. We have now become well established and mature enough as an organisation to assist in organising the discussions around the implementation of the Commission's programme and Member States' needs.

4.  TIMESCALES

4(a)  Most of the Commission's plans are to be put into practice by the end of 2010. Is this timescale realistic?

  Different parts of the Commission have various responsibilities for implementing their overall plans. ENISA is working extremely hard to meet the requirements necessary to fulfil the responsibilities it has in supporting the Commission. But we are unable to comment on this question overall.

December 2009



 

© Parliamentary copyright 2010