Protecting Europe against large-scale cyber-attacks - European Union Committee Contents


Examination of Witnesses (Questions 180 - 199)

WEDNESDAY 16 DECEMBER 2009

Dr Udo Helmbrecht and Dr Jeremy Beale

  Q180  Lord Richard: You have 27 Member States.

  Dr Helmbrecht: And three representatives from the Commission, so the Management Board has 30 members and the Management Board is responsible for approving the appointment of the Executive Director.

  Q181  Lord Richard: How often does it meet?

  Dr Helmbrecht: It meets two times a year as a whole body. The other formal structure is the Permanent Stakeholder Group, which is appointed by the Executive Director and has members from academia and universities, and from industry; and from the citizen point of view from the, let us say, associations or businesses from the Member States representing users. So these are the formal bodies; and in addition to these we have so-called National Liaison Officers. These are representatives of national governments who act as a single point of contact. In addition, when we are running our work programmes, we typically have experts for technical expertise; this is the basic structure. If you look at, for example, financial regulations, we have work package processes where ENISA makes proposals, which we discuss with the Permanent Stakeholder Group and the Management Board, and these proposals are then presented to the Management Board to discuss and approve; so this is the basis of our work. This means it is influenced by industry, private sector users, by governments, by the Member States, and by the Commission—and the results are also in the end presented to them; and for the annual account for the financial area I have to go to the European Parliament for them to "discharge", to use an accounting term.

  Q182  Lord Richard: You have national representatives in ENISA?

  Dr Helmbrecht: Yes.

  Q183  Lord Richard: Do you have ENISA representatives in the individual countries?

  Dr Helmbrecht: We do not have representatives of our own in countries; so this means that we with our Agency are located on Crete. For projects, for meetings we often go abroad; so this is something where the interaction is done on a project and working in them.

  Q184  Lord Richard: What I do not quite understand—and I would be grateful to hear the explanation—is who decides what you actually do?

  Dr Helmbrecht: It is a process. On the one hand it is the expertise of ENISA. The second step is that we discuss it with the community. This is on the one hand the Permanent Stakeholder Group, which has expertise of sectors of the private sector—such as the banking sector, the IT sector; the universities—so the representatives who say where the technology is going, for example. So this is a discussion when in the end topics and priorities are set and then because this is also discussed with the Management Board, it is then discussed with the Member States and with the Commission. So there is a picture where this whole group then says, "These are the topics we should address for the next years." Currently we have a three-year plan, so at the beginning of the year we discuss it for the next year and by this process we try to cover all interests, all aspects from the political level to the technical level.

  Dr Beale: If I may, there is a final formal written approval of the work programme and the budget by the Management Board. So there is a formal process of approval there.

  Q185  Lord Richard: That is only twice a year, is it not?

  Dr Helmbrecht: At the beginning of the year we start with the process; in March we have the first Management Board meeting and this is the first discussion. Then, mostly in the middle of the year, we have a discussion between the Management Board and the Permanent Stakeholder Group; then in October it is the final approval of the work package and the annual budget, and by this you have the process involving other people and the formal decision by the Management Board.

  Q186  Lord Richard: I am sure it is my fault and I am trying to not get entangled in bureaucratic spaghetti, if you follow me, because there are an awful lot of strands in this, but really what I would like to know is who takes the actual decision as to what the work is going to be? If something is happening rather more quickly than others you cannot let it emerge from a 12-month process?

  Dr Helmbrecht: Of course, as something which is my responsibility, I will say that there are certain topics I believe are important, from my experience and from my discussion with the Member States and with the industry. Of course I will try to put these issues on the table and then to discuss them and push them forward. On the other hand, if something comes up like a threat or something where we have to act in the short term, I am able in these circumstances to decide to remove resources and say that this project is done on a longer timescale and we have to do this; this is management through shifting resources. And if it affects something in detail I can always discuss it with the Chair of the Management Board and the whole Management Board. So, if it is in the short term, it is a direct communication with the Chairman and an ongoing discussion; it is a usual management way to set varying priorities.

  Q187  Lord Hannay of Chiswick: That is very helpful. So if I am right the stakeholder forum is purely advisory and has no decision-making or executive function. The Management Board, which has one representative from each Member State and three from the Commission, takes decisions but within the mandate that has been set for ENISA. How would you change that mandate? If you wished to make some really radical changes what would be the body that would change it? Secondly—and this is probably a bit more difficult really and it is not a question only to ENISA—are we not reaching a point where the management structures that involve representatives of 27 Member States and three representatives of the Commission are becoming hopelessly unwieldy? No university in this country is now allowed to have a council which is as big as that on the grounds that it is utterly ineffective when you get as big as that. I understand how the European Union has got where it has got to, but at some stage it is surely going to have to re-think these structures because they are going to become unworkable?

  Dr Helmbrecht: I will first answer the question about the mandate. It is not the task of ENISA to talk about the mandate; this is a political process and a political decision. This starts in the Commission, then as a Communication of the Commission you have the co-decision process between Council and Parliament, so this is the way the mandate can change. ENISA has a limited mandate until March 2012 and this discussion starts now and this will be starting officially in the next half year probably. So this is where there can be some informal discussion, of course, but the basic procedure is the way I have just told you.

  Q188  Lord Hannay of Chiswick: The Council of Ministers—which Council would it be that would take the decision?

  Dr Helmbrecht: Within the telecommunication working group?

  Q189  Lord Hannay of Chiswick: Yes.

  Dr Helmbrecht: If you talk about the Management Board of course it is a challenge if you have 30 people, but it is a question of how you do it in daily work. One way is that there is a close connection between the Executive Director and the Chairman; so this means that if something has to be discussed in the short term, it is no problem today to pick up the phone or to have an email or to have a discussion. Then what happens is that usually you have Member States who are interested in different topics—because the IT security level is very different in Europe—and you have other Member States who do not put so much effort into it, so in the end it usually turns out that there are some active groups and some who are just following what is the mainstream. My approach is to have discussions with the board members, get the interest of the Member States and if you do this over time you get an impression of where there is a compromise to be found or where there are some challenges to face. Then if you prepare—and I think this is important—a Management Board meeting with a tough agenda with information beforehand you can challenge this.

  Q190  Lord Hodgson of Astley Abbotts: I think you said that in October of each year you came to a conclusion of what will be next year's work programme. I do not have a record—I apologise if I missed it—of what is on your programme for 2010. What are your key tasks for 2010? Perhaps at the same time what are you looking at for 2011 and 2012 since you take a three years view?

  Dr Helmbrecht: If we look at 2010 we have in our work programme some tasks which I will mention in a second, which we started and will then finish, and we have some new work packages—we call it preparatory actions—which start next year. So, we have done a lot of work on the topic of network resilience. Due to the Commission Communication on Critical Infrastructure Protection—CIIP—we are also concentrating on the resilience framework within the CIIP. Then we have our support of the Member States building up CERTs; then we have our risk assessment in this area. So these are some main programmes we are running, which we will continue. And we start a new activity on identity and trust and this is to start in the next year. So these are the main topics.

  Q191  Baroness Billingham: I just wondered if you have any direct links at all with the Member States of the European Parliament or do you always work through other agencies?

  Dr Helmbrecht: If you talk about the European Parliament there is the so-called ITRE Committee. This is a Committee which on one hand has to approve the election of the Executive Director and on the other hand it is a committee where ENISA has a chance to present itself. I am accountable for the financial aspects to the European Parliament. On the other hand, it is on an ad hoc basis if there are any other engagements with the European Parliament.

  Q192  Chairman: How often does the Chairman of the Management Committee change?

  Dr Helmbrecht: I do not know this off the top of my head but currently it is Professor Posch from Austria and I think he has been doing it now for one and a half, two years and will do it until next year.

  Q193  Chairman: This Committee has had problems in the past with various European organisations where the chairmanship of the management committees changes much too quickly and the person doing it hardly gets a chance to get their feet under the table. Do you find that the Chairman of the Management Committee has enough time to really get to understand the problems?

  Dr Helmbrecht: I think in this case for ENISA currently we are very lucky because on the one hand the Chairman, Professor Posch, has done it for some time and does it also in this, let us say, transition phase with a new Director. Secondly, he is the Chief Information Officer of the Austrian Government so he knows his topic and this means that not only on a political level but also on a technical level there is an information exchange and because he is involved in a lot of other European topics I think for ENISA it provides for good communication with the Chairman.

  Q194  Baroness Garden of Frognal: You mentioned in a reply to an earlier question that you were looking to resilience and to critical national infrastructure and we understand from previous witnesses that those used to be off limits for ENISA. So has that change been successful, incorporating those into your work, or is it too early to tell?

  Dr Helmbrecht: The answer is basically yes. I think that the challenge for ENISA in the starting phase was that it was being built up in 2004; you had to recruit people and it takes some time to get familiar with the organisation before you can really work. I think this was a challenge also for the former Director. Then the question always is, if you look at the European level have you understood the interests of the Member States and also the limits of the Member States? Then if you look at the regulation it is something where you then have to look at what are the tasks and to put the tasks in to deliver. So if you look to the general discussion about critical infrastructure over the last years in Europe there have been some discussions in the past but on the European level it took some time really to be aware of how to put this into a co-operational level in the European Union. So when the European Commission then made this communication of CIIP ENISA was prepared to take up this task and we are lucky that it fits into our skills, our work packages that we can address, and that if we do something in this area we can be successful.

  Q195  Baroness Garden of Frognal: So it was not a policy decision as such; you are saying that it was a timing and administrative decision that you did not take it on initially but you then broadened your remit?

  Dr Helmbrecht: Yes. I would say that sometimes when you look at this discussion it is always a question of what is in the interests of the Member States and when do you pick this up on a European level.

  Dr Beale: If I may, I also think that it is a trust issue; that ENISA had reached the point where trust had been built with the member countries and the Commission. If I could just say from my past experience at the CBI when the discussions about setting up ENISA were going on we were concerned and we did not want a European agency getting involved in national security issues. That was appropriate for Member States; we did not think it was appropriate that at the European level the competence existed there. ENISA did not do that; it did not try getting into areas where it would not be helpful. So I think the fact that it was asked to take on this work in resilience was actually a compliment and showed that there was that trust, and I think that the results since then have shown that that trust was well-deserved. I hope I am not breaking a confidentiality issue but we were just at CPNI before we came here and they said that some of those materials generated by that work they were finding very useful. So, so far so good.

  Q196  Lord Harrison: I thought I would ask my own question first and go back, if I may, because I think we are touching on areas in this way. Good morning, gentlemen. I have read the written evidence that you have presented where you say that the clearest framework yet for enabling Europe to act in the case of major disruptions has been clarified, but you realise that the practical implementation of this framework has still to be identified and refined and that this area of good practice is where ENISA fits in and plays an active role. I am wondering whether you would like—and I know that you have already said, Dr Helmbrecht, that you resist commenting on the mandate that you presently have—to see ENISA tackling a wider range of issues and would you like to see a change of role perhaps involving more operational issues. It seems to me from both what you and Dr Beale have been saying that you are straining at the bit here; that there are opportunities and opportunities that whilst they may well be a matter of trust that you do not trespass into that area, nevertheless seem to be an open goal, as it were, for ENISA to become more involved, more active and to help the ultimate aims of yourselves and of what the European Union would want.

  Dr Helmbrecht: When we look at the current mandate of ENISA it was written and decided in 2003. So from this time on we have two basic developments; one is that we had the enlargement, so we now have the chance to involve new Member States and help them to improve IT security in general. The other thing that we have is the Lisbon Treaty since December now, which also gives some opportunity for the future. The basic point I want to make is that when we from the ENISA side look at IT security, it is first prevention—IT security is something that is needed in society today—and how can we put IT security into e-commerce, e-government and all that we are doing here. On the other hand, this is tied to the smooth working of the European market. So what I want to say is that when I look at this from ENISA's perspective, even with the current mandate there is enough to do. And to look at how can we improve IT security on the internet if we have electronic communication? We need a lot of awareness and education of how to be competitive in Europe with our IT industry or industry in general, looking to other areas like Asia or the United States. If you look from this industry, from the private/public sector, which affects our everyday life, this is something where we have—if we do it in the right way in the interpretation of the mandate—a lot of possibilities. It means that where we can have our priorities, we need to be sure they really add value for us before we start the discussion of how much to extend the mandate of ENISA, which in my view should be a long term discussion. Because, if you talk about operational things, it is sometimes a little bit of interpretation. For example, the department where most of our formal Work Programme activity is carried out now, we call an operational department, in contrast to where we do our administrative tasks. But if you talk about operational things like doing 24 hours, seven days a week, 365 days a year, running a CERT, then you will need some other resources, for example. So, what I mean by this is IT security is so big that I want to concentrate with our limited resources on the priority, on the European Common Market.

  Q197  Lord Harrison: There could come a time where you outgrow that original mandate and it could be useful by expanding that mandate, but at the moment you are curbed by resources. This area of good practice is where ENISA fits in and plays an active role—active in the sense of promoting what can be done—in promoting good practice, and then already you are beginning to change the mandate, are you not?

  Dr Helmbrecht: Yes. I see it currently as a situation where for me as a Director I wear two hats. One is that I am responsible for running this Agency and with these resources for the next year, doing the best for you all. On the other hand, of course, I am someone who wants to stimulate the discussion about the future of IT security in Europe with different aspects. To give you one example, a concrete example: currently we do not have a connection with law enforcement and I would not talk about ENISA being involved in law enforcement currently, so there is a clear red line. You had another question about NATO and it is also clear that ENISA is not involved in any NATO topics—there is a clear border. But if you, for example, look today at threats on the internet, you have different laws in different Member States and it is difficult if you have a botnet if somebody is abroad attacking some country in Europe, so we need in the future some improvement in international law and IT security. This is something where I would stimulate the discussion but for the moment I would keep ENISA out of this role to have a strict reduction to the mandate.

  Q198  Lord Harrison: Before I come to the NATO question perhaps I could ask Dr Beale, who laid great emphasis on his CBI perspective when he was there that trust was of the essence that ENISA did not outgrow its role. Are you at one with Dr Helmbrecht on this, that there may have to be change to reflect changing circumstances?

  Dr Beale: Yes, I think there will be and there are changes. One of the reasons why I certainly went to ENISA was because I felt that I had been working on these issues here in the UK but that a lot of the areas that needed to be addressed increasingly were at the European level; so that generated my interest and I felt that ENISA had an important role to play there. I should just say, though, that one of the things that I learned at the CBI—it is a similar thing that we are debating at ENISA—is just because there is a problem that needs to be addressed you should not try to be the ones to address all the aspects of it. It is a matter of learning to identify who the key partners are and to working with them. We had to do that at the CBI—there were many problems our members had and we had to identify who in our membership could make the difference and help them to work with others. In many cases that is what we are doing at ENISA. Dr Helmbrecht referred earlier to the way that there are certain leading Member countries. Part of my responsibility as Head of Stakeholder Relations is to identify who in the private sector—and which countries—have the lead, have the ideas, can help set the agenda and to work with them so that they can, rather than ENISA, try to do more of what is needed than we can be ourselves. The question about the mandate comes in where, in that architecture of all actors being active, should ENISA play a role—and I think that Dr Helmbrecht outlined the key issues of concern in terms of what that debate should be about.

  Q199  Lord Harrison: Dr Helmbrecht, you have partly answered the next question: do you liaise with NATO or indeed other military groups? Under the main question, do your plans involve the engagement and encouragement of defences against cyber warfare?

  Dr Helmbrecht: As I said, ENISA will not be involved in NATO topics. On the other hand I want to stress that with the problem or challenge of the internet you have the same technology and the same tools that you use in the private area and in the military area. This means that from my perspective there should be approaches in the Member States and if the Member States look from their national security at how they deal with things then they have to find solutions. Then of course there must be, for example, from a NATO level also some solution for this; but, as I said before, for ENISA we can deliver best practice and we can deliver information and if you read our reports where we discuss technology evolution, impact of technology and threat analysis, these things of course can be used by other stakeholders in other areas.



© Parliamentary copyright 2010