Protecting Europe against large-scale cyber-attacks - European Union Committee Contents


Examination of Witnesses (Questions 200 - 219)

WEDNESDAY 16 DECEMBER 2009

Dr Udo Helmbrecht and Dr Jeremy Beale

  Q200  Lord Hannay of Chiswick: Could I just follow that up. I understand and respect what you say about the red line and NATO but it is of course a self-imposed red line by the European Union and it does sound to me from your reply that it is a bit of an inhibition to have two organisations—the EU through ENISA and NATO—with a very big overlap in membership, and given that there is a similarity between cyber warfare manifestations originating from States and those originating from criminals or the private sector, that this red line in the longer term is a bit of an inhibition to the sort of co-operation that there ought to be between a European institution and NATO. Is that not something that Lisbon will help to address that can be reduced as a red line, or is it absolutely un-crossable and something that is going to govern your work for the foreseeable future?

  Dr Helmbrecht: I think we should look from the responsibility point of view. For example, if you talk about military threats you have national structures. Also, if you look for IT security you have a lot of Member States—let us just say the old Member States or big Member States—who have experience with this, which have agencies, and so you have established structures there. Also in other sectors you have found ways of how to work together with different sectors and government, private sector, military and so on. So if you put this on the European level the question is: what responsibility do you want to put into a European agency like ENISA? Of course I agree that if we now have the Lisbon Treaty it must be a political question—what do you want with such an agency—and we can also participate in this discussion from the technical input. But in the end it is a question of what do you want to have here and I think that if you look at other cases, for example at telecommunication, at internet service providers, if you talk about vendors producing IT products you are talking about a huge amount of area where as a daily business what we are doing is faced with, let us say, the classical threats of the internet like botnets, Trojan horses, phishing, getting money off other people—so a lot of things which in this area are not connected to what are NATO topics. Of course, on the other hand we have to have some kind of information exchange but this can be on another level which must not be something that you put in a mandate with responsibility. If you talk about responsibility and you talk about how to run the European Market, how to have things involved also as they do it with other sectors, then it is an approach where you can keep this line and say that this is national responsibility, this is European responsibility and this we put to ENISA.

  Q201  Chairman: Can I pursue the NATO side of this. I am sure you are aware that NATO is an organisation which is prepared to come to the aid of a stricken nation if they request it in the event of a major terrorist attack or a major natural disaster. Each year they have an exercise. I attended one some years ago in Croatia where they had a simulated hijack, a simulated biological attack, a simulated earthquake, a simulated major oil spill and a major transportation breakdown. They are having another one in September in Armenia. They have them each year and they are very well attended—not just military—particularly with civilian aid organisations and emergency services coming from countries right across the NATO alliance. I ought to know but I do not know whether they have ever had a simulated cyber attack, but I would be very surprised if they have not. For instance, they have had a simulated dirty bomb. I feel sure at some time they will have had or will have in the future a simulated cyber attack. Have you ever been approached or involved in taking part, even as observers, in those exercises; and, if not, do you think that it would be worthwhile if you were involved, even as observers, because there are quite a lot of observers, as I know very well.

  Dr Helmbrecht: The answer is we have not been invited or involved in NATO exercises and I think what you are discussing is different when you talk about something that is part of a mandate. If NATO invited ENISA to put their experience on the table, of course this would be no problem. If we discuss this topic we are also talking about exercises in the IT security community; so from the European Commission Communication it is intended, and it is now our work programme, that there should be an exercise in 2010, so what we are preparing is how to do this. But if you talk about exercises I know that the military community has a lot of expertise in how to do exercises, so we do not have to invent the wheel again. This means that of course you can have discussion, exchange information, exchange best practice and experience, but, on the other hand—and I think this is the question that you raised—if you talk about crisis management, if something happens, how to react, this is not something different from what we have to discuss for the future, and how do we want to deal with a civil crisis and military crisis in the future if a significant IT threat was involved. What I want to say is that there are a lot of topics which must be addressed. One is the ENISA mandate, one is our work, one is how to work together. You can use the connections in participating in conferences and exercises but we have to carefully distinguish what we are talking about at this level.

  Q202  Lord Dear: Gentlemen, last week when we were taking evidence a witness suggested that in his opinion you had failed to engage with the global security groups that are operated by the internet industry. I wonder whether you would agree with what he said and whether he was right in talking about the organisation way back in the past or even currently and whether you have any plans to extend your activity and your interface with the industry?

  Dr Helmbrecht: I can understand this remark because, as I said, ENISA was building up connections and, like Jeremy said, building up trust and building up this community, so what we want to improve in the future is the following. On the one hand we have the so-called Permanent Stakeholder Group; we have members coming out of Europe, so this means that we have on an expert level built up in this community. You have other organisations like the OECD or ICANN for the internet. So this means that we are starting to have a dialogue with them and this means that step by step we will improve this global network. What is also something positive for us is that we get invitations or questions from organisations from abroad, for example from Asia or even other countries, asking us if we could give a presentation of this or that, so we get invitations. This is something that will evolve in the future as ENISA works on these topics and extends its network. Does that answer your question?

  Q203  Lord Dear: I am grateful to you for that but in my experience the internet itself is a very fast expanding entity and the industry that supports it has to be very fast as well—one drives the other. So we are talking about something which is changing almost on a daily basis and I wonder whether you are able to work up to a speed where you can interface at the same sort of speed or whether you are constantly, as I understand from your last answer, trying to catch up to something which is disappearing further and further into the distance?

  Dr Helmbrecht: My aim is to overtake them. My approach is if you look at the current situation, for example let us take the CERT community, we had to face, as Jeremy said, building up trust so that we are accepted by European organisations like the Trans-European Research and Educational Network Association's CERT Task Force (a part of the FIRST global association) and others, so by being part of this community; and then immediately you have contacts to Asia, the United States and so on, so this is something which spreads out. Of course, on the other hand—and this is what is important for us—to be in contact with the research community and the industry community, so that, for example, I am now able to select a new PSG because it is just in a phase of changing and I am looking for people and I have a lot of applicants who are coming from industry—let us say, for example, companies like Nokia and France Telecom or British companies. So, other companies are participating here and we also have American IT companies with subsidiaries in Europe and this means that my aim is to have a close connection to them so that you can have by this an immediate response—what other technologies are taking place and what threats are coming up. This is something that starts working and so if you have these connections you are aware of their company strategies and what they are doing and thinking and what is changing.

  Q204  Lord Dear: You have talked a lot about trust in your evidence so far and I appreciate that because it is the bedrock to most human relationships and organisational relationships, but as I understood you before—and you must correct me if I have got hold of the wrong end of that stick—the trust I thought you were describing was between Member States within the EU. But I think what you are now talking about is building up trust with the security industry itself and I am surprised to hear you say that because I would have thought that they would have welcomed involvement by an organisation such as your own, representing the whole of Europe, to help them to deal with something which is a burgeoning problem. Am I not seeing the same scenario as you?

  Dr Helmbrecht: Yes, but there are maybe two different approaches to what is happening and on two different levels. One is, which Jeremy addressed, that if you talk with Member States about critical infrastructure the question is what is in the interests of a Member State to have under its own responsibility and what to put on a European level? So in this discussion if you have ENISA then you have two levels: one is you have the organisational trust and do you trust that ENISA keeps information confidential and how do you share it? And the other is personal trust. If you talk about CERT topics it is a lot about personal trust, you know each other and to share information. On the other hand, if you then go to industry we did not really until now establish a public/private partnership model. So what we do currently is have projects and have experts and discuss it with them. But the question is, for example, what I want to do—I start it next year—that if we talk about the internet we have to have close co-operation with the telecom providers, with ISPs, to have also some kind of early warning system, technology and other things. So it is not that the industry comes and says, "Hi, there; it is ENISA," it is something where you have to talk to them because the question is what is the added value from a European perspective for a global acting company. This is something where we are having some discussion and also to have this trust by the industry that they have an added value if we work together with them.

  Dr Beale: If I could just add to that and, again, if I can draw from my experience at the CBI? There are a lot of agendas out there in the industry side and there is a difference between suppliers and users and between the different communities of suppliers and what they are supplying, and I think the value added that ENISA would bring will be to be smart about its agenda and to identify which interests again can work best together and this is particularly pertinent in those public/private partnerships—or models of co-operation is maybe a better term because sometimes PPPs can be a specific legal form. The task is about identifying what the agendas are that are going to bring the actors in so that ENISA is not seen, for instance, as just representing the interests of network operators or software suppliers or business users but a forward-looking agenda which helps each of those entities or those sectors and others move forward on an information security agenda for Europe. That is where we are still, as Dr Helmbrecht has said, engaged in defining the terms in that debate and that is a maturity aspect of our development. We are still a young Agency but I think that the new Permanent Stakeholders Group will be very, very helpful to us in refining that agenda along with the advice from the Member States because the Member States will of course get that lobbying from the industry too.

  Q205  Lord Dear: In about a year or two years' time do you think that your organisation will be able to work at the same speed as the internet industry?

  Dr Beale: My personal experience from the two months that Dr Helmbrecht has been with ENISA is that we might have overtaken aspects of them too. He is working us very hard!

  Dr Helmbrecht: I did not tell him to say that!

  Lord Hannay of Chiswick: Could we look at the issue of CERTs now?

  Chairman: Just for the record, Computer Emergency Response Teams.

  Q206  Lord Hannay of Chiswick: It is like the Today programme! The Commission's Communication puts a lot of emphasis on the desirability of setting up national CERTs which would cover more than simply public sector infrastructure. That in a way is slightly different from the approach that is being followed in this country, as you know, where we have industry-specific, sector-specific and company-specific CERTs. You are presumably doing a lot of work on this; do you regard those two approaches as being mutually inconsistent or do you think that in some countries, perhaps smaller Member States or Member States with a less mature internet industry, a national CERT makes more sense but that in others the sort of approach in the UK makes more sense? Could you perhaps give us some thoughts on that?

  Dr Helmbrecht: I think both approaches in the end match together because, as you said, you have small Member States who do not have any CERTs and the question then is how to build it up, and because you have from ENISA's side this connection to the Member States, to the Management Board and other people, you can then build up governmental and national CERTs. But I would also appreciate in support if such Member States would then have academic CERTs and so on. I think it has been shown in the past that sector-specific CERTs work very well because they understand the business. It is different if you have an academic part where you have a lot of students and teachers or if you have an insurance company or a stock brokerage where you need seconds of reactions and you need other procedures of CERT interaction. So if you have sector-specific CERTs and if they interact, as I said, on this trusted communication you can improve it. So my approach, wherever we have a structure like the well-defined and working structure in the UK, is to take this as best practice and to use it and interconnect it and support the interconnection and support smaller or new Member States to go this way; and in the end if we have CERTs—and this would be my vision—in every sector or every Member State in a trusted communication then we have really improved something.

  Q207  Lord Hannay of Chiswick: If I were to take that a little further, setting up a national CERT in a small Member State that does not have a very mature internet industry might be the obvious first step but it would not preclude them subsequently having sector-specific or company-specific CERTs as they became more sophisticated and as their involvement built up?

  Dr Helmbrecht: Yes.

  Q208  Lord Mackenzie of Framwellgate: Good morning, gentlemen. Lord Jopling mentioned earlier about simulated cyber attacks and of course a lot of your tasks emanate from EU Communications and large-scale cyber attacks. On the question of resources, do you think you have sufficient resources to do this work and do you expect to deliver on time?

  Dr Helmbrecht: For every agency there are never enough resources. The question is if you take the topics and you take the resources how to set priorities. So it is very important to discuss these things, in our case with the Management Board and the responsible stakeholders, as to what priorities we want to put into our work programme. I can say that for 2009 we delivered all on time. Of course, we have a tough work programme for 2010 and, as was mentioned before, if something comes up it is always a management challenge then to move resources. I think if you connect it to our current situation for 2010 and 2011 this is what we can foresee, by setting the priorities and discussing this. From the Member State perspective you know what we can do and this is where we can also say that with our resources we can reach these goals. What I currently do is to optimise the processes within the Agency and to get resources from the administrative area module and operational area, but in the end it will be discussion. As I mentioned before, if you talk about this new process of the mandate it is then your decision of how much resources you give ENISA because I am well aware that in the end it is the citizens who pay taxes.

  Q209  Lord Mackenzie of Framwellgate: Just to follow that up, you mentioned that it was a management challenge to move resources around but if there was a surge of demand, for whatever reason, do you have the mechanism for actually increasing resources, even on the short term?

  Dr Helmbrecht: It is limited of course but we have a part of our budget which we have for projects and which we can use for contract agents.

  Q210  Lord Mackenzie of Framwellgate: Like a contingency fund of some kind.

  Dr Helmbrecht: It is not in this way that there is some reserve in the Agency but it would depend on the stage of the year. If it is in the early stage of the year I can always decide and say that if there is something really urgent we can do this in this way. On the other hand, if it is at a later stage of the year I would go another way and say is there some support of some Member State or some company with resources, because also in this community sometimes it may be an advantage for somebody in the private sector where you can say, "Could you also help us on this topic?" So there may be ways out if it really gets very critical.

  Q211  Lord Hodgson of Astley Abbotts: You are looking at the challenges of a virtual industry—a virtual and fast moving industry, as Lord Dear reminds us. I note that in your evidence you said some very nice words about the Greek Government's generosity in the facilities in Heraklion. Could you say something about the challenges that you have in recruiting people (a) who can be at the leading edge of the developments which were the subject of Lord Dear's question; and (b) whether the fact that it is based in Crete assists or detracts from that ability to recruit?

  Dr Helmbrecht: It is not a black and white question, of course. If you decide that European agencies are spread around Europe then it is the responsibility of the Member States to define the seat and I appreciate all that the Greek authorities do in this regard. But, of course, there are some challenges. Most of the burden is taken by the employees because it means travelling for them and travelling always means for a mission here because you can never do it on one day. On the other hand it is currently a difficult situation for families with children because you do not have a well established European School in Heraklion, so if you have parents with children from the ages of, say, 12 to 18 it is nearly impossible currently. This means for some employees the family situation is difficult, but this does not mean that it is difficult in general because we get a lot of applications for vacancy notices—although it is not really spread around Europe on the whole. We get a lot of skills from the public and private sector, so it is not a problem if we have a vacancy notice to get somebody there. But in the end you get, as I said before, a limited social mix in such an agency.

  Q212  Lord Hannay of Chiswick: Could you elaborate slightly on this? When you advertise your vacant posts are you getting the same sort of uptake that you would expect if you were, let us say, in Frankfurt or London or somewhere like that? Or are you really being inhibited by the fact of the geographical situation of the Agency? Are you achieving the retention period that you need if you are to have professional people who understand their jobs really well, or is the fact that the Agency is situated in a place where it is quite difficult to get to and from and that there is not a European School, and so on, is causing problems both of retention and of recruitment? It would be helpful to have an idea as to that. What we were struck by when we looked at the origins of ENISA was that it was rather odd that Greece was allocated ENISA but was then left to choose whereabouts in Greece it should put ENISA. The normal practice, from my own experience, is that the bid of a country for an agency like this should be accompanied by a proper analysis of the place that they were offering to put it and its ability to help on these things like recruitment and retention.

  Dr Helmbrecht: If you discuss this topic there are always some points of advantages and disadvantages and in a second I can give you an advantage of the location. The basic point I want to make is that this is not only a question that challenges ENISA, it challenges also some other European agencies, but in the end if you put this Agency somewhere else in Europe you would always have travelling and you would have this discussion. So if you go deeper into this discussion it becomes difficult because in the end you would say that every agency should be in Brussels and maybe this solution could also be questioned. So from the principal approach it has some different aspects. You have an advantage if you look at Heraklion that you have a big university campus; you have a research institute called FORTH, which is working on computer science and intelligence and other things, so this is something, from a technology point of view when you are looking where is the technology going, something which is an advantage for ENISA. The other thing is of course that if you look in the end—and this has to be discussed honestly—at somebody who has worked in London and then goes to Heraklion and he is in the situation that he has two children and a wife then it becomes a problem if the wife does not get a job there immediately because of the situation. The point I want to make is that we get staff—that is not a problem; we get enough applicants for vacancy notices that we can choose high quality; we get it from government and we get it from industry, so this is not the problem. But, in the end, if somebody says, "I want to have this one in this family situation" then it is not possible because they will not come.

  Dr Beale: If I may add something here? It is also in many senses the agenda that an organisation has that attracts people. They will put up with lots of things if it is an exciting, dynamic, important place to work. I think it is over the last 18 months that three British people have joined ENISA to work there where previously there were none; and there is a reason for that. As I mentioned for myself, it was because I felt that a lot of the issues were becoming important and—and he is too modest to say—that Dr Helmbrecht, who was President of the German BSI before, has also come to work there. There is no inherent barrier where ENISA is to attracting high-calibre candidates, if I could be so bold as to put myself under that umbrella. The key thing becomes about how you work and what you do—and that is really the focus of our efforts: it is now on improving our interaction with our stakeholders and being more at the centre of the debate. We have also opened a branch office in Athens with the support of the Greek Government so that we can hold meetings there that will make it easier for the people we interact with to come and participate and, as Dr Helmbrecht mentioned earlier I do believe, we also hold meetings in Brussels, in Vienna, in Madrid, in Paris and we have held one in London too. So we can be flexible and I think that is the more important thing—not getting trapped as a result of where we are.

  Q213  Lord Hodgson of Astley Abbotts: I heard you say that of course it is people with young families where the major problem is. In my experience this is a young person's industry and it is young people, people who will have families who are going to be leading the charge on taking the industry forward; they are the people who have the mental agility and the intellect. So it does seem to me that there is quite a disadvantage if young people with families do not want to go to Heraklion for the reasons that you have identified. Could you just confirm that all the 65 of your staff are based in Heraklion? And it would really help me greatly if you could tell me how many nights the two of you spend in Crete each year?

  Dr Helmbrecht: I can give you the figures, of course, but not in detail. I can give you an approximation. I can say that for young families, if it is kindergarten and the first years at school it is possible; so now it is an evaluation to say that if you have parents aged up to 35/40 years it is not a problem if the wife does not work. But then it becomes a problem if the parents are between 40 and 50 years old because then you have this family situation which makes it difficult. On the other hand, all staff live on Crete because it is a condition, if you sign your contract, that you move there. Of course you can fly back and forth when you want. What happens in some cases is that the man or the wife who works for the Agency lives on Crete and the family does not live on Crete—we have some examples of this—because of the situation, and this then makes it difficult for those parents who are let us say 45 years old. But if you want to have the figures I can give them to you in detail.

  Q214  Lord Dear: Gentlemen, this is more of a statement I suppose rather than a question. I remain uncertain of the validity of what you have told us, from my perspective. Let me tell you where I am coming from. I think if we were looking into some deep-rooted problem in the motor industry we would be surprised to find if any EU Commission set up to deal with that was not located in the Ruhr or in Turin or some other centre of motor manufacturing. Similarly, this is a global problem and if it is being approached in a global way I think we would be surprised not to find the international organisation located in Silicon Valley in California or in Cambridge, UK. I speak as the Chairman of a high-tech company, which is located in Guildford, and much as it would cost us money to relocate we are seriously thinking of relocating to Cambridge because that is where the centre of excellence is for high-tech in this country, and that is quite a short move. I am surprised—and this is what I want to put on record—that we are talking about something which is as fast moving and internationalised as the cyber problem and the location that you have has been chosen in the way that it has. I would have thought that there must be a great difficulty—although you tell us that there is not—in attracting and relating on a daily basis face-to-face with the sort of people who are up to speed with the problems, and how that can be done from the fringes of the EU with no huge tradition of dealing with these sorts of problems still defeats me. That is more of a statement than anything but I wonder if you would like to respond to it.

  Dr Helmbrecht: One remark to this is what we can improve in the future using the technology really in a daily way in which we are dealing with internet security. For example, if you have a video conference system, if you have some kind of tailored working this may reduce some of the difficulties in the future. On the other hand, if you are looking to the industry it is an industry where you have, at least in Europe, too much dependency on plant locations. Of course, I follow your argument that if you look around Europe where do you have the IT industry but this means in the end that it is more of a community that we are dealing with, to say "Where do we meet?" So for us it is more an issue of saying we have this community of experts, of working programmes and we come together with the Management Board, with the PSG and we are doing our projects and we are running our exercises and we are doing this, as Jeremy said, in different countries of Europe—wherever is most appropriate for that body or project. So we meet this challenge today by saying that we look to have the right place for where we are working together at any one time or on any one issue in the Community. The other thing is what we have talked about before—the location for the staff. So it is more a challenge for the staff and not for the everyday working for the future.

  Q215  Chairman: I want to move a shift on this question, from those who work for the Agency to those who have to visit it. From which European hubs can you fly to Crete, apart from Athens? I am asking where are the direct flights to Crete from European hubs, capitals if you like, besides Athens.

  Dr Helmbrecht: From most European main cities you have direct flights to Greece, to Thessaloniki and Athens. In the summer you have flights to Heraklion. This is during the tourist season from about March/April to October, so you can have direct flights by the different companies which bring tourists to the island.

  Q216  Chairman: Most of those will be charter flights, will they not?

  Dr Helmbrecht: Yes, most of them are of course charter flights.

  Q217  Chairman: Do I take it from your answer that it is only really from Athens that there are regular direct flights?

  Dr Helmbrecht: Yes.

  Q218  Chairman: How many flights a day are there into Crete to and from Athens?

  Dr Helmbrecht: I do not know but I can give you a typical example. When we go back to Heraklion in a typical way we leave London in late evening, have a flight to Athens and stay overnight at Athens Airport and take the first flight on Thursday morning. So that is the typical way that you go from Brussels, Frankfurt, Paris or whatever in the evening and have an overnight stay. On the other hand if it is a question that you have a meeting early in the morning then it is the same the other way round; or if you have a late morning meeting sometimes you can take the first flight from Heraklion and then be here another time. So it depends a little bit on the time schedule but let us say for a one-day meeting you need to spend two nights.

  Q219  Chairman: My question was how many flights a day are there regularly between Athens and Crete?

  Dr Beale: I do not know the exact number but there are numerous flights during the day from which one can select to go either to or from Heraklion to Athens or back.

  Dr Helmbrecht: For this afternoon there are three flights to Athens from London, for example.



© Parliamentary copyright 2010