CHAPTER 5: Cyber-security
115. Cyber-security is an issue of increasing
concern to governments, businesses and individuals. The Government
published the first Cyber Security Strategy for the United Kingdom
in 2009, and in
the 2010 revision of the National Security Strategy (NSS) "hostile
attacks upon UK cyber space by other states and large scale cyber
crime" were raised to a Tier One priority risk, second only
to international terrorism.
Professor Joseph Nye has categorised cyber attacks into four
categories: (i) cybercrime; (ii) cyber espionage; (iii) cyber
terrorism; and (iv) cyber warfare between States.
We regard this as a useful distinction.
116. The Communication has as its third objective
the "rais[ing of] levels of security in cyberspace"
and the actions proposed bear primarily upon the first of Professor Nye's
categories, though there are proposals also to improve capability
for dealing with and responding to cyber attacks from any source.
A recent report for the United Kingdom Office of Cyber Security
and Information Assurance (OCSIA) estimated the cost of cybercrime
to the United Kingdom on the most likely scenario to be £27
billion per annum.
The Director of Europol noted that within the EU over the previous
year "approximately €100 billion of VAT fraud was committed
by enterprising criminals on line, and that is just one aspect
of it". "It [cybercrime] is a very good example of a
transnational problem without a natural home."
117. All of our witnesses thought it right that
the EU should pay greater attention to cyber threats. We agree,
and are glad to see the emphasis placed on cyber-security in the
118. The Commission had already published in
April 2009 a Communication to the Council giving its views as
to how the Member States might through the EU strengthen the security
and resilience of their critical information infrastructures (CIIs)
and develop their defences against cyber-attacks.
This was the subject of an earlier inquiry of this Committee which
led to our report Protecting Europe against large-scale cyber-attacks.
In that report we gave the attacks on Estonia in April and
May 2007 as well-known examples of the way even relatively minor
attacks can cripple the infrastructure of a State which is ill-prepared
for them. Since then Stuxnet has provided a further example of
the use of hostile cyber-attack.
Stuxnet is a computer virus, first reported in June
2010, which is widely thought to have been designed by a major
Western power, possibly together with Israel, specifically to
disable, and possibly destroy, centrifuges at an Iranian uranium
enrichment plant by greatly increasing their speed while disguising
the fact that this was happening. President Ahmadinejad acknowledged
at a news conference that "they succeeded in creating problems
for a limited number of our centrifuges with the software they
had installed in electronic parts."
119. A more recent example, closer to home, shows
the inadequacy of security measures in some Member States, and
how this can be an invitation to cybercrime on a grand scale.
The EU Emissions Trading System (ETS) is the largest carbon-trading
scheme in the world with a turnover of more than €90bn in
2010. It is dealt with by the 30 national registries of the EEA
States. After a number of security breaches in previous months
in Austria, Greece, Poland and Estonia, a major cyber-attack on
the Czech registry on 18 January 2011 led to the loss of some
€30m worth of carbon allowances. The following day the Commission
suspended transactions at all national registries until they could
provide proof of adequate security measures. The United Kingdom
was among the first five States allowed to resume operations on
4 February 2011. But it was only on 20 April 2011, more than three
months after the attack, that security in the last five States
was thought adequate for them to be allowed to resume trading.
120. In 2012 the EU is to open its own registry
for emissions trading, taking over from the national registries.
This is likely to be a potential target for cyber-criminals, and
it surprises us that, as Sir Richard Mottram told us, the
EU does not seem to have realised that it is itself an attractive
target, and that it should focus more on the security of its own
Thompson, the Director of the Office of Cyber Security and Information
Assurance (OCSIA), stressed that EU institutions were not immune;
that the EU could eliminate some of the weaknesses in its system
by reducing the number of portals it operates; and that whoever
had responsibility for the EU ETS had to take responsibility for
its IT security. This, he said, was a matter of "basic computer
121. When we took evidence from the European
External Action Service (EEAS) Mr Lars-Gunnar Wigemark, the
Head of Security Policy at the Directorate-General for External
Relations at the Commission (DG RELEX, the precursor of the EEAS),
emphasised the importance of cyber-security which, he said, was
much broader than cybercrime and involved national security interests.
He thought that Member States had been reluctant to develop common
positions, but he did not mention the security of the EU institutions.
He might have done so if he had known that DG RELEX and the EEAS
would on 23 March 2011 be hit by a major cyber-attack which forced
them to shut down external access to emails and the institutions'
intranet, and required all staff to change their passwords. This
was followed by an attack on the European Parliament the next
day which was still continuing a week later.
122. We congratulate the Government on the
priority they give to cyber-security in the United Kingdom National
Security Strategy. But there is no room for complacency. All Member
States, individually and collectively, must devote greater resources
and urgency to meeting this challenge, given that their overall
security is only as strong as the weakest link.
123. The EU institutions should take the lead
by ensuring the security of their own networks and agencies. They
are a natural target for malicious and criminal attack; weaknesses
have been and will be exploited. They must take responsibility
for their own cyber-security; it is in the interests of the United
Kingdom to help them to do so.
The role of the EU
124. A number of our witnesses gave their views
about the challenges of creating greater security in cyber space.
Dr Cornish thought that cyberspace was a largely unregulated
no-man's land in which a criminal could work with relative impunity.
Mr Thompson talked of the "scale, pace and complexity
of the cyber-security challenge", creating what he called
a policy lag.
He also emphasised the importance of connecting with the private
sector; in our
earlier report we too stressed the need for a close working relationship
between Governments and the private sector.
125. In that report we also stressed that cyber-security
is a global matter to combat a global problem, and that the EU
had an important role to play in coordinating the parts played
by the Member States.
Symantec, a worldwide leader in internet security, wrote: "It
is important to remember however that different Member States
will be at different stages of understanding, and perhaps experience,
of cyber related threats. The ISS can therefore play an important
role in creating a common European understanding and recognition
of the threat from cyber criminals who are increasingly organised,
coordinated and targeted in their operations
The danger of a fragmented response by Member States with different
legal regimes, different offences and different prosecution systems
was explained by CEPS, which gave the Wikileaks affair as an example
of the problems raised.
126. We strongly welcome the emphasis on cyber-security
in the Communication and believe that this is an urgent and fast
evolving challenge in which the EU can play an important part
in raising standards and awareness in the Member States.
127. The Commission had already proposed, in
September 2010, a Cybercrime Directive to replace and bring up
to date the 2005 Framework Decision on attacks against information
systems. We recommended
that the United Kingdom should opt in to this proposal, and the
Minister wrote to say that the Government had done so.
We welcome this.
The Budapest Convention
128. The Council of Europe has also had a role
to play. It is now nearly 10 years since the first international
treaty on crimes committed via the internet and other computer
networks was signed at Budapest, on 23 November 2001. Its main
objective is to pursue a common policy aimed at the protection
of society against cybercrime, especially by adopting appropriate
legislation and fostering international co-operation. It deals
in particular with infringements of copyright, computer-related
fraud, child pornography and violations of network security. It
also contains a series of powers and procedures such as the search
of computer networks and interception.
129. The Budapest Convention entered into force
on 1 July 2004, but not for the United Kingdom. Nearly 10 years
after the Convention was opened for signature the United Kingdom
has still not ratified it. It is in force in every other major
Member State except Poland, and in most smaller States. The minister
conceded that this "portrayed an indication, maybe wrongly,
that this country was not serious on this", and he assured
us that ratification would be "this year
we are literally
in the final stages of dotting the i's and crossing the t's in
relation to ratification".
130. In a speech to the Munich Security Conference
on 4 February 2011 the Foreign Secretary, the Rt Hon William Hague MP,
said: "We have a major opportunity to promote the Budapest
Convention on Cyber Crime, which the UK will look to do when we
chair the Council of Europe from November." If the United
Kingdom is to promote the Convention, we hope that it will have
deposited its instrument of ratification no later than the end
of July, since the Convention will not otherwise be in force for
the United Kingdom when it assumes the Chairmanship.
131. We welcome the Government's commitment
that the United Kingdom will ratify the Budapest Convention before
the end of this year.
132. The Commission's first and most significant
proposal for action under this chapter is to establish a Cybercrime
The Cybercrime Centre
By 2013, the EU will establish, within existing structures,
a cybercrime centre, through which Member States and EU institutions
will be able to build operational and analytical capacity for
investigations and cooperation with international partners. The
centre will improve evaluation and monitoring of existing preventive
and investigative measures, support the development of training
and awareness-raising for law enforcement and judiciary, establish
cooperation with the European Network and Information Security
Agency (ENISA) and interface with a network of national/governmental
Computer Emergency Response Teams (CERTs). The cybercrime centre
should become the focal point in Europe's fight against cybercrime.
133. It is a matter for some regret that we received
more evidence about where this Cybercrime Centre should be located
than about whether it would be useful to set up such a body in
the first place. However, Dr Cornish had reservations: "
the problem of cyber-security is still too young and too indistinct
to be absolutely confident that what is needed right now or by
2012 is a cyber-crime Centre run within the European Union".
The Government in its written evidence did not favour setting
up such a centre, pointing out that "
is at variance with the ISS in suggesting the establishment of
new EU structures and capacities for tackling cyber crime, including
the development of an EU cyber crime centre. We believe that any
action to tackle cyber crime arising out of the Commission's Communication
should be undertaken within existing structures
134. Symantec, while welcoming "in theory"
the setting up of a Cybercrime Centre, thought it was not clear
what role the Centre would in fact play; there should be further
discussion on the aims and objectives of the Centre, and how its
work might be structured. These discussions should include an
input from industry: "public private partnerships have been
shown around the world to play a key tool to addressing cyber-security
issues and should be integral to the development of any cybercrime
centre for Europe". Dr Cornish
thought that, if such a Centre were set up, he would also like
it "to focus very hard on the problem of cyber forensics
and cyber attribution".
JANET(UK), while welcoming the idea of a complementary body to
gather and promote good practice in dealing with cybercrime, doubted
that it should have a direct operational role, since this "would
at best add an additional layer of organisational complexity and
at worst disrupt existing bi- and multi-lateral working relationships
between national cybercrime centres."
135. Most of our other witnesses favoured setting
up a Centre with the functions envisaged by the Commission, but
thought it should be additional to and not in place of national
capacity. Mr Thompson stressed that no Centre or agency could
compensate for weak national capacity; the United Kingdom was
looked at as one of the stronger European countries, but its own
capacity was still weak. He did not think that creating an agency
and expecting it to fix the problem was "quite aligned to
the reality of where we are now".
136. The Commission Communication did not say
expressly where the Centre should be located, but if it is to
be "within existing structures" only two already existing
bodies are possible: Europol or ENISA, the European Network and
Information Security Agency. Since the Commission envisages that
the new Centre should "establish cooperation with ENISA"
it seems that it must envisage a Centre located within Europol.
This was confirmed by Commissioner Malmström: "The Cybercrime
Centre would, as I see it, be set up at Europol and build on what
already exists in Europol. I am not talking of having a new big
agency but of pooling a few resources there, working closely with
Member States. Europol already has some capacity and some knowledge
on this and it will be natural to build on that and not create
if we want to focus on the crime issue, it
would be more natural to put it under Europol."
137. None of our witnesses, not even ENISA in
its written evidence, suggested that ENISA would be an appropriate
location for the Centre, and nor would we. Even if cybercrime
fitted with ENISA's current task of promoting cooperation and
best practice in the field of cyber-security, we would not recommend
giving these duties to an agency located in Heraklion. In our
earlier report we pointed to the many problems caused by the location
of an EU agency in Crete,
and we are not alone in this view.
138. We remain concerned about the dispersal
of EU agencies working in the field of cyber-security and cybercrime,
most recently exacerbated by the decision that the new agency
to manage the large-scale EU IT systems
should be shared between Strasbourg, where the infrastructure
remains, and Tallinn, where the management will be.
We received no evidence suggesting that the Cybercrime Centre
should be a new free-standing agency; all witnesses thought, like
the Commissioner, that Europol would be the appropriate location.
The most enthusiastic, perhaps not surprisingly, was Europol itself.
In its written evidence it stated: "Taking into account Europol's
experience in fighting cybercrime and the unique technical and
analytical expertise built in this field, as well as the fact
that the centre is supposed to facilitate operational cooperation,
the Agency [i.e. Europol] could play a primary role
in the establishment of the future entity. Dispersion of investigative
and analytical capacities in the fight against cybercrime should
be avoided in order to safeguard the necessary coordination and
139. In his oral evidence Mr Wainwright
was equally emphatic: "We have forensic experts at Europol
who can improve the capacity for domestic law enforcement to investigate
cybercrime offences. As a package, although rather small-scale
at the moment because of our resource limitations, it already
holds a key to the future elaboration of the EU cybercrime centre
and that is the model that we would like to take forward
Finally, in a document dated 21 December 2010 addressed to the
Commission but shown to the Committee, Europol put in what was
in effect a formal bid for the Cybercrime Centre to be hosted
140. The Minister, while not expressly supporting
the creation of a Cybercrime Centre, told us that if such a Centre
were set up, Europol would be the right place for it. He added:
"I do not think there is any reason to question that Europol
would have the skills and capabilities to develop a centre. The
High Tech Crime Centre has been housed in Europol since I think
around 2002, and provides valuable experience in this area that
can be drawn upon. So I think in that sense it is the obvious
place to put this."
141. Cooperation between the new centre and ENISA
is envisaged by the Commission in its Communication, and the Commissioner
said: "We also want to enlarge the competences of ENISA".
Negotiations are currently taking place on a Regulation increasing
the scope of ENISA's activities.
Our witnesses agreed that such a centre should work alongside
ENISA, and Peter Storr supported the extension of ENISA's role
to include law enforcement cooperation on cybercrime issues.
142. In October 2010 the Government announced:
"The National Cyber Security Programme will be supported
by £650 million of new investment over the next four years".
This commitment, which was welcomed on all sides, seems to us
to be an express acknowledgement by the Government that, even
in times of financial austerity, cyber threats cannot be combated
without additional resources. Yet the Government told us in their
written evidence that they believed that any action to tackle
cyber crime arising out of the Commission's Communication, including
the creation of a Cybercrime Centre, should be undertaken not
only within existing structures, but also within existing budgets.
The Director of Europol told us that some additional resources
would be needed, though he did not put a figure on them.
143. Peter Storr told us: "we wouldn't accept
that automatically when there is a new mandate it should be accompanied
by an increase in resources."
He subsequently qualified this: "I don't think I was suggesting
that we would block or be opposed to an increase in the Europol
budget to deal with cyber-security as a sort of principle
what one would look to Europol to do, as one would look to other
European bodies, is to make out a properly costed, well-argued
But the Minister was more explicit: "We think it [Europol]
can do that within existing resources."
144. Sir Richard Mottram, while conceding
that this addition to Europol's work could "probably not"
be done without additional resources, added that he was "always
of the argument that your highest priority,
because it is new and difficult and needs to be tackled, calls
for additional resources. It often calls for a reallocation of
145. We believe that additional resources are
needed, but they need not be the "staggering sums" which
Mr Thompson said the United States was investing in cyber-security.
Mr Wainwright told us: "We [Europol] already have some
experts in this field. I hope that we could supplement those with
at least some others from national cybercrime centres, including
one that will be established in the next year or so at SOCA here
in London. Certainly, I will be making those overtures to national
agencies like that in order to demonstrate to them that cybercrime
investigations centred in the UK will, by their very nature, have
a European, if not global, dimension, and that there are many
strong reasons, even operational reasons, why they should
invest in common European arrangements so that we can better support
their work at the national level."
146. The establishment of a Cybercrime Centre
will enhance the EU's ability to contribute in this area. This
is not an end in itself, but only one of many measures that must
147. Europol would be best placed to host
such a body. However, we believe that finding staff with the necessary
expertise may not be easy. Additional staff and funding will be
essential if the Cybercrime Centre, wherever it may be situated,
is to achieve its key aims. The Government's view that this can
be done within existing resources is unrealistic, and inconsistent
with their making additional resources available for the United
148. We believe that the Centre should form
a close working relationship with ENISA, and we support the extension
of that agency's role and mandate to cooperate with law enforcement
149. The dispersal of agencies dealing with
cyber matters is especially unfortunate. In particular, we continue
to have concerns about ENISA's ability to operate effectively
from its geographical location. We endorse the European Parliament's
proposal that the agency's operations could be "frontloaded"
Improving response capabilities
150. Mr Thompson explained that one of the
reasons cybercrime was a growing problem, both nationally and
internationally, was that cyberspace gave criminals anonymity;
it was very easy to conduct crime in that space, and not enough
was done to deter criminals by building up the judicial and legal
capacity to deal with criminals when they were detected. But he
added that there was agreement that "you could not prosecute
your way out of this problem"; States had to raise their
151. The Commission's proposals for raising standards
centre on computer emergency response teams, or CERTs: "First,
every Member State, and the EU institutions themselves, should
have, by 2012, a well-functioning CERT".
This is a repetition of the recommendation made by the Commission
in its 2009 Communication on Protecting Europe against large-scale
which was the subject of our earlier report. We discussed CERTs
at some length in that report.
Then too the Commission appeared to be recommending that each
Member State should have a single CERT. We supported this suggestion
in the case of those Member States, mainly in Eastern Europe,
which have inadequate CERTs, or even none at all. But there is
no need for this in those Member States which have a well-developed
system of CERTs. We explained that in the United Kingdom GovCertUK
is the CERT for the public sector, but the majority of the CERTs
are in the private sector, in large companies or in organisations
with a common interest.
152. JANET(UK) said: "
support the recommendation to increase the proportion of the European
Internet that is covered by a CSIRT by encouraging the creation
of at least a national CSIRT in each Member State and a CSIRT
for the European Institutions".
We note the words "at least". Symantec, while supporting
the proposal in the Communication, pointed out that "The
CERT model is flexible to enable Member States to develop multiple
CERTs, or different types of CERTs
153. Neither of these witnesses, nor any of those
who gave evidence to our previous inquiry, suggested that the
United Kingdom (or other States with a well-developed system of
multiple CERTs) should abandon this in favour of a single national
CERT. We urged the Commission to clarify its position. In its
response to the report it stated: "It is not the intention
of the European Commission to impose a 'one size fits all' model
with regard [to] the organisation of such capability, which is
left to the discretion and experience of Member States."
We were glad to read this, but regret that this is still unclear
in the ISS Communication.
154. As Mr Thompson emphasised, international
cooperation is important in terms of sharing best practice and
experience, as well as raising the standards in weaker States.
This is one of the roles of ENISA, though it is very conscious
that its current role is to supplement the responses of Member
States which "are best positioned to defend their own infrastructures".
ENISA has already coordinated the first pan-European cyber-security
exercise (Cyber Europe 2010). The Commission envisages that ENISA
should continue to help Member States to develop national contingency
plans and to undertake exercises in incident response and disaster
155. Many Member States already have an adequate
emergency response capacity and do not need to change their existing
CERT structure. But it is essential that every Member State should
have an adequate emergency response capacity, and this may need
to take the form of a national CERT. Where this is lacking, it
should be addressed as a matter of urgency. Individual weaknesses
will undermine the collective security of the EU.
Raising public awareness
156. Many of our witnesses regretted the low
level of awareness generally of vulnerability to cyber attacks
and cybercrime. Dr Cornish considered that there was a very
low level of "cyber consciousness" in the United Kingdom;
that a lot of "soft" work needed to be done to raise
awareness of the threat; that the threat developed so quickly
that institutional responses could become obsolete; that a "culture
change" was needed across the EU; and that there was a need
for the formulation of a "common language and definitions".
Mr Thompson considered that the United Kingdom had a "good
track record" in addressing cyber-security across Government
in cooperation with the private sector,
but he thought that the EU could play an important role in raising
awareness of the risks among citizens and businesses,
including the organisation of an "EU-wide public awareness
157. Other witnesses too thought that the EU
had an important role to play. The Commission's proposal is headed
"Work with industry to empower and protect citizens."
Sir Richard Mottram emphasised the importance of bringing
together government officials, senior industry figures and technical
experts to develop a deep understanding of the problem.
Mr Thompson mentioned that the EU had done this in the past, bringing
together "consortia of academics and industry partners", and
more work in this area would be welcome.
ENISA advocated improving cooperation between the public and private
sectors as well as raising public awareness through the inclusion
of "information security" lessons within the school
curriculum. Symantec was one private sector organisation which
said it was very willing to work with the public sector in this
area. However ways still need to be found to harness private sector
158. The Communication suggests that all Member
States should make it easier for people to report cybercrime incidents,
and should encourage them to do so. The information, once evaluated,
could then potentially feed in to a European cybercrime platform.
The Commissioner has encouraged the private sector to report cyber
was supported by Mr Thompson, who said that it was already
very much the approach of the United Kingdom and other Member
States. We accept
however that organisations may be reluctant to report such incidents
because of concerns that this may reveal weaknesses, undermine
public confidence and credence with regulatory authorities, and
perhaps increase the likelihood of further attacks.
159. A strong working relationship between
the public and private sectors will be crucial in raising awareness
of the threats from cyberspace. This needs to happen at both Member
State and EU level through joint forums involving all of the key
players. The EU can and should add value in this area by improving
160. We have already explained in Chapter 3 the
importance for security generally of improving relations with
international organisations and with strategically important third
countries. This is particularly true of cyber-security, which
almost by definition is a global problem that requires a global
161. It was therefore a particular concern to
us to hear the evidence of Dr Cornish. Two years previously
he had written a report for the European Parliament in which he
examined the level of collaboration among a set of organisations (European
Union, NATO, OECD
and UN) and his broad conclusion was that there was then
"next to no collaboration, partly because they had no common
understanding of what they were talking about. There was no common
lexicon. There was no common doctrine. There was nothing common
really. There were lots of good well-intentioned people in good
organisations trying to do their best, but there was no coming
together." The organisations did not all have to do everything,
but the chances that any one institution could solve the problem
within its own remit seemed to him to be slim.
162. Dr Cornish told us that the relationship
between EU and NATO was "the big problem". His sense
was that there was unlikely in the near future to be a good collaborative
effort between the two organisations. NATO with its Emerging Security
Challenges department was looking at the possibility of cyber-warfare
or war, and how NATO would react to it: whether it would invoke
Article 5, which
was clearly a NATO concern. But NATO did not look at cybercrime
as a discrete problem, which the European Union clearly did. This
unfortunate situation is no more than the specific application
to cyber-security of the general relationship between the two
organisations which we have considered in Chapter 3.
163. Cooperation with others seems to be better.
As far as the US and the European Union are concerned, Dr Cornish
told us that there was a working group on cyber-security running
which was to report later this year; he thought this would be
"a very high level and a very serious effort."
Dr Steve Marsh, deputy director of the Office of Cyber Security
and Information Assurance, pointed out that there were other international
institutions operating in the area, in particular the International
Telecommunications Union and the Internet Governance Forum. Mr Thompson
added that the Foreign Office was building additional capacity
to deal with these fora.
164. The global nature of the cyber threat
requires an international response. Proactive collaboration within
the international community, including the EU, UN and NATO, will
be indispensable if agreement is to be reached on the nature of
the threat, and on whether it can realistically be addressed.
165. In his Munich speech to which we have referred
in paragraph 127, the Foreign Secretary set out the benefits which
the internet could provide, but explained how our reliance on
it opened up new channels for hostile governments, enabled terrorist
networks to plan atrocities, and provided rich pickings for criminals.
He added: "Cyber-security is on the agendas of some thirty
multilateral organisations, from the UN to the OSCE and the G8
But much of this debate is fragmented and lacks focus.
We believe there is a need for a more comprehensive, structured
dialogue to begin to build consensus among like-minded countries
and to lay the basis for agreement on a set of standards on how
countries should act in cyberspace
the UK is prepared to
host an international conference later this year to discuss norms
of acceptable behaviour in cyber-space, bringing countries together
to explore mechanisms for giving such standards real political
and diplomatic weight." Mr Brokenshire confirmed that
the international conference would be held in the autumn of this
year, with attendance by invitation only to governments with a
"major stake" in the matter as well as international
organisations and representatives from the private sector and
academia. But he did not want to pre-empt the results of that
process by speculating as to whether an agreement would be reached.
166. We commend the United Kingdom initiative
to host an international conference on cyber-security, and hope
that a wide range of countries and organisations with a legitimate
interest will be invited. We look forward to considering the outcome
and the effect it may have on the EU.
175 June 2009, Cm 7590
October 2010, Cm 7953, page 27
In a speech at the Munich Security Conference, 5 February 2011
The EU Internal Security Strategy in Action, Objective
3, p 10
The Cost of Cyber Crime: A Detica report in partnership
with the Office of Cyber Security and Information Assurance in
the Cabinet Office, February 2011, http://www.detica.com/uploads/resources/THE_COST_OF_CYBER_CRIME_SUMMARY_FINAL_14_February_2011.pdf
Q 135
Communication from the Commission to the European Parliament,
the Council, the European Economic and Social Committee and the
Committee of the Regions on Critical Information Infrastructure
Protection: "Protecting Europe from large-scale cyber-attacks
and disruptions: enhancing preparedness, security and resilience"
(COM(2009)149 final, Council document 8375/09).
An assessment of the achievements to date was published on 1 April
2011: Communication from the Commission to the European Parliament,
the Council, the European Parliament, the European Economic and
Social Committee and the Committee of the Regions, on Critical
Information Infrastructure Protection, "Achievements and
next steps: towards global cyber-security" (COM(2011)163
final, Council document 8548/11).
March 2010; 5th Report, Session 2009-10, HL Paper 68
In evidence to us (ISS 14) Symantec explained some of the technicalities
of Stuxnet, but without offering views as to the identity of the
designers of the virus or its target.
Cyprus, Hungary, Liechtenstein, Lithuania and Malta
Q 376
QQ 298-300
Q 86
Q 180
QQ 270, 292.
Q 270
Protecting Europe against large-scale cyber-attacks, paragraphs
Ibid, Chapter 3: Is there a role for the EU?
ISS 14
ISS 2
Proposal for a Directive of the European Parliament and of the
Council on attacks against information systems and replacing Council
Framework Decision 2005/222/JHA (COM(2010)517, Council document
Letter of 27 October 2010 from the Chairman to Mr James Brokenshire
MP, Parliamentary Under-Secretary of State, Home Office, and reply
of 31 January 2011.
Q 414
The EU Internal Security Strategy in Action,
Objective 3, Action 1, p 10
Q 178
ISS 10
ISS 14
Q 180
ISS 4. JANET(UK) is the operator of JANET, the United Kingdom's
National Research and Education Network, which connects universities,
colleges, research organisations and regional schools networks
to each other, to peer research networks in other countries and
to the public Internet.
Q 278
Q 19
Protecting Europe against large-scale cyber-attacks, paragraphs
This would remain our view even if more of ENISA's activities
were moved to a centre in Athens, as is envisaged by the European
The Schengen Information Systems (SIS and SIS II), the Visa Information
System (VIS), and Eurodac, the fingerprint database for the Dublin
Regulation on jurisdiction to examine asylum applications.
Agreed at the Justice and Home Affairs Council on 2 December 2010
ISS 11
Q 135
Q 415
Q 16
Proposal for a Regulation of the European Parliament and of the
Council concerning the European Network and Information Security
Agency (ENISA) (Document No 14358/10)
Q 255
Strategic Defence and Security Review, Cm 7948, paragraph 4.C.3.
ISS 10
Q 136
Q 237
Q 256
Q 415
Q 371
Q 317
Q 139
Q 273
The EU Internal Security Strategy in Action,
Objective 3, Action 3, p 11
See paragraph 118 above
Paragraphs 57-71
ISS 4. CSIRT stands for Computer Security Incident Response Team,
and is synonymous with CERT.
ISS 14
Q 283
ISS 5
QQ 176-177
Q 270
Q 275
Q 285
Q 383
Q 289
The EU Internal Security Strategy in Action,
Objective 3, Action 2, p 11
Speech at an APCO lunch debate, 8 February 2011
Q 281
Organisation for Economic Cooperation and Development
Q 183
Under Article 5 of the North Atlantic Treaty each State undertakes
to treat an armed attack on one of them as an attack on all of
Paragraphs 53-57
Q 183
Q 309
QQ 417-418