The EU Internal Security Strategy - European Union Committee


CHAPTER 5: Cyber-security

The challenge

115.  Cyber-security is an issue of increasing concern to governments, businesses and individuals. The Government published the first Cyber Security Strategy for the United Kingdom in 2009,[175] and in the 2010 revision of the National Security Strategy (NSS) "hostile attacks upon UK cyber space by other states and large scale cyber crime" were raised to a Tier One priority risk, second only to international terrorism.[176] Professor Joseph Nye has categorised cyber attacks into four categories: (i) cybercrime; (ii) cyber espionage; (iii) cyber terrorism; and (iv) cyber warfare between States.[177] We regard this as a useful distinction.

116.  The Communication has as its third objective the "rais[ing of] levels of security in cyberspace"[178] and the actions proposed bear primarily upon the first of Professor Nye's categories, though there are proposals also to improve capability for dealing with and responding to cyber attacks from any source. A recent report for the United Kingdom Office of Cyber Security and Information Assurance (OCSIA) estimated the cost of cybercrime to the United Kingdom on the most likely scenario to be £27 billion per annum.[179] The Director of Europol noted that within the EU over the previous year "approximately €100 billion of VAT fraud was committed by enterprising criminals on line, and that is just one aspect of it". "It [cybercrime] is a very good example of a transnational problem without a natural home."[180]

117.  All of our witnesses thought it right that the EU should pay greater attention to cyber threats. We agree, and are glad to see the emphasis placed on cyber-security in the Communication.

118.  The Commission had already published in April 2009 a Communication to the Council giving its views as to how the Member States might through the EU strengthen the security and resilience of their critical information infrastructures (CIIs) and develop their defences against cyber-attacks.[181] This was the subject of an earlier inquiry of this Committee which led to our report Protecting Europe against large-scale cyber-attacks.[182] In that report we gave the attacks on Estonia in April and May 2007 as well-known examples of the way even relatively minor attacks can cripple the infrastructure of a State which is ill-prepared for them. Since then Stuxnet has provided a further example of the use of hostile cyber-attack.

BOX 8

Stuxnet

Stuxnet is a computer virus, first reported in June 2010, which is widely thought to have been designed by a major Western power, possibly together with Israel, specifically to disable, and possibly destroy, centrifuges at an Iranian uranium enrichment plant by greatly increasing their speed while disguising the fact that this was happening. President Ahmadinejad acknowledged at a news conference that "they succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts."[183]


119.  A more recent example, closer to home, shows the inadequacy of security measures in some Member States, and how this can be an invitation to cybercrime on a grand scale. The EU Emissions Trading System (ETS) is the largest carbon-trading scheme in the world with a turnover of more than €90bn in 2010. It is dealt with by the 30 national registries of the EEA States. After a number of security breaches in previous months in Austria, Greece, Poland and Estonia, a major cyber-attack on the Czech registry on 18 January 2011 led to the loss of some €30m worth of carbon allowances. The following day the Commission suspended transactions at all national registries until they could provide proof of adequate security measures. The United Kingdom was among the first five States allowed to resume operations on 4 February 2011. But it was only on 20 April 2011, more than three months after the attack, that security in the last five States[184] was thought adequate for them to be allowed to resume trading.

120.  In 2012 the EU is to open its own registry for emissions trading, taking over from the national registries. This is likely to be a potential target for cyber-criminals, and it surprises us that, as Sir Richard Mottram told us, the EU does not seem to have realised that it is itself an attractive target, and that it should focus more on the security of its own systems.[185] Neil Thompson, the Director of the Office of Cyber Security and Information Assurance (OCSIA), stressed that EU institutions were not immune; that the EU could eliminate some of the weaknesses in its system by reducing the number of portals it operates; and that whoever had responsibility for the EU ETS had to take responsibility for its IT security. This, he said, was a matter of "basic computer hygiene".[186]

121.  When we took evidence from the European External Action Service (EEAS) Mr Lars-Gunnar Wigemark, the Head of Security Policy at the Directorate-General for External Relations at the Commission (DG RELEX, the precursor of the EEAS), emphasised the importance of cyber-security which, he said, was much broader than cybercrime and involved national security interests. He thought that Member States had been reluctant to develop common positions, but he did not mention the security of the EU institutions.[187] He might have done so if he had known that DG RELEX and the EEAS would on 23 March 2011 be hit by a major cyber-attack which forced them to shut down external access to emails and the institutions' intranet, and required all staff to change their passwords. This was followed by an attack on the European Parliament the next day which was still continuing a week later.

122.  We congratulate the Government on the priority they give to cyber-security in the United Kingdom National Security Strategy. But there is no room for complacency. All Member States, individually and collectively, must devote greater resources and urgency to meeting this challenge, given that their overall security is only as strong as the weakest link.

123.  The EU institutions should take the lead by ensuring the security of their own networks and agencies. They are a natural target for malicious and criminal attack; weaknesses have been and will be exploited. They must take responsibility for their own cyber-security; it is in the interests of the United Kingdom to help them to do so.

The role of the EU

124.  A number of our witnesses gave their views about the challenges of creating greater security in cyber space. Dr Cornish thought that cyberspace was a largely unregulated no-man's land in which a criminal could work with relative impunity.[188] Mr Thompson talked of the "scale, pace and complexity of the cyber-security challenge", creating what he called a policy lag.[189] He also emphasised the importance of connecting with the private sector;[190] in our earlier report we too stressed the need for a close working relationship between Governments and the private sector.[191]

125.  In that report we also stressed that cyber-security is a global matter to combat a global problem, and that the EU had an important role to play in coordinating the parts played by the Member States.[192] Symantec, a worldwide leader in internet security, wrote: "It is important to remember however that different Member States will be at different stages of understanding, and perhaps experience, of cyber related threats. The ISS can therefore play an important role in creating a common European understanding and recognition of the threat from cyber criminals who are increasingly organised, coordinated and targeted in their operations …"[193] The danger of a fragmented response by Member States with different legal regimes, different offences and different prosecution systems was explained by CEPS, which gave the Wikileaks affair as an example of the problems raised.[194]

126.  We strongly welcome the emphasis on cyber-security in the Communication and believe that this is an urgent and fast evolving challenge in which the EU can play an important part in raising standards and awareness in the Member States.

127.  The Commission had already proposed, in September 2010, a Cybercrime Directive to replace and bring up to date the 2005 Framework Decision on attacks against information systems.[195] We recommended that the United Kingdom should opt in to this proposal, and the Minister wrote to say that the Government had done so.[196] We welcome this.

The Budapest Convention

128.  The Council of Europe has also had a role to play. It is now nearly 10 years since the first international treaty on crimes committed via the internet and other computer networks was signed at Budapest, on 23 November 2001. Its main objective is to pursue a common policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation. It deals in particular with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.

129.  The Budapest Convention entered into force on 1 July 2004, but not for the United Kingdom. Nearly 10 years after the Convention was opened for signature the United Kingdom has still not ratified it. It is in force in every other major Member State except Poland, and in most smaller States. The Minister conceded that this "portrayed an indication, maybe wrongly, that this country was not serious on this", and he assured us that ratification would be "this year … we are literally in the final stages of dotting the i's and crossing the t's in relation to ratification".[197]

130.  In a speech to the Munich Security Conference on 4 February 2011 the Foreign Secretary, the Rt Hon William Hague MP, said: "We have a major opportunity to promote the Budapest Convention on Cyber Crime, which the UK will look to do when we chair the Council of Europe from November." If the United Kingdom is to promote the Convention, we hope that it will have deposited its instrument of ratification no later than the end of July, since the Convention will not otherwise be in force for the United Kingdom when it assumes the Chairmanship.

131.  We welcome the Government's commitment that the United Kingdom will ratify the Budapest Convention before the end of this year.

Cybercrime Centre

132.  The Commission's first and most significant proposal for action under this chapter is to establish a Cybercrime Centre.

BOX 9

The Cybercrime Centre

By 2013, the EU will establish, within existing structures, a cybercrime centre, through which Member States and EU institutions will be able to build operational and analytical capacity for investigations and cooperation with international partners. The centre will improve evaluation and monitoring of existing preventive and investigative measures, support the development of training and awareness-raising for law enforcement and judiciary, establish cooperation with the European Network and Information Security Agency (ENISA) and interface with a network of national/governmental Computer Emergency Response Teams (CERTs). The cybercrime centre should become the focal point in Europe's fight against cybercrime.[198]


133.  It is a matter for some regret that we received more evidence about where this Cybercrime Centre should be located than about whether it would be useful to set up such a body in the first place. However, Dr Cornish had reservations: "… the problem of cyber-security is still too young and too indistinct to be absolutely confident that what is needed right now or by 2012 is a cyber-crime Centre run within the European Union".[199] The Government in its written evidence did not favour setting up such a centre, pointing out that "… the Communication is at variance with the ISS in suggesting the establishment of new EU structures and capacities for tackling cyber crime, including the development of an EU cyber crime centre. We believe that any action to tackle cyber crime arising out of the Commission's Communication should be undertaken within existing structures …"[200]

FUNCTIONS

134.  Symantec, while welcoming "in theory" the setting up of a Cybercrime Centre, thought it was not clear what role the Centre would in fact play; there should be further discussion on the aims and objectives of the Centre, and how its work might be structured. These discussions should include an input from industry: "public private partnerships have been shown around the world to play a key tool to addressing cyber-security issues and should be integral to the development of any cybercrime centre for Europe".[201] Dr Cornish thought that, if such a Centre were set up, he would also like it "to focus very hard on the problem of cyber forensics and cyber attribution".[202] JANET(UK), while welcoming the idea of a complementary body to gather and promote good practice in dealing with cybercrime, doubted that it should have a direct operational role, since this "would at best add an additional layer of organisational complexity and at worst disrupt existing bi- and multi-lateral working relationships between national cybercrime centres."[203]

135.  Most of our other witnesses favoured setting up a Centre with the functions envisaged by the Commission, but thought it should be additional to and not in place of national capacity. Mr Thompson stressed that no Centre or agency could compensate for weak national capacity; the United Kingdom was looked at as one of the stronger European countries, but its own capacity was still weak. He did not think that creating an agency and expecting it to fix the problem was "quite aligned to the reality of where we are now".[204]

LOCATION

136.  The Commission Communication did not say expressly where the Centre should be located, but if it is to be "within existing structures" only two already existing bodies are possible: Europol or ENISA, the European Network and Information Security Agency. Since the Commission envisages that the new Centre should "establish cooperation with ENISA" it seems that it must envisage a Centre located within Europol. This was confirmed by Commissioner Malmström: "The Cybercrime Centre would, as I see it, be set up at Europol and build on what already exists in Europol. I am not talking of having a new big agency but of pooling a few resources there, working closely with Member States. Europol already has some capacity and some knowledge on this and it will be natural to build on that and not create anything new … if we want to focus on the crime issue, it would be more natural to put it under Europol."[205]

137.  None of our witnesses, not even ENISA in its written evidence, suggested that ENISA would be an appropriate location for the Centre, and nor would we. Even if cybercrime fitted with ENISA's current task of promoting cooperation and best practice in the field of cyber-security, we would not recommend giving these duties to an agency located in Heraklion. In our earlier report we pointed to the many problems caused by the location of an EU agency in Crete,[206] and we are not alone in this view.[207]

138.  We remain concerned about the dispersal of EU agencies working in the field of cyber-security and cybercrime, most recently exacerbated by the decision that the new agency to manage the large-scale EU IT systems[208] should be shared between Strasbourg, where the infrastructure remains, and Tallinn, where the management will be.[209] We received no evidence suggesting that the Cybercrime Centre should be a new free-standing agency; all witnesses thought, like the Commissioner, that Europol would be the appropriate location. The most enthusiastic, perhaps not surprisingly, was Europol itself. In its written evidence it stated: "Taking into account Europol's experience in fighting cybercrime and the unique technical and analytical expertise built in this field, as well as the fact that the centre is supposed to facilitate operational cooperation, the Agency [i.e. Europol] could play a primary role in the establishment of the future entity. Dispersion of investigative and analytical capacities in the fight against cybercrime should be avoided in order to safeguard the necessary coordination and cost-effectiveness."[210]

139.  In his oral evidence Mr Wainwright was equally emphatic: "We have forensic experts at Europol who can improve the capacity for domestic law enforcement to investigate cybercrime offences. As a package, although rather small-scale at the moment because of our resource limitations, it already holds a key to the future elaboration of the EU cybercrime centre and that is the model that we would like to take forward …"[211] Finally, in a document dated 21 December 2010 addressed to the Commission but shown to the Committee, Europol put in what was in effect a formal bid for the Cybercrime Centre to be hosted by Europol.

140.  The Minister, while not expressly supporting the creation of a Cybercrime Centre, told us that if such a Centre were set up, Europol would be the right place for it. He added: "I do not think there is any reason to question that Europol would have the skills and capabilities to develop a centre. The High Tech Crime Centre has been housed in Europol since I think around 2002, and provides valuable experience in this area that can be drawn upon. So I think in that sense it is the obvious place to put this."[212]

141.  Cooperation between the new centre and ENISA is envisaged by the Commission in its Communication, and the Commissioner said: "We also want to enlarge the competences of ENISA".[213] Negotiations are currently taking place on a Regulation increasing the scope of ENISA's activities.[214] Our witnesses agreed that such a centre should work alongside ENISA, and Peter Storr supported the extension of ENISA's role to include law enforcement cooperation on cybercrime issues.[215]

FUNDING

142.  In October 2010 the Government announced: "The National Cyber Security Programme will be supported by £650 million of new investment over the next four years".[216] This commitment, which was welcomed on all sides, seems to us to be an express acknowledgement by the Government that, even in times of financial austerity, cyber threats cannot be combated without additional resources. Yet the Government told us in their written evidence that they believed that any action to tackle cyber crime arising out of the Commission's Communication, including the creation of a Cybercrime Centre, should be undertaken not only within existing structures, but also within existing budgets.[217] The Director of Europol told us that some additional resources would be needed, though he did not put a figure on them.[218]

143.  Peter Storr told us: "we wouldn't accept that automatically when there is a new mandate it should be accompanied by an increase in resources."[219] He subsequently qualified this: "I don't think I was suggesting that we would block or be opposed to an increase in the Europol budget to deal with cyber-security as a sort of principle … what one would look to Europol to do, as one would look to other European bodies, is to make out a properly costed, well-argued business case …"[220] But the Minister was more explicit: "We think it [Europol] can do that within existing resources."[221]

144.  Sir Richard Mottram, while conceding that this addition to Europol's work could "probably not" be done without additional resources, added that he was "always suspicious … of the argument that your highest priority, because it is new and difficult and needs to be tackled, calls for additional resources. It often calls for a reallocation of priorities."[222]

145.  We believe that additional resources are needed, but they need not be the "staggering sums" which Mr Thompson said the United States was investing in cyber-security.[223] Mr Wainwright told us: "We [Europol] already have some experts in this field. I hope that we could supplement those with at least some others from national cybercrime centres, including one that will be established in the next year or so at SOCA here in London. Certainly, I will be making those overtures to national agencies like that in order to demonstrate to them that cybercrime investigations centred in the UK will, by their very nature, have a European, if not global, dimension, and that there are many strong reasons—even operational reasons—why they should invest in common European arrangements so that we can better support their work at the national level."[224]

146.  The establishment of a Cybercrime Centre will enhance the EU's ability to contribute in this area. This is not an end in itself, but only one of many measures that must be deployed.

147.  Europol would be best placed to host such a body. However, we believe that finding staff with the necessary expertise may not be easy. Additional staff and funding will be essential if the Cybercrime Centre, wherever it may be situated, is to achieve its key aims. The Government's view that this can be done within existing resources is unrealistic, and inconsistent with their making additional resources available for the United Kingdom's programme.

148.  We believe that the Centre should form a close working relationship with ENISA, and we support the extension of that agency's role and mandate to cooperate with law enforcement agencies.

149.  The dispersal of agencies dealing with cyber matters is especially unfortunate. In particular, we continue to have concerns about ENISA's ability to operate effectively from its geographical location. We endorse the European Parliament's proposal that the agency's operations could be "frontloaded" in Athens.

Improving response capabilities

150.  Mr Thompson explained that one of the reasons cybercrime was a growing problem, both nationally and internationally, was that cyberspace gave criminals anonymity; it was very easy to conduct crime in that space, and not enough was done to deter criminals by building up the judicial and legal capacity to deal with criminals when they were detected. But he added that there was agreement that "you could not prosecute your way out of this problem"; States had to raise their cyber-security standards.[225]

151.  The Commission's proposals for raising standards centre on computer emergency response teams, or CERTs: "First, every Member State, and the EU institutions themselves, should have, by 2012, a well-functioning CERT".[226] This is a repetition of the recommendation made by the Commission in its 2009 Communication on Protecting Europe against large-scale cyber attacks[227] which was the subject of our earlier report. We discussed CERTs at some length in that report.[228] Then too the Commission appeared to be recommending that each Member State should have a single CERT. We supported this suggestion in the case of those Member States, mainly in Eastern Europe, which have inadequate CERTs, or even none at all. But there is no need for this in those Member States which have a well-developed system of CERTs. We explained that in the United Kingdom GovCertUK is the CERT for the public sector, but the majority of the CERTs are in the private sector, in large companies or in organisations with a common interest.

152.  JANET(UK) said: "…we strongly support the recommendation to increase the proportion of the European Internet that is covered by a CSIRT by encouraging the creation of at least a national CSIRT in each Member State and a CSIRT for the European Institutions".[229] We note the words "at least". Symantec, while supporting the proposal in the Communication, pointed out that "The CERT model is flexible to enable Member States to develop multiple CERTs, or different types of CERTs …"[230]

153.  Neither of these witnesses, nor any of those who gave evidence to our previous inquiry, suggested that the United Kingdom (or other States with a well-developed system of multiple CERTs) should abandon this in favour of a single national CERT. We urged the Commission to clarify its position. In its response to the report it stated: "It is not the intention of the European Commission to impose a 'one size fits all' model with regard [to] the organisation of such capability, which is left to the discretion and experience of Member States." We were glad to read this, but regret that this is still unclear in the ISS Communication.

154.  As Mr Thompson emphasised, international cooperation is important in terms of sharing best practice and experience, as well as raising the standards in weaker States.[231] This is one of the roles of ENISA, though it is very conscious that its current role is to supplement the responses of Member States which "are best positioned to defend their own infrastructures".[232] ENISA has already coordinated the first pan-European cyber-security exercise (Cyber Europe 2010). The Commission envisages that ENISA should continue to help Member States to develop national contingency plans and to undertake exercises in incident response and disaster recovery.

155.  Many Member States already have an adequate emergency response capacity and do not need to change their existing CERT structure. But it is essential that every Member State should have an adequate emergency response capacity, and this may need to take the form of a national CERT. Where this is lacking, it should be addressed as a matter of urgency. Individual weaknesses will undermine the collective security of the EU.

Raising public awareness

156.  Many of our witnesses regretted the low level of awareness generally of vulnerability to cyber attacks and cybercrime. Dr Cornish considered that there was a very low level of "cyber consciousness" in the United Kingdom; that a lot of "soft" work needed to be done to raise awareness of the threat; that the threat developed so quickly that institutional responses could become obsolete; that a "culture change" was needed across the EU; and that there was a need for the formulation of a "common language and definitions".[233] Mr Thompson considered that the United Kingdom had a "good track record" in addressing cyber-security across Government in cooperation with the private sector,[234] but he thought that the EU could play an important role in raising awareness of the risks among citizens and businesses,[235] including the organisation of an "EU-wide public awareness campaign".[236]

157.  Other witnesses too thought that the EU had an important role to play. The Commission's proposal is headed "Work with industry to empower and protect citizens." Sir Richard Mottram emphasised the importance of bringing together government officials, senior industry figures and technical experts to develop a deep understanding of the problem.[237] Mr Thompson mentioned that the EU had done this in the past—bringing together "consortia of academics and industry partners"—and more work in this area would be welcome.[238] ENISA advocated improving cooperation between the public and private sectors as well as raising public awareness through the inclusion of "information security" lessons within the school curriculum. Symantec was one private sector organisation which said it was very willing to work with the public sector in this area. However ways still need to be found to harness private sector expertise effectively.

158.  The Communication suggests that all Member States should make it easier for people to report cybercrime incidents, and should encourage them to do so. The information, once evaluated, could then potentially feed in to a European cybercrime platform.[239] The Commissioner has encouraged the private sector to report cyber incidents.[240] This was supported by Mr Thompson, who said that it was already very much the approach of the United Kingdom and other Member States.[241] We accept however that organisations may be reluctant to report such incidents because of concerns that this may reveal weaknesses, undermine public confidence and credence with regulatory authorities, and perhaps increase the likelihood of further attacks.

159.  A strong working relationship between the public and private sectors will be crucial in raising awareness of the threats from cyberspace. This needs to happen at both Member State and EU level through joint forums involving all of the key players. The EU can and should add value in this area by improving public awareness.

International cooperation

160.  We have already explained in Chapter 3 the importance for security generally of improving relations with international organisations and with strategically important third countries. This is particularly true of cyber-security, which almost by definition is a global problem that requires a global response.

161.  It was therefore a particular concern to us to hear the evidence of Dr Cornish. Two years previously he had written a report for the European Parliament in which he examined the level of collaboration among a set of organisations—European Union, NATO, OECD[242] and UN—and his broad conclusion was that there was then "next to no collaboration, partly because they had no common understanding of what they were talking about. There was no common lexicon. There was no common doctrine. There was nothing common really. There were lots of good well-intentioned people in good organisations trying to do their best, but there was no coming together." The organisations did not all have to do everything, but the chances that any one institution could solve the problem within its own remit seemed to him to be slim.[243]

162.  Dr Cornish told us that the relationship between EU and NATO was "the big problem". His sense was that there was unlikely in the near future to be a good collaborative effort between the two organisations. NATO with its Emerging Security Challenges department was looking at the possibility of cyber-warfare or war, and how NATO would react to it: whether it would invoke Article 5,[244] which was clearly a NATO concern. But NATO did not look at cybercrime as a discrete problem, which the European Union clearly did. This unfortunate situation is no more than the specific application to cyber-security of the general relationship between the two organisations which we have considered in Chapter 3.[245]

163.  Cooperation with others seems to be better. As far as the US and the European Union are concerned, Dr Cornish told us that there was a working group on cyber-security running which was to report later this year; he thought this would be "a very high level and a very serious effort."[246] Dr Steve Marsh, deputy director of the Office of Cyber Security and Information Assurance, pointed out that there were other international institutions operating in the area, in particular the International Telecommunications Union and the Internet Governance Forum. Mr Thompson added that the Foreign Office was building additional capacity to deal with these fora.[247]

164.  The global nature of the cyber threat requires an international response. Proactive collaboration within the international community, including the EU, UN and NATO, will be indispensable if agreement is to be reached on the nature of the threat, and on whether it can realistically be addressed.

165.  In his Munich speech to which we have referred in paragraph 127, the Foreign Secretary set out the benefits which the internet could provide, but explained how our reliance on it opened up new channels for hostile governments, enabled terrorist networks to plan atrocities, and provided rich pickings for criminals. He added: "Cyber-security is on the agendas of some thirty multilateral organisations, from the UN to the OSCE and the G8 … But much of this debate is fragmented and lacks focus. We believe there is a need for a more comprehensive, structured dialogue to begin to build consensus among like-minded countries and to lay the basis for agreement on a set of standards on how countries should act in cyberspace … the UK is prepared to host an international conference later this year to discuss norms of acceptable behaviour in cyber-space, bringing countries together to explore mechanisms for giving such standards real political and diplomatic weight." Mr Brokenshire confirmed that the international conference would be held in the autumn of this year, with attendance by invitation only to governments with a "major stake" in the matter as well as international organisations and representatives from the private sector and academia. But he did not want to pre-empt the results of that process by speculating as to whether an agreement would be reached.[248]

166.  We commend the United Kingdom initiative to host an international conference on cyber-security, and hope that a wide range of countries and organisations with a legitimate interest will be invited. We look forward to considering the outcome and the effect it may have on the EU.


175   June 2009, Cm 7590

176   October 2010, Cm 7953, page 27

177   In a speech at the Munich Security Conference, 5 February 2011

178   The EU Internal Security Strategy in Action, Objective 3, p 10

179   The Cost of Cyber Crime: A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, February 2011, http://www.detica.com/uploads/resources/THE_COST_OF_CYBER_CRIME_SUMMARY_FINAL_14_February_2011.pdf

180   Q 135

181   Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection: "Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" (COM(2009)149 final, Council document 8375/09), http://register.consilium.europa.eu/pdf/en/09/st08/st08375.en09.pdf. An assessment of the achievements to date was published on 1 April 2011: Communication from the Commission to the European Parliament, the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions, on Critical Information Infrastructure Protection, "Achievements and next steps: towards global cyber-security" (COM(2011)163 final, Council document 8548/11).

182   March 2010; 5th Report, Session 2009-10, HL Paper 68

183   In evidence to us (ISS 14) Symantec explained some of the technicalities of Stuxnet, but without offering views as to the identity of the designers of the virus or its target.

184   Cyprus, Hungary, Liechtenstein, Lithuania and Malta

185   Q 376

186   QQ 298-300

187   Q 86

188   Q 180

189   QQ 270, 292.

190   Q 270

191   Protecting Europe against large-scale cyber-attacks, paragraphs 72-79

192   Ibid, Chapter 3: Is there a role for the EU?

193   ISS 14

194   ISS 2

195   Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (COM(2010)517, Council document 14436/10)

196   Letter of 27 October 2010 from the Chairman to Mr James Brokenshire MP, Parliamentary Under-Secretary of State, Home Office, and reply of 31 January 2011.

197   Q 414

198   The EU Internal Security Strategy in Action, Objective 3, Action 1, p 10

199   Q 178

200   ISS 10

201   ISS 14

202   Q 180

203   ISS 4. JANET(UK) is the operator of JANET, the United Kingdom's National Research and Education Network, which connects universities, colleges, research organisations and regional schools networks to each other, to peer research networks in other countries and to the public Internet.

204   Q 278

205   Q 19

206   Protecting Europe against large-scale cyber-attacks, paragraphs 112-120

207   This would remain our view even if more of ENISA's activities were moved to a centre in Athens, as is envisaged by the European Parliament.

208   The Schengen Information Systems (SIS and SIS II), the Visa Information System (VIS), and Eurodac, the fingerprint database for the Dublin Regulation on jurisdiction to examine asylum applications.

209   Agreed at the Justice and Home Affairs Council on 2 December 2010

210   ISS 11

211   Q 135

212   Q 415

213   Q 16

214   Proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA) (Document No 14358/10)

215   Q 255

216   Strategic Defence and Security Review, Cm 7948, paragraph 4.C.3.

217   ISS 10

218   Q 136

219   Q 237

220   Q 256

221   Q 415

222   Q 371

223   Q 317

224   Q 139

225   Q 273

226   The EU Internal Security Strategy in Action, Objective 3, Action 3, p 11

227   See paragraph 118 above

228   Paragraphs 57-71

229   ISS 4. CSIRT stands for Computer Security Incident Response Team, and is synonymous with CERT.

230   ISS 14

231   Q 283

232   ISS 5

233   QQ 176-177

234   Q 270

235   Q 275

236   Q 285

237   Q 383

238   Q 289

239   The EU Internal Security Strategy in Action, Objective 3, Action 2, p 11

240   Speech at an APCO lunch debate, 8 February 2011

241   Q 281

242   Organisation for Economic Cooperation and Development

243   Q 183

244   Under Article 5 of the North Atlantic Treaty each State undertakes to treat an armed attack on one of them as an attack on all of them.

245   Paragraphs 53-57

246   Q 183

247   Q 309

248   QQ 417-418




© Parliamentary copyright 2011