European Commission calls for collaboration and incident sharing

News by Dan Raywood

The European Commission's plan for a secure and open internet depends on national security strategies and cooperation.

Announcing the cyber security strategy ‘An Open, Safe and Secure Cyberspace’, the EC aims to: achieve cyber resilience; drastically reduce cyber crime; develop cyber defence policy and capabilities related to the Common Security and Defence Policy; develop the industrial and technological resources for cyber security; and establish a coherent international cyber space policy for the European Union.

Neelie Kroes, European Commission vice president for the digital agenda, said: “The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting.”

As part of this, each member state must adopt a network information security strategy and designate a national competent authority with adequate financial and human resources to prevent, handle and respond to risks and incidents related to network information security.

It also states that a cooperation mechanism should be established to share early warnings on risks and incidents between member states and the commission, via a secure infrastructure.

Asked how this could be achieved, Kroes said that there is a tendency to deny reality, and she referred to a comment by one CEO that they know that they are being attacked, and that 93 per cent of large businesses were aware that they were being attacked.

“Being open is at stake, it is the only way to learn from each other and create incentives to do better,” she said.

“So there is no attitude of ‘that is damaging my reputation’ and openness and transparency gives you a better situation in the very near future. I know that there is more awareness that reputational damage is no argument as to what is going on, sometimes companies want to avoid this but we shall be open and transparent.”

It also requires operators of critical infrastructures (such as financial services, transport, energy and health) and enablers of information society services (app stores, e-commerce platforms, internet payment, cloud computing, search engines and social networks) and public administrations to adopt risk management practices and report major security incidents on their core services.

Cecilia Malmström, EU commissioner for home affairs, said: “All member states should set up effective national cyber crime units that can benefit from the expertise and the support of the European Cybercrime Centre ‘EC3’.”

John Suffolk, global cyber security officer at Huawei, said: “The strategy comes at a crucial moment, providing the public and the private sector with the tools they need to move beyond debating the problem and take concrete steps to tackle security issues. The time has come to stop talking about the threat, stop talking about the challenges and start talking about the actions we have taken and will take.”

Jason Hart, vice president of cloud solutions at SafeNet, said: “This move is a welcome change as past breaches have demonstrated that delays in reporting may have exacerbated the initial problem. However, reporting the breach itself is only a small part of the equation; what is of real importance is preventing the damage that the exposure of unencrypted data can cause in the event of a security breach.

“New legislations that come into play will need to provide a comprehensive set of measures based on the fundamentals of information security to ensure wider adoption of encryption and authentication as a way of mitigating the damage of a potential security breach.”

Ilias Chantzos, senior director of government affairs at Symantec EMEA and APJ, said: “With cyber attacks having an impact on both organisations and individuals in Europe, Symantec has consistently highlighted the need for governments and policy makers to make information security a major public policy priority, both at national and a European level.

“The proposed strategy builds on some of the existing work that EU member states have done and serves to reinforce the need to strengthen critical infrastructure and to work in a collaborative manner. The proposal is the start, not the end, of the democratic process within the EU, and it is definitely a step in the right direction.”
