How To Understand And Understand The European Priorities In Information Security

Transcription

1 European priorities in information security Graeme Cooper Head of Public Affairs Unit, ENISA 12th International InfoSec and Data Storage Conference, 26th September 2013, Sheraton Hotel, Sofia, Bulgaria European Union Agency for Network and Information Security

2 EU Cubersecurity Strategy essential points An Open, Safe and Secure Cyberspace The norms, principles and values that the EU upholds offline, should also apply online. Cyberspace must be correctly protected: Governments have a significant role in ensuring a free and safe cyberspace. The private sector owns and operates significant parts of cyberspace and has a leading role. Outside the EU, governments may misuse cyberspace for surveillance and control. The EU can counter this situation by promoting freedom online and ensuring respect of fundamental rights online. European Union Agency for Network and Information Security 2

3 Economic Arguments By completing the Digital Single Market, Europe could boost its GDP by almost 500 billion a year. For new connected technologies to take off citizens will need trust and confidence. Currently, Europeans are not confident in their ability to use the Internet for banking or purchases. They are also reluctant to disclose personal information. Across the EU, more than one in ten Internet users has been a victim of online fraud. The EU economy is already affected by cybercrime activities, economic espionage and state sponsored activities are new threats. European Union Agency for Network and Information Security 3

4 The Principles The strategy proposes key principles to guide the EU and international approach: The EU's core values apply as much in the digital as in the physical world. Fundamental rights, freedom of expression, personal data and privacy should be protected. The Internet should be accessible to all citizens. The digital world must be subject to democratic and efficient multi stakeholder governance. Ensuring security is a shared responsibility. European Union Agency for Network and Information Security 4

5 Strategic Priorities The Five strategic objectives of the strategy are as follows: Achieving cyber resilience Drastically reducing cybercrime Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP) Developing the industrial and technological resources for cybersecurity Establishing a coherent international cyberspace policy for the European Union and promoting core EU values ENISA explicitly called upon. European Union Agency for Network and Information Security 5

6 Achieving Cyber Resilience Introduces ENISA and explains the policy on NIS. Makes reference to articles 13a & 13b. Introduces the legislative proposal. Stresses the importance of the following: The establishment of a cybersecurity culture to enhance business opportunities and competitiveness. Reporting significant incidents to the national NIS competent authorities. Exchange of information between National NIS competent authorities and other regulatory bodies. Recognises that exercises at EU level are essential to stimulate cooperation among the MS and the private sector. European Union Agency for Network and Information Security 6

7 The Legislative Proposal Key points: Will help establish common minimum requirements for NIS at national level. Requires Member States to designate national competent authorities for NIS, set up a competent CERT and adopt a national NIS strategy and a national NIS cooperation plan. Explains the role of the CERT EU regarding the EU institutions, agencies and bodies. Requires the establishment of coordinated prevention, detection, mitigation and response mechanisms. Requires the private sector to develop, at a technical level, its own cyber resilience capacities and share best practices across sectors. European Union Agency for Network and Information Security 7

8 Achieving Cyber Resilience (1 of 2) In the area of cyber resilience, the EC asks ENISA to: Assist the Member States in developing strong national cyber resilience capabilities. Examine in 2013 the feasibility of Computer Security Incident Response Team(s) for Industrial Control Systems (ICS CSIRTs) for the EU. Continue supporting the Member States and the EU institutions in carrying out regular pan European cyber incident exercises. European Union Agency for Network and Information Security 8

9 Achieving Cyber Resilience (2 of 2) Specifically in terms of raising awareness, the Commission asks ENISA to: Propose in 2013 a roadmap for a "Network and Information Security driving licence". Support a cybersecurity championship in 2014, where university students will compete in proposing NIS solutions. European Union Agency for Network and Information Security 9

10 European Cybersecurity Month European Union Agency for Network and Information Security 10

11 Developing Resources There is a risk that Europe becomes excessively dependent on ICT and on security solutions developed outside its frontiers. Hardware and software components used in critical services and infrastructure must be trustworthy, secure and guarantee the protection of personal data. In order to mitigate this risk, the strategy proposes two action areas: Promoting a Single Market for cybersecurity products Fostering R&D investments and innovation European Union Agency for Network and Information Security 11

12 Single Market for Products A high level of security can only be ensured if all in the value chain make security a priority. The strategy aims to increase cooperation and transparency about security in ICT products: It calls for the establishment of a platform to identify good cybersecurity practices across the value chain. COM will support the development of security standards and assist with EU wide voluntary certification schemes. Cloud computing and data protection. critical economic sectors Industrial Control Systems, energy and transport infrastructure. European Union Agency for Network and Information Security 12

13 R&D and Innovation R&D should fill technology gaps in ICT security and prepare for the next generation of security. The Horizon 2020 Framework Programme for Research and Innovation will be launched in 2014: There are specific objectives for trustworthy ICT as well as for combating cyber crime. Specific attention will be drawn at EU level to optimising and better coordinating various funding programmes European Union Agency for Network and Information Security 13

14 Developing Resources The Commission asks ENISA to: Develop, in cooperation with relevant stakeholders, technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors. Collaborate with Europol to identify emerging trends and needs in view of evolving cybercrime and cybersecurity patterns so as to develop adequate digital forensic tools and technologies. European Union Agency for Network and Information Security 14

15 Further Involvement of ENISA Although ENISA is not explicitly mentioned in the other strategic priorities, there is clearly a role for the Agency. The EU Internal Security Strategy explains how ENISA should collaborate with the recently established EU Cyber Crime Centre. We have a role in creating a strong culture of NIS throughout the EU. This can only be achieved by bringing communities together and ensuring that information on NIS is shared between such communities in an appropriate manner. European Union Agency for Network and Information Security 15

16 Concluding Remarks Complex ICT systems keep our economies running in key sectors such as finance, health, energy, etc. Many business models are built on the uninterrupted availability of the Internet and the smooth functioning of information systems EC Recognises the importance of ICT in contributing to EUs economic growth and its role as a critical resource for all economic sectors ENISA is already well established and contributing in many of the areas described in the EU proposal for an EU cybersecurity strategy. European Union Agency for Network and Information Security 16

17 Thank you. Graeme Cooper, Head of Public Affairs Unit, ENISA ENISA European Union Agency for Network and Information Security Science and Technology Park of Crete (ITE) Vassilika Vouton, , Heraklion, Greece Athens Office 1 Vass. Sofias & Meg. Alexandrou Marousi , Athens, Greece Follow ENISA: European Union Agency for Network and Information Security