Speech on Cyber Risks & Security Seminar, The EU Digital Agenda and the Cyber-security proposed Directive: A legal and a contextual approach,

Transcription

1 Speech on Cyber Risks & Security Seminar, The EU Digital Agenda and the Cyber-security proposed Directive: A legal and a contextual approach, Organized by American Chamber of Commerce in Cyprus, 30 October 2013, 16:00 Cyprus Chamber of Commerce & Industry, By Dr. Antonios St. Stylianou [GREETINGS] It is with great honor that I have accepted the American Chamber s of Commerce in Cyprus invitation to participate and address the present seminar on Cyber Risks & Security. This is a hot issue - an issue of paramount importance with consequences on all levels of personal, social and business interaction in today s technologically advanced world. Technology simply refers to a scientific knowledge to solve practical problems, but can also create imminent dangers. As noted in the Lloyd s of London Risk Index Report for 2013, which was published in August this year, cyber security Lecturer in Law, University of Nicosia, LL.B Law (Bristol), Ph.D in Law International Law and Human Rights (Kent). Director UNic Law Clinic. Contact details: University of Nicosia, 46 Makedonitissa Avenue, P.O. Box 24005, 1700 Nicosia. stylianou.an@unic.ac.cy. Tel. No.: +(357) Page 1 of 13

2 was amongst the top concerns for executives at number three worldwide and number two in the United States. According to that report, the perception behind what is motivating cyber-attacks is [also] evolving: from financial crime to political and ideological attacks. It is exactly within that context, that I will proceed to examine the European legal and contextual approach to cyber risks and security. Distinguished participants, What has changed, in fact, in relation to the issue under examination, was the great number of security breaches online in the last few years. 2012, for example, saw the takedown of the Interpol, CIA and Boeing websites, the suspension of alternative currency Bitcoin s trading floor, the mass theft of passwords from professional networking site LinkedIn, the outage of the websites of six major US banks listed in Fortune 500 (Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank) and, of course, many more cyber-attacks, which have raised great awareness in relation to cyber risks and security and have initiated a series of developments, mainly in relation to the legislative framework regulating such issues. To put things in context, according to General Keith. B. Alexander, Head of the National Security Agency and the United States Cyber Command, there had been a 17-fold increase in computer attacks on American infrastructure between 2009 and 2011, initiated by criminal gangs, hackers and other nations. A study by the United Nations published in February 2013 on cybercrime, raised concerns about the impact of fragmentation at international level and diversity of national Page 2 of 13

3 cybercrime laws on international cooperation and highlighted issues such as the role of evidence location, harmonization of national legal frameworks, law enforcement and criminal justice capacity and cybercrime prevention activities. According to the European Union s Digital Agenda Commissioner Neelie Kroes, cyber security is too important to leave to chance, to the goodwill of individual companies, and to that effect, the European Union has introduced, as part of its Europe 2020 strategy aiming to deliver smart sustainable and inclusive growth across the Union, the Digital Agenda for Europe, taking into account the fact that the digital economy is growing at seven times the rate of the rest of the economy. And it is not only the digital economy which is growing this is something that could be discussed elsewhere but also the costs of cyber breaches. A 2012 study by the Ponemon Institute found that the average annualized cost for 56 benchmarked organizations was 8.9 million US dollars a year, with a range from 1.4 million US dollars to 46 million US dollars per year, per company. This staggering escalation has led the countries in both sides of the Atlantic to take much needed action. In the United States for example, in a rare agreement between Republican and Democrat Senators, the Congress proposed the Deter Cyber Theft Act. The proposed bill, which elevates cyber theft as a national security priority for the United States, aims to block products that contain intellectual property stolen from US companies by foreign countries from being sold in the United States, as, according to the chairman of the Armed Services Committee, Senator Carl Levin, the US needed to take aggressive new Page 3 of 13

4 steps to combat cyber-espionage and hit the thieves where it hurts most in their wallets. In the European Union, as noted above, such issues are dealt with under the EU Digital Agenda, which was launched in May 2010 and which contains in total 101 actions, grouped around seven priority areas. These priority areas are: the creation of a new and stable broadband regulatory environment; new public digital service infrastructures; digital skills and jobs; copyright; cloud computing; launch of a new electronics industrial strategy; and, of course, the proposal for an EU cyber-security strategy and Directive. Overall, the EU Digital Agenda aims to reboot Europe s economy, across the spectrum, and help Europe s citizens and businesses to get the most out of digital technologies, without compromising their personal data or trade secrets. To the above effect, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, has published a cyber-security strategy, alongside a Commission proposed directive on network and information security. The aforementioned strategy, themed An Open, Safe and Secure Cyberspace, represents the European Union s comprehensive vision for the first time on how best to prevent and respond to cyber disruptions and attacks. The strategy furthers, at the same time, the EU values of freedom and democracy and ensures Page 4 of 13

5 that the digital economy, as described before, can safely expand and fulfill its potentials. In accordance with the strategy, five priorities have been identified, based on existing needs, threats and risks. In particular, the strategy articulates the means to achieve cyber resilience, reduce cybercrime in a drastic way, develop cyber defense police and capabilities related to the Common Security and Defense Policy, develop the industrial and technological resources for cybersecurity and establish a coherent international cyberspace policy for the EU, while, at the same time, promoting core EU values. It is emphasized that, in accordance with the EU strategy, the responsibility for a more secure cyberspace lies with all players of the global information society, from citizens to governments. At another level, given that threats are multilayered, synergies between civilian and military approaches in protecting critical cyber assets are also of paramount importance. In those respects, the contextual framework relating to the policy, aims to promote the respect of EU core values and fundamental freedoms, define norms for responsible behavior, advocate the application of existing international laws in cyberspace and assist countries outside the EU with cyber-security capacitybuilding, promoting, at the same time, international cooperation in cyber issues. The current successes of the policy are threefold: a) protection of EU citizens from online crimes, including the establishment of a European Cybercrime Centre; b) launch of a Global Alliance to fight sexual abuse online; and, lastly, c) proposed legislation on attacks against information systems. Page 5 of 13

6 In relation to the first success, that relating to the protection of EU citizens, the new European Cybercrime Centre (EC3) opened on 11 January 2013, giving a strong boost to the EU s capacity to fight cybercrime and defend an internet that is free, open and secure, according to EU Commissioner for Home Affairs Cecilia Malmström. The Centre delivers its expertise as a centre for operational investigative and forensic support, but also through its ability to mobilize all relevant resources in EU Member States to mitigate and reduce the threat from cybercriminals wherever they operate from. As operations relating to online fraud, child abuse online and other cybercrimes regularly involve hundreds of victims at a time, and suspects in many different parts of the world cannot be successfully concluded by national police forces alone, the Center marks a significant shift in how the EU aims to address cyber risks and maintain security across its territory and beyond. Taking into account that around one million people worldwide fall victim to some form of cybercrime every day, and that victims lose around 290 billion Euros each year worldwide as a result of cybercriminal activities, the Center aims to address the citizens concerns about cyber security, as, according to a Eurobarometer survey published last year (July 2012), 89% of Europeans remain very concerned about cyber security. The second success relates to the launch of a Global Alliance to fight sexual abuse online an initiative that was launch on 5 December The initiative aims to unite decision-makers all around the world to better identify and assist victims and to prosecute the perpetrators. This international initiative, entrusted by 50 Page 6 of 13

7 States, aims to strengthen our mutual resources to bring more perpetrators to justice, identify more victims of child sexual abuse, and ensure that they receive our help and support, according to US Attorney General Eric Holder. According to available statistical data, every day, countless children around the world are sexually abused and exploited, and images and videos of the abuse are circulated. Around 50,000 new child abuse images are added each year online and more than 70% of reported images feature children below 10 years of age. Four main pillars form the basis of this initiative, namely enhancing efforts to identify victims and ensuring that they receive the necessary assistance, support and protection; enhancing efforts to investigate cases of child sexual abuse online and to identify and prosecute offenders; increasing awareness among children, parents, educators and the community at large about the risks; and, reducing the availability of child pornography online and the re-victimization of children. Concrete operational goals and examples of potential actions that participant States could undertake to reach these goals and enlisted in a special document published at the launch of the campaign. As regards the Cyber-security proposed Directive, which forms an integral part of the EU Digital Agenda, the main aim is to ensure that Europe can defend itself from attacks against its key information (IT) systems. Complemented by a proposal for a Regulation to strengthen and modernize the European Network and Information Security Agency (ENISA), the two boost trust and network security. Page 7 of 13

8 The Directive regulates issues relevant to the provision of all available defenses against cyber-attacks. As such, of paramount importance is the establishment of the relevant legal framework which will allow bringing the perpetrators of cyberattacks and the producers of related and malicious software to justice, facing actually heavier criminal sanctions than at present. The Directive aims to impose also an obligation to Member States to quickly respond to urgent requests for help in the case of cyber-attacks, rendering European justice and police cooperation in this area more effective. In general, the Directive ensures a high common level of network and information security. This means improving the security of the Internet and the private networks and information systems underpinning the functioning of our societies and economies. This is to be achieved by requiring the Member States of the European Union to increase their preparedness and improve their cooperation with each other, and by requiring operators of critical infrastructures, such as energy, transport and key providers of information society services (e-commerce platforms, social networks, etc.), as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities. While Europe is engaged in taking full advantage of the potential of network and information systems, it should not become more vulnerable to disruptions caused by accidental or natural events (like submarine cable breaks) or through malicious actions (like hacking or other cyber-attacks). These could be based on, for Page 8 of 13

9 example, increasingly sophisticated tools which hijack large numbers of computers and manipulate them simultaneously as an army of robots on the internet ( botnets ) without their owners' knowledge. These infected computers can later be used to carry out devastating cyber-attacks against public and private IT systems, as happened in Estonia in 2007 where most online public services, as well as government, parliament and police servers were made temporarily inoperative. The number of attacks against information systems has risen steadily since the EU first adopted rules on attacks against information systems in February In March 2009, the computer systems of government and private organizations in more than 100 countries were attacked by a network of compromised computers which extracted sensitive and classified documents. In this instance again, malicious software created 'botnets', networks of infected computers that can be remotely controlled to stage a coordinated attack. The package proposed by the Commission will strengthen Europe's response to cyber disruptions. The Commission's proposal on cybercrime builds on rules that have been in force since 2005, and introduces new aggravating circumstances and higher criminal sanctions that are necessary to fight more effectively the growing threat and occurrence of large scale attacks against information systems. The 2005 Council Framework Decision deals, among other things, with illegal access to information systems, illegal system and data interference, and establishes new crimes in the legal systems of Member States, covering instigation, aiding and abetting and attempt to commit a cyber-crime. Page 9 of 13

10 Moreover, the proposed Directive would pave the way for an improvement of cooperation between the judiciary and the police of the Member States, introducing the obligation for Member States to make better use of the existing 24/7 network of contact points by treating urgent requests in a specified timeframe. Finally, the proposed Directive would provide for the establishment of a system to record and trace cyber-attacks. In addition to the proposed Directive, to help co-ordinate Europe's response, the Commission is proposing a new Regulation to strengthen and modernize the European Network and Information Security Agency (ENISA), which was first established in This would reinforce cooperation across EU Member States, law enforcement authorities and the industrial sector. ENISA will play an important role in boosting trust, which underpins the development of the Information Society, by enhancing the security and privacy of users. Under its new mandate, ENISA would engage EU Member States and private sector stakeholders in joint activities across Europe, such as cyber security exercises, public private partnerships for network resilience, economic analyses and risk assessment and awareness campaigns. A modernized ENISA would have greater flexibility and adaptability and would be available to providing EU countries and institutions with assistance and advice on regulatory matters. Page 10 of 13

11 Finally, to respond to the increased intensity of cyber security challenges, the proposed Regulation would extend ENISA's mandate for five years and gradually increase its financial and human resources. The Commission proposes that ENISA's governance structure would also be strengthened with a stronger supervisory role of the Management Board, in which the EU Member States and the European Commission are represented. Distinguished Friends, Over the last two decades, the internet and more broadly cyberspace has had a tremendous impact on all parts of society. Our daily life, fundamental rights, social interactions and economies depend on information and communication technology working seamlessly. An open and free cyberspace has promoted political and social inclusion worldwide; it has broken down barriers between countries, communities and citizens, allowing interaction and sharing of information and ideas across the globe; it has provided a forum for freedom of expression and exercise of fundamental rights, and empowered people in their quest for democratic and more just societies. BUT, at the same time, issues of safety and security have become of paramount importance in the cyberspace. Malicious activities and misuse of the cyberspace, cyber-terrorism and other risks closely connected with the internet have risen in prominence. Page 11 of 13

12 The borderless and multi-layered Internet has become one of the most powerful instruments for global progress without governmental oversight or regulation. While the private sector should continue to play a leading role in the construction and day-to-day management of the Internet, the need for requirements for transparency, accountability and security is becoming more and more prominent. The EU Digital strategy clarifies the principles that should guide cyber-security policy in the EU and internationally. The more we live in a digital world, the more opportunities for cyber criminals to exploit. Cybercrime is one of the fastest growing forms of crime, with more than one million people worldwide becoming victims each day. Cybercriminals and cybercrime networks are becoming increasingly sophisticated and we need to have the right operational tools and capabilities to tackle them. Cybercrimes are high-profit and low-risk, and criminals often exploit the anonymity of website domains. Cybercrime knows no borders - the global reach of the Internet means that law enforcement must adopt a coordinated and collaborative cross-border approach to respond to this growing threat. The EU and the Member States need strong and effective legislation to tackle cybercrime. The 2001 Council of Europe Convention on Cybercrime, also known as the Budapest Convention, with 40 Parties from Europe and overseas, is a binding international treaty that provides an effective framework for the adoption of national legislation. The Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly Page 12 of 13

13 with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception. Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation. The EU has already adopted legislation on cybercrime including a Directive on combating the sexual exploitation of children online and child pornography. The EU is also about to agree on a Directive on attacks against information systems, especially through the use of botnets. Dear Friends, Issues relating to cyber-risks and security have become extremely important. An effective fight against cybercrime in general requires increased, rapid and wellfunctioning international co-operation and a determination to holistically address the threats but also the opportunities pertained to the cyberspace. Paraphrasing a quote about cyberspace, we can conclude that we have created a new civilization in the Cyberspace. May then, this civilization be more humane and fair and more secured than our real space. Page 13 of 13