An EU Cyber-Security Strategy

Strengthening the resilience of Europe’s information systems and reducing cybercrime are the key objectives of a new EU strategy.

These actions are designed to further European values of freedom and democracy, and ensure that the digital economy can continue to safely grow.

The strategy document, taking the form of a Commission Communication, is also accompanied by a legislative proposal for a Directive on strengthening network and information security (NIS).

Context

Cybercrime - crime involving a computer and a network - has become a significant issue.

There are an estimated 150,000 computer viruses in circulation every day and 148,000 computers are compromised daily. A McAfee study recently put cybercrime profits at €750 billion a year.

The World Economic Forum estimates that there is a 10% chance of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250 billion.

The Strategy

The European Cybersecurity Strategy aims to ensure a high level of protection for network and information systems, and to boost cooperation between Member States and EU institutions in combating cybercrime.

The Communication setting out the EU CyberSecurity Strategy outlines five main priorities:
• Achieving cyber resilience
• Drastically reducing cybercrime
• Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP)
• Developing the industrial and technological resources for cyber-security
• Establishing a coherent international cyberspace policy for the European Union and promoting core EU values

Achieving Cyber Resilience

The Commission has already developed a policy on Network and Information Security (NIS) to prevent, detect and handle cyber security incidents. However, private companies still do not provide reliable data on the existence or impact of NIS incidents and do not adequately invest in security solutions.

In addition, there is still a lack of coordination between national authorities in cases of incidents spanning across borders.

In order to respond to these problems, the Commission plans to carry out the following:
• Launch an EU-funded pilot project early in 2013 to provide a framework for coordination and cooperation between EU Member States and private sector organisations such as internet service providers and international partners
• Call on the European Network and Information Security Agency (ENISA) to assist Member States in developing strong national cyber resilience capabilities, by building expertise on security and resilience of industrial control systems, transport and energy infrastructure
• Urge industry to invest in a higher level of cyber security, and to develop best practices

Reducing Cybercrime

Cybercrime is one of the fastest growing forms of crime, with more than one million people worldwide becoming victims each day. Cybercrime networks are becoming increasingly sophisticated, while criminals often exploit the anonymity of website domains.

The Commission believes that the EU and Member States need strong and effective legislation to tackle cybercrime. To this end, the Commission will:
• Ensure swift transposition and implementation of the cybercrime-related directives, including the Directive on combating the sexual exploitation of children online and child pornography
• Urge those Member States that have not yet ratified the Council of Europe's Budapest Convention on Cybercrime to ratify and implement its provisions as early as possible

Common Security and Defence Policy

The development of Europe’s cyber defence capabilities should be supported by research and development, as well as through closer cooperation between governments, the private sector and academia.

Member States and the European Defence Agency are invited by the Commission to collaborate in order to:
• Promote the development of EU cyber defence capabilities and technologies to address all aspects of capability development
• Develop an EU cyber defence policy framework to protect networks within CSDP missions and operations
• Improve cyber defence training and exercise opportunities for the military, including the integration of cyber defence elements in existing exercise catalogues
• Promote dialogue and coordination between civilian and military actors in the EU
• Ensure dialogue with international partners, including NATO, and other international organisations

Industrial and Technological Resources

Another concern is that Europe could become too dependent on technology that is produced elsewhere. It is therefore important to ensure that hardware and software components produced in the EU and in third countries that are used in critical services and infrastructure are secure and guarantee the protection of personal data.

This is why the Commission will:
• Launch in 2013 a public-private platform on NIS solutions to develop incentives for the adoption of secure ICT solutions in Europe
• Propose in 2014 recommendations to ensure cyber security across the information technology value chain
• Examine how major IT providers could inform national competent authorities on detected vulnerabilities that could have significant security implications

International Cyberspace Policy

The Commission wants to participate in international efforts aimed at strengthening cyber security. It further stresses that the EU will seek closer cooperation with organisations that are active in this field, including the Council of Europe, UN and NATO.

The Commission will therefore:
• Work towards a coherent EU international cyberspace policy to increase engagement with key international partners and organisations
• Facilitate dialogue on how to apply existing international law in cyberspace and promote the Budapest Convention to address cybercrime
• Increase policy coordination and information sharing through international critical information infrastructure protection networks such as the Meridian network

Network and Information Security

The accompanying proposed Directive on network and information security (NIS) represents one of the key actions of the European Cybersecurity Strategy. It would require operators of critical infrastructures, such as energy and transport, and key providers of information society services, to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.

National NIS Strategy

The proposed Directive requires Member States to adopt a national NIS strategy that would set out objectives and concrete policy measures to achieve a high level of network and information security. The national NIS strategy would address the following issues:
• The definition of the objectives and priorities of the strategy
• A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors
• The identification of the general measures on preparedness, response and recovery, including cooperation mechanisms between the public and private sectors
• An indication of education, awareness raising and training programmes
• Research and development plans and a description of how these plans reflect the identified priorities

Cooperation Network

The proposal would also establish a cooperation mechanism between Member States and the Commission against risks and incidents. Within this network, competent authorities would:
• Share early warnings on risks and incidents
• Ensure a coordinated response following an early warning
• Publish on a regular basis non-confidential information on ongoing early warnings and coordinated response on a common website
• Organise regular peer reviews on capabilities and preparedness

Security Requirements

Member States must ensure that public administrations and market operators:
• Take appropriate measures to manage the risks posed to the security of the networks and information systems which they control
• Notify to the national competent authority incidents having a significant impact on the security of the core services they provide

The proposed Directive also states that competent authorities may inform the public, or require the public administrations and market operators to do so, where they determine that disclosure of the incident is in the public interest. It also requires Member States to lay down rules on sanctions for cases where the provisions of the Directive are not respected.

Next Steps

The proposed Directive will now be sent to the European Parliament and the Council for examination, following the ordinary legislative procedure.

Both institutions may also decide to formally respond to the EU CyberSecurity Strategy in the coming months.