Tuesday, May 04, 2010

EU cybersecurity policy

This morning I gave the following invited speech to a session of the European Parliament's industry committee, which was considering a draft report on the Commission's recent Communication on Internet Governance. Also speaking were Ambassador Janis Karklis, chairman of ICANN's Government Advisory Committee; Frederic Donck from the Internet Society; and Prof. Adrian Cheok, director of the National University of Singapore's Mixed Reality Lab. Due to technical difficulties (!) the Internet Governance Forum secretariat's executive coordinator, Markus Kummer, was unable to participate remotely as planned.

Internet governance and cybersecurity

Clearly, European society is increasingly dependent on the Internet and related communications systems. But the security of those systems is not yet at a level appropriate for that dependence. Mr Sosa Wagner's draft report is right to stress the importance of improving the "availability, robustness and resilience" of critical information infrastructures.

The Commission and the Parliament have taken some important steps in improving this situation, especially through the recent telecoms reform package and its obligation for operators to identify risks and ensure continuity of service. I want to outline five key additional steps that the EU should take towards this goal (many of which are being discussed by the institutions):
  1. Bring member states up to a common high level on cybersecurity, with national Computer Emergency Response Teams or networks of sectoral teams. The European Network and Information Security Agency (ENISA) should continue to develop forums for information-sharing, and provide support to less capable member states.

  2. Further increase the effectiveness of ENISA, which needs significantly greater resources. With the entry into force of the Lisbon treaty, ENISA should be able to take action on former third pillar matters such as criminal use of the Internet.

  3. Ensure the resilience of key industry sectors through appropriate regulation. There should be further discussion of the designation of critical information infrastructures under Council Directive 2008/114/EC (while addressing concerns over information sharing), and requiring isolation of critical utility systems from public networks.

  4. Widen requirements for security breach notification from communication network operators to other information society services.

  5. Reinforce system and network diversity through competition law, state use of open standards, and procurement policy.

The Commission's Communication on Internet governance states that "the EU should take a leadership role in working towards the goal of increased security and stability of the Internet by initiating dialogue with international partners." The Commission should develop concrete plans with the Parliament and member states on what this leadership role should entail. In addition to promoting at the international level the measures I previously described, this could include:

  • Support for ICANN in its work to ensure the security and stability of the Domain Name System;

  • Work in international venues such as the OECD, United Nations and Council of Europe to improve applicable laws and national coordination on cybersecurity;

  • Discussions on limited liability for software security faults, particularly in the operating system and browser software that is critical to system security.

Finally, it is critical that the Parliament continues its role in promoting fundamental European values such as freedom of expression and privacy. The draft report's suggestion to extend the Rome II regulation to include violations of data protection and privacy is positive, as is the suggestion on the negotiation of international agreements for effective redress. But the EU institutions should be extremely cautious in introducing measures such as powers to revoke IP address blocks and domain names, which was suggested last week by the Council, or requiring Internet blocking (as Commissioner Malmstrom has proposed). These measures would set an extremely damaging precedent for Internet governance by repressive states that do not share European values.
