1 / 18

Andrea Servida Deputy Head of Unit European Commission DG INFSO-A3 Andrea.servida@ec.europa.eu

Security and resilience in Information Society: towards a CIIP policy in the EU. Andrea Servida Deputy Head of Unit European Commission DG INFSO-A3 Andrea.servida@ec.europa.eu. Ubiquitous World. Mobile World. Networks with low performance devices (e.g. RF tags and sensors).

haskinsd
Download Presentation

Andrea Servida Deputy Head of Unit European Commission DG INFSO-A3 Andrea.servida@ec.europa.eu

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security and resilience in Information Society: towards a CIIP policy in the EU Andrea Servida Deputy Head of Unit European Commission DG INFSO-A3 Andrea.servida@ec.europa.eu

  2. Ubiquitous World Mobile World Networks with low performance devices (e.g. RF tags and sensors) (Real World) B3G Radio Access B3G Mobile Network Networks with high performance devices (e.g. home appliances) Ubiquitous LocalNW Mobile NW Mobile Edge Mobile-Ubiquitous NW What’s ahead: mobile & ubiquitous Information Society Broaden communication parties, networking, and business opportunities

  3. Network and information security:The European Context • Strategy for a Secure Information Society[COM(2006)251] • Policy initiatives on: • fighting against spam, spyware and malware [COM(2006)688] • promoting data protection by PET [COM(2007)228] • fighting against cyber crime [COM(2007)267] • Proposed package to reform the Regulatory Framework for e-communications [COM(2007)697, COM(2007)698, COM(2007) 699] • European Network and Information Security Agency, (ENISA) established in 2004 • A policy initiative on CIIP is announcedin the CLWP 2008 [COM(2007) 640]

  4. PARTNERSHIPgreater awareness &better understandingof the challenges DIALOGUEstructured and multi-stakeholder Open & inclusivemulti-stakeholderdebate EMPOWERMENTcommitment to responsibilitiesof all actors involved Towards a secure Information Society

  5. CIP at the EU level • In June 2004, the European Council asked for an overall strategy to protect critical infrastructures • On 17 November 2005, the Commission adopted a Green Paperon the policy options for a European Programme on Critical Infrastructure Protection (COM(2005)576) • Contributions from 22 Member States and over 100 private companies and industry associations • need for action at the European level to enhance the protection and resilience of critical infrastructures • In December 2006 theCommission adopted • a communication and • a proposal for a directive on the identification and designation of European Critical Infrastructure

  6. Dialogue & Partnership:CLWP 2008 Policy initiative on CIIP • Objectives • Enhance the level of CIIP preparedness and response across the EU • Ensure that adequate and consistent levels of preventive, detection, emergency and recovery measures are put in operation • Approach • Build on national and private sector initiatives • Engage relevant public and private stakeholders • Adopt All-hazards • Strengthen the synergies between 1st and 3rd pillar measures

  7. Dialogue & Partnership: Challenges for CIIP • Organisational:build trusted relationships and engage the stakeholders at the EU level • Policy orientations:achieve a better understanding and clarity on the guiding policy principles • Issues: • National vs. European information Infrastructures (criteria); • long-term Internet stability & resilience; • preventive, detection/early warning & responsive measures; • recovery and continuity strategies; • sharing knowledge and good practices; • cross-sectors proactive information assurance methods; • risk management culture and tools; • inter-dependencies, in particular across heterogeneous infrastructures; etc.

  8. CIIP - Preparatory activities (1) • 2006 • Study on “Availability and Robustness of Electronic Communications Infrastructures” (ARECI) • 2007 • Informal meeting of National experts on CIIP – Brussels, 19 January 2007 • Public consultation on the final ARECI report drafted by Alcatel-Lucent - April 2007 • Joint Member States and private sector meeting o– Brussels, 18 June 2007” • Workshop on “cc TLD’s Contingency practices”, 19/09/2007 • Workshop on challenges for awareness raising, 07/12/2007 • Study on “Critical dependencies of energy, finance and transport infrastructures on ICT infrastructures (under negotiation)

  9. CIIP - Preparatory activities (2) • 2008 • Workshop on “Learning from large scale attacks on the Internet: policy implications”, Brussels, 17 January 2008; • Meeting with MS on the criteria to identify European Critical Infrastructures in the ICT sector, Brussels, 5 February 2008; • Planned studies and projects funded under EPCIP financial scheme: "Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks“

  10. Workshop on “Learning from large scale attacks on the Internet:policy implications • Objectives • Foster discussions on lessons learnt and best practices • Raise awareness on further Internet security issues • Discuss and investigate the value of: • EU cooperation • International cooperation • Public Private Partnership • Attendance • 86 participants • 57 delegates from EU MS + EFTA from ministries of defence, interior affairs, industry, communications, finance, and Telecom National Regulatory Authorities • 12 experts from academia and industry

  11. Lessons learned critical issues to be considered • Availability and reliability of the DNS service underpinning the resolution of web names • Security of traffic exchangebetween operators (in particular IXP) • Increased complexity: sophistication of attacks; professional malware’s development cycle; commercial-alike distribution pattern (malware toolkits) • Web pagesare becoming the vector for infections • Increased targetedattacks • Information Asymmetrybetween attackers and targets • Attacks exploit P2P and increasingly WEB 2.0

  12. Lessons learned current situation • The distributed nature of the Internet • Enhances its resilience • But also provides structural vulnerability  public policyshould respect this distributed nature • Critical trends • Computers at the edges are more and more part of the global infrastructure • The distributed nature of P2P is more and more exploited to decentralise the command of malware - Attackers are hard if not impossible to identify • Internet’s security is a shared responsibility • Every stakeholder has a role and responsibility • Ones security brings more benefits to others  Hence, the question of the incentives for stakeholdersto adopt security measures

  13. Lessons learned the way forward (1/2) • Build resilience / Harden the infrastructure • Servers and links redundancy, Anycast • Security of routing protocol / traffic exchange • Security of DNS service • Profiling attackers and understandingtheir objectives (know your enemies) • Response preparedness • National contingency plan for the Internet • Cyber exercises on National/international level are crucial • Strengthen multinational cooperation for rapid response (formal rather than informal) • Importance of CERTs/CSIRTs and their role for national and international cooperation • Measurement - monitoringof traffic to understand what is going on • Computers at the edges could be leveraged to build collective intelligence

  14. Lessons learned the way forward (2/2) • Technology will not be sufficient • Study the economics of security and cyber crime • Set-up Public Private Partnership (PPP) • Importance of the role of government, which is to coordinate and be a good user • Develop cross-sector and cross-organisational cooperationon National, EU and international levels • Agree on responsibility’s allocation • Information and best practices sharing importance of trust • Raising awarenessand education of individuals, public bodies, corporate users and service providers

  15. CIIP – next steps • Criteria for the ICT sector • Questionnaire out  response by mid-March • Comments to JRC report by mid-March • Next meeting mid-May (tentative) • Time Frame: end 2008 • Survey on MS Policy approaches on CIIP • Focus on i) definitions/criteria; ii) risk assessment activities; iii) incident response capability; iv) Public Private Partnership; v) International dimension • Questionnaire ou  response by mid-March • Report: second half of 2008 • Thematic workshops • Meetings with Member States • Call for tenders & proposals (next slides) • A Commission policy on CIIP in early 2009

  16. CIIP – Planned public procurements EPCIP financial scheme • 2008 • In cooperation with DG JLS, three planned studies to: • Analyse and improve emergency preparedness in the field of fixed and mobile telecommunications and Internet (400 k€); • Identify rationale and propose criteria to designate European CII in the sub-sectors of information system and network protection, Internet, fixed and mobile telecommunications (500 k€) and, • Idem in the sub sectors ofinstrumentation automation and control systems(350 k€ - via arrangements with JRC);

  17. CIIP – Planned calls for proposals EPCIP financial scheme • 2008 • In cooperation with DG JLS, calls on: • Analysis of new media capabilities and identification of requirements to ensure critical communications between authorities and the public • Prototype of a European multilingual information sharing and alert system to provide appropriate and timely information via dedicated е-security web portals on threats, risks and alerts as well as on best practices. • Analysis of the dependency on electrical power of modern ICT infrastructures supporting the Internet as well as fixed and mobile telecommunications networks; • Supporting information sharing in the context of the Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or networks and amending Directive 2002/58/EC

  18. Web Sites DG INFSO Web site on the EU policy on secure Information Society http://ec.europa.eu/information_society/policy/nis/index_en.htm Page on CIIP http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/large_scale/index_en.htm

More Related