1 / 21

Valérie Andrianavaly

EU policy on Network and Information Security & Critical Information Infrastructure Protection. Valérie Andrianavaly European Commission Directorate General Information Society and Media - DG INFSO - Unit A3: Internet Governance; Network and Information Security

astrid
Download Presentation

Valérie Andrianavaly

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EU policy on Network and Information Security &Critical Information Infrastructure Protection Valérie Andrianavaly European CommissionDirectorate General Information Society and Media - DG INFSO -Unit A3: Internet Governance; Network and Information Security valerie.andrianavaly@ec.europa.eu

  2. Part 1 Policy on Network and Information Security (NIS)

  3. A comprehensive EU approach to NIS International Co-operation OECD, G8, Council of Europe, UN, ITU, ... Economic, business and social aspects of security in Information Society Cyber-crime, Internal security External security / defence • Electronic Signature • Data protection in elect. com., • e-signature, e-ID and e-authentication • NIS & CIIP • Culture of security • ENISA • digital right management, biometrics, smart card, IPv6, open source software • … • Stockholm Programme • Framework Decision on attacks against information systems • Lawful interception • G8 CIIP • Data retention • biometrics in visas and residence permit • Cyber crime • EPCIP & Directive • … • Common Foreign and Security Policy • Dual use technology research • Crisis management • External security • … Research and Technology Information and Communication Technologies FP7 - ICT and Security research; Competitiveness and Innovation Programme; …

  4. PROSECUTE PREVENT NETWORK & INFO SECURITY CYBERCRIME & TERRORISM Hacking ID theft Intrusion Data retention PRIVACY AND DATA PROTECTION PROTECT Three angles for actions on NIS Policy

  5. Network and Information Security (NIS)The EU Policy Framework • 2004: Establishment of the European Network and Information Security Agency - ENISA • 2006: European Commission Strategy for a Secure Information Society - COM(2006)251 • 2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01] • 2008: Extension of ENISA’smandate and launch of a debate on increased NIS • Mar 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP - • Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security • Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01] • May 2010: Adoption of the European Digital Agenda • H2 2010: Commission’s proposal for a modernized NIS Policy in the EU (tentative)

  6. ENISA • European Network and Information Security Agency (ENISA) • Establishedin March 2004 for 5 years • Main objective: assist the Commission and the MS, and in consequence cooperate with the business community, in order to help them to enhance Network and Information Security • Key tasks: collect information, risk analysis; develop ‘common methodologies’; contribute to raising awareness; promote ‘best practices’ and ‘methods of alert’; enhance cooperation between stakeholders; assist Commission and MS in dialogue with industry; contribute to international cooperation • Mid term evaluation in 2006 + public consultation in 2007 [COM(2007) 285] • Extension for 3 years [EP and Council Regulation n. 1007/2008 of 24/09/2008] until 13/03/2012

  7. NIS Policy and related Regulations • Strategy for a Secure Information Society COM(2006)251 • holistic approach for a comprehensive EU-wide strategy across “pillars”, related policy and regulatoryinitiatives • “voluntary” activities stakeholders via dialogue, partnershipandempowerment • reinforce ENISA’s role in implementing the policy • importance of “resilience” strategy for CIIP, i.e. the ability to deal with unexpected events • Council Resolution 2007/C 68/01 on a Strategy for a Secure Information Society in Europe of 22 March 2007 • Endorses the key elements of the strategy, including the focus on resilience and the key role of ENISA • Other policy initiatives related to NIS • fighting against spam, spyware and malware [COM(2006)688] • promoting data protection by PET [COM(2007)228] • fighting against cyber crime [COM(2007)267] • new Safer Internet Programme [COM(2008) 106] • …

  8. PARTNERSHIPgreater awareness &better understandingof the challenges DIALOGUEstructured and multi-stakeholder Open & inclusivemulti-stakeholderdebate EMPOWERMENTcommitment to responsibilitiesof all actors involved COM(2006) 251 – A policy strategy towards a secure Information Society

  9. Network & Information Security (NIS)Facts • Increasing economic and social dependency on ICT vs growing sophistication of threats • Network and Information Security (NIS) is a key enabler for trust and is a shared responsibility. • Global interconnection vs lack of transnational cooperation • Operational responsibility with private sector while public policy responsibility lies with governments • Limited incentives for wide NIS uptake • Fragmentation of NIS regimes and market maturity in MS

  10. Network and Information SecurityChallenges • Make security and resilience the front line of defence of critical ICT infrastructures • Develop a risk management culture in the EU • Identify socio-economic incentives • Promote openness, diversity, interoperability, usability, competition • NIS calls for a global collaborative and operational approach • Build a capability and policy framework for NIS in Europe(e.g. EU early warning system) • Boost policy and operational cooperation (e.g. pan-European security incident exercises)

  11. Part 2 Critical Information Infrastructure Protection (CIIP)

  12. A policy initiative on CIIPMotivations • CII are the nervous system of the Information Society  economic and societal dimension • Liberalisation, deregulation and convergence  complexity / multiplicity of players • Infrastructures are privately owned and operated  accountability vs. control • Ensuring the stability of society and economy is governments’ primary responsibility  governance • CII stretch out well beyond national borders  globalisation • The level of security in any country depends on the level of security put in place outside the national borders  sovereignty • National governments face very similar issues and challenges  scale • The private sector is calling for harmonised rules  market dimension

  13. Communication on CIIP - COM(2009)149High level objectives, scope and approach • High level objectives • Protect Europe fromlarge scale cyber attacks and disruptions • Promote security and resilience culture (first line of defense) & strategy • Tackle cyber attacks & disruptions from a systemic perspective • Means • Enhance the CIIP preparedness and response capabilityin EU • Promote the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures • Foster International cooperation, in particular on Internet stability and resilience • Approach • Build on national and private sector initiatives • Engage public and private sectors • Adopt an all-hazards approach • Be multilateral, open and all inclusive

  14. Communication on CIIP COM(2009)149Specific objectives The 5 specific objectives to be achieved: • Foster cooperation and exchange of good policy practices between MS • Develop a public-private partnership at the European level on security and resilience of CIIs • Enhance incident response capability in the EU • Promote the organisation of national and European exercises on simulated large-scale network security incidents. • Reinforce international cooperation on global issues, in particular on resilience and stability of Internet

  15. CIIP Policy - COM(2009)149The Five Pillars of the CIIP Action Plan • Preparedness and prevention • European Forum for MS to share information & policy practices - EFMS • European Public Private Partnership for Resilience EP3R • Baseline of capabilities and services for National/Governmental CERTs • Detection and response • Development of a European Information Sharing and Alert System – EISAS dedicated to EU citizens and SMEs • Mitigation and recovery • National contingency planning and exercises • Pan-European exercises on large-scale network security incidents • Reinforced cooperation between National/Governmental CERTs • International Cooperation • Define European priorities, principles and guidelines for the long term resilience and stability of the Internet • Promote the principles and guidelines at global level • Global cooperation on exercises on large-scale Internet incidents • Definition of criteria for the identification of European Critical Infrastructures in the ICT sector

  16. Ministerial Conference on CIIP27-28 April 2009, Tallinn, Estonia Presidency conclusions • “There is an urgent need for Member States and all stakeholders to commit themselves to swift actionin order to enhance the level of preparedness, security and resilience of Critical Information Infrastructures throughout the European Union” • “The Communication by the European Commission on Critical Information Infrastructure Protection furnishes a solid basis for taking such urgent action as is necessary” • See the Presidency Conclusions of the Ministerial Conference on CIIP Tallinn (EE), 27-28 April 2009 at: http://www.tallinnciip.eu/doc/EU_Presidency_Conclusions_Tallinn_CIIP_Conference.pdf

  17. Council Resolution of 18 December 2009 on a collaborative European approach to NIS • The Council resolution invites Member States to: • Organise national exercises and participate to European exercises • Create CERTs and reinforce cooperation between national CERTs • Increase efforts on education, training and research programmes • Jointly react to cross-border incidents • The Council resolution invites the European Commission to: • Initiate an awareness raising campaign with ENISA regarding the importance of appropriate risk management • Identify incentives for providers of electronic communications • Encourage and improve multi-stakeholder models • Come forward with a holistic strategy on NIS including proposals for a reinforced and flexible mandate for ENISA • Analyse in which areas further cooperation between CERTs is called for • The Council resolution calls on ENISA to: • Support the implementation of NIS policies + CIIP Action Plan • Develop a framework of statistical data on the state of NISin Europe

  18. The CIIP Action plan State of Play of the Implementation 31 March 2009 1st thematic workshop on EU policy dimension of vulnerability management and disclosure process (report on the web) 16 June 2009 1st EFMS meeting 17 June 2009 1st EP3R workshop (report on the web) June – Sept 2009 Informal consultation with MS on EU principles for Internet resilience & stability Sept – Oct 2009 Informal consultation with trade associations and individual companies on EP3R (e.g. DigitalEurope, ETNO, ETIS, Euro-IX, GSMA, EOS, BSA, Internet Security Alliance, and TechAmerica) 12-13 Nov 2009 Follow-up Workshops on EFMS and EP3R 30 March 2010 Third EFMS meeting 29-30 June 2010 EFMS & EP3R meeting On-going Studies & projects ENISA activities in support to the Commission NIS/CIIP policy and CIIP Action Plan

  19. Web Sites • EU policy on promoting a secure Information Society http://ec.europa.eu/information_society/policy/nis/index_en.htm • EU policy on Critical Information Infrastructure Protection – CIIP http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm • Report on the public consultation “Towards a Strengthened Network and Information Security Policy in Europe” http://ec.europa.eu/information_society/policy/nis/nis_public_consultation/index_en.htm • The reformed Telecom Regulatory Framework - November 2009 http://ec.europa.eu/information_society/policy/ecomm/tomorrow/index_en.htm • Research activities and projects funded under the FP7 ICT Security:http://cordis.europa.eu/fp7/ict/security/home_en.html

  20. Links to EU Policy Document • Communication of the European Commission on a Strategy for a Secure Information Society [COM(2006)251] of 31.5.2006 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0251:FIN:EN:PDF • Council Resolution on a Strategy for a Secure Information Society in Europe[2007/C 68/01] of 22.03.2007http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF • Communication of the European Commission on Critical Information Infrastructure Protection - "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience " [COM(2009)149] of 30.3.2009http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF • Council Resolution on a collaborative European approach to Network and Information security [2009/C 321/01] of 18.12.2009http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF • Communication of the European Commission on Fighting spam, spyware and malicious software [COM(2006)688] http://eur-lex.europa.eu/Result.do?T1=V5&T2=2006&T3=688&RechType=RECH_naturel&Submit=Search

  21. EU Policy on NIS and CIIP Thanks!

More Related