EuroWire July 2011


Inspiring People. Shaping the Future.

WASHINGTON, DC: 1101 New York Avenue, NW, Suite 901, Washington, DC 20005 USA. Contact: Tyson Barker. E-mail: tyson.barker@bertelsmann-foundation.org. Tel: (+1) 202.384.1993. www.bertelsmann-foundation.org

BRUSSELS: Résidence Palace, Rue de la Loi 155, 1040 Brussels, Belgium. Contact: Thomas Fischer. E-mail: thomas.fischer@bertelsmann-stiftung.de. Tel: (+32 2) 280.2830. www.bertelsmann-stiftung.de/brussels

EuroWire is a joint publication of the Bertelsmann Foundation offices in Washington, DC and Brussels. It connects Capitol Hill to European Union policy and politics and contributes to a common trans-Atlantic political culture. EuroWire is an occasional publication that highlights issues, legislation and policymakers relevant to the Congressional legislative cycle. This publication looks at the European Union from the point of view of Capitol Hill staffers and offers timely operational analysis.

The Growing Pains in EU Cyber Security Policy

KEY POINTS

• The EU has been slow to put together a comprehensive approach to cyber security. The Commission and ENISA are the chief interlocutors for cyber policy and work closely with European member-states.
• Within the EU, the big three member-states (France, Germany and the UK) have begun to establish national cyber security doctrines in the face of mounting threats.
• US President Barack Obama and EU President José Manuel Barroso announced the creation of a working group on cyber security at the US-EU Summit in Lisbon in November 2010.

From the 2007 wave of distributed denial of service (DDoS) attacks to hit Estonia to the 2008 Russian cyber attacks on Georgia during the brief South Ossetian war, Europe has become a primary theatre for cyber warfare. It has also emerged as a primary target of e-espionage, cyber crime, fraud, and “hacktivism”.

Ratification of the 2001 Budapest Convention on cyber crime, the only internationally binding agreement on cyber security issues, by all 27 member-states has been slow. Eight member-states (Austria, the Czech Republic, Greece, Ireland, Luxembourg, Malta, Sweden and Poland) have been reluctant to sign due to concerns about data protection and privacy, among other issues.

The EU is laboriously attempting to stitch together a holistic approach to cyber security to address these challenges. But despite the interconnectedness of European critical information infrastructure (CII) and the increasing sophistication of attacks, the common issues faced by member-states have yet to lead to a unified approach.

The Commission has nevertheless taken some tangible steps forward to craft a pan-European policy. Charged with leading that effort, Home Affairs Commissioner Cecilia Malmström and Digital Agenda Commissioner Neelie Kroes are pasting together an EU strategy. In addition, the Commission in 2010 implemented a Digital Agenda for Europe that includes actions to improve Europe’s capability to prevent, detect and respond to network and information-security problems. In accordance with the agenda, Kroes’ team established in June 2011 the first full-scale computer emergency response pre-configuration team (CERT) for EU institutions.

The European Network and Information Security Agency (ENISA), created in 2004 under EC Directive No. 460/2004 as an advisory body for member-states and EU institutions on network and information-security issues, has rapidly established itself as an actor in the European cyber security community. ENISA saw its mandate extended by the Council after overseeing in November 2010 the coordination of the first pan-European cyber security exercises. But the agency has come under criticism for its location on Crete, a distant 1,500 miles (2,500 kilometers) from Brussels, making it hard to attract qualified IT personnel. With a staff of 65, ENISA has an exceptionally small number of people relative to the breadth of its programs and responsibilities.

On the military side, NATO early on considered cyber attacks among the greatest security threats to the developed world. The alliance’s new strategic concept, adopted at the Lisbon summit in November 2010, emphasized a desperate need to be able to respond to such attacks. The organization was one of the first to recognize the need for greater flexibility in the new strategic environment following the cyber attacks on Estonia. Cooperation between NATO and the EU, however, has been unsatisfactory, according to many observers.

The US also plays an important role in Europe’s evolving cyber policy, one that many Europeans would like to see expand. During the Lisbon summit, US and EU leaders announced the creation of a joint working group on cyber security. Key subjects for this trans-Atlantic body will be “incident management response capabilities, immediate joint awareness raising activities, cooperation to remove child pornography from the Internet” and advancing the Council of Europe’s convention on cyber crime. The working group is expected to offer concrete recommendations for enhanced cooperation by the end of this year. In more evidence of trans-Atlantic coordination, US Department of Homeland Security Secretary Janet Napolitano travelled to Hungary in April 2011 to meet with Commissioners Malmström and Kroes to reiterate shared commitments to combat global Internet security.

ABOUT THE BERTELSMANN FOUNDATION: The Bertelsmann Foundation is a private, nonpartisan operating foundation, working to promote and strengthen trans-Atlantic cooperation. Serving as a platform for open dialogue among key stakeholders, the Foundation develops practical policy recommendations on issues central to successful development of both sides of the ocean. ©Copyright 2011, Bertelsmann Foundation. All rights reserved.

Cyber Security Strategy Development in the EU’s Big Three


France

In June 2008, France issued a white paper on security and defense that for the first time prioritized cyber attacks as a threat to national security. The following year Paris took additional steps to implement cyber policy with the creation of the Network and Information Security Agency (ANSSI), which serves as the national authority for cyber security. In February 2011, France issued a national strategy for the defense and security of information systems, which rests on four major objectives: being a proactive global leader in the arena, maintaining the balance between freedom and privacy while ensuring rights are protected, reinforcing the cyber security of French national critical infrastructure, and ensuring security in cyberspace.

Main agencies

French Network and Information Security Agency (ANSSI); French Data Protection Authority (CNIL); Telecommunications and Post Office Regulator (ARCEP); Central Office for the Fight Against Crime Related to Information Technology and Communication (OCLCTIC); Internet Usage Delegation (DUI); State Administration Modernization Directorate (DGME)

Major themes of cyber security strategy (as of February 2011)

• proactive global actor on cybersecurity
• maintaining a balance between freedom and privacy while ensuring rights are protected
• reinforcing the cyber security of French national critical infrastructure
• ensuring security in cyberspace

Key figures and positions

• ANSSI Director Patrick Pailloux

Major incidents

• March 2011 “spectacular” attack on the French government in advance of G20 meeting

Germany

Germany released in early 2011 its national cyber security strategy, which stresses enhanced protection of critical infrastructure and IT systems against cyber attacks. The strategy also called for the creation of a national cyber security center, which opened in Bonn on 16 June 2011. The Cyber Defense Center marks Germany’s first major effort to arm itself in the war against cyber attacks and follows the establishment of the UK’s Cyber Security Operations Centre and the US’s Cyber Command Center.

Main agencies

Federal Ministry of the Interior (BMI); Federal Ministry of Economics and Technology (BMWi); Federal Office for Information Security (BSI); Federal Office for Information Technology (BIT); Federal Commissioner for Data Protection and Freedom of Information (BFDI); Federal Network Agency for Gas, Telecommunications, Post and Railway (BNetzA); Federal Criminal Police Office (BKA)

Major themes of cyber security strategy (as of March 2011)

• protection of critical information infrastructure
• private public partnerships
• comprehensive approach highlighting international cooperation with bodies such as NATO, the OSCE, the EU, the UN and the Council of Europe

Key figures and positions

• Federal Commissioner for Information Technology Cornelia Rogall-Grothe

Major incidents

• latest government report states the number of “electronic attacks” on German federal officials in 2010 was 2,108, about 600 more than in the previous year


The United Kingdom

The 2010 UK National Security Strategy names cyber attacks as one of the four most serious threats to the state. London accordingly earmarked £650 million to support a dedicated cyber security program. The UK’s first national Cyber Security Strategy, published in 2009, outlined the need for a coherent approach towards cyber security beginning with the establishment of an Office of Cyber Security and Information Assurance. In May 2011, Prime Minister David Cameron and US President Barack Obama reaffirmed their mutual commitment to tackling cyber security by recognizing that the same “rules of the road” that help maintain international peace, security, and respect for individual rights must apply to cyber space. As the latest signatory to the Convention on Cybercrime (25 May 2011), the UK has increased its efforts to tackle such illicit activity.

Main agencies

Office of Cyber Security and Information Assurance (OCSIA); Centre for the Protection of National Infrastructure (CPNI); Department for Business Innovation and Skills (BIS); Communications Electronics Security Group (CESG); Information Commissioner’s Office (ICO); Cyber Security Operations Centre (CSOC); Serious Organised Crime Agency (SOCA)

Major themes of cyber security strategy (as of June 2009)

• address deficiencies in the UK’s ability to detect and defend itself against cyber attack
• create a new Defense Cyber Operations Group to mainstream cyber security through the Ministry of Defence and integrate it across all defense operations
• address shortcomings in critical cyber infrastructure
• sponsor long-term cyber security research to build and maintain excellence
• new program of cyber security education and skills for the public and businesses to encourage a more preventative approach to cyber security throughout the United Kingdom

Key figures and positions

• Minister for the Cabinet Office Francis Maude
• Minister for Security at the Home Office James Brokenshire

Major incidents

• December 2010 attack on the British foreign ministry

Europe’s Who’s Who on Cyber Security

Neelie Kroes Commissioner for Digital Agenda, European Commission

Sophie in’t Veld MEP, Group of the Alliance of Liberals and Democrats for Europe, Vice Chair, Committee on Civil Liberties, Justice and Home Affairs

Cecilia Malmström Commissioner for Home Affairs, European Commission

Ivailo Kalfin MEP, Group of the Progressive Alliance of Socialists and Democrats; Vice Chair, Committee on Budgets, European Parliament

Catherine Ashton High Representative for Foreign Affairs and Security Policy

Krzysztof Lisek MEP, Group of the European People’s Party; Vice Chair, Subcommittee on Security and Defense


Gilles de Kerchove EU Counterterrorism Coordinator, Council
