CTO-CybersecurityForum-2010-Andrea Glorioso

Presentation Transcript

  • Towards a modernised Network and Information Security policy for the European Union: The EU framework and its relevance to the rest of the world
    Andrea GLORIOSO, European Commission, DG INFSO.A3, [email_address]
  • Network and Information Security (NIS) The EU Policy Framework
    • 2004: Establishment of the European Network and Information Security Agency - ENISA
    • 2006: European Commission Strategy for a Secure Information Society - COM(2006)251
    • 2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]
    • 2008: Extension of ENISA’s mandate and launch of a debate on increased NIS
    • Mar 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP -
    • Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security
    • Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]
    • Dec 2009: EESC Opinion on the Communication on CIIP
    • May 2010: Adoption of the European Digital Agenda
  • Network and Information Security (NIS) The EU Policy Framework
    • 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP -
    • Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security
    • Dec 2009: EESC Opinion on the Communication on CIIP
    • Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]
    • Summer 2010: Commission’s proposal for a modernized NIS Policy in the EU (tentative)
  • Part 1: Network and Information Security policy (NIS)
  • Network and information security (NIS)
    • COM(2001) 298 final - Network and Information Security: Proposal for A European Policy Approach
      • Network and information security is defined as “the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems”
  • A comprehensive EU approach to NIS (diagram: policy areas around the economic, business and social aspects of security in the Information Society)
    • International co-operation: OECD, G8, Council of Europe, UN, ITU, ...
    • Research and Technology: FP7 - ICT and Security research; Competitiveness and Innovation Programme; …
    • Information and Communication Technologies
      • Electronic signature
      • Data protection in electronic communications
      • e-signature, e-ID and e-authentication
      • NIS & CIIP
      • Culture of security
      • ENISA
      • Digital rights management, biometrics, smart cards, IPv6, open source software
    • External security / defence
      • Common Foreign and Security Policy
      • Dual use technology research
      • Crisis management
      • External security
    • Cyber-crime, Internal security
      • Stockholm Programme
      • Framework Decision on attacks against information systems
      • Lawful interception
      • G8 CIIP
      • Data retention
      • Biometrics in visas and residence permits
      • Cyber crime
      • EPCIP & Directive
  • Three angles for actions on NIS Policy (diagram)
    • Three angles: PREVENT, PROTECT, PROSECUTE
    • Policy areas: Network & Information Security; Privacy and Data Protection; Cybercrime & Terrorism
    • Cross-cutting issues shown between the areas: intrusion, hacking, data retention, ID theft
  • COM(2006) 251 - Towards a secure Information Society (diagram)
    • DIALOGUE: structured and multi-stakeholder; open & inclusive multi-stakeholder debate
    • EMPOWERMENT: commitment to responsibilities of all actors involved
    • PARTNERSHIP: greater awareness & better understanding of the challenges
  • NIS Policy and related Regulations
    • Strategy for a Secure Information Society COM(2006)251
      • holistic approach for a comprehensive EU-wide strategy across “pillars”, related policy and regulatory initiatives
      • “voluntary” activities of stakeholders via dialogue, partnership and empowerment
      • reinforce ENISA’s role in implementing the policy
      • importance of a “resilience” strategy for CIIP, i.e. the ability to deal with unexpected events
    • Council Resolution 2007/C 68/01 on a Strategy for a Secure Information Society in Europe of 22 March 2007
      • Endorses the key elements of the strategy, including the focus on resilience and the key role of ENISA
    • Other policy initiatives related to NIS
      • Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems
      • fighting against spam, spyware and malware [COM(2006)688]
      • promoting data protection by PET [COM(2007)228]
      • fighting against cyber crime [COM(2007)267]
      • new Safer Internet Programme [COM(2008) 106]
  • European Network and Information Security Agency (ENISA)
    • Established in March 2004 for 5 years
    • Main objective: assist the Commission and the MS, and in consequence cooperate with the business community, in order to help them to meet the requirements of NIS
    • Key tasks: collect information, risk analysis; develop ‘common methodologies’; contribute to raising awareness; promote ‘best practices’ and ‘methods of alert’; enhance cooperation between stakeholders; assist Commission and MS in dialogue with industry; contribute to international cooperation
    • Mid-term evaluation in 2006 + public consultation in 2007 [COM(2007) 285]
    • Extension for 3 years [EP and Council Regulation n. 1007/2008 of 24/09/2008] until 13/03/2012
  • NIS in the revised Regulatory Framework for Telecoms: Security and integrity of networks and services within the Framework Directive
    • New chapter on security and integrity
      • Art 13a, paragraphs 1 & 2 - Providers have to:
        • Take appropriate measures to ensure a level of security appropriate to the risks
        • Prevent/minimise the impact of security incidents on users and interconnected networks
        • Ensure the continuity of supply of services
      • Art 13a, paragraph 3
        • Providers to notify security breaches with significant impact on operations
        • Competent national regulatory authority to inform other EU authorities, ENISA and the public when appropriate
        • Authorities to submit a yearly report to the Commission and ENISA
      • Art 13a, paragraph 4
        • The Commission, taking the utmost account of the opinion of ENISA, may adopt appropriate technical implementing measures with a view to harmonising paragraphs 1, 2 and 3
      • Art 13b - Implementation and enforcement
        • Enhanced powers of the competent national regulatory authority
  • NIS in the revised Regulatory Framework for Telecoms: Amendment to the ePrivacy Directive
    • New provision on personal data breach notification
      • Providers have to notify the breach affecting personal data to:
        • Competent national authority
        • Subscriber or individual when appropriate
  • NIS in the revised Regulatory Framework for Telecoms: Motivations & Timeline
    • Motivations
      • Reliable and secure e-communication is increasingly central to the economy and society (recital 44 of FWD)
      • The new security chapter will stimulate the dialogue between governments and private sector players + give visibility to network security and integrity
      • Breach notification: Getting comprehensive, reliable, up-to-date and comparable data on security incidents is key:
        • To develop a clear understanding of the challenges at stake
        • To feed into effective business decision and policy making
        • To assess the level of security and the success of previously implemented regulatory, organisational and technical measures
    • Role of ENISA
      • To contribute to the harmonisation of appropriate technical and organisational measures (recital 46 FWD)
    • Timeline: Transposition by 25 May 2011
  • Part 2: Critical Information Infrastructure Protection (CIIP)
  • What is at stake with CIIs
    • The World Economic Forum estimated in 2008 that there is a 10 to 20% probability of a major CII breakdown in the next 10 years, with a potential global economic cost of approximately $250 billion
    • The US Business Roundtable in 2007 suggested that the economic costs of a month-long Internet disruption to the United States alone could be more than $200 billion.
    • According to the OECD report on “Malicious software”, the estimated annual loss to United States businesses caused by malware is USD 67.2 billion
    • The macroeconomic costs of a major disruption to Switzerland, which has an annual GDP of CHF 482 billion (EUR 317 billion), are estimated at CHF 6 billion (EUR 3.9 billion), i.e. 1.2% of GDP
  • Communication on CIIP - COM(2009)149: Objectives and scope
    • High level objectives
      • Protect Europe from large scale cyber attacks and disruptions
      • Promote a security and resilience culture (first line of defense) & strategy
      • Tackle cyber attacks & disruptions from a systemic perspective
    • Means
      • Enhance the CIIP preparedness and response capability in the EU
      • Promote the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures
      • Foster international cooperation, in particular on Internet stability and resilience
    • Approach
      • Build on national and private sector initiatives
      • Engage public and private sectors
      • Adopt an all-hazards approach
      • Be multilateral, open and all inclusive
  • Communication on CIIP - COM(2009)149: Specific objectives
    • The 5 specific objectives to be achieved:
      • Foster cooperation and exchange of good policy practices between MS
      • Develop a public-private partnership at the European level on security and resilience of CIIs
      • Enhance incident response capability in the EU
      • Promote the organisation of national and European exercises on simulated large-scale network security incidents.
      • Reinforce international cooperation on global issues, in particular on resilience and stability of Internet
  • Communication on CIIP “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” - COM(2009)149
    • The five pillars of the CIIP Action Plan:
      • Preparedness and prevention
      • Detection and response
      • Mitigation and recovery
      • International Cooperation
      • Criteria for European Critical Infrastructures in the ICT sector
  • CIIP Policy - COM(2009)149: The Five Pillars of the CIIP Action Plan
    • Preparedness and prevention
      • European Forum for MS to share information & policy practices (EFMS)
      • European Public Private Partnership for Resilience (EP3R)
      • Baseline of capabilities and services for National/Governmental CERTs
    • Detection and response
      • Development of a European Information Sharing and Alert System – EISAS dedicated to EU citizens and SMEs
    • Mitigation and recovery
      • National contingency planning and exercises
      • Pan-European exercises on large-scale network security incidents
      • Reinforced cooperation between National/Governmental CERTs
    • International Cooperation
      • Define European priorities, principles and guidelines for the long term resilience and stability of the Internet
      • Promote the principles and guidelines at global level
      • Global cooperation on exercises on large-scale Internet incidents
    • Definition of criteria for the identification of European Critical Infrastructures in the ICT sector
  • The CIIP Action Plan: 1. Preparedness and prevention
    • Baseline of capabilities and services for pan-European cooperation between National/Governmental CERTs
      • Target: End of 2010 for agreeing on minimum standards
      • End of 2011 for well functioning National/Gov CERTs in all Member States
    • European Public Private Partnership for Resilience (EP3R)
      • Target: End of 2009 for a roadmap and plan for EP3R
      • Mid of 2010 for establishing EP3R
      • End of 2010 for the first results
    • European Forum for information sharing between Member States
      • Target: End of 2009 for launching the Forum
      • End of 2010 for delivering the first results
    • With the support of ENISA and building upon its activities
  • The CIIP Action Plan: 3. Mitigation and recovery
    • National contingency planning and exercises
      • National/Governmental CERTs/CSIRTs to take the lead in national contingency planning exercises and testing
      • Target: End of 2010 for running a national exercise in every MS
    • Pan-European exercises on large-scale network security incidents
      • EC provides financial support in 2010
      • Target: End of 2010 for first pan-European exercise
      • End of 2010 for EU participation in international exercises
    • Reinforced cooperation between National/Governmental CERTs
      • Support pan European cooperation also by expanding existing cooperation schemes (like EGC)
      • Target: End of 2010 for doubling the number of national bodies participating in EGC;
      • End of 2010 for ENISA to develop reference materials
  • The CIIP Action Plan: 4. International Cooperation (1/2)
    • Internet resilience and stability
      • Define European priorities on long term Internet resilience and stability
      • Target: End of 2010 for EU priorities
      • Define principles and guidelines for Internet resilience and stability at the European level
      • Target: End of 2009 for a roadmap towards the principles & guidelines
      • Target: End of 2010 for agreeing on first drafts
      • (“focusing inter alia on regional remedial actions, mutual assistance agreements, coordinated recovery and continuity strategies, geographical distribution of critical Internet resources, technological safeguards in the architecture and protocols of the Internet, replication and diversity of services and data”)
      • Promote the principles and guidelines for Internet resilience and stability at global level
      • Target: Beginning of 2010 for a roadmap for international cooperation
      • Target: End of 2010 for first drafts of international principles & guidelines
      • (“strategic cooperation with third countries will be developed, notably in Information Society dialogues, as a vehicle to build global consensus”)
  • The CIIP Action Plan: 4. International Cooperation (2/2)
    • Global cooperation on exercises on large-scale Internet incidents
      • Practical way to extend at the global level National and pan- European exercises and to build upon regional contingency plans and capabilities
      • Target: End of 2010 to propose a framework and a roadmap
  • The CIIP Action Plan: The role of ENISA
    • ENISA is called to
      • Support the process of defining and agreeing on a baseline of capabilities and services for national/Governmental CERTs in support to pan-European cooperation
      • Take stock of the results of the projects aiming the prototyping of EISAS and other national initiatives and produce a roadmap to further progress in the development and deployment of EISAS
      • Support the exchange of good practices between Member States on national contingency planning and exercises
      • Stimulate and support pan-European cooperation between National/Governmental CERTs and develop reference materials
  • Ministerial Conference on CIIP, 27-28 April 2009, Tallinn, Estonia: Presidency conclusions
    • “There is an urgent need for Member States and all stakeholders to commit themselves to swift action in order to enhance the level of preparedness, security and resilience of Critical Information Infrastructures throughout the European Union”
    • “The Communication by the European Commission on Critical Information Infrastructure Protection furnishes a solid basis for taking such urgent action as is necessary”
    • See the Presidency Conclusions of the Ministerial Conference on CIIP Tallinn (EE), 27-28 April 2009 at: http://www.tallinnciip.eu/doc/EU_Presidency_Conclusions_Tallinn_CIIP_Conference.pdf
  • Council Resolution of 18 December 2009 on a collaborative European approach to NIS
    • The Council resolution invites Member States to:
      • Organise national exercises and participate to European exercises
      • Create CERTs and reinforce cooperation between national CERTs
      • Increase efforts on education, training and research programmes
      • Jointly react to cross-border incidents
    • The Council resolution invites the European Commission to:
      • Initiate an awareness raising campaign with ENISA regarding the importance of appropriate risk management
      • Identify incentives for providers of electronic communications
      • Encourage and improve multi-stakeholder models
      • Come forward with a holistic strategy on NIS including proposals for a reinforced and flexible mandate for ENISA
      • Analyse in which areas further cooperation between CERTs is called for
    • The Council resolution calls on ENISA to:
      • Support the implementation of NIS policies + CIIP Action Plan
      • Develop a framework of statistical data on the state of NIS in Europe
  • EU policies on NIS and CIIP: Next step
    • NIS has never been so high on the EU political agenda
    • President Barroso, “Political guidelines for the next Commission”, 3 September 2009:
      • “The next Commission will develop a European Digital Agenda […] to tackle the main obstacles to a genuine digital single market, promote investment in high-speed Internet and avert an unacceptable digital divide. Because of the increasing dependence of our economies and societies on the Internet, a major initiative to boost network security will also be proposed.”
    • 19 May 2010: Adoption of the European Digital Agenda
    • On-going: Implementation of the CIIP Action Plan
    • Summer 2010 (tentative): EC proposals for the future of Network and Information Security in Europe
  • A Digital Agenda for Europe – COM(2010)245: The Seven Priority areas for action (1/3)
    • Creating a Digital Single Market
    • Improving the framework conditions for interoperability between ICT products and services
    • Boosting internet trust and security
    • Guaranteeing the provision of much faster internet access
    • Encouraging investment in research and development
    • Enhancing digital literacy, skills and inclusion
    • Applying ICT to address social challenges such as climate change, rising healthcare costs and the ageing population.
  • A Digital Agenda for Europe – COM(2010)245: Trust and security
    • Key actions:
      • “The Commission will present in 2010 measures aiming at a reinforced and high level Network and Information Security Policy, including legislative initiatives such as a modernised European Network and Information Security Agency (ENISA), and measures allowing faster reactions in the event of cyber attacks, including a CERT for the EU institutions;”
  • A Digital Agenda for Europe – COM(2010)245: Trust and security
    • Key actions:
      • “The Commission will present measures, including legislative initiatives, to combat cyber attacks against information systems by 2010, and related rules on jurisdiction in cyberspace at European and international levels by 2013;”
  • A Digital Agenda for Europe – COM(2010)245: Trust and security
    • Other actions:
      • Establish a European cybercrime platform by 2012;
      • Examine the feasibility by 2011 to create a European cybercrime centre;
      • Work with global stakeholders notably to strengthen global risk management in the digital and in the physical sphere and conduct internationally coordinated targeted actions against computer-based crime and security attacks;
      • Support EU-wide cyber-security preparedness exercises, from 2010;
  • A Digital Agenda for Europe – COM(2010)245: Trust and security
    • Other actions:
      • As part of the modernisation of the EU personal data protection regulatory framework to make it more coherent and legally certain, explore the extension of security breach notification provisions;
      • Give guidance by 2011 for the implementation of the new Telecoms Framework with regard to the protection of individuals' privacy and personal data;
      • Support reporting points for illegal content online and awareness campaigns on online safety for children run at national level and enhance pan-European cooperation and sharing of best practice in this field;
      • Foster multi-stakeholder dialogue and self-regulation of European and global service providers, especially as regards use of their services by minors.
  • A Digital Agenda for Europe – COM(2010)245: Trust and security
    • Member States should:
      • Establish by 2012 a well-functioning network of CERTs at national level covering all of Europe;
      • In cooperation with the Commission carry out large scale attack simulation and test mitigation strategies as of 2010;
      • Fully implement hotlines for reporting offensive or harmful online content, organise awareness raising campaigns on online safety for children, and offer teaching online safety in schools, and encourage providers of online services to implement self-regulatory measures regarding online safety for children by 2013;
      • Set up or adapt national alert platforms to the Europol cybercrime platform, by 2012, starting in 2010.
  • Policies on NIS and CIIP: US-EU cooperation
    • US-EU Summit declaration of 03/11/2009
      • US-EU agreed « to strengthen our cybersecurity dialogue to identify and prioritize areas where we can work together to help build a reliable, resilient, trustworthy digital infrastructure for the future »
    • Recent contacts with
      • White House, DHS, DoS, DoC, and FCC
    • EU Priority areas for cooperation
      • Common principles and approaches in the area of NIS & CIIP Policy
      • Global awareness raising initiatives
      • More effective dialogue and cooperation on NIS on the global scale
      • Global principles and guidelines for the resilience and stability of the Internet
      • International cooperation on exercises to test the capability to respond to large scale Internet incidents
  • The CIIP Action Plan: State of Play of the Implementation
    • 31 March 2009: 1st thematic workshop on the EU policy dimension of vulnerability management and disclosure process (report on the web)
    • 16 June 2009: 1st EFMS meeting
    • 17 June 2009: 1st EP3R workshop (report on the web)
    • June – Sept 2009: Informal consultation with MS on EU principles for Internet resilience & stability
    • Sept – Oct 2009: Informal consultation with trade associations and individual companies on EP3R (e.g. DigitalEurope, ETNO, ETIS, Euro-IX, GSMA, EOS, BSA, Internet Security Alliance, and TechAmerica)
    • 12-13 Nov 2009: Follow-up workshops on EFMS and EP3R
    • 30 March 2010: Third EFMS meeting
    • 29-30 June 2010: EFMS & EP3R meeting
    • On-going: Studies & projects; ENISA activities in support of the Commission NIS/CIIP policy and the CIIP Action Plan
  • EU Policy on NIS and CIIP
    • Thanks!
  • Web Sites
    • EU policy on promoting a secure Information Society http://ec.europa.eu/information_society/policy/nis/index_en.htm
    • EU policy on Critical Information Infrastructure Protection – CIIP http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
    • Presidency Conclusions of the Ministerial Conference on CIIP Tallinn (EE), 27-28 April 2009 http://www.tallinnciip.eu/doc/EU_Presidency_Conclusions_Tallinn_CIIP_Conference.pdf
    • Council Resolution on a collaborative European approach to Network and Information security http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF
    • Report on the public consultation “Towards a Strengthened Network and Information Security Policy in Europe” http://ec.europa.eu/information_society/policy/nis/nis_public_consultation/index_en.htm
    • The reformed Telecom Regulatory Framework - November 2009 http://ec.europa.eu/information_society/policy/ecomm/tomorrow/index_en.htm
  • Links to EU Policy Documents
    • Communication of the European Commission on a Strategy for a Secure Information Society [COM(2006)251] of 31.5.2006 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0251:FIN:EN:PDF
    • Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01] of 22.03.2007 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF
    • Communication of the European Commission on Critical Information Infrastructure Protection - "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" [COM(2009)149] of 30.3.2009 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF
    • Council Resolution on a collaborative European approach to Network and Information security [2009/C 321/01] of 18.12.2009 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF