22.9.2010   

EN

Official Journal of the European Union

C 255/98


Opinion of the European Economic and Social Committee on the ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”’

COM(2009) 149 final

(2010/C 255/18)

Rapporteur: Mr McDONOGH

On 30 March 2009, the European Commission decided to consult the European Economic and Social Committee, under Article 262 of the Treaty establishing the European Community, on the

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection ‘Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience’

COM(2009) 149 final.

The Section for Transport, Energy, Infrastructure and the Information Society, which was responsible for preparing the Committee's work on the subject, adopted its opinion on 12 November 2009. The rapporteur was Mr McDonogh.

At its 458th plenary session, held on 16 and 17 December 2009 (meeting of 16 December 2009), the European Economic and Social Committee adopted the following opinion by 179 votes with four abstentions.

1.   Conclusions and recommendations

1.1   The Committee welcomes the communication from the Commission on the action plan for the protection of critical information infrastructures (CIIs) in Europe. The Committee shares the concern of the Commission regarding the vulnerability of Europe to large-scale cyber-attacks, technical failures, man-made attacks and natural disasters, and the enormous damage that could be done to the economy and the welfare of its citizens. We agree with the Commission that urgent action is needed to increase EU coordination and cooperation to address this critical problem. We also agree with the need to rapidly build a comprehensive policy framework for the protection of CIIs.

1.2   The Committee notes the conclusions of the EU Ministerial Conference on Critical Information Infrastructure Protection (CIIP) and is alarmed that Europe is poorly prepared to deal with large-scale cyber-attacks or disruptions to CIIs, because the approaches taken in individual Member States to CII protection are often uneven and inadequately coordinated. It is understood that the evolution of the Internet and a lack of large-systems thinking about the security and resilience of information infrastructures have given rise to the serious situation we are in. However, now that the need for action has been identified, the Committee calls on the Commission to act decisively and without delay to address the problem.

1.3   The Committee supports the high-level ‘five pillar’ action plan outlined in the communication and compliments the Commission on its work; it is extremely difficult to develop an integrated, multi-stakeholder, multi-level approach to enhancing the security and resilience of CIIs, especially when dealing with such a disjointed set of stakeholders and with the complexity of European information infrastructures. It also recognises ENISA's supporting role and contribution in reaching the goals of this Communication.

1.4   The Committee notes that there has been insufficient action by stakeholders to implement Council Resolution 2007/C 68/01 as it relates to the security and resilience of ICT infrastructure (1). The difficulty in developing effective policies for the protection of Europe's most critical information infrastructures is helpful to those who would like to attack CIIs for political or financial reasons. Therefore the Committee would like the Commission to be more assertive about the strong leadership role needed to unify all stakeholders and implement effective measures to protect Europe from possible threats to its critical information infrastructures. The Committee does not believe that the action plan outlined in the communication will deliver the outcomes intended unless responsibility for implementing it is vested in an appropriate regulatory authority.

1.5   The Committee directs the attention of the Commission to previous Opinions by the EESC which commented on the need for a secure information society, Internet security concerns and protection for critical infrastructures.

2.   Recommendations

2.1   The European Union should vest responsibility in an appropriate regulatory authority, including members of the European Agency for Fundamental Rights, to implement effective protection for critical information infrastructures across the EU.

2.2   All Member States should develop a national strategy, a solid policy and regulatory environment, holistic national risk management processes and appropriate preparedness measures and mechanisms. In that respect, each Member State should form a Computer Emergency Response Team (CERT) and affiliate it with the European Governmental Group of CERTs (EGC) (2).

2.3   The Commission should accelerate its work on the establishment of the European Public Private Partnership for Resilience (EP3R) and integrate it with the work of the European Network and Information Security Agency (ENISA) and the European Governmental Group of CERTs (EGC).

2.4   Risk management best practice should inform the Critical Information Infrastructure Protection (CIIP) policy at all levels. In particular, the potential cost of security and resilience failures should be quantified and made known to the relevant responsible stakeholders.

2.5   Financial and other penalties should be imposed on stakeholders who fail to fulfil their responsibilities under a CIIP policy, proportionate to the risk and cost of system failures due to their negligence.

2.6   The responsibility for security and resilience of CIIs should rest most heavily on the large stakeholders – the governments, infrastructure providers and technology suppliers – and they should not be allowed to avoid responsibility by transferring liability to corporate and private consumers.

2.7   Security and resilience must be design imperatives in all information and communication technology (ICT) systems implemented in the EU. We would encourage private CIIP stakeholders to continuously strive for improvement in particular resilience-related areas, e.g. network management, risk management and business continuity.

2.7.1   The setting and policing of best practices and standards should be a fundamental part of any policy to deal with failure prevention, situation response measures and CII recovery.

2.7.2   Priority should be given to the implementation of IPv6 (the latest version of the Internet Protocol, with a vastly larger address space) and DNSSEC (a suite of security extensions that lets resolvers verify the authenticity of Domain Name System data) throughout the Internet in the EU, which would enhance Internet security.

2.8   We encourage public and private stakeholders to work together regularly to test their preparedness and response measures through exercises. We fully support the Commission's suggestion in this Communication to organise the first pan-European exercise by 2010.

2.9   A strong information security industry should be fostered in Europe to match the competency of the very well financed industry in the US. Investment in R&D related to CIIP issues should be increased significantly.

2.10   Funding should be increased for skills development and knowledge and awareness programmes in the area of cyber-security.

2.11   Information and support agencies should be established in every member country to help SMEs and citizens understand and comply with their responsibilities under a CIIP policy.

2.12   In the interest of security, the EU should advance its position on the future of Internet governance (3), which calls for a more multilateral approach that respects the national priorities of the US but also reflects the interests of the European Union. The EU action in this area should include an in-depth appraisal of the interaction between cyber security and respect of civil and private liberties.

3.   Background

3.1   Threat of large-scale cyber-attacks on Critical Information Infrastructures

3.1.1   Critical Information Infrastructures (CIIs) comprise the Information and Communication Technologies (ICTs) which provide the underpinning information and communications platforms for the provision of essential goods and services, including vital societal functions such as power supply, water, transport, banking, health and emergency services.

3.1.2   CIIs are characterised by a high degree of complex systems integration, interdependencies with other infrastructures (e.g. power) and cross-border interconnectedness. These elaborate infrastructures are therefore exposed to numerous risks, which could give rise to catastrophic systems failure affecting critical societal services in multiple Member States. The risks arise from human error, technical failure, man-made attacks (including criminal and politically motivated attacks) and natural disasters. Risk analysis shows the shortcomings of such systems and at the same time reveals the possibility of controlling these systems through practices which, intentionally or not, are detrimental to civil and private liberties. The Commission is obliged to ensure that fundamental rights are respected when drawing up Community legislation.

3.1.3   Governments and the providers of vital services do not publicize security and resilience failures unless they have to. Even so, there have been numerous public examples of the threat to critical infrastructure from security and resilience failures in CIIs:

There were large-scale cyber-attacks in Estonia, Lithuania and Georgia in 2007 and 2008.

Breaks in transcontinental submarine cables in the Mediterranean and the Persian Gulf in 2008 affected Internet traffic in many countries.

In April 2009 US national security officials advised that ‘cyberspies’ had penetrated the US electrical grid and left behind software programs that could be used to disrupt the system.

In July 2009, the US and South Korea had to deal with a very public denial-of-service attack (involving 100 000-200 000 ‘zombie’ PCs), which affected numerous government websites.

3.1.4   The problem is greatly exacerbated by the malicious intent of criminal gangs and the use of cyber warfare for political motives.

By exploiting weaknesses in the operating systems of personal computers connected to the Internet, criminal gangs have created botnets – PCs networked by malware (malicious software) into a single virtual computer at the command of the criminals (the individual machines are known as ‘zombies’ or ‘drones’). These botnets are used for a variety of criminal activities, and to support large-scale cyber-attacks by terrorists and by governments engaged in cyber warfare, who ‘lease’ the use of the botnets from the criminals. It is believed that one such botnet, built by the ‘Conficker’ worm, has more than 5 million PCs at its disposal.

3.1.5   The economic cost of CIIs failure could be extremely high. The World Economic Forum has estimated that there is a 10-20 % probability of a major CII breakdown in the next 10 years, with a potential global cost of $250 billion and thousands of lives.

3.2   Problem of Preparedness, Security and Resilience

3.2.1   The Internet is the primary platform supporting much of Europe's CIIs. The architecture of the Internet is based on the interconnection of millions of computers, with processing, communications and control distributed globally. This distributed architecture is key to making the Internet stable and resilient, with fast recovery of traffic flows whenever a problem arises. However, it also means that large-scale cyber-attacks can be launched from the edge of the network, using botnets for example, by any hooligan with the intent and basic knowledge.

3.2.2   Global communications networks and CIIs involve a high degree of cross-border interconnectivity. So, if there is a low level of security and network resilience in one country it can adversely affect the security and resilience of CIIs in all the other countries with which it is interconnected. This international interdependency puts the onus on the EU to have an integrated policy for managing CII security and resilience across the Union.

3.2.3   There is a low level of knowledge and awareness about the risks to CIIs among most stakeholders and in many Member States. Very few countries have a comprehensive policy for managing those risks.

3.2.4   The proposed reforms of the Regulatory Framework for electronic Communications networks and services will strengthen the network operators’ obligations to ensure that appropriate measures are taken to identify risks, guarantee the continuity of services and notify security breaches (4).

3.2.5   The vast majority of the technologies supporting the platform for CIIs are provided by the private sector, and securing proper cooperation to ensure effective protection for CIIs depends heavily on high levels of competency, trust, transparency and communication between all stakeholders – governments, business and consumers.

3.2.6   A multi-stakeholder, multi-level, international approach is essential.

3.3   Five Pillar Action Plan

The Commission proposes a five-pillar action plan to address these challenges:

1.   Preparedness and Prevention: to ensure preparedness at all levels

2.   Detection and Response: to provide adequate early warning mechanisms

3.   Mitigation and Recovery: to reinforce EU defence mechanisms for CIIs

4.   International Cooperation: to promote EU priorities internationally

5.   Criteria for the ICT Sector: to support the implementation of the Directive on the Identification and Designation of European Critical Infrastructures (5)

Specific goals are set under each of these headings with target dates for some extending to end-2011.

4.   Comments

4.1   It will be very difficult to develop and implement an effective strategy for the protection of CIIs by the highly consultative, voluntary and cooperation-based approach outlined in the communication. Given the seriousness and urgency of the challenge, the Committee recommends that the Commission examine the policy being followed in the UK and the US of vesting responsibility and power in an appropriate regulatory authority.

4.2   The Committee agrees with the call of UN General Assembly Resolution 58/199 for the creation of a global culture of cybersecurity and the protection of critical information infrastructures. Given the interdependence between countries for the security and resilience of CIIs – ‘a chain is only as strong as its weakest link’ – it is alarming that only nine Member States have so far established Computer Emergency Response Teams (CERTs) and joined the European Government CERTs Group (EGC). The formation of these teams needs to be pushed up the intergovernmental agenda.

4.3   Stakeholders in EU cyber security include every citizen whose life might depend on vital services. The same citizens have a responsibility to protect their connection to the Internet from attack to the best of their ability. Even more responsible are the technology and service providers of the ICTs that deliver CIIs. It is critical that all stakeholders are appropriately informed about cyber security. It is also important for Europe to have a large number of skilled experts in the field of security and ICT resilience.

4.4   The Committee recommends that every Member State should have an organisation whose job it is to inform, educate and support the SME sector on issues regarding cyber security. The large firms can easily acquire the knowledge they need but SMEs need support.

4.5   Because the provision of CIIs is mostly in the hands of the private sector, it is important that high levels of trust and cooperation are fostered with all companies responsible for CIIs. The EP3R initiative launched by the Commission in June is to be applauded and encouraged. However, the Committee believes that the initiative needs to be supported with legislation to compel cooperation of stakeholders who fail to engage responsibly.

4.6   The discipline of Risk Management exists to help with the kind of problems covered by this paper. The Commission should insist that Risk Management best practices are followed where appropriate within its action plan. In particular, there is great merit in quantifying the risks and costs of failure at each level of the CIIs. When the probability and possible cost of failure is known, then it is easier to motivate stakeholders to take action. It is also easier to hold them financially liable for failing in their responsibilities.

4.7   Large stakeholders attempt to limit their liability by using their market power to force their customers or suppliers to accept terms which indemnify the large company against its proper responsibility, e.g. software licence agreements or ISP interconnect agreements which circumscribe liability for security issues. Such agreements should be illegal and liability should rest with the major actor.

4.8   Security and resilience could and should be designed into every ICT network. As a priority, the topology of network architectures in Member States, and the EU as a whole, should be studied to identify unacceptable concentrations of communications traffic and high-risk network failure points. In particular the high concentration of Internet traffic in a very few Internet Exchange Points (IXP) in some Member States presents an unacceptable risk.
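The topology study recommended in 4.8 can be made concrete. The following Python script is an added example, not part of the Opinion or of any Commission or ENISA tooling: it builds an interconnection graph from a constructed, entirely hypothetical set of peering links (the network names, the two IXPs and the capacities are made up for illustration), then reports for each IXP how much of the total interconnect capacity is attached to it, what fraction of network pairs would lose all connectivity if it failed, and whether it is an articulation point (a node whose removal partitions the graph, found with Tarjan's depth-first algorithm). The flagging threshold is likewise an assumption.

```python
"""Topology risk check: find concentration and single points of failure
in an interconnection graph (added example with constructed data)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample topology: (network_a, network_b, capacity in Gbit/s).
# All names and figures are hypothetical; IXP nodes are prefixed "IXP-".
SAMPLE_LINKS = [
    ("ISP-A", "IXP-Capital", 100),
    ("ISP-B", "IXP-Capital", 100),
    ("ISP-C", "IXP-Capital", 40),
    ("DNS-Op", "IXP-Capital", 10),
    ("ISP-A", "IXP-Regional", 10),
    ("ISP-D", "IXP-Regional", 10),
    ("ISP-C", "ISP-B", 20),  # private interconnect that bypasses both IXPs
]


def build_graph(links):
    """Undirected adjacency dict: {node: {neighbour: capacity}}."""
    graph = defaultdict(dict)
    for a, b, cap in links:
        graph[a][b] = cap
        graph[b][a] = cap
    return dict(graph)


def articulation_points(graph):
    """Tarjan's DFS: nodes whose removal disconnects their component."""
    disc, low, result, timer = {}, {}, set(), [0]

    def dfs(u, parent):
        disc[u] = low[u] = timer[0]
        timer[0] += 1
        children = 0
        for v in graph[u]:
            if v == parent:
                continue
            if v in disc:                      # back edge to an ancestor
                low[u] = min(low[u], disc[v])
            else:
                children += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                # subtree of v cannot climb above u without passing through u
                if parent is not None and low[v] >= disc[u]:
                    result.add(u)
        if parent is None and children > 1:    # root with >1 DFS subtree
            result.add(u)

    for node in graph:
        if node not in disc:
            dfs(node, None)
    return result


def reachable(graph, start, removed):
    """Nodes reachable from `start` once `removed` has been taken out."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen or n == removed:
            continue
        seen.add(n)
        stack.extend(graph[n])
    return seen


def pairs_cut_by(graph, node):
    """Fraction of end-network pairs that lose all connectivity if `node` fails."""
    endpoints = [n for n in graph if n != node and not n.startswith("IXP-")]
    pairs = list(combinations(endpoints, 2))
    if not pairs:
        return 0.0
    cut = sum(1 for a, b in pairs if b not in reachable(graph, a, node))
    return cut / len(pairs)


def capacity_share(graph, node):
    """Share of total interconnect capacity terminating at `node`."""
    total = sum(c for n in graph for c in graph[n].values()) / 2  # each edge counted twice
    return sum(graph[node].values()) / total


def assess(links, threshold=0.5):
    """Per-IXP report; `high_risk` when either metric reaches the (assumed) threshold."""
    graph = build_graph(links)
    aps = articulation_points(graph)
    report = {}
    for node in graph:
        if not node.startswith("IXP-"):
            continue
        share, cut = capacity_share(graph, node), pairs_cut_by(graph, node)
        report[node] = {
            "capacity_share": round(share, 3),
            "pairs_cut": round(cut, 3),
            "articulation_point": node in aps,
            "high_risk": share >= threshold or cut >= threshold,
        }
    return report


if __name__ == "__main__":
    for ixp, metrics in assess(SAMPLE_LINKS).items():
        print(ixp, metrics)
```

On the constructed data the capital IXP carries about 86 % of the interconnect capacity and its failure isolates 80 % of network pairs, so it is flagged; the regional IXP is also an articulation point (it is the only path for ISP-D) but is not flagged, which shows why a single metric is not enough: a study of real topologies would want both concentration and partition effects, and would feed in measured traffic rather than nominal capacity.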

4.9   The Committee also refers the Commission to its comments on COM(2008) 313 final ‘Advancing the Internet – Action Plan for the deployment of Internet Protocol version 6 (IPv6) in Europe’ (6), which highlighted the security benefits from the adoption of IPv6 throughout the EU Internet. We also recommend that DNSSEC technologies be implemented where possible to increase Internet security.

4.10   With the launch of its policy on security in cyberspace, the US is budgeting to spend $40bn in 2009 and 2010 on cyber security. This is a massive injection of funds into the security sector and will see a lot of information technology security firms, including European firms, concentrate their efforts in the US. It will also stimulate the US security companies to become world leaders. It is highly desirable for Europe to have its own state-of-the-art industry competing on a par with American firms, and for the security industry to put sufficient effort and focus into Europe's infrastructural needs. The Committee would ask the Commission to consider how it might counterbalance the massive financial stimulus that the US is providing.

4.11   The Committee supports the recent communication from the Commission on the future of Internet governance (3). The Committee believes that the EU must have a more direct influence on the policies and practices of ICANN (Internet Corporation for Assigned Names and Numbers) and IANA (Internet Assigned Numbers Authority), and that the current unilateral oversight by the US should be replaced with arrangements for multilateral, international accountability.

Brussels, 16 December 2009.

The President of the European Economic and Social Committee

Mario SEPI


(1)  COM(2006) 251.

(2)  http://www.egc-group.org.

(3)  COM(2009) 277 final.

(4)  Articles 13a and 13b in COM(2007) 697 (final) re proposed amendments to Directive 2002/21/EC.

(5)  Council Directive 2008/114/EC.

(6)  OJ C 175 of 28.7.2009, p. 92.