Slide 1: A strategy for a Secure Information Society – “Dialogue, partnership & empowerment”
COM(2006) 251 & SEC(2006) 656
Andrea SERVIDA, DG INFSO A3 – Internet; network and information security

Notes:
Trust and security constitute an integral part of the i2010 initiative. Hence, there is a need to coordinate efforts at European level in order to develop policies, regulations, technology and awareness to build the trust and confidence of businesses and citizens in electronic communications and services. Achieving the objectives of the Lisbon agenda – that is, creating a competitive, sustainable and socially inclusive Europe – largely depends on the take-up of secure and dependable ICT. ICT and electronic communications networks are becoming ubiquitous in everyday economic and social life. Therefore, their security and availability are of increasing concern to EU citizens. At the same time, problems like spam, viruses and other forms of malware persist.
Slide 2: EU NIS Policy – the history
- 1997: COM(97) 503 on ensuring security & trust in electronic communications
- 1999: Electronic Signature Directive (1999/93/EC)
- 1999: eEurope 2002 Action Plan – smart card & secure access
- 2001: COM(2001) 298, an EU policy on NIS
- 2002 & 2003: Council Resolutions
- 2002: eEurope 2005 Action Plan – a task force proposed
- 2004: ENISA is established
- 2005: the i2010 initiative – a security strategy is announced
- 31 May 2006: COM(2006) 251 is adopted

Notes:
Until the late nineties, network and information security technologies and policy were regarded as domains linked to national security interests and, therefore, within the competence of the Member States. This was particularly true for cryptography and encryption technologies. The situation changed after the adoption, in 1997, of the Commission Communication that highlighted the importance of secure communication and digital signatures for the development of the Information Society. After the Communication of 1997, the main policy developments were the Electronic Signature Directive (1999) and the establishment of ENISA (2004). These key results were made possible by policy initiatives and discussions undertaken in the framework of eEurope.
JB/050103/VR
Slide 3: NIS in the Information Society
Diagram: TRUSTWORTHY, SECURE & RELIABLE ICT at the centre, surrounded by four dimensions: TECHNICAL, ECONOMIC, SOCIAL and LEGAL.

Notes:
Improving NIS in the Information Society does not mean just trustworthy, secure and reliable ICT. It is a complex task for which a number of “technical”, “economic”, “social” and “legal” dimensions and challenges should be considered.
Slide 4: The technical dimension & challenges
- Threat landscape changes: the threat landscape is changing due to profit-motivated attacks
- Convergence of digital services: convergence increases the attack potential
- COTS products and systems: the wide use of COTS (Commercial Off-The-Shelf) products and systems favours the development of a technological “monoculture”, which magnifies the risk of vulnerability exposure
- Interdependent devices and applications: networked and interdependent devices and applications increase the impact of breaches
- Pervasiveness of ICT: the pervasiveness of ICT creates additional (in particular systemic) risks to business and society
Slide 5: The economic dimension & challenges
- Lack of user confidence: this poses obstacles to the uptake of ICT and of ICT-enabled services
- Make the EU ICT industry a competitive supplier: the EU ICT industry must remain an important, innovative and competitive supplier of security technologies (at stake is the strategic issue, in the long term, of the EU’s independent capacity to act)
- Private and public sectors as demanding users: both sectors should become more demanding users of NIS
- NIS industry to become a strategic sector for the EU
- Financial loss due to poor risk preparedness: security breaches cause financial loss because of poor risk preparedness
Slide 6: The social dimension & challenges
- Citizens & consumers may become “vehicles” of attacks: citizens and consumers are not only victims, but they (or rather, their systems) may also become “vehicles/means” to perpetrate attacks
- Societal dependence on ICT: society at large depends on ICT due to the pervasiveness and interconnectivity of critical information infrastructures
- Protection of fundamental rights as a prerequisite for democracy: freedom of speech and the protection of other fundamental rights are a prerequisite for democracy
- Balance between NIS policies and civil liberties: NIS policies and measures shall not put at risk individual rights, freedom of choice and civil liberties
Slide 7: The legal dimension & challenges
- A substantial body of legislation relevant to NIS is already in place:
  - Regulatory framework for eCommunications: security of services, confidentiality of communications, cookies & spyware, anti-spam…
  - Framework Decision on attacks against information systems: hacking, viruses, DoS…
- Need for new legal and/or regulatory measures: any such need shall result from a dialogue with all stakeholders
- New regulatory measures, if needed, would be proposed only as a result of the 2006 Review of the Regulatory Framework for eCommunications
- Proportionality & enforceability of laws: these two principles are major challenges in this area
Slide 8: The key principles … to improve and develop a culture of NIS
The Commission sets out a few principles to guide stakeholders in their activities on improving NIS:
- Technical: promote diversity, openness and interoperability as integral components of security
- Economic: present NIS as a virtue and an opportunity
- Social: individual users need to understand that their home systems are critical for the overall security chain
- Legal: privacy and security are a prerequisite for guaranteeing fundamental rights on-line
Slide 9: The role and challenges for stakeholders
- Public Administrations: to address the security of their own networks and serve as an example of best practice for other players
- Private sector enterprises: to address NIS as an asset and an element of competitive advantage, and not as a “negative” cost
- Individual users: to understand that their home systems are critical for the overall “security chain”
Slide 10: Towards a secure Information Society
Diagram:
- DIALOGUE – structured and multi-stakeholder
- PARTNERSHIP – greater awareness & better understanding of the challenges
- EMPOWERMENT – commitment to the responsibilities of all actors involved
- Open & inclusive multi-stakeholder debate

Notes:
This Communication sets out a strategy to match the need for coordinated efforts and calls, inter alia, for a structured process of consultation and dialogue as well as new partnerships that would span the public and private sectors and individual consumers. An open and inclusive multi-stakeholder dialogue is proposed as the means to develop effective security policies that take into account the complementary roles of the public and private sectors. New partnerships are needed to ensure that all stakeholders work together to promote network and information security. Empowerment of each stakeholder group: governments should be prudent users and suppliers of information society services, as well as setting the framework conditions; the private sector is largely responsible for delivering solutions, services and security products; individual users should be made aware of the risks and of how to protect themselves.
Slide 11: Dialogue
- Benchmark national NIS-related policies: public administrations shall act as ‘intelligent’ users and serve as an example and as best-practice drivers
- Address SMEs as well as individual users: raise awareness and strengthen their capability to counter NIS risks
- Structured multi-stakeholder dialogue: how to exploit existing regulatory instruments to balance security and the protection of fundamental rights; develop a sector-specific policy for the ICT sector to enhance the security and resilience of networks (-> CIIP)
- A Business Summit & a Seminar: stimulate industry commitment to adopt effective approaches to implementing a culture of security in industry
- A Seminar for end-users: raise security awareness and strengthen the trust of end-users
Slide 12: Partnership
- Improve knowledge of the problem: ENISA will be asked to develop a trusted partnership with Member States and stakeholders to create a data collection framework for EU-wide data on security incidents and consumer confidence
- Establish a strategic platform: foster a strategic relationship between governments, businesses and the research community to deliver data on trends in ICT security
- Support response capability: ENISA will be asked to examine the feasibility of a European information sharing and alert system (including a multi-lingual security portal)
Slide 13: Empowerment
Invite Member States to:
- Participate in the benchmarking exercise: proactively participate in the proposed benchmarking exercise of national NIS policies
- Promote awareness campaigns on the virtues and benefits of NIS: promote, in close cooperation with ENISA, awareness campaigns on the virtues, benefits and rewards of adopting effective security technologies, practices and behaviour
- Promote good security practices to other sectors: leverage the roll-out of e-government services to communicate and promote good security practices that could then be extended to other sectors
- Reinforce higher education curricula in NIS: stimulate the development of network and information security programmes as part of higher education curricula
Slide 14: Empowerment (2)
Invite private sector stakeholders to take initiatives to:
- Tackle the issue of responsibilities for software producers and Internet service providers: develop an appropriate definition of responsibilities for software producers and Internet service providers in relation to the provision of adequate and auditable levels of security. Here, support for standardised processes that would meet commonly agreed security standards and best-practice rules is needed.
- Promote diversity, openness, interoperability, usability and competition as key drivers for security, and stimulate the deployment of security-enhancing products, processes and services to prevent and fight ID theft and other privacy-intrusive attacks.
- Disseminate good security practices for network operators, service providers and SMEs as baseline levels for security and business continuity.
- Promote training programmes in the business sector, in particular for SMEs, to provide employees with the knowledge and skills necessary to effectively implement security practices.
- Work towards affordable security certification schemes for products, processes and services that will address EU-specific needs (in particular with respect to privacy).
- Involve the insurance sector in developing appropriate risk management tools and methods to tackle ICT-related risks and foster a culture of risk management in organisations and business (in particular in SMEs).
Slide 15: Conclusions
Meeting future NIS challenges requires the full commitment and contribution of all stakeholders. The proposed policy strategy seeks to achieve this by reinforcing the multi-stakeholder approach. This will build on mutual interests, identify respective roles and develop a dynamic framework for public policy-making and private sector initiatives. The strategy does not stand in a vacuum, as it sets the framework for future European initiatives on NIS. The Commission will report to the Council and Parliament in 2007.