The Institute of International and European Affairs 8 North Great Georges Street, Dublin 1, Ireland

Transcription

1

2 The Institute of International and European Affairs 8 North Great Georges Street, Dublin 1, Ireland Tel: (353) : Fax: (353) reception@iiea.com Cybersecurity: European and domestic responses. April 2013, The Institute of International and European Affairs. The Institute of International and European Affairs grants permission for the reproduction of quotations from this text provided such quotations do not exceed 400 words in length, that they provide the reader with a fair context, and that due acknowledgment of the source is made. As an independent forum, the Institute of International and European Affairs does not express opinions of its own. The views expressed in its publications are solely the responsibility of the authors. Cover designed by Andrew Hegarty, Creative Officer, IIEA Photo by flaviokola,

3 Cybersecurity: European and domestic responses Briefing paper Abstract: This paper provides an overview of the EU s recent legislative proposals on cybersecurity, and examines the evolving role of each of the key European stakeholders in this field. It proceeds to summarise Ireland s current legislative and policy responses to cyber-threats, before outlining the major policy challenges to EU proposals in the medium term.

4 1. EU Cybersecurity Strategy and Proposed Directive on Network and Information Security, 7 February 2013 On 7 February 2013, the European Commission proposed a wide-ranging EU cybersecurity strategy ( An Open, Safe and Secure Cyber-space ) and Directive on Network and Information Security. The proposal was jointly launched by the Commissioner for the Digital Agenda, Neelie Kroes; the Commissioner for Home Affairs, Cecilia Malmström; and the High Representative for Foreign Affairs and Security Policy, Catherine Ashton. The strategy and Directive seek to combat financial fraud, identity theft, child pornography, cyber-attacks and a range of other cyber-crimes and online security threats. They aim to set higher standards of protection for network and information systems, as well as seeking to address the limited levels of cooperation between Member States and EU institutions in combating cyber-crime. The Commission has underlined five key strategic priorities for the proposed reforms: Achieving cyber-resilience Reducing cyber-crime Developing cyber-defence policy and capabilities related to the Common Security and Defence Policy (CSDP) Developing the industrial and technological resources for cybersecurity Establishing a coherent international cyber-space policy for the EU and promoting core EU values 1 The proposed legislation has significant implications for Member States, public administrations, online enterprises and operators of critical infrastructures, including energy, transport, banking, financial services and healthcare. The Directive contains the following specific provisions: Member States will be required to adopt a network and information security (NIS) strategy and designate a national competent NIS authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents. Each Member State will also be required to set up a national Computer Emergency Response Team (CERT) responsible for handling incidents and risks, which would fall under the supervision of the competent NIS authority. 1 European Commission/EEAS Press Release: EU Cybersecurity plan to protect open internet and online freedom and opportunity, 7 February 2013, 1

5 A cooperation mechanism, comprising Member States competent NIS authorities and the Commission, is to be established to share early warnings on risks and incidents, facilitate exchange of information and best practices and organise regular peer reviews. Operators of critical infrastructures in certain sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e- commerce platforms, Internet payment companies, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services to the competent national NIS authority. Significantly, this requirement for market operators and public administrations to report breach notifications is to apply regardless of whether they perform the maintenance of their network and information systems internally or outsource it. Full liability for reporting, therefore, lies with market operators themselves. Market operators and public administrations will be required to undergo audits by a qualified independent body or national authority on their preparedness to handle cybersecurity threats. 2 The European Commission claims that these measures will benefit consumers, citizens, businesses and the European economy as a whole by stimulating increased confidence in digital services and online transactions. 3 In order to do so, however, the proposals must ensure that businesses are not overburdened by new reporting obligations. The UK has raised concerns that these requirements, as against a more ad hoc and voluntary information-sharing system, may have an adverse effect on business confidence. 4 Striking this delicate balance will be a key policy challenge for the EU s proposals as they are scrutinised in the coming months. On a more practical level, the proposals face a degree of time pressure. The strategy and Directive have not yet been formally distributed among the competent European Parliament committees, which are likely to include Civil Liberties, Justice and Home 2 Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union, 7 February 2013, 3 European Commission Memo: Proposed Directive on Network and Information Security frequently asked questions, 7 February 2013, 4 Maude warns on EU cybersecurity plans, Financial Times, 27 March 2013, 2

6 Affairs, Industry Research and Energy, Internal Market and Consumer Protection, and Legal Affairs. With a lead committee and rapporteurs yet to be appointed, and with European Parliament elections approaching in May 2014, it is by no means guaranteed that the proposals will be considered within the term of the current legislature. Timeline 7 February 2013: Launch of EU cybersecurity strategy and Directive on Network and Information Security April/May 2013 (tbc): May 2014: European Parliament committees to debate proposals European Parliament elections [Member States will have 18 months to transpose the Directive into national law after it is adopted by the European Parliament and Council.] 3

7 2. Key European stakeholders on cybersecurity The strategy and Directive set out important implementation roles for relevant EU agencies, a number of which have undergone or are undergoing organisational changes. Coordination among these bodies with regard to tasks and competencies represents a challenge in the implementation of any future legislative reform in this area. European Network and Information Security Agency (ENISA) ENISA commenced operations in September 2005, having been established by a decision of the European Parliament and Council in March It has its headquarters at Heraklion in Crete, Greece and is led by Professor Udo Helmbrecht, Executive Director [Prof. Helmbrecht delivered a keynote address at the IIEA on 12 March 2013]. As a European agency, ENISA is mandated to assist the European Commission, Member States and the business community to respond to and prevent threats to network and information security. Its specific functions include: Advising and assisting the Commission and the Member States on information security and working with industry to address security-related problems in hardware and software products; Collecting and analysing data on security incidents in Europe and emerging risks; Promoting risk assessment and risk management methods to enhance capability to deal with information security threats; Awareness-raising and cooperation between different actors in the information security field, notably by developing public/private partnerships with industry. 5 In the context of the development of the EU s cybersecurity strategy and Directive, an extension of ENISA s existing mandate, which was due to expire on 13 September 2013, is currently under discussion in EU institutions and is close to final approval. The Irish Presidency reached agreement with the Council and European Parliament on a new, extended mandate for ENISA on 1 February 2013, which will aim to strengthen and modernise the agency 6 and extend its existing range of tasks. The new mandate is to last for seven years. 5 ENISA website: 6 Council of the EU Press Release: Council and European Parliament reach agreement on new mandate for the EU Network and Information Security Agency, 1 February 2013, 4

8 The European Parliament's Industry, Research and Energy (ITRE) Committee voted to approve a resolution to this effect, prepared by British MEP Giles Chichester, on 20 February The Parliament voted in full plenary to approve the resolution on 16 April The Council is due to give its final approval in the coming weeks. The updated mandate will include the following provisions: Increased financial/human resources devoted to ENISA. Strengthened governance structure, including a stronger supervisory role for ENISA s Management Board and the establishment of an executive board to ensure more accountability to the European Parliament. A clear mandate to support the establishment and functioning of an expanded European Union Computer Emergency Response Team (*CERT-EU). 7 [See below further information on CERT-EU] The establishment of an operational headquarters in Athens, with administrative functions to remain in Heraklion. *CERT-EU was established on 11 September 2012, following a successful pilot period that lasted for one year. It is mandated to maintain cybersecurity for each of the EU institutions, agencies and bodies, from which it draws its membership. The body convenes ICT security experts from the European Commission, General Secretariat of the Council, European Parliament, Committee of the Regions, and the Economic and Social Committee. It works in close cooperation with Member States national CERTs, as well as with specialised ICT security companies in the private sector. The proposed cybersecurity strategy and Directive also outline aspects of ENISA s expanded role. These include: ENISA is requested to increase its links with Europol and to reinforce links with industry stakeholders in order to identify emerging trends and responses to cyber-crime. 7 European Parliament Press Release: A new mandate for ENISA to face the challenges of network and information security in the EU, 21 February 2013, EN.pdf 5

9 The proposed cooperation mechanism between Member States on network and information security is to be developed in consultation with ENISA; the Agency could assist by developing information exchange mechanisms and templates. 8 Examine in 2013 the feasibility of Computer Security Incident Response Team(s) for Industrial Control Systems (ICS CSIRTs) for the EU. 9 Recent developments A large-scale Distributed Denial of Service (DDoS) attack was reported on 27 March 2013, in which the website of Spamhaus, a non-profit organisation which provides spamfiltering services to businesses, was targeted and brought down by huge amounts of internet traffic. The attack was strong enough to slow down internet speeds across Europe. 10 ENISA published a report of their investigation into the attack, which concludes that internet service providers should implement stronger traffic-filtering techniques. 11 In his address to the IIEA on 12 March 2013, Prof. Udo Helmbrecht, ENISA s Executive Director, underlined the added value of his Agency in fostering an environment in which network and information security is seen as a business model, rather than as an optional add-on. He also highlighted that ENISA has a key role to play in helping Member States to establish clear lines of responsibility and communication in the event of cyber attacks. ENISA published an information note on 13 March 2013, which analyses cyber-attacks launched over recent months against governments and operators of critical infrastructure. It calls on Member States and businesses to take urgent action to address 8 Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, 7 February 2013, Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union, 7 February 2013, 9 Industrial Control Systems is the term applied to electronic systems that control critical infrastructures, including healthcare, energy and banking. ICS-CSIRTs are emergency response teams embedded within organisations working to combat cyber-threats to these systems. 10 Hackers mount widespread cyber attack, Financial Times, 27 March 2013, 11 ENISA Flash Note: Can Recent Attacks Really Threaten Internet Availability?, 12 April 2013, 6

10 security deficiencies, highlights the vulnerability of and existing anti-virus software and underlines the importance of preventative measures against cyber-crime. 12 European Cyber-crime Centre (EC3) EC3 was officially launched on 21 January 2013 to act as the focal point in the fight against cyber-crime in the EU. It is intended to serve as a European information hub on cyber-crime, developing and deploying digital forensic capabilities to support investigations in the EU, building capacity to combat cyber-crime through training and awareness raising, as well as delivering best practice on cyber-crime investigations. 13 On the basis of the recommendation of a Rand Corporation feasibility study commissioned by DG Home Affairs in , EC3 is hosted by Europol, the European law enforcement agency based in The Hague. It is therefore able to draw on Europol s existing infrastructure and law enforcement network. The EU s proposed cybersecurity strategy states that EC3 will gradually serve as a voice for the law enforcement community on cyber-crime issues in its own right. EC3 s mandate covers the following areas: Crimes committed by organised groups to generate large criminal profits, such as online fraud. Crimes which cause serious harm to the victim, such as online child sexual exploitation Crimes affecting critical infrastructure and information systems in the EU 15 A Letter of Intent has been signed between Europol and U.S. Immigration and Customs Enforcement (ICE) within the Department of Homeland Security, in which the two agencies committed to developing ongoing cooperative efforts through support, training, and information-sharing on different areas of cyber-crime. ICE maintains a corresponding Cyber-crime Center (C3) in Washington D.C., which comprises the Cyber-crime Unit, Child Exploitation Investigations Unit and the Computer Forensics Unit. [The IIEA briefing paper Cybersecurity: the Global Picture by Eoin McDonnell contains further information on US and other international efforts to combat cyberthreats.] 12 ENISA Flash Note: Cyber-attacks a new edge for old weapons, 13 March 2013, 13 Europol Press Release: New European Cybercrime Centre Opens at Europol, 21 January 2013, 14 Feasibility Study for a European Cybercrime Centre, RAND Corporation, 2012, 15 Europol website: 7

11 Recent developments On 28 March 2013, 44 members of a global credit card fraud network were arrested in a joint operation coordinated by the Romanian Cyber-crime Unit, in close cooperation with EC3. Illegal electronic equipment, financial data, cloned cards, and cash were seized in a series of investigations in Romania and the UK. 16 On 13 February 2013, EC3 contributed to the dismantling of a large cyber-crime network, based principally in Málaga, Spain. 17 In close cooperation with the Spanish police, 11 arrests were made of persons responsible for the creation, development and international distribution of police ransomware (malware that blocks the victim s computer, accusing him/her of having visited illegal websites and requesting the payment of a fine to unblock it). ENISA/EC3 cooperation The EU s cybersecurity strategy tasks both ENISA and EC3 to identify emerging trends and needs in view of evolving cyber-crime and cybersecurity patterns so as to develop adequate digital forensic tools and technologies. Europol hosted a workshop on October 2012 that focused on cooperation between Computer Emergency Response Teams (CERTs), as coordinated by ENISA, and law enforcement agencies, as represented by EC3. The workshop underlined the need for improved trust and coordination between the technical and law enforcement communities. It recommended measures such as the establishment of liaison roles for CERT and law enforcement representatives in each other s teams and the establishment of automated data-sharing mechanisms. 18 Other stakeholders The cybersecurity strategy requests Eurojust, the EU agency dealing with judicial cooperation in criminal matters, to identify the main obstacles to judicial cooperation on cyber-crime investigations and to coordinate between Member States and with third countries and support the investigation and prosecution of cyber-crime both at the operational and strategic level as well as training activities in the field. Eurojust is also required to cooperate closely with EC3 in order to collectively increase their effectiveness in combating cyber-crime. 16 Europol Press Release: Global Credit Card Fraud Network Dismantled, 28 March 2013, 17 Europol Press Release: Police Dismantle Prolific Ransomware Cyber-criminal Network, 13 February 2013, 18 Final Report of 7 th ENISA-CERT Workshop, 4 January 2013, 8

12 The European Police College (CEPOL) is requested to coordinate the design and planning of training courses to equip law enforcement with the knowledge and expertise to effectively tackle cyber-crime. 19 On 27 March 2013, the European Commission proposed a Regulation to merge CEPOL with Europol, relocating its training operations from the UK to Europol s headquarters in The Hague. EU inter-agency cooperation on cyber-crime: L a w enforcement; investigation; data-gathering! Cyber-crime training for law enforcement officials! Technical assistance for M e m b e r States/EU; risk assessment; data analysis! Judicial cooperation on cyber-crime investigation and prosecution! 19 Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, 7 February 2013, 9

13 3. Ireland s existing activities on cybersecurity Legislative framework Ireland is a signatory to the 2001 Council of Europe Convention on Cyber-crime (the Budapest Convention ), but has yet to ratify it. The Budapest Convention is the first international treaty to provide a model for international cooperation in combating cybercrime. The new EU strategy seeks to build upon this and other existing international legal instruments, and urges Member States to ratify it as early as possible. Domestically, certain cyber-crime offences are contained in the Criminal Justice Act 1991 and the Criminal Justice (Theft and Fraud Offences) Act These acts broadly frame cyber-crime as a form of criminal damage, whereby personal data is interpreted as a form of property. 20 These acts outlaw unauthorised access to a computer, damage to personal data and dishonest operation of a computer for personal gain; forms of cyber-crime which evade these categories are arguably not covered by existing legislation (e.g. denial of service attacks). 21 With regard to data privacy, the relevant Irish law is contained in the Data Protection Acts 1988 and In line with European legislation, these acts state that personal data (both electronic and on paper) must be obtained, processed and used by data controllers fairly and for specified, explicit and legitimate purposes. The Data Protection Acts also provide for appropriate security measures to be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. 22 Ireland has not yet published a national cybersecurity strategy. A report published by ENISA in May 2012 notes that only ten EU Member States had published strategies at its time of writing: Estonia, Finland, Slovakia, Czech Republic, France, Germany, Lithuania, Luxembourg, the Netherlands, and the UK Criminal Justice Act 1991, 21 T.J. McIntyre, Computer Crime in Ireland: A Critical Assessment of the Substantive Law, Irish Criminal Law Journal, Vol. 15, No. 1, Data Protection (Amendment) Act 2003, 23 ENISA report: National Cyber Security Strategies: Setting the Course for National Efforts to Strengthen Security in Cyberspace, 8 May 2012, 10

14 Policing Ireland s work in combating cyber-crime is led by the Computer Crime Investigation Unit (CCIU), which sits within the Fraud Investigation Division of An Garda Síochána. CCIU employs approximately fifteen full-time staff of Detective Garda grade or higher, as well as a small number of detectives on secondment from the Paedophile Investigation Unit (PIU). CCIU provides forensic and investigative support to local policing units and has responsibility for investigating high-tech crime in Ireland. The Unit participates in an information-sharing and analysis forum with retail banks based in Ireland and internet service providers, and is in the process of developing a similar forum for telecommunications stakeholders. The Unit also acts as the point of contact for Interpol and Europol, with which it coordinates on alerts and requests for assistance. The CCIU maintains a close relationship with the Centre for Cybersecurity and Cybercrime Investigation (CCI) at University College Dublin (UCD). The two organisations have worked closely together since 1997, and are partners in European Commissionfunded projects to develop training for law enforcement officers in cyber-crime investigation and digital forensics. UCD CCI staff provide operational support and training to the CCIU. The CCIU currently sits on the board of the European Cyber-crime Training and Education Group (ECTEG). 24 Government Ireland s governmental response to cybersecurity is coordinated by the Department of Communications, Energy and Natural Resources (DCENR). DCENR works closely with various other government stakeholders in this area, including the Department of Defence, Defence Forces, the Department of Foreign Affairs and Trade and the Department of Justice and Equality. 24 Feasibility Study for a European Cybercrime Centre, Rand Corporation, 2012, 11

15 4. Conclusions Large-scale cyber-attacks reported in March 2013, which slowed down internet traffic across Europe and temporarily brought down the website of a large non-profit organisation, demonstrate the potential impact of targeted cyber-crime for Member States, businesses and citizens. 25 The EU s proposed cybersecurity strategy and Directive attempt to set out a coordinated response to these kinds of incidents, along with potentially even more damaging attacks on financial institutions, healthcare providers and other sections of critical infrastructure. The proposals cut across a number of policy areas, from security and defence to criminal justice and home affairs. In the medium term, and in addition to the time constraint posed by European Parliament elections in May 2014, the proposals face three major challenges as they are discussed in EU institutions in the coming months. Firstly, they must maintain a balance between ensuring that consumers are adequately protected and satisfying the needs of businesses and the private sector as a whole. As they stand, the proposals place a considerable burden on market operators, obliging them to report all significant threats even if responsibility for network security is outsourced. Should market operators feel that these obligations place an excessive burden on their activities, the proposals are unlikely to be finalised in their current form. Secondly, the proposals will require a significant effort of coordination among the agencies and institutions currently operating in the field of cybersecurity. As the range of bodies described in this paper illustrates, there are already a large number of organisations carrying out law enforcement, advisory and technical functions in the EU. Ensuring that these efforts are complementary, particularly between the newly-formed European Cyber-crime Centre (EC3) and the newly-mandated ENISA, will be a key factor in the success of any future legislation. Thirdly, the proposals will require a significant level of commitment on the part of Member States. As stated earlier in this paper, the majority of EU members have not yet adopted national cybersecurity strategies. The success of the proposed reforms will rely in large part on concerted action by national legislatures. 25 Global Internet Slows After Biggest Attack in History, BBC News, 27 March 2013, 12