"Cybersecurity in Europe and the EU- Russia Co-operation"

Transcription

1 SPEECH/03/185 Mr Erkki Liikanen Member of the European Commission, responsible for Enterprise and the Information Society "Cybersecurity in Europe and the EU- Russia Co-operation" IT Security Russia Conference Moscow, 4 April 2003

2 Ladies and gentlemen, Thank you for inviting me to this conference. It is a pleasure to be here and to exchange views with you on the role of security in information and communication technologies. In this presentation I would like to inform you about the efforts of the European Commission to improve the security of information infrastructures and to combat computer-related crime. The activities related to cybersecurity and cyber-criminality fall in three broad categories: Firstly, we have the legislative framework on telecommunications in place, which includes data protection, Secondly, cybercrime, for which we have policy proposals in progress, Thirdly, activities on network and information security complete the picture. These three categories are related and also have overlaps to a certain degree. We seek to deal with them in a coherent way The risks facing the information society Increasingly we depend on networks and information systems to do business, to communicate with each other, and to control critical infrastructures such as electricity, water, or public transport. The more networks are used for legitimate economic and social purposes, the more potential they offer for illegal activities. It is actually the success of the Information Society that also attracts criminal activities and cyber-vandalism. Damages and disruptions to the emerging new economy need to be prevented and circumscribed. Measures need to be developed which will both reinforce the security of the networks in terms of prevention and help fighting subversive activities. Requirements on security will increase in the future. For instance broadband connections offers always on. This increases the vulnerability of systems if no action is taken. We face the challenging task of developing an effective policy to stimulate cybersecurity and combat cybercrime. Security in the information society concerns everybody: citizens, businesses and public administrations. Cybersecurity initiatives in the European union In the EU, several policy and regulatory proposals have been adopted that are related to these different aspects of cybersecurity. On personal data protection the conditions have been established for the lawful processing of personal data and the rights of the individuals concerned. Directives on electronic signatures and on electronic commerce help the establishment of a single market for electronic commerce by providing conditions for trusted electronic transactions. 2

3 In June 2001 the Commission issued a Communication on Network and Information security. The Communication highlighted the different security threats and outlined the main policy initiatives of the EU. The aim of the Communication was to address the issue of security threats proactively. The focus was on promoting an information security culture, raising awareness, facilitating European co-operation on information security matters and improving the overall security of Europe s information infrastructure. The e-europe action plans Many of the Commission s initiatives concerning security have been part of the e-europe Action Plans. The e-europe 2002 Action Plan has accelerated the development of the information society in the European Union. It has stimulated access to the Internet. One of e-europe s activities focused on electronic signatures. The European Union issued the Electronic Signature Directive, which has established the legal framework for the recognition of electronic signatures. Thereafter, the European Electronic Signature Standardization Initiative (EESSI) was launched to help companies implement the Directive. Its task was to identify the standardization activities necessary to enable electronic signatures and to monitor the implementation of a work programme to meet this need. A new e-europe 2005 Action Plan was adopted last year. This Action Plan aims at increasing the effective use of the Internet. It focuses on stimulating content, services and applications on the basis of a secure, broadband infrastructure that can be accesses from multiple platforms, such as PC, digital TV, and mobile terminals. Governments can make public services more productive and available for all by reorganising themselves for online service delivery in e-government, e-health and e- learning. They can also contribute by promoting a more favourable environment for e-business. The e-europe 2005 Action Plan highlights the importance of network security and the achievement of trust amongst businesses and consumers. Among the key objectives of e-europe are increasing security and promoting trust. The safer internet action plan The European Union also has a coherent approach to the difficult issue of illegal and harmful content on the Internet. One major concern is child pornography. Modern technology unfortunately makes it possible for this to be produced anywhere and immediately made available for download all over the world. This makes international co-operation absolutely vital. While for a long time criminal law was a matter for the Member States, the European Union now has a role in fostering harmonisation and co-operation. This is exemplified by the Council of Europe s Convention on Cybercrime and the European Union's proposed Framework Decision on Child Pornography. The Commission understands that the Russian authorities are taking practical steps to deal with production of child pornography and distribution from sites hosted in Russia on the Internet. 3

4 The Commission has set up a European network of hotlines, under the Safer Internet Action Plan. These hotlines allow members of the public to report illegal content on the Internet, including child pornography. The reports are then passed to police, Internet service providers or to a correspondent hotline. We would welcome the opportunity to discuss ways to improve yet further cooperation in this area, for instance by inviting a Russian representative to the next workshop for police and hotlines which the Commission plans to hold following a successful first event in October last year The network and information security agency In February this year, the Commission proposed the establishment of a Network and Information Security Agency. The proposal is currently under consideration in the European Parliament and in the Council of the European Union. The Agency will build on national efforts to enhance security and to increase the ability to prevent and respond to major network and information security problems. It shall be able to provide assistance in the application of EU measures relating to network and information security, for example to the Computer Emergency Response Teams (CERTs) of our Member states. The activities of the Agency will include advisory and co-ordinating functions, where data on information security is collected an analysed. Awareness raising and co-operation is key in this area. The agency will launch cooperation initiatives between different actors in the information security field, for example to support the development of secure e-business. Participation and involvement of all stakeholders in public-private partnership will be necessary. The Agency will have a supporting role to assess standardisation needs and to develop network and information security concepts. This will be done in close collaboration with industry and building upon their expertise. Concerning international co-operation, the Agency will provide support for the EU s contacts with relevant parties in third countries. The Network and Information Security Agency will ultimately serve as a centre of competence where both Member States and EU Institutions can seek advice on matters relating to security. International cooperation on cybercrime On the Internet, actions undertaken in one location can have effect in countries all over the world. Ideally, there should be a global approach to regulatory issues. In practice, this is not so easy because of widely varying standards among nations in different regions of the world. It is not surprising, that the main fora for development of cybercrime policy are international: the Council of Europe, the G8 and the European Union. In the framework of the Council of Europe, a Cybercrime Convention was negotiated. Apart from all the members of the Council of Europe, which include Russia, there were countries from outside Europe that participated in the negotiations, such as the United States, Canada and Japan. 4

5 The European Commission participated as an observer in the Convention. It was opened for signature at the end of 2001, and it is the first multilateral treaty that seeks to provide an international approach to the problem of cybercrime. The High-tech Crime Subgroup of the G8 has also been active in discussing policy principles for combating computer-related crime. Russia has been an active member of this group and the European Commission participates as an observer. The activities of the G8 have led to principles on combating high-tech crime that were implemented in the G8 Member-States and thus provided a policy role-model for other countries. The 24/7 Network of national points of contact for high-tech crime, an initiative of the G8, has been very helpful in promoting quick international responses to cybercrime incidents. All Member-States of the European Union will join this network. Cybercrime initiatives in the european union When the Treaty of Amsterdam entered into force of in 1999, the European Commission received a mandate to also propose initiatives to combat computerrelated crime. In January 2001, the Commission issued a Communication on Creating a safer Information Society by improving the security of information infrastructures and combating computer-related crime. This communication was sponsored jointly by Commissioner Antonio Vitorino, who is responsible for Justice and Home Affairs, and me. It was the first comprehensive EU policy document on cybercrime. It served as a basis for further discussions and announced a number of legislative and non-legislative initiatives. The framework decision on information systems The main legislative initiative announced in the Communication was a Framework Decision on attacks against information systems. It was proposed a year ago by the European Commission, and will probably be adopted later this month by the Council of the European Union. The Framework decision addresses the most significant forms of criminal activity against information systems, such as illegal access or hacking, spread of malicious code such as viruses and worms, and denial-of-service attacks. It encourages and promotes information security, while ensuring that Europe s law enforcement authorities can take action against these new forms of crime. This approach is complementary to the Network & Information Security Agency: the one deals with prevention of crime, the other with ex-post criminal investigations. The proposal requires the EU Member States to establish in national law the offences of illegal access to an information system and illegal interference with information system. It also contains provisions on liability of legal persons and rules on jurisdiction. Furthermore, the Framework Decision will require the EU Member States to join the existing G8 network of operational points of contact on high tech crime available 24 hours per day, 7 days per week. Russia is already a member of this network. 5

6 The eu forum on cybercrime The main non-legislative initiative announced by the Cybercrime Communication was the establishment of an EU Forum on Cybercrime, in which the relevant stakeholders would have the opportunity to discuss various issues. The task of developing policy to combat cybercrime involves balancing varying societal interests, such as network security, law enforcement powers, privacy protection and economic priorities. Through plenary sessions in Brussels, expert meetings, and a website, the Forum on Cybercrime ensures an open exchange between the various stake-holders. Such an open debate is vital to achieve an effective, coherent and balanced policy approach, and to assure confidence and trust among European citizens in the Information Society. Research projects stimulating cybersecurity Apart from regulatory and standardisation initiatives, the European Union actively promotes R&D on security and dependability of information infrastructures. The 6th framework programme of research and technological development has just been launched. R&D on security and dependability technologies is a key component. This research will stimulate and support the development of knowledge and technologies in areas like cryptography, biometrics, smart cards, and authentication. It also seeks to tackle novel scenarios of mobile network environments, digital identity management, and interdependencies of information infrastructures. Also under the 5 th Framework Programme of Research and Development, significant attention was given to security and dependability. 75 Projects were funded on network and information security, for a total funding of 80 Million Euro. In addition, 16 projects were funded on dependability, for a total funding of 28 Million Euro. This research focused on attack tolerance for largely distributed systems, interdependencies between electrical and telecom grids, stability of cellular networks, and intelligent agents to enhance survivability for large critical infrastructures. The ambient intelligence vision The advent of increasingly sophisticated computational technologies and connectivity through wireless technologies sustains the development of the Information Society towards Ambient Intelligence. In the Ambient Intelligence vision, people would be surrounded by a multitude of embedded systems that provide pervasive computing and communication capability. Imagine an environment where many items are inter-connected and can exchange information: your wristwatch, your clothing, your pacemaker, your refrigerator, and your car. The Ambient Intelligence vision demands innovative security paradigms. This will be necessary for sharing computing resources, ensuring dependability, managing digital assets, protecting privacy, and introducing biometrics. 6

7 These new requirements for cyber security must be reconciled with the public trust and confidence essential in any open society. Along with the pursuit of these advances, the Commission undertakes a careful analysis of social and economic implications related to the deployment of advanced information technology and cybersecurity measures. A dialogue with Russia on telecommunications Application of modern technologies and know-how will increasingly become a crucial element to participating in the worldwide Information Society and developing an efficient economy, not least for Russia. Improvements in infrastructure are needed for economies to develop. Developing and implementing cost-effective telecommunications services is a major challenge that needs to be addressed in the coming years, given the impact of this field on economic growth and integration in practically all sectors of the economy. A modern and liberalised telecommunications industry is important as an industry in itself, and as support for other industries. A clear, pro-competitive regulatory framework on telecommunications, enforced by an independent National Regulatory Authority is key. This will help to attract investment into telecommunications. In light of the EU enlargement process and Russia s ambitions to join the WTO, we are interested to establish a closer co-operation within the field of telecommunications and Information Society. In this context, I would call your attention to our Partnership and Co-operation Agreement, in particular to its subcommittee that covers issues related to telecommunications and the Information Society. I would be interested to further discuss your plans to liberalise the Russian Telecommunications Market. Russia in the ist programme in fp5 In the Information Society Technologies R&D Programme of the European Union, there has been sofar a substantial participation by Russian organisations. Just under 200 organisations from Russia participated in research proposals. 33 Russian organisations were selected in 25 proposals and are in various stages of negotiation and contracting. The total financial volume of joint EU-Russian work in the Information Society Technologies Programme amounts to 58 Million Euro under the Fifth Framework Programme, with 40 Million Euro of EU funding. Other EC-supported activities include the TRISTAN-EAST network of IST contact points in all the Eastern-European countries, the ADMIRE-P partnering activity with the larger Volga region around Nizhny Novgorod, as well as an activity to support the outsourcing of ICT development towards Russia and other NIS countries. In view of the EU-Russia action plan for the Sixth Framework Programme that is being developed following a meeting between Commissioner Busquin and Minister Dondukov, the dialogue has intensified. Two domains were identified in which cooperation could be deepened on the short term: interconnection of EU and Russian research networks, and the use of IST in education. 7

8 Unlike the Fifth framework Programme, the rules for participation for the Sixth Framework Programme allow EU financing of Russian organisations. In addition, FP6 earmarks a specific budget for co-operation with Eastern European countries. We expect that this will result in a steep increase in Russian involvement in the Information Societies Programme of the European Union. Russia and research networking During the EU-Russia Science and technology Subcommittee in Brussels in 2001, Russia was invited to connect to GEANT, the pan European high speed research network. In the context of the research network summit, last year, the IST Programme organised a workshop in Brussels between the main research networking actors in Russia and representatives from the GEANT and GRID projects. The Russian delegation was lead by Deputy Minister of Communication Korotkov, which showed the political importance Russia attaches to this issue. The meeting lead to a blueprint for future direct connection of Russia from St. Petersburg and Moscow to the GEANT network. Conclusion In conclusion, I would like to say that I am pleased with the active dialogue with Russia on cybersecurity and cybercrime issues at several fronts: in the G8, in the Council of Europe and in bilateral discussions. I would like to maintain these discussions and expand them whenever appropriate. I am also pleased with the participation of Russian industry and organisations in the Information Society Programme. Now that the rules for participation have become more favourable and the budget for participation by Eastern European countries has been expanded, this co-operation between organisations from Russia and the European Union is likely to increase. Thank you for your attention. 8