The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Transcription

1 The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

2 What is at stake with CIIs The World Economic Forum estimated in 2008 that there is a 10 to 20% probability of a major CII breakdown in the next 10 years, with a potential global economic cost of approximately $250 billion The US Business Roundtable in 2007 suggested that the economic costs of a month-long Internet disruption to the United States alone could be more than $200 billion. According to OECD report on Malicious software, the estimated annual loss to United States businesses caused by malware is USD 67.2 billion The macroeconomic costs of a major disruption to Switzerland, having an annual GDP of CHF 482 billion (EUR 317 billion) are estimated at CHF 6 billion (EUR 3.9 billion), i.e. 1.2% of GDP

3 Are large scale cyber attacks & disruptions real or science fiction? Few recent large scale events DDoS attacks on Estonian networks (April-May 2007) Defacement attacks on more than 300 private and official sites in Lithuania (June-July 2008) Three major cables cuts in the Mediterranean (January, February and December 2008) Lowering entry barriers for malicious attackers According to UK House of Lords report on Personal Internet Security, the competition to supply botnets has decreased the cost of renting a platform for spamming to around 3-7 US cents per zombie per week One report averaged the weekly rental rate for a botnet at USD per bots.

4 Communication on CIIP - COM(2009)149 Objectives and scope High level objectives Protect Europe from large scale cyber attacks and disruptions Promote security and resilience culture (first line of defence) & strategy Tackle cyber attacks & disruptions from a systemic perspective Means Enhance the CIIP preparedness and response capability in EU Promote the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures Foster International cooperation, in particular on Internet stability and resilience Approach Build on national and private sector initiatives Engage public and private sectors Adopt an all-hazards approach Be multilateral, open and all inclusive

5 Communication on CIIP COM(2009)149 Specific objectives The 5 specific objectives to be achieved: 1. Foster cooperation and exchange of good policy practices between MS 2. Develop a public-private partnership at the European level on security and resilience of CIIs 3. Enhance incident response capability in the EU 4. Promote the organisation of national and European exercises on simulated largescale network security incidents. 5. Reinforce international cooperation on global issues, in particular on resilience and stability of Internet

6 The CIIP Action Plan 1. Preparedness and prevention Baseline of capabilities and services for pan-european cooperation between National/Governmental CERTs Target: End of 2010 for agreeing on minimum standards End of 2011 for well functioning National/Gov CERTs in all Member States European Public Private Partnership for Resilience (EP3R) Target: End of 2009 for a roadmap and plan for EP3R Mid of 2010 for establishing EP3R End of 2010 for the first results European Forum for information sharing between Member States Target: End of 2009 for launching the Forum End of 2010 for delivering the first results With the support of ENISA and building upon its activities

7 The CIIP Action Plan 2. Detection and response Development and deployment of European Information Sharing and Alert System (EISAS) The Commission financially supports two complementary prototyping projects ENISA is called upon to take stock of results and produce a roadmap to further develop and deploy EISAS Target: End of 2010 for completing the prototyping projects End of 2010 for the roadmap

8 The CIIP Action Plan 3. Mitigation and recovery National contingency planning and exercises National/Governmental CERTs/CSIRTs to take the lead in national contingency planning exercises and testing Target: End of 2010 for running a national exercise in every MS Pan-European exercises on large-scale network security incidents EC provide some financial support in 2009 Target: End of 2010 for first pan-european exercise End of 2010 for EU participation in international exercises Reinforced cooperation between National/Governmental CERTs Support pan European cooperation also by expanding existing cooperation schemes (like EGC) Target: End of 2010 for doubling the number of national bodies participating in EGC; End of 2010 for ENISA to develop reference materials

9 Internet resilience and stability Define European priorities on long term Internet resilience and stability Target: End of 2010 for EU priorities Define principles and guidelines for Internet resilience and stability at the European level Target: End of 2009 for a roadmap towards the principles & guidelines Target: End of 2010 for agreeing on first drafts ( focusing inter alia on regional remedial actions, mutual assistance agreements, coordinated recovery and continuity strategies, geographical distribution of critical Internet resources, technological safeguards in the architecture and protocols of the Internet, replication and diversity of services and data ) Promote the principles and guidelines for Internet resilience and stability at global level Target: Beginning of 2010 for a roadmap for international cooperation Target: End of 2010 for first drafts of international principles & guidelines ( strategic cooperation with third countries will be developed, notably in Information Society dialogues, as a vehicle to build global consensus ) The CIIP Action Plan 4. International Cooperation (1/2)

10 The CIIP Action Plan 4. International Cooperation (2/2) Global cooperation on exercises on large-scale Internet incidents Practical way to extend at the global level National and pan- European exercises and to build upon regional contingency plans and capabilities Target: End of 2010 to propose a framework and a roadmap

11 The CIIP Action Plan 5. ICT Criteria to identify ECI Continue to develop the criteria for identifying European Critical Infrastructures (ECI) for the ICT sector Process conducted in cooperation with Member States and all relevant stakeholders A 9-month study was launched in June 2009 to support the process Staff Working Paper on criteria is under development Target: First half of 2010 to define the criteria

12 The CIIP Action Plan The role of ENISA ENISA is called to Support the process of defining and agreeing on a baseline of capabilities and services for national/governmental CERTs in support to pan-european cooperation Take stock of the results of the projects aiming the prototyping of EISAS and other national initiatives and produce a roadmap to further progress in the development and deployment of EISAS Support the exchange of good practices between Member States on national contingency planning and exercises Stimulate and support pan-european cooperation between National/Governmental CERTs and develop reference materials

13 A Digital Agenda for Europe-COM(2010)245 The Seven Priority areas for action Every European Digital N. Kroes 1. Creating a Digital Single Market 2. Improving the framework conditions for interoperability between ICT products and services 3. Boosting internet trust and security 4. Guaranteeing the provision of much faster internet access 5. Encouraging investment in research and development 6. Enhancing digital literacy, skills and inclusion 7. Applying ICT to address social challenges such as climate change, rising healthcare costs and the ageing population.

14 Overview of Pillar 3 Trust and Security KA 6 (28) Cybersecurity preparedness Cybercrime Safety and privacy of online content and services 1 ENISA Regulation for mandate and duration 32 Cooperation on cybersecurity 31 Create European Cybercrime center 40 Harmful content hotlines and awareness campaigns 2 ToolBox ENISA EFMS. EP3R.. Observer in Cyberstorm. EPCIIP.. CIIP Conference 33 EU cybersecurity preparedness 39 MS Simulation exercises as of EU platform by National alert platforms by Support for reporting of illegal content 37 Dialogue and selfregulation minors 3 EU institutions CERT Expert Group 38 Network of CERTs by 2012 KA 7 (29) Measures on cyberattacks 35 Implementation of privacy and personal data protection INFSO CdF HOME CdF Others COM CdF Commission action Member States action KA 6 (28) NIS Policy 34 Explore extension of personal data breach notification

15 DAE trust and security actions and CIIP pillars

16 A Triple Play for a modernised ENISA COM(2010) 521 final Knowing better Assist MS and EU Institutions in collecting, analysing and disseminating NIS data (regularly assess NIS in Europe) Working better Provide assistance, support and expertise to the Member States and the European institutions and bodies (cross border issues, detection and response capability, Exercises, etc.) Cooperating better Facilitate cooperation, dialogue and exchange of good practice among public and private stakeholders (risk management, awareness, security of products, networks and services, etc)

17 Web Sites A Digital Agenda for Europe Commission to boost Europe's defences against cyberattacks emlongdetail.cfm?item_id=6190 EU policy on promoting a secure Information Society _en.htm EU policy on Critical Information Infrastructure Protection CIIP egy/activities/ciip/index_en.htm The reformed Telecom Regulatory Framework - November omorrow/index_en.htm