[kictanet] Protecting Critical Information Infrastructures: Something for RECs to think about?

alice alice at apc.org
Mon Mar 30 20:49:15 EAT 2009


*Protecting Critical Information Infrastructures: Frequently Asked 
Questions*

*What are Critical Information Infrastructures?*

_*There is no globally shared definition of Critical Information 
Infrastructures (CII).*_ In its Green Paper on a European Programme for 
Critical Infrastructure Protection 
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2005:0576:FIN:EN:PDF> 
(EPCIP), the European Commission captured the concept of CII as being 
all /"ICT systems that are critical infrastructures for themselves or 
that are essential for the operation of critical infrastructures 
(telecommunications, computers/software, Internet, satellites, etc.)"./ 
In 2008, the OECD defined CII as /"those interconnected information 
systems and networks, the disruption or destruction of which would have 
a serious impact on the health, safety, security, or economic well-being 
of citizens, or on the effective functioning of government or the economy"./

Despite the existing differences in national and international policy 
contexts, what is important is that the notion of CII is conducive to a 
holistic policy perspective on the secure and continuous functioning of 
ICT systems, services, networks and infrastructures (ICT 
infrastructures) of which the Internet is a very important component, 
due to its widespread diffusion and the process of technological 
convergence.

*Why is action at EU level to protect these infrastructures urgently 
needed?*

Cyber attacks have risen to an unprecedented level of sophistication. 
What used to be simple experiments are now turning into sophisticated 
activities performed for profit or political reasons. The recent large 
scale cyber-attacks on Estonia, Lithuania and Georgia are the most 
widely covered examples of a general trend. The huge number of viruses, 
worms and other forms of malware, the expansion of botnets [1] 
and the continuous rise of spam confirms that this is a severe problem.

The high dependence on CII, their cross-border interconnectedness and 
interdependencies with other infrastructures (e.g. energy 
infrastructures), as well as the vulnerabilities and threats they face 
raise the need to address their security and resilience in a systemic 
perspective as the frontline of defence against failures and attacks.

Because of the transnational dimension of this issue, a more integrated 
and coordinated approach throughout the European Union will usefully 
complement and add value to the programmes which are already in place 
within Member States. This will also reinforce the wealth creation 
capabilities of the Single Market.

It is clear that no single "silver bullet" solution will be able to 
provide all the answers, but simply leaving the situation as is will not 
lead to satisfactory results. It is necessary to establish the right 
policy framework – in particular for economic and societal drivers and 
incentives – on the basis of a shared responsibility and cooperation 
amongst all the involved stakeholders. It is vital to promote 
operational/tactical cooperation in the short and medium term (until 
2010-2011) as well as strategic policy discussion for long-term 
scenarios (2012 and beyond). The work must start now in order to prepare 
Europe against large-scale cyber attacks and disruptions.

*How does this initiative relate to the debate around European efforts 
towards an increased and modernised network and information security 
policy?*

The Commission's initiative on Critical Information Infrastructure 
Protection focuses on prevention, preparedness and awareness and defines 
a plan of immediate actions running until 2011 to strengthen the 
security and resilience of CII. The focus and timeframe are consistent 
with the debate launched at the request of the Council and the European 
Parliament to address the challenges and priorities for network and 
information security policy and the most appropriate instruments needed 
at EU level to tackle them beyond 2012. The work conducted and the 
lessons learned under the Commission's proposed action plan will be an 
important contribution to the more general debate on an increased and 
modernised European policy in this area.

*Why is the Commission proposing voluntary rather than binding measures?*

Ensuring the security and resilience of CII requires cooperation between 
public and private actors, which is largely based on trust. A 
non-binding approach will be more effective in steering a dialogue 
through which interested parties can work out the best way to cooperate 
and share best practices. During the consultation process prior to the 
launch of this initiative, Member States' and private sector 
representatives strongly supported the proposed initiative and confirmed 
the need and willingness to cooperate at EU level, as long as this 
remained voluntary.

This does not mean that a binding approach cannot be used to enhance 
the level of security and resilience of CII. Proposals by the European 
Commission to reform the Electronic Communication regulatory package – 
including provisions to strengthen operators’ obligations to ensure that 
appropriate security measures are taken, and those on mandatory security 
breach notification – show that binding measures are considered when it 
is feasible and useful.

Moreover, there is not yet sufficient data on security incidents and 
their impact across the different sectors to define and frame additional 
regulatory measures in a consistent economic and public policy perspective.

*What are the specific objectives of the Critical Information 
Infrastructure Protection initiative?*

The Commission's proposal covers the following objectives:

    * Foster cooperation, exchange of information and transfer of good
      policy practices between Member States via a newly-established
      *European Forum*.
    * Develop a *public-private partnership* at the European level on
      security and resilience of CII to support sharing of information
      and dissemination of good practices between public and private
      stakeholders.
    * Enhance *incident response capability* in the EU by increasing
      national capacities, possibly built on National or Governmental
      Computer Emergency Response Teams/Computer Security Incidents
      Response Teams (CERTs/CSIRTs) as well as by encouraging and
      supporting the European cooperation between these entities with a
      view to facilitate the exchange of information, technical measures
      and good practices.
    * Promote the organisation of *national and European exercises for
      contingency planning and disaster recovery* on simulated
      large-scale network security incidents.
    * Reinforce *international cooperation* on global issues, in
      particular on resilience and stability of the Internet.

*What is the purpose and value of a European Forum for Member States?*

Although there are commonalities among the challenges and the issues 
faced, measures and regimes to ensure the security and resilience of 
CII, as well as the level of expertise and preparedness, differ across 
Member States.

Purely national approaches run the risk of producing fragmentation and 
inefficiency across Europe. Differences in national approaches and the 
lack of systematic cross-border co-operation substantially reduce the 
effectiveness of domestic countermeasures, /inter alia/ because, due to 
the interconnectedness of CII, a low level of security and resilience of 
CII in a country has the potential to increase vulnerabilities and risks 
in other ones.

To overcome this situation a European effort is needed to bring added 
value to national policies and programmes by fostering the development 
of awareness and common understanding of the challenges; stimulating the 
adoption of shared policy objectives and priorities; reinforcing 
cooperation between Member States and integrating national policies in a 
more European and global dimension.

These are the reasons why the Commission has proposed to establish a 
*European Forum* for Member States to share information and good policy 
practices on security and resilience of CII.

*Why a Public-Private Partnership for Resilience (EP3R)?*

Enhancing the security and the resilience of CII poses peculiar 
governance challenges. While Member States remain ultimately responsible 
for defining CII-related policies, their implementation depends on the 
involvement of the private sector, which owns or controls a large number 
of CII. On the other hand, markets do not always provide sufficient 
incentives for the private sector to invest in the protection of CII at 
the level that public authorities would normally demand.

Public-private partnerships (PPPs) have emerged at the national level as 
the reference model to address this governance challenge. However, 
despite the consensus that this approach would also be desirable on the 
EU level, European PPPs have not materialised so far.

PPP at the EU level could play an important role to complement the work 
carried out by Member States at national level – in particular, in areas 
like the exchange/promotion of good policy practices and measures, the 
implementation of cross-border security and resilience measures for CII, 
the adoption of preventive measures and response strategies, etc.

A Europe-wide multi-stakeholder governance framework, which may include 
an enhanced role of ENISA, could foster the involvement of the private 
sector in the definition of strategic European public policy objectives 
as well as operational priorities and measures. The focus would be on 
enhancing the security and resilience of CII and the coordination of 
preventive and response activities.

This framework would bridge the gap between national and EU 
policy-making and operational reality on the ground.

*What will be the remit and the form of the proposed Public-Private 
Partnership?*

The concrete remit of this PPP might initially consist of:

    * Knowledge sharing to deepen the understanding and mastering of
      European challenges for the security and resilience of CII;
    * Identification and dissemination of good baseline practices and
      commonly agreed guidelines and standards for the security and
      resilience of CII.

The work of this PPP should be focused on specific issues and be 
action-oriented. The topics discussed should have a cross-border or 
global dimension.

In terms of form, it is proposed that the setting-up of the *European 
Public Private Partnership for Resilience (EP3R)* would follow a 
step-by-step approach so that, on the one hand, stakeholders would 
discuss and design the necessary building blocks that would best match 
their requirements and, on the other hand, the work on the key 
challenges that require this kind of approach could immediately start. 
The first step of this process is the *workshop on the EU policy 
dimension of vulnerability management and disclosure process* of 31 
March 2009.

*What is the role of the European Network and Information Security 
Agency in this initiative?*

The Commission has called on the European Network and Information 
Security Agency (ENISA) to play a key role in supporting this initiative 
by encouraging dialogue and cooperation between Member States, the 
private sector and other relevant players across Europe, building on the 
findings and results it has already contributed in this area.

*How does this initiative relate to the European Programme on Critical 
Infrastructure Protection and other EU activities in the area of justice 
and home affairs?*

The activities planned in today's Communication are conducted under and 
in parallel to the European Programme for Critical Infrastructure 
Protection (EPCIP 
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0786:FIN:EN:PDF>). 
A key element of EPCIP is the Directive on the identification and 
designation of European Critical Infrastructures 
<http://register.consilium.europa.eu/pdf/en/08/st10/st10934.en08.pdf>, 
which identifies the ICT sector as a future priority sector. One element 
of the CIIP action plan is to further develop the criteria for 
identifying European Critical Infrastructures for the ICT sector which 
will help implement the above mentioned Directive.

The proposed actions are also complementary to existing *third pillar* 
initiatives – e.g. fight against cyber-crime – as envisaged by the 
Council Framework Decision on Attacks Against Information Systems 
adopted in 2005 (2005/222/JHA) 
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32005F0222:EN:NOT>. 
As the CIIP initiative focuses on prevention, preparedness and awareness 
to enhance the intrinsic security and resilience of CII, it does not 
conflict with or duplicate the efforts carried out under the third 
pillar, i.e. by police and judicial cooperation addressing measures to 
prevent, fight and prosecute criminal and terrorist activities targeting 
CII.

*How does the Commission's action plan relate to international efforts 
in this area?*

This initiative takes stock and builds upon recognised international 
principles such as the G8 principles on CIIP 
<http://www.cybersecuritycooperation.org/documents/G8_CIIP_Principles.pdf>, 
the UN General Assembly Resolution 58/199 'Creation of a global culture 
of cybersecurity and the protection of critical information 
infrastructures' 
<http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_58_199.pdf> 
and the recent OECD Recommendation on the Protection of Critical 
Information Infrastructures 
<http://www.oecd.org/dataoecd/1/13/40825404.pdf>.

The initiative complements work conducted by NATO on cyber-security – 
specifically the common policy on cyber defence and the activities of 
the Cyber Defence Management Authority (CDMA), announced by NATO in 
April 2008, as well as the outputs of the NATO's Cooperative Cyber 
Defence Centre of Excellence 
<http://transnet.act.nato.int/WISE/TNCC/CentresofE/CCD> (CCD-COE). NATO 
initiatives are mostly focused on military defence whereas the 
Commission's proposal works to facilitate the coordination and 
cooperation of public and private resources and capabilities across 
Member States.

*Does the action plan include regulatory measures for the Internet?*

The action plan does not propose any measure aimed at regulating the 
Internet. It proposes three complementary activities to enhance the 
resilience and stability of the Internet.

    * The Commission will launch a Europe-wide debate to define EU
      priorities for the long-term resiliency and stability of the
      Internet.
    * The Commission will work with Member States to define appropriate
      principles and guidelines for Internet resilience and stability.
    * The Commission, together with Member States, will develop a
      roadmap to promote these principles and guidelines at the global
      level, building upon strategic cooperation with third countries.

*What is the timing envisaged by the action plan?*

The different actions have different targets and timelines, running from 
2009 until the end of 2011. However, continuous European efforts will 
still be needed beyond 2011. A stock-taking exercise will already be 
conducted at the end of 2010 and lessons learned will be used as an 
input into the debate on the future of Network and Information Security 
beyond 2012.

*How will the Commission monitor the implementation of the action plan?*

The Commission identified in the impact assessment of the Communication 
<http://ec.europa.eu/governance/impact/cia_2009_en.htm> a number of 
indicators for achieving the objectives of the action plan. These 
include the number of meetings and conferences organised at EU level 
with relevance to security and resilience of CII; the agreements on 
common terminology and procedures for the collection and dissemination 
of information on economic impacts of security incidents; the number of 
National/Governmental CERTs participating in the European Governmental 
CERTs Group; the number of international agreements on mutual 
assistance, recovery, and remedial strategies for the resilience and 
stability of the Internet.

http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm

IP/09/494 
<http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/494&format=HTML&aged=0&language=EN&guiLanguage=en> 


------------------------------------------------------------------------

[1] A group of computers, often very large, that malicious hackers have 
brought under their control. While most owners are oblivious to the 
infection, the networks of tens of thousands of computers are used to 
launch spam e-mail campaigns, denial-of-service attacks or online fraud 
schemes.

_______________________________________________
AfrICANN mailing list
AfrICANN at afrinic.net
https://lists.afrinic.net/mailman/listinfo.cgi/africann