Protecting Europe from large scale cyber-attacks and disruptions
Our daily activities, both private and professional, are more and more dependent on Information and Communication Technologies (ICTs). The protection of Critical Information Infrastructures (CIIs) from large scale cyber-attacks and disruptions therefore represents a major challenge for European society and its economy.
Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 30 March 2009 on Critical Information Infrastructure Protection - “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” [COM(2009) 149 final - Not published in the Official Journal].
This Communication gives details of the main challenges facing critical information infrastructures (CIIs) and proposes an action plan aimed at increasing their protection.
Critical information infrastructures are vital for the economic and societal growth of the European Union (EU).
The risks to critical information infrastructures are constantly increasing. This is demonstrated by the growing misuse of computer technology: viruses, worms and other malware, botnets and spam.
The sophistication of cyber-attacks, the complexity of infrastructures and their interdependency contribute to the increasing risk.
Moreover, the level of awareness across stakeholders is not always sufficient to devise effective safeguards and countermeasures.
Another weakness lies in the lack of coordination between national approaches to the security and resilience of CIIs, as well as disparate levels of skill and preparedness. The result is fragmentation and inefficiency across Europe.
While Member States remain ultimately responsible for defining CII-related policies, their implementation depends on the involvement of the private sector, which owns or controls a large number of CIIs. Furthermore, markets do not always provide sufficient incentives for the private sector to invest in the protection of CIIs at the level that governments would normally demand.
Governance mechanisms will be truly effective only if all participants have information to act upon. With regard to security incidents, reliable information sharing between Member States is still at an informal stage or forms part of bilateral exchanges. In addition, cyber-security exercises are still in an embryonic state.
The way forward and an action plan to combat cyber-attacks
The European Commission proposes an action plan based on five pillars:
Preparedness and prevention
The Commission invites Member States to define a minimum level of capabilities and services for Computer Emergency Response Teams (CERTs) with the support of ENISA (the European Network and Information Security Agency). Moreover, the Commission is to set up a European Public Private Partnership for Resilience (EP3R) to agree security and resilience objectives with the private sector. A European Forum for Member States will be established to facilitate information sharing between Member States.
Detection and response
The development and deployment of a European Information Sharing and Alert System (EISAS), reaching out to citizens and SMEs, will continue to be supported.
Mitigation and recovery
The Commission invites Member States to devise national contingency plans, to organise exercises simulating large-scale cyber-incidents and to strengthen cooperation between national/governmental CERTs. The European Commission financially supports the development of pan-European exercises, which could serve as the operational platform for European participation in international exercises.
International cooperation
International cooperation is envisaged, particularly on the stability and resilience of the Internet, in order to define priorities, principles and guidelines, first at European level and then on a global scale.
Establishing criteria for European Critical Infrastructures in the ICT sector
Work on defining the criteria for identifying European Critical Infrastructures in the ICT sector will continue.
The World Economic Forum estimated in 2008 that there was a 10 to 20 % probability of a major CII breakdown in the following 10 years, with a potential global economic cost of around USD 250 billion.
The cyber-attacks on Estonia, Lithuania and Georgia demonstrate the need for coordinated guidelines not only at European level but also globally.