Brussels, 31 May 2006
Businesses, individuals and public administrations in Europe still underestimate the risks of insufficiently protecting networks and information. Security presently represents only around 5-13% of IT expenditure, which is alarmingly low. The Commission is therefore promoting greater awareness, in a policy document adopted today, through an open and inclusive multi-stakeholder dialogue on a new IT Security Strategy for Europe. A partnership amongst Member States, involving the IT industry and users as well as the European network security agency ENISA, should lead to more trustworthy, secure and reliable information and communication technologies. People and organisations must be empowered to look after their own interests and responsibilities.
“The nature of the threat is changing and so must our response” said Information Society and Media Commissioner Viviane Reding. “In the past, hackers were motivated by a desire to show off whereas today, many threats come from criminal activities and are motivated by profit. What we need is a renewed strategy based on dialogue, partnership and empowerment”.
The Commission believes that an open dialogue involving all stakeholders is essential for building consumer trust and confidence and for supporting the widespread take-up of digital services. In its Communication adopted today, the Commission aims to promote a general security consciousness and an awareness of the actions that people and organisations need to take for themselves, in order to protect their own information and equipment.
All stakeholders need reliable information on network and information security incidents to help them take the steps necessary to ensure their own security and safety. An analysis of security “incidents” should point to solutions and best practices to be adopted by public and commercial organisations and in people’s homes. A key role in promoting a greater awareness of security is to be played by public authorities, although it is largely up to the private sector to provide solutions.
Specific proposals of the Commission include the benchmarking of national policies on network and information security to improve the dialogue between public authorities, to identify best practices and to raise the security awareness of end-users. ENISA, the European Network and Information Security Agency established in Heraklion, Greece, will be entrusted to develop an appropriate data collection framework to handle security incidents and measured levels of consumer confidence from all over Europe. ENISA will also be asked to examine the feasibility of a multilingual information sharing and alert system. Finally, Member States and the private sector are invited to play a more proactive and energetic role in enhancing network and information security.
In parallel, the Commission is carrying out a public consultation on the security and privacy implications of RFID (Radio Frequency Identification) and will present its conclusions later in the year. These initiatives are part of a coherent European policy on network and information security, which also covers spam and spyware, cybercrime, the integrity and protection of critical communication infrastructures and related European research activities.
The European Network and Information Security Agency (ENISA): http://enisa.europa.eu/.
ENISA’s legal basis was recently confirmed by the European Court of Justice.