Sélecteur de langues
Brussels, 31 May 2006
What is network and information security?
Network and information security (NIS) can be understood as “the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems”. As such NIS embraces a number of properties that protect the information from a wide range of threats in order to ensure its confidentiality, integrity and availability, in particular when it is transmitted, stored or accessed over electronic communications networks (including the Internet). It is achieved by implementing a suitable set of controls, including policies, processes, procedures, organisational structures as well as appropriate technology solutions.
Why is network and information security important?
Information (in particular in digital form) not only constitutes an important business asset but is also increasingly important to the protection of critical infrastructures and to the functioning of today’s Information Society as a whole. Reliable electronic communications networks and services have gained an enormous economic and societal importance as they underpin many critical aspects of our economy and society. Networks and the information they carry need to be protected, for instance to maintain competitive edge, commercial image, business continuity, prevent fraud or ensure legal compliance (for instance with privacy and data protection laws). Appropriate levels of network and information security provide such protection by ensuring that information transmitted and accessed over electronic communications networks remain available, reliable, authentic and confidential. As such, network and information security is a primary element for ensuring trust and confidence in an Information Society.
What is at risk when network and information security is poor?
One has to keep in mind that absolute and perfect security simply cannot be achieved. Given the complexity of today’s electronic communications systems and networks, people must assume that vulnerabilities will always be there - and so will be the corresponding risk of attacks or incidents. Adequate and well managed levels of NIS can help avoid or reduce the negative consequences of - a possible security incident.
Some security incidents can result in direct financial losses: for instance when a popular e-Commerce Web site goes off-line because of a technical failure, or when fraud is committed using a credit card number intercepted during an insufficiently secure on-line transaction. In other cases the damage is of a more indirect nature; for instance when lack of confidence and trust prevents citizens from engaging in activities on-line, thus limiting innovation, the potential of the Information Society to grow and so create jobs. Insufficient protection of personal data can sometimes lead to very severe consequences such as identity theft. In turn, personal computers that are insufficiently protected can be turned into “zombies” and “botnets” and used for malicious purposes, including denial-of-service attacks and the sending out of spam and “malware” (i.e. malicious software). The consequences of security incidents affecting critical infrastructures, - whether these be attacks, accidents or technical failures - can of course be even more perilous. (e.g. those affecting infrastructures for energy, transport, telecommunications...)
Should the society at large be concerned about network and information security?
From a society point of view, we all have to understand the full potential of ICTs to transform our lives. When the Internet was first designed and developed, no-one imagined it would become the backbone of our Information Society and consequently its security has not been a priority. Nowadays the ways we use information and communication networks, in particular the Internet, continue to multiply: ranging from commercial uses (e.g. on-line banking), information sharing (e.g. news portals, on-line journals), exchange of email, social networks, to eGovernment services. The reliability and robustness of the underlying infrastructures as well as security of information transmitted over the networks thus becomes increasingly important to the functioning of the society as a whole.
What are the biggest challenges for network and information security?
One of the greatest challenges for NIS is the growing dependency of society on electronic communication networks and related information technologies. As the systems and networks continue to grow and become increasingly complex, we can expect a number of unprecedented security issues to emerge. However the threat scenario has also changed. Whereas in the past most attacks on computer systems had been motivated by curiosity or a desire to show off technical virtuosity, many attacks today are motivated by profit and very often also linked to organised crime. This puts the need for better security into a particularly alarming light. New technologies and applications that are already in use (or which will be used in the near future), such as mobile devices, RFID and ubiquitous computing, are likely not only to unveil new opportunities but also to pose new security and privacy challenges. Europe must be therefore prepared to respond to these challenges in an adequate manner.
Why does the Commission take this initiative now?
Network and information security is a key enabler for the further development of the Information Society in Europe and beyond. In the context of its i2010 initiative, the Commission considers it useful to review the current nature of security threats in order to determine what additional steps should be taken.
The progressive liberalisation of electronic communications networks and services markets, and the resulting multiplication of actors involved and accelerated rate of technological development (to mention but two major elements) have boosted competition and economic growth. Yet at the same time these developments have also made the management of networks a very complex task, with an unclear division of responsibilities. In this context bringing all stakeholders together and initiating a broad dialogue on NIS issues could provide real added value at European level.
How does the EU intend to tackle these challenges?
The European Community has developed a three-pronged approach embracing: (i) specific network and information security initiatives including investment in research and development, the establishment of ENISA, and the regulatory framework for electronic communications; (ii) the protection of privacy and data; and (iii) the fight against cybercrime. Although these three aspects can to a certain extent be developed separately, their numerous interdependencies call for a coordinated strategy. Such a strategy should ensure proper coordination of all policies and regulatory measures having an impact on information security, and achieve an optimum deployment of appropriate measures and processes.
The Commission will address a wide range of these issues in a series of policy documents planned for 2006. In addition to the present Communication on a strategy for a secure Information Society, these documents will include a Communication specifically addressing spam, spyware and malware and a Communication on cybercrime. Any regulatory measures considered necessary to ensure network and information security will be pursued in the context of the 2006 review of the regulatory framework for electronic communications.
What exactly is ENISA and what is its role in improving NIS?
ENISA is the European Network and Information Security Agency which was established one year ago in Heraklion (Greece) in response to security threats. ENISA contributes to the smooth functioning of the Internal Market and serves as a centre of expertise for Member States and EU Institutions to seek advice on matters related to network and information security. The agency does not replace national authorities dealing with NIS-related matters, but is complementary to their missions. For more information on ENISA see http://enisa.europa.eu/.
What is new about the EU’s approach to network and information security?
The Commission chose a dynamic and integrated approach which involves all stakeholders and builds on an open and inclusive dialogue, partnership and empowerment. As a first step it proposes benchmarking national NIS related policies, especially for the public sector, which will help identify the most effective practices and make public authorities drivers of best practice in security. With active support of ENISA, this would in turn lead to improved awareness among SMEs and citizens. ENISA will develop a trusted partnership with Member States and stakeholders to create a data collection framework to collect and analyse EU-wide data on security incidents and consumer confidence. However the most important element in fostering security consciousness is the empowerment of each stakeholder group. All players must themselves actively preserve and protect their own security. Further to this the Commission aims to help develop new and innovative partnerships to boost the growth of the European ICT industry and to promote more intensively, global cooperation on network and information security.
What exactly does the title of today’s Communication “Dialogue, partnership and empowerment” mean?
Given the important and complementary roles of both public and private sector actors in the development of a security culture in Europe, security policy can only be tackled in an effective manner on the basis of an open and inclusive multi-stakeholder dialogue. Partnerships are needed so that each actor can fulfil their own role in the broader context of network and information security. The empowerment of each stakeholder group is a prerequisite to foster awareness of security needs and risks. Governments, in addition to being major users in their own right, are primarily responsible for setting the right framework conditions. The private sector is largely responsible for delivering solutions, services and security products. Individual users are responsible for the vast majority of computers and information sources, and therefore are key actors in developing a general culture of security.
What other related policies is the Commission pursuing?
In addition to specific initiatives addressing network and information security the Commission is pursuing a number of related policies. These include in particular the protection of personal data, a regulatory framework for electronic communications (currently under review), the fight against cybercrime, the protection of critical infrastructures (including critical information infrastructures) as well as research and development activities. The Commission attaches particular importance to international cooperation for creating, fostering and enhancing a global culture of security, and is following the approach agreed at the World Summit on the Information Society in Tunis in 2005.
How do public administrations, private sector and individual users perceive the importance of network and information security?
One of the major problems seems to be that people do not necessarily appreciate the need to actively ensure their own security until something goes wrong. Part of the problem is a lack of awareness of the security risks related to use of ICTs. Furthermore some user groups (in particular individuals and SMEs) often lack the means and expertise to implement adequate security measures or choose to ignore the risks and focus on the benefits of technology instead. They forget that their unprotected machines can make the whole network vulnerable! Businesses often do not invest enough in security simply because they do not see a clear enough return on their investment.
What can be done about this?
The key is to improve our knowledge of the problem and to raise awareness of the need for network and information security. However, awareness programmes that highlight security threats need to avoid undermining consumer and user confidence by focussing only on negative aspects of information security. Instead, network and information security needs to be seen as a virtue and an opportunity rather than a liability and a cost. It needs to be viewed primarily as an asset in building consumer confidence, a competitive advantage for enterprises operating information systems and as a quality of service issue for public sector service providers. Public authorities should serve here as an example of best practice for other players to follow, though each stakeholder group has its own role to play. The contribution of ENISA to this goal will be very important.
A prerequisite for effective policy making is of course reliable data on information security incidents and trends. Yet the fast-changing and complex nature of ICTs, information systems and security threats means that reliable and up-to-date statistical data is not always complete or available. In relation to security breaches in particular, many victims are often reluctant to share or publicise information. Even when data is available, it is often published by industry sources with a particular commercial perspective that can make the data insufficiently independent for public policy makers. A strategic partnership among the Member States, the private sector and the research community could go a long way towards providing information needed for effective policy making.
What does it mean in practice?
Public administrations have a particularly important role to play. When giving high priority to the security of their own networks and information, public administrations serve as an example to other stakeholders. Private sector enterprises in turn should address security as an aspect of customer service. It should be seen as an enabler for new business opportunities and innovative services for society rather than as a necessary evil or a purely legal obligation. Individual users for their part need to understand that the security and integrity of their home system is also an important component of overall network security and stability: People must ensure that their own machines do not damage other user’s data and systems.
 COM(2001) 298
 See also the ISO/IEC standard FDIS 17799 : Information technology; security techniques; code of practice for information security management (2nd edition)