Mr Erkki Liikanen
Member of the European Commission, responsible for Enterprise and the Information Society
The European Network and Information Security Agency
Brussels, 10 February 2003
Ladies and Gentlemen,
Today, the Commission is proposing to establish a European Network and Information Security Agency.
Network security has become important in line with the increasing use of the Internet and other information and communication technologies.
Today more than 90% of companies in the European Union have an Internet connection and the majority of them operate a web site.
About 40% of EU households have their own Internet connections.
Public administrations are moving towards electronic government. Computers and communication networks control critical infrastructures such as electricity and water supply or public transport systems.
In today's society, already a lot depends on networks and information systems.
Network security has become a key concern, especially in the aftermath of the 11th of September events. The malfunctioning of networks and information systems concerns everybody: citizens, businesses and public administrations.
The Commission already made its first Communication on network and information security in June 2001.
Future requirements on security will rapidly change as networking and computing develop further and electronic communications become more ubiquitous. For instance, broadband connections offer people the possibility to be "always on". This, of course, increases the vulnerability of systems and multiplies the probability of some sort of cyber-attack. Enhanced security is therefore a key element for the success of broadband.
New wireless applications will enable the users to access the Internet from anywhere.
The possibilities to connect everything from printers to central heating systems to the Internet will continue to develop and expand the way people use the Internet.
To offer a secure information infrastructure, the eEurope 2005 Action Plan, endorsed at the Sevilla Summit last year, calls for stepped-up action.
The activities related to network and information security in the overall picture of 'cyber security' fall in three broad categories.
Firstly, we have the legislation on telecommunications and data protection in place.
Secondly, we witness an emerging policy on cybercrime.
Thirdly, the activities on network and information security complete the picture. These three activities have overlaps (hacking, intrusion, data retention) whereby the middle one represents the worst scenario: identity theft.
What do we understand by network and information security? I give you the following definition:
"it is about ensuring 'the ability of a network or an information system to resist, with a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of data and the related services offered by or accessible via these networks and information systems'."
This definition demonstrates that security has turned out to be a difficult and complex task. The user has to deal with the availability, integrity, authenticity, and confidentiality of data and services. Due to the complexity of technology, many components and actors must play together, and human behaviour has become a crucial factor.
This brings me to the current situation at EU-level where security has become a major policy concern. Governments see a widening responsibility in this field. They want to promote security, for instance by giving support to computer emergency response teams, to research and to awareness raising campaigns. They also equip and train law enforcement to deal with computer and Internet related crime.
Member States are however in different stages of their work and the approaches vary. Today there is no systematic cross-border co-operation on network and information security between Member States, although security issues cannot be an isolated issue for only one country. There is no mechanism to ensure effective responses to security threats.
The European Union will benefit from increased co-ordination between Member States to achieve a sufficiently high level of security in all Member States. We propose to establish a European Network and Information Security Agency to build on national efforts to enhance network and information security and to increase the ability of Member States and EU Institutions to prevent and respond to major network and information security problems.
The Agency shall be able to provide assistance in the application of EU measures relating to network and information security. The assistance it provides shall help ensure interoperability of information security functions in networks and information systems, at the same time contributing to the functioning of the Internal Market.
The Agency will ultimately serve as a centre of competence where both Member States and EU Institutions can seek advice on matters relating to security. This expertise provided for by the Agency will play a key role for the security of Europe's digital economy and the development of the information society in general.
The activities of the Agency will consist in advisory and co-ordinating functions, where data on information security is collected and analysed. Today both public and private organisations with different objectives gather data on IT-incidents and other data relevant to information security. There is, however, no central entity at European level that collects and analyses such data to support the EU policy work in that area, whilst at the same time providing added-value to national initiatives.
Awareness-raising and co-operation are key in this area. The agency will launch co-operation initiatives between different actors in the information security field, e.g. to support the development of secure e-business. Such co-operation will be a vital prerequisite for the secure functioning of networks and information systems in Europe. Therefore the participation and involvement of all stakeholders in public / private partnership is necessary. Industry of course has a key role to play in this field, especially as most of the networks are privately owned and managed.
The initiation of a co-ordinated European approach and the promotion of risk assessment and risk communication methods will enhance our capability to deal with increasing information security threats.
As not only legal requirements, but to a large extent technical requirements can affect the interoperability of products and services, the Agency will have a supporting role to assess standardisation needs and to develop network and information security concepts. This will be done in close collaboration with industry and building upon their expertise.
We all know that network and information security issues are global as electronic communication channels do not stop at national nor European borders. Enhanced international co-operation in this field is necessary. The Agency will provide support for the EU's contacts with relevant parties in third countries.
To conclude, network security is becoming an essential element of our everyday lives.
Society as a whole as well as individuals has to learn how to manage the risks involved in networks and information systems.
The European Network and Information Security Agency will contribute to that process to the benefit of both European industry and citizens.