Vice-President of the European Commission responsible for the Digital Agenda
Network and information security
TechAmerica event on joint EU/US cybersecurity
Washington, 16 December 2010
It is a pleasure to be here to discuss with you network and information security - what is commonly called "cyber-security".
Nowadays, no one would deny that our societies' prosperity and many aspects of our day-to-day life depend upon the unimpeded functioning of the Internet and other IT networks.
Cyber-incidents – be they the result of a technical failure, or of deliberate hacking – may cause major economic and social damage.
Some numbers may help to get the picture clear:
The OECD estimates that US businesses alone are losing around USD 70 billion a year because of malware, not to mention the cost and hassle for individuals [1].
In Europe, a recent survey [2] showed that, looking at the past five years, 78% of all EU Internet users had security problems and 65% reported being victims of spam; and almost one in two (46%) detected viruses in their computers.
Many reports [3] show that problems related to cybercrime are growing across the board: financial fraud, malware infection, password sniffing, web site defacement and denial of service attacks – which have now entered into everyday parlance after the WikiLeaks saga.
Take also the discovery of Stuxnet earlier this year: the risk of an attack against critical infrastructure is no longer a fictional scenario for a horror movie.
The threat is real.
But while the threat is growing and diversifying, we sometimes fail to see who is behind it and indeed understand their true motivations.
We all know how difficult it is to attribute responsibility when it comes to cyber-space.
Too often, we do not have the right tools to find the originators of an attack.
Sometimes, we do not have appropriate laws in place either.
Take for instance, what is happening with Wikileaks. What lessons can we draw?
In my view, we should clearly distinguish between three security incidents.
The first incident was the leaking of sensitive information from the IT systems of the US State Department. This was allegedly done by an insider. I shall not comment on the judicial proceedings. But from a cyber-security angle, this highlights the need for all organisations and individuals to protect themselves against threats to steal confidential information.
In parallel, we should also ensure that we, as governments and public administrations, are as transparent and open as possible. I think that is an important value, but it also has a major practical advantage: it reduces the amount of information that requires special protection.
The second incident was the interruption of domain name and other web service provision for Wikileaks. Was there a violation of the terms of service by the various providers involved? Was the fact that those providers operated across various regions of the world, and therefore under different policies and regulations on "cloud computing", relevant to their decision? When problems arise with globally distributed services, all private operators and public authorities should be able to act with some legal certainty.
The third incident was the so-called "hacktivist" attacks, first against and then in support of Wikileaks: a hacker called Jester mounted a denial of service (DoS) attack against the Wikileaks website. Later, in support of Wikileaks, the group Anonymous distributed a piece of software (LOIC) to mount voluntary distributed denial of service (DDoS) attacks against Visa, Paypal and governmental sites.
These incidents also highlight a number of issues.
The number of computers used in the attacks was apparently relatively small (a few hundred), although some figures reported in the press claimed over six times as many. This raises the question of the reliability of the information circulating about cyber-attacks. It also tells us that such attacks can be organised by just a few people.
However, the "victim" services have also proved quite robust and agile, which demonstrates the resilience of the cloud architectures we have in place.
Finally, although the LOIC software shares features with botnets (e.g. the PCs respond to a central command server), a key fact is that the PC owners have voluntarily made their computers part of a coordinated action.
Those issues are for us all to examine.
In my mind this series of events obliges public and private operators to find solutions together, and to anticipate rather than react "after the facts" and in the heat of the moment.
This is not an online game: what is at stake here is whether people and businesses on both sides of the Atlantic will continue to use and trust the Internet and have confidence in its integrity.
In Europe, my colleague Cecilia Malmstrom, the European Commissioner for Home Affairs, has tabled a piece of legislation on attacks against information systems. As a result, those who set up "botnets" for instance will be subject to heavier penal sanctions.
We are also working to render justice and police cooperation in this area more effective.
For instance, I am particularly horrified by the ease with which child abuse images can be exploited online. Last weekend, yet another case was discovered, thanks to cooperation between the US and the Dutch authorities.
It is essential that we do more to prevent such exploitation and crimes. There is no excuse for taking a month to remove a paedophile website, when phishing websites are generally removed within hours of their detection.
We are taking steps to improve this. My department in the Commission runs a Safer Internet Programme that supports hotlines for the public to report illegal content. We also fund an international network of hotlines, called INHOPE, with members in Europe but also in Asia, Canada and the United States (Cybertipline, which is run by the US National Centre for Missing and Exploited Children).
From January 2011, we intend to promote systematic and fast notification of ISPs by the European hotlines, in an agreed procedure with law enforcement agencies.
On the cyber-security front, I have also made proposals to modernise the European Network Security Agency (ENISA). This Agency helps the EU, its Member States and the private stakeholders to deal with cyber-security challenges.
We are carrying out pan-European exercises modelled on the US "cyberstorm" simulation exercises. We will keep working with the US to align our plans.
Is it enough? I do not believe so.
We can do a lot more to minimise the disruptions on our networks, notably by working together – private and public sectors, the EU, the US and other countries.
This is the message I have come over to convey to the US Government and to you, in the private sector: by working together, we can dramatically improve our capability to prevent, detect and respond to cyber-security problems.
Partnerships are the way forward. There is no alternative when the effects of cyber-disruption generated in one part of the world can be readily, easily and heavily felt in all parts of the world and all sectors.
This fact makes very welcome the creation last month of the new EU-US Working Group on Cyber-security and Cyber-crime.
I have come over to Washington to discuss the agenda of this newly enhanced cooperation with Howard Schmidt and I will pursue this dialogue next year with Janet Napolitano.
In the year to come, the Working Group will focus on four priority areas that are of direct relevance to cyber-security: Cyber Incident Management, Awareness Raising, Cybercrime and Public–Private Partnerships (PPP).
Let me stress once again the importance I give to this latter dimension: unless we involve the expertise of the private sector that owns or controls a majority of our ICT infrastructures, we as public authorities simply cannot fully exercise our responsibilities.
Together we must build a true risk management culture.
First, we need wider circles of "trusted parties".
To start with, all the main network players should make available the wealth of data they have on security incidents and their impacts.
We should also be able to measure, for our businesses, NGOs and our governments, the cost of countermeasures and mitigation strategies.
We must also turn this wealth of data into globally shared ICT risk management standards and practices.
Second, I would like to see the ICT sector as a whole – on both sides of the Atlantic – develop and promote sound security practices, guidelines and standards to enhance the quality of software and hardware systems. We are not "starting from scratch", so to speak: many companies already use security as a competitive advantage.
But I also think that too often some important players in the sector accept the existence of insecure products on the market.
In short, I would like to see full commitment of the whole ICT sector to security, not as an "add-on", but as a true design principle underlying all your businesses and technological processes from the outset.
Security-by-design, just like the other side of the coin, I mean privacy-by-design, should go hand in hand.
Those who see these as a mere additional cost are short-sighted: today it is already a competitive advantage; tomorrow it will be a necessary requirement. For when your bank account, your health records and your rights and duties as a citizen are fully dependent on IT systems, no individual or organisation will want to buy or use IT products and services that do not have the highest security and privacy standards.
Third, and this is linked, we therefore need to identify what key assets, resources and functions are necessary to ensure the continuity of vital ICT services.
We also need to develop common mechanisms and transatlantic networks to prevent, mitigate and react to large-scale cyber attacks and cyber disruptions, such as botnets and distributed denial-of-service attacks.
Ladies and Gentlemen,
Let me conclude by paraphrasing a US President: cyber-space is the "New Frontier" of our times!
It is an uncharted area: full of risks, but also of more opportunities to come. It is our duty to explore it.
And I believe that together, the US and Europe – both their public and private sectors – can make it our collective success.
[1] OECD, "Malicious Software (Malware): A Security Threat to the Internet Economy", http://www.oecd.org/dataoecd/53/34/40724457.pdf
[2] Flash Eurobarometer, "Confidence in Information Society", April 2009