Member of the European Commission responsible for Home Affairs
It's time to take cyber criminals offline
Hungarian Presidency Cyber Crime Conference in Budapest
Brussels, 13 April 2011
Ladies and Gentlemen, dear Colleagues,
I'm very happy to be here today to celebrate the 10th anniversary of the Budapest Convention against cybercrime.
Ten years after the convention we need to take stock of the new challenges. The threat is very much a real one. The number of cyber attacks in the world is on the rise and the cost of cybercrime is skyrocketing. You can seldom open a paper these days without reading about a new major cyber attack.
The EU institutions are far from immune. Some time ago it was our Emission Trading System that was hacked into, and more recently the institutions themselves (the Commission and the External Action Service) became victims of a large-scale cyber attack, severely affecting our e-mailing systems.
I discovered it myself when I couldn't access my e-mails on a trip in Cairo. That was quite annoying, as e-mailing has become almost as normal as breathing in our modern society, but even worse is the fact that the intruders attacking the Commission did not only want to create damage.
They were there to get important information. And the attack was particularly sophisticated. I can guarantee that this will certainly speed up the formation of the planned Computer Emergency Response Team (CERT) for the European Institutions, foreseen now for the end of May.
I don't think I exaggerate when I say that this must be the golden age for cyber criminals. Our job is to change this. But it can only be done if we join forces.
Given the fact that an attack can happen in 12 countries in 12 seconds, we have to work together. I can assure you that the criminals do. And we see an unfortunate trend where more and more of the committed online crimes are of an organised nature.
The EU must therefore speed up the fight against cybercrime. But to do so we cannot only focus on traditional Law Enforcement tools. We must also strengthen the security of our networks.
Cyber security and cyber crime are two sides of the same coin. There are not – and should not be – any artificial lines dividing the two.
The European Commission takes these issues very seriously. I work closely with Vice President Neelie Kroes and High Representative Catherine Ashton in coordinating a joint response to the challenges we are facing.
So what then does the response of the European Commission to fight cybercrime look like?
In the first ever EU Internal Security Strategy in Action that I presented in November, we put cybercrime and cyber security forward as one of the main challenges for the following four years.
And let me be clear. This is a shared agenda between the EU institutions, Member States and the industry. Without all of us taking responsibility we will pay a very high price.
The strategy focuses on three main areas to better prevent and fight cybercrime.
The first area is capacity-building in law enforcement and the judiciary. Europol is becoming an increasingly important actor in fighting cybercrime and I welcome Europol Director Wainwright's efforts to see how the agency can be of even bigger support to Member States.
But the Commission and Europol can only be complementary to the Member States. Therefore, I encourage Member States to step up their own efforts at the national level. The way to tackle cybercrime differs a lot across the EU. The European Commission stands ready to facilitate platforms to share best – and to avoid worst – practices.
I want us to work closer together in training, as the potential for cooperation here is huge. The European Commission has contributed to the development of cybercrime training courses and centres of excellence in the last 10 years, but the demand has never been greater. I would therefore be happy to discuss how we can take this further.
One major component in the fight against cybercrime will be the establishment of a European Cybercrime Centre by 2013. This centre will become the focal point in the EU's fight against cybercrime and it will also ensure faster reactions in the event of cyber attacks.
We are now launching a feasibility study to see what the centre should focus on and where it could be hosted. This study will be the basis for a discussion with Member States early next year.
Your input in this process will be invaluable. Because in the end the importance of such a centre in the fight against cybercrime follows the classical recipe of "You get out what you put in".
The second area involves enhancing cooperation with the industry in order to empower and protect citizens.
Much remains to be done to raise the risk awareness of the everyday visitor in cyberspace, and it is astonishing to see how many people are still unprotected on the net – without or with outdated anti-virus protection, no firewalls and using computers with unsecured access points.
Cooperation with the industry must therefore include building resilience of network and information infrastructure via public-private partnerships, but also dealing with illegal activities on the Internet.
Without the industry taking a bigger responsibility we will not make it. In this, the European Commission and the Member States have a shared responsibility to push this dialogue forward.
The third area I want to address concerns improving the capabilities of dealing with cyber attacks. This is the biggest threat we face today. A major component of this will be improved cooperation of Member States' computer emergency response teams (CERTs), which are to be set up by 2012. In this work, ENISA, but also Europol, will have important roles to play.
All these actions will make a difference. But we can only be successful if we not only join efforts, but also make these pieces work together.
The European Cybercrime Centre is a good example. To achieve its goals, the centre has to establish a close cooperation with ENISA as well as with national and governmental CERTs on law enforcement aspects of cyber security.
The interface of this planned Centre and the private sector is very important. It comes as no surprise that a great number of cybercrimes – including bigger attacks – are never even put on record by law enforcement agencies due to the simple fact that such cases are never reported in the first place. This has to change.
We must encourage companies to report crimes more often. Otherwise, how can we solve crimes if they are not reported? And how can we understand the pattern in how criminals operate so that we can build on those experiences in our joint response to this challenge?
Improvements in these three areas are crucial, but they will not be enough. Cybercrime is a global problem, so it goes without saying that it needs a global response.
Europe's main partner is the United States. That is why the creation of the high-level EU-US Working Group on cyber security and cybercrime, agreed at the last November EU-US summit, is so important.
The group should deliver concrete results within one year. This will include everything from preparing joint exercises to developing a public/private partnership with the industry.
The cybercrime subgroup met with a wide array of stakeholders from the private sector, Internet Service Providers and Member State law enforcement experts in February 2011 to discuss the misuse of Internet domain names and Internet Protocol addresses for illegal purposes.
A further meeting of this subgroup will be dedicated specifically to the issue of child pornography and is scheduled to take place in June.
Ladies and Gentlemen,
The focus of today's conference is the 10th anniversary of the Council of Europe's Budapest Convention on cybercrime. 10 years of cybercrime cooperation in the fast-paced world of today is already an achievement.
Considering that preparatory works on the Convention drafting started in the mid-1990s, it is an impressively up-to-date instrument. And let's recall that the EU has said that the Convention should become the legal framework of reference for fighting cybercrime at the global level.
It is now time for those EU Member States that have not done so yet to ratify the Convention. Most Member States have done this already, and I understand that Belgium and the United Kingdom are close to doing so also.
That still leaves 8 countries (Austria, the Czech Republic, Greece, Ireland, Luxembourg, Malta, Poland and Sweden). I know that some of them are preparing for ratification, but I can only urge them to speed up their efforts.
How influential the Budapest Convention is for the EU is well explained in our proposal for a Directive on attacks against information systems. The text is largely based on the Budapest Convention. What has been added is the part covering large scale attacks, which is an emerging trend and not fully covered in the Convention.
The proposal was discussed yesterday in the Council and I have great hopes that the Hungarian Presidency will continue to drive this process forward by June. We have to work quickly to adapt our legislation to face the challenges of today.
To conclude, let me return to where I started. If we are to put an end to what I would call the golden age of cybercrime and take the cyber criminals offline, we need more action from Member States as well as from the industry.
I stand ready to give all my support to this very important mission; because what is at stake is nothing less than our citizens' freedom on the Internet.
Our way of living and our societies are dependent on a well-functioning and open Internet. It is our job to make sure it stays open and safe.
And it would be nice to meet again in 10 years' time and say that the political momentum created in 2011 was a turning point in the fight against cybercrime.
Thank you for your attention.