Member of the European Commission responsible for Home Affairs
The EU Internal Security Strategy and the growing cyber threat
APCO lunch debate
Brussels, 8 February 2011
Ladies and Gentlemen,
It is a great privilege for me to be here today and discuss one of the growing challenges we face today – I'm thinking of the cyber threat.
You can seldom open a paper these days without reading about some kind of cyber attack, be it at the EU Emission Trading System, the Nasdaq stock exchange or the many people getting their Facebook accounts hacked.
The number of cyber attacks is on the rise, the cost of cybercrime is skyrocketing. Security in cyberspace has truly become a global concern.
Today, cyberspace is used to commit crimes, increasingly of an organised nature. There is the continuing threat of online child pornography; there are traditional crimes once committed offline that have arrived in the digital age such as online fraud.
New threats include ever more sophisticated malicious code, used to spy on us, hack our bank accounts, or damage our critical infrastructure.
While there are no comprehensive statistics – and this is a problem in itself since you need numbers to see patterns – all available indicators and threat assessments point to rising numbers and greater impact of cyber attacks.
But don't get me wrong. I'm not here to preach that the Internet is something bad. On the contrary, the very notion of the Internet is that it provides a borderless space to quickly exchange news, make business transactions, and obtain information. It is an amazing tool empowering people. Its role in the current events affecting Tunisia and Egypt has possibly not yet received the attention it deserves.
The reason we have to take the cyber threat so seriously is so the Internet can continue to develop and facilitate our lives.
Cyber security and cybercrime are not the same. This being said, both go together. There are and should not be any artificial dividing lines between those two topics.
While the Internet, with its technical advances, its government structure and issues around jurisdiction, just to name a few issues, are already complex in their own right, we should not lose additional time duplicating initiatives but make sure that real synergies are made.
It is time for improved coordination between all actors, be it the military, law enforcement and other parts of government, be it NGOs, and not the least the private sector. It is for this reason I am happy to see a significant number of industry representatives here.
Preventing cybercrime from happening in the first place goes hand-in-hand with raising the level of cyber-security. That is why I'm happy to say that I have a very close cooperation with Vice President Neelie Kroes.
So then you might wonder what we do at the EU level to respond to these challenges? Actually, several concrete initiatives to improve cyber security and to curb cybercrime have been launched recently.
At the policy level, specific objectives and roadmaps have been set, such as the European Digital Agenda and the recent European Internal Security Strategy.
In the Internal Security Strategy, the European Commission clearly identifies raising the level of security for citizens and businesses in cyberspace as one of its core security objectives.
2010 also saw the tabling of two Commission legislative proposals:
a text for a proposed Directive on child online exploitation followed by
the proposal for a Directive on attacks against Information Systems.
The Directive on attacks specifically includes provisions to penalise the use of tools – such as malicious code – used to create Botnets, often used for large scale attacks.
Both legislative proposals strive to adapt European legislation on cybercrime in the face of recent threats in cyberspace.
Let's turn to our operational priorities. The Internal Security Strategy foresees three actions to better prevent and fight cybercrime and cyber attacks:
Capacity building in law enforcement and the judiciary, inter alia by establishing a European Cybercrime Centre by 2013. This centre is to become the focal point in the fight against cybercrime in the Union and will also ensure faster reactions in the event of cyber attacks.
Enhancing the work with industry to empower and protect citizens, targeted to simplify the reporting of cybercrime for citizens, but also enhancing resilience of network and information infrastructure via public-private partnerships; and
Improving the capabilities to deal with cyber attacks, for example via improved cooperation of Member States' computer emergency response teams (CERTs) and ENISA.
All these actions will make a difference. But we can only be successful if we also make the pieces work together. The European Cybercrime Centre is a good example. In order to achieve its goals, the centre has to establish a close cooperation with ENISA as well as national and governmental CERTs on law-enforcement relevant aspects of cyber security.
Also the interface of this planned Centre and the private sector as well as NGOs is of utmost importance. It comes as no surprise that a great number of cybercrimes and -attacks are never ever recorded by law enforcement agencies due to the simple fact that such cases are never reported in the first place.
In order to reduce this gray field, I can only encourage the private sector to report such incidents. It is understandable that in case of large-scale attacks, companies, but also governments will give the first attention to restore their systems and have websites up and running again. However, to identify and prosecute the perpetrators of such attacks, law enforcement needs to be involved as well.
NGOs and the private sector also have a large role to play when it comes to the prevention of cybercrimes. Much remains to be done to raise the risk awareness of the ordinary visitor in cyberspace, and it is astonishing to see how many people are still navigating the net without or with outdated anti-virus protection, no firewalls and via unsecured access points.
But let's face it, global challenges require global solutions. The Union is therefore also engaging its international partners on these issues. A working group between the EU and the US was created at the summit in November 2010. The group should deliver concrete results within one year. This will include everything from preparing joint exercises to develop a public private partnership with the industry in order to take further steps to fight cybercrime.
Finally, what I want to achieve is an Internet that is safe to use for all of us.
Only if we can trust that our bank accounts will not be hacked can we continue to pay over the Internet.
Only if we have safe systems do we dare to digitalise more and more of authorities' and companies' work.
And only by cooperation can we achieve long lasting solutions to face the growing cyber threat.
This is what I will work for in the coming four years. But this can only be achieved if we work together. And in this I count on the support from all of you here today.