Vice-President of the European Commission responsible for the Digital Agenda
A European Strategy for Internet Security
High Level Public-Private Security Roundtable
Brussels, 21st March 2012
It's a pleasure to address you all today. I know we all feel the importance and urgency of tackling internet security threats.
For one thing, there are serious costs to inaction. Already, some say that cyber crime accounts for more than the global drugs trade. The 2011 cyber attack cost Sony nearly $175 million, almost as much as they lost from the same year's earthquake and tsunami.
For another, serious risks are out there. The recent World Economic Forum asked the question: what are the chances, over the next decade, of a major breakdown of Critical Information Infrastructure? A disaster which could cost hundreds of billions of euros? They decided: 10%. One in ten.
And for another, these threats affect everyone. They could damage not just government or critical infrastructure, but also threaten consumer trust in global e-commerce, worth trillions of euros each year.
The threats come from around the world and readily cross borders.
But so far, our societies have not taken the necessary measures to address these risks. Internet Security cannot be confined to the national devices of national security, as if cyberspace were just another domain of combat action.
Computers and networks are the very fabric of our everyday lives. Attacks on the security and proper functioning of our networks can come from a variety of sources, be it for political motives, for gain, for vandalism, for protest, for adventure.
We need a comprehensive response that covers it all.
This is why we need a new vision to address the specificities of security in cyberspace. This is why I prefer to call it a European Strategy for Internet Security.
We need everyone—governments, businesses and individuals—to work together and share the responsibility of making the Internet safe and secure.
Our strategy - I say 'our' because I work closely with Cécilia Malmström and Cathy Ashton - due in the third quarter of this year, will enable a step-change in how we ensure Internet security. It will be embedded in our principles for Internet governance. There will be five main strands.
First, we need capabilities and response networks. Member States will be asked to guarantee minimum capabilities. To respond adequately to threats, we'll need to share critical information in a secure and confidential manner: within and between public and private sectors. CERTs and other competent bodies need to exchange regularly and rapidly, to warn and assist. Those relations should be based on a trusted network and on a common reference framework within the Single Market.
Second, we need a governance structure. Member States need to establish competent authorities, centralising information and sharing with partners. A European Forum could then be created to establish collaboration between these authorities and the private sector. This would support a European cyber-incident contingency plan and exchange of best practices. It would also help with linking security, cybercrime and defence.
Third, remember the private sector owns and runs most of the infrastructure. So they must have the incentives to improve their own security. For example, businesses need proper risk management, to assess and mitigate risks. Of course - despite these measures - breaches, incidents or attacks might still occur. And if so, we'll still need safeguards. Prompt reporting means competent national authorities can react quickly to incidents, and minimise their impact. Such an obligation to notify security breaches already exists for the telecom sector. It should also encompass other sectors relying on critical information infrastructure, like energy, water, finance and transport.
Fourth, we need a more vibrant Single Market for these technologies. I want to invest in innovation for security technologies, including through the EU budget. Indeed we already are: we've now launched a call for proposals on how to fight botnets. But research alone isn't enough. We need to fill the gaps in the value chain, and seamlessly bring bright ideas to the market. Pre-Commercial Procurement is a powerful instrument here; as are public-private partnerships. And we need a more transparent market in security products. If end users were better aware of what's on offer - including through standards - that would drive demand for better products.
Fifth, this is not just a European problem. Global interdependencies need global cooperation. That includes identifying and addressing possible barriers to market access. And ensuring security throughout the supply chain, including third-country products that enter the EU.
Internet security is not a problem that's going to go away. During the course of this round table alone, 25,000 new pieces of malware will have been developed across the globe.
But with an approach that is built on the Single Market, giving the right incentives to the private sector, investing in supply, and with an international outlook, then we can deliver not just a safer Internet for all, but also stimulate a vibrant and essential new EU industry.
Thank you for your attention.