European Commissioner responsible for Home Affairs
The European Response to the rising Cyber Threat
Transatlantic Cyber Conference organised by the Center for Strategic and International Studies, the European Security Roundtable and SRA International
Washington, 2 May 2012
I'd like to thank the organisers, Center for Strategic and International Studies, the European Security Roundtable and SRA International for bringing us all together today.
This conference is an excellent way to encourage even closer transatlantic cooperation. And let's hope that a few new good ideas will be born today. We will need them if we are to win the battle against those who attempt to disrupt our digital lives.
I want to tell you about the first joint operation conducted by the FBI and Europol in the field of child sexual exploitation. The name of the operation was Atlantic and the case was completed two months ago.
Thanks to the close cooperation between the FBI, Europol and several EU Member States an international network of child sex offenders was dismantled.
Several arrests were made on both sides of the Atlantic. In Europe, 8 children between 3 and 10 years old were rescued, preventing further horrific abuse at the hands of their captors.
I'm grateful for the professionalism and dedication I have seen from Law Enforcement to fight this and other horrible crimes. Yesterday, I had the opportunity to follow the work of the FBI and I was impressed by how advanced they are. This has reinforced my view that we should continue to deepen transatlantic cooperation against cyber threats.
The U.S. and the EU are primary targets for different kinds of cyber threats. And our governments, businesses and citizens are under siege from increasingly sophisticated attacks. These attacks can come from many different sources - from other states to organised crime and hackers.
To overcome this growing global threat, EU-U.S. cooperation is not a choice, but a necessity. The establishment of an EU-U.S. Working Group on Cyber-security and Cybercrime in November 2010 was our first step to identify strategic goals and concrete actions.
I am leading our work on Cybercrime together with the Secretary of Homeland Security, Janet Napolitano. The Attorney General Eric Holder has also played an important role.
Overall, we have had some early successes, such as the first Cyber Atlantic 2011 exercise, which kicked off a groundbreaking programme of joint cyber attack exercises that will culminate in a fully fledged EU-U.S. cyber exercise in 2014.
The Working Group has also been instrumental in raising international awareness of the problems associated with misuse of domain names.
Unfortunately it is still possible to register a domain name under the name of Mickey Mouse with an address in Disneyland.
"Not possible", I hear you say. Almost 50% of the data given by applicants for the top five generic top-level domains – .com (dot com), .org, .net, .info and .biz – contains evidence of fake, false or incomplete identity information, making it difficult, if not impossible, for law enforcement to trace offenders abusing those Internet resources.
After considerable pressure from the EU and the U.S., we have finally seen a commitment by the Internet Corporation for Assigned Names and Numbers (ICANN) and the private sector to implement specific law enforcement recommendations in their policies.
But we must continue to put pressure on ICANN to deliver at its upcoming meeting in Prague this June. The actions of the US Government in the coming weeks will be decisive if we are to succeed.
This year we are also planning a summit on child protection. We are particularly concerned about child sexual exploitation online.
During the past decade we have seen an unprecedented expansion in the market for child abuse images. Although we have successfully disrupted numerous child abuse networks online, we must do more to protect our children from harm.
Alongside its cooperation with the U.S., the EU will have to do its homework to make cyberspace safer.
As more and more of our everyday lives and business transactions happen online so too does criminal activity. Online organised crime ranges from selling stolen credit cards for as little as one euro to advanced identity theft.
The threat from online criminal activity is constantly evolving and we must adapt our approach in response.
We must ensure that our legislation keeps pace with new technological developments. We hope to agree on a proposal before the summer to bring EU legislation up to date, including measures to address the rising threat from botnets.
Legislation on its own is not enough. We must also equip law enforcement agencies with the operational tools and intelligence to respond to the threat. A month ago I presented our plans to set up a European Cybercrime Centre. The Centre will be established within Europol, in the Netherlands.
The Centre will be the European focal point in the fight against cybercrime.
It will help to prevent the illegal online activities of organised criminal groups, such as online fraud involving credit card and bank credentials.
It will work closely with social networks to protect users from online identity theft.
It will focus on cybercrimes that cause the most harm, including online sexual exploitation of children and attacks on our critical infrastructure.
The Centre will be an invaluable resource for Member States, providing operational support, promoting best practice and gathering intelligence from a wide range of sources.
This intelligence will be used to warn Member States of major cybercrime threats and alert them to weaknesses in their online defences. Besides the Member States, the centre will also work closely with the private sector.
The Centre won't just be inward facing. It will become the natural partner for international initiatives and law enforcement agencies in the field of cybercrime such as the FBI, Secret Service and Interpol.
As you have heard, we have a strong package of measures to prevent cybercrime. But to be effective we have to align these measures with the initiatives we have taken in the wider field of cyber-security.
Some Members of the European Union already have cyber-security strategies in place. And I'm well aware of the US strategy and the efforts you put into that document.
It is now time for the EU to set out a vision of how we can enhance security in cyberspace.
We need everyone — governments, businesses and individuals — to work together and share the responsibility.
Our strategy - I say 'our' because I work closely with Vice President Neelie Kroes responsible for the Digital Agenda, and High Representative Catherine Ashton - will enable a step-change in how we ensure cyber security. This is still a work in progress but let me give you a brief overview of what we intend to cover.
First, we need to communicate the ever-important message that freedom and security in cyberspace are not mutually exclusive. The virtue of an open cyberspace has to be maintained while providing the right level of security.
Secondly, we need to enhance our cyber security resilience and response capability. We must also become better at sharing critical information in a secure and confidential manner: within and between public and private sectors in EU member states.
This is also a major issue for the U.S., and there are areas where we can work together to enhance the sharing of information through transatlantic partnerships.
We must furthermore enhance our resilience against cyber attacks on our critical services, including a cyber component in existing crisis management procedures at EU level.
Third, we all know that the private sector owns and runs most of the infrastructure. So they must be given the incentives to improve their own security and to coordinate more effectively both with national authorities and with each other. For example, the private sector can – and should – be better at managing risks and exchanging information when security breaches do occur.
We know from experience that a top-down approach with governments trying to mandate better cyber security is bound to fail. We have to seek out intelligent ways of working with the private sector to create trust, improve coordination and increase the joint handling of incidents.
We also need better software and more resilient technology in the future. This is primarily a responsibility for the private sector but the EU will continue to invest in security technology innovation.
Finally, since the cyber threat is a global one we need global cooperation. The strategy will therefore identify how the EU can reach out to its strategic partners to make our response more effective.
The EU-U.S. working group is an excellent example. Instead of focusing on the institutional set-up and developing new conventions, we have built upon the Budapest Convention and identified immediate actions to make our citizens and business safer.
We also have the beginning of a strong operational partnership between the EU and the U.S. I am convinced that in the coming months and years we will be able to report back to our citizens on many more successful joint operations between the FBI and Europol.
Although I've outlined some of the good work we have done so far - our transatlantic cooperation, our plans to establish a European Cybercrime Centre and our work on a comprehensive EU strategy - I must also be honest and admit that for the time being the bad guys have the upper hand.
The only way to turn the tables in our favour is for us to act quickly and to act together. And being among friends and colleagues in this room today I'm hopeful we will win this battle.