European Commissioner responsible for Home Affairs
Public-private cooperation in the fight against cybercrime
EU Cybersecurity & Digital Crimes Forum
Brussels, 31 May 2012
Ladies and Gentlemen,
I am glad to have this opportunity to speak to you today.
We know that cybercrime causes serious damage to victims and brings huge losses to our economy.
But beyond that, it affects the way our citizens feel when they go online, and that feeling of insecurity has, in turn, an influence on their behaviour.
A new Eurobarometer survey, to be published shortly, shows that citizens are very concerned about the threat of cybercrime.
Almost three out of four respondents felt that the risk of falling victim to cybercrime had increased in the past year. This fear affects their confidence in shopping and banking online. But it can also affect our willingness to interact with families and friends in the digital world.
* * *
Cybercrime is therefore an attack on basic societal values and citizens' security.
As such, it is the duty of States to combat it with the classical tools they have at their disposal for such serious interferences, namely criminal law and due process. On the other hand, due to its specific features, cybercrime has proven to be a challenge to the effectiveness of traditional law enforcement mechanisms.
The complexity of its structure, consisting mostly of privately-owned infrastructure and numerous layers of different actors across jurisdictions, coupled with the relative anonymity it allows, may render traditional means of policing ineffective.
As a result, cybercrime can only be fought effectively with: (a) a strong involvement of public authorities; (b) a strong commitment from the private sector, including industry and civil society; and (c) an intensive cooperation amongst them.
The first component I mentioned is a strong involvement of public authorities. Let me say a few words on what we do within the EU.
First of all, we must ensure that our legislation keeps pace with new technological developments and enables us to effectively identify and prosecute cybercriminals and protect victims.
We have recently adopted new legislation against sexual abuse and sexual exploitation of children and child pornography. The new directive harmonises the rules across Member States, making cooperation easier and removing procedural obstacles. It will help us to jointly tackle these heinous crimes.
We are currently in the process of adopting a directive on attacks against information systems, which will include measures to address the rising threat from botnets.
Legislation is, however, not enough. We must also equip law enforcement agencies with the operational tools and intelligence to respond to the threat.
Two months ago, I presented our plans to set up a European Cybercrime Centre. The Centre will be established within Europol.
The Centre will be the European focal point in the fight against cybercrime:
It will help to prevent the illegal online activities of organised criminal groups such as online fraud involving credit card and bank credentials;
And it will focus on cybercrimes that cause the most harm, including online sexual exploitation of children and attacks on our critical infrastructure.
The Centre will provide operational support for Member States, promote best practices, and gather information from a wide range of sources. This information will be used to warn Member States of major cybercrime threats and alert them to weaknesses in their online defences.
The Centre will not just be focused on the EU. It will become the natural partner for international initiatives and law enforcement agencies in the field of cybercrime such as Interpol and the FBI.
As such, it will form part of an already well-established, successful international cooperation between the EU and other States. To cite but one example, the EU is cooperating closely with the U.S. in a Working Group on Cyber-security and Cybercrime.
We recognise our responsibility to deepen and expand the cooperation with third States in order to improve the prevention and prosecution of cybercrimes outside the EU as well, and to better protect EU citizens and businesses against threats originating abroad.
* * *
So we have a strong package of measures to prevent and respond to cybercrime. But to be effective we have to align these measures with the initiatives we have taken in the wider field of cyber security.
Some Member States of the European Union already have cyber-security strategies in place, as do a number of other countries. It is now time for the EU to set out a vision of how we can enhance security in cyberspace.
We need everyone - governments, businesses and individuals alike - to work together and share this responsibility.
Our strategy - I say 'our' because I work closely with Vice-President Neelie Kroes, and High Representative Catherine Ashton - will enable a step-change in how we ensure cyber security. This is still a work-in-progress but let me give you a brief overview of what we intend to cover.
First, we need to communicate the ever-important message that freedom and security in cyberspace are not mutually exclusive. The virtue of an open cyberspace has to be maintained while providing the right level of security.
Secondly, we need to enhance our cyber security resilience and response capabilities. We must also become better at sharing critical information in a secure and confidential manner: within and between public and private sectors in EU Member States.
We must furthermore reinforce and enhance the protection of our critical infrastructures against cyber attacks, including a cyber component in existing crisis management procedures at EU level.
* * *
These are all actions the EU will bring forward. The second big component I referred to before is a strong involvement from the private sector, in particular industry. There are a number of ways in which industry can contribute to the security of our citizens online.
Prevention is the first step in reassuring our citizens, and I am very glad that this conference addresses the question of secure design as one of the key elements in reducing threats and ensuring users' confidence.
Most of the infrastructure making it possible to interact online is owned and operated by the private sector. So it also must take responsibility for creating and maintaining robust and resilient systems.
The EU will contribute to this by continuing to invest in security technology innovation, but at the end of the day it is your own house you are protecting as industry.
The third component I referred to is intensive cooperation among all actors. This includes strong public-private partnerships.
The private sector needs to improve security and to coordinate more effectively, both with national authorities and with each other. We are counting on the private sector to find new and better ways to manage risks, exchange information when security breaches do occur, and share best practices.
In turn, public authorities will also have to seek out intelligent ways of working with the private sector to create trust, improve coordination and facilitate the joint handling of incidents. We are committed to doing our part, using the European Cybercrime Centre and other initiatives.
Besides working with the Member States, the centre will also work closely with the private sector. It will encourage and facilitate cooperation between the private sector and law enforcement authorities and other public bodies. It will build trusted networks and information exchange platforms. These should enable cross-community information sharing on a range of issues, including early warning of cyber threats. They should also facilitate collaborative responses to cyber-attacks and other types of cybercrime.
We know how effective and promising our efforts can be when public authorities and private actors cooperate. I welcome the efforts that Microsoft and other private actors have been making and would like to single out two examples of successful public-private cooperation:
First, Microsoft is among the 'founding fathers' of an emerging EU network of cybercrime centres of excellence for training, research and education. The network was started last year with centres in Ireland, France, Belgium and Estonia, and we expect more centres to be created this year. The centres of excellence have become a successful model for law enforcement agencies, universities and the private sector to join forces in developing cybercrime training capacity across the EU.
Second, Microsoft has developed software called PhotoDNA that it makes available to law enforcement and other interested parties free of charge. To put it simply, PhotoDNA can compare two photos and identify them as identical, even where one of the photos has been modified. In child sexual abuse investigations, such software can save police officers a significant number of very uncomfortable hours that they would otherwise have to spend manually going through images of child sexual abuse.
These examples show that public-private cooperation can go a long way in the fight against cybercrime.
However, we are aware that public-private partnerships also face important challenges. Where should the line be drawn between what Internet providers can do, must do or may not do? Who should bear the costs? And how can corporate social responsibility be reconciled with due process or democratic oversight?
We need to hold an open and frank debate on these and other issues.
Industry may develop wonderful investigative tools, but if it does not make them easily and affordably available to law enforcement, it will not help.
Internet service providers may recognise the benefits of having police forces develop intelligence on the attacks they may be victims of. But as long as they fear that by reporting attacks they have more to lose in terms of liability or industrial property than to gain out of that, it will not help.
Your presence here shows your willingness to continue to explore more and novel ways to cooperate around our common aim to strengthen cyber-security and effectively combat cybercrime. For that I am grateful to you. I look forward to exploring new avenues of cooperation with you, and I welcome your suggestions.
The only way to turn the tables in our favour is for all of us to act quickly and to act together. And seeing you here makes me confident that the European Union will continue to be able to count on many partners, public and private, in this quest.