Other available languages: none
Vice-President of the European Commission responsible for the Digital Agenda
Securing our Cyber-world
Top Level Conference on Cyber Security of Industrial Control Systems and Smart Grids/Amsterdam,
16 October 2012
Every day, people everywhere rely on the internet ecosystem for ever more services. No longer just a tool for simple information and communication, it can now be a forum for almost any kind of interaction or transaction.
Even today, and increasingly in the future, it will be the tool supporting systems from healthcare to banking; underpinning networks from transport to energy; essential infrastructure for businesses and governments alike.
Those developments are promising for our economy; offering a great boost to competitiveness and productivity. They are great for citizens, opening up a world of convenience and opportunity. And they are great for governments, giving them the 21st century tools to deliver more effective services for their citizens – at less cost.
But as the internet grows in importance, so grows the need to protect our networks and systems. The more we depend on ICT, the more we depend on it to be secure.
The areas you are looking at today are a case in point. Take smart grids. For example "smart electricity meters" can incorporate computing and communication ability. These technologies can inform and empower consumers, integrate small-scale renewable energy better to the grid, and better manage electricity supply. But, on the other hand, those features increase the risk and consequences of attack. With every household potentially a weak link, we would also make our system of power generation and distribution more vulnerable.
Equally, attacks on industrial control systems could prove devastating; and not just economically. We already know of viruses deliberately targeted to nuclear facilities.
Attacks on information networks can occur for a variety of reasons: whether the perpetrators seek financial gain, political activism, or merely attention.
But one thing is clear, these are growing in number and seriousness: the number of web-based attacks went up 36% between 2010 and 2011. The range of actors taking part in cyber-attacks is growing – including, sometimes, state actors. And the economic consequences of a major breakdown of Critical Information Infrastructure could amount to hundreds of billions of euros.
The Commission has been working to boost cyber-security for over 10 years now. But in today's new environment, we need to raise our game. We need to act strategically; we need to work together; and we need to give this attention at the highest political level. And that is exactly what we will do with our forthcoming European Cyber-security Strategy.
Thank you to the many of you who took part in our consultation on that Strategy, which closed yesterday. Well over one hundred organisations and individuals did so. Let me give you some early outcomes from that exercise, and some early indications of our thinking.
Two in three responses to our consultation agreed on the need for regulatory requirements to manage these security risks, of whom the great majority believed it should be at EU level. And here's what I think our EU strategy needs to contain.
First, it's clear that dealing with this issue calls for serious cooperation between the countries of the EU. The internet knows no borders; we are only as strong as the weakest link in the chain.
So we need protection within the EU to be consistent, and high. Not through centralised EU control – an approach based on dialogue, partnership and empowerment is much more appropriate. But equally, disconnected individual actions risk raising barriers to entry, and shattering our Single Market: cyber-protectionism is not the answer.
Our strategy will set out how to raise protection levels across Member States; ensure countries are more prepared; and establish mechanisms for cross-border cooperation. For example: already every country should have functioning and well-staffed cyber emergency response teams. But there's a strong case for moving from a voluntary to a binding approach here, to ensure at least a minimum level of joint protection.
Second, different sectors, public and private, need to be involved and responsible. Key infrastructure is operated by a mix of public and private stakeholders: whether it's cloud services, energy grids, transport, healthcare, or the financial sector.
For the telecoms sector, there is already a legal obligation to manage security risks – and report significant security breaches too. But, these days, more and more other sectors interact with, and critically depend on, those ICT networks: there's an urgent case for extending those obligations, and creating a level playing field. And indeed around 90% of respondents to our consultation agreed there should be network and information security requirements in sectors like banking, energy, transport, healthcare, internet services and public administrations.
Plus, it's often the private sector which can produce the technical solutions to defend against cyber-attacks. And our strategy, supported by the EU's research programme, will help them to do just that, and stimulate a rich and competitive EU industry.
What's more, we must cooperate within the private sector; cooperate between critical infrastructure sectors; and cooperate with public partners. That's essential nationally, and also at EU level. I am aware that many of you have a very positive and proactive attitude to this and I can only support that.
Third, the responsibility for cyber-security lies with everyone, down to each and every ordinary internet user. In fact, there are many simple steps people can take to improve their security online: like choosing a sound password, and storing information safely. We need to raise awareness of those steps. That's why I'm delighted that this month is European Cyber Security Month – a great way to present these issues to the general public in fun, engaging ways. And there are such initiatives going on in many Member States. Currently just a pilot, I hope it's something we can build on in years to come.
And finally, cooperation doesn't stop at Europe's borders. We are working with partners like the US: and very constructively. Our working group on Cyber-security and Cyber-crime has already shown its worth as a tool for information-sharing and joint activities; like the joint workshop on smart grids yesterday. And indeed events like this very conference stem from that cooperation. I think this is a great and workable model; and hope it extends further.
And I'm delighted we are later signing the World Economic Forum's Partnership for Cyber Resilience. These are not just a set of important principles: they are evidence of how we can work together, as public and private sector leaders, to raise awareness and build resilience.
I'm fully committed to such principles. In a hyper-connected world, we must contribute to a safe, shared digital environment. And we should recognise our own responsibility in setting the right tone and structure for cyber resilience.
Ladies and gentlemen,
Cyber-security is a top priority, and needs top political attention. On the other side of the Atlantic, President Obama has long recognised this as a national security priority. He's right: it is.
It's time we took that attitude here in Europe too. It's time to give cyber-security the attention it deserves. Let's be strategic, let's work together, and let's ensure we protect our infrastructure, and our citizens, in the digital age.