Speech - Towards a coherent international cyberspace policy for the EU
European Commission - SPEECH/13/82 30/01/2013
Vice-President of the European Commission responsible for the Digital Agenda
Towards a coherent international cyberspace policy for the EU
Global Cyber Security Conference, Brussels
30 January 2013
I welcome today's debate on cybersecurity. This discussion could not come at a better time.
Every day, people across the world use digital technologies for all kinds of activity, from communication to healthcare, from entertainment to banking. Not to mention businesses and governments using these networks to deliver their many services.
The digital transformation offers a boost to all. A stronger society; a more prosperous economy; a platform to exercise human rights. We must ensure that our citizens and our businesses can get all those benefits, securely.
Overall the internet offers a boost to productivity, innovation, economic growth. It creates 5 jobs for every 2 lost. That’s an opportunity we can't turn our backs on: we should do everything we can to achieve them. But rising threats, rising vulnerabilities, and lack of trust all stand in the way.
The reasons for these risks vary. Sometimes it's about outright attacks; sometimes it's people making mischief; sometimes just mistakes or natural disasters.
And indeed some of these cases are high-profile. In 2011, for example, you may recall the case of Dutch certification company Diginotar; or the security breaches at national registries for the EU's emissions trading system. Two years ago the Dagmar storm wrecked millions of communications links. And so on.
The costs of insecure systems are high. According to the World Economic Forum, over the next decade, there is a 10% chance of a major breakdown costing over a quarter of a trillion dollars.
In just one year, PWC found that three quarters of UK small businesses, and 93% of large ones, had suffered a cybersecurity breach. Bear in mind each breach can cost tens of thousands of euros; for a large business ten times that. And the cost of data breaches can be millions, not to mention the reputational damage.
And risks are mounting. According to Symantec, the total number of attacks increased by 81% in just one year. And in ever more forms: denial-of-service, Trojans, worms, identity theft, botnets, phishing, you name it. And I know that many of you will yourself have experienced incidents with significant impacts.
Such events undermine trust, and often mean vital services or transactions need to be suspended.
Yet in spite of those issues, most ICT users are not aware enough of the risks they face online: and many are insufficiently prepared. And the majority of incidents could be prevented, by taking just simple or cheap measures.
These risks aren't constrained by borders – neither within nor outside the EU. They don't stay meekly contained within one sole jurisdiction, under the watchful eye of a single authority. On a globally interconnected network, they travel freely, and they seek out the weakest link in the chain.
And if threats do not stop at national borders, nor does the responsibility to secure ourselves against them. This is a global problem needing a global response.
Fragmentation and duplication won't help: we need to cooperate, in all kinds of ways. We have long supported measures to boost that cooperation within the EU. But as its importance rises, so does the imperative to do more.
Our EU Cybersecurity Strategy will propose a comprehensive approach. To improve the resilience and security of network and information systems, step up the fight against cybercrime, strengthen our international cybersecurity policy, and explore synergies with defence.
Alongside the Strategy will be a proposed Directive to strengthen cyber resilience and network and information security, within our internal market.
Let me outline our objectives. I've already mentioned the need for cooperation. And that will take place on several levels.
For a start, we need cooperation between policy areas. There are many aspects to cybersecurity: like prevention, resilience, law enforcement and defence. That calls for collaboration between those responsible for digital affairs, home affairs and external action. And that is exactly why I have been working closely with Cathy Ashton and Cecilia Malmström, and we will be presenting this strategy together.
Second, cooperation means cooperation between the countries of the EU. But that can only happen with some consistency, involving everyone: it shouldn't just be an exclusive club for the top performers. And across the EU, some countries are still not prepared enough: there are gaps in their capabilities. So we will propose that all EU countries equip themselves properly for network and information security: like by requiring each to have a well-functioning Computer Emergency Response Team. Member States would also need a competent authority for network and information security, who should cooperate at EU level, supported by the European Network and Information Security Agency.
Third, we need cooperation between public and private sectors. On the one hand, the public sector can set the framework, providing the right incentives to secure their systems, and can lead by example. On the other, it is the private sector that actually owns and operates most of the networks.
There is already much, welcome cooperation happening between public and private sectors. So we will encourage and develop Public-Private Partnerships, by leveraging existing work, like the European Public-Private Partnership for Resilience.
But we all need to do our bit. Did you know, for example, that as of last year, only one in four EU companies had a regularly-reviewed, formal ICT security policy? Even among ICT companies, the figure is only one in two. That's not enough.
Here's one way to help. In the Diginotar case, they did not report that their systems were hacked, nor did they revoke the digital certificates. That resulted in certificates being fraudulently issued and circulating online; ultimately undermining trust in the system.
In the telecoms sector, we already have obligations to report significant incidents. And some Member States have taken similar measures in a number of sectors, including the Dutch, following Diginotar.
The fact is, more and more sectors use telecoms networks in ways vital to our economy and society – energy, transport, banking, healthcare, and key internet companies. So we should extend those reporting obligations to those new sectors.
Fourth, we need international cooperation: this isn't just the EU's issue. We need a coherent international cyberspace policy for the EU.
We will strengthen cooperation with key international partners like the US, Japan, OECD, OSCE, UN and ITU. We will take an active part in the global debate to develop norms for responsible behaviour in cyberspace. And we will help build cybersecurity capacity in third countries.
Overall, our international actions must promote EU core values and fundamental rights: like freedom of expression, access to information, privacy and data protection.
Fifth, we will develop an integrated market for secure ICT solutions. With initiatives and incentives so all players in the ICT value chain embrace a cybersecurity culture. From equipment manufacturers to software sellers; service providers to operators; online banks to online retailers.
With the right investment in R&D, and the right policy framework, we can turn research results into commercial reality. And indeed the new European research and innovation programme, Horizon 2020, will be a key instrument. To boost our industrial policy, promote a trustworthy European industry, advance the internal market and reduce our dependence on foreign technologies.
Sixth, there will be a number of other measures: like stepping up the fight against cybercrime. Like improving EU coordination. And indeed the European Cybercrime Centre, recently opened within Europol in The Hague, could gradually serve as a voice for the law enforcement community, in the EU fight against cybercrime.
Plus we will take further measures to fight botnets; improve the security and resilience of Industrial Control Systems and Smart Grids; and make users both more aware of risks — and empowered to tackle them, so we can all play our part in this common responsibility.
In short, this Strategy will help Europe get its own house in order — and become an even more trusted partner at the international level.
I hope that this Strategy will open a constructive debate: and I hope you will take part in it.
As more people come to rely on the Internet, they rely on it to be secure. And as the online world becomes a part of everything we do, securing that world is essential to ensuring a society that remains secure, prosperous and free. Thank you.