Speech - How to make Europe the world's safest online environment
European Commission - SPEECH/13/903 11/11/2013
Vice-President of the European Commission responsible for the Digital Agenda
How to make Europe the world's safest online environment
Cyber Summit / Bonn
11 November 2013
Our world is entering the digital age. And it is becoming ever more important to keep that digital world safe and secure.
Recent headlines show us the sheer scale of hacking and spying, and the significance for our privacy, and for our economy.
But let's recall three trends.
First: the online world is coming to benefit every aspect of our lives, bringing innovation, convenience and efficiency.
And no wonder. New innovations like the cloud offer a hundred-billion euro boost to Europe.
We cannot turn our backs on those benefits. But, with that growing spread, online threats have correspondingly growing consequences. And a lack of trust can only hamper widescale use, and constrain those benefits.
Second: risks are mounting. According to Symantec, the total number of attacks increased by 81% in just one year. In ever more forms: from identity theft and phishing — to botnets, Trojans and denial-of-service attacks. And more besides.
Third: these risks imply significant costs. Each year, many businesses, if not the majority, face security breaches: even for a smaller business, the cost can be tens of thousands of euros per breach. For a major incident the cost could amount to over a quarter of a trillion dollars. Let's hope that doesn't happen.
But let's not get confused between the different issues in play here. Let's understand the situation, recognise which tools we have available, and use the right one for the right job. Let's not confuse privacy with security, or confidentiality with integrity.
Data protection is a fundamental right that we must safeguard. People have a right to know and control how their data is used.
Not least because the further data is spread, the more vulnerable it becomes.
We must protect our citizens, so their data is not misused in that way. Not destroying the digital opportunities they enjoy every day, but protecting proportionately.
So data protection is an important part of the picture. But let's be realistic.
Spying may be unacceptable. But it's been going on for some time. Maybe it's the world's second oldest profession. And it's not about to stop.
You won't prevent it just by making it illegal. Nor just by fining a handful of US corporations.
That's not the way the world works. So let's not be naïve.
Recent revelations about the scale of online spying have been astonishing. But let's not just sit there stunned like a rabbit in the headlights. Nor submit to hysteria. Let's protect ourselves.
And the fact is, if you want to stop a burglar breaking through your front door, you don’t need a good lawyer, you need a good lock.
The answer does not lie in constraining data within national borders. Hiking up the drawbridge and creating isolated national fortresses.
With separate systems in each country, slicing our single market into tiny pieces.
That wouldn't promote secure European innovations. It would merely throw out the baby with the bathwater.
Rather the answer lies in bringing those barriers down. For a unified European market, with economies of scale, where new secure ideas can flourish and find a home. So Europe can become the safest online environment in the world.
Our cybersecurity strategy is about ensuring an online world that is open, free, safe and secure. Promoting the EU's core values, and human rights. Online just as we do offline.
With measures like to drastically reduce cybercrime.
And to enhance our international cyberspace policy. We already discuss these issues regularly with major international partners, and are looking into cooperation with yet more. And in multilateral fora, like the Seoul conference on cyberspace. We don't need new legal treaties; and the Budapest Convention is already there to be ratified. But international norms for state behaviour in cyber space could boost both free trade and fundamental rights.
And we can continue to help other countries to build their capacity: in areas from technical to judicial, to law enforcement.
But cybersecurity goes beyond those issues.
It's also about building European resilience and know-how.
If we want Europeans to have confidence in the online world. If we want strong European players able to provide that assurance. If we want European data and European systems subject to European safeguards.
Then we need networks and systems that are strong and secure.
We need an environment where those who manage and use ICT have the incentives to use high-quality security. Public and private.
And we need the best technology. Maybe this means that we make it ourselves in Europe, thanks to a vibrant, European market that innovates to create those security solutions. And this is why we are increasing R&D in cybersecurity. Or maybe it requires that we verify that the ICT equipment and applications we buy are not designed with backdoors built in!
There are a range of ways we are achieving those goals.
Our European Cloud Partnership is about governments joining forces, to stimulate a market and find secure cloud solutions for Europe. Using the power of public procurement, worth one fifth of the cloud market.
With common standards so Governments can leap into the cloud, without compromising on security. And indeed that Partnership is meeting once again in just a few days, in Berlin.
We also need to build the resilience of our networks and systems.
We already have rules so telecoms operators stay secure: to ensure they take the right measures and notify any significant incidents.
But we need to extend those rules.
Because there is so much critical infrastructure out there – energy, transport, health, banks. Infrastructure that increasingly relies on telecoms networks, but is not run by telecoms operators. Infrastructure that needs to operate continuously, and to stay secure.
Attackers can just target the weakest link in the chain, and we need protections across that chain.
And it's not right that telecoms operators should have to take all the precautions and shoulder all the burden. When other over-the-top internet companies do not. That isn't fair competition and it is jeopardising our security.
So those are the kinds of safeguards we are trying to create through our proposed legislation. The three C's: better capabilities to avoid and respond to cyber attacks. A better culture: more aware, more proactive and more transparent. And more cooperation between EU countries, at strategic and operational levels.
But we are not just relying on legislation.
We will also be providing general guidance, so governments and the private sector can adapt, and take the tailored measures that match the specific risks they face, and the arrangements they already have in place.
We have created a network and information security "platform" – where 180 public and private organisations get together to identify best practices that can inform our work. Ensuring more consistency for a truly European market. Looking at areas from public procurement, to security labels, to research and development priorities.
We are raising awareness through events like European cybersecurity month.
And of course we are also investing in research and innovation in security. New ideas to build securer societies and industrial leadership in cybersecurity, trustworthy ICT and privacy. Keeping systems safe and data secure.
This is not about heavy-handed measures, and it's not about trying to devise "one size that fits all". It's about a risk-based approach, one where different companies and organisations of different sizes do what is needed, proportionately to the threat they face.
Often the solution is relatively simple. Some reckon as many as 85% of successful intrusions could be prevented just by decent "cyber-hygiene" practices.
Any reasonable company, of any shape or size, will already manage the risks and threats to their business. Now, as business goes online, we need to make cyber-threats a part of their thinking, too.
This is important.
The EU's most senior politicians realise this. Just a few weeks ago, EU leaders, including Chancellor Merkel, formally acknowledged the importance of the digital economy. And they endorsed some bold decisions to get our economy online, and give it the single market boost. For high-quality, pan-European networks and services. Creating the environment where we can get every European digital: within a telecoms single market.
They also underlined the essential role of trust in that digital economy, and for completing the European digital single market. They called for Europe to stay at the forefront in taking up the cloud. To promote high standards for secure, high-quality and reliable cloud services. And for timely adoption of our network and information security Directive.
So now I hope we can treat these issues with the urgency they deserve. And in particular to adopt the Directive before the European Parliament rises.
We are prepared to work with Member States and the Parliament on that issue. And I hope that we can put minor disagreements aside, for the sake of a stronger, more secure Europe.
We cannot ignore the mandate leaders have given us. Nor the imperative for a secure, resilient connected continent. We must act, and fast.