Andrea Servida Deputy Head of Unit


Nov 2, 2013


Andrea Servida
Deputy Head of Unit
European Commission, DG INFSO - A3
Andrea.servida@ec.europa.eu


Security and resilience in Information Society: towards a CIIP policy in the EU


What’s ahead: mobile & ubiquitous Information Society

Broaden communication parties, networking, and business opportunities

[Figure: B3G Radio Access and B3G Mobile Network connecting the Mobile World (Real World) with the Ubiquitous World; networks with low-performance devices (e.g. RF tags and sensors) and networks with high-performance devices (e.g. home appliances); Mobile NW, Ubiquitous Local NW, Mobile-Ubiquitous NW, Mobile Edge]

Network and information security: The European Context

- Strategy for a Secure Information Society [COM(2006)251]
- Policy initiatives on:
  - fighting against spam, spyware and malware [COM(2006)688]
  - promoting data protection by PET [COM(2007)228]
  - fighting against cyber crime [COM(2007)267]
- Proposed package to reform the Regulatory Framework for e-communications [COM(2007)697, COM(2007)698, COM(2007)699]
- European Network and Information Security Agency (ENISA), established in 2004
- A policy initiative on CIIP is announced in the CLWP 2008 [COM(2007)640]

Towards a secure Information Society

- DIALOGUE: structured and multi-stakeholder; an open & inclusive multi-stakeholder debate
- EMPOWERMENT: commitment to responsibilities of all actors involved
- PARTNERSHIP: greater awareness & better understanding of the challenges

CIP at the EU level

- In June 2004, the European Council asked for an overall strategy to protect critical infrastructures
- On 17 November 2005, the Commission adopted a Green Paper on the policy options for a European Programme on Critical Infrastructure Protection (COM(2005)576)
  - Contributions from 22 Member States and over 100 private companies and industry associations
  - Need for action at the European level to enhance the protection and resilience of critical infrastructures
- In December 2006 the Commission adopted a communication and a proposal for a directive on the identification and designation of European Critical Infrastructure

Dialogue & Partnership: CLWP 2008 Policy initiative on CIIP

Objectives
- Enhance the level of CIIP preparedness and response across the EU
- Ensure that adequate and consistent levels of preventive, detection, emergency and recovery measures are put in operation

Approach
- Build on national and private sector initiatives
- Engage relevant public and private stakeholders
- Adopt an all-hazards approach
- Strengthen the synergies between 1st and 3rd pillar measures

Dialogue & Partnership: Challenges for CIIP

- Organisational: build trusted relationships and engage the stakeholders at the EU level
- Policy orientations: achieve a better understanding and clarity on the guiding policy principles
- Issues:
  - National vs. European information infrastructures (criteria);
  - long-term Internet stability & resilience;
  - preventive, detection/early warning & responsive measures;
  - recovery and continuity strategies;
  - sharing knowledge and good practices;
  - cross-sector proactive information assurance methods;
  - risk management culture and tools;
  - inter-dependencies, in particular across heterogeneous infrastructures; etc.


CIIP - Preparatory activities (1)

2006
- Study on “Availability and Robustness of Electronic Communications Infrastructures” (ARECI)

2007
- Informal meeting of national experts on CIIP, Brussels, 19 January 2007
- Public consultation on the final ARECI report drafted by Alcatel-Lucent, April 2007
- Joint Member States and private sector meeting, Brussels, 18 June 2007
- Workshop on “ccTLDs’ Contingency practices”, 19/09/2007
- Workshop on challenges for awareness raising, 07/12/2007
- Study on “Critical dependencies of energy, finance and transport infrastructures on ICT infrastructures” (under negotiation)


CIIP - Preparatory activities (2)

2008
- Workshop on “Learning from large scale attacks on the Internet: policy implications”, Brussels, 17 January 2008;
- Meeting with MS on the criteria to identify European Critical Infrastructures in the ICT sector, Brussels, 5 February 2008;
- Planned studies and projects funded under the EPCIP financial scheme: “Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks”

Workshop on “Learning from large scale attacks on the Internet: policy implications”

Objectives
- Foster discussions on lessons learnt and best practices
- Raise awareness on further Internet security issues
- Discuss and investigate the value of:
  - EU cooperation
  - International cooperation
  - Public Private Partnership

Attendance
- 86 participants
- 57 delegates from EU MS + EFTA from ministries of defence, interior affairs, industry, communications, finance, and Telecom National Regulatory Authorities
- 12 experts from academia and industry


Lessons learned: critical issues to be considered

- Availability and reliability of the DNS service underpinning the resolution of web names
- Security of traffic exchange between operators (in particular at IXPs)
- Increased complexity: sophistication of attacks; professional malware development cycle; commercial-like distribution pattern (malware toolkits)
- Web pages are becoming the vector for infections
- Increased targeted attacks
- Information asymmetry between attackers and targets
- Attacks exploit P2P and increasingly Web 2.0

Lessons learned: current situation

- The distributed nature of the Internet
  - enhances its resilience
  - but also provides structural vulnerability
  - => public policy should respect this distributed nature
- Critical trends
  - Computers at the edges are more and more part of the global infrastructure
  - The distributed nature of P2P is more and more exploited to decentralise the command of malware
  - Attackers are hard if not impossible to identify
- Internet’s security is a shared responsibility
  - Every stakeholder has a role and responsibility
  - One’s security brings more benefits to others
  - => hence, the question of the incentives for stakeholders to adopt security measures

Lessons learned: the way forward (1/2)

- Build resilience / harden the infrastructure
  - Server and link redundancy, Anycast
  - Security of routing protocols / traffic exchange
  - Security of the DNS service
  - Profiling attackers and understanding their objectives (know your enemies)
- Response preparedness
  - National contingency plan for the Internet
  - Cyber exercises at national/international level are crucial
  - Strengthen multinational cooperation for rapid response (formal rather than informal)
  - Importance of CERTs/CSIRTs and their role in national and international cooperation
- Measurement: monitoring of traffic to understand what is going on
  - Computers at the edges could be leveraged to build collective intelligence

Lessons learned: the way forward (2/2)

- Technology will not be sufficient
  - Study the economics of security and cyber crime
  - Set up Public Private Partnerships (PPP)
  - Importance of the role of government, which is to coordinate and be a good user
  - Develop cross-sector and cross-organisational cooperation at national, EU and international levels
  - Agree on the allocation of responsibilities
- Information and best practices sharing
  - importance of trust
- Raising awareness and education of individuals, public bodies, corporate users and service providers

CIIP: next steps

- Criteria for the ICT sector
  - Questionnaire out; responses by mid-March
  - Comments to JRC report by mid-March
  - Next meeting mid-May (tentative)
  - Time frame: end 2008
- Survey on MS policy approaches on CIIP
  - Focus on i) definitions/criteria; ii) risk assessment activities; iii) incident response capability; iv) Public Private Partnership; v) international dimension
  - Questionnaire out; responses by mid-March
  - Report: second half of 2008
- Thematic workshops
- Meetings with Member States
- Call for tenders & proposals (next slides)
- A Commission policy on CIIP in early 2009

CIIP: Planned public procurements, EPCIP financial scheme

2008
- In cooperation with DG JLS, three planned studies to:
  - Analyse and improve emergency preparedness in the field of fixed and mobile telecommunications and Internet (400 k);
  - Identify rationale and propose criteria to designate European CII in the sub-sectors of information system and network protection, Internet, fixed and mobile telecommunications (500 k) and,
  - Idem in the sub-sectors of instrumentation, automation and control systems (350 k, via arrangements with JRC);



CIIP: Planned calls for proposals, EPCIP financial scheme

2008
- In cooperation with DG JLS, calls on:
  - Analysis of new media capabilities and identification of requirements to ensure critical communications between authorities and the public
  - Prototype of a European multilingual information sharing and alert system to provide appropriate and timely information via dedicated e-security web portals on threats, risks and alerts as well as on best practices.
  - Analysis of the dependency on electrical power of modern ICT infrastructures supporting the Internet as well as fixed and mobile telecommunications networks;
  - Supporting information sharing in the context of the Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or networks and amending Directive 2002/58/EC

Web Sites

- DG INFSO Web site on the EU policy on secure Information Society: http://ec.europa.eu/information_society/policy/nis/index_en.htm
- Page on CIIP: http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/large_scale/index_en.htm