Security and resilience in the Information Society:
towards a CIIP policy in the EU

Andrea Servida
Deputy Head of Unit
European Commission
DG INFSO-A3
What's ahead:
mobile & ubiquitous Information Society

Broaden communication parties, networking, and business opportunities

[Diagram: the Mobile World (B3G Radio Access, B3G Mobile Network, Mobile NW, Mobile Edge) converging with the Ubiquitous World (Real World) into a Mobile-Ubiquitous NW; the Ubiquitous World spans networks with low-performance devices (e.g. RF tags and sensors), networks with high-performance devices (e.g. home appliances) and Local NWs.]
Network and information security:
The European Context
• Strategy for a Secure Information Society

• Policy initiatives on:
   – fighting against spam, spyware and malware
   – promoting data protection by PET [COM(2007)228]
   – fighting against cyber crime [COM(2007)267]

• Proposed package to reform the Regulatory Framework
  for e-communications [COM(2007)697, COM(2007)698,
  COM(2007) 699]

• European Network and Information Security Agency,
  (ENISA) established in 2004

• A policy initiative on CIIP is announced in the CLWP
  2008 [COM(2007) 640]
Towards a secure Information Society

[Diagram: DIALOGUE (structured and multi-stakeholder) and PARTNERSHIP (greater awareness & better understanding of the challenges), both open & inclusive, resting on the commitment to responsibilities of all actors involved.]
CIP at the EU level

• In June 2004, the European Council asked for an overall
  strategy to protect critical infrastructures

• On 17 November 2005, the Commission adopted a Green
  Paper on the policy options for a European Programme
  on Critical Infrastructure Protection (COM(2005)576)
   – Contributions from 22 Member States and over 100
     private companies and industry associations
   – need for action at the European level to enhance the
     protection and resilience of critical infrastructures

• In December 2006 the Commission adopted
   – a communication and
   – a proposal for a directive on the identification and
     designation of European Critical Infrastructure
Dialogue & Partnership:
CLWP 2008 Policy initiative on CIIP
• Objectives
  – Enhance the level of CIIP preparedness and response
    across the EU
  – Ensure that adequate and consistent levels of
    preventive, detection, emergency and recovery
    measures are put in operation

• Approach
  – Build on national and private sector initiatives
  – Engage relevant public and private stakeholders
  – Adopt an all-hazards approach
  – Strengthen the synergies between the 1st and 3rd pillars
Dialogue & Partnership:
Challenges for CIIP

• Organisational: build trusted relationships and
  engage the stakeholders at the EU level
• Policy orientations: achieve a better understanding
  and clarity on the guiding policy principles
• Issues:
   – national vs. European information infrastructures;
   – long-term Internet stability & resilience;
   – preventive, detection/early warning & responsive measures;
   – recovery and continuity strategies;
   – sharing knowledge and good practices;
   – cross-sector proactive information assurance methods;
   – risk management culture and tools;
   – inter-dependencies, in particular across heterogeneous
     infrastructures; etc.
CIIP - Preparatory activities (1)
• 2006
  – Study on “Availability and Robustness of Electronic
    Communications Infrastructures” (ARECI)

• 2007
  – Informal meeting of national experts on CIIP,
    Brussels, 19 January 2007
  – Public consultation on the final ARECI report drafted
    by Alcatel-Lucent, April 2007
  – Joint Member States and private sector meeting,
    Brussels, 18 June 2007
  – Workshop on “ccTLD contingency practices”
  – Workshop on challenges for awareness raising
  – Study on “Critical dependencies of energy, finance and
    transport infrastructures on ICT infrastructures” (under
CIIP - Preparatory activities (2)

• 2008
  – Workshop on “Learning from large scale
    attacks on the Internet: policy
    implications”, Brussels, 17 January 2008
  – Meeting with MS on the criteria to identify
    European Critical Infrastructures in the ICT
    sector, Brussels, 5 February 2008
  – Planned studies and projects funded under the
    EPCIP financial scheme “Prevention,
    Preparedness and Consequence Management of
    Terrorism and other Security Related Risks”
Workshop on “Learning from large
scale attacks on the Internet:
policy implications”

• Objectives
  – Foster discussions on lessons learnt and best
  – Raise awareness on further Internet security issues
  – Discuss and investigate the value of:
     • EU cooperation
     • International cooperation
     • Public Private Partnership
• Attendance
  – 86 participants
     • 57 delegates from EU MS + EFTA from ministries of
       defence, interior affairs, industry, communications,
       finance, and telecom National Regulatory Authorities
     • 12 experts from academia and industry
Lessons learned
critical issues to be considered

– Availability and reliability of the DNS service
  underpinning the resolution of domain names
– Security of traffic exchange between operators
  (in particular at IXPs)
– Increased complexity: sophistication of attacks;
  professional malware development cycle;
  commercial-like distribution pattern (malware
– Web pages are becoming the vector for infections
– Increased targeted attacks
– Information asymmetry between attackers and
– Attacks exploit P2P and, increasingly, Web 2.0
Lessons learned
current situation

– The distributed nature of the Internet
  • Enhances its resilience
  • But also provides structural vulnerability
  → public policy should respect this distributed
– Critical trends
  • Computers at the edges are more and more part of the
    global infrastructure
  • The distributed nature of P2P is more and more exploited to
    decentralise the command of malware
– Attackers are hard, if not impossible, to identify
– Internet security is a shared responsibility
  • Every stakeholder has a role and responsibility
  • One actor's security brings benefits to others
  → Hence the question of the incentives for
    stakeholders to adopt security measures
Lessons learned
the way forward (1/2)
– Build resilience / harden the infrastructure
  • Redundancy of servers and links, Anycast
  • Security of routing protocols / traffic exchange
  • Security of the DNS service
– Profiling attackers and understanding their
  objectives (know your enemies)
– Response preparedness
  • National contingency plan for the Internet
  • Cyber exercises at national/international level are crucial
  • Strengthen multinational cooperation for rapid response
    (formal rather than informal)
  → Importance of CERTs/CSIRTs and their role in national and
    international cooperation
– Measurement: monitoring of traffic to
  understand what is going on
  • Computers at the edges could be leveraged to build
    collective intelligence
Lessons learned
the way forward (2/2)

– Technology alone will not be sufficient
– Study the economics of security and cyber
– Set up Public Private Partnerships (PPP)
  • Importance of the role of government, which is to
    coordinate and to be a good user
– Develop cross-sector and cross-
  organisational cooperation at national, EU and
  international levels
– Agree on the allocation of responsibilities
– Information and best practice sharing
  → importance of trust
– Raising awareness and education of individuals,
  public bodies, corporate users and service
CIIP – next steps
• Criteria for the ICT sector
   • Questionnaire out → response by mid-March
   • Comments to JRC report by mid-March
   • Next meeting mid-May (tentative)
   • Time frame: end 2008
• Survey on MS policy approaches to CIIP
   • Focus on i) definitions/criteria; ii) risk
     assessment activities; iii) incident response
     capability; iv) Public Private Partnership; v)
     international dimension
   • Questionnaire out → response by mid-March
   • Report: second half of 2008
• Thematic workshops
• Meetings with Member States
• Call for tenders & proposals (next slides)
• A Commission policy on CIIP in early
CIIP – Planned public procurements
EPCIP financial scheme

• 2008
  – In cooperation with DG JLS, three
    planned studies to:
    • Analyse and improve emergency preparedness
      in the field of fixed and mobile telecommunications
      and the Internet (400 k€);
    • Identify the rationale and propose criteria to
      designate European CII in the sub-sectors of
      information system and network protection,
      Internet, fixed and mobile telecommunications
      (500 k€); and
    • Idem in the sub-sectors of instrumentation,
      automation and control systems (350 k€, via
      arrangements with the JRC).
CIIP – Planned calls for proposals
EPCIP financial scheme
• 2008
  – In cooperation with DG JLS, calls on:
    • Analysis of new media capabilities and identification of
      requirements to ensure critical communications
      between authorities and the public
    • Prototype of a European multilingual information
      sharing and alert system to provide appropriate and
      timely information via dedicated e-security web portals
      on threats, risks and alerts as well as on best practices
    • Analysis of the dependency on electrical power of
      modern ICT infrastructures supporting the Internet
      as well as fixed and mobile telecommunications
    • Supporting information sharing in the context of
      Directive 2006/24/EC on the retention of data
      generated or processed in connection with the provision
      of publicly available electronic communications services
      or networks and amending Directive 2002/58/EC
Web sites

DG INFSO web site on the EU
policy on a secure Information Society

Page on CIIP