Strategy for a secure information society (2006 communication)

The purpose of this Communication is to revitalise European policy on network and information security by identifying current challenges and proposing measures to tackle them. The strategy proposed by the Commission involves all relevant stakeholders and is based on dialogue, partnership and empowerment.

ACT

Communication from the Commission of 31 May 2006: A strategy for a Secure Information Society - "Dialogue, partnership and empowerment" [COM(2006) 251 final - not published in the Official Journal].

SUMMARY

Community action: overview

Up to now, the European Commission has tackled security issues in the Information Society by adopting a three-pronged approach embracing:

specific network and information security measures;
the regulatory framework for electronic communications and, in particular, the Directive on privacy and electronic communications;
the fight against cybercrime.

Community measures in this area also include:

European programmes devoted to research and development - the 7th Framework Programme will help reinforce security-related research by establishing a European Security Research Programme;
the Safer Internet programme, which promotes safer Internet usage and aims to protect end-users against undesirable content.
involvement in international forums addressing these topics, such as the Organisation for Economic Co-operation and Development, the Council of Europe and the United Nations. At the world summit on the Information Society, held in Tunis in November 2005, the European Union (EU) strongly supported the discussions on the availability, reliability and security of networks and information.

In 2004, the Community established the European Network and Information Security Agency (ENISA). ENISA's mission is to help increase network and information security within the Community and to promote the emergence of a culture of network and information security for the benefit of citizens, consumers, businesses and public sector organisations.

These measures and initiatives are to a large extent interdependent and involve many different stakeholders, and so a coordinated strategy is called for. This Communication sets out such a strategy for developing a coherent, holistic approach to network and information security.

KEY CHALLENGES

Despite the efforts already made, security continues to pose challenges to public bodies, businesses and private users alike. The risks are often underestimated even though the relevance of information and communication technologies (ICT) for the European economy and European society as a whole is undeniable. Furthermore, other critical infrastructures are also becoming more and more dependent on the integrity of their respective information systems.

Attacks on information systems

Attacks on information systems are increasingly motivated by financial profit. Personal data are illegally mined without the user's knowledge, while the number of malware variants is increasing rapidly, as is the rate at which they are evolving. For example, spam is now used as a vehicle for spreading viruses and spyware.

Use of mobile devices

The increasing deployment of mobile devices (including 3G mobile phones, portable videogame consoles, etc.) and mobile-based network services poses new threats to security. These threats could turn out to be more dangerous than attacks on PCs as the latter already have a significant level of security.

Advent of "ambient intelligence"

Another significant development in the Information Society is the advent of "ambient intelligence", where intelligent devices supported by computing and network technology will become a ubiquitous part of everyday life in the near future. This development brings with it many opportunities, but it will also create additional security and privacy-related risks.

Raising awareness of users

In order to successfully tackle the problem of underestimating the risks, all stakeholders need reliable data on security incidents and trends.

At the same time, it is important that awareness programmes designed to highlight security threats do not undermine the trust and confidence of consumers and users by focusing only on the negative aspects of security. Network and information security should be presented as a virtue and an opportunity rather than as a liability and a cost.

THE PROPOSED APPROACH

In order to tackle the challenges presented by network and information security, the Commission proposes an approach which is based on dialogue, partnership and empowerment.

Dialogue

The Commission proposes a series of measures designed to establish an open, inclusive and multi-stakeholder dialogue:

benchmarking exercise for national policies relating to network and information security. This should help identify the most effective practices so that they can then be deployed on a broader basis throughout the EU. In particular, this exercise will identify best practices to improve awareness among small and medium-sized enterprises (SMEs) and citizens of the risks and challenges associated with network and information security;
a structured multi-stakeholder debate on how best to exploit existing regulatory instruments. This debate will be organised within the context of conferences and seminars.

Partnership

Effective policy making requires a clear understanding of the nature of the challenges to be tackled. This calls for reliable, up-to-date statistical and economic data. Accordingly, the Commission will ask ENISA

to build up a partnership of trust with Member States and stakeholders in order to develop an appropriate framework for collecting data;
to examine the feasibility of a European information sharing and alert system to facilitate effective responses to threats. This system would include a multilingual European portal to provide tailored information on threats, risks and alerts.

In parallel, the Commission will invite Member States, the private sector and the research community to establish a partnership to ensure the availability of data pertaining to the ICT security industry.

Empowerment

The empowerment of stakeholders is a prerequisite for fostering their awareness of security needs and risks, thus promoting network and information security.

For this reason, Member States are invited to

proactively participate in the proposed benchmarking exercise for national policies;
promote, in cooperation with ENISA, awareness campaigns on the benefits of adopting effective security technologies, practices and behaviour;
leverage the roll-out of e-government services to promote good security practices;
stimulate the development of network and information security programmes as part of higher-education curricula.

Private sector stakeholders are also encouraged to take initiatives to

define responsibilities for software producers and Internet service providers in relation to the provision of adequate and auditable levels of security;
promote diversity, openness, interoperability, usability and competition as key drivers for security, and to stimulate the deployment of security-enhancing products and services to combat ID theft and other privacy-intrusive attacks;
disseminate good security practices for network operators, service providers and SMEs;
promote training programmes in the private sector to provide employees with the knowledge and skills necessary to implement security practices;
work towards affordable security certification schemes for products, processes and services that will address EU-specific needs;
involve the insurance sector in developing risk management tools and methods.

COMPLEMENTARY INITIATIVES

The Commission will complement this approach with other initiatives by

adopting a Communication on the way in which spam and other threats, such as spyware, is evolving;
making proposals for improving cooperation between law enforcement authorities and for addressing new forms of criminal activity - this issue will be the subject of a Communication dealing specifically with cybercrime;
creating an action plan to achieve the objectives of the Commission's Green Paper on the European Programme for Critical Infrastructure Protection;
conducting a review of the regulatory framework for electronic communications in 2006.

Background

This Communication follows on from the " i2010- A European Information Society for growth and jobs " initiative, which aims to boost the e-economy in Europe. The i2010 initiative highlights the importance of network and information security for the creation of a single European information space.

RELATED ACTS

Communication from the Commission of 1 June 2005: "i2010 -A European Information Society for growth and employment" [COM(2005) 229 final - not published in the Official Journal].

Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems.

Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency [Official Journal L 77, 13.3.2004].

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [Official Journal L 201, 31.7.2002].

Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions of 6 June 2001: "Network and Information Security: Proposal for a European Policy Approach" [COM (2001) 298 final - not published in the Official Journal].

Communication from the Commission to the Council of 26 January 2001: "Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime" [COM(2000) 890 final - not published in the Official Journal].

See also