16.12.2014   

EN

Official Journal of the European Union

C 451/31

Rapporteur:

Mr McDonogh

1.1

The Committee would like to see an EU-level authority for cyber security created, analogous to the central authority in the aviation industry, the European Aviation Safety Agency (EASA), to provide the strength of leadership required at EU-level to deal with the complexities of implementing an effective Europe-wide cyber security policy.

1.2

Informed and empowered citizens are critical to strong cyber security in Europe. The education of citizens in personal cyber security and data protection should be a fundamental part of school curricula and workplace training programmes. Furthermore, the EU should drive public information programmes and initiatives across the Union on these topics.

1.3

Businesses should be required by law to have a proactive approach to protecting themselves from cyber attacks, including secure and resilient information and communications technology (ICT) and training for staff on security policies, just as there are on health and safety issues.

1.4

Every Member State should have an organisation whose job it is to inform, educate and support the SME sector on issues regarding cyber security best practice. The large firms can easily acquire the knowledge they need but SMEs need support.

1.5

The mandate of the European Network and Information Security Agency (ENISA) should be extended and funding provided to take more direct responsibility for cyber security education and awareness programmes especially targeted at citizens and small and medium-sized enterprises (SMEs).

1.6

Businesses and organisations need to heighten the awareness of responsibility for cyber security at Board-level. The potential corporate liabilities resulting from inadequate cyber security policy and actions should be explicitly communicated to the directors of all organisations.

1.7

Because of their critical role in the provision of online services, all Internet Service Providers (ISPs) in the EU should have special responsibility for protecting their customers from cyber attacks. This responsibility should be defined and enshrined in legislation at EU level.

1.8

To ensure that the great potential for economic growth from the dynamic expansion of cloud computing is quickly realised (1), special security requirements and obligations should also be imposed at EU level on the providers of cloud services.

1.9

The Committee considers that voluntary measures are not enough, and so there need to be strong regulatory obligations on Member States to ensure harmonisation, governance and enforcement of European cyber security. Legislation is also needed to make notification of significant cyber security incidents mandatory for all businesses and organisations, not just for critical infrastructure providers. This would help increase Europe's response to threats, as well as increase the knowledge and understanding of cyber attacks so that better defences can be developed.

1.10

The Committee strongly recommends that the EU takes a design-led approach to tackling the menace of cyber attacks, by ensuring that all the technology and services used in Europe to provide Internet connectivity and online services are designed to provide the highest possible levels of security from cyber attacks. Design considerations should especially focus on the man-machine interface.

1.11

The EESC wants to see substantial cyber security standards developed and disseminated for all ICT networking technology and services by European Standardisation Organisations. These standards should include a compulsory code of practice to ensure that all ICT equipment and Internet services sold to European citizens conform to the highest standards.

1.12

The EU must act without delay to ensure that every Member State has a fully functioning Computer Emergency Response Team (CERT) in place to protect itself and Europe from cyber attacks.

1.13

The Committee demands that the European Cyber Crime Centre (EC3) at Europol receives the additional funding it requires to fight cybercrime and to strengthen cooperation between police forces in Europe and with forces outside the Union, to increase Europe’s capability to capture and prosecute cyber criminals.

1.14

To sum up, the EESC considers that EU cyber security policy needs to deliver in particular on the following points: strong EU leadership; cyber security policies that enhance security while preserving privacy and other fundamental rights; awareness raising among citizens and encouraging proactive protection approaches; comprehensive Member State governance; informed and responsible business action; deep partnership between governments, the private sector and citizens; adequate investment levels; good technical standards and sufficient R&D&I investments; international engagement. To this end, the Committee reiterates its recommendations concerning cyber security policy as voiced out in many previous opinions (2) and calls on the Commission to follow-up on the actions demanded therein.

2.1

The Internet economy generates over one fifth of GDP growth in the EU and 200 million Europeans buy online each year. We depend on the Internet and connected digital technology to support our vital energy, health, government and financial services. However, the critical digital infrastructure and services that play such an essential role in our economic and social lives are vulnerable to a growing risk of cyber attacks that threaten our prosperity and quality of life.

2.2

The Committee believes that the Union’s increasing dependency on the Internet and digital technology is not sufficiently matched by practices and policies that provide an adequate level of cyber security across Europe now and into the future. The purpose of this opinion is to highlight the gaps that the Committee sees in EU cyber security policy and to recommend enhancements that would increase the mitigation of cyber attack risks.

2.3

The motivations for cyber attacks can range from the very personal, for example revenge against a person or a company, to cyber spying by nation states and cyber war between countries. While preparing this opinion, it was decided to narrow the scope to deal purely with criminally motivated cyber attacks, so as to focus the recommendations on the problems of primary concern to the majority of the Committee. The complex political debate on cyber attacks by Member States against citizens and other states might be a topic for a future opinion.

2.4

This opinion deals only with cyber attacks by cyber criminals motivated by money, which account for the vast majority of attacks. By putting in place cyber security policies and practices to deal effectively with cyber attacks for criminal motives, the risks from cyber attacks motivated by political or more personal motives are also reduced.

2.5

Whereas the EU has made good progress with the implementation of the Trust and Security actions in the Digital Agenda and has developed a wide-ranging cyber security strategy that addresses most of the objectives outlined above, more needs to be done.

3.1

A cyber attack is any type of offensive action that targets computer information systems, infrastructures, computer networks, and/or personal digital devices by various means of malicious acts to steal, alter, or destroy a specified target. The target can be money, data or information technology.

3.2

Cyber criminals launch cyber attacks to steal money or data, to commit fraud, criminal espionage or extortion. Cybercrime attacks can damage the essential networks and services that we depend on for health, safety and economic well-being, including government, transport, and energy networks.

3.3

The threat from cyber attacks is keeping pace with our growing dependence on the Internet and digital technology. According to a recent report from Symantec, the total number of data breaches in the world increased by 62 % in 2013, amounting to more than 552 million records exposed. These breaches often exposed real names, birth dates, or government ID numbers, medical records or financial information. Furthermore, 38 % of mobile users have experienced mobile cyber crime in the past 12 months.

3.4

Cyber attacks can have a major impact on individual companies and on Europe's wider economy:

3.5

Cyber attack techniques are constantly evolving:

3.6

There is common agreement among cyber security organisations on the priority actions that citizens and businesses should take to protect themselves from cyber attacks. These practices should be the communicated in every cyber security awareness and education programme:

3.7

Small companies often lack sufficient IT support to keep abreast of potential cyber threats; so they need special help to protect themselves from cyber attacks.

3.8

Disclosure of cyber attacks and system vulnerabilities is essential to combatting cyber attacks, especially when tackling so-called zero-day attacks, i.e. new varieties of attacks not previously known to the cyber security community. However, businesses often do not publicise cyber attacks because of reputational and liability fears. This lack of disclosure hurts Europe's ability to respond speedily and effectively to cyber threats, and to improve general cyber security through shared-learning.

3.9

Citizens and businesses buy Internet access and services through Internet Service Providers (ISP). Because of their critical role in the provision of online services it is vital that ISPs provide the highest possible level of protection from cyber attacks to their customers. In addition to ensuring that their own services and infrastructure are designed and maintained to provide the highest levels of cyber security, the ISPs should provide excellent advice on cyber security to their customers, and should have special protocols in place to help identify and combat cyber attacks on customers as they occur. This responsibility should be defined and enshrined in legislation at EU level.

3.10

Accelerating the adoption of cloud computing by citizens and business in Europe is very important to the economy of the EU (3). As the reliance on cloud computing for personal and business applications increases, it is important for Europe to especially ensure the cyber security of cloud service providers. Uncertainty about the security of cloud services is negatively impacting the rate of adoption of this dynamic technology. The Committee would like the EU to impose special security requirements and obligations on the providers of cloud services to support the growth of cloud computing in Europe.

3.11

Special efforts must be made to recruit employees for Europe's cyber security industry. The demand for graduate-level information security workers is expected to grow by more than twice the rate of increase for the overall computer industry. In this context, the Committee draws the attention of the Commission to the success of competitions in the US and in some Member States, at raising cyber security awareness and cultivating the next generation of cyber security professionals.

3.12

One of the best strategies for protection from cyber attacks is to take a design-led approach by ensuring that all the technology and services used in Europe to provide Internet connectivity and online services are designed to provide the highest possible level of security from cyber attacks. Design considerations should especially focus on the man-machine interface. This would involve collaboration between technology manufacturers, Internet service providers, the cyber security industry, EC3, ENISA, the national defence and security agencies of Member States, and citizens. The organisation of this design approach to cyber security could be organised at EU-level by the Commission and perhaps coordinated by ENISA.

4.1

The EU is developing a comprehensive strategy (4) to increase cyber security for Europe’s citizens:

4.2

The EESC reacted forcefully to the Commission's proposal for the Directive on Network and Information Security (NIS) (6) because the proposed measures were considered too soft and would not push Member States sufficiently to protect their citizens and business against cyber attacks. However, while adopting the proposed Directive, the Parliament further weakened its usefulness by strictly limiting the Directive's application to providers of ‘critical infrastructure’, thus removing its application to search engines, social media platforms, Internet payment gateways and cloud computing services providers.

4.3

The proposed NIS Directive will not now be sufficient to provide the legislation required to enhance threat awareness and responsiveness to cyber attacks in the Union. The Committee would like to see new legislation enacted to make notification of all significant cyber security incidents mandatory, not just for critical infrastructure providers. The lack of mandatory reporting helps cyber criminals thrive on the ignorance of vulnerable targets.

4.4

The EU should consider expanding the mandate of ENISA to strengthen cyber attack threat awareness and response across the Union. Perhaps the role of ENISA could be expanded to take more direct responsibility for cyber security education and awareness programmes especially targeted at citizens and SMEs.

4.5

The European Cyber Crime Centre (EC3) was established at Europol in 2013 to increase Europe’s ability to fight cyber crime. EC3 acts as a central hub in Europe for criminal intelligence and it supports Member States' operations and investigations of cyber attacks. However, in its first annual report EC3 warns that its current resources are already constraining the progress of investigations and that EC3 will not be able to cope with the level of major investigations coming-into it.

4.6

The EU should request the European Standardisation Organisations — CEN, CENELEC and ETSI — to develop cyber security standards for any software, ICT hardware or Internet-based services for sale in the EU. These standards should be continually updated to keep pace with new threats.

4.7

Legislation is needed to make notification of significant cyber security incidents mandatory for all businesses and organisations, not just for critical infrastructure providers. This would help increase the mitigation response to live threats as well as increase knowledge and understanding of cyber attacks being perpetrated, thus helping authorities, the cyber security industry, businesses and citizens to improve cyber security and to combat threats. To encourage the sharing of cyber attack information, any legislation should provide appropriate anonymity for businesses and organisations providing notification of an attack. Considerations should also be given to the provision of liability protection where appropriate.

4.8

Despite the initiatives undertaken by the EU, the Member States have very different levels of capabilities and preparedness, leading to fragmented responses to cyber attacks across the EU. Given the fact that networks and systems are interconnected, those Member States with a very weak approach to cyber security weaken the overall ability of the EU to deal with cyber attacks. Action is needed to bring all Member States up to an acceptable level of cyber security. Special attention is needed to ensure that every MS has a fully functioning Computer Emergency Response Team (CERT) in place.

4.9

As advised in previous opinions (7), to increase EU protection from cyber attacks, the Committee believes that voluntary measures do not work and that there need to be strong regulatory obligations on Member States to ensure harmonisation, governance and enforcement of European cyber security.

4.10

In summary, to put itself in a position to provide real and updated protection to citizens and businesses from cyber attacks, that EU cyber security policy should focus on the following actions: