28.4.2007   

EN

Official Journal of the European Union

C 97/21

1.1

The EESC firmly believes that information security is of growing concern for businesses, administrations, public and private bodies and individuals.

1.2

In general, the EESC agrees with the analyses and considerations calling for a new strategy, to increase network and information security against attacks and intrusion, which have no geographical boundaries.

1.3

The EESC believes that the Commission should make further endeavours to achieve an innovative, coordinated strategy, given the scale of the issue and its economic implications and impact on privacy.

1.3.1

Moreover, the EESC points out that the Commission has recently adopted a new Communication on information security and that another document is due to be issued in the near future on the same subject. The EESC reserves the right to issue a more comprehensive Opinion in the future which takes all the Communications into account.

1.4

The EESC stresses that the issue of information security cannot in any way be separated from the need to increase protection of personal data and to protect freedoms, as safeguarded by the European Convention on Human Rights.

1.5

The EESC wonders, as things stand, what the proposal's added value is over the integrated approach adopted in 2001, whose aim was the same as that specified in this Communication (1).

1.5.1

The Impact Assessment (2) appended to the proposal is an improvement on the 2001 position in a number of respects, but it has only been published in one language and is therefore inaccessible to many European citizens, who form their opinion from the official document, which is in the Community languages.

1.6

The EESC draws attention to the conclusions of the 2005 Tunis World Summit relating to the information society, endorsed by the UN Assembly of 27 March 2006:

1.7

The EESC stresses that a dynamic, integrated Community strategy should tackle, in addition to dialogue, partnership and responsibility:

1.8

Lastly, the EESC believes that in order to ensure a dynamic, integrated Community strategy, relevant budgetary appropriations need to be allocated and enhanced-cooperation initiatives and measures planned at Community level which can present Europe to the world with a unified voice.

2.1

Security in the information society is a fundamental issue in terms of ensuring reliable communication networks and services inspiring confidence, which are key factors in economic and social development.

2.2

Information networks and systems need to be protected to preserve competitive and trade capacities, ensure the integrity and continuity of electronic communications, prevent fraud and guarantee protection of privacy by the law.

2.3

Electronic communications and related services are the largest segment in the entire telecommunications sector: in 2004 approximately 90 % of European businesses actively used the Internet, with 65 % of them creating their own website, while an estimated 50 % of European people regularly use the Internet and 25 % of households use broadband access on an ongoing basis (5).

2.4

Despite faster investment growth, only 5-13 % of total investment in information technologies is spent on security. This is too little. Recent studies have revealed that out of an average of 30 protocols that share key structures, 23 are vulnerable to multi-protocol attacks (6). In addition, on average, an estimated 25 million spam (7) emails are sent every day and so the EESC welcomes the Commission's recent proposal on the subject.

2.5

As regards computer viruses (8), worms (9) and spyware (10) have mushroomed with the increasingly rapid development of electronic communication networks and systems, which have become increasingly complex and, at the same time, vulnerable, thanks, not least, to the convergence of multimedia, mobile telephony and GRID infoware (11): extortion, DDoS (distributed denial of service), Internet ID theft, phishing (12), piracy (13) etc. are security problems for the information society, which the European Community addressed in a Communication in 2001 (14). The EESC commented on the Communication (15), identifying three lines of action:

2.6

Finding adequate solutions is a challenge when it comes to recording, identifying and preventing information attacks concerning a network system, given the constant configuration changes, the variety of network protocols and services provided and developed and the extremely complex, asynchronous nature of attacks (16).

2.7

Regrettably, however, the poor visibility of the return on investments in security and the fact that few users assume responsibility have resulted in risks being underestimated and little focus on developing a security culture.

3.1

The Commission's Communication on a Strategy for a Secure Information Society (17) attempts to improve information security through a dynamic, integrated strategy based on:

3.2

Furthermore, the Communication envisages a trusted partnership with ENISA to develop a suitable framework for collecting data on breaches of security, user confidence and developments in the security industry:

setting up a multilingual EU information and risk alert portal, with a view to a strategic partnership between the private sector, Member States and researchers.

3.2.1

The Communication also provides for greater empowerment of stakeholders with regard to security needs and risks.

3.2.2

As regards international cooperation with third countries, the Commission states that ‘the global dimension of network and information security challenges the Commission, both at international level and in coordination with Member States, to increase its efforts to promote global cooperation on NIS’ (18). However, this recommendation is not reflected in the dialogue, partnership and empowerment actions.

4.1

The EESC agrees with the analyses and arguments in favour of a dynamic, integrated European strategy for secure networks and information; it believes that the issue of security is essential to fostering a more favourable attitude towards using information technologies, and to boosting trust in them. The EESC's views have been stressed in numerous opinions (19).

4.1.1

The EESC reiterates (20) that: ‘… the Internet and new technologies for online communication (for example, mobile telephones and palmtop computers with Internet and multimedia functions, currently undergoing rapid growth) are of fundamental importance for the development of the knowledge economy, the eeconomy and egovernment.’

4.2.1

The Commission proposes to base this dynamic, integrated strategy on an open, inclusive multi-stakeholder dialogue which includes users in particular, together with enhanced partnership and empowerment. The EESC feels that the approach could be made even wider.

4.2.2

This view has been stressed in previous opinions: ‘… to be effective, this programme should directly involve all Internet users, who need to be trained and informed of the precautions to take and the resources to use in order to protect themselves from being sent harmful or unwanted content, or from being used to forward such content. In the view of the EESC, one of the priorities of the action plan in regard to information and training should be to gain the support of users …’ (21).

4.2.3

However, the EESC feels that users' and citizens' support must be gained in such a way as to reconcile the necessary protection of information and networks with civil liberties and users' right to secure, reasonably-priced access.

4.2.4

It should be borne in mind that information security entails cost for the consumer, not least in terms of the time wasted in removing or circumnavigating obstacles. The EESC believes that a requirement should be introduced for automatic bundling of anti-virus software with every computer; the user could decide whether or not to activate it but it would be included in the product at manufacture.

4.3.1

In addition to this, the EESC feels that the EU should set itself more ambitious goals and launch an innovative, integrated, dynamic strategy with new initiatives such as:

4.3.2

The EESC advocates the creation of an inter-DG ICT-Security Focal Point (23). The Focal Point would allow action:

4.4.1

The EESC also attaches great importance to the creation of a European Network and Information Security Network, which could act as a channel for the promotion of surveys, research and workshops on security mechanisms and the interoperability thereof, advanced cryptography and the protection of privacy.

4.4.2

The EESC believes that the role of European research in this very sensitive sector would be optimised by a useful synthesis of the provisions of:

4.4.3

Another suggestion is to launch a ‘European Secure Computer Day’, supported by national education campaigns in schools and information campaigns targeting consumers, on IT information protection procedures. This would, of course, be in addition to information on the technological progress made in the huge, ever-changing field of computers.

4.4.4

The EESC has pointed out on a number of occasions that ‘The perceived security of and trust in digital transactions determines the speed with which enterprises are likely to exploit ICT in their business. Consumers' willingness to provide credit card numbers on a web page is greatly influenced by the perceived safety of the action’ (26).

4.4.5

The EESC firmly believes that, given the sector's huge growth potential, specific policies must be introduced and existing policies brought into line with new developments. An integrated information security strategy linking European initiatives is needed, breaking down the borders between sectors and ensuring uniform, secure dissemination of ICTs throughout society.

4.4.6

In the EESC's view, a number of major strategies, including the one in question, are progressing too slowly because of bureaucratic and cultural hindrances, introduced by Member States, to the essential decisions which have to be taken at Community level.

4.4.7

The EESC also believes that Community resources are insufficient to achieve numerous, urgent projects which can only provide practical responses to the new challenges of globalisation if implemented at Community level.

4.5.1

The EESC is aware that the technological security measures and security management procedures introduced by Member States are geared to their individual needs and tend to focus on different aspects. That is another reason why it is difficult to provide a single, effective response to security issues. With the exception of some administrative networks, there is no systematic cross-border cooperation between Member States, despite the fact that security issues cannot be addressed by each individual country on its own.

4.5.2

The EESC notes, moreover, that Council Framework Decision 2005/222/JHA introduced a framework for cooperation between judicial and other competent authorities to ensure, by approximating Member States' criminal law on attacks against information systems, that their approaches are coherent in the following areas:

4.5.3

The Framework Decision also lays down criteria for establishing the liability of legal persons and any penalties that may be applied once their liability has been ascertained.

4.5.4

As regards dialogue with Member States' public authorities, the EESC supports the Commission's proposal that these authorities should initiate an exercise to benchmark national NIS-related policies, including specific policies for the public sector. This suggestion was made in an EESC Opinion in 2001 (27).

4.6.1

With regard to involvement of the information security industry, the industry must protect its customers' right to privacy and confidentiality by providing effective guarantees that the tools used for the material surveillance of their installations — and for commercial encryption — are in line with technological developments (28).

4.6.2

As regards awareness-raising campaigns, the EESC believes that a genuine ‘security culture ’must be created, in such a way as to be fully compatible with freedom of information, communication and expression. Numerous users are unaware of all the risks related to computer piracy, while many service providers, sellers and operators are unable to assess the existence and extent of vulnerable aspects.

4.6.3

Although the main aim is to protect privacy and personal data, consumers also have the right to genuinely effective protection against improper personal profiling by spyware and web bugs, or other means. Effective measures are also needed to curb spamming (29) (mass sending of unsolicited mail) which often also arises out of such misuse. Intrusion of this kind is damaging to those concerned (30).

4.7.1

The EESC is in favour of a greater, more effective role for the European Network and Information Security Agency (ENISA), as regards both awareness-raising campaigns and, most importantly, information and training schemes for operators and users. This has already been recommended by the EESC in a recent opinion (31) on the provision of public electronic communication services.

4.7.2

Lastly, as regards the proposed initiatives to empower each stakeholder group, these appear to entail strict observance of the subsidiarity principle. Indeed, they are to be the responsibility of the Member States and the private sector, in accordance with their specific remits.

4.7.3

ENISA should be able to use contributions from the European Network and Information Security Network to organise joint activities, as well as the multilingual Community information-security alert web portal for personalised, interactive, user-friendly information targeted particularly at individual users of all ages and small and medium-sized businesses.

—

EESC opinion on the Proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC — OJ C 69 of 21.3.2006, page 16 ;

—

EESC opinion on the Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions on i2010 — A European Information Society for growth and employment — OJ C 110 of 9.5.2006, page 83;

—

EESC opinion on the Proposal for a Decision of the European Parliament and of the Council on establishing a multi-annual Community programme on promoting safer use of the Internet and new online technologies — OJ C 157 of 28.6.2005, page 136;

—

EESC opinion on the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on network and information security: proposal for a European policy approach — OJ C 48 of 21.2.2002, page 33.