Euro-View: ENISA’s Steve Purser on Cyber Security
In the last 10 years a new information security concept has gradually developed – that of cyber security. As we stand today there is still no globally accepted definition for this term.
Given this lack of an agreed common definition, it is instructive to look at what is being discussed under the heading of cyber security at international conferences. Not surprisingly, the term is used to cover a wide range of issues. However, a common theme emerges, with two strands: that the main challenges are cross-border in nature, and that successful mitigation strategies require international agreements and collaboration.
From this point of view, cyber security is by definition a global concern. Given the cross-border factor, advances in cyber security will most likely unfold via international cooperation, but will make full use of techniques to secure information and systems at a local level.
One of the most fundamental principles of information security is that of ‘defence in depth’ – the idea that threats are mitigated by a number of complementary measures, meaning that a threat can still be countered even when individual measures fail. Where cross-border security is concerned, this idea translates into security measures applied at local, national, regional (e.g. European) and international levels which are complementary and mutually reinforcing.
The EU’s approach to cyber security is based on the principle of subsidiarity (i.e., doing only at EU level what cannot be achieved at individual national level). This fits the principle of defence in depth well: responsibility for securing infrastructure lies at local and national level, while efforts to improve regional and international security approaches are collectively decided by the member states with EU support. The central idea here is that compensating procedures and mechanisms at the EU level can be called into play when systems fail at the local or national level.
By way of example, the EU’s 2009 CIIP (critical information infrastructure protection) action plan provides a framework to boost the 27 EU nations’ preparedness against a major cross-border incident.
In the end, implementing cyber security policies is all about combining people, process and technology in an effective way to mitigate risk, but it must be done in a rational way by building on existing tools and methods. Otherwise there will be a risk of reinventing the wheel. However, international governance structures for cyber security are not adapted to the reality of the global threat. Roles and responsibilities need to be clarified at national and international levels, while different communities will have to align their goals and methods to benefit from synergies and avoid duplication of work.
ENISA supports the EU27 and the Commission through its supporting mechanisms to build effective communities that address common cyber security problems. Within the EU structure a substantial amount of work is going on to improve cross-border processes relating to cyber security. Information sharing needs to be improved and a coherent framework of cross-border procedures must be agreed.
In particular, approaches must be aligned so that security solutions interoperate across national boundaries. Minimum security standards are needed to avoid a “weakest link”, and principles such as defence in depth should be applied at EU level.
Equally important, but less prominent, is the need to align approaches across different stakeholder communities. By abolishing the EU’s so-called “pillar” system of different decision-making mechanisms, the Treaty of Lisbon has opened the door for the EU institutions and bodies to promote more extensive dialogue between these communities.
Pan-European cyber security exercises are a good example of how ENISA supports the Commission and member states in this regard. These exercises have proved to be an effective way to build communities and have led to a number of parallel initiatives that are improving pan-European contingency planning.
The first pan-European exercise took place in November 2010 as a table-top exercise based on an incident affecting all member states. For this first exercise, only public authorities and bodies (mainly from the CIIP community) were involved. No political escalation mechanisms were built into the exercise. Instead it tested three things:
- whether contact points in the member states were well documented and easy to find
- the understanding that member states have of the role and mandate of their counterparts in other member states
- the extent to which the rules for exchanging data over secure channels were respected.
The results are published on the ENISA web site.
That pan-European exercise has served as a catalyst for building a strong stakeholder community that is responding to the future challenges of CIIP in a proactive manner.
The next cyber exercise will be on 4 October 2012. It illustrates how the EU and the member states can work together to improve their level of cyber security preparedness and to align different “front-line” communities that must deal with cyber security.