Kommission plant gemeinsamen Schutz vor Internetangriffen[en] 

The cyber attack carried out against Estonian public and private strategic infrastructure last summer led EU and NATO authorities to rethink the common approach to telecommunications network protection.

Last week, NATO leaders assembled at the Bucharest Summit agreed upon a common policy for cyber defence and made a commitment to establish a new authority with the primary task of coordinating NATO's "political and technical" reactions to cyber attacks (see EurActiv 04/04/08).

In her proposed review of the telecoms sector, Commissioner Reding has already highlighted the importance of improving the security of information networks. Speaking at a conference on 'European security awareness ', she said yesterday (7 April) that telecoms security has an increasingly significant part to play in protecting the effective functioning of other key activities such as energy supplies and financial services.

Now the Commission is proposing to clarify its plans on this regard. An essential element will be the replacement of the existing EU temporary agency dealing with information networks security, ENISA, with a new authority. The body would be in charge of the entire EU Telecoms sector, with powers ranging from security to regulation (see EurActiv 06/03/08). However, the idea has thus far been strongly criticised by different actors and decision makers (see EurActiv 29/02/08).

On the eve of the NATO Summit in Bucharest, Reding's spokesperson Martin Selmayr already clearly outlined to EurActiv the role the Commission plans to attribute to the new authority as far as security issues are concerned: "We need a rapid reaction force. What ENISA is doing now is sitting around a table and drafting reports. They are very accurate but this is not enough. We need a body that operationally deals with the security," he said (see EurActiv 04/04/08).

The Crete-based ENISA will end its mandate in 2009 but widespread agreement has already been reached to extend this for a further two years until 2011, when the new EU authority is expected to take over, according to the Commission's plans.

However, apart from a new EU body, a veritable common European approach to cyber defence also requires every member state to establish a national structure for the prevention of and defence against cyber attacks, the so-called Computer Emergency Readiness Teams (CERTs). Currently only a few European states have such structures.

Information Society Commissioner Viviane Reding announced: "At the beginning of 2009 I will present a communication on the protection of critical telecoms infrastructure. It is aimed at improving the preparation and the response capability at the European level" in case of cyber attacks.

The commissioner underlined the importance of technical developments without forgetting the necessity of increased education regarding the advantages and risks of the information society. This line is strongly supported by the industry.

Marc Dacier, director of the research labs at Symantec, the biggest provider of security software on the Internet, echoed Reding's position by commenting: "Security is about having the right mindset with the right technology."

Francisco Mingorance, the director of European public policy at the Business Software Alliance (BSA) - which represents almost all the big ICT companies and organised the conference on security awareness – said: "Building trust in the Internet and ensuring the security of information systems is a continuous process of education, requiring collaboration among industry and government. As we approach next week's anniversary of the Estonian botnet attacks, promoting strong and comprehensive pan-European cyber crime legislation is even more critical for the security of European citizens in the fight against online criminals."

On ENISA's future, the Slovenian presidency confirmed its support for the planned temporary extension of its mandate. "ENISA was the best choice in 2004 when it was established. Now the best solution is to extend it for two years. We have more time to think but we have to do it quickly," said Milos Kuret, deputy director for the information society at the Slovenian Ministry of Science and Technology.

Socialist MEP Silvia-Adriana Ticau said "strengthening information security is not a cost but an investment". "Cyber defence should be at the top of the European agenda and dispose of enough funding," she added.