The atrocities of 11 September 2001 in New York, the Madrid train bombing in 2004 and the London Underground attacks in July 2005 have indicated terrorists' willingness to target infrastructures such as transport, energy and communication. On 12 December 2006, the European Commission adopted a Communication to improve the protection of European Critical Infrastructure (ECI) from terrorism.
The European Commission wants to co-ordinate efforts in member states and reassure the public that efficient alert and information systems are in place to protect the main elements of critical infrastructure. In its main policy document, 'Critical infrastructure protection in the fight against terrorism' from 2004, the Commission offers this broad description:
"Critical infrastructures consist of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in the member states. Critical infrastructures extend across many sectors of the economy, including banking and finance, transport and distribution, energy, utilities, health, food supply and communications, as well as key government services."
In the Green Paper on Critical Infrastructure, published on 24 November 2005, the Commission addressed key issues such as which threats the EPCIP should protect against, how EU critical infrastructure and national critical infrastructure are defined, and the role of owners and operators of infrastructure.
The EPCIP identifies the following ECI sectors:
- nuclear industry;
- information, communication technologies, ICT;
- chemical industry;
- research facilities.
The European Programme for Critical Infrastructure Protection (EPCIP) includes:
- A Directive of the Council on the identification and designation of ECI and the assessment of the need to improve their protection. The proposed Directive establishes a procedure for the identification and designation of CI, and a common approach to the assessment of the needs to improve the protection of such infrastructure;
- measures designed to facilitate the implementation of EPCIP including an EPCIP Action Plan, the Critical Infrastructure Warning Information Network (CIWIN), the use of expert groups at and the identification and analysis of interdependencies, and;
- support for member states concerning National Critical Infrastructures (NCI);
- accompanying financial measures and in particular the proposed EU programme on "Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks" for the period 2007-2013, which will provide funding opportunities for CIP-related measures having a potential for EU transferability.
Because of the private ownership of major elements of critical infrastructure, any security and control measures will (almost by definition) require the involvement of both private and public interests. National authorities will often have sole competence in the area. There is, however, often a level of transnational interdependence involved, which makes it clear that the EU should also play a certain co-ordinating role.
In sectors such as aviation and maritime security, inspection services have been created within the European Commission to check the implementation of security legislation by member states. Further initiatives are in progress with the creation of the European Network and Information Security Agency (ENISA) for communication security.
The European Programme for Critical Infrastructure Protection, EPCIP, demands that the Commission produces an annual communication to take stock of progress made and challenges ahead. This will integrate the various analyses and measures across the different sectors of the economy. Member-state governments would continue to develop and maintain databases of significant critical infrastructure on a national basis and would be responsible for developing, validating and auditing relevant plans to ensure continuity of services in case of an attack under their jurisdictions.
In the course of 2005 the Commission created a Critical Infrastructure Warning Information Network (CIWIN), which brings together member-state CIP specialists to assist the Commission in drawing up a programme to facilitate exchange of information on shared threats and vulnerabilities and appropriate counter-measures and strategies. The USA has a similar system known as Critical Infrastructure Warning Information Network (CWIN), operational since 2003.
Security of Aircraft in the Future European Environment (the SAFEE project) was begun in 2004 with the aim of improving security on commercial aircraft. It addresses classic hijacking situations, September 11-type scenarios and futuristic scenarios involving electronic jamming and hacking of computer systems. Sub-projects will address technical issues such as onboard-threat detection, threat assessment and response management plus flight protection.
The maritime sector:
The International Ship and Port Facility Security, ISPS code, was introduced in July 2004. It requires ports and vessels to show that they have put adequate security systems in place - and vessels to show that they have been calling only at certified ports. The purpose of the code is to provide a standardised, consistent framework for evaluating risk.
The EU has set up a task force to explore what its 25 member states are doing to combat cyber-threats against critical infrastructure. As part of the EU's Critical Information Infrastructure Research Coordination, CI2RCO project, announced in April 2005, the task force aims to identify research groups and programmes focused on IT security in critical infrastructures, such as telecommunications networks and power grids. The scope of the cooperation goes beyond the EU; the task force also wants to include USA, Canada, Australia and Russia.
- Launching the new measures, Justice, Freedom and Security Commissioner Franco Frattini said: "The security and economy of the European Union as well as the well-being of our citizens depend on certain infrastructure and the services they provide. The disruption of such infrastructure could mean the loss of lives, the loss of property and a collapse of public confidence in the EU. The package we present today aims at ensuring that any eventual disruptions or manipulations of critical infrastructure remain as brief, infrequent, manageable, geographically isolated and minimally detrimental as possible."
- EP Rapporteur Stavros Lambrinidis points to the need for all the relevant authorities at national, European and international level which share critical information to be adequately interlinked.
- Victor M. Aguado, Director General of Eurocontrol, discusses the evolution of Air Traffic Management (ATM) policies in Europe and the US. He argues that it is vital that standards, rules, and practices are universal. Interoperability, rather than an identical system, is needed and will lead to greater compatibility and efficiency across the Atlantic.
- Tim Robinson, senior vice-president of Thales’ security division, on the changing homeland security market: "I see a shift in emphasis and an increasing balance between what we see as defence and homeland security. 'Security' is a more politically acceptable way of describing what was traditionally defence."
- Bill Mawer, head of strategy and technology at Smiths Detection, the UK-based defence company, reflects on how the new threats have paved the way for a technology transfer from the military to civilian law enforcement: "Airport security is completely split from the military side. When people started to worry about asymmetric attacks and chemical warfare, what happened was that military technology was put in the hands of the police."
- Paul Friessem, director at the Fraunhofer Institute for Secure Information Technology (SIT) of the CI2RCO taskforce: "While most EU member states are aware of the threat of cyber-attacks on their critical infrastructure and are thus willing to share information, some are less willing. We hope to overcome these barriers."
- Fears of an 'electronic 9/11' are questioned by some: "Nobody is getting blown to bits. It's not real terrorism. But if you add 'terrorism' to things you get more budget," comments Bruce Schneier, founder and CTO of UK security firm Counterpane. Schneier believes that the level of threat posed by 'cyberterrorism' is deliberately over-hyped in order to secure more funding for certain IT-security projects.
- July 2007: MEPs backed a pan-European plan to safeguard critical infrastructure against terrorist attacks in areas including energy, health, communication and transport on 10 July 2007.