Wednesday, May 31, 2006

EU infrastructure security proposals

The EU has released a Communication on a strategy for a Secure Information Society – “Dialogue, partnership and empowerment” COM(2006) 251. This seems to be a serious attempt to advance the preservation of the Internet as critical infrastructure from the various current security threats - viruses, worms, DoS, hacking, spoofing et al. This was first advanced as an EC priority in the Communication “i2010 – A European Information Society for growth and employment” (COM (2005) 229 final of 1.6.2005). The EU's press release announces that the Commission will report to Council and Parliament in the middle of 2007 on the activities launched, the initial findings and the state of play of individual initiatives, including those of ENISA (the European Network and Information Security Agency established in 2004, also as a result of the i2010 document) and those taken at Member State level and in the private sector. If appropriate, the Commission will then propose a Recommendation on network and information security (NIS).

The Communication identifies three key threats to Internet security.

"Firstly, attacks on information systems are increasingly motivated by profit rather than by the desire to create disruption for its own sake... [Secondly] The increasing deployment of mobile devices (including 3G mobile phones, portable videogames, etc.) and mobile-based network services will pose new challenges, as IP based services develop rapidly. These could eventually prove to be a more common route for attacks than personal computers since the latter already deploy a significant level of security... [Thirdly] Another significant development is the advent of “ambient intelligence”, in which intelligent devices supported by computing and networking technology will become ubiquitous (e.g. through RFID, IPv6 and sensor networks). A totally interconnected and networked everyday life promises significant opportunities. However, it will also create additional security and privacy-related risks... The emergence of certain “monocultures” in software platforms and applications can greatly facilitate the growth and spread of security threats such as malware and viruses. Diversity, openness and interoperability are integral components of security and should be promoted."

What solutions does the Communication propose?

"... given the ubiquity of ICTs and information systems, network and information security is a challenge for everybody:
• Public administrations need to address the security of their systems, not just to protect public sector information, but also to serve as an example of best practice for other players;
• Enterprises need to address NIS more as an asset and an element of competitive advantage than as a “negative cost”;
• Individual users need to understand that their home systems are critical for the overall “security chain”.

In order to successfully tackle the problems described above, all stakeholders need reliable data on information security incidents and trends... one of the cornerstones in developing a culture of security is improving our knowledge of the problem... [And] Wherever possible, therefore, NIS should be presented as a virtue and an opportunity rather than as a liability and a cost. It needs to be viewed as an asset in building trust and consumer confidence, a competitive advantage for enterprises operating information systems, and a service quality issue for both public and private sector service providers."

PanGloss finds all this rather pleasing, as she has recently spent much time recommending, like the new EU instrument, a "holistic approach" to computer security, rather than one based, as at present, primarily on the ineffective tool of criminal law.

We are also promised a specific work programme which includes:

- two specific Communications on (i) spam, spyware and related threats; and (ii) cybercrime, including law enforcement authority co-operation.
- the scheduled review of the regulation of electronic communications due within 2006, to be expanded to include consideration of network and information security (NIS)
- the creation of a European multilingual info sharing and alert system (this to be a goal for ENISA)
- a "multi stakeholder dialogue" on economic, business and societal drivers towards NIS
- allocation of resources to NIS research under the 7th Framework programme

And in among the succeeding detail is a para which sparks this writer's own little obsession: how far ISPs - and indeed software companies - should be held responsible for creating the new, more secure Internet.

"3.3.2 The Commission also invites private sector stakeholders to take initiatives to:
• Develop an appropriate definition of responsibilities for software producers and Internet service providers in relation to the provision of adequate and auditable levels of security. Here, support for standardised processes that would meet commonly agreed security standards and best practice rules is needed."

This is fascinating and much needed stuff. More comment when I have had time to look in more detail.
