EU Needs Bigger Role in Coordinating National Cybersecurity Activities, U.K. Panel Says
The EU and NATO “need their heads knocking together” over their failure to coordinate against cyberattacks, the chairman of a U.K. Lords panel said Thursday. The two bodies “barely speak to each other,” causing too many overlapping efforts, Michael Jopling said. His comments followed the publication, by the EU Subcommittee on Home Affairs, of a report responding to an April 2009 European Commission statement on protecting Europe from large-scale cyberattacks. The panel backed EC calls for more EU coordination of national critical infrastructure protection.
The EC noted the importance of the information and communication technology sector for all segments of society, and the rising level and sophistication of cyberattacks such as those in Estonia, Lithuania and Georgia. Europe’s response is being hampered by uneven and uncoordinated national approaches, governance problems affecting critical information infrastructures, a lack of public-private partnerships and a limited early warning and response capability, it said. The EC wants more pan-European cooperation and better industry-public sector partnerships. It also called for an information-sharing and alert system, national, pan-European and global contingency planning and exercises and better relationships between national and governmental computer emergency response teams (CERTs).
The Lords inquiry examined what role the EU should play in helping countries prevent, detect and respond to cyberattacks, lessen their effects and recover from them. While most believe the EU has a legitimate part in preventing attacks, there’s little agreement on what it should be, the report said.
The panel recommended the EU help coordinate activities of its member countries, spread best practices and bring the slowest nations up to the speed of the fastest. Some countries don’t even have CERTs yet, a “ridiculous” situation, Jopling said. The report urged the U.K. government and the EU to pay more attention to how cybersecurity could be developed on a global basis. The EC statement said little about that, but the more advanced countries, such as Britain, could be influential in expanding the dialogue with key international players such as the U.S., Russia and China, lawmakers said.
The panel said it was “shocked” by the lack of coordination between the EU and NATO. The two bodies have similar interests in defending against cyberattacks and work in similar ways, “yet there is virtually no communication between them,” Jopling said. The report urged the government to encourage cooperation instead of duplication.
British ISPs also came in for criticism. The Estonian attack, in which people looked to the government for a response to the assault on mostly privately-owned infrastructure, showed the need for genuine public-private partnerships, the panel said. The EC remains vague on how it will work and is waiting for industry to come forward, lawmakers said, so the EC should take the initiative. “We would be better placed to assess the extent of the problem” if any U.K. ISPs had come forward to testify, the panel said. With one exception, U.K. networking companies, Internet trade bodies and Internet exchange points “showed a similar lack of interest,” it said. The resounding silence may mean service providers think the EC statement won’t affect them, it said.
The U.K. Internet Services Providers’ Association was approached about sending someone, but due to time constraints no one was available, a spokesman told us. “It is a very busy regulatory time for ISPs and it is the choice of members how they prioritise their regulatory resources.” Critical infrastructure protection is an important issue for ISPs, who take steps to protect the security of their networks, he said.
The EC wants European countries to develop national contingency plans and hold regular exercises to ensure they can respond to cyberattacks, the panel said. Only two nations, the U.K. and Sweden, have run such tests, making any kind of pan-European exercise premature, it said. The U.K.’s successful November exercise, “White Noise,” focused on the consequences of a widespread failure of the public switched telephone network causing the loss of all telephony services except for VoIP, it said.
The report also recommended more staff for the European Network and Information Security Agency and that the organization have a voice in new cybersecurity mandates. Lawmakers criticized the decision to site ENISA in Heraklion, Greece, 2,400 kilometers (1,491 miles) away from Brussels. The hard-to-reach location continues to cause staff recruitment and retention problems and makes meeting scheduling difficult, they said. The report now goes to Parliament for possible debate.