An EU cybersecurity strategy to be launched Feb. 7

Agenda Commissioner Neelie Kroes Wednesday at a global cybersecurity conference in Brussels. Despite the high costs of insecure network and information systems, most information and communication technology users aren’t aware enough of the risks they face online and many aren’t prepared to deal with them, she said. Most cyberincidents could be prevented through simple or cheap measures, she said. And because the risks aren’t contained within borders, fragmentation and duplication of preventative measures must stop, she said. The European Commission will propose a comprehensive approach and legislation to strengthen cyber-resilience and network and information security, she said. The strategy will be a joint effort by Kroes, Home Affairs Commissioner Cecilia Malmström, and EU High Representative for Foreign Affairs and Security Policy Catherine Ashton, a briefing document said. The strategy aims to attain a high level of cyber-resilience by boosting capabilities, preparedness, cooperation, information-exchange and awareness at the national and EU level in network and information security, and to drastically cut cybercrime by strengthening the expertise of agencies dealing with such cases. The strategy also calls for development of an EU cyberdefense policy, and the creation of a European industry and market for secure ICT. It will also expand EU international cyberspace policy to promote the respect of core EU values, and help non-EU third countries toughen their information infrastructure, the document said. The strategy will also clarify the roles and duties of the various EU players in the cybersecurity field. The EC is also proposing, in a draft directive, to require all governments to set up a well-functioning national CERT, appoint a national network and information security (NIS) authority, and adopt a national NIS contingency and cooperation plan and strategy. The EC also wants to extend breach reporting requirements now applicable only to the telecom sector to banking, energy (electricity and natural gas), transport (air and maritime freight and passenger carriers and ports among them), health; key Internet services companies (social networks, search engines, cloud providers and others), and public administrations. For example, it said, an incident affecting an e-commerce platform that prevents the completion of online transactions over several hours would have to be reported, as would a maintenance incident of an information system at a power plant that stops electricity to a small city for several hours. The European Network and Information Security Agency (ENISA) would continue to offer support and technical advice to EU government and the private sector, it said. There will be other measures as well, Kroes said. They include further measures to fight botnets; improve the security and resilience of industrial control systems and smart grids; and make users more aware of the risks and how to tackle them, she said. The plan “will help Europe get its own house in order.” Kroes announced Tuesday night that the EC, European Parliament and Council of Ministers reached political agreement on renewing ENISA’s mandate. “This is a timely development” in light of the upcoming cybersecurity strategy and legislative proposals, she said.