EU seeks unified cybersecurity regime
The European Security Round Table (ESRT) held, in conjunction with the Estonian Ministry of Defence (1), the European Cyber Security Conference, titled “Shared Threats – Shared Solutions: Towards a European Cyber Policy,” which discussed the notion of collaborative cyber security within the European Union. The conference was led by Estonian Defense Minister Mart Laar. “We need to build up EU cyber defense teams to train us and to fight battles in cyberspace,” he said, opening the conference.
In lively panel discussions, policymakers, industry speakers and various experts debated a range of cyber security issues to promote “a comprehensive policy approach to cyber-security among EU institutions.”
Featured among these were Critical Information Infrastructure Protection, the importance of the private sector in cyber security and EU cooperation with NATO. In discussing the danger presented by cyber attacks for technologically dependent societies, a discussion emerged regarding the need to prepare for worst-case scenarios to enable effective protection and decisive multilateral responses. The audience, comprised of representatives from international and EU institutions, think tanks, NATO, member-state governments and industry, engaged in fruitful Q&A sessions with the speakers.
Laar said that goal is imperative to keeping the continent safe from the kind of cyberattacks that Estonia endured four years ago. “If we are serious about the possible damage that bombs and bullets can cause, then we should also give serious consideration to the dangers that can be sent through global networks, because they can be used to strike at a country’s energy security, and damage its economy and intellectual property,” Laar said.
Laar said the current EU approach to cyberthreats should be overhauled to protect the bloc as a whole. To do so, however, the member nations need to iron out many questions and grey areas — such as, what exactly constitutes a “cyberattack” and sabotage? How would a cyberthreat’s damage potential to critical infrastructure be quickly assessed and responded to?
As it now stands, it’s mainly private companies that respond to such threats. To develop an EU-wide security policy, it may become necessary to at least partially cede those functions to governments. And if so, public-private partnerships allowing for knowledge-sharing with cybersecurity companies would need to be hammered out, conference organizers said.
Several other knotty problems also need to be overcome. For instance, which country has legal jurisdiction over attacks conducted through stateless “cyberspace” — the originating country or the target nation?
Although these questions have been discussed many times in recent years, there are still no clear answers, which organizers of the conference — entitled “Shared Threats, Shared Solutions: Towards a European Cyber Policy” — sought to address.
Cecilia Malmström, member of the European Commission responsible for Home Affairs, said she is working with European Commission Vice President Neelie Kroes and EU foreign affairs and security chief Catherine Ashton in “coordinating a joint response to the challenges we are facing.” Included in that effort, she said, will be the establishment of a European cybercrime center by 2013, which “will become the focal point in the EU’s fight against cybercrime and it will also ensure faster reactions in the event of cyberattacks.”
Cecilia Malmström stressed “there is no doubt that threats in cyberspace are real ones,” and that “the number of cyber attacks is rising.” She added that cyber attacks on EU institutions and on the EU’s Emissions Trading System had accelerated the creation of a CERT (Computer Emergency Response Team) for the EU institutions, which has been active since the beginning of June.
Malmström stressed the importance of working together, both within the EU and with NATO. “National CERTs and European CERTs and the cybercrime center are excellent places where actors can meet and identify solutions to attacks before they arrive, preferably, and also after [attacks],” she said.
The center is expected to be a focal point in the fight against cyber crime and to provide future responses to cyber attacks.
“A lot of cyber crimes are not put on record because they are not reported,” Malmström said. “This must change. … If we don’t have the reports, how can we understand the patterns of criminal behavior?”
The commissioner also urged countries that had not done so to ratify the Council of Europe’s Budapest Convention on Cybercrime, which set out legal rules governing cyberspace.
The commission proposed an EU directive setting out criminal penalties for attacks against information technology systems, which Malmström said is “largely based” on the Budapest Convention.
“NATO is also seeking to play a role in the formulation of a single European cybersecurity policy,” said Lt. Gen. Kurt Herrmann, Director of the NATO Communication and Information Systems Services Agency. Assistant Secretary-General Gabor Iklody said that closer cooperation between the alliance and the EU is a key part of NATO’s updating of its own computer security systems.
Source: Defense News, United Press International, Inc., ESRT
(1) Estonia was hit with a 3-week barrage of cyberattacks in 2007 aimed at disabling Web sites for its government, private companies, political parties, banks and newspapers. Tallinn, which blamed the attacks on Russian agents, estimated the financial damages from the episode at $27.5 million-$40.5 million.