The problem of securing information infrastructures against threats is a current one, and its relevance keeps increasing. With it, the pressure to create systematic solutions in terms of legal norms, organization, methodology and technology is increasing as well. This situation is described in the COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS on Critical Information Infrastructure Protection, "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", issued 30.3.2009. Here are some citations from it.
Information and Communication Technologies (ICTs) are increasingly intertwined in our daily activities. Some of these ICT systems, services, networks and infrastructures (in short, ICT infrastructures) form a vital part of European economy and society, either providing essential goods and services or constituting the underpinning platform of other critical infrastructures. They are typically regarded as critical information infrastructures (CIIs) as their disruption or destruction would have a serious impact on vital societal functions. Recent examples include the large-scale cyber-attacks targeting Estonia in 2007 and the breaks of transcontinental cables in 2008. The World Economic Forum estimated in 2008 that there is a 10 to 20% probability of a major CII breakdown in the next 10 years, with a potential global economic cost of approximately 250 billion US$.

The ICT sector is vital for all segments of society. Businesses rely on the ICT sector both in terms of direct sales and for the efficiency of internal processes. ICTs are a critical component of innovation and are responsible for nearly 40% of productivity growth. ICTs are also pervasive for the work of governments and public administrations: the uptake of eGovernment services at all levels, as well as new applications such as innovative solutions related to health, energy and political participation, make the public sector heavily dependent on ICTs. Last but not least, citizens increasingly rely on and use ICTs in their daily activities: strengthening CII security would increase citizens' trust in ICTs, not least thanks to a better protection of personal data and privacy.

Cyber-attacks have risen to an unprecedented level of sophistication. Simple experiments are now turning into sophisticated activities performed for profit or political reasons. The recent large scale cyber-attacks on Estonia, Lithuania and Georgia are the most widely covered examples of a general trend. The huge number of viruses, worms and other forms of malware, the expansion of botnets and the continuous rise of spam confirm the severity of the problem.

In order to ensure that ICT infrastructures are used to their maximum extent, thus fully realizing the economic and social opportunities of the information society, all stakeholders must have a high level of confidence and trust in them. This depends on various elements, the most important of which is ensuring their high level of security and resilience. Diversity, openness, interoperability, usability, transparency, accountability, auditability of the different components and competition are key drivers for security development and stimulate the deployment of security-enhancing products, processes and services.

Taking up such responsibilities calls for a risk management approach and culture, able to respond to known threats and anticipate unknown future ones, without over-reacting and stifling the emergence of innovative services and applications.

Enhancing the security and the resilience of CIIs poses peculiar governance challenges. While Member States remain ultimately responsible for defining CII-related policies, their implementation depends on the involvement of the private sector, which owns or controls a large number of CIIs. On the other hand, markets do not always provide sufficient incentives for the private sector to invest in the protection of CIIs at the level that governments would normally demand.

To address this governance problem public-private partnerships (PPPs) have emerged at the national level as the reference model. However, despite the consensus that PPPs would also be desirable on a European level, European PPPs have not materialized so far. A Europe-wide multi-stakeholder governance framework, which may include an enhanced role of ENISA, could foster the involvement of the private sector in the definition of strategic public policy objectives as well as operational priorities and measures. This framework would bridge the gap between national policy-making and operational reality on the ground.

Governance mechanisms will be truly effective only if all participants have reliable information to act upon. This is particularly relevant for governments that have the ultimate responsibility to ensure the security and well-being of citizens.

However, processes and practices for monitoring and reporting network security incidents differ significantly across Member States. Some do not have a reference organization as a monitoring point. More importantly, cooperation and information sharing between Member States of reliable and actionable data on security incidents appears underdeveloped, being either informal or limited to bilateral or limited multilateral exchanges.

Public policy discussions in the aftermath of the events in Estonia suggest that the effects of similar attacks can be limited by preventive measures and by coordinated action during the actual crisis. A more structured exchange of information and good practices across the EU could considerably facilitate fighting cross-border threats. It is necessary to strengthen the existing instruments for cooperation, including ENISA, and, if necessary, create new tools. A multi-stakeholder, multi-level approach is essential, taking place at the European level while fully respecting and complementing national responsibilities.