Kroes announced the pillars of a new internet security strategy, which she said would be issued during the third quarter of 2012. The planned approach was delivered during a video keynote for conference attendees.
She prefaced the details by noting the cybercrime market is worth nearly $380bn. “While online attacks could pose significant risk to critical systems, so far we have not done enough to protect ourselves”, Kroes insisted, adding simply, “That’s worrying”.
Perhaps the most concerning aspect of the cybercrime trend is not just the staggering commercial losses that are possible, she noted, but the variety of sources from which they emanate and their motivations – whether they be for profit, for political gain, or pure vandalism.
“Given that internet attacks have such a wide mix of sources and impact, the solution is not simple. Internet security cannot be left to the traditional instruments of national security – as if cyberspace was just another military theatre. We need a comprehensive response that covers all” aspects of cybersecurity, Kroes said.
“That is why we need a new vision to address the particular features in cyberspace”, she said, describing what she called “a European strategy for internet security” that involves shared responsibility by all stakeholders, including governments, businesses, and end-users.
Kroes contended the new strategy would transform Europe’s approach to internet security, “while ensuring wider internet governance policies take security issues fully into account”. She outlined five core standards to be included in the strategy proposal:
- Networks must respond to threats: EU member states will need to “guarantee minimal capabilities” and securely and confidentially share critical information among the private and public sectors.
- A new governance structure that requires EU member states to establish “competent authorities” that centralize information and share that information with partners. A new “European Forum” would ensure the authorities and the private sector cooperate as required.
- Mandatory safeguards and prompt reporting of security breaches among private sector organizations that own, operate and service internet infrastructure.
- Increased investment via the EU’s budget and public/private partnerships to create a “more vibrant internal [security] market…to seamlessly bring bright ideas to market”.
- Global cooperation: identifying barriers to European market access and “ensuring security throughout the supply chain”, which includes third-country products that enter the EU.
The information-sharing aspect of this strategy, she added, should be “based on a trusted network and a common reference framework within the internal [EU] market.”
Perhaps more controversial is the proposal for mandatory, prompt reporting of security incidents to a central authority by ICT-related providers. Kroes, however, said that doing so would be in these companies’ best interest, since they are not only responsible for keeping these services operational, but are also major users of information and communication technology. The EC vice president reminded the audience that such mandatory reporting already exists for the telecommunications sector, but said it should also be extended to transportation, energy, and other critical infrastructure.
“Internet security is not a problem that is going to go away”, Kroes concluded. “But, by building response networks, a decent governance structure, the right incentives for the private sector, a vibrant internal market, and an international outlook, then we can deliver an internet that is safe and secure for everyone.”