Firstly, Kroes said, she wants better exchange of and faster reaction to information on cyber attacks, which “might require obliging private companies to notify cyber security breaches, incidents or attacks to the authorities”. There are two elements to this: sharing security information and reporting incidents. The latter can be legislated, but the former can only be encouraged.
It is possible, Dr Prescott Winter, a chief technology officer at HP Enterprise Security Products, told Infosecurity. “Examples of this kind exist today; for example, intelligence agencies and militaries share information across various boundaries.”
The difficulty in widening the scope to include general commerce comes in the danger of inadvertently sharing sensitive information. The process of data sharing would need to be policy-driven to exclude personal, operational or technically sensitive data. “But the basic elements of network attacks and protective responses can, I believe, be shared without compromising these particularly sensitive classes of information,” added Winter.
In her second clue, Kroes wants to stimulate private sector efforts to improve security “by providing the right incentives, and by raising awareness among users”.
Winter believes that incentives could be achieved by greater use of and emphasis on security standards, leading to greater confidence in security. “This process can be led by governments and driven by government standards, or by industry participation in codes and other forms of activity such as the Australian Internet Industry Code of practice for ISPs.”
But Winter has some concern that just ‘raising awareness among users’ isn’t enough. Companies need to be aware of the dangers of stolen intellectual property. “This is much more important than just what the government wants; it goes to the very economic strength and competitiveness of our industries and the ability of government agencies to execute their missions – to ensure our place of leadership in the world.”
In the Commissioner’s third clue, she says “I want to invest in innovation for security technologies".
This is not so easy, comments Winter. Government can encourage innovation with new standards, but we should “recognize that the technical standards that have given the Internet remarkable levels of reliability and availability in terms of performance were all defined by network participants for commercial implementations.” This suggests, he added, “that the private sector should lead this effort, perhaps with government encouragement. Again, the Australian Internet Code of practice comes to mind.”
These three clues from Neelie Kroes provide an indication of EU thoughts on internet security. Winter believes that much of it is possible; but we will need to wait for the full publication to see how they are to be implemented.