According to the office of the Cyprus Presidency, the precise purpose of the meeting was “to assess progress on Europe’s cyber security and identify where cooperation and capacity building can help make the Internet more secure for everyone.” But ENISA has provided little information on the discussions themselves: soundbites without meat. “Europe’s information society depends on secure technology, well-built laws and policies and security-aware citizens,” said Professor Udo Helmbrecht, ENISA’s executive director. “The key to strong cyber security is sharing responsibility. That is the 'name of the game’,” said Neelie Kroes, the EC’s commissioner for the Digital Agenda. Any discussion on how this might be achieved is left undisclosed by ENISA.
Attendance was by invitation only, but included Paul Nicholas, senior director at Microsoft, and Tom Koehler, CEO at Cassidian for industry; and Amelia Andersdotter, MEP for the Swedish Pirate Party and a member of the European Parliament’s committee on industry, research and energy. It could be described as tri-partite, with Microsoft and Cassidian representing industry; Kroes and Paul Timmers (director at DG Connect) for the executive branch of the EU; and Amelia Andersdotter, for the people.
Andersdotter has provided Infosecurity with more information in an email exchange – and she seems a little exasperated by the difficulty for industry and traditional bureaucracy (the Pirate Party can hardly be described as ‘traditional bureaucracy’) to find common ground and a common language. “The political presence,” she said, “was clearly much more agitated with security concerns, and the staggering increases of security threats, than the experts – who were more concerned with politicians being concerned.
“We tried to entertain the thought that the Commission will finally be able to give clear messages on what they are going to do with their network security strategy,” Andersdotter told Infosecurity, “but they were only able to confirm that they have expanded its scope to cyber-space.” The Commission, she said, seemed to be strongly in favour of cooperation between economic sectors and “left all calls for a soundly regulated network security space uncommented.”
For industry, “Microsoft and Cassidian, were presenting mixes of non-intervention messages. Essentially, they wish for as much security work to be voluntary as possible, but also said that some regulation, and particularly appropriate regulation, is necessary. Therefore they called for politicians to be aware of this - security breach notifications can be good and advisable, but one must take care to have a definition of notification which is suitable for the task, and not one which is defined by lawyers in a way that is not necessarily conducive to better security research.”
And for the people, Andersdotter told Infosecurity, “I repeatedly lamented the inability of political institutions, including the Commission, to be clear and non-alarmist.” She pointed to 2-page resolution on cybersecurity and defense agreed by parliament last week: it “contains no less than 7 synonyms for the word ‘threat’ combined with the prefix ‘cyber’. It is bordering on being prose, rather than a serious addition to any ongoing political and needed process.” Adding insult to industry, she says, that resolution “starts out by calling for harmonized terminology, something which the High-Level Meeting yesterday concluded was a very unlikely development.”