Electronic communications: network and information security, role of the public sector

2001/2280(COS)
PURPOSE: to propose a European policy approach aimed at improving network and information security.

CONTENT: the explosion in the use of communication networks such as the Internet has led to the recognition that greater measures are needed to protect network and information security. Network and information security is considered a priority mainly because of the need to offer adequate data protection, to ensure a functioning economy and national security, and the wish to promote e-commerce in the European Union. The Stockholm European Council accordingly requested the European Commission to come up with plans to reinforce and strengthen information security. The Commission accordingly prepared this Communication, in which it outlines plans for future EU activities in the field of network security.

The Communication notes that security has become a key challenge for policy makers largely because networks are no longer controlled through state enterprises. Rather, networks are now in the hands of the private sector, on a European and indeed global level. Some measures already exist at the European level aimed at safeguarding networks from unwanted attacks, including the telecommunications and data protection framework Directive. In view of changing technologies and increased use of networks, the provisions currently existing are clearly inadequate and in need of additional supporting measures.

The Communication defines the ultimate objective of network security as "the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions". Attacks on a network are not necessarily always the result of malicious intruders such as "hackers" or viruses, but also the result of unforeseen and unintentional events such as natural disasters (including floods, storms, earthquakes), hardware or software failures or simply, even, human error.

To strengthen network and information security the Commission Communication proposes the following measures:

- An awareness raising campaign. As the report notes, many users of networks are simply not aware of certain dangers to their security. Hence the need for a public information and education campaign.
- A European warning and information system. Here the Commission urges Member States to strengthen their Computer Emergency Response Teams (CERTs) and improve co-ordination amongst themselves.
- Technology support. The Commission urges greater funding under the 6th Framework Programme for research into security measures.
- Support for market oriented standardisation and certification. The Commission hopes that standardisation organisations such as CENELEC will accelerate work into inter-operability.
- Legal framework. The Commission will propose legislation on cyber-crime.
- Security in government use. The Commission calls on Member States to incorporate effective inter-operable security solutions in their e-government and e-procurement activities.
- International co-operation. The Commission will reinforce dialogue with international organisations and partners on network and information security.

The Commission proposes to launch a wide-ranging discussion with industry and users on the practical detail of implementing the actions proposed and calls on interested parties to submit comments by the end of August 2001.