Comment Neelie (Kroes)

Making speeches talk

Comment Neelie

Cyber-security – a shared responsibility

Chicago, 5 November 2012

Information Security Forum Conference
SPEECH/12/774 (see the source)
by Neelie Kroes
Vice-President of the European Commission responsible for the Digital Agenda

Every day, people worldwide rely on digital technologies and on the Internet for any kind of activity. Spanning from communication to healthcare and banking. Business in virtually all sectors and governments also rely on digital networks and infrastructure to provide their essential services.sentence permalink

+

However, growing cyber-security threats and higher vulnerability of networks and systems may hinder the benefits brought about by the Internet.sentence permalink

+

Incidents (also linked to human mistakes) and attacks are clearly on the rise. The number of web-based attacks went up 36% in the year 2011.sentence permalink

+

And the majority of respondents to the public consultation on cyber-security, that we recently run in the EU, affirmed to have experienced in the past year an incident with a significant impact on their activities.sentence permalink

+

If we want to preserve and promote the benefits of the digital world, we must put cyber security on the top of the agenda.sentence permalink

+

Cyber-security is a shared responsibility of public and private players and our policies strive to address this.sentence permalink

+

I believe however that we need to do more.sentence permalink

+

Networks and infrastructure are mainly privately owned and run.sentence permalink

+

However, the private sector clearly lacks adequate incentives to invest in security and to be transparent regarding the threats faced and the incidents occurred.sentence permalink

+

For example, according to Eurostat, by January 2012 only 26% of enterprises in the EU had a formally defined ICT security policy with a plan for regular review.sentence permalink

+

This share rose to over 50 % among those enterprises whose principal activity was ICT. This is however not enough.sentence permalink

+

Also, a very large majority of the respondents to our public consultation said that users are not sufficiently aware of the threat landscape.sentence permalink

+

I understand that companies do not share information due to fear of reputational damages or liability.sentence permalink

+

But the lack of information sharing slows down the capability to react.sentence permalink

+

In particular when an incident has repercussions outside the organisation and the other parties affected are unaware of an imminent threat or an incident that has already taken place.sentence permalink

+

Here is where the public sector comes into play.sentence permalink

+

Governments can not only provide the right incentives but also lead by example by strengthening their preparedness.sentence permalink

+

The European Strategy for Cyber-Security, which I plan to present with Commissioner Malmström and High Representative Ashton, would provide a comprehensive vision on cyber-security and would address both the EU and the international dimension.sentence permalink

+

The Strategy will focus on the need to improve the overall resilience of network and information systems, by stimulating the competitiveness of the European ICT industry as well as user demand for security functionalities in ICT products and services.sentence permalink

+

Those initiatives will be complemented by actions stepping up the fight against cybercrime. And by initiatives aiming at developing an external EU cyber security policy.sentence permalink

+

In the context of the Strategy, I also plan to present a legislative proposal setting up a high level of network and information security across the EU, with a view to ensuring the smooth functioning of the internal market.sentence permalink

+

First, I plan to require the Member States to be appropriately equipped and to cooperate among themselves.sentence permalink

+

We need to have no weak links across the EU.sentence permalink

+

Secondly, I am considering extending to new sectors (enablers of key Internet services, banking, energy, transport, health, public administrations) the obligations to adopt risk management measures and to report significant incidents to competent authorities that currently apply in the telecom sector in the EU.sentence permalink

+

These days, more and more sectors interact with, and critically depend on, ICT: there's an urgent case for creating a level playing field.sentence permalink

+

And indeed, almost all respondents to our public consultation indicated that there should be network and information security requirements in sectors like banking, energy, healthcare, Internet services and public administrations.sentence permalink

+

This legislation will overall help Europe get its own house in order and become and even more trusted partner at the international level.sentence permalink

+

International cooperation on cyber-security is one of my key priorities.sentence permalink

+

We work both bilaterally with key partners, including the US and Japan, and in multilateral fora, such as OECD, OSCE, UN, ITU.sentence permalink

+

Overall, it is for me of the utmost importance that in all activities we conduct internationally we strive to promote EU core values and fundamental rights, including freedom of expression and access to information as well as data protection and privacy.sentence permalink

+

The Strategy will address these aspects and take them forward.sentence permalink

+

Cyber-security should be recognised as a top political priority.sentence permalink

+

Here in the US it has long obtained political attention. It is time we do the same in Europe and worldwide.sentence permalink

+