Comment Neelie (Kroes)

Making speeches talk

Towards a coherent international cyberspace policy for the EU

Brussels, 30 January 2013

Global Cyber Security Conference
SPEECH/13/82 (see the source)
by Neelie Kroes
Vice-President of the European Commission responsible for the Digital Agenda

I welcome today's debate on cybersecurity. This discussion could not come at a better time.

Every day, people across the world use digital technologies for all kinds of activity, from communication to healthcare, from entertainment to banking. Not to mention businesses and governments using these networks to deliver their many services.

The digital transformation offers a boost to all. A stronger society; a more prosperous economy; a platform to exercise human rights. We must ensure that our citizens and our businesses can get all those benefits, securely.

Overall the internet offers a boost to productivity, innovation, economic growth. It creates 5 jobs for every 2 lost. That’s an opportunity we can't turn our backs on: we should do everything we can to achieve them. But rising threats, rising vulnerabilities, and lack of trust all stand in the way.

The reasons for these risks vary. Sometimes it's about outright attacks; sometimes it's people making mischief; sometimes just mistakes or natural disasters.

And indeed some of these cases are high-profile. In 2011, for example, you may recall the case of Dutch certification company Diginotar; or the security breaches at national registries for the EU's emissions trading system. Two years ago the Dagmar storm wrecked millions of communications links. And so on.

The costs of insecure systems are high. According to the World Economic Forum, over the next decade, there is a 10% chance of a major breakdown costing over a quarter of a trillion dollars.

In just one year, PWC found that three quarters of UK small businesses, and 93% of large ones, had suffered a cybersecurity breach. Bear in mind each breach can cost tens of thousands of euros; for a large business ten times that. And the cost of data breaches can be millions, not to mention the reputational damage.

And risks are mounting. According to Symantec, the total number of attacks increased by 81% in just one year. And in ever more forms: denial-of-service, Trojans, worms, identity theft, botnets, phishing, you name it. And I know that many of you will yourself have experienced incidents with significant impacts.

Such events undermine trust, and often mean vital services or transactions need to be suspended.

Yet in spite of those issues, most ICT users are not aware enough of the risks they face online: and many are insufficiently prepared. And the majority of incidents could be prevented, by taking just simple or cheap measures.

These risks aren't constrained by borders – neither within nor outside the EU. They don't stay meekly contained within one sole jurisdiction, under the watchful eye of a single authority. On a globally interconnected network, they travel freely, and they seek out the weakest link in the chain.

And if threats do not stop at national borders, nor does the responsibility to secure ourselves against them. This is a global problem needing a global response.

Fragmentation and duplication won't help: we need to cooperate, in all kinds of ways. We have long supported measures to boost that cooperation within the EU. But as its importance rises, so does the imperative to do more.

Our EU Cybersecurity Strategy will propose a comprehensive approach. To improve the resilience and security of network and information systems, step up the fight against cybercrime, strengthen our international cybersecurity policy, and explore synergies with defence.

Alongside the Strategy will be a proposed Directive to strengthen cyber resilience and network and information security, within our internal market.

Let me outline our objectives. I've already mentioned the need for cooperation. And that will take place on several levels.

For a start, we need cooperation between policy areas. There are many aspects to cybersecurity: like prevention, resilience, law enforcement and defence. That calls for collaboration between those responsible for digital affairs, home affairs and external action. And that is exactly why I have been working closely with Cathy Ashton and Cecilia Malmstrom, and we will be presenting this strategy together.

Second, cooperation means cooperation between the countries of the EU. But that can only happen with some consistency, involving everyone: it shouldn't just be an exclusive club for the top performers. And across the EU, some countries are still not prepared enough: there are gaps in their capabilities. So we will propose that all EU countries equip themselves properly for network and information security: like by requiring each to have a well-functioning Computer Emergency Response Team. Member States would also need a competent authority for network and information security, who should cooperate at EU level, supported by the European Network and Information Security Agency.

Third, we need cooperation between public and private sectors. On the one hand, the public sector can set the framework, providing the right incentives to secure their systems, and can lead by example. On the other, it is the private sector that actually owns and operates most of the networks.

There is already much, welcome cooperation happening between public and private sectors. So we will encourage and develop Public-Private Partnerships, by leveraging existing work, like the European Public-Private Partnership for Resilience.

But we all need to do our bit. Did you know, for example, that as of last year, only one in four EU companies had a regularly-reviewed, formal ICT security policy? Even among ICT companies, the figure is only one in two. That's not enough.

Here's one way to help. In the Diginotar case, they did not report that their systems were hacked, nor did they revoke the digital certificates. That resulted in certificates being fraudulently issued and circulating online; ultimately undermining trust in the system.

In the telecoms sector, we already have obligations to report significant incidents. And some Member States have taken similar measures in a number of sectors, including the Dutch, following Diginotar.

The fact is, more and more sectors use telecoms networks in ways vital to our economy and society – energy, transport, banking, healthcare, and key internet companies. So we should extend those reporting obligations to those new sectors.

Fourth, we need international cooperation: this isn't just the EU's issue. We need a coherent international cyberspace policy for the EU.

We will strengthen cooperation with key international partners like the US, Japan, OECD, OSCE, UN and ITU. We will take an active part in the global debate to develop norms for responsible behaviour in cyberspace. And we will help build cybersecurity capacity in third countries.

Overall, our international actions must promote EU core values and fundamental rights: like freedom of expression, access to information, privacy and data protection.

Fifth, we will develop an integrated market for secure ICT solutions. With initiatives and incentives so all players in the ICT value chain embrace a cybersecurity culture. From equipment manufacturers to software sellers; service providers to operators; online banks to online retailers.

With the right investment in R&D, and the right policy framework, we can turn research results into commercial reality. And indeed the new European research and innovation programme, Horizon 2020, will be a key instrument. To boost our industrial policy, promote a trustworthy European industry, advance the internal market and reduce our dependence on foreign technologies.

Sixth, there will be a number of other measures: like stepping up the fight against cybercrime. Like improving EU coordination. And indeed the European Cybercrime Centre, recently opened within Europol in The Hague, could gradually serve as a voice for the law enforcement community, in the EU fight against cybercrime.

Plus we will take further measures to fight botnets; improve the security and resilience of Industrial Control Systems and Smart Grids; and make users both more aware of risks — and empowered to tackle them, so we can all play our part in this common responsibility.

In short, this Strategy will help Europe get its own house in order — and become an even more trusted partner at the international level.

I hope that this Strategy will open a constructive debate: and I hope you will take part in it.

As more people come to rely on the Internet, they rely on it to be secure. And as the online world becomes a part of everything we do, securing that world is essential to ensuring a society that remains secure, prosperous and free. Thank you.