Europe Daily Bulletin No. 10408
GENERAL NEWS / (ae) eu/cyber-security

Map of best practice in Europe (ENISA)

Brussels, 29/06/2011 (Agence Europe) - According to a report by the European Network and Information Security Agency (ENISA), the state of preparedness of the European countries to deal with cyber-attacks varies greatly from state to state. The mechanisms for sharing information and cooperation between the key players also vary. ENISA's principal conclusion is that no national model exists in terms of network and information security (NIS), although many countries are making additional efforts in this field. “Mapping the IT security position for each country provides a key source of information for sharing of good practices with policy and decision makers”, said Professor Udo Helmbrecht, Executive Director of ENISA.

The reports for each country offer an overview of the current landscape of NIS in the 27 member states of the EU and three countries of the EEA zone (Iceland, Liechtenstein and Norway). Each country has supplied the following information: the individual NIS strategy of the country, the regulatory framework and major political measures, the key players and their missions, roles and responsibilities. The report also gives an overview of the main NIS activities, interactions between stakeholders, information-sharing mechanisms, cooperation platforms, and facts, trends and case studies of good practice specific to each country. The factors used to assess the effectiveness of the models include the management and communication of security incidents, risk management and emerging risks, network resilience, confidentiality and confidence, and awareness-raising.

Most of the European countries have no national strategy as such for network security, but many of them are taking steps to improve their response to cyber-attacks. Generally speaking, the government and the public authorities play a central part in defining the strategies and the stakeholders have only a very small role in the process. ENISA highlights four national examples of the development of a national strategy. France set in place a strategy in February 2011 that aims to make French policy a global leader in cyber-security issues. Germany wishes to intensify its relations with the European countries and the whole world and calls for the creation of a national cyber-defence centre. The Netherlands has drafted a full and complex strategy, together with an action plan, which were presented to the national parliament in February. Lastly, Estonia, which saw major cyber-attacks in 2007, has also set a new strategy in place. ENISA also noted the following specific issues in NIS governance:

. Key players: more and more countries are creating centralised cyber-security authorities (the United Kingdom, France and the Netherlands). In other countries, these centralised institutions are sometimes recognised as important, even though they have not been officially set up. The national or governmental CERTs (Computer Emergency Response Teams), the cornerstone in protecting the critical information infrastructure, are also increasing in number. Their number often depends on the size of the country and the importance it attaches to cyber-security.

. Cooperation: cyber-attacks, which do not stop at national borders, call for a global response from the states, based on strong cooperation. Cooperation between the key players has increased overall and certain states have created consultation platforms.

. Management of incidents: incidents are generally the responsibility of the national CERTs, but only during “working hours”, and are ignored over the weekend. However, an increasing number of CERTs run 24/7.

. Resilience: the gathering of information on good practice in e-communication network resilience is generally carried out by the various authorities and there is no central service. Best practice is the subject of recommendations by the responsible authorities. ENISA cites Austria, France and Malta as particularly effective in this matter.

. Privacy and confidence: most of the countries have implemented the data protection directive or set similar national legislation in place. In Germany, there are 20 authorities which supervise the implementation of the rules on data protection. Although the scope of this legislation is practically identical everywhere, Latvia goes furthest in banning the use of sensitive personal data.

. Consumer awareness: there are many national campaigns designed to make consumers aware of cyber-security. The British initiative “Get Safe Online” is of particular interest, with a website to provide consumers with information. Austria is organising a “Day of Data Protection”. It is worth noting that in the new member states, where fraud is more prevalent, the citizens are informed of the dangers by their access providers and banks.

. Unsolicited messages and malware: actions for awareness of spam and malware are on the increase, and are generally the results of initiatives by the industry and consumer organisations. Romania has had a blacklist of spammers for some time, while in other countries this information has become current, as is the case in Germany, for example. (I.L./transl.fl)
