Brussels, 07/02/2013 (Agence Europe) - There are more than 150,000 computer viruses circulating every day, and more than 1 million attacks daily, costing tens of billions of euro worldwide every day (between €290-750 billion, according to different studies). Only 26% of European companies have a real policy for tackling cyber attacks, although most of these attacks could be avoided. This is the rather disturbing picture painted on Thursday by the EU High Representative, Catherine Ashton, the Commissioner for the Digital Strategy, Neelie Kroes and Commissioner Cecilia Malmström, during the presentation of the EU's new cyber security strategy.
A directive on network and information security (NIS) accompanies this strategy. The three EU leaders insisted that this strategy is expected to help maintain the sensitive balance between security imperatives and the need for a free and open internet.
The action plan presented on Thursday is based on five priorities: achieving cyber resilience; drastically reducing cybercrime; developing cyber defence policy and capabilities in liaison with the Common Security and Defence Policy (CSDP); developing the industrial and technological resources for cyber-security; establishing a coherent international cyberspace policy for the European Union and promoting core EU values.
In a press release, the Commission explained that the draft NIS directive will compel all member states, key internet service facilitators and critical infrastructure operators, such as e-commerce platforms and social networks, as well as operators in energy, transport, banking and healthcare services “to ensure a secure and trustworthy digital environment throughout the EU”. It will require member states to adopt an NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents. A cooperation mechanism between member states and the Commission should be created, “for sharing early warnings on risks and incidents through a secure infrastructure”, and operators of critical infrastructures in some sectors (financial services, transport, energy) and also search engines, social networks and other internet providers will have to report major security incidents or breakdowns on an online reservation site.
Internet access providers are already under an obligation to provide information about security incidents. A report from ENISA, the competent European agency, noted 51 serious incidents in 2011, the majority (60%) of which involved telephony and the mobile internet. In its next report, ENISA believes, this figure could be multiplied by 10, once member states have their mechanisms in place.
The EU cyber security strategy received a rather mixed welcome. Although the EPP Group welcomed the presentation of an action plan, it regretted the delay and deplored the fact that member states are not subject to a strict deadline for implementing their cyber security policy, stated the rapporteurs Tunne Kelam and Monika Hohlmeier. Marietje Schaake MEP (Liberal, the Netherlands) said that the Commission plan simply lacked long-term vision and was exclusively focusing on an assessment of the weaknesses. It also created a significant number of uncertainties about how digital freedoms would be taken into account. The MEP also believes that member states will need more than just a “telephone chain” to make themselves secure in the long run against cyber attacks. (SP/transl.fl)