
Content archived on 2023-03-02

Commission proposes new measures to improve IT security

The European Commission has adopted a communication reviewing current security threats to the information society and outlining measures to revitalise its existing information technology (IT) security strategy. Despite efforts at international, European and national level, network and information security continues to pose challenging problems.

Whereas attacks on information systems in the past were seen to be motivated by a desire to create disruption, nowadays they appear to be spurred on by profit. The Commission's document cites the example of spam, which it says is now becoming a vehicle for fraudulent and criminal activities such as spyware, a programme which illegally mines data without the user's knowledge.

The communication points to the increasing deployment of mobile devices and mobile-based network services, which it estimates will also pose new challenges, as IP-based services develop rapidly. These could eventually prove to be a more common route for attacks than personal computers since the latter already deploy a significant level of security. Indeed, all new forms of communication platform and information system inevitably provide new windows of opportunity for malicious attacks.

Given the relevance of the information and communication technologies (ICT) sector for the European economy, the Commission estimates that breaches in network and information security (NIS) could have devastating results for productivity and growth. In addition, there is a general concern that security problems may lead to user discouragement and lower take-up of ICT. Experts also believe that due to increased interconnectedness, NIS will affect larger infrastructures such as transport and energy. Security presently represents only around 5-13 per cent of IT expenditure, figures which the Commission says are too low.

To ensure greater security, the communication proposes adopting a more 'dynamic and integrated' approach to the current IT security strategy by designing a framework involving all stakeholders. This is based around a number of initiatives promoting dialogue, partnership and empowerment.

As a first step, the communication suggests initiating a benchmarking exercise on national NIS-related policies, including specific security policies for the public sector. If appropriately structured, the results of such an exercise could help to identify best practices for increasing awareness among small and medium-sized enterprises (SMEs) and citizens of the need to address their own specific NIS challenges and requirements as well as their ability to do so.

To ensure greater partnership with Member States and other stakeholders, the European Network and Information Security Agency (ENISA) in Heraklion, Greece, will be entrusted to develop an appropriate data collection framework to handle security incidents and measured levels of consumer confidence from all over Europe. ENISA will also be asked to examine the feasibility of a multilingual information sharing and alert system.

Finally, the communication encourages stakeholders to play a more proactive and energetic role in enhancing network and information security. In the case of Member States, it suggests measures such as participating in the proposed national NIS benchmarking, or introducing network and information security programmes as part of higher education curricula. For the private sector, the communication points to the need for software producers and Internet service providers to define and agree to common security standards and best practices.

The Commission will report to Council and Parliament in the middle of 2007 on the activities launched, the initial findings and the state of play of individual initiatives, including those of ENISA and those taken at Member State level and in the private sector. If appropriate, the Commission says it will make a recommendation on network and information security (NIS).
