Wednesday, November 24, 2010

EU Internal Security Strategy Published

The Commission has just published an internal security strategy document setting out a four-year plan for European level action on the issues of "fighting and preventing serious and organised crime, terrorism and cybercrime, strengthening the management of our external borders and building resilience to natural and man-made disasters."

While the entire plan is likely to be controversial (and the sections on border control have already been criticised), I'd like to focus on the section on cybercrime and to offer a few thoughts:

Action 1: Build capacity in law enforcement and the judiciary

By 2013, the EU will establish, within existing structures, a cybercrime centre, through which Member States and EU institutions will be able to build operational and analytical capacity for investigations and cooperation with international partners. The centre will improve evaluation and monitoring of existing preventive and investigative measures, support the development of training and awareness-raising for law enforcement and judiciary, establish cooperation with the European Network and Information Security Agency (ENISA) and interface with a network of national/governmental Computer Emergency Response Teams (CERTs). The cybercrime centre should become the focal point in Europe's fight against cybercrime.

At national level, Member States should ensure common standards among police, judges, prosecutors and forensic investigators in investigating and prosecuting cybercrime offences. In liaison with Eurojust, CEPOL and Europol, Member States are encouraged by 2013 to develop their national cybercrime awareness and training capabilities, and set up centres of excellence at national level or in partnership with other Member States. These centres should work closely with academia and industry.

The recommendations for action at EU level are welcome, but unfortunately Ireland has a long way to go to meet the recommendations for action at national level. I've written about the failings in the Irish response to cybercrime recently in the Sunday Business Post.

Action 2: Work with industry to empower and protect citizens

All Member States should ensure that people can easily report cybercrime incidents. This information, once evaluated, would feed into national and, if appropriate, the European cybercrime alert platform. Building on the valuable work under the Safer Internet Programme, Member States should also ensure that citizens have easy access to guidance on cyber threats and the basic precautions that need to be taken. This guidance should include how people can protect their privacy online, detect and report grooming, equip their computers with basic anti-virus software and firewalls, manage passwords, and detect phishing, pharming, or other attacks. The Commission will in 2013 set up a real-time central pool of shared resources and best practices among Member States and the industry.

Cooperation between the public and private sector must also be strengthened on a European level through the European Public-Private Partnership for Resilience (EP3R). It should further develop innovative measures and instruments to improve security, including that of critical infrastructure, and resilience of network and information infrastructure. EP3R should also engage with international partners to strengthen the global risk management of IT networks.

The handling of illegal internet content – including incitement to terrorism – should be tackled through guidelines on cooperation, based on authorised notice and take-down procedures, which the Commission intends to develop with internet service providers, law enforcement authorities and non-profit organisations by 2011. To encourage contact and interaction between these stakeholders, the Commission will promote the use of an internet based platform called the Contact Initiative against Cybercrime for Industry and Law Enforcement.

Much of this is uncontentious, but the references to handling illegal internet content require careful scrutiny. The "guidelines on cooperation" and "notice and takedown procedures" reflect a worrying trend at EU level towards bringing about internet censorship by means of self-regulation. The result is that decisions about legality are being made in a way which doesn't have a legislative basis and excludes judicial oversight. This trend can already be seen in relation to internet filtering but this strategy, if implemented, would seem to extend it significantly further. It is hard to see how this proposal could be compatible with Article 10 of the European Convention on Fundamental Rights.

Action 3: Improve capability for dealing with cyber attacks

A number of steps must be taken to improve prevention, detection and fast reaction in the event of cyber attacks or cyber disruption. Firstly, every Member State, and the EU institutions themselves should have, by 2012, a well-functioning CERT. It is important that, once they are set up, all CERTs and law enforcement authorities cooperate in prevention and response. Secondly, Member States should network together their national/governmental CERTs by 2012 to enhance Europe's preparedness. This activity will also be instrumental in developing, with the support of the Commission and ENISA, a European Information Sharing and Alert System (EISAS) to the wider public by 2013 and in establishing a network of contact points between relevant bodies and Member States. Thirdly, Member States together with ENISA should develop national contingency plans and undertake regular national and European exercises in incident response and disaster recovery. Overall, ENISA will provide support to these actions with the aim of raising standards of CERTs in Europe.

The Irish CERT body (IRISS) does not have any state funding at present; will this recommendation encourage the Irish government to provide funding?
