ENISA, a pan-European agency designed to promote closer coordination on information security, is calling for a revamp of cyber-security laws and best practices in a bid to combat the growing economic impact of cyber attacks and botnet spam.
The adoption in Europe of US-style information security breach disclosure laws is a key plank in this manifesto, and emerged in a technical briefing by The European Network and Information Security Agency to journalists on Tuesday.
ENISA reckons that security breach reporting, applied consistently across Europe, would reveal the true scope of information security problems. In setting up such a regime the agency wants to strike a balance between transparency and existing confidentiality rules (in the banking sector, for example). It wants the framework to apply uniformly across the EU, unlike security breach disclosure laws in the US, which are enacted and applied on a state-by-state basis.
ENISA's executive director Andrea Pirotti said that six million computers worldwide are compromised by malware and connected to a botnet. "They are used for fraudulent activity by criminals. This is why we can state that info security is the most serious concern of any public or private organisation. Our critical national infrastructure, our business, our private communication goes online. We don't want such structures to be disrupted. We don't want our critical infrastructures to collapse."
Dr Ronald De Bruin, head of the cooperation and support department at ENISA, said that spam is growing ten per cent year on year. "Spam costs €64.5bn for service providers, double that of 2005, even though 94 per cent of spam is filtered out before it reaches users' in-boxes. Spam introduces all sorts of security risks from virus infection and phishing to botnets."
ENISA is a brainchild of the European Commission. The agency, established three years ago, acts as a centre of expertise for policy formation in the area of information security. It has no regulatory powers of its own: it can only recommend courses of action, which the EU, in consultation with industry, then decides whether to apply.
ENISA helps member states prepare for cyber-attacks such as those faced by Estonia last year. It supports member states in setting up Computer Emergency Response Teams (CERTs), which De Bruin described as digital fire brigades. Europe now has 14 national CERTs, up from eight in 2005, and this figure is expected to grow to 24 over the next two years or so.
The agency has launched a three-year programme designed to improve the resilience of public e-communications and services. It aims to perform a gap analysis before identifying and promoting best practices. "Our target is that by 2010 the Commission and at least half the member states have made use of our recommendations in policy," explained De Bruin. He added that the agency is piloting risk management tools for SMEs, which are seen as fighting on the front line against cyber-crooks.
ENISA wants to act as a clearing house for best practices in cybersecurity. "We need to build on existing national systems where the EU has no operational role but acts as a facilitator of best practices," he said.
De Bruin highlighted gaps in cyber-security reporting as a particular problem.
The briefing also covered the agency's concerns about privacy on social networking sites. Existing EU privacy laws were written before the advent of social networking websites such as Facebook and MySpace. De Bruin described social networking as a "digital cocktail party" that ENISA wants to encourage. At the same time, ENISA wants to develop recommendations for consumers, users and the social networking sites themselves, designed to guard against privacy risks.
For example, it reckons EU legislation needs to be expanded to cover the posting and tagging of photos of people, which at present can be done without the subject's consent. "Our position is not to scare people; however, we feel we have to make recommendations to help protect against risks and therefore create a better and safer environment," Dr De Bruin explained.
ENISA has also published a video on its work on "Security in Online Social Networking".