EU plans pan-European network of cybersecurity services

Joint press conference by Catherine Ashton (centre), Neelie Kroes (left) and Cecilia Malmström. (EC Audiovisual Services). 7/2/2013.

The European Union proposes the creation of a pan-European network of digital security services. Last week, Neelie Kroes, Commissioner for the Digital Agenda, Catherine Ashton, High Representative for Foreign Affairs and Security Policy and Cecilia Malmström, Member of the EC in charge of Home Affairs, made jointly the relevant announcement. They unveiled a plan for a Directive aimed at creating an EU network of digital national authorities, which together with European Cybercrime Centre will make sure that EU citizens and business get the best network and information security (NIS).

Within such a huge network however “side effects” may appear threatening the democratic rights of businesses and individuals. For one thing compulsory reporting of cyber security incidents may damage the reputation of companies. By the same token cyber security government services empowered also with EU authority, might be tempted to “overlook” under certain circumstances the democratic and human rights of citizens.  But let’s follow what the Commission is proposing.

The Commission demands that member states employ adequate means to be used for this ambitious plan. They are forgetting however in Brussels that practically all member states have already created their own national digital security centres and services. Obviously this matter is of utmost importance for all governments and the resources devoted to this area are increasing exponentially. This new EU Directive will make sure that this cooperation is institutionalised. Of course every country will maintain its own “secrete” areas, but after some time of cooperation the EU network may develop its own goals.

It is also important that those national cybersecurity centres will be empowered with the authority to receive and analyse NIS risks and incidents. They will be also able to impose fines for negligence to network operators and services providers. Reporting will be mandatory for major cybersecurity incidents. However making those incidents public may create problems, damaging the reputation of reporting companies. In any case the decision to make public those incidents will be taken by the national digital security centres under certain conditions. Those conditions though must be very well defined and the procedures meticulously followed.

The EU network

According to the Commission the new cyber security EU network will have the following characteristics.

(a) Member State must adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents;

(b) Creating a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organise regular peer reviews;

(c) Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.

Cybersecurity industry

Apart from the apparent goals, of reducing cybercrime and create a better environment for economic growth, the new Commission initiative has more targets. Developing new tools for cyber defence policies and capabilities related to the Common Security and Defence Policy (CSDP) will mobilise the relevant industrial and technological resources. In this field there will be for sure more public subsidies for innovation and development. It is also certain that there will be more government spending and jobs in this sector. The EU Commission has rightly sensed that governments are favourable to that kind of expenditure, despite the fiscal restrictions imposed by the economic crisis.

Protection from protectors

For a long time member states are already very active on those fronts and have developed special police and army units to control cybercrime and. In view of this the EU Commission’s initiative should contain and a democratic element authorising controls on protectors and enforcing restrictions, to safeguard citizens’ rights. This should be on top of the existing national provisions.

In short Brussels must include in this initiative a democratic element. A huge pan-European network of cybersecurity services may create fertile ground for the development of anti-social activities, by obscure groups within it. This danger should not be underestimated. Probably the European Parliament could intervene in the drafting of the Directive and include such provisions. “Protecting us from our protectors” is not a small issue and Brussels must take good care of that.

Trending now: