Global Perspectives
i2010
The European Parliament adopted a Resolution on i2010 at its plenary session on 14 March 2006. Relevant extracts include:
- "Digital convergence has the potential to provide consumers with
access to a great diversity of improved services and rich content,
and thus, the security of the infrastructure must be improved and strengthened
and a favourable and secure environment created which stimulates the
competitive deployment of these converging services."
- [The European Parliament] "Calls on the Commission to specify clear
actions to provide protection from harmful content, and in this context,
to promote, inter alia, the role of the European Network and Information
Security Agency."
- [The European Parliament] "Recalls that the development of network security
is indispensable in order to increase confidence in all network services,
commercial and eGovernment services; urges that network security be promoted
by technical and legislative means and through education, e.g. by creating
a Europe-wide information security strategy and launching an annual European
information security day to increase citizens’ awareness of information
security, while taking care to ensure that this security does not restrict
freedom of expression and citizens’ rights; welcomes the Commission proposal
to launch a safe information society strategy in 2006 seeking to increase
both investor and user confidence in internet services and their reliability
as a means of addressing the issues of fraud (affecting purchases), illegal
and harmful content (concerning the protection of minors and human dignity
and the protection of privacy) and technological shortcomings (so as to
ensure the efficient and effective use of ICT);"
http://www.europarl.eu.int/omk/sipade3?PUBREF=-//EP//TEXT+TA+P6-TA-2006-0079+0+DOC+XML+V0//EN&L=EN&LEVEL=1&NAV=S&LSTDOC=Y&LSTDOC=N
The European Economic and Social Committee (EESC) adopted an Opinion on
i2010 on 16 March 2006. It includes several references to security:
- "The EESC would also like to stress the importance of enhancing awareness
with regard to security matters, since confidence in IT is a prerequisite
for its frequent use and of particular relevance to the exploitation of
the full potential of the Internet. In order to elevate awareness, public
authorities at local, national and EU level should encourage cooperation
with business in order to combat cyber-crime."
- "In the information society debate, security is central to the development
of attitudes towards and trust in IT. The perceived security of and trust
in digital transactions determines the speed with which enterprises are
likely to exploit ICT in their business. Consumers' willingness to provide
credit card numbers on a web page is greatly influenced by the perceived
safety of the action. In addition, users' trust in ICT is an essential ingredient
to the acceptance of eGovernment and to its rollout."
- "The security of information and computer-related crime is increasingly
a major problem affecting businesses, administrations, employees and consumers
alike. The EESC would stress that information society policy must be framed
in such a way that confidence is enhanced and all players dare to exploit
the full potential of the Internet."
- "As information networks become increasingly integrated, society is ever
more dependent on 24/7 functioning of the system; consequently, functioning
of the physical infrastructure is crucial when information- and network
security is under discussion. It is important that the systems should include
network redundancy."
- "For ICT users it is essential that computer-related crime is tackled,
where possible, in an internationally harmonised way, and that enforcement
of legislation is vigorously pursued, thereby demonstrating that such crime
does not pay. Initiatives to combat computer-related crime must, however,
be assessed to ensure they are not at the expense of industry or at the
expense of fundamental rights such as the right to privacy. Such assessments
are important, notably in the current debate regarding stricter data retention
requirements."
- "The security problem has been acknowledged by the Commission in numerous
communications and recommendations, as well as through the establishment
of the European Network and Information Security Agency. The EESC believes
that a common environment should be created through the Agency where public
and private sectors can work together to protect their information systems,
taking into account the increasingly rapid changes in technology and without
imposing inappropriate administrative or financial burdens."
http://eescopinions.esc.eu.int/EESCopinionDocument.aspx?identifier=ces\ten\ten220\ces415-2006_ac.doc&language=EN
Data retention
The Data Retention Directive has been allocated the following reference number: Directive 2006/24/EC.
The Article 29 Working Party adopted an Opinion on the Data Retention Directive on 25 March 2006. It notes that the Directive lacks some "adequate and specific safeguards as to the treatment of communication data and leaves room for diverging interpretation and implementation by the member states in this respect." The Working Party considers it crucial that the provisions of the Directive are interpreted and implemented in a "harmonised way to ensure that European citizens can enjoy throughout the European Union the same level of protection". The Working Party notes that "This should also be done with a view to reducing the considerable costs to be borne by the service providers when complying with the provisions of the Directive."
On the issue of security, the Opinion states: "Minimum standards should be defined concerning the technical and organisational security measures to be taken by providers, specifying more in detail the general requirements of the Directive on data retention."
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2006/wp119_en.pdf
ENISA Update
The first edition of the ENISA Quarterly of 2006 has been published. It includes an article on outsourcing of IT security by Bruce Schneier, CTO of Counterpane. (He will be the keynote speaker at ISSE 2006 in October.)
http://www.enisa.eu.int/doc/pdf/publications/enisa_quarterly_03_06.pdf
Two of ENISA’s technical experts, Carsten Casper and Pascal Manzano, have prepared a study on spam and security measures. The study is based on more than 90 responses to questionnaires that were sent to providers and National Regulatory Authorities. The outline of the study follows Directive 2002/58/EC, in particular Article 4 (Security) and Article 13 (Unsolicited Communications). Security breaches are dealt with on page 22 and subsequent. The section concludes: "All providers should be proactive and monitor their networks for risks of security breaches. Providers could also be asked to report which networks they monitor. […] Having providers report on the risk of security breaches is very important in order to get an overview of the risk that can be expected from a particular problem. This assumes that information on such risk of breaches has been communicated properly. Reporting of actual security breaches, publicly or anonymously, would help even further. Additional research is necessary. […] A cost versus risk perspective in the reporting on the risk of security breaches could be encouraged. This also requires research in the area of cost and risk measurements."
http://www.enisa.eu.int/doc/pdf/deliverables/enisa_security_spam.pdf
Rainer Lau of the European Commission visited ENISA on 23 March 2006. Mr Lau is an Adviser on relations with EU Agencies in the Commission’s Secretariat General. The Executive Director of ENISA, Andrea Pirotti commented: "It is a pleasure to welcome Mr Lau as a high level Adviser, and to discuss ENISA’s organization and future in detail at our own premises here on Crete. I would like to express many thanks in advance to Mr Lau to take the effort to visit us, and I look forward to fruitful discussions."
http://www.enisa.eu.int/news/lauvisit/index_en.htm
Article 29 Working Party / RFID
The American Chamber of Commerce to the European Union (AmCham EU) has issued a position paper on RFID. AmCham EU states that new technologies, such as RFID, will not only create supply-chain efficiencies and productivity gains but will also improve security, decrease counterfeiting, ensure food and product safety, and increase pharmacovigilance. The paper recognises that adequate privacy and security safeguards remain key for wide consumer acceptance of the technology. AmCham EU concludes that "there are many positive uses of RFID technology, not only in boosting the competitiveness of companies in Europe, but also in improving the safety and security of its citizens" and states its intention to continue to be involved in the Commission’s work on RFID through attendance at the workshops (see last edition of this newsletter).
http://www.amchameu.be/Pops/2006/rfid_310306.pdf
Other Issues of Relevance
- Electronic signatures: On 15 March 2006, the Commission
issued a progress report on the operation of Directive 1999/93/EC on a
Community framework for electronic signatures. According to the Commission,
the reluctant take-up of electronic signature tools is slowing down the
growth of trade in goods and services via the Internet. However, growing
use of electronic ID cards and the use of e-signatures in e-government
services, such as on-line income tax returns, are expected to drive demand
in the future. The report also confirms that the 1999 Directive continues
to provide, for the moment, a valid basis for electronic signatures in
the internal market. The Commission will also prepare a report on standards
for electronic signatures in 2006 to see whether further regulatory measures
by the EU are required.
http://europa.eu.int/information_society/eeurope/i2010/docs/single_info_space
/com_electronic_signatures_report_en.pdf
http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/06/325&
format = HTML&aged=0&language=EN&guiLanguage=en
- Phishing: EuroISPA, the European Internet service provider
association, hosted a roundtable panel on "A Coordinated Approach to Online
Fraud: Combating Phishing", in Brussels on 20 March 2006. The event was
organized in association with Microsoft and Interpol. Pat Cox, former President
of the European Parliament, moderated a panel discussion that included
Kurt Einzinger, EuroISPA Vice President; Neil Holloway, President Microsoft
EMEA; and Bernhard Otupal, Crime Intelligence Officer with Interpol´s High
Tech Crime Unit. The panel evaluated current anti-phishing initiatives,
discussed how these fit with the EU policy agenda and showcased new approaches
to combat this threat. In a statement, Wolfgang Gattringer, Deputy Chief
of Staff of the Austrian Federal Ministry of the Interior, said: "The Austrian
EU presidency welcomes the efforts by industry in partnership with European
government to address the phishing threat to consumers. Public-Private
Partnerships are the way to make the Internet safe and secure for all."
http://www.euroispa.org/antiphishing/
Microsoft launched legal action against 100 phishing gangs based in Europe, the Middle East and Africa in the month of March. By the end of the month, 53 cases were due to have been started according to Microsoft, with all 100 filed by the end of June 2006. Seven of the criminal groups behind fake websites that trick people into handing over confidential information are known to be in the UK. The legal cases follow investigative work undertaken by Microsoft, national police forces and Interpol. By the end of 2005 it is estimated there were more than 7,000 phishing sites on the net, many run by the same established groups. This legal action follows similar action in the US in which Microsoft filed 117 lawsuits against phishing suspects and which has led to the closure of more than 4,700 phishing websites.
http://news.bbc.co.uk/1/hi/technology/4825072.stm - eu: Registrations for .eu Internet addresses open for
all EU citizens at 11am (CET) on 7 April 2006. Registrations will be
allocated on a first-come, first-served basis. This follows a four-month
sunrise period during which applications were received from administrations
and companies with "prior rights" to specific names. Commissioner Reding
will hold a press conference to mark the occasion.
http://www.europa.eu.int/rapid/pressReleasesAction.do?reference=AGENDA/06/13&format=HTML&aged=0&language=EN&guiLanguage=en - EDPS opinion on the interoperability of European databases: The European
Data Protection Supervisor (EDPS) issued an Opinion on 10 March 2006 on
the Commission’s Communication on the interoperability of European databases
(issued in November 2005). Peter Hustinx, the EDPS, states: "It is regrettable
that the protection of personal data has not been explored sufficiently
as an inherent part of the improvement of the interoperability of relevant
systems. The EDPS suggests adding to this Communication a more consistent
analysis on data protection, including privacy-enhancing technologies to
improve both effectiveness and data protection." This Opinion may well
feed into discussions on the Commission’s Communication in the other EU
institutions.
http://www.edps.eu.int/legislation/Comments/06-03-10_Comments_interoperability_EN.pdf - European Information Society Technology Grand Prize for 2006: The European
Prize has been awarded to firms from France (Advestigo), Denmark (Guardia)
and the Netherlands (Cavendish Kinetics). Worth €200,000 each, the prize
went to the following projects: a digital fingerprints' system for multimedia
digital content, a 3D face recognition system for security applications
and a nanotechnology innovation in computer storage enhancing "non-volatile" memory.
The European IST Prize is organised by the Commission together with the European Council of Applied Sciences, Technologies and Engineering (Euro-CASE). It is open each year to companies or organisations that present an innovative information technology product with promising market potential. Products entered must be at least at demonstrable prototype stage and if already marketed should not have been introduced more than 18 months prior to the launch of the competition.
http://www.ist-prize.org/