Cyber Security Industry Alliance Newsletter •  Volume 2, Number 11  • Summer 2006

Global Perspectives

Review of the Regulatory Framework

The European Commission published proposals for a review of the Regulatory Framework for electronic communications on 29 June 2006. Links to the relevant documents are below:

The Communication states that: "Boundaries between electronic communications products and services will continue to blur; new forms of mobile and portable devices will appear with interactive and broadcasting features. Privacy and security will continue to be a concern for users." This is very much in line with the wording in the Communication: Strategy for a Secure Information Society. The Commission intends to review the framework by seeking changes that will:

  • consolidate the single market;
  • strengthen consumer and user interests;
  • improve security; and
  • remove outdated provisions.

Section 5.5 of the Communication on the Review deals with Improving Security and states:

"Security is identified in i2010 as one of the four challenges for the creation of a Single European Information Space. Modern electronic communications networks and services are becoming essential for everyday life, in business and at home. The availability of communications services can be threatened by technical, organisational or human failure. The trend towards IP technology also means that networks are in general more open and vulnerable than in the past.

"The growth of spam, viruses, spyware and other forms of malware, which undermines users’ confidence in electronic communications, is partly due to that openness, and partly due to the lack of appropriate security measures. The Communication on a strategy for a secure Information Society (COM(2006) 251) highlighted the need to ensure the right balance between technological development, self-regulation and regulatory measures. Specific regulatory measures are proposed in the context of this review. In order to reinforce the trust and confidence of business and individual users in electronic communications, a series of measures is proposed: 1) to impose specific requirements on providers of electronic communications to notify certain breaches of security and to keep users informed; 2) to authorise competent national authorities to require specific security measures that implement Commission recommendations or decisions; and 3) to modernise the provisions on network integrity."

The Staff Working Document on Proposed Changes to the Regulatory Framework also includes a section on security which looks, inter alia, at breaches.

The Commission has launched a consultation on the basis of these documents. A public hearing is taking place on 13 July 2006. The deadline for submissions to the consultation is 27 October 2006. The Commission then hopes to present legislative proposals before the end of the year.


ENISA Update

The European Network and Information Security Agency (ENISA) Quarterly was published at the end of June 2006. The lead article is by CSIA Executive Director Paul Kurtz and is entitled: "Information Security: A Regulatory Train Wreck". Referring to various pieces of information security legislation, Paul states that: "Business will be burdened by conflicting, costly regulation inhibiting innovation and growth. Consumers will be confused by conflicting privacy and security regimes." Paul goes on to say that governments on both sides of the Atlantic should apply a needs test when considering new laws or regulations. The article concludes that "without a robust and ongoing transatlantic dialogue on information security law and regulation, we will soon be faced with a morass of bureaucracy which is both impossible to apply, let alone untangle."

ENISA has issued "A Users’ Guide: How to Raise Information Security Awareness." The Guide "illustrates the main processes necessary to plan, organise and run information security awareness raising initiatives: plan & assess, execute & manage, evaluate & adjust. Each process is analysed and time-related actions and dependencies are identified. The process modelling presented provides the basis for "kick-starting" the scoping and planning activities as well as the execution and assessment of any programme. The Guide aims to deliver a consistent and robust understanding of major processes and activities among users."

ENISA has also published a new fact sheet on awareness raising. It looks at "why awareness raising is important, ENISA’s objectives in this area and planned activities for 2006." In addition to the Guide described above, ENISA plans in 2006 to:

  • Revisit the Information Package 2005 and elaborate on the current trends and progress in the awareness raising field. An inventory of member states’ best practices will be delivered and compiled on a CD-ROM;

  • Develop a communication plan to disseminate the Information Package 2006; and

  • Disseminate the main findings among the member states’ representatives organising a focused workshop.

A commentary on Directive 1999/93/EC on electronic signatures has been published by Dr Andreas Mitrakas, the Legal Adviser of ENISA, in the volume: Alfred Buellesbach, Yves Poullet, J.E.J. Prins "Concise European IT Law," Kluwer Law International, Alphen aan den Rijn, 2006. Concise European IT Law provides an extended overview of EU IT law.

Article 29 Working Party / RFID

An online public consultation on how the European Commission can help to ensure that the "growing use of RFID devices spurs the competitiveness of Europe's economy and enhances the quality of life of its citizens, whilst safeguarding the protection of their privacy," was launched on 3 July 2006.

Five European Commission workshops on RFID took place between March and June 2006. They brought together around 500 stakeholders from Europe and other regions of the world, who discussed the key challenges and opportunities facing the further development and deployment of RFID technologies.

The European Commission will organise a conference on 16 October 2006 on RFID. The conference will be opened by Commissioner Reding and will feature European Commission officials, Members of the European Parliament (MEPs) as well as key sector actors from industry, government and civil society. It will be the last stage of the Commission’s work on RFID, before it issues a Communication to the Council and the European Parliament, scheduled for December 2006. It will provide an opportunity for reporting on almost one year of consultation and for pointing to the main topics that will be addressed in the Communication.


Other Issues of Relevance
  • .eu: According to a press release from EURid (the registry for the .eu domain) .eu is already the third most widely-used domain in Europe (behind .uk and .de) and the seventh most widely-used internationally (behind .com, .net, .org and .info). Marc Van Wesemael, Managing Director for EURid said: "When we opened .eu for the public in April this year we were convinced it would prove popular, but no one anticipated these high numbers. We are pleased to see that people from all European countries have shown an interest in conveying a European identity on the Internet."

    EURid announced on 4 July that it had removed the possibility of gathering lists of domain names. EURid's online service makes it possible for registrars, via the on-line registration interface, to get information about the domain names they have registered. This feature was returning more information than strictly needed, namely the sequence number of the domain name asked for. By using this sequence number registrars were able to extract lists of names. As soon as this extraneous side effect of the online service was recognized, EURid removed it.

  • European Court of Justice (ECJ) Judgement on Passenger data: The European Parliament has prepared a draft Recommendation to the Council on the agreement with the United States of America on the use of passenger name records (PNR) data to prevent and combat terrorism and transnational crime, including organised crime. Prepared by MEP Sophia in 't Veld, the draft "Reiterates its previous demand that the new agreement should grant to European passengers the same level of data protection as US citizens enjoy;" and "Proposes that a dialogue, in which parliamentary representatives would take part, be launched before the end of 2006 between the EU, the US, Canada and Australia with a view to preparing jointly the 2007 review and establishing a global standard for the transmission of PNR, if that is deemed necessary."

  • Biometric passports: The European Commission adopted, on 28 June 2006, the second part of the technical specifications required for the introduction of biometric identifiers (fingerprints) into passports and other travel documents issued by member states following Council Regulation (EC) 2252/2004 on the introduction of common security standards and biometrics into passports and other travel documents issued by member states. Vice-President Franco Frattini, the European Commissioner responsible for freedom, security and justice, declared "this is a key step forward to render passports of EU citizens more secure and reliable. I am particularly proud," the Vice-President continued, "that the EU is among the first in the world issuing passport requirements with a high level of protection against unauthorised access by providing 'Extended Access Control,' whilst at the same time complying with the recommendations of the International Civil Aviation Organisation (ICAO) in order to ensure interoperability."

  • Internet Censorship: The European Parliament adopted on 6 July 2006 a Resolution on Freedom of Expression on the Internet. The Resolution:

    • Refers to a number of countries, including: China, Belarus, Burma, Cuba, Iran, Libya, Maldives, Nepal, North Korea, Uzbekistan, Saudi Arabia, Syria, Tunisia, Turkmenistan and Vietnam, and companies such as: Yahoo, Google and Microsoft;

    • Calls on EU member states to agree a joint statement confirming their commitment to the protection of rights of Internet users and the promotion of free expression on the Internet;

    • "Strongly condemns restrictions on Internet content, whether they apply to the dissemination or to the receipt of information, that are imposed by governments and are not in strict conformity with the guarantee of freedom of expression;" and

    • Calls on the Commission and the Council to draw up a voluntary code of conduct that would put limits on the activities of companies in repressive countries.

  • Interception of bank transfer data: The European Parliament adopted on 6 July 2006 a Resolution relating to the interception of bank transfer data from the SWIFT system by the US secret services. The Resolution calls on the European Commission, the Council and European Central Bank (ECB) to explain the extent to which they were aware of the agreement between SWIFT and the US government. The Parliament has also called for a hearing with the ECB, the Commission, the Council, the European Data Protection Supervisor and other private and public bodies that are involved in the affair.

  • e-Government: The European Commission has published its latest survey on e-government (carried out by CapGemini), which shows that online public services are increasingly interactive and full two-way interaction between citizens and governments is the norm. Austria leads the online public service league, followed by Malta and Estonia. The Commission has been carrying out this survey since 2001, and it measures the share of public services fully available online in the EU (plus Iceland, Norway and Switzerland). The Commission’s e-Government Action Plan (adopted in April 2006) found that billions of euros could be saved by European taxpayers every year through administrative modernisation across the 25 EU Member States.

    Commissioner Viviane Reding welcomed the report, saying: “On-line service delivery is now a mature service delivery model in the EU, and a new paradigm of 'intelligent', user-oriented e-services is beginning to emerge. According to our estimates, the economic impact of e-Government research and development programmes may be as high as 1.54% of EU GDP by 2010 (€166 billion with 2005 GDP), provided that research and deployment initiatives are supported. This is why we launched the ambitious i2010 e-Government Action Plan. Measuring member states’ progress in making their online services more available, more effective and more user-centric is now more important than ever. I hope that these results further encourage Member States to implement the Action Plan.”

  • International roaming: The European Commission issued on 12 July 2006 a Proposal for a Regulation on international roaming. It sets wholesale price caps for calls made and received when EU citizens use mobile phones in a member state other than their home country. It also recommends that retail regulation be introduced six months after the Regulation comes into force to ensure the savings are passed on to end customers.

  • Smart systems integration platform: The European Technology Platform on Smart Systems Integration (EPoSS) was launched on 5 July 2006. It brings together European private and public stakeholders working in the field with the aim of coordinating research into smart systems in relation to automotive, aerospace, telecommunication, medical technologies, logistics and underlying technologies. Commissioner Viviane Reding welcomed the launch, saying that European industry must do more to ensure that it keeps its position as world leader in advanced technologies. Smart Systems Integration (SSI) is an emerging area with applications in many sectors. Systems comprise components which are able to obtain information from the environment, process it electronically, and then communicate signals and data.