Cyber Security Industry Alliance Newsletter •  Volume 2, Number 10  • June 2006

Global Perspectives


On 31 May 2006, the European Commission issued a Communication entitled: " A strategy for a secure information society – dialogue, partnership and empowerment". The Communication "aims to promote a general security consciousness and an awareness of the actions that people and organisations need to take for themselves, in order to protect their own information and equipment."

Specific proposals include benchmarking national policies on network and information security to improve the dialogue between public authorities, identifying best practices and raising the security awareness of end-users. ENISA, the European Network and Information Security, Agency will be entrusted with developing an appropriate data collection framework to handle security incidents all over Europe. ENISA will also be asked to examine the feasibility of a multilingual information sharing and alert system. Member states and the private sector are invited to play more proactive and energetic roles in enhancing network and information security.

The Communication foresees two other initiatives in 2006:

  • a Communication on the evolution of spam and threats, such as spyware and other forms of malware; and

  • a Communication on cybercrime and proposals on how to improve cooperation between law enforcement authorities and addressing new forms of criminal activity that exploit the Internet and undermine the operation of critical infrastructures.

The Commission will report in the middle of 2007 on the activities launched, the initial findings and the state of play of individual initiatives, including those of ENISA, member states and the private sector. If appropriate, the Commission will adopt a formal proposal for a Recommendation on network and information security.


Data retention

The Irish government announced on 19 May 2006 that it plans to challenge the Data Retention Directive in the European Court of Justice (ECJ). Ireland and Slovenia voted against the Directive prior to its formal adoption by EU Justice and Home Affairs Ministers on 21 February 2006. Ireland objects to the legal base of the legislation; arguing that Article 95 (first pillar, internal market) does not provide an appropriate legal basis for adopting a law enforcement measure. (The Council had originally proposed legislation under the third pillar, but an institutional tussle led to a compromise where a first pillar directive was eventually adopted.)


Review of the Regulatory Framework

A presentation of the Communication on the Review of the EU Regulatory Framework for electronic networks and services is provisionally planned for 13 July 2006 and a public workshop for 20 September 2006 (both in Brussels). Both events will be open to interested parties, but prior registration is required. Further details will be made available on the following website:

The American Chamber of Commerce to the European Union (AmCham EU) issued a position paper on the regulatory review on 23 May 2006. On privacy and security, the paper recommends that the Commission should carefully consider two areas: " first, act to correct any new legislation which aims to amend the [ePrivacy] Directive in such a way as to create an imbalance in the proportionate burden of its requirements; and second, gauge the extent to which the Directive has resulted in proportionately enforced and harmonised regulatory requirements so vital for multinational communications in a converged network world."

On spam, the paper argues that " the Commission should use this review to separate the issue of spam from the regulation of legitimate online direct marketing. Its focus should be on the former, but through use of different and new instruments that address spam as a type of cybercrime. In particular, the Commission needs to propose legislation to narrowly tailor the applicability of data protection legislation to anti-spam technical measures, and thus, clearly legalise spam filtering when conducted according to certain objective criteria. Part of this effort would also include the softening of any specific obligations that an ISP must accept and deliver any and all communications presented to it."

On 11 May 2006, Viviane Reding, Commissioner for Information society and Media, discussed the review of the regulatory framework in a speech. She referred to this effort as her biggest task for 2006. She announced that the Commission would adopt a "Review Communication" in late June 2006 that identifies suggested changes to legislation to improve the performance of e-communications. These ideas will be open for public consultation until September, so that, by the end of 2006, the Commission can make concrete legislative proposals.


ENISA Update

The Permanent Stakeholders’ Group (PSG) of ENISA has published a document entitled: "PSG Vision for ENISA". It analyses current and future network security threats and risks of both a technical and non-technical nature. This document serves as advice to the Executive Director of ENISA from Network and Information Security stakeholders (NIS).

On the future role of ENISA, the PSG advises the Agency to be:

  • the recognised spokesperson of European NIS interests in global cooperation, seeking to develop necessary relationships to promote European interests, with a clearly defined role relative to the Commission and individual member states;

  • a highly respected European centre of excellence in NIS, and a trusted expert whose opinion is sought by both the public and private sectors;

  • the driving force behind the creation, development and dissemination of trusted, secure information security technology; thus enabling computer users in both the public and private sectors to use digital technology without undue security risks; and

  • a recognised consultation centre for European Union bodies and member states as well as other international standardisation and legislative bodies.

For the current and foreseen security issues, the PSG looks at a number of risks and threats eg malware, worms, rootkits, botnets, DDoS attacks, identity theft, attacks on mobile and wireless networks, spam and SPIT, as well as more general issues such as the lack of security awareness, professionalism of cyber criminals and increased reliance on the Internet and networked resources.


Article 29 Working Party / RFID

Following the first workshop in March, the European Commission has held four further workshops on RFID;

  • RFID Application Domains and Emerging Trends (15 and 16 May);

  • RFID Security, Data Protection & Privacy, Health and Safety Issues (16 and 17 May);

  • Interoperability, standardization, governance, and Intellectual Property Rights (1 June); and

  • RFID Frequency spectrum - requirements and recommendations (2 June).

Presentations and background documents can be found at:

The workshops were intended to provide a way for the European Commission to take on board stakeholders’ views, and provide the basis for an open on-line consultation from which the Commission will derive concrete elements for a Communication to the Council and European Parliament which has been scheduled for the end of 2006.

The consultation paper will be published this month on Submissions will be presented and discussed during a final workshop in October 2006.


Safer Internet Plus Programme

On 2 May 2006, EUROPE DIRECT, the European Commission’s free information service, announced that it will help parents, teachers and children throughout the EU to provide answers to questions about the safer use of the Internet and new online technologies. This is to support the European Commission’s Safer Internet Plus Programme which aims to promote a safer use of the Internet and online technologies, particularly for children - a subject of concern to parents across the EU-25. In the latest Eurobarometer survey, 44% of parents declared they would like more information about how to protect their child from illegal or harmful content and contact.


Other Issues of Relevance
  • Cyber Security in Estonia: Estonia has launched a Computer Emergency Response Team (CERT) with responsibility for handling network security incidents and providing assistance in case of network security threats. CERT Estonia opened its doors in early May 2006 and has already dealt with network security breaches related to Internet banking fraud. It reports to the Estonian Informatics Centre, part of the Ministry of Economic Affairs and Communication, and is responsible for handling security incidents that originate via Estonian networks.

    The new unit prioritises its response to security incidents according to their scope and severity, as well as the number of users potentially affected. Its main task "is to assist our Internet users in the implementation of preventive measures so as to reduce possible damage from security incidents and help users in responding to them," said Hillar Aarelaid, CEO of CERT Estonia, which manages the service on behalf of the Ministry.

  • Protection of minors: the Culture and Audiovisual Council reached political agreement on a Recommendation on 18 May 2006 on the protection of minors, human dignity and the right of reply in the audiovisual and online information services industry. The draft recommendation "calls on member states, the industry and interested parties (viewers' associations), as well as the Commission, to enhance the protection of minors and human dignity in the broadcasting and Internet sectors. It also recommends that member states consider the introduction of measures regarding the right of reply in relation to online media." The Recommendation is subject to the co-decision procedure where the Council and European Parliament jointly decide on the final text. Parliament adopted its first reading in September 2005. The Council must now formally adopt the text before it can be sent back to Parliament for second reading.

  • Common Visa Application Centres: the European Commission adopted a proposal on 2 June 2006 for a Regulation introducing biometric identifiers in the Visa Information System (VIS). The proposal also includes different options allowing member states to jointly organize the reception and processing of visa applications. It is hoped that the process will facilitate the visa issuing process, prevent visa shopping, facilitate checks at external borders and strengthen the fight against fraud and, within the territory of the EU, assist in the identification and return of illegal immigrants and the prevention of threats to the internal security of the member states. The system will allow pooling of member state resources and ensure the data protection requirements are met through the central access point.

  • European Court of Justice (ECJ) Judgment on Passenger data: the ECJ issued a ruling on 1 June 2006 relating to the EU - US agreement under which European aviation operators are obliged to share with US authorities 'passenger name records' (34 items of personal information on each passenger). The ECJ ruled that this was not founded on an appropriate EU legal base and that the EU must therefore withdraw from the agreement.

    The European Parliament referred the agreement to the ECJ, asking it to rule on the compatibility of the agreement with EU law. Parliament argued that the US did not guarantee adequate levels of data protection.

    The ECJ gave the European Commission one month to inform US authorities that the EU wishes to cancel the agreement. A three-month period of notice applies, so the agreement will cease to apply at the end of September 2006 at the earliest. Most EU airlines, however, already followed US requests for passenger name records prior to the signature of the agreement on a voluntary basis and may continue to do so even after the agreement will cease to apply. It seems the Commission and US authorities will seek to find a new agreement before the end of September 2006, taking account of both the ECJ judgment and US security concerns.

  • eVAT: the European Commission has proposed to extend the EC VAT and E-Commerce Directive until 31 December 2008. The Directive took effect on 1 July 2003 and introduced rules ensuring that:
    • electronic services supplied for consumption outside of the European Union are exempted from VAT;
    • when supplied for consumption within the European Union, they are subject to EU VAT;
    • non EU-operators benefit from simplified registration and reporting obligations allowing them to deal with a single European tax administration of their choice.

    The Directive remains in force until 30 June 2006. The Commission’s report to the European Council concluded that the Directive had operated in a satisfactory manner and had achieved its objective of creating a level playing field for the taxation of electronic services. Without this extension in time, the VAT rules would have reverted to those prevailing before the Directive was introduced which, in the Commission’s view, put EU suppliers at a competitive disadvantage.