Cyber Security Industry Alliance Newsletter •  Volume 3, Number 1  • September 2006

Global Perspectives


NEWS! CSIA recently opened its Brussels office and appointed Marika Konings as
Director of European Affairs. Further details in next month's newsletter.

Making Europe’s online content market more competitive – Commission opens public consultation: a public consultation on ways to stimulate the growth of a true EU single market for online digital content, such as films, music and games, was launched by the European Commission on 28 July 2006. The Commission intends to encourage the development of innovative business models and to promote the cross-border delivery of diverse online content services. It is also keen to ascertain how European technologies and devices can be successful in the creative online content markets. Input from this consultation will help to shape a Commission Communication on Content Online, due to be adopted at the end of the year. The creation of an open and competitive single market for online content is one of the key aims of the EU’s i2010 initiative – a European Information Society for growth and jobs, started by the Commission on 1 June 2005.

Security is one of the issues raised by the consultation. In particular, the Commission asks: "Do you think the present environment (legal, technical, business, etc.) is conductive to developing trust in and take-up of new creative content services online? If not, what are your concerns: insufficient reliability/security of the network? Insufficient speed of the networks? Fear for your privacy? Fears of a violation of protected content? Unreliable payment systems?"

Review of the Regulatory Framework

On 25 August 2006 the European Commission made public three studies which are intended to be "food for thought" in the ongoing review of the 2002 EU telecoms rules:

  • "An Assessment of the Regulatory Framework for Electronic Communications: Growth and Investment in the EU e-Communications Sector" (London Economics, in association with PriceWaterhouseCoopers).

  • "Preparing the Next Steps in Regulation of Electronic Communications" (Hogan & Hartson and Analysys)

  • "Experts’ report in relation with the Review of the Recommendation on markets subject to ex ante regulation" (Dr. Uli Stumpf, Prof. Martin Cave and Prof. Tomasso Valletti)

On 29 June 2006, the Commission published a Communication on the review of the regulatory framework for electronic communications, a Staff Working Paper and an Impact Assessment, which include several policy proposals for boosting competition and building a single market for wireless services. The three studies prepared by external consultants deal with some of the key subjects of the review process: growth and investment in the EU electronic communications sector, regulatory reform and the state of competition in the electronic communications markets. While the three studies are not binding on the Commission, they will contribute to the public debate on the review of the EU telecom rules during the public consultation that will last until the end of October.

The first study, "An Assessment of the Regulatory Framework for Electronic Communications: Growth and Investment in the EU e-Communications Sector", found that the effectiveness of national regulation under the EU telecom rules plays a significant and positive role in attracting investment into the telecoms sector, next to other factors, such as per capita GDP, regional population density and industry structure. The study thus supports the Commission’s assessment that "regulatory holidays" would be counterproductive for individual member states, as well as the EU as a whole.

The second study, "Preparing the Next Steps in Regulation of Electronic Communications", takes a broad look at the key features of the current framework and submits 65 concrete proposals for reform. It finds that a majority of those interviewed consider that the internal market for electronic communications is not yet complete. It is important to note, that one part of the study is dedicated to consumer protection aspects and examines measures safeguarding user privacy, security and confidentiality of online communications, including the integrity and security of public communications networks, pursuant to the e-Privacy Directive and the Universal Service Directive.

The third study, "Experts’ report in relation with the Review of the Recommendation on markets subject to ex ante regulation", covers the work of economic experts on the state of competition on narrowband, broadband and mobile services. Their final report calls for a removal of much of the regulation of retail markets included in the Recommendation on relevant markets of 2003 – a proposal already taken into account in the Commission documents of 29 June, which conclude that, on most retail markets, wholesale regulation on its own can ensure effective competition, and that, therefore, ex ante regulation should be removed in relation to retail calls and leased lines markets.

ENISA Update

On 10 August 2006, the European Network and Information Security Agency (ENISA) published "A Users’ Guide: How to Raise Information Security Awareness". The Guide features step-by-step practical advice for Member States on how to "kick start" planning, organising and running information security awareness raising campaigns targeted at different audiences (e.g. home users and SMEs), including a series of steps and recommendations.

The Executive Director of ENISA, Mr. Andrea Pirotti, commented: "Security incidents across Europe have a significant economical impact every year. It is time for European business to wake up when it comes to Network and Information Security. Only in the UK, an average large business is suffering from security incidents costing up to 193,000 €/year, but spends only 4-5% of its IT budget on security. (…) I’m confident that this Guide will be a powerful tool for the EU and its member states to prepare and implement awareness raising initiatives. This Guide is an excellent receipt of ENISA collecting and spreading models for raising awareness in security among SMEs across Europe."

The Guide makes three key recommendations:

  • Effective communication planning – a proper communication strategy must be at the centre of any awareness programme, based on communication goals and principles, and tailored to the needs of the target group.

  • A change management approach (i.e. targeted communications, involvement, training and evaluation) – change must be managed holistically to ensure that efforts are integrated and the change achieves real and enduring benefits.

  • Measurement of the value of awareness programmes – campaign evaluation is essential for understanding effectiveness and making adjustments. Four main categories have been identified against which to measure security awareness: process improvement, resistance to attacks, efficiency and effectiveness, and internal protection.

Online public procurement

The European Commission has published an interpretative communication on the application of EC law to the award of public contracts which either fall outside the scope of the public procurement directives (due to their low value) or that do not attract the full procedural obligations of the directives (such as contracts for "Part B" services: catering, legal, security, educational services). The Communication provides guidelines for member states and other stakeholders.

RFID / Article 29 Working Party

The European Commission will organise a Conference on International Transfers of Personal Data, together with the Article 29 Data Protection Working Party and the United States Department of Commerce’s International Trade Administration on 23-24 October 2006 in Brussels.

This Conference is a follow up to the Seminar on Safe Harbour held in Washington in December 2005 organised by the US Department of Commerce and the Article 29 Working Party.

Safer Internet Programme

The July/August edition of the InSafe newsletter, focusing on internet safety awareness practices, is now available.

A virtual ID card designed to keep children safe while they are surfing the net has been launched in Australia, Canada, the UK and US. The Net-ID-me is a secure electronic identity card that displays the user’s first name, age, gender, and general location. It can be swapped by children online when using chat rooms, instant messaging and social networks.

The UK House of Lords Select Committee on Science and Technology has appointed a Sub-Committee to investigate personal Internet security. The inquiry invites evidence on security issues affecting private individuals when using communicating computer-based devices, either connecting directly to the Internet, or employing other forms of inter-connectivity. Areas the Committee will consider: What is the nature of the security threat to private individuals and what is the scale of the problem? How well does the public understand the nature of the threat it faces? What can be done to provide greater personal Internet security? How much does this depend on software and hardware manufacturers? Is the regulatory framework for Internet services adequate? How well equipped is Government to combat cyber crime? Is the legislative framework in UK criminal law adequate to meet this growing challenge?

Commenting, Lord Broers, Chairman of the Science and Technology Committee, said: "We are doing more and more online, from our weekly grocery shop to banking to downloading music and video and, increasingly, using the Internet to make telephone calls. Those who haven’t yet done so are being encouraged to get online - but how many of us know about the risks? Technology is changing so fast that no-one seems to have had time to step back and look in the round at the emerging threats to personal security, and the ways society might counter them. This inquiry gives Parliament a chance to do just that. "

Internet fraud accounts for eight percent of all fraud in the UK, according to the Attorney General’s office, which says that fraud costs the UK billions of pounds every year. The Attorney General, Lord Goldsmith, has published the final report on his fraud review and has found that internet fraud can sometimes slip through current policing procedures and cost users and businesses dearly.

"It is often confusing for victims to know who to report the fraud to, particularly if it crosses geographical or sectoral boundaries", said the report. "Fraudsters benefit from this lack of continuity of response. Internet fraud is a particularly good example of how a fraud can become difficult to report."

Lord Goldsmith has proposed the formation of a National Fraud Strategic Authority and lead police force to tackle fraud on a national scale. He also proposes setting up a National Fraud Reporting Centre.

Other issues of relevance
  • eu: a study by Internet Statistics Company Ipwalk revealed that taking population size into account shows large irregularities in .eu domain name registrations. Cyprus, Luxembourg, Malta and the Netherlands have a very high number of registrations compared to their population size, much larger than strong Internet countries such as Germany and the UK. Malta has almost twice as many .eu domain names per citizen as Luxembourg in second place, more than five times as many as Germany, and almost seven times as many as the United Kingdom. EURid, the registry managing the .eu TLD (top-level domain) recently suspended 74,000 .eu domain names and sued 400 registrars for breach of contract citing registration abuse using fronts (see Bi-Monthly Report of 26 July 2006 where this was reported).

    UK Member of the European Parliament (MEP) Diana Wallis has tabled a written question to the European Commission seeking explanations on the management of .eu domain names by EURid. Complaints have been received from several people who have applied to register a .eu domain name only to discover that the name already belonged to a company or individual, willing to sell the name for much more than EURid’s original selling price. "It is unacceptable that people are apparently being charged extortionate amounts of money for a .eu domain name that they have a genuine interest in, and which appears to have been bought in advance by companies or individuals on a speculative basis for future sale". Ms Wallis has called on the Commission to investigate the complaints as quickly as possible.

  • Piracy and counterfeiting: the Business Action to Stop Counterfeiting and Piracy (BASCAP) project, which is run by the International Chamber of Commerce, has published its mid-year 2006 report, collating information on reported incidents of piracy and counterfeiting, the brands involved, country locations and seizure values. BASCAP also publishes daily and monthly statistics, all of which are available free of charge from its website.
    A number of trends have been discovered from analysing 764 incidents of counterfeiting and piracy activity valued at US$699.3 Million from 46 countries in the first half of 2006.  A growth of 7% in intellectual property theft over similarly reported data for 2005 and the most heavily counterfeited brands were found in the clothing and software sectors.

  • Mass e-mail attack teen sentenced: a teenager in the UK who bombarded a firm with millions of e-mails, causing its server to collapse, has been given a two month curfew after pleading guilty. In early 2004, David Lennon, 19, sent five million e-mails to the Domestic and General Group, a UK-based insurance company. Lennon was a part-time employee of the company before he was sacked in 2003.
    It was a "denial of service" attack where the sheer number of e-mails not only collapsed the server and the router but caused the firm to lose an estimated £30,000. DCI Charlie McMurdie, head of the Metropolitan Police's Computer Crime Unit, said: "This is the first successful prosecution in the UK for this type of offence. This demonstrates the commitment of the MPS Computer Crime Unit to work with industry to prosecute individuals who use technology to cause harm". The mail server was responsible for processing the company's e-mails in France, Germany, Spain and the UK.

  • File-sharing "darknet" unveiled: a "darknet" service that allows users to share music files anonymously on the web has been launched in Sweden. Rellaks, as the service is known, allows users to send and receive files through a heavily-encrypted connection. It is the first example of a darknet, a virtual network set up to share files between trusted users. The service is endorsed by political group the Pirate Party which is running for election in Sweden under a banner to reform the country’s copyright laws. The new system claims to be the world’s first commercial darknet. It works by giving users’ computer a new IP address, the unique number the machine uses to identify itself and communicate with other over the net. Computers using the Rellaks system look like they have a Swedish IP address, no matter where they are in the world.