Select Committee on European Scrutiny Second Report


INFORMATION AND NETWORK SECURITY


(a) (22580): Draft Council Resolution on e-Europe Action Plan: information and network security.

(b) (22472) 9727/01 COM(01) 298: Commission Communication on network and information security: proposal for a European policy approach.


Legal base:
Documents originated: (b) 6 June 2001
Forwarded to the Council: (b) 7 June 2001
Deposited in Parliament: (b) 20 June 2001
Department: Trade and Industry
Basis of consideration: EMs of 3 August 2001
Previous Committee Report: None
Discussed in Council: (a) 31 May 2001
(b) 27 June 2001
Committee's assessment: Politically important
Committee's decision: (Both) Cleared



34.1 The Stockholm European Council of 23-24 March 2001 concluded that:

    "The Council together with the Commission will develop a comprehensive strategy on security of electronic networks including practical implementing action. This should be presented in time for the Göteborg European Council."[81]

The Resolution

34.2 The draft Resolution recalls this Conclusion and commits the Council to undertake to:

    "examine rapidly the proposals for practical implementing action with a view to strengthening and increasing the coherence of policies for information security in the Union, and in addition consider whether institutional structures and procedures for information and network security issues should be strengthened (inter alia by setting up an independent European entity for information security, independent observatory, council working party, another appropriate forum, or by strengthening the existing co-operation between the existing Computer Emergency Response Teams (CERTs))."

34.3 The Resolution notes that information and network security is about providing security for the identities of senders and receivers, protecting information from unauthorised changes and unauthorised access, and providing a reliable supply of equipment, services and information.

34.4 It recognises that confidence in information security is an important prerequisite for the widespread use of information and communication technologies (ICTs) and that "malicious activities or hazardous events directed at information systems pose a significant risk to important functions in society".

34.5 It also recognises that information and network security calls for a comprehensive cross-pillar[82] approach to developing policies and refers to the Commission Communication Creating a safer information society by improving the security of information infrastructures and combatting computer-related crime.[83]

The Communication

34.6 The Commission introduces this paper by commenting that networks and information systems are now supporting services and carrying data to an extent that was inconceivable only a few years ago. The availability of these systems is now of critical importance to some services, such as those supplying water and electricity. Echoing the language of the Resolution, it says that the security of these systems is a prerequisite for further progress. Everyone, whether as private individuals, businesses or public administrations, wants to exploit their potential.

34.7 Finding an adequate policy to ensure security is a complex task, which poses a challenge to policy makers. Communication services are no longer provided by state-owned operators, but on a competitive basis by many different private operators. Security has become a commodity which is bought and sold as part of a contractual agreement. However, many security risks have remained unsolved, or solutions have been slow in coming to market because of market imperfections.

34.8 The Commission analyses threats which could compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data. It groups security incidents as follows:

    "— electronic communication can be intercepted and data copied or modified. This can cause damage both through invasion of the privacy of individuals and through the exploitation of data intercepted;

    — unauthorised access into computer and computer networks is usually done with malicious intent to copy, modify or destroy data;

    — disruptive attacks on the Internet have become quite common and in future the telephone network may also become more vulnerable;

    — malicious software, such as viruses, can disable computers, delete or modify data. Some recent virus attacks have been extremely destructive and costly;

    — misrepresentation of people or entities can cause substantial damages, e.g. customers may download malicious software from a website masquerading as a trusted source, contracts may be repudiated, confidential information may be sent to the wrong persons; and

    — many security incidents are due to unforeseen and unintentional events such as natural disasters (floods, storms, earthquakes), hardware or software failures, human error."

34.9 The measures which the Commission then proposes are intended to address the market imperfections it has identified and to improve the functioning of the legal framework. It contends that common solutions should benefit the internal market and European competitiveness in the global market and suggests that:

    • measures should be taken to raise awareness through public information and education programmes and promote best practice;

    • Member States should strengthen their CERTs and improve co-ordination between them at EU level;

    • together with the Member States, the Commission will look into how to organise data collection and analysis and how to plan forward-looking responses to threats;

    • research and development to improve networks and security should be a key element of the 6th Framework Programme;

    • work on interoperability of European standards should be speeded up, with Member States giving more support for market-oriented standardisation and certification. They should review all the relevant security standards. The Commission will assess the need for a legal initiative on the mutual recognition of certificates before the end of 2001;

    • Member States should incorporate effective, interoperable, security solutions in their electronic systems of Government and procurement. They should introduce electronic signatures when offering online public services;

    • the Commission should set up an inventory of national measures taken in accordance with relevant Community law. At the moment, there is no approximation of criminal law at the EU level on unauthorised access to computer networks, including the violation of personal data security. This can lead to problems in investigating offences and means that there is no strong deterrent to hacking. The Commission will propose legislation under Title VI of the Treaty on European Union on cyber-crime; and

    • the contribution which the Commission makes to work on security issues in international fora, such as the G8, the OECD and the UN, should be supported by greater dialogue with international organisations and partners.

34.10 Under the heading 'Legal Framework', the Commission notes that the convergence of networks is bringing together regulation and regulatory traditions from various sectors. These include:

  • the telecommunications sector, which is covered by the most comprehensive regulatory framework. This sector is being "regulated and deregulated at the same time";

  • the computer industry, which is largely unregulated, with security requirements governing the electrical components of a computer but none on the security of data handled by a computer;

  • the Internet, which has functioned mainly on the basis of a 'hands off' approach; and

  • e-commerce, which is increasingly subject to specific regulation.

34.11 Areas of concern about security are cyber-crime, electronic signatures, data protection, third-party liability and export regulations.

The Government's view

34.12 The Secretary of State for Trade and Industry at the Department of Trade and Industry (Ms Patricia Hewitt) says that the Internal Market, Consumer Affairs and Tourism (IMCT) Council of 30/31 May adopted the Resolution but that a formal copy is not yet available. It continues the impetus from the French Presidency for a higher priority to be given to information security issues. The Minister adds that the Resolution also helpfully notes the need to find mechanisms to co-ordinate the development of policy, taking into account the interests of all three pillars.

34.13 The Minister says that the Government supports the intention of the Communication. It is seen, she says, "as a contribution to a dialogue within the Council on the sort of measures which should be taken at the European level to promote an acceptable level of information security throughout Europe".

34.14 The Minister adds that the Government will not be initiating a formal UK consultation on the Communication but the Department of Trade and Industry will consult the industry and other interested parties informally.

Conclusion

34.15 We recognise the value of tackling at EU level the difficult problems of protecting the security of electronic networks and of information carried on them. However, these are matters of international concern and we urge the Government to press for wider solutions to be sought at the same time, reinforcing the Commission's suggestion that there should be increased dialogue with international organisations and partners.

34.16 We expect that any proposals for legislation on matters discussed in this Communication will be deposited and that any further Resolutions of substance will be submitted for scrutiny.

34.17 We ask the Minister to inform us in the meantime if difficulties arise in the cross-pillar co-ordination called for in the Resolution or if any other substantial obstacles impede progress on the important issues outlined.

34.18 We now clear both these documents.


81  Press Release No. 100/01, paragraph 36.

82  Information and network security is dealt with under both the EC and EU treaties. In practice, this means that the Commission works on some aspects of the policies and measures being developed, whilst others are dealt with inter-governmentally.

83  (22136) 5894/01; see HC 28-x (2000-01), paragraph 12 (28 March 2001).


 

© Parliamentary copyright 2001
Prepared 2 November 2001