Cyber Security Industry Alliance Newsletter •  Volume 2, Number 8 • April 2006

Global Perspectives

i2010

The European Parliament adopted a Resolution on i2010 at its plenary session on 14 March 2006. Relevant extracts include:

  • "Digital convergence has the potential to provide consumers with access to a great diversity of improved services and rich content, and thus, the security of the infrastructure must be improved and strengthened and a favourable and secure environment created which stimulates the competitive deployment of these converging services."

  • [The European Parliament] "Calls on the Commission to specify clear actions to provide protection from harmful content, and in this context, to promote, inter alia, the role of the European Network and Information Security Agency."

  • [The European Parliament] "Recalls that the development of network security is indispensable in order to increase confidence in all network services, commercial and eGovernment services; urges that network security be promoted by technical and legislative means and through education, e.g. by creating a Europe-wide information security strategy and launching an annual European information security day to increase citizens’ awareness of information security, while taking care to ensure that this security does not restrict freedom of expression and citizens’ rights; welcomes the Commission proposal to launch a safe information society strategy in 2006 seeking to increase both investor and user confidence in internet services and their reliability as a means of addressing the issues of fraud (affecting purchases), illegal and harmful content (concerning the protection of minors and human dignity and the protection of privacy) and technological shortcomings (so as to ensure the efficient and effective use of ICT);"

    http://www.europarl.eu.int/omk/sipade3?PUBREF=-//EP//TEXT+TA+P6-TA-2006-0079+0+DOC+XML+V0//EN&L=EN&LEVEL=1&NAV=S&LSTDOC=Y&LSTDOC=N

The European Economic and Social Committee (EESC) adopted an Opinion on i2010 on 16 March 2006. It includes several references to security:

  • "The EESC would also like to stress the importance of enhancing awareness with regard to security matters, since confidence in IT is a prerequisite for its frequent use and of particular relevance to the exploitation of the full potential of the Internet. In order to elevate awareness, public authorities at local, national and EU level should encourage cooperation with business in order to combat cyber-crime."

  • "In the information society debate, security is central to the development of attitudes towards and trust in IT. The perceived security of and trust in digital transactions determines the speed with which enterprises are likely to exploit ICT in their business. Consumers' willingness to provide credit card numbers on a web page is greatly influenced by the perceived safety of the action. In addition, users' trust in ICT is an essential ingredient to the acceptance of eGovernment and to its rollout."

  • "The security of information and computer-related crime is increasingly a major problem affecting businesses, administrations, employees and consumers alike. The EESC would stress that information society policy must be framed in such a way that confidence is enhanced and all players dare to exploit the full potential of the Internet."

  • "As information networks become increasingly integrated, society is ever more dependent on 24/7 functioning of the system; consequently, functioning of the physical infrastructure is crucial when information- and network security is under discussion. It is important that the systems should include network redundancy."

  • "For ICT users it is essential that computer-related crime is tackled, where possible, in an internationally harmonised way, and that enforcement of legislation is vigorously pursued, thereby demonstrating that such crime does not pay. Initiatives to combat computer-related crime must, however, be assessed to ensure they are not at the expense of industry or at the expense of fundamental rights such as the right to privacy. Such assessments are important, notably in the current debate regarding stricter data retention requirements."

  • "The security problem has been acknowledged by the Commission in numerous communications and recommendations, as well as through the establishment of the European Network and Information Security Agency. The EESC believes that a common environment should be created through the Agency where public and private sectors can work together to protect their information systems, taking into account the increasingly rapid changes in technology and without imposing inappropriate administrative or financial burdens."

    http://eescopinions.esc.eu.int/EESCopinionDocument.aspx?identifier=ces\ten\ten220\ces415-2006_ac.doc&language=EN


Data retention

The Data Retention Directive has been allocated the following reference number: Directive 2006/24/EC.

The Article 29 Working Party adopted an Opinion on the Data Retention Directive on 25 March 2006. It notes that the Directive lacks some "adequate and specific safeguards as to the treatment of communication data and leaves room for diverging interpretation and implementation by the member states in this respect." The Working Party considers it crucial that the provisions of the Directive are interpreted and implemented in a "harmonised way to ensure that European citizens can enjoy throughout the European Union the same level of protection". The Working Party notes that "This should also be done with a view to reducing the considerable costs to be borne by the service providers when complying with the provisions of the Directive."

On the issue of security, the Opinion states: "Minimum standards should be defined concerning the technical and organisational security measures to be taken by providers, specifying more in detail the general requirements of the Directive on data retention."

http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2006/wp119_en.pdf



ENISA Update

The first edition of the ENISA Quarterly of 2006 has been published. It includes an article on outsourcing of IT security by Bruce Schneier, CTO of Counterpane. (He will be the keynote speaker at ISSE 2006 in October.)

http://www.enisa.eu.int/doc/pdf/publications/enisa_quarterly_03_06.pdf

Two of ENISA’s technical experts, Carsten Casper and Pascal Manzano, have prepared a study on spam and security measures. The study is based on more than 90 responses to questionnaires that were sent to providers and National Regulatory Authorities. The outline of the study follows Directive 2002/58/EC, in particular Article 4 (Security) and Article 13 (Unsolicited Communications). Security breaches are dealt with from page 22 onwards. The section concludes: "All providers should be proactive and monitor their networks for risks of security breaches. Providers could also be asked to report which networks they monitor. […] Having providers report on the risk of security breaches is very important in order to get an overview of the risk that can be expected from a particular problem. This assumes that information on such risk of breaches has been communicated properly. Reporting of actual security breaches, publicly or anonymously, would help even further. Additional research is necessary. […] A cost versus risk perspective in the reporting on the risk of security breaches could be encouraged. This also requires research in the area of cost and risk measurements."

http://www.enisa.eu.int/doc/pdf/deliverables/enisa_security_spam.pdf

Rainer Lau of the European Commission visited ENISA on 23 March 2006. Mr Lau is an Adviser on relations with EU Agencies in the Commission’s Secretariat General. The Executive Director of ENISA, Andrea Pirotti commented: "It is a pleasure to welcome Mr Lau as a high level Adviser, and to discuss ENISA’s organization and future in detail at our own premises here on Crete. I would like to express many thanks in advance to Mr Lau to take the effort to visit us, and I look forward to fruitful discussions."

http://www.enisa.eu.int/news/lauvisit/index_en.htm



Article 29 Working Party / RFID

The American Chamber of Commerce to the European Union (AmCham EU) has issued a position paper on RFID. AmCham EU states that new technologies, such as RFID, will not only create supply-chain efficiencies and productivity gains but will also improve security, decrease counterfeiting, ensure food and product safety, and increase pharmacovigilance. The paper recognises that adequate privacy and security safeguards remain key for wide consumer acceptance of the technology. AmCham EU concludes that "there are many positive uses of RFID technology, not only in boosting the competitiveness of companies in Europe, but also in improving the safety and security of its citizens" and states its intention to continue to be involved in the Commission’s work on RFID through attendance at the workshops (see last edition of this newsletter).

http://www.amchameu.be/Pops/2006/rfid_310306.pdf



Other Issues of Relevance
  • Electronic signatures: On 15 March 2006, the Commission issued a progress report on the operation of Directive 1999/93/EC on a Community framework for electronic signatures. According to the Commission, the reluctant take-up of electronic signature tools is slowing down the growth of trade in goods and services via the Internet. However, growing use of electronic ID cards and the use of e-signatures in e-government services, such as on-line income tax returns, are expected to drive demand in the future. The report also confirms that the 1999 Directive continues to provide, for the moment, a valid basis for electronic signatures in the internal market. The Commission will also prepare a report on standards for electronic signatures in 2006 to see whether further regulatory measures by the EU are required.

    http://europa.eu.int/information_society/eeurope/i2010/docs/single_info_space/com_electronic_signatures_report_en.pdf


    http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/06/325&format=HTML&aged=0&language=EN&guiLanguage=en


  • Phishing: EuroISPA, the European Internet service provider association, hosted a roundtable panel on "A Coordinated Approach to Online Fraud: Combating Phishing" in Brussels on 20 March 2006. The event was organised in association with Microsoft and Interpol. Pat Cox, former President of the European Parliament, moderated a panel discussion that included Kurt Einzinger, EuroISPA Vice President; Neil Holloway, President, Microsoft EMEA; and Bernhard Otupal, Crime Intelligence Officer with Interpol's High Tech Crime Unit. The panel evaluated current anti-phishing initiatives, discussed how these fit with the EU policy agenda and showcased new approaches to combat this threat. In a statement, Wolfgang Gattringer, Deputy Chief of Staff of the Austrian Federal Ministry of the Interior, said: "The Austrian EU presidency welcomes the efforts by industry in partnership with European government to address the phishing threat to consumers. Public-Private Partnerships are the way to make the Internet safe and secure for all."

    http://www.euroispa.org/antiphishing/

    Microsoft launched legal action against 100 phishing gangs based in Europe, the Middle East and Africa in the month of March. By the end of the month, 53 cases were due to have been started according to Microsoft, with all 100 filed by the end of June 2006. Seven of the criminal groups behind fake websites that trick people into handing over confidential information are known to be in the UK. The legal cases follow investigative work undertaken by Microsoft, national police forces and Interpol. By the end of 2005 it is estimated there were more than 7,000 phishing sites on the net, many run by the same established groups. This legal action follows similar action in the US in which Microsoft filed 117 lawsuits against phishing suspects and which has led to the closure of more than 4,700 phishing websites.

    http://news.bbc.co.uk/1/hi/technology/4825072.stm


  • .eu: Registrations for .eu Internet addresses open to all EU citizens at 11am (CET) on 7 April 2006. Registrations will be allocated on a first-come, first-served basis. This follows a four-month sunrise period during which applications were received from administrations and companies with "prior rights" to specific names. Commissioner Reding will hold a press conference to mark the occasion.

    http://www.europa.eu.int/rapid/pressReleasesAction.do?reference=AGENDA/06/13&format=HTML&aged=0&language=EN&guiLanguage=en


  • EDPS opinion on the interoperability of European databases: The European Data Protection Supervisor (EDPS) issued an Opinion on 10 March 2006 on the Commission’s Communication on the interoperability of European databases (issued in November 2005). Peter Hustinx, the EDPS, states: "It is regrettable that the protection of personal data has not been explored sufficiently as an inherent part of the improvement of the interoperability of relevant systems. The EDPS suggests adding to this Communication a more consistent analysis on data protection, including privacy-enhancing technologies to improve both effectiveness and data protection." This Opinion may well feed into discussions on the Commission’s Communication in the other EU institutions.

    http://www.edps.eu.int/legislation/Comments/06-03-10_Comments_interoperability_EN.pdf


  • European Information Society Technology Grand Prize for 2006: The European Prize has been awarded to firms from France (Advestigo), Denmark (Guardia) and the Netherlands (Cavendish Kinetics). Worth €200,000 each, the prizes went to the following projects: a digital fingerprinting system for multimedia digital content, a 3D face recognition system for security applications, and a nanotechnology innovation in computer storage that enhances "non-volatile" memory.

    The European IST Prize is organised by the Commission together with the European Council of Applied Sciences, Technologies and Engineering (Euro-CASE). It is open each year to companies or organisations that present an innovative information technology product with promising market potential. Products entered must be at least at demonstrable prototype stage and if already marketed should not have been introduced more than 18 months prior to the launch of the competition.

    http://www.ist-prize.org/