Re: Réf. : [AfrICANN-discuss] Protecting Critical Information Infrastructures:Something for RECs to think about?
media tic
media.tic01 at gmail.com
Tue Mar 31 17:46:20 SAST 2009
I have argued along the same lines. Perhaps if all the French speakers with
"limited English" like Abdallah and me also make themselves heard, things
could change. After all, the Internet is also about diversity, isn't it?
Gratien
On Tue, Mar 31, 2009 at 4:07 PM, Emile ONANGA-ANOTHO <onanga at hotmail.com>
wrote:
> Morning Inné,
> Ah, would you written (or wrote) in french please, because my english level
> is some bad!!!
> think you
> I think you understood me well and that I have not just said something very
> silly!!!
> Thank you in any case for the effort you make to keep us better informed!
> See you soon
> E ONANGA-ANOTHO
>
> -------Original Message-------
>
> From: Anne-Rachel Inné
> Date: 03/30/09 17:54:42
> To: africann at afrinic.net
> Subject: [AfrICANN-discuss] Protecting Critical Information
> Infrastructures:Something for RECs to think about?
>
>
> Protecting Critical Information Infrastructures: Frequently Asked Questions
>
> What are Critical Information Infrastructures?
>
> There is no globally shared definition of Critical Information
> Infrastructures (CII). In its Green Paper on a European Programme for
> Critical Infrastructure Protection (EPCIP), the European Commission captured
> the concept of CII as being all "ICT systems that are critical
> infrastructures for themselves or that are essential for the operation of
> critical infrastructures (telecommunications, computers/software, Internet,
> satellites, etc.)". In 2008, the OECD defined CII as "those interconnected
> information systems and networks, the disruption or destruction of which
> would have a serious impact on the health, safety, security, or economic
> well-being of citizens, or on the effective functioning of government or the
> economy".
>
> Despite the existing differences in national and international policy
> contexts, what is important is that the notion of CII is conducive to a
> holistic policy perspective on the secure and continuous functioning of ICT
> systems, services, networks and infrastructures (ICT infrastructures) of
> which the Internet is a very important component, due to its widespread
> diffusion and the process of technological convergence.
>
> Why is action at EU level to protect these infrastructures urgently needed?
>
> Cyber attacks have risen to an unprecedented level of sophistication. What
> used to be simple experiments are now turning into sophisticated activities
> performed for profit or political reasons. The recent large scale
> cyber-attacks on Estonia, Lithuania and Georgia are the most widely covered
> examples of a general trend. The huge number of viruses, worms and other
> forms of malware, the expansion of botnets[1] and the continuous rise of
> spam confirm that this is a severe problem.
>
> The high dependence on CII, their cross-border interconnectedness and
> interdependencies with other infrastructures (e.g. energy infrastructures),
> as well as the vulnerabilities and threats they face raise the need to
> address their security and resilience in a systemic perspective as the
> frontline of defence against failures and attacks.
>
> Because of the transnational dimension of this issue, a more integrated and
> coordinated approach throughout the European Union will usefully complement
> and add value to the programmes which are already in place within Member
> States. This will also reinforce the wealth creation capabilities of the
> Single Market.
>
> It is clear that no single "silver bullet" solution will be able to provide
> all the answers, but simply leaving the situation as is will not lead to
> satisfactory results. It is necessary to establish the right policy
> framework – in particular for economic and societal drivers and incentives –
> on the basis of a shared responsibility and cooperation amongst all the
> involved stakeholders. It is vital to promote operational/tactical
> cooperation in the short and medium term (until 2010-2011) as well as
> strategic policy discussion for long-term scenarios (2012 and beyond). The
> work must start now in order to prepare Europe against large-scale cyber
> attacks and disruptions.
>
> How does this initiative relate to the debate around European efforts
> towards an increased and modernised network and information security policy?
>
> The Commission's initiative on Critical Information Infrastructure
> Protection focuses on prevention, preparedness and awareness and defines a
> plan of immediate actions running until 2011 to strengthen the security and
> resilience of CII. The focus and timeframe are consistent with the debate
> launched at the request of the Council and the European Parliament to
> address the challenges and priorities for network and information security
> policy and the most appropriate instruments needed at EU level to tackle
> them beyond 2012. The work conducted and the lessons learned under the
> Commission's proposed action plan will be an important contribution to the
> more general debate on an increased and modernised European policy in this
> area.
>
> Why is the Commission proposing voluntary rather than binding measures?
>
> Ensuring the security and resilience of CII requires cooperation between
> public and private actors, which is largely based on trust. A non-binding
> approach will be more effective in steering a dialogue through which
> interested parties can work out the best way to cooperate and share best
> practices. During the consultation process prior to the launch of this
> initiative, Member States' and private sector representatives strongly
> supported the proposed initiative and confirmed the need and willingness to
> cooperate at EU level, as long as this remained voluntary.
>
> This does not mean that a binding approach cannot be used to enhance the
> level of security and resilience of CII. Proposals by the European
> Commission to reform the Electronic Communication regulatory package –
> including provisions to strengthen operators’ obligations to ensure that
> appropriate security measures are taken, and those on mandatory security
> breach notification – show that binding measures are considered when it is
> feasible and useful.
>
> Moreover, there is not yet sufficient data on security incidents and their
> impact across the different sectors to define and frame additional
> regulatory measures in a consistent economic and public policy perspective.
>
> What are the specific objectives of the Critical Information Infrastructure
> Protection initiative?
>
> The Commission's proposal covers the following objectives:
>
> - Foster cooperation, exchange of information and transfer of good policy
>   practices between Member States via a newly-established European Forum.
> - Develop a public-private partnership at the European level on security and
>   resilience of CII to support sharing of information and dissemination of
>   good practices between public and private stakeholders.
> - Enhance incident response capability in the EU by increasing national
>   capacities, possibly built on National or Governmental Computer Emergency
>   Response Teams/Computer Security Incidents Response Teams (CERTs/CSIRTs) as
>   well as by encouraging and supporting the European cooperation between
>   these entities with a view to facilitate the exchange of information,
>   technical measures and good practices.
> - Promote the organisation of national and European exercises for
>   contingency planning and disaster recovery on simulated large-scale network
>   security incidents.
> - Reinforce international cooperation on global issues, in particular on
>   resilience and stability of Internet.
>
> What is the purpose and value of a European Forum for Member States?
>
> Although there are commonalities among the challenges and the issues faced,
> measures and regimes to ensure the security and resilience of CII, as well
> as the level of expertise and preparedness, differ across Member States.
>
> Purely national approaches run the risk of producing fragmentation and
> inefficiency across Europe. Differences in national approaches and the lack
> of systematic cross-border co-operation substantially reduce the
> effectiveness of domestic countermeasures, inter alia because, due to the
> interconnectedness of CII, a low level of security and resilience of CII in
> a country has the potential to increase vulnerabilities and risks in other
> ones.
>
> To overcome this situation a European effort is needed to bring added value
> to national policies and programmes by fostering the development of
> awareness and common understanding of the challenges; stimulating the
> adoption of shared policy objectives and priorities; reinforcing cooperation
> between Member States and integrating national policies in a more European
> and global dimension.
>
> These are the reasons why the Commission has proposed to establish a
> European Forum for Member States to share information and good policy
> practices on security and resilience of CII.
>
> Why a Public-Private Partnership for Resilience (EP3R)?
>
> Enhancing the security and the resilience of CII poses peculiar governance
> challenges. While Member States remain ultimately responsible for defining
> CII-related policies, their implementation depends on the involvement of the
> private sector, which owns or controls a large number of CII. On the other
> hand, markets do not always provide sufficient incentives for the private
> sector to invest in the protection of CII at the level that public
> authorities would normally demand.
>
> Public-private partnerships (PPPs) have emerged at the national level as the
> reference model to address this governance challenge. However, despite the
> consensus that this approach would also be desirable on the EU level,
> European PPPs have not materialised so far.
>
> PPP at the EU level could play an important role to complement the work
> carried out by Member States at national level – in particular, in areas
> like the exchange/promotion of good policy practices and measures, the
> implementation of cross-border security and resilience measures for CII, the
> adoption of preventive measures and response strategies, etc.
>
> A Europe-wide multi-stakeholder governance framework, which may include an
> enhanced role of ENISA, could foster the involvement of the private sector
> in the definition of strategic European public policy objectives as well as
> operational priorities and measures. The focus would be on enhancing the
> security and resilience of CII and the coordination of preventive and
> response activities.
>
> This framework would bridge the gap between national and EU policy-making
> and operational reality on the ground.
>
> What will be the remit and the form of the proposed Public-Private
> Partnership?
>
> The concrete remit of this PPP might initially consist of:
>
> - Knowledge sharing to deepen the understanding and mastering of European
>   challenges for the security and resilience of CII;
> - Identification and dissemination of good baseline practices and commonly
>   agreed guidelines and standards for the security and resilience of CII.
>
> The work of this PPP should be focused on specific issues and be
> action-oriented. The topics discussed should have a cross-border or global
> dimension.
>
> In terms of form, it is proposed that the setting-up of the European Public
> Private Partnership for Resilience (EP3R) CII would follow a step-by-step
> approach so that, on the one hand, stakeholders would discuss and design the
> necessary building blocks that would best match their requirements and, on
> the other hand, the work on the key challenges that require this kind of
> approach could immediately start. The first step of this process is the
> workshop on the EU policy dimension of vulnerability management and
> disclosure process of 31 March 2009.
>
> What is the role of the European Network and Information Security Agency in
> this initiative?
>
> The Commission has called on the European Network and Information Security
> Agency (ENISA) to play a key role in supporting this initiative by
> encouraging dialogue and cooperation between Member States, the private
> sector and other relevant players across Europe, building on the findings
> and results it has already contributed in this area.
>
> How does this initiative relate to the European Programme on Critical
> Infrastructure Protection and other EU activities in the area of justice and
> home affairs?
>
> The activities planned in today's Communication are conducted under and in
> parallel to the European Programme for Critical Infrastructure Protection
> (EPCIP). A key element of EPCIP is the Directive on the identification and
> designation of European Critical Infrastructures, which identifies the ICT
> sector as a future priority sector. One element of the CIIP action plan is
> to further develop the criteria for identifying European Critical
> Infrastructures for the ICT sector which will help implement the above
> mentioned Directive.
>
> The proposed actions are also complementary to existing third pillar
> initiatives – e.g. fight against cyber-crime – as envisaged by the Council
> Framework Decision on Attacks Against Information Systems adopted in 2005
> (2005/222/JHA). As the CIIP initiative focuses on prevention, preparedness
> and awareness to enhance the intrinsic security and resilience of CII, it
> does not conflict with or duplicate the efforts carried out under the third
> pillar, i.e. by police and judicial cooperation addressing measures to
> prevent, fight and prosecute criminal and terrorist activities targeting
> CII.
>
> How does the Commission's action plan relate to international efforts in
> this area?
>
> This initiative takes stock and builds upon recognised international
> principles such as the G8 principles on CIIP, the UN General Assembly
> Resolution 58/199 'Creation of a global culture of cybersecurity and the
> protection of critical information infrastructures' and the recent OECD
> Recommendation on the Protection of Critical Information Infrastructures.
>
> The initiative complements work conducted by NATO on cyber-security –
> specifically the common policy on cyber defence and the activities of the
> Cyber Defence Management Authority (CDMA), announced by NATO in April 2008,
> as well as the outputs of the NATO's Cooperative Cyber Defence Centre of
> Excellence (CCD-COE). NATO initiatives are mostly focused on military
> defence whereas the Commission's proposal works to facilitate the
> coordination and cooperation of public and private resources and
> capabilities across Member States.
>
> Does the action plan include regulatory measures for the Internet?
>
> The action plan does not propose any measure aimed at regulating the
> Internet. It proposes three complementary activities to enhance the
> resilience and stability of the Internet.
>
> - The Commission will launch a Europe-wide debate to define EU priorities
>   for the long-term resiliency and stability of the Internet.
> - The Commission will work with Member States to define appropriate
>   principles and guidelines for Internet resilience and stability.
> - The Commission, together with Member States, will develop a roadmap to
>   promote these principles and guidelines at the global level, building upon
>   strategic cooperation with third countries.
>
> What is the timing envisaged by the action plan?
>
> The different actions have different targets and timelines, running from
> 2009 until the end of 2011. However continuous European efforts will still
> be needed beyond 2011. A stock-taking exercise will already be conducted at
> the end of 2010 and lessons learned will be used as an input into the debate
> on the future of Network and Information Security beyond 2012.
>
> How will the Commission monitor the implementation of the action plan?
>
> The Commission identified in the impact assessment of the Communication a
> number of indicators for achieving the objectives of the action plan. These
> include the number of meetings and conferences organised at EU level with
> relevance to security and resilience of CII; the agreements on common
> terminology and procedures for the collection and dissemination of
> information on economic impacts of security incidents; the number of
> National/Governmental CERTs participating in the European Governmental CERTs
> Group; the number of international agreements on mutual assistance,
> recovery, and remedial strategies for the resilience and stability of the
> Internet.
>
> http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
>
> IP/09/494
>
> ________________________________
>
> [1] A group of computers, often very large, that malicious hackers have
> brought under their control. While most owners are oblivious to the
> infection, the networks of tens of thousands of computers are used to launch
> spam e-mail campaigns, denial-of-service attacks or online fraud schemes.