<h1><b>Protecting Critical Information
Infrastructures: Frequently Asked Questions</b></h1>
<p><b>What are Critical Information Infrastructures?</b></p>
<p><u><b>There is no globally shared definition of Critical Information
Infrastructures (CII).</b></u> In its <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2005:0576:FIN:EN:PDF">Green
Paper on a European Programme for Critical Infrastructure Protection</a>
(EPCIP), the European Commission captured the concept of CII as being
all <i>"ICT systems that are critical infrastructures for themselves or
that are essential for the operation of critical infrastructures
(telecommunications, computers/software, Internet, satellites, etc.)".</i> In
2008, the OECD defined CII as <i>"those interconnected information systems and
networks, the disruption or destruction of which would have a serious impact on
the health, safety, security, or economic well-being of citizens, or on the
effective functioning of government or the economy".</i></p>
<p>Despite the existing differences in national and international policy
contexts, what is important is that the notion of CII is conducive to a holistic
policy perspective on the secure and continuous functioning of ICT systems,
services, networks and infrastructures (ICT infrastructures) of which the
Internet is a very important component, due to its widespread diffusion and the
process of technological convergence. </p>
<p><b>Why is action at EU level to protect these infrastructures urgently
needed?</b></p>
<p>Cyber attacks have risen to an unprecedented level of sophistication. What
used to be simple experiments are now turning into sophisticated activities
performed for profit or political reasons. The recent large scale cyber-attacks
on Estonia, Lithuania and Georgia are the most widely covered examples of a
general trend. The huge number of viruses, worms and other forms of malware, the
expansion of botnets<sup><b><a name="fnB1" href="http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/09/141&format=HTML&aged=0&language=EN&guiLanguage=en#fn1">[1]</a></b></sup> and
the continuous rise of spam confirm that this is a severe problem.</p>
<p>The high dependence on CII, their cross-border interconnectedness and
interdependencies with other infrastructures (e.g. energy infrastructures), as
well as the vulnerabilities and threats they face raise the need to address
their security and resilience in a systemic perspective as the frontline of
defence against failures and attacks.</p>
<p>Because of the transnational dimension of this issue, a more integrated and
coordinated approach throughout the European Union will usefully complement and
add value to the programmes which are already in place within Member States.
This will also reinforce the wealth creation capabilities of the Single
Market.</p>
<p>It is clear that no single "silver bullet" solution will be able to provide
all the answers, but simply leaving the situation as is will not lead to
satisfactory results. It is necessary to establish the right policy framework
– in particular for economic and societal drivers and incentives –
on the basis of a shared responsibility and cooperation amongst all the involved
stakeholders. It is vital to promote operational/tactical cooperation in the
short and medium term (until 2010-2011) as well as strategic policy discussion
for long-term scenarios (2012 and beyond). The work must start now in order to
prepare Europe against large-scale cyber attacks and disruptions. </p>
<p><b>How does this initiative relate to the debate around European efforts
towards an increased and modernised network and information security
policy?</b></p>
<p>The Commission's initiative on Critical Information Infrastructure Protection
focuses on prevention, preparedness and awareness and defines a plan of
immediate actions running until 2011 to strengthen the security and resilience
of CII. The focus and timeframe are consistent with the debate launched at the
request of the Council and the European Parliament to address the challenges and
priorities for network and information security policy and the most appropriate
instruments needed at EU level to tackle them beyond 2012. The work conducted
and the lessons learned under the Commission's proposed action plan will be an
important contribution to the more general debate on an increased and modernised
European policy in this area.</p>
<p><b>Why is the Commission proposing voluntary rather than binding
measures?</b></p>
<p>Ensuring the security and resilience of CII requires cooperation between
public and private actors, which is largely based on trust. A non-binding
approach will be more effective in steering a dialogue through which interested
parties can work out the best way to cooperate and share best practices. During
the consultation process prior to the launch of this initiative, Member States'
and private sector representatives strongly supported the proposed initiative
and confirmed the need and willingness to cooperate at EU level, as long as this
remained voluntary.</p>
<p>This does not mean that a binding approach cannot be used to enhance the
level of security and resilience of CII. Proposals by the European Commission to
reform the Electronic Communication regulatory package – including
provisions to strengthen operators’ obligations to ensure that appropriate
security measures are taken, and those on mandatory security breach notification
– show that binding measures are considered when it is feasible and
useful. </p>
<p>Moreover, there is not yet sufficient data on security incidents and their
impact across the different sectors to define and frame additional regulatory
measures in a consistent economic and public policy perspective.</p>
<p><b>What are the specific objectives of the Critical Information
Infrastructure Protection initiative? </b></p>
<p>The Commission's proposal covers the following objectives:</p>
<ul><li>Foster cooperation, exchange of information and transfer of good policy
practices between Member States via a newly-established <b>European
Forum</b>.</li><li>Develop a <b>public-private partnership</b> at the European level on
security and resilience of CII to support sharing of information and
dissemination of good practices between public and private stakeholders.</li><li>Enhance <b>incident response capability</b> in the EU by increasing national
capacities, possibly built on National or Governmental Computer Emergency
Response Teams/Computer Security Incidents Response Teams (CERTs/CSIRTs) as well
as by encouraging and supporting the European cooperation between these entities
with a view to facilitating the exchange of information, technical measures and
good practices.</li><li>Promote the organisation of <b>national and European exercises for
contingency planning and disaster recovery</b> on simulated large-scale network
security incidents.</li><li>Reinforce <b>international cooperation</b> on global issues, in particular
on resilience and stability of the Internet.</li></ul><p><b>What is the purpose and
value of a European Forum for Member States? </b></p>
<p>Although there are commonalities among the challenges and the issues faced,
measures and regimes to ensure the security and resilience of CII, as well as
the level of expertise and preparedness, differ across Member States.</p>
<p>Purely national approaches run the risk of producing fragmentation and
inefficiency across Europe. Differences in national approaches and the lack of
systematic cross-border co-operation substantially reduce the effectiveness of
domestic countermeasures, <i>inter alia</i> because, due to the
interconnectedness of CII, a low level of security and resilience of CII in a
country has the potential to increase vulnerabilities and risks in other
ones.</p>
<p>To overcome this situation a European effort is needed to bring added value
to national policies and programmes by fostering the development of awareness
and common understanding of the challenges; stimulating the adoption of shared
policy objectives and priorities; reinforcing cooperation between Member States
and integrating national policies in a more European and global dimension.</p>
<p>These are the reasons why the Commission has proposed to establish a
<b>European Forum</b> for Member States to share information and good policy
practices on security and resilience of CII.</p>
<p><b>Why a Public-Private Partnership for Resilience (EP3R)? </b></p>
<p>Enhancing the security and the resilience of CII poses peculiar governance
challenges. While Member States remain ultimately responsible for defining
CII-related policies, their implementation depends on the involvement of the
private sector, which owns or controls a large number of CII. On the other hand,
markets do not always provide sufficient incentives for the private sector to
invest in the protection of CII at the level that public authorities would
normally demand.</p>
<p>Public-private partnerships (PPPs) have emerged at the national level as the
reference model to address this governance challenge. However, despite the
consensus that this approach would also be desirable on the EU level, European
PPPs have not materialised so far. </p>
<p>PPP at the EU level could play an important role to complement the work
carried out by Member States at national level – in particular, in areas
like the exchange/promotion of good policy practices and measures, the
implementation of cross-border security and resilience measures for CII, the
adoption of preventive measures and response strategies, etc.</p>
<p>A Europe-wide multi-stakeholder governance framework, which may include an
enhanced role of ENISA, could foster the involvement of the private sector in
the definition of strategic European public policy objectives as well as
operational priorities and measures. The focus would be on enhancing the
security and resilience of CII and the coordination of preventive and response
activities.</p>
<p>This framework would bridge the gap between national and EU policy-making and
operational reality on the ground.</p>
<p><b>What will be the remit and the form of the proposed Public-Private
Partnership? </b></p>
<p>The concrete remit of this PPP might initially consist of:</p>
<ul><li>Knowledge sharing to deepen the understanding and mastering of European
challenges for the security and resilience of CII;</li><li>Identification and dissemination of good baseline practices and commonly
agreed guidelines and standards for the security and resilience of
CII.</li></ul><p>The work of this PPP should be focused on specific issues and
be action-oriented. The topics discussed should have a cross-border or global
dimension.</p>
<p>In terms of form, it is proposed that the setting-up of the <b>European
Public Private Partnership for Resilience (EP3R)</b> on CII would follow a
step-by-step approach so that, on the one hand, stakeholders would discuss and
design the necessary building blocks that would best match their requirements
and, on the other hand, the work on the key challenges that require this kind of
approach could immediately start. The first step of this process is the
<b>workshop on the EU policy dimension of vulnerability management and
disclosure process</b> of 31 March 2009.</p>
<p><b>What is the role of the European Network and Information Security Agency
in this initiative?</b></p>
<p>The Commission has called on the European Network and Information Security
Agency (ENISA) to play a key role in supporting this initiative by encouraging
dialogue and cooperation between Member States, the private sector and other
relevant players across Europe, building on the findings and results it has
already contributed in this area. </p>
<p><b>How does this initiative relate to the European Programme on Critical
Infrastructure Protection and other EU activities in the area of justice and
home affairs? </b></p>
<p>The activities planned in today's Communication are conducted under and in
parallel to the <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0786:FIN:EN:PDF">European
Programme for Critical Infrastructure Protection (EPCIP)</a>. A key element of
EPCIP is the <a href="http://register.consilium.europa.eu/pdf/en/08/st10/st10934.en08.pdf">Directive
on the identification and designation of European Critical Infrastructures</a>,
which identifies the ICT sector as a future priority sector. One element of the
CIIP action plan is to further develop the criteria for identifying European
Critical Infrastructures for the ICT sector which will help implement the above
mentioned Directive.</p>
<p>The proposed actions are also complementary to existing <b>third pillar
</b>initiatives – e.g. fight against cyber-crime – as envisaged by
the <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32005F0222:EN:NOT">Council
Framework Decision on Attacks Against Information Systems adopted in 2005
(2005/222/JHA)</a>. As the CIIP initiative focuses on prevention, preparedness
and awareness to enhance the intrinsic security and resilience of CII, it does
not conflict with or duplicate the efforts carried out under the third pillar,
i.e. by police and judicial cooperation addressing measures to prevent, fight
and prosecute criminal and terrorist activities targeting CII.</p>
<p><b>How does the Commission's action plan relate to international efforts in
this area? </b></p>
<p>This initiative takes stock of and builds upon recognised international
principles such as the <a href="http://www.cybersecuritycooperation.org/documents/G8_CIIP_Principles.pdf">G8
principles on CIIP</a>, the UN General Assembly Resolution 58/199 '<a href="http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_58_199.pdf.">Creation
of a global culture of cybersecurity and the protection of critical information
infrastructures'</a> and the recent <a href="http://www.oecd.org/dataoecd/1/13/40825404.pdf">OECD Recommendation on the
Protection of Critical Information Infrastructures</a>.</p>
<p>The initiative complements work conducted by NATO on cyber-security –
specifically the common policy on cyber defence and the activities of the Cyber
Defence Management Authority (CDMA), announced by NATO in April 2008, as well as
the outputs of <a href="http://transnet.act.nato.int/WISE/TNCC/CentresofE/CCD">NATO's Cooperative
Cyber Defence Centre of Excellence</a> (CCD-COE). NATO initiatives are mostly
focused on military defence whereas the Commission's proposal works to
facilitate the coordination and cooperation of public and private resources and
capabilities across Member States. </p>
<p><b>Does the action plan include regulatory measures for the Internet?</b></p>
<p>The action plan does not propose any measure aimed at regulating the
Internet. It proposes three complementary activities to enhance the resilience
and stability of the Internet. </p>
<ul><li>The Commission will launch a Europe-wide debate to define EU priorities for
the long-term resiliency and stability of the Internet. </li><li>The Commission will work with Member States to define appropriate principles
and guidelines for Internet resilience and stability.</li><li>The Commission, together with Member States, will develop a roadmap to
promote these principles and guidelines at the global level, building upon
strategic cooperation with third countries.</li></ul><p><b>What is the timing
envisaged by the action plan? </b></p>
<p>The different actions have different targets and timelines, running from 2009
until the end of 2011. However, continuous European efforts will still be needed
beyond 2011. A stock-taking exercise will already be conducted at the end of
2010 and lessons learned will be used as an input into the debate on the future
of Network and Information Security beyond 2012. </p>
<p><b>How will the Commission monitor the implementation of the action
plan?</b></p>
<p>The Commission identified in the <a href="http://ec.europa.eu/governance/impact/cia_2009_en.htm">impact assessment
of the Communication</a> a number of indicators for achieving the objectives of
the action plan. These include the number of meetings and conferences organised
at EU level with relevance to security and resilience of CII; the agreements on
common terminology and procedures for the collection and dissemination of
information on economic impacts of security incidents; the number of
National/Governmental CERTs participating in the European Governmental CERTs
Group; the number of international agreements on mutual assistance, recovery,
and remedial strategies for the resilience and stability of the Internet. </p>
<p><a href="http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm">http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm</a></p>
<p><a href="http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/494&format=HTML&aged=0&language=EN&guiLanguage=en">IP/09/494</a>
</p>
<hr><p><sup><b><a name="fn1" href="http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/09/141&format=HTML&aged=0&language=EN&guiLanguage=en#fnB1">[1]</a></b></sup> A group of computers,
often very large, that malicious hackers have brought under their control. While
most owners are oblivious to the infection, the networks of tens of thousands of
computers are used to launch spam e-mail campaigns, denial-of-service attacks or
online fraud schemes.</p>