<div><font color="#3366ff">I argued along the same lines. Perhaps if all the French speakers with "limited English" like Abdallah and me also make themselves heard, things might change. After all, the Internet is also about diversity, isn't it?</font></div>
<div><font color="#3366ff"></font></div>
<div><font color="#3366ff">Gratien</font></div>
<div> </div>
<div></div>
<div>On Tue, Mar 31, 2009 at 4:07 PM, Emile ONANGA-ANOTHO <<a href="mailto:onanga@hotmail.com">onanga@hotmail.com</a>> wrote:</div>
<div>> Morning Inné,</div>
<div>> Ah, would you written (or wrote) in French please, because my English level</div>
<div>> is some bad!!!</div>
<div>> Thank you</div>
<div>> I think you understood me well and that I have not just said something very</div>
<div>> silly!!!</div>
<div>> Thanks in any case for the initiative you take to keep us better informed!</div>
<div>> See you soon</div>
<div>> E ONANGA-ANOTHO </div>
<div>> </div>
<div>> -------Original Message-------</div>
<div>> </div>
<div>> From: Anne-Rachel Inné</div>
<div>> Date: 03/30/09 17:54:42</div>
<div>> To: <a href="mailto:africann@afrinic.net">africann@afrinic.net</a></div>
<div>> Subject: [AfrICANN-discuss] Protecting Critical Information</div>
<div>> Infrastructures:Something for RECs to think about?</div>
<div>> </div>
<div>></div>
<div>> Protecting Critical Information Infrastructures: Frequently Asked Questions</div>
<div>></div>
<div>> What are Critical Information Infrastructures?</div>
<div>></div>
<div>> There is no globally shared definition of Critical Information</div>
<div>> Infrastructures (CII). In its Green Paper on a European Programme for</div>
<div>> Critical Infrastructure Protection (EPCIP), the European Commission captured</div>
<div>> the concept of CII as being all "ICT systems that are critical</div>
<div>> infrastructures for themselves or that are essential for the operation of</div>
<div>> critical infrastructures (telecommunications, computers/software, Internet,</div>
<div>> satellites, etc.)". In 2008, the OECD defined CII as "those interconnected</div>
<div>> information systems and networks, the disruption or destruction of which</div>
<div>> would have a serious impact on the health, safety, security, or economic</div>
<div>> well-being of citizens, or on the effective functioning of government or the</div>
<div>> economy".</div>
<div>></div>
<div>> Despite the existing differences in national and international policy</div>
<div>> contexts, what is important is that the notion of CII is conducive to a</div>
<div>> holistic policy perspective on the secure and continuous functioning of ICT</div>
<div>> systems, services, networks and infrastructures (ICT infrastructures) of</div>
<div>> which the Internet is a very important component, due to its widespread</div>
<div>> diffusion and the process of technological convergence.</div>
<div>></div>
<div>> Why is action at EU level to protect these infrastructures urgently needed?</div>
<div>></div>
<div>> Cyber attacks have risen to an unprecedented level of sophistication. What</div>
<div>> used to be simple experiments are now turning into sophisticated activities</div>
<div>> performed for profit or political reasons. The recent large scale</div>
<div>> cyber-attacks on Estonia, Lithuania and Georgia are the most widely covered</div>
<div>> examples of a general trend. The huge number of viruses, worms and other</div>
<div>> forms of malware, the expansion of botnets[1] and the continuous rise of</div>
<div>> spam confirm that this is a severe problem.</div>
<div>></div>
<div>> The high dependence on CII, their cross-border interconnectedness and</div>
<div>> interdependencies with other infrastructures (e.g. energy infrastructures),</div>
<div>> as well as the vulnerabilities and threats they face raise the need to</div>
<div>> address their security and resilience in a systemic perspective as the</div>
<div>> frontline of defence against failures and attacks.</div>
<div>></div>
<div>> Because of the transnational dimension of this issue, a more integrated and</div>
<div>> coordinated approach throughout the European Union will usefully complement</div>
<div>> and add value to the programmes which are already in place within Member</div>
<div>> States. This will also reinforce the wealth creation capabilities of the</div>
<div>> Single Market.</div>
<div>></div>
<div>> It is clear that no single "silver bullet" solution will be able to provide</div>
<div>> all the answers, but simply leaving the situation as is will not lead to</div>
<div>> satisfactory results. It is necessary to establish the right policy</div>
<div>> framework – in particular for economic and societal drivers and incentives –</div>
<div>> on the basis of a shared responsibility and cooperation amongst all the</div>
<div>> involved stakeholders. It is vital to promote operational/tactical</div>
<div>> cooperation in the short and medium term (until 2010-2011) as well as</div>
<div>> strategic policy discussion for long-term scenarios (2012 and beyond). The</div>
<div>> work must start now in order to prepare Europe against large-scale cyber</div>
<div>> attacks and disruptions.</div>
<div>></div>
<div>> How does this initiative relate to the debate around European efforts</div>
<div>> towards an increased and modernised network and information security policy?</div>
<div>></div>
<div>> The Commission's initiative on Critical Information Infrastructure</div>
<div>> Protection focuses on prevention, preparedness and awareness and defines a</div>
<div>> plan of immediate actions running until 2011 to strengthen the security and</div>
<div>> resilience of CII. The focus and timeframe are consistent with the debate</div>
<div>> launched at the request of the Council and the European Parliament to</div>
<div>> address the challenges and priorities for network and information security</div>
<div>> policy and the most appropriate instruments needed at EU level to tackle</div>
<div>> them beyond 2012. The work conducted and the lessons learned under the</div>
<div>> Commission's proposed action plan will be an important contribution to the</div>
<div>> more general debate on an increased and modernised European policy in this</div>
<div>> area.</div>
<div>></div>
<div>> Why is the Commission proposing voluntary rather than binding measures?</div>
<div>></div>
<div>> Ensuring the security and resilience of CII requires cooperation between</div>
<div>> public and private actors, which is largely based on trust. A non-binding</div>
<div>> approach will be more effective in steering a dialogue through which</div>
<div>> interested parties can work out the best way to cooperate and share best</div>
<div>> practices. During the consultation process prior to the launch of this</div>
<div>> initiative, Member States' and private sector representatives strongly</div>
<div>> supported the proposed initiative and confirmed the need and willingness to</div>
<div>> cooperate at EU level, as long as this remained voluntary.</div>
<div>></div>
<div>> This does not mean that a binding approach cannot be used to enhance the</div>
<div>> level of security and resilience of CII. Proposals by the European</div>
<div>> Commission to reform the Electronic Communication regulatory package –</div>
<div>> including provisions to strengthen operators’ obligations to ensure that</div>
<div>> appropriate security measures are taken, and those on mandatory security</div>
<div>> breach notification – show that binding measures are considered when it is</div>
<div>> feasible and useful.</div>
<div>></div>
<div>> Moreover, there is not yet sufficient data on security incidents and their</div>
<div>> impact across the different sectors to define and frame additional</div>
<div>> regulatory measures in a consistent economic and public policy perspective.</div>
<div>></div>
<div>> What are the specific objectives of the Critical Information Infrastructure</div>
<div>> Protection initiative?</div>
<div>></div>
<div>> The Commission's proposal covers the following objectives:</div>
<div>></div>
<div>> - Foster cooperation, exchange of information and transfer of good policy</div>
<div>>   practices between Member States via a newly-established European Forum.</div>
<div>> - Develop a public-private partnership at the European level on security and</div>
<div>>   resilience of CII to support sharing of information and dissemination of</div>
<div>>   good practices between public and private stakeholders.</div>
<div>> - Enhance incident response capability in the EU by increasing national</div>
<div>>   capacities, possibly built on National or Governmental Computer Emergency</div>
<div>>   Response Teams/Computer Security Incidents Response Teams (CERTs/CSIRTs) as</div>
<div>>   well as by encouraging and supporting the European cooperation between these</div>
<div>>   entities with a view to facilitate the exchange of information, technical</div>
<div>>   measures and good practices.</div>
<div>> - Promote the organisation of national and European exercises for contingency</div>
<div>>   planning and disaster recovery on simulated large-scale network security</div>
<div>>   incidents.</div>
<div>> - Reinforce international cooperation on global issues, in particular on</div>
<div>>   resilience and stability of the Internet.</div>
<div>></div>
<div>> What is the purpose and value of a European Forum for Member States?</div>
<div>></div>
<div>> Although there are commonalities among the challenges and the issues faced,</div>
<div>> measures and regimes to ensure the security and resilience of CII, as well</div>
<div>> as the level of expertise and preparedness, differ across Member States.</div>
<div>></div>
<div>> Purely national approaches run the risk of producing fragmentation and</div>
<div>> inefficiency across Europe. Differences in national approaches and the lack</div>
<div>> of systematic cross-border co-operation substantially reduce the</div>
<div>> effectiveness of domestic countermeasures, inter alia because, due to the</div>
<div>> interconnectedness of CII, a low level of security and resilience of CII in</div>
<div>> a country has the potential to increase vulnerabilities and risks in other</div>
<div>> ones.</div>
<div>></div>
<div>> To overcome this situation a European effort is needed to bring added value</div>
<div>> to national policies and programmes by fostering the development of</div>
<div>> awareness and common understanding of the challenges; stimulating the</div>
<div>> adoption of shared policy objectives and priorities; reinforcing cooperation</div>
<div>> between Member States and integrating national policies in a more European</div>
<div>> and global dimension.</div>
<div>></div>
<div>> These are the reasons why the Commission has proposed to establish a</div>
<div>> European Forum for Member States to share information and good policy</div>
<div>> practices on security and resilience of CII.</div>
<div>></div>
<div>> Why a Public-Private Partnership for Resilience (EP3R)?</div>
<div>></div>
<div>> Enhancing the security and the resilience of CII poses peculiar governance</div>
<div>> challenges. While Member States remain ultimately responsible for defining</div>
<div>> CII-related policies, their implementation depends on the involvement of the</div>
<div>> private sector, which owns or controls a large number of CII. On the other</div>
<div>> hand, markets do not always provide sufficient incentives for the private</div>
<div>> sector to invest in the protection of CII at the level that public</div>
<div>> authorities would normally demand.</div>
<div>></div>
<div>> Public-private partnerships (PPPs) have emerged at the national level as the</div>
<div>> reference model to address this governance challenge. However, despite the</div>
<div>> consensus that this approach would also be desirable on the EU level,</div>
<div>> European PPPs have not materialised so far.</div>
<div>></div>
<div>> PPP at the EU level could play an important role to complement the work</div>
<div>> carried out by Member States at national level – in particular, in areas</div>
<div>> like the exchange/promotion of good policy practices and measures, the</div>
<div>> implementation of cross-border security and resilience measures for CII, the</div>
<div>> adoption of preventive measures and response strategies, etc.</div>
<div>></div>
<div>> A Europe-wide multi-stakeholder governance framework, which may include an</div>
<div>> enhanced role of ENISA, could foster the involvement of the private sector</div>
<div>> in the definition of strategic European public policy objectives as well as</div>
<div>> operational priorities and measures. The focus would be on enhancing the</div>
<div>> security and resilience of CII and the coordination of preventive and</div>
<div>> response activities.</div>
<div>></div>
<div>> This framework would bridge the gap between national and EU policy-making</div>
<div>> and operational reality on the ground.</div>
<div>></div>
<div>> What will be the remit and the form of the proposed Public-Private</div>
<div>> Partnership?</div>
<div>></div>
<div>> The concrete remit of this PPP might initially consist of:</div>
<div>></div>
<div>> - Knowledge sharing to deepen the understanding and mastering of European</div>
<div>>   challenges for the security and resilience of CII;</div>
<div>> - Identification and dissemination of good baseline practices and commonly</div>
<div>>   agreed guidelines and standards for the security and resilience of CII.</div>
<div>></div>
<div>> The work of this PPP should be focused on specific issues and be</div>
<div>> action-oriented. The topics discussed should have a cross-border or global</div>
<div>> dimension.</div>
<div>></div>
<div>> In terms of form, it is proposed that the setting-up of the European Public</div>
<div>> Private Partnership for Resilience (EP3R) CII would follow a step-by-step</div>
<div>> approach so that, on the one hand, stakeholders would discuss and design the</div>
<div>> necessary building blocks that would best match their requirements and, on</div>
<div>> the other hand, the work on the key challenges that require this kind of</div>
<div>> approach could immediately start. The first step of this process is the</div>
<div>> workshop on the EU policy dimension of vulnerability management and</div>
<div>> disclosure process of 31 March 2009.</div>
<div>></div>
<div>> What is the role of the European Network and Information Security Agency in</div>
<div>> this initiative?</div>
<div>></div>
<div>> The Commission has called on the European Network and Information Security</div>
<div>> Agency (ENISA) to play a key role in supporting this initiative by</div>
<div>> encouraging dialogue and cooperation between Member States, the private</div>
<div>> sector and other relevant players across Europe, building on the findings</div>
<div>> and results it has already contributed in this area.</div>
<div>></div>
<div>> How does this initiative relate to the European Programme on Critical</div>
<div>> Infrastructure Protection and other EU activities in the area of justice and</div>
<div>> home affairs?</div>
<div>></div>
<div>> The activities planned in today's Communication are conducted under and in</div>
<div>> parallel to the European Programme for Critical Infrastructure Protection</div>
<div>> (EPCIP). A key element of EPCIP is the Directive on the identification and</div>
<div>> designation of European Critical Infrastructures, which identifies the ICT</div>
<div>> sector as a future priority sector. One element of the CIIP action plan is</div>
<div>> to further develop the criteria for identifying European Critical</div>
<div>> Infrastructures for the ICT sector which will help implement the above</div>
<div>> mentioned Directive.</div>
<div>></div>
<div>> The proposed actions are also complementary to existing third pillar</div>
<div>> initiatives – e.g. fight against cyber-crime – as envisaged by the Council</div>
<div>> Framework Decision on Attacks Against Information Systems adopted in 2005</div>
<div>> (2005/222/JHA). As the CIIP initiative focuses on prevention, preparedness</div>
<div>> and awareness to enhance the intrinsic security and resilience of CII, it</div>
<div>> does not conflict with or duplicate the efforts carried out under the third</div>
<div>> pillar, i.e. by police and judicial cooperation addressing measures to</div>
<div>> prevent, fight and prosecute criminal and terrorist activities targeting</div>
<div>> CII.</div>
<div>></div>
<div>> How does the Commission's action plan relate to international efforts in</div>
<div>> this area?</div>
<div>></div>
<div>> This initiative takes stock and builds upon recognised international</div>
<div>> principles such as the G8 principles on CIIP, the UN General Assembly</div>
<div>> Resolution 58/199 'Creation of a global culture of cybersecurity and the</div>
<div>> protection of critical information infrastructures' and the recent OECD</div>
<div>> Recommendation on the Protection of Critical Information Infrastructures.</div>
<div>></div>
<div>> The initiative complements work conducted by NATO on cyber-security –</div>
<div>> specifically the common policy on cyber defence and the activities of the</div>
<div>> Cyber Defence Management Authority (CDMA), announced by NATO in April 2008,</div>
<div>> as well as the outputs of NATO's Cooperative Cyber Defence Centre of</div>
<div>> Excellence (CCD-COE). NATO initiatives are mostly focused on military</div>
<div>> defence whereas the Commission's proposal works to facilitate the</div>
<div>> coordination and cooperation of public and private resources and</div>
<div>> capabilities across Member States.</div>
<div>></div>
<div>> Does the action plan include regulatory measures for the Internet?</div>
<div>></div>
<div>> The action plan does not propose any measure aimed at regulating the</div>
<div>> Internet. It proposes three complementary activities to enhance the</div>
<div>> resilience and stability of the Internet.</div>
<div>></div>
<div>> - The Commission will launch a Europe-wide debate to define EU priorities for</div>
<div>>   the long-term resiliency and stability of the Internet.</div>
<div>> - The Commission will work with Member States to define appropriate principles</div>
<div>>   and guidelines for Internet resilience and stability.</div>
<div>> - The Commission, together with Member States, will develop a roadmap to</div>
<div>>   promote these principles and guidelines at the global level, building upon</div>
<div>>   strategic cooperation with third countries.</div>
<div>></div>
<div>> What is the timing envisaged by the action plan?</div>
<div>></div>
<div>> The different actions have different targets and timelines, running from</div>
<div>> 2009 until the end of 2011. However continuous European efforts will still</div>
<div>> be needed beyond 2011. A stock-taking exercise will already be conducted at</div>
<div>> the end of 2010 and lessons learned will be used as an input into the debate</div>
<div>> on the future of Network and Information Security beyond 2012.</div>
<div>></div>
<div>> How will the Commission monitor the implementation of the action plan?</div>
<div>></div>
<div>> The Commission identified in the impact assessment of the Communication a</div>
<div>> number of indicators for achieving the objectives of the action plan. These</div>
<div>> include the number of meetings and conferences organised at EU level with</div>
<div>> relevance to security and resilience of CII; the agreements on common</div>
<div>> terminology and procedures for the collection and dissemination of</div>
<div>> information on economic impacts of security incidents; the number of</div>
<div>> National/Governmental CERTs participating in the European Governmental CERTs</div>
<div>> Group; the number of international agreements on mutual assistance,</div>
<div>> recovery, and remedial strategies for the resilience and stability of the</div>
<div>> Internet.</div>
<div>></div>
<div>> <a href="http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm">http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm</a></div>
<div>></div>
<div>> IP/09/494</div>
<div>></div>
<div>> ________________________________</div>
<div>></div>
<div>> [1] A group of computers, often very large, that malicious hackers have</div>
<div>> brought under their control. While most owners are oblivious to the</div>
<div>> infection, the networks of tens of thousands of computers are used to launch</div>
<div>> spam e-mail campaigns, denial-of-service attacks or online fraud schemes.</div>
<div>></div>
<div></div>
<div></div>