www.enisa.europa.eu

Digital evolution: why, for Europe's future, cyber must mean safer

Udo Helmbrecht, Executive Director, ENISA

Institute of International and European Affairs, Dublin 12th March 2013

1

www.enisa.europa.eu

Agenda • Introduction to ENISA - Why cyber must mean safer • Understanding the threats • ENISA – making cyber safer • ENISA’s role in the EU Cyber Security Strategy and the

Directive on NIS • Extension of ENISA’s mandate tasks • Conclusion • Questions

2

www.enisa.europa.eu 3

Introduction to ENISA

3

www.enisa.europa.eu

ENISA

• The European Network & Information Security Agency (ENISA), formed in 2004

• Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information security

• Facilitates the exchange of information between EU institutions, the public sector and the private sector

• Based in Heraklion, Greece

• New Athens office just opened (1st March)

• New mandate due later this year

4

www.enisa.europa.eu

Recent ENISA Missions

© S

hutt

ers

tock

5

www.enisa.europa.eu 6

Why cyber must mean safer

6

www.enisa.europa.eu

Life is online

• Life for Europeans in 2013 is online, 24/7

• Life is evolving in a digital direction

• We stay informed through the web

• Work online from practically anywhere

• Order goods and services

• Download music, movies…

• Plus much more

• All depend on our personal information and financial data being safe and secure

7

www.enisa.europa.eu

Trend is for web to be integrated

• The trend is more activities to take place online

• Even non-IT systems, such as power grids and other Industrial Control Systems (ICS) now depend on secure IT systems

• As online activity increases, so does the opportunity for cyber attacks or accidental security problems

• Therefore, for personal security, data protection, Europe’s economy and industry, for a digital society…

…..cyber must mean safer!

8

www.enisa.europa.eu 9

Understanding the threats

9

www.enisa.europa.eu

What are the threats?

10

www.enisa.europa.eu

The ENISA Threat Landscape

• The ENISA Threat Landscape provides an overview of threats and current and emerging trends.

• It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends.

• Over 120 recent reports from a variety of resources analysed

11

www.enisa.europa.eu 13

ENISA – making cyber safer

13

www.enisa.europa.eu

• Protecting Critical Information Infrastructure

• Input to European Union & Member States’ Cyber Security Strategies

• Assisting Operational Communities

• Security & Data Breach Notification

• e-privacy

Key tasks

Plus…….

14

www.enisa.europa.eu

• Cyber Europe 2010

• Europe’s first ever international cyber security exercise

• EU-US exercise, 2011

• Also a first : work with Commission & Member States (MS) to build transatlantic cooperation

• Cyber Europe 2012

• Developed from 2010 & 2011 exercises

• Involved MS, private sector and EU institutions

• Highly realistic exercise, Oct 2012

Cyber security exercises

15

www.enisa.europa.eu

Cyber Europe 2012 (Oct 2012)

• Objectives:

• Test effectiveness and scalability of existing mechanisms, procedures and information flow.

• Explore the engagement and cooperation between public and private stakeholders in Europe.

• Identify gaps and challenges on how large-scale cyber incidents could be handled more effectively in Europe

Cyber Europe 2012 video

16

www.enisa.europa.eu

Recommendations – Findings Report

• Develop the European cyber exercise area

• Future exercises should explore inter-sectoral dependencies

• Provided an opportunity for international cooperation and

strengthening of community

• EU Member States and EFTA countries should further improve

effectiveness, scalability of, and familiarity with, existing

mechanisms, procedures and information flows

• All stakeholders need to be trained on procedures

• Private sector brought value: consider involvement in future

exercises.

• Cyber-incident community could be strengthened with

input from other European critical sectors

Note: Great PR value! 250 media stories

globally

17

www.enisa.europa.eu

Securing New Technologies

18

www.enisa.europa.eu

• Good Practice Guide on Cyber Security Strategies (2012)

• Known good practices, standards and policies

• The elements of a good Cyber Security Strategy

• Institutions and roles identified in a Strategy

• Parties involved in the development lifecycle

• Challenges in developing and maintaining a Strategy

National Cyber Security Strategies

19

www.enisa.europa.eu

Security & Data Breach Notification

• Supporting MS in implementing Article 13a of the Telecommunications Framework Directive

• Supported NRA’s in implementing the provisions under article 13a

• Developed and implemented the process for collecting annual national reports of security breaches

• Developed minimum security requirements and propose associated metrics and thresholds

• Supporting MS in defining technical implementation measures for Article 4 of the ePrivacy Directive.

• Recommendations for the implementation of Article 4.

• Collaboration with Art.29 TS in producing a severity methodology for the assessment of breaches by DPAs

23

www.enisa.europa.eu 25

ENISA’s role in the EU Cyber Security Strategy and NIS Directive

25

www.enisa.europa.eu

EU Cyber Security Strategy & ENISA

• The Commission asks ENISA to:

• Assist the Member States in developing strong national cyber resilience capabilities

• Examine in 2013 the feasibility of Computer Security Incident Response Team(s) for Industrial Control Systems (ICS-CSIRTs) for the EU

• Continue supporting the Member States and the EU institutions in carrying out regular pan-European cyber incident exercises

26

www.enisa.europa.eu

Cyber Security Strategy - ENISA

• The Commission asks ENISA to

• Propose in 2013 a roadmap for a "Network and Information Security driving licence"

• Support a cyber security championship in 2014, where university students will compete in proposing NIS solutions

• Support the organisation of a yearly cyber security month

• Develop, in cooperation with relevant stakeholders, technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors

• Collaborate with Europol to identify emerging trends and needs in view of evolving cybercrime and cyber security patterns so as to develop adequate digital forensic tools and technologies

27

www.enisa.europa.eu 28

Extension of ENISA’s mandate tasks

28

www.enisa.europa.eu

the agreement reached today, subject to final approval by the Committee of Permanent Representatives, will lead to a more robust, reinforced agency, better able to meet the technological challenges and demands facing the EU now and in the future.

Irish EU Presidency

30th January 2013

New ENISA Regulation, 2013

Plus…….

”

“

29

www.enisa.europa.eu

• Greater flexibility, adaptability and capability to focus.

• Better alignment of the Agency to the EU regulatory process, providing EU countries and institutions with assistance and advice.

• Interface with the fight against cybercrime; the Agency would take into account the network and information security aspects of the fight against cyber crime.

• Strengthened governance structure: stronger supervisory role of the Management Board, in which the EU Member States and the European Commission are represented.

• Simplification of procedures to improve efficiency.

• Gradual increase of the Agency's financial and human resources

Key points of the mandate

30

www.enisa.europa.eu 31

Conclusion

31

www.enisa.europa.eu

• Increasing integration of cyber and real worlds means secure IT is crucial for everything we do

• Therefore, in order for Europe to be a truly digital society, cyber has to mean safer

• ENISA’s record of supporting cyber security across for the EU makes it able to help this happen

• The Cyber Security Strategy, Directive and forthcoming ENISA Regulation mean ENISA will be able to play an even more integral and active role in supporting Europe’s economy and citizens

Conclusion

32

www.enisa.europa.eu

European Network and Information Security Agency Science and Technology Park of Crete P.O. Box 1309 71001 Heraklion Crete Greece 1 Vass Sofias & Meg. Alexandrou Maroussi 151 24 Athens Greece http://www.enisa.europa.eu Facebook, Twitter, LinkedIn YouTube, & RSS feeds

Contact details

www.enisa.europa.eu 34

Questions

34