
EPP Policy Paper adopted by the EPP Political Assembly (28th January 2014)

EPP Policy Guidance on Cyber Security

EPP POLICY GUIDANCE ON CYBER SECURITY ADVISED BY THE EPP CYBER SECURITY ADVISORY BOARD

Introduction

Cyber security is high on the agenda of European politics, and recent attacks against governments, industry, business and citizens emphasise the need for action to prevent, and adequately react to, unauthorised and potentially dangerous attacks. As our dependency on online and offline services increases, our European society becomes more vulnerable. Therefore, the European People's Party (EPP) aims to incorporate the topic into the framework of the party in the form of policy guidance.

Against this backdrop, the task of the EPP Cyber Security Advisory Board (CSAB) is to advise the party on policy formation and structure. Consisting of experts on cyber security from industry, academia, EPP-led governments, EU institutions and agencies as well as from other backgrounds, the Advisory Board serves as an exclusive Public Private Partnership initiative, in order to gain knowledge in this field and ultimately assist the EU legislator and national governments in implementing cyber security strategies, as well as making the EPP the driving policy force in this field.

Objectives

Reaching a high level of cyber security requires responses to a wide variety of challenges, ranging from behavioural change of the individual user, to economic incentives and efforts, to changes in law and international diplomatic initiatives. These fields of action can be divided into three main categories or policy objectives:

1. Public security,
2. Economic competitiveness, and
3. International coordination.

An overall goal should be to avoid the duplication of efforts. Our European citizens do not want to observe the implementation of multiple platforms for the same purpose. Many sectors in cyber security are interconnected, especially when it comes to Critical Information Infrastructure Protection (CIIP), but responsibilities on the executive, judicial and legislative levels have to be clearly defined.

The European policy spectrum has its limits, and with this paper we want to give input to the debate on cyber security whilst recognising those limits. As a horizontal principle in the field of cyber security, cooperation between different private and public actors should be applied wherever possible. Cooperation can be understood as the sharing of relevant information about threats, responses or any other knowledge that helps in reaching a high level of cyber security. Without prejudice to possible legal provisions for information sharing, actors should be encouraged to use available sources, as well as channels of information such as those provided by ENISA, national authorities or competent and certified private bodies.

1. Ensuring Public Security

First and foremost, cyber security helps to improve public security. By providing the security fence for critical infrastructure and fostering the proper functioning of such infrastructure, cyber security measures should increase confidentiality, integrity and availability, focus on both technical and organisational measures to protect the relevant IT systems, components, processes and data of critical infrastructure, and be based on continuous assessment, in order to maintain the wellbeing of societies. When speaking of critical infrastructure, the understanding thereof should focus on the essential, in line with legislation on CIP and CIIP. All Member States and EU institutions and agencies should develop effective and sustainable cyber security strategies and CERTs as fast as possible, further develop contingency plans, and promote cyber aspects in all risk analysis and crisis management plans on all levels, from public to private.

The CSAB will furthermore aim to map the correlations between data protection and cyber security. Whereas security and data protection are closely interlinked and need to be seen in a smart and cooperative way, the latter should not impede reaching high standards of cyber security.

For such a security fence, first, it is indispensable that the legislator, together with stakeholders, defines patterns alongside existing legislation to identify and categorise critical infrastructure. Second, minimum performance-based requirements should be defined for each risk level identified, taking into account relevant information from the security industry, in particular best practices and guidelines. Finally, efforts on the EU level should aim towards achieving the compatibility of the various national measures taken, and towards sharing the resources used and the knowledge acquired.

The European Cybercrime Centre (EC3) should play a role in helping to address related cybercrime issues, in close cooperation with ENISA, the national CERTs and other institutional stakeholders, to address cyber security issues on an operational basis. Bearing in mind the far-reaching implications of the Centre's task, this needs to be addressed not only with technical and financial but also with sufficient human resources.

The prevention of cyber attacks should start at home. It is linked both to increasing a culture of security amongst users and to minimising the vulnerabilities of relevant IT systems. The user himself is a relevant factor through pro-active behaviour: security updates and the use of the newest software considerably increase the security of the overall eco-system. Minimum security requirements for suppliers of services and solutions, especially to public administration or to private industry tasked with maintaining critical information infrastructure, should be fostered. Education, training and awareness campaigns should be developed using different means of communication with simple and clear language, targeting citizens, businesses (in particular SMEs) and public authorities. Furthermore, this can be achieved by preparing the digital generation, including from the earliest age possible, through school programmes on risk awareness and safe behaviour when using cyberspace. For this purpose, the education of citizens and the continuous training of businesses and public authorities is necessary, in order to raise understanding of the threat scenario and achieve widespread and conscious risk avoidance.

Given the fast development of new technologies, absolute cyber security and prevention of attacks can never be guaranteed. Therefore, it is pertinent that actors prepare for possible incidents by fostering an active mutual exchange on incidents, threats and possible countermeasures, while increasing capabilities in the field of risk management, considering a public and business alert system that has a direct connection to the national CERTs (CH) and their partner organisations. Likewise, incident management processes for cyber attacks targeting our critical infrastructure need to be developed, with the goal of an effective multinational response mechanism capable of reacting simultaneously. Beyond the actual immediate reaction to an attack, legal mechanisms such as the Directive on attacks against information systems have to be in place and further developed, in order to identify and sanction offences.

2. Raising Economic Competitiveness

As a second strategic objective, we want to ensure and safeguard economic competitiveness in cyber security in the European Union. This is a threefold target, as we need to work on the supply of and demand for cyber security, as well as on the research and education of cyber security specialists. The broader security market in the European Union can be described as supplying not only 'traditional' security devices and services but also highly specified solutions to public and private consumers. Better connecting this market and aligning its strengths can provide for improvement. Therefore, gaps and shortcomings in the current market have to be analysed, and policy initiatives should be taken to foster a European security industry. The development of innovative solutions for cyber security, as well as the industrial production of key elements for security systems in the EU itself, should be fostered by raising economic competitiveness in the market.
Facilitation of a competitive and innovative market for cyber security is needed to also enable SMEs to operate in the field. Innovation and competition can only be sustained by a strong and vivid research environment. Creating and supporting such an environment is in the interest of the EU, so as to develop its own tools and systems in a harmonised way through joint research undertakings, such as the Horizon 2020 programme. The security solutions market, which currently can be identified as a "vendor-push market", should be subject to stimulation directly from user communities towards a "consumer-pull market", encouraging the security sector to produce solutions fit to the needs of users.

In addition, it is necessary to prevent or mitigate harmful computer network exploitation. Actions with the intent to intercept systems, including listening to, monitoring or surveillance of the content of communications, and the loss or alteration of commercially important and confidential information or other data, can cause irreversible damage to our innovative and competitive economy.

An adequate supply is also strongly dependent on sufficient expertise and qualified professionals in the EU; research and development, as well as education and the development of adequate curricula, play a vital role. By pooling knowledge, expertise and research on cyber security and threats, Member States as well as relevant EU bodies could contribute greatly to placing businesses in the EU at the spearhead of producing and making use of cyber security tools.

On the other hand, we need to ensure sufficient demand for cyber security. Where the costs and benefits of investing in cyber security are not always clear to the private sector, understanding of what is at stake needs to be raised and incentives need to be put in place. This may result in positive/rewarding mechanisms or negative/costly consequences through legal or contractual requirements. Incentives should also be considered for those designing new products, devices, services and applications with security-by-design as a central feature. Stronger public investment in information and cyber security helps to ensure better standards for IT-based structures and the private sector, including against the most significant level of attacks, which go beyond the skill sets of the private sector and of small and medium enterprises in particular. In addition, targeted and clear-cut public private partnerships based on complementarity and mutual trust could contribute to a better understanding of the economic value of cyber security.

Further to this, a considerable part of the demand in the security market stems from the public sector. Defence support for internal security and civil security still functions within national or even regional boundaries. A common understanding of standards and purchase policy could help to foster a European security industry suited to the special requirements of the civil security and military sectors when it comes to internal security. Common standards and certifications are considered to play an essential part in achieving this objective.

3. Fostering International Coordination

Cyber security also depends on actors outside the EU. It is necessary, therefore, to identify international key interlocutors, ensure a common understanding of the issues at stake and commit to joint efforts.
Cyber security as a subject should be mainstreamed in all EU actions with an external dimension. One important partner of the EU is the United States of America, alongside other actors on all continents. While there are already manifold forms of public and private cooperation to improve cyber security, we need to take close stock of these efforts and evaluate where the coordination could be improved, intensified and enhanced under equal conditions. The EU should be proactive in concluding international cooperation agreements. Regular exchange of best practices and joint cyber exercises are concrete measures that already show an added value.

EU cooperation with NATO should be complementary in order to avoid duplication, while taking into account the respective responsibilities. Practical cooperation with a view to exchanging experience and learning how to build resilience for EU systems should be deepened; further practical cooperation concerning planning, technology, training and equipment should be intensified. Member States, as well as the EU and NATO themselves, should incorporate the financial and organisational requirements of such cooperation into their considerations.

Cyber defence has to be included in the agenda when talking about cyber security, to ensure a comprehensive approach. Close cooperation with the European Defence Agency is important to assist Member States in developing their cyber defence capabilities and in promoting the pooling and sharing of information, both among Member States and with the EU level. Cyber defence units in military forces are a good example of a practical cyber defence measure that could be implemented in all Member States. Additionally, a better understanding of cyber warfare with regard to relevant international law should be developed. This includes aspects of state responsibility, attribution, classification and countermeasures, in order to advance the legal understanding of cyber attacks.

Yet there are further state actors and international bodies that play an equally important role or will gain in prominence in cyberspace. Aiming towards a common understanding of the necessity for global cyber security, and hence global norms of behaviour in cyberspace, it is indispensable to closely coordinate such efforts. With regard to incidents involving state action, efforts are indispensable to enhance trust and create confidence between the relevant actors, also by applying international law in cyberspace. Still, the intention is not to reach an 'autocratic' level of censorship and monitoring. Such norms should rely on fundamental rights and freedoms, in order to strengthen security awareness on a public, individual and business level, and the overall benefits of cyberspace.

In order to reach a high level of cyber security, the EU should be at the forefront of international efforts to develop international standards concerning network security. The norms prevalent in the EU could set a model for international partners in all practical areas of cyber security, Critical Information Infrastructure Protection and cyberspace governance issues. The EU should actively promote effective communication between different national and international communities, such as intelligence agencies, law enforcement authorities, national security entities and incident response teams.
The Union should actively promote the provisions and the further ratification of the Council of Europe Convention on Cybercrime, and in that manner ensure that computer network exploitation is deemed a criminal offence under national law. Cyber security capacity and skills are not distributed evenly around the globe. The EU should, together with its international partners, enhance efforts to support the more vulnerable regions in addressing cyber crime. The EU should make use of measures within its neighbourhood and cooperation policies to strengthen cyber security in a wider area.

In summary, it has become clear that a high level of cyber security requires efforts at all levels, be it the international, EU, national or even the individual level. The EPP will focus on the three main objectives of public security, economic competitiveness and international coordination in order to achieve a robust and comprehensive level of cyber security.
