Financial Services and Technology Forum 10 July TOPIC: Cyber Security

Academic year: 2021


Financial Services and Technology Forum

10 July 2013

TOPIC: Cyber Security

Panellists:

MEP Christian Engström (Greens, Sweden)

Emmanuel Cabau, DG CONNECT, European Commission

Cathrin Bauer-Bulst, DG HOME, European Commission

Peter Gillespie, Fidelity Worldwide Investment

Cornelia Kutterer, Microsoft

Moderator: Pierre Francotte, Chair of the Financial Services and Technology Forum and Senior Adviser, Kreab Gavin Anderson

Report on panel discussion

PANELLISTS’ STATEMENTS

Christian Engström MEP

MEP Engström started by explaining his view that cyber security can be split into three areas, which partly overlap and are partly separate.

The first issue is resilience. Cyber security is about avoiding single points of failure. Often, when the internet is down, this is not because of a malicious attack, but because something went wrong. Resilience needs to be designed into the system, in its hardware. This also applies to payments systems. We are more and more moving towards a system where we are over-relying on credit cards. What do you do when the system does not work and there is no money?

The second issue is related to cyber crime and attacks by nations. When this is about the ordinary use of the internet by criminals, that is a police matter. When other nations attack, that is an act of war. Police and military are different and you don’t want the military to fight criminals. From the news of the last weeks, we know we are under attack. The most concerning aspect of PRISM is that the US are accessing our personal data. This is very disturbing.


A third aspect is industrial espionage and the reading of email communications. I am sure that happens. The transfer of bulk data via the Swift agreement also has espionage concerns. This is not in the scope of the Directive, but we need to think about this.

I am not entirely sure the cyber security Directive is a necessary and useful thing. Network and Information Security is handled by a lot of private companies working on the protection of the internet. We need to consider what should and what should not be laid down in law. Legislation is slow, but the internet moves very quickly. A structure based on informal cooperation is more appropriate. Otherwise, in a couple of years we are reporting lots of things that are completely irrelevant.

Also, the legal basis is shaky. Resilience can’t be improved by law. Crime and defence are dealt with by Member States. The EU is not a police or defence union, but a market union. I am sorry to be so negative, but I don’t think this Directive is a good idea.

Emmanuel Cabau, European Commission

I agree with you on a number on things. There is no confusion over what is done by the military and the police. This is a purely civilian Directive. We want to tackle civil resilience to make network and information security function properly. We really shouldn’t have a one-size-fits-all solution. Security is not a tick-the-box exercise. The intention is to have a flexible Directive and to allow the framework to evolve. Therefore, there are no precise definitions of internet services and market operators, and that’s why we have opted for a Directive and not for a Regulation. We don’t want to be over-prescriptive.

Some Member States are ahead in cyber security, others are not doing what they should. Cyber threats can have a strong impact on the internal market. They spread from one Member State to others. Only the Member States that are well advanced are cooperating, but only amongst themselves. Lots of incidents are not noticed by market operators and often there is no time to investigate. The sector could also benefit from sharing information. Therefore, we would like to address three issues with the Directive.

Firstly, we need to have the necessary capacities. We are not over-prescriptive but say Member States at least need to have a strategy. We want to strengthen operational cooperation, the Computer Emergency Response Teams (CERTs), and competent authorities.

Then you can cooperate better at the EU level. We want a soft system at the EU level. Only information that has an impact on EU security has to be shared.

Finally, we impose some obligations on the most concerned market operators: the financial sector, health, transport, energy, information society services. We don’t prescribe specific measures but want to bring about a culture of risk management. Everybody should take the appropriate measures. This is a very balanced approach.


Cathrin Bauer-Bulst, European Commission

When you see a dark screen, sometimes it takes a couple of weeks before you know whether that was a technical incident, espionage, a political attack, or a cyber attack. What is done to fight cyber crime? Cyber crime is difficult to define and regards a variety of attacks: attacks against information society operators, the internet as a facilitator for everyday crime (like fraud), child sexual abuse and malware (content-based crime). Anybody can go online and purchase or rent tools for these crimes.

The EP just adopted a Directive on attacks against information society infrastructure. The Directive covers direct attacks against ICT systems and infrastructure and criminalises botnets (servers that use infected computers for Distributed Denial of Service (DDoS) attacks). When DDoS attacks lead to a breakdown you can retrieve credit card data.

An important part is police cooperation and law enforcement. Cyber crime is a relatively safe crime. There are few cases of prosecution and conviction. It is a crime of choice to make money. Due to the cross border nature of the crime, law enforcement authorities (LEAs) depend on information from each other to fight cyber crime. The European Cyber Crime Centre (EC3) at Europol will support investigations, link with LEAs, collect information and serve as a collective voice of cyber crime investigators. Its work is focused on three types of crime: attacks against information systems, child sexual abuse, and payment fraud.

For cyber crime, more than for other forms of crime, the infrastructure is privately owned. If there is no cooperation, there is no way of fighting cyber crime. It is one of the most underreported crimes due to the lack of incentives and difficulties with sharing information. Better reporting can help prevent further attacks. We also need to apply common standards to improve resilience. And if we want to deter cyber crime, we need to give the LEAs the information they need to prosecute cyber crime. Reporting of at least serious incidents can help to address this.

Peter Gillespie, Fidelity International Ltd

Although we are an asset manager, it is difficult to get a real reassurance that we are not included in the scope. The scope is non-exhaustive, so potentially we could be included, even though we don’t consider ourselves critical. The legislation seems quite simple but seems to tackle a rapidly changing environment. I do support the intent to increase collaboration though this happens irrespective of legislation.

We have some concerns about the reporting mechanism. Depending on the implementation, we may need to notify in one country, but not in another. How does it work if a breach in a UK data centre affects clients outside the UK? Whom do I notify? How does it work if there’s a breach outside the EU with consequences within the EU? We are operating in a complex environment and the answers to these questions aren’t always clear. Each Member State’s own interpretation won’t increase the clarity. Also, security increases with confidentiality. The more people know about a breach, the higher the chance it will be seen by the public. There is a risk that data will bring more damage than benefits. We need to be specific about what we ask organisations to report, and to meet conditions of confidentiality and minimum traceability. Cooperation is required, and Fidelity has played a role in it. I see more benefit in industry level collaboration than EU cooperation with this level of detail.

Cornelia Kutterer, Microsoft

Security is the key concern of our customers. We are working with the public and private sector, small and large companies, and I am happy to give some feedback on what we hear on resilience.

I think the Cyber Security Directive will help. National Network and Information Security strategies will help Member States to better understand and assess the risks of cyber security. But the proposal needs to be workable in practice. The information sharing network has to take into account that information comes from the private sector. There is no element of a bi-directional system. Authorities also need to share information with the sector. Reporting on incidents is one-directional. It concerns a wide variety of incidents, with different partners, and is very complex. A potential risk of the Directive is that it could be counterproductive as it challenges what is already working on a voluntary basis.

There are limits to what can be done. We need to have a functioning security risk management structure and put our resources where there is most risk, likelihood and impact. We thus need to focus on the most critical parts: the critical infrastructure.

I agree with Peter on what he said on incident reporting. It is not clear what kind of incident needs to be reported, to whom, and under which circumstances. There are also issues of jurisdiction and scope.

ROUND OF QUESTIONS BY MODERATOR

The moderator asked about the view of the panellists on the scope of the Directive.

Emmanuel Cabau answered that the scope was one of the most difficult parts of the work on the Directive. Risks can spread over a network. Everybody needs to take the appropriate measures, including individuals, but they also need to be proportionate. At this stage, we believe it is best to restrict this to critical information infrastructure and to exclude citizens and micro-enterprises. Public administrations, internet enablers and main companies that make use of internet society services are included. The proposal is not prescriptive. We did not want to run the risk of excluding something that could become critical in a couple of years. Cornelia Kutterer argued that a narrow scope would make the framework more workable. It would be necessary to define what an incident is and to address the proportionality and administrative burden. If it is risk-based, we need to narrowly define the scope of what is critical to public safety. I’d also suggest starting with public administration and then rolling out to other critical sectors.

Peter Gillespie stated that he’d be happy to participate, if reporting requirements are sorted out well. Most of the financial sector does some form of risk assessment.

MEP Engström suggested that the fact that the scope is poorly defined could be an indication of the weakness of the proposal in general. There is too much flexibility in the Directive. Also, the EP is not enthusiastic about the delegated acts. I don’t think legislation is the best way. With legislation, we’ll always be far behind the reality of how people are using the internet. Had the Directive come ten years ago, social networks would not be in. Maybe in ten years the internet will look radically different again.

The chair then asked Cathrin Bauer-Bulst how market operators could feel more comfortable about reporting.

Cathrin Bauer-Bulst answered that trust is a central element. When companies report, they need to be assured that information will not be shared, and that there is someone who can help you. There are already CERTs in most Member States and for the EU institutions. Companies that don’t have the resources rely on us. They are happy to report and get assistance. Often, if a virus or Trojan is successful with one bank, criminals will use it on others. We need to work together to prevent this.

The moderator then asked the opinion of the panellists on reporting.

Peter Gillespie answered the information should be anonymised as soon as possible. We also need to reduce the amount of unnecessary side data.

Cornelia Kutterer said the regime would have to be adapted to how information sharing works in practice, according to industry codes.

Emmanuel Cabau answered that Peter and Cornelia have well-founded concerns and that they will be taken into account in the negotiations. The alternative is either to do nothing, or to come with a very prescriptive Regulation. We have seen with the Telecommunication Directive that the number of breaches is not very large, only about 100 for the EU. It will be reporting on significant breaches affecting core services, not on a daily basis. Confidentiality and business secrets are important concerns. I agree with the point on anonymity. Reporting should only happen when needed and with the level of detail that is needed. Information should also be bi-directional.

QUESTIONS FROM THE AUDIENCE

Jonathan Sage of IBM asked about how incentives rather than sanctions could be used to make voluntary reporting more attractive.


MEP Engström agreed that a sanction-based mechanism is not the best method. He also pointed out that a patchwork of reporting requirements could have negative effects on pan-European operators.

A member of the audience asked about the impact on trade negotiations with the US.

Emmanuel Cabau answered that the Cyber Security Directive should not influence the negotiations. With regard to the extraterritorial aspect, there is a lot of space for voluntary, culture-based exchanges of information. The Directive provides that reporting must be done where the service is affected.

Katerina Tapio of NYSE Euronext asked about the added value of public disclosure of cyber incidents.

Cornelia Kutterer was not convinced about the necessity of public disclosure. Reporting information needs to remain confidential. Competent authorities should also be audited. Peter Gillespie believed public disclosure needs are already catered for in data protection legislation and pointed at the risks of copycat attacks.

Emmanuel Cabau recalled the competent authority is not obliged to disclose and that this should be first discussed between authorities and the notifying company. He argued the authorities should have this possibility when reporting is in the public interest.

David Reed of Kreab Gavin Anderson asked whether, from the EP’s perspective, strengthened cyber security could be a tool to overcome consumers’ hesitance to online banking.

MEP Engström answered that the lack of consumer confidence is holding back all electronic services. Cyber security is but one aspect, but data protection is another. When you enter data, you don’t know what is happening. It is frustrating that most lobbying on data protection has been very unconstructive.
