The European Commission have recently published a more detailed action plan to support their draft Internal Security Strategy from earlier this year (that’s “internal” as in “within the continent”, by the way!). Most of the strategy covers physical security, including natural and man-made disasters, but one of the five strategic objectives is to “Raise levels of security for citizens and businesses in cyberspace”. Having given evidence on CSIRTs to the House of Lords sub-committee last year, I’ve been asked for JANET’s comments on this new paper as well.
Each of the three Actions for cyberspace on pages 9 and 10 recommends both improvements in provision within countries and the creation of a pan-European body. In each case we’ve suggested that the role of the pan-European body should be to identify and promote best practice and help countries implement it locally, rather than involving itself in individual operations.
Thus on dealing with cyber-attacks it’s good to see more encouragement for filling in the gaps in CSIRT coverage, but the proposed European Information Sharing and Alert System (EISAS) should help countries to create national resources like GetSafeOnline, rather than trying to create a single poly-lingual site for all EU citizens. On empowering citizens there are recommendations to create somewhere that users can report incidents and receive guidance on threats and precautions. Again, language issues indicate that this is better done at national, rather than central, level. On improving law enforcement and judicial capability there is a proposal to create a central cybercrime centre, which appears again to be a facilitator for the development of coordinated national operational expertise, though others appear to be interpreting it as having a more operational role. Having briefly been responsible for a pan-European CSIRT a long time ago, my feeling is that centralising operational activities at that level is likely to be more trouble than it is worth.
[UPDATE] The full list of written responses has now been published. Note that they cover a wide range of areas (not just cybercrime) and a very wide range of opinions! Transcripts of oral evidence sessions and the Committee’s final report are also available from the committee inquiry page.