Reference: SPEECH/12/732
Event Date: 16/10/2012
Top Level Conference on Cyber Security of Industrial Control Systems and Smart Grids, Amsterdam, 16 October 2012
Every day, people everywhere rely on the
internet ecosystem for ever more services. No longer just a tool for
simple information and communication, it can now be a forum for almost
any kind of interaction or transaction.
Even today, and increasingly in the
future, it will be the tool supporting systems from healthcare to
banking; underpinning networks from transport to energy; essential
infrastructure for businesses and governments alike.
Those developments are promising
for our economy; offering a great boost to competitiveness and
productivity. They are great for citizens, opening up a world of
convenience and opportunity. And they are great for governments, giving
them the 21st century tools to deliver more effective services for their citizens – at less cost.
But as the internet grows in
importance, so grows the need to protect our networks and systems. The
more we depend on ICT, the more we depend on it to be secure.
The areas you are looking at today
are a case in point. Take smart grids. For example "smart electricity
meters" can incorporate computing and communication ability. These
technologies can inform and empower consumers, integrate small-scale
renewable energy better into the grid, and better manage electricity
supply. But, on the other hand, those features increase the risk and
consequences of attack. With every household potentially a weak link, we
would also make our system of power generation and distribution more
vulnerable.
Equally, attacks on industrial
control systems could prove devastating; and not just economically. We
already know of viruses deliberately targeted at nuclear facilities.
Attacks on information networks can
occur for a variety of reasons: whether the perpetrators seek financial
gain, political activism, or merely attention.
But one thing is clear: these are
growing in number and seriousness. The number of web-based attacks went
up 36% between 2010 and 2011. The range of actors taking part in
cyber-attacks is growing – including, sometimes, state actors. And the
economic consequences of a major breakdown of Critical Information Infrastructure could amount to hundreds of billions of euros.
The Commission has been working to
boost cyber-security for over 10 years now. But in today's new
environment, we need to raise our game. We need to act strategically; we
need to work together; and we need to give this attention at the
highest political level. And that is exactly what we will do with our
forthcoming European Cyber-security Strategy.
Thank you to the many of you who
took part in our consultation on that Strategy, which closed yesterday.
Well over one hundred organisations and individuals did so. Let me give
you some early outcomes from that exercise, and some early indications
of our thinking.
Two in three responses to our
consultation agreed on the need for regulatory requirements to manage
these security risks, of whom the great majority believed it should be
at EU level. And here's what I think our EU strategy needs to contain.
First, it's clear that dealing with
this issue calls for serious cooperation between the countries of the
EU. The internet knows no borders; we are only as strong as the weakest
link in the chain.
So we need protection within the EU
to be consistent, and high. Not through centralised EU control – an
approach based on dialogue, partnership and empowerment is much more
appropriate. But equally, disconnected individual actions risk raising
barriers to entry, and shattering our Single Market: cyber-protectionism
is not the answer.
Our strategy will set out how to raise
protection levels across Member States; ensure countries are more
prepared; and establish mechanisms for cross-border cooperation. For
example: already every country should have functioning and well-staffed
cyber emergency response teams. But there's a strong case for moving
from a voluntary to a binding approach here, to ensure at least a
minimum level of joint protection.
Second, different sectors, public
and private, need to be involved and responsible. Key infrastructure is
operated by a mix of public and private stakeholders: whether it's cloud
services, energy grids, transport, healthcare, or the financial sector.
For the telecoms sector, there is
already a legal obligation to manage security risks – and report
significant security breaches too. But, these days, more and more other
sectors interact with, and critically depend on, those ICT networks:
there's an urgent case for extending those obligations, and creating a
level playing field. And indeed around 90% of respondents to our
consultation agreed there should be network and information security
requirements in sectors like banking, energy, transport, healthcare,
internet services and public administrations.
Plus, it's often the private sector
which can produce the technical solutions to defend against
cyber-attacks. And our strategy, supported by the EU's research
programme, will help them to do just that, and stimulate a rich and
competitive EU industry.
What's more, we must cooperate
within the private sector; cooperate between critical infrastructure
sectors; and cooperate with public partners. That's essential
nationally, and also at EU level. I am aware that many of you have a
very positive and proactive attitude to this and I can only support
that.
Third, the responsibility for
cyber-security lies with everyone, down to each and every ordinary
internet user. In fact, there are many simple steps people can take to
improve their security online: like choosing a sound password, and
storing information safely. We need to raise awareness of those steps.
That's why I'm delighted that this month is European Cyber Security
Month – a great way to present these issues to the general public in
fun, engaging ways. And there are such initiatives going on in many
Member States. Currently just a pilot, I hope it's something we can
build on in years to come.
And finally, cooperation doesn't
stop at Europe's borders. We are working with partners like the US, and
very constructively. Our working group on Cyber-security and Cyber-crime
has already shown its worth as a tool for information-sharing and joint
activities, like the joint workshop on smart grids yesterday. And
indeed events like this very conference stem from that cooperation. I
think this is a great and workable model; and hope it extends further.
And I'm delighted we are later
signing the World Economic Forum's Partnership for Cyber Resilience.
These are not just a set of important principles: they are evidence of
how we can work together, as public and private sector leaders, to raise
awareness and build resilience.
I'm fully committed to such
principles. In a hyper-connected world, we must contribute to a safe,
shared digital environment. And we should recognise our own
responsibility in setting the right tone and structure for cyber
resilience.
Ladies and gentlemen,
Cyber-security is a top priority,
and needs top political attention. On the other side of the Atlantic,
President Obama has long recognised this as a national security
priority. He's right: it is.
It's time we took that attitude here in
Europe too. It's time to give cyber-security the attention it deserves.
Let's be strategic, let's work together, and let's ensure we protect our
infrastructure, and our citizens, in the digital age.