27 Oct 2012

Interview with ENISA's Executive Director Prof. Udo Helmbrecht

What has been your biggest challenge in
the role of Executive Director of ENISA?
How has your background helped shape
your role in the organization?
Probably the greatest challenge for me at
ENISA is to increase the Agency’s visibility
and to create a bigger impact with our work.
The entire ENISA team puts maximum effort
into identifying how we can improve cyber security
in Europe and making sure that we
communicate our knowledge as effectively as
possible. We’re constantly looking at how we
get our message across to everyone who has
a stake in network and information security.
There’s a huge potential audience for us to
reach, and it’s one that is constantly growing
as information technology (IT) touches the
lives of an ever-increasing number of Europe’s
citizens.
ENISA is a relatively small organization -
about 60 people, including directly employed
staff, experts seconded from EU Member
States, contractors and agency personnel -
and while our work supports IT security all
across Europe, we focus on issues where our
expertise can make a real difference, whether
that means giving advice to Member States on
good practice in safeguarding critical information
infrastructure, or in advising on new European
laws to ensure that sensitive information
stays protected.
A large part of ENISA’s work relates to bringing
together the various organizations and individuals
involved in network and information
security. Information technology plays a role in
practically every aspect of our lives, and staying
abreast of this constantly evolving picture
is another big, but very enjoyable challenge.
I have worked in a number of different spheres
over the past 25 years, and this has allowed
me to experience and be part of how different
organizations operate and shape themselves
to meet their varying tasks. My experience includes
working in the aerospace industry, with
DASA/MBB, starting out in systems analysis,
and ending as the company’s Programme
Manager for IT.
I have also worked in the insurance industry,
and in the academic world. Immediately before
joining ENISA in 2005, I was President of
Germany’s Federal Office for Information
Security (BSI) for six years. While there, I took
the lead in building a cooperation between BSI
and the IT security industry, and was also responsible
for raising public awareness about
information security issues.
www.insecuremag.com 16
I would say that my background has helped
me to develop an approach focused on analyzing
the organization’s objectives, and constantly
seeking to find the best structure to
meet them. The way the Agency (or any other
organization) operates needs to be in tune
with the challenges the Agency faces. For example,
we often need to be “on the spot” at
short notice to provide support to Member
States.
To support this, last September we launched a
Mobile Assistance Team (MAT) that operates
out of our Athens branch office. This small unit
consisting of four people has clocked up more
than 40 assistance missions within the year to
support the Member States in addressing security
issues. This flexible, responsive approach
is also favored by Neelie Kroes (the
European Commissioner for Digital Agenda)
and we plan to do more work in this way.
When taking into account all the research
that ENISA has done in the past year, how
would you rate the current state of information
security in Europe? What key areas
still need work?
There has been a lot of progress in IT security
over the past year. ENISA’s work on this has
included supporting new Computer Emergency
Response Teams (CERTs) that have
been set up in Romania, Malta and Ireland,
and we’ve done a great deal of work to help
CERTs in all Member States build stronger
links and share good practices. For example,
there is our annual CERT workshop, which
last year included Europol as a participant, so
that we could bring the dimension of cybercrime
into the picture. This type of knowledge
sharing is crucial.
The past year has also seen great success in
international cooperation on cyber security
exercises. In 2011, ENISA worked with the
European Commission, Member States and
the US to hold the first ever EU-US cyber security
exercise, Cyber Atlantic 2011. This was
built on the experience we gained from facilitating
the first ever pan-European exercise in
2010, and we are currently finalizing arrangements
for Cyber Europe 2012, which is
scheduled for this autumn. (The exact date is
kept confidential for security reasons.)
More widely, with Article 13a of the Commission’s
Telecoms Regulation, we have seen
moves towards standardized reporting of data
security breaches, and steps are being made
towards a common IT security governance
structure for the EU.
Of course, there is still much work to be done
on consolidating knowledge and building
shared approaches and understanding in all of
these areas. In addition, there are newer,
emerging areas that offer great opportunities
for us as users of information technology, but
also require an understanding of new security
challenges.
Cloud computing, for example, offers great
savings in terms of cost and efficiency, but
needs to be implemented with due regard to
data security requirements. The laws and legal
regimes of countries that are hosting data
need to be known, and care must be taken to
ensure that adequate legal safeguards are in
place.
Another emerging area is smart grids, which
can provide more efficient use of power networks.
However, the relationships between
new, Internet-based technologies and existing
traditional control systems that are now becoming
“embedded” in the Internet need to be
understood to ensure that they do not create a
vulnerable point that could be used as a way
in for cyber attackers. Recent ENISA reports
have looked at both cloud computing and
smart grids, and these will be areas of ongoing
work for us.
Which European countries are excelling
when it comes to computer security? What
actions are they taking and how can those
be an example for other members of the
European Union?
There are so many factors involved in network
and information security that it’s difficult to
draw comparisons between countries. In any
event, different Member States have had different
evolutions in the way they have developed
their IT infrastructure and policies, so
their security requirements can be very different.
Having said that, countries that have long-established
IT and telecoms infrastructures
and home-based IT industries also tend to
have well-developed and mature strategies for
security. One of ENISA’s core activities is to
facilitate the sharing of good practices, and we
actively work to find Member States that have
expertise in a particular area that they are willing
to share with countries that are keen to
learn from the experience of others.
While some consider compliance to be an
essential step towards greater security,
others largely dismiss it as an expensive
step that yields a false sense of security.
What is your take on compliance and its
influence on information security in
Europe?
Compliance is essential. Laws and regulations
are developed and standards are put in place
so that consumers and businesses can be assured
that protection is in place, and that legal
remedies are available if anything goes wrong.
Of course, that does not mean that players in
the IT or telecoms field should do nothing
more than comply with legal minimums, or
wait for legislation to push them towards implementing
good security practices. Providers
can themselves do much to anticipate and
take measures against cyber attacks. This can
include actions they take by themselves and
recommendations for customers on how to
stay secure online. Again, ENISA has developed
and offers guidance on these areas.
In parallel with compliance, ENISA is working
with the Commission to further develop public-private
partnerships (PPPs) under the European
Public Private Partnership for Resilience
(EP3R) programme.
This works by ENISA establishing trusted information
sharing relationships with national
PPPs and then disseminating that knowledge
more widely. We’ve produced a good practice
guide on this, and can, on request, also assist
in developing a national PPP by, for example,
providing strategic and technical advice at the
planning, establishment and execution
phases.
When taking into account all that can happen,
a nation's critical infrastructure is
fragile and in serious need of protection. In
an era of cyber attacks, concerns grow
even more. What should be done in order
to make Europe's smart grid attack proof?
As I mentioned briefly earlier with regard to
smart grids, they can give rise to new information
security challenges for electricity networks.
Vulnerabilities can be exploited to disrupt
networks or even shut down power plants
for financial or political motivation. This is reported
to have happened in 2009, when US
officials recognized that cyber spies had
hacked into the US electricity grid. This makes
both the software and hardware for smart grid
infrastructure high-value and high-risk targets.
In a report earlier this year, ENISA looked at
smart grids, and concluded that the two “separate
worlds” of the energy and IT security sectors
must be aligned to achieve security. We
estimate that without taking cyber security into
serious consideration, smart grids may evolve
in an uncoordinated manner.
I would therefore suggest that smart grids’ security
be made part of the EU’s forthcoming
Internet Security Strategy, and we recommend
that the European Commission and Member
States provide a clear regulatory and policy
framework at EU and national level – something
that is currently missing. We also suggest
that ENISA collaborate with Member
States and the private sector on developing a
minimum set of safety guidelines based on
existing standards. Other steps should include
the promotion of a security certification
scheme for the entire value chain of smart grid
components and organizational security.
Member States should also take advantage of
existing capabilities. Smart grids are a relatively
new development, so there is the opportunity
to build security into them from the outset.
The number of social networking users in
Europe is growing fast, with most of them
unaware of the privacy and security consequences
of the personal data they make
available online. Are we in dire need of new
and improved privacy laws? Should the
companies running social networking sites
make sure their users understand the privacy
implications of their actions even
though it hurts their bottom line?
The European Commission is adopting new
data protection rules that will strengthen the
position of citizens as well as consolidating
existing data protection requirements into one
new single EU law. The new rules will also require
data controllers to make data protection
integral to their processes. ENISA was one of
the bodies consulted before the new directive
was produced, and the new rules will give a
sound legal framework for protecting privacy.
However, implementation will be challenging.
Service providers and all other data controllers
will need to fully understand and comply with
their responsibilities.
With regard to social networks in particular,
users need to be aware of what information
they are sharing and who may be able to access
it, now or in the future. Social network
providers certainly have a role to play in ensuring
that users understand privacy, and how
information will be shared.
As for the service providers’ bottom line, we’d
hope that users, and therefore advertisers, will
go to the sites they know will respect their privacy
and protect their personal data.
Of course, there are always risks from deliberate
abuse of social media sites. For example,
an investigation earlier this year in the UK
found that more than 80 children were
groomed for sexual abuse through the online
game Habbo Hotel. This happened even
though the company had signed up to the
European Commission’s Safer Social Networking
Principles. For all users, and particularly
children, service providers need to show
that they are fully complying with their privacy
and security responsibilities. The alternative is
further regulation, which could limit freedom
and economic opportunity, and in any event,
may prove unworkable in practical terms.
What are your future plans for ENISA?
What would you like to focus on in more
detail?
We’ve often said that no one state or organization
has all the answers when it comes to
ensuring cyber security. Our plans for the future
include a lot more collaboration, and
building bridges between the diverse groups
and individuals involved in cyber security, so
that we can find answers together. For example,
we will be cooperating very closely with
Europol on its new Cybercrime Centre in The
Hague, looking particularly at security and
crime prevention.
ENISA also has an excellent reputation as an
information broker, and this is also something
we plan to build on by helping all of our stakeholders
to share and learn from each other. In
addition to this facilitator role, ENISA also acts
as a centre of expertise on network and information
security.
One of our work areas looks at how we can
assess and be prepared for emerging and future
risks, and this is an area that we plan to
develop further.
Cyber attackers are becoming more sophisticated
in their approaches, as we’ve seen recently
with the Flamer spyware attacks in the
Middle East, and the Stuxnet worm before
that, which targeted control systems.
If we can look ahead, to predict what types of
attack are being planned and how they might
be launched, we can stay one step ahead of
the cyber criminals and terrorists. Of course,
ENISA itself will not have all of the answers,
but by working with all of our stakeholders, we
can ensure that Europe’s citizens and economy
have the highest possible levels of network
and information security.
Mirko Zorz

 Source: http://www.net-security.org/dl/insecure/INSECURE-Mag-35.pdf