EU Commission consultation on network security
From Freiheit statt Angst!
The EU Commission is running a consultation on "network security" until 09.01.2009. Based on the results, it intends to develop proposals for protecting networks against attacks. We should take part in the consultation to make sure that networks are protected in a privacy-friendly way and not through surveillance.
You can enter answers or ideas for answering the questions here.
Towards a Strengthened Network and Information Security in Europe
Do you wish your contribution to be made public? (compulsory)
- Yes (your contribution and name, country and organisation (if applicable) will be published)
- No, I object to the publication of my name, country and organisation (if applicable), I request the publication of my contribution in anonymous form (on the grounds that publication of this personal data would harm my legitimate interests)
Are you replying on behalf of yourself or on behalf of an organisation (company, trade group, public body, interest group, consumer association, academic/research institution, etc) (compulsory)
- On my own behalf
- On behalf of an organisation
Please state your name (compulsory) German Working Group on Data Retention
Please indicate your postal address, telephone and fax numbers (only to the extent applicable) (compulsory)
Please indicate an email address for correspondence (compulsory)
Please state your country of residence (compulsory) Germany
Please state the name of the organisation on whose behalf you are responding (compulsory)
Please indicate the type of organisation (compulsory)
- Private company
- Industry association
- Government/Public Body
- Academic/Research institution
- Consumer association
Please indicate name of contact person, postal address of organisation, telephone and fax numbers (compulsory)
Please indicate an email address for correspondence (compulsory)
Please indicate the sector of the company (compulsory)
Please indicate the interest your organisation represents (compulsory)
The Working Group on Data Retention is a German association of civil rights and privacy activists and Internet users.
Please indicate the number of members the organisation represents (optional)
Please indicate the size of the organisation in relation to the sector its members belong to. (optional)
Please briefly describe your organisation, including its home country and activities (e.g. regulatory or advisory body, international, national or regional, etc.) (compulsory)
Please briefly describe your organisation, including its home country, affiliations, field of activities (compulsory)
The Working Group on Data Retention is a German association of civil rights and privacy activists as well as regular Internet users that is campaigning against the complete logging of all telecommunications. On 11 October 2008, we organised an international “Freedom not Fear” day. Tens of thousands of Europeans participated in protests against excessive surveillance.
Electronic networks and services constitute the nervous system of our society and the economy, and recent large scale cross-border cyber attacks, for example in Estonia, have highlighted our dependence on them. In this context, what are the major challenges for network and information security to be considered at the national, EU and international level, in particular with regard to resilience of electronic communication networks and information infrastructures? (optional)
The major challenge is to find and implement technical solutions to immunize systems and the data contained in them from attacks. The mechanisms needed must not rely on an identification and prosecution of attackers, which is too slow, too easy for professional attackers to circumvent and too prone to abuse and data leaks. Instead, it is necessary to set systems up so that they cannot be harmed by attacks in the first place.
Given the importance of electronic networks and services for society and the economy, what should be the three key priorities for policy to address the evolving challenges to network and information security at the EU and the international level? (optional)
- Ensure that networks can be used anonymously and without leaving identifiable traces. It must be possible to use electronic communications and information services as anonymously as postal mail, libraries, book shops, shopping malls and face-to-face communication. The citizens' trust in electronic information systems is rapidly deteriorating, as the high level of concern found by Eurobarometer shows, for example. In recent years, Europe has suffered from several accidental and intentional disclosures and abuses of information on our communications, movements and Internet use, for example in Germany[1], Italy[2], Greece[3], Latvia[4], Bulgaria[5], Slovakia[6] and Hungary[7]. These incidents have reminded us of the fact that only erased data is safe data. Limiting the collection of traffic data helps minimize the damage resulting from data leaks or attacks and has proven to effectively maintain our safety from abuse of communications data.
- Make sure that manufacturers of hardware and software design their products safely and without collecting personal information that would be exposed to risks and attacks.
- Make sure that providers protect their systems from attacks and do not collect personal information that would be exposed to them.
Member States have a key role and overall responsibility in guaranteeing the security and continuity of critical services for citizens and businesses. In this context, what should be the focus of future EU policy in order to:
- enhance cooperation at the EU level between national competent bodies;
- achieve a holistic, all-encompassing approach to network and information security;
- reinforce the synergy between measures focusing on prevention and resilience (“first pillar”) and measures supporting judicial and law enforcement cooperation (“third pillar”)? (optional)
An informal exchange of best practices could be useful, but it should take place in public and with full participation of civil society stakeholders.
With regard to the synergy mentioned in the question, prevention and resilience must be given a clear priority. Only in the event of a reasonable suspicion and on a case-by-case basis can third pillar investigations take place. Designing systems for maximum traceability is incompatible with the first pillar objectives of prevention and resilience, as it exposes even more data to the threats that are to be addressed, and also threatens user confidence and thus the economic development of the information society.
The security and resilience of the Internet is a joint responsibility of all stakeholders, including operators, service providers, hardware and software providers, end-users, public bodies and national governments. This responsibility is shared across geographical boundaries, in particular when responding to large-scale cyber attacks. In this context, what role should the EU play to strengthen the preparedness of the key stakeholders? (optional)
The EU could help elaborate recommendations, which should take place in public and with full participation of civil society and end user stakeholders.
Because of the global nature of the Internet, each and every country has a degree of inter-dependence with other countries, not least when responding to large-scale cyber attacks. How can we support trans-national cooperation in the EU to cope with evolving network and information security challenges? (optional)
The following suggestions need to be examined as to whether they should be addressed at EU level or at the national level:
- Raising awareness of potential targets of attacks, especially businesses and government agencies. Employees should be asked to follow security guidelines and procedures when dealing with information systems. More specific recommendations could be elaborated for every business sector.
- Manufacturers and importers of hardware and software should design their products in a resilient way and make sure they do not collect personal information that would be exposed to risks and attacks. A voluntary seal/audit could be offered to that effect. Government bodies could be allowed to purchase tested products only. Audits could further be encouraged by tax breaks.
- Obliging commercial operators of information systems connected to the Internet to buy insurance could be considered. The insurance should cover all damages resulting from attacks and data breaches from external sources as well as from within the company (the latter constituting the greater threat).
- A regular external audit of information systems could be considered, much like the technical inspections for vehicle safety that are already in place. Alternatively, random inspections by government authorities could be introduced, as known in food safety. The inspections should address the safety of both the systems and the data contained in them, including data minimization.
- Consumers could be given a right to be informed on the safety mechanisms implemented to protect their data. They could also be given a right to sue companies that did not protect their data sufficiently. This would spur data safety efforts.
- Insiders should be offered a mechanism to anonymously report security faults, leaks and other shortcomings in information systems. It is often essential for insiders and whistle blowers to be protected from identification and potential retaliation.
- The EU has legal instruments in place that hold manufacturers responsible for certain damages caused by improperly designed products. These instruments have been very successful in making products safer, as manufacturers fear liability. However, those instruments do not currently cover financial and immaterial damages caused by insecurely designed hardware and software. Holding commercial manufacturers and importers of information systems responsible for the safety of their products would be a major contribution to a safe information society. The companies concerned can protect themselves from excessive financial risks by buying insurance.
- Commercial operators should regularly apply manufacturers' updates and patches.
- End users should be made aware and educated not to fall for phishing, skimming or other dubious offers on the Internet. They should know not to disclose personal data whenever possible and how to use the Internet anonymously. Instructions to that effect could be included with every computer system sold.
- Prepaid, anonymous payment services should be encouraged. Unlike credit card or bank account details, the damage that may result from an abuse of prepaid payment card details is very limited.
See also the suggestions prepared by the G8 Workshop on Safety and Security in Cyberspace:
- Report of Workshop 3: Threat Assessment and Prevention, www.mofa.go.jp/policy/i_crime/high_tec/conf0105-6.html
- Report of Workshop 4: Protection of E-Commerce and User Authentication, www.mofa.go.jp/policy/i_crime/high_tec/conf0105-7.html
What instruments are needed at EU level to tackle the challenges and support the policy priorities in the field of network and information security? In particular, what instruments or mechanisms are needed to enhance preparedness to handle large scale cyber disruptions and to ensure high levels of security and resilience of electronic networks and infrastructures? (optional)
A strong and effective European incident response capability could be a key element of ensuring fast responses to cyber attacks and speedy recovery from disruptions. Building upon initiatives at national level, what EU instruments or actions could be considered to reinforce incident response capability? (optional)
Incident response should be addressed at national level.
In 2004, the creation of the European Agency for Network and Information Security (ENISA) was an important step in promoting an EU-wide cooperation in the field of network and information security. Given the evolving network and information security challenges, is an Agency still the right instrument to “enhance the capability of the Community, the Member States and, as a consequence, the business community to prevent, address and respond to network and information security problems”? (compulsory)
If yes, what should be the mandate and the size of such an Agency to successfully meet this objective? (optional)
If no, what are the alternatives that should be considered? (optional)
These matters should be addressed at national level.
Given the shared responsibility of stakeholders for Internet security and resilience, what are the most appropriate instruments to foster international dialogue and cooperation? In particular, what instruments are required to nurture cross-border public-private partnerships to ensure the good functioning of today’s electronic networks and infrastructures? (optional)
Elaborating international recommendations can be useful. This should take place in public and with full participation of civil society and end user stakeholders.