2002 Symantec Corporation, All Rights Reserved The EU Regulations and IT security An industry perspective Ilias Chantzos, Government Relations EMEA Terena Conference, May 2006



Some EU terminology

Directive

– Not directly applicable, aims to achieve an objective

First Pillar vs Third Pillar

Framework Decision

– As opposed to a Directive

Co-decision Process

– As opposed to unanimity


Has the EU been looking at IT security?

For a very long time

– OECD Guidelines 1986

– SOGIS

– Council Resolution on NetSec

– Cybercrime Communication

– Network Security Communication

– eEurope 2002 and 2005

– ENISA

– i2010


Does the EU have security competence?

NO!!

Well, maybe it gradually starts getting one

Originally limited, no operational capabilities yet

Some legislation in place

– Data protection Directives

Third Pillar initiatives

– Anti-terrorism package

– The Hague framework

– Framework Decision on attacks against information systems

– CoE Cybercrime Convention

– Data retention

ECJ challenged the decision-making structure


Data protection

Directives 95/46/EC (generic) and 2002/58/EC (specific)

Generic Directive covers all activities related to processing of personal data

Specific Directive covers only electronic communications

Create independent authorities responsible for supervision and enforcement

Very interesting from a security standpoint


The Generic Directive

Defines data categories

Requires that information be collected fairly and lawfully, subject to consent

Requires information security and availability for the storage of data

Requires access for the data subject and rectification of the data

Forbids cross-border transfer of personal data

Determines jurisdiction


Specific Directive

Defines traffic data

Requires network security

Obliges eCommunication providers to notify users of the services of imminent threats

Obliges the destruction of traffic data unless a specific business exception applies

Forbids spam distribution

Leaves the door open for data retention


Data retention

Commission proposal under serious discussion among the European institutions

– What is the scope of retention?

– What data?

– How much?

– How long?

Security requirements for data holders

Diverging implementation in Member States


The political landscape of data retention

Too early to say what will happen in every country

Some retention regime already exists in several jurisdictions

Difficult to argue against the need for security of the retained data

Depending on the implementation there will be issues of cost, technological complexity and compliance

Law enforcement authorities need the appropriate tools to do their job

Privacy law is challenged in Europe


What does this mean for Service Providers?

Service providers are faced with numerous information integrity challenges by creating huge traffic data vaults

Traffic data will need to be:

– Available

– Secure

– Authentic beyond reasonable doubt

– Constantly collected over a wide geographical region and over a variety of services

– Achievable

– Searchable

– Retrievable/Extractable

– Securely communicated upon request

– Resilient

– Auditable

Cost, complexity and compliance (legal and technical)


Third pillar legislation

Framework Decision on Attacks Against Information Systems

– Hacking, viruses, DoS is a crime

– Uniform definitions, incriminations, sanctions

Council of Europe Convention on Cybercrime

– Everything that the Framework Decision has and more…

– More offences, such as misuse of devices, or child pornography

– Procedural rules: preservation, warrants

– Mutual legal assistance

EU cooperation

– SIS2, VIS, Eurodac


Down the pipeline

Traffic data retention has arrived

– Applicable to all 25 Countries, albeit with divergences

i2010

– Expected Commission communication on network security

– Initiatives expected to be announced

– Review of 2002/58/EC

Revision of the legal basis as a result of the ECJ decision

– Framework Decision on cybercrime is affected

ENISA gradually defining a role

CIP consultation completed


Critical Infrastructure Protection

EU programme aiming to develop policy for critical infrastructure protection across Europe

All hazards approach with a terrorism focus

Covers cross-border infrastructure

Several industries affected

– Communications/Internet

– Chemicals

– Energy

– Etc

Opportunities for funding but also for government intervention


So what is the impact?

More regulation increases

– Cost

– Complexity

– Compliance

More harmonisation across Europe

– Easier to do business cross-border

– Higher standards at Member States level

– A higher level of security

A lot depends on how this will cascade to Member States


What does the future hold?

Security is very high on the political agenda

Information security will continue to attract political interest as an element of the wider security package

Regulation on other topics will add new security-related rules (for example, corporate governance)

Expect more regulatory intervention from Brussels


Thank you

[email protected]

+3225311161