Information Assurance Advisory Council - PowerPoint PPT Presentation

About This Presentation
Title:

Information Assurance Advisory Council

Description:

Lessons for the UK. www.iaac.org.uk. A Risk to European ... long-term strategy ... Insurance Services. Company Law and legal liability. Directors' IA ... – PowerPoint PPT presentation

Slides: 22
Provided by: icsa2

Transcript and Presenter's Notes

Title: Information Assurance Advisory Council


1
Europe & the UK: Towards a Strategy
Dr Andrew Rathmell, CEO, IAAC
11 February 2003
Critical Times Critical New Issues Boardroom Vulnerabilities
2
Contents
  • Where are We?
  • A Global Overview
  • A European Action Agenda
  • Lessons for the UK

3
A Risk to European Prosperity & Safety
  • Information and communication infrastructures
    have become a critical part of our economies.
    These infrastructures offer new opportunities
    for criminal conduct
  • these offences constitute a threat to industry
    investment and assets, and to safety and
    confidence in the information society.
  • Feira Council, 2000

4
Policy Context for the EU R&D
ERA: European Research Area
FP6, Eureka, COST, National RTD Programmes
Enlargement
The candidate countries are full partners in FP5.
towards a Single Market for Research
Other policies
Single Market, Single Currency, Security of
Europeans, Sustainable Development, ...
Broadband access, e-business, e-government,
security, skills, e-health, ...
5
Overview of EU Activities in network and
information security
6
Contents
  • Where are We?
  • A Global Overview
  • A European Action Agenda
  • Lessons for the UK

7
Global Overview
  • Considerable activity in European and other
    countries but progress is very uneven
  • All surveyed countries have some form of
    cyber-crime law enforcement units; EU has a
    range of initiatives
  • But there is a lack of comprehensive policy
    efforts
  • France, Switzerland, Great Britain, Germany,
    Norway and Sweden, United States and Australia
    have started to develop comprehensive strategies
  • The way the private sector addresses IA concerns
    varies substantially
  • In several countries, public-private partnerships
    have been established

8
Highlights
  • Comprehensive centrally-led but consultative
    strategy (USA, Australia)
  • Build on Y2K interdependency analysis (Canada)
  • Close government-industry links make it easier
    to implement solutions (France, Norway)
  • But Public Private Partnerships in many forms
  • Citizen-awareness/alerting (Netherlands, Belgium)

9
Contents
  • Where are We?
  • A Global Overview
  • A European Action Agenda
  • Lessons for the UK

10
Distributed Responsibility
Each participant in information systems and
networks is an important actor for ensuring
security. Participants should be aware of the
relevant security risks and preventive measures,
assume responsibility and take steps appropriate
to their roles and positions to enhance the
security of information systems and
networks. (OECD Guidelines, 2002)
11
Actions - Industry
  • Industry has a direct business interest in
    promoting confidence; it also has
    responsibilities as a corporate citizen to
    design out opportunities for misuse and crime.
    Industry actions should include:
  • Software and hardware vendors adopting secure
    product development practices as a minimum
    standard
  • Network providers adopting operational best
    practices
  • Users of information systems adopting minimum
    standards for information security management
  • Development of industry standard practices upon
    which to base legally binding standards of due
    care in the production, use and management of
    ICT

12
Actions - Governments
  • Benchmark national policies against peers
  • establish a firm policy lead, take pan-government
    action and use the partnership approach
  • Update criminal law; effectively resource
    policing and investigative bodies
  • Educational initiatives
  • Use corporate governance levers to promote good
    information governance & security management
  • Encourage take-up of standards
  • Use public procurement and e-government to impose
    minimum security standards
  • Promote warning and information sharing
    initiatives

13
Actions - European Commission
  • POLICY LEAD: Strategic policy direction
  • Who is in charge?
  • DETERRENCE: Legal & law enforcement
  • PROTECTION: Awareness & market stimulation
  • DETECTION/RM: Operational support
  • PROTECTION/RM: R&D - Shaping the Future

14
Contents
  • Where are We?
  • A Global Overview
  • A European Action Agenda
  • Lessons for the UK

15
Shopping Scared
16
Who is IAAC?
Government Liaison Panel
Research Management
Members: 70 members from all sectors
Partnerships with sectoral/professional associations
17
Lessons for the UK
The world
Government
Goodbye, you were connected to the weakest link..
Citizens
Corporate
18
Protecting the Digital Society
  • Adopt a coherent, long-term strategy
  • Appoint an Information Assurance champion
    reporting to the e-Envoy
  • Reform Legislation & Regulation
  • Computer Misuse Act; telecoms regulation;
    Companies Law
  • Promote Best Practices
  • ISO17799 take-up; SANS Top 20
  • Improve Education and Awareness
  • Through education system and media; use Y2K
    experience
  • Promote information sharing
  • Public-private mechanisms

19
Engaging the Board: Corporate Governance
  • Corporate executives should be held to
    account by shareholders and the law if they do
    not adequately protect their information assets
  • Board Briefings
  • Benchmarking Methods
  • Integrated Risk Management Solutions
  • Insurance Services
  • Company Law and legal liability

Directors' IA Network
20
Engaging the Citizen: Cyber Hood Watch
  • The digital front-line runs through every home
    and office
  • Make consumers aware & responsible

National Awareness Campaign
National Alerting System
National Reporting System
21
  • European initiatives
  • www.ddsi.org
  • The UK partnership
  • www.iaac.org
  • andrew.rathmell_at_iaac.org.uk