What is the purpose of our network security agency?

I am a full member of the ITRE committee (industry, research, energy; formerly also transport, but transport is currently in its own committee, TRAN) and therefore have a duty to vote every time there are votes. The objects of my legislative prowess yesterday were the amendments to the European Network and Information Security Agency (ENISA) report (see the parliament dossier website). I wrote about this last week, but then only in passing.

At the votes, I had the draft amendments and the voting lists at my disposal and found myself in a curious mental wrestling match. Last week, I had agreed with the Greens/EFA shadow rapporteur for the opinion that surely it cannot be good to "identify and promote risk-prevention technologies" (suggested article 3(1a)) and that the better formulation would be "identify and promote risk-prevention behaviours". Of course, promoting a change doesn't always go easily, and the text we voted on yesterday says that one of the competences of ENISA should be "identifying and promoting risk-prevention behaviours and technologies". A compromise!

With a South Korean experience from last year in mind, in which the South Korean authorities suddenly decided to promote a risk-prevention technology in the shape of anti-virus software by suggesting it should be criminal not to have it installed, I am of course slightly wary of specific technologies being promoted. From a security standpoint, greater diversity creates more resilience in our information systems than homogenization does, a bit like how a democratic society is more resilient against anti-democratic tendencies if it has to accommodate a large manifold of different opinions. We had both questioned the establishment of ENISA Computer Emergency Response Teams (CERTs) (see the previous blog post), which are still present in the final report. So at that stage, how should I vote? I ended up following the line of the Green shadow rapporteur (approval of the report).

It was a first-reading report, and we will probably see this dossier return to the parliament. The Council will have to react to the fact that the Parliament is trying to create a second layer of CERT infrastructure on top of the one the Commission revealed plans to launch last year. This Commission-style CERT, set to start in 2013, is more edgy than the one proposed by the Parliament. For one, it is located under DG Home and Cecilia Malmström, the internal-affairs-but-now-also-defence section of the Commission. Europol is not at all averse to the idea of being the main agency responsible for this CERT and talks about its previous experience with cybercrime and terrorism.

Personally, I like to maintain some skepticism towards the overly ambitious formation of public institutions against cybercrime. Surely the vast majority of our infrastructure, both hardware and software, and its development and maintenance, is in any case in the hands of private actors, and surely the actions required to increase resilience and security are therefore such that only those private actors can undertake them?

As for ENISA, the question is why we would want or need a network security research agency in Europe. I can think of at least one question I would like answered: how the information security policies of one and the same company (that is, a company active on several member state markets) differ towards end-consumers and public institutions in different member states. If it chooses its questions carefully, ENISA would be in a position to produce a lot of valuable material on information and network security in a geographical region (the Union) that is very geographically fragmented, with different telecommunications backgrounds and different security threats and needs, something that simply is not doable in any other part of the world.

2 comments

ENISA is a mere placebo agency. An annoyance. The last time I met an ENISA representative, they were reaching out to the BSA audience to ask them what to do because "they lacked the knowledge". Not only does it fail to suit the dignity of a public office, it is also a case of "go get another job". Then we have ENISA reports for awareness raising among imaginative general audiences. No one listens.

If ENISA were useful, it would be reviewing source code, developing network analysis and static analysis tools, hacking the net, and it would stop developing close relationships with companies and lobbyists from third countries. It seems to me that the European hacker scene does more to promote security than useless ENISA.

It can't be the role of a public institution to act as a lobby proxy.

They could do useful sociological work on the security sector. My impression is that we could use a good public research institution to keep track of what private agents on the security scene are doing, and maybe to compile or collect information about the European scene in this regard. Unfortunately, ENISA instead interprets its mission as collecting "best practices" from either large private companies/lobby groups or other security agencies.

I see this with many European institutions, with the unfortunate result that we don't know that much about how European jurisdictions compare to each other in some otherwise very border-transgressing fields.
