As on two previous occasions, I’ve been acting as specialist adviser to a House of Lords Committee. This time it was the European Union Committee, who held an inquiry into “Protecting Europe against large-scale cyber-attacks”.
The report is published today and is available in PDF and in HTML. It’s been covered by The Telegraph, the BBC, the Washington Post, and on Parliament’s own TV channel. Interestingly, there’s not all that consensus on what the main story is, or quite what the recommendations were!
At the end of March 2009, the European Commission published a Communication “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” which set out a programme for improving the response to natural disasters and to malicious denial-of-service attacks. The work has a big role for the European Network and Information Security Agency (ENISA).
The Lords Committee (as does an equivalent Commons Committee) scrutinises all the proposals coming out of Brussels. Most documents are non-contentious, but some lead to letters back and forth to Ministers to seek assurances or clarification. A handful lead to formal inquiries, as was the case here.
The inquiry report has a number of recommendations, of which I pick out two specifically. I am, incidentally, not in any way required to endorse the report — which is the responsibility of the Committee members — but it’s all pretty sound stuff.
The first issue is “National CERTs”. The EU Communication recommends that every country should set up a CERT (Computer Emergency Response Team) for handling reports about Internet security. This is wise for the countries that have no such infrastructure already, but would be somewhat of a distraction for the UK which has a large number of sector-specific CERTs (and most of the ISPs and hosting sites have a functional “abuse@” team). Their lordships, in their formal recommendations said a UK national CERT “would make no sense and would bring no added protection”.
The second issue relates to the EU plans for a pan-European exercise to test out the pan-European response to a large-scale attack or disruption. Most EU countries have not even held a national exercise, so expecting anything useful out of an international exercise is wishful thinking. The Government witnesses described the timescale as “highly aspirational”, which is Sir Humphrey speak for “surely you’re joking”, and the recommendation was to aim for national exercises instead.
Just this week ENISA announced progress on plans for a November exercise — they’ve decided on the high-level scenario, at only 6 months (and August) to go! So perhaps too late for House of Lords recommendations to influence that which is becoming ever more committed to.
Their Lordships also had some (extremely carefully chosen — two used to be extremely senior diplomats) remarks about the location of ENISA on Crete — rather than five minutes from Athens Airport arrival hall. The reality is that the institution itself isn’t going to be moved, but it did emerge that ENISA now have some meeting rooms in Athens, which will take several hours off the travel time for visitors.
There were 25 conclusions and recommendations in the report, and as I noted above, the press are differing considerably in what to pick out. My own recommendation would be to set aside a few minutes and read it for yourself!