EU agency declares war on botnets
By John Leyden
Published Wednesday 28th May 2008 10:50 GMT
ENISA, a pan-European agency designed to promote closer coordination on information security, is calling for a revamp of cyber-security laws and best practices in a bid to combat the growing economic impact of cyber attacks and botnet spam.
The adoption in
ENISA reckons security breach reporting, applied consistently across
ENISA's executive director Andrea Pirotti said that six million computers worldwide are compromised by malware and connected to a botnet. "They are used for fraudulent activity by criminals. This is why we can state that info security is the most serious concern of any public or private organisation. Our critical national infrastructure, our business, our private communication goes online. We don't want such structures to be disrupted. We don't want our critical infrastructures to collapse."
Dr Ronald De Bruin, head of the cooperation and support department at ENISA, said that spam is growing ten per cent year on year. "Spam costs €64.5bn for service providers, double that of 2005, even though 94 per cent of spam is filtered out before it reaches users' in-boxes. Spam introduces all sorts of security risks from virus infection and phishing to botnets."
ENISA is a brainchild of the EU Commission. The agency, established three years ago, acts as a centre of expertise for policy formation in the area of information security. It can only recommend courses of action which the EU, in consultation with industry, needs to apply.
ENISA helps counter cyber-attacks such as those faced by
The agency has launched a three-year programme designed to improve the resilience of public e-communications and services. It aims to perform a gap analysis prior to identifying and promoting best practices. "Our target is that by 2010 the Commission and at least half the member states have made use of our recommendations in policy," explained De Bruin. He added that it was piloting risk management tools for SMEs, who are seen as fighting on the front line against cyber-crooks.
ENISA wants to act as a clearing house for best practices in cybersecurity. "We need to build on existing national systems where the EU has no operational role but acts as a facilitator of best practices," he said.
De Bruin highlighted gaps in cyber-security reporting as a particular problem.
The briefing also covered concerns within the agency about privacy and social networking sites. Existing EU laws were written before the advent of social networking websites, such as Facebook and MySpace. De Bruin described social networking as a "digital cocktail party" which ENISA wants to encourage. At the same time, ENISA wants to develop recommendations for consumers, users and social networking sites designed to guard against privacy risks.
For example, it reckons EU legislation needs to be expanded to cover the posting and tagging of photos of people which, at present, can be made without a subject's consent. "Our position is not to scare people; however, we feel we have to make recommendations to help protect against risks and therefore create a better and safer environment," Dr De Bruin explained.
A video on ENISA's work on "Security in Online Social Networking" can be found here (http://www.enisa.europa.eu/pages/position_papers.htm#social_ntw_video).
ENISA's information security strategy can be found here (pdf) (http://ec.europa.eu/information_society/doc/factsheets/008-esecurity-en.pdf). A recording of Tuesday's meeting (registration required) can be found on ENISA's website here (http://ec.europa.eu/avservices/ebs/schedule.cfm?date=05/27/2008). ®