IT security seminarCopenhagen, April 4th 2002

M. Jean-Michel HUBERT

Chairman of the French Regulation AuthorityIRG Chairman

Security is a global concern

• Security issues are a global concern in the Society in general

• But concerns around IT security significantly increased in the recent years as the Information Society is developing

• The events of September 11th in the United States highlighted

– the ability of Internet to support emergency response, personal and other communications after the attacks

– but also that potential threats can affect its functioning

– and that Internet is a sphere of activity for cybercriminals

• Internet gathers most of the IT security issues

– it is an intrinsically open and international network

– commercial use increased the need for security

– networks and security solutions are heterogeneous

Internet security is a major concern

• Internet is part of the everyday environment for 38 % of European households in average (Eurobarometer 2002, EC)

• It is a working tool for most European companies

• More and more commercial and administrative transactions make use of the Internet : net bank, e-commerce, tax declarations…

• Personal and confidential data are now carried over the Internet, more and more sensitive and economic valuable information

• Usage and applications of the Internet broaden as mobile phones, PDAs, TVs or home electronic equipment are going to be connected, with ‘always-on’ connections

A safer Internet is one of the conditions for its continued development and use: e-commerce, e-government

It is a complex and dynamic issue as technology changes constantly pose new challenges

The European approach

• IT security has been recognized as a public action problem in Europe

• A safer Internet was one of the key objectives of the action plan eEurope 2002

• The European Council adopted a Resolution on IT security in January 2002

• The new EU regulatory framework for electronic services and the data protection Directive contain security and integrity of networks provisions

• The Communication of the Commission on IPv6 in February 2002 gives incentive for the deployment of a more secure Internet protocol

• The proposed new action plan eEurope 2005, to be adopted in Seville next June, will set new objectives and concrete actions for Europe in IT security

What has been done in France ?

• The draft Information Society Act clarify the legal framework for e-commerce as well as reinforce network level of security

• Articles against cybercriminality have been adopted right after September 11th events

• It is planned to totally liberalize the use of encryption

• Electronic signature has been recognized in March 2000

• A CERT dedicated to protect governmental networks has been established at the end of 1999

• A growing number of teleservices and electronic administrative procedures are using security mechanisms: tax teledeclaration for companies and residentials, electronic medical sheets

• A number of initiatives to promote research and education on IPv6, French universities contribute to IPv6 standardization

Progress still need to be done

• raise awareness on IT security : the use of security mechanisms in Europe is lower than in the US

• as well as demystify IT security threats for users

• provide recognized statistic indicators to measure risks and security improvements

• reinforce coordination and cooperation in Europe on procedures for detection, warning and response, exchange best practices

• address the problem of competing and non interoperable standards for security solutions

Secure web servers

0

100

200

300

400

USA EU

pe

r 1

mill

ion

in

ha

bit

an

ts

July 2000

July 2001

Source: OECD

A common policy approach

• IT security should remain a priority for policy makers but what should be the role of National Regulation Authorities ?

• IT security measures should take account of competitive markets, of a rapidly changing environment of new technologies and convergence of networks

• good balance between IT security requirements and costs for operators to implement security mechanisms

• Harmonization on information and procedures is an European objective

Regulators have a key role in raising awareness, encouraging cooperation and participation of players in standardization activities