Examination of Witnesses (Questions 895 - 899)
TUESDAY 17 APRIL 2007
MR ACHIM KLABUNDE, MS MARGARETA TRAUNG, MS ZINAIDA YUDINA, MR ANDREW SERVIDA AND MR ROGIER HOLLA
Q895 Chairman: Good
afternoon and thank you all for agreeing to meet with us. We are
members of the House of Lords Select Committee for Science and
Technology. I am the Chairman of this Committee and we are in
the latter stages of an inquiry into personal Internet security.
This Committee looks into issues that involve science and technology
but which we feel have an impact upon people in general and upon
which we think the government can have an influence. So we have
been looking into the security issues that people are faced with
in using the Internet. We have been talking to a number of agencies
here in the UK and we have visited the United States, but we felt
it very important that we talk to you about the EU's work in this
area so that we can understand how well the UK is coordinated
with those efforts and to learn what you are doing. So that, in
the way of introduction, is what we are about. I would be happy
to answer any questions before we start with our questions. Do
you have any questions for us to start with?
Mr Servida: I would suggest that we introduce ourselves
from Brussels and Luxembourg so that you will also get an idea
of the role and responsibility that we have in the Directorate-General
for Information Society and Media.
Q896 Chairman:
That is an excellent idea. Perhaps you would start by introducing
yourself?
Mr Servida: My name is Andrea Servida; I am
the Deputy Head of the Unit in charge of Network and Information
Security policy and Internet governance within the Directorate-General
for Information Society and Media. I will unfortunately have to
excuse myself because in half an hour I would like to move to
another site in Brussels because I will be joining you with Commissioner
Reding later at five, so I will have to leave this meeting to
reach my Commissioner. So I will give the responsibility of keeping
order on Brussels to my colleague to my right.
Mr Holla: My name is Rogier Holla; I also work
in the unit for Network and Information Security and I am in particular
responsible for relations with the agency ENISA, the European
Network and Information Security Agency.
Mr Bisch: My name is Anthony Bisch; I am working
in the same unit as Andrea Servida on the question of Network
Information and Security.
Ms Gayraud: Hello, I am Valérie Gayraud
and I also work with Andrea on Network and Information Security
policies.
Mr Klabunde: My name is Achim Klabunde and I
am working in the unit in DG for Information Society and Media,
which is in charge of the policy development and of the regulatory
framework for electronic communications, and I am leading the
team that is responsible for privacy, trust and related issues
in this respect.
Mr Schik: My name is Merijn Schik; I work in
the team that Achim just introduced and also I am responsible
for international co-operation on spam and related matters.
Ms Traung: My name is Margareta Traung and I
am working with the Safer Internet Programme, which is run from
Luxembourg.
Ms Yudina: My name is Zinaida Yudina and I am
working at the same unit as Margareta.
Q897 Chairman:
Thank you all very much. Let me open with the first question and
ask you who, in your opinion, is responsible for personal Internet
security? Would you like to start in Brussels, Mr Servida?
Mr Servida: Yes, thank you very much. To answer
your question I would refer to what we put forward as policy strategy
in May 2006, our strategy for a secure information society, and
there we have looked at the situation of electronic communication
and the Internet in particular with respect to how the situation
has changed with respect to what had been the last intervention
of the Commission in terms of coordinated policy in this domain.
This happened indeed in 2001 and in five years we have seen quite
a lot of things changing, in particular with respect to the change
of fresh scenarios but also the impact of technology development,
which has somehow made Internet develop towards a more ubiquitous
type of service and infrastructure. In this respect we believe
that the responsibility for personal information security is a
shared responsibility that should somehow involve first of all,
of course, the users who need to understand what are their duties
and also their obligations and their full responsibilities to
protect themselves and also to make their security to be an essential
component of everybody else's security, everybody else who is
connected through the networks to the devices - the computer,
the devices that the user is using for his or her own purpose.
Also we believe that it is the responsibility of those who are
providing the services to the users because of course the users
have not only limited capabilities in terms of understanding what
the threats are that are out there and how these threats could
become real and not only have an impact to them but also how these
threats could somehow be exploited through the users themselves
and their devices and to have an impact on others who are connected
to the same networks. In this respect we have asked the private
sector, the service provider to look at the way they can somehow
take up the responsibility of, on the one hand, improving the
security of their services, including the security of their systems - software
and hardware components - but also possibly be available to
even more direct awareness campaigns, which should be targeted
to the users who are the ultimate customers of the services being
provided by those operators. Of course we should also not forget
about the responsibility that Member States and the Commission
have in ensuring, on the one hand, that there is a regulatory
and policy framework in place which is somehow providing certainty
with respect to how to pursue these security objectives and protect
the users, but also how to motivate the players - therefore,
the private sector operators but also the users themselves - to
adopt the technologies and the solutions that already exist and
that we hope will be refined through more research and development
activities to make the Internet a safe place for everybody to
work and to act.
Chairman: Thank you. Would any other
of you like to comment on this question? If not, we will go on
to the second question and I am going to turn to Lord Sutherland,
who is three to my right, to ask the second question.
Q898 Lord Sutherland of Houndwood:
Thank you very much, Chairman. Being from Scotland I tend to be
interested in money and I wanted to ask a question about the economic
impact of Internet-related crime, direct or indirect costs. Can
you help give any estimate of what the impact is, what the costs
are for the European economy?
Mr Servida: Perhaps I can help in this respect
with clarifying something? We at the Directorate-General for Information
Society and Media look at the issue of security and resilience
of networks from what we call in Brussels the first pillar perspective,
which is, I would say, in the light of what is in need of the
internal market, the protection of consumers and the other associated
aspects which make our intervention needed as well as of the impact
to society. For what concerns cyber crime and everything that
has to do with more directly third pillar issues the responsibility
is more in the hands of our colleagues in D-G Justice, Freedom
and Security, who respond to Commissioner Frattini who I understand
you are possibly going to contact later on. So in order not to
give numbers that might be considered already obsolete by the
police I would ask you to perhaps redirect this question to my
colleagues who have more up to date numbers than ourselves, in
particular because they have a much tighter co-operation with
the police service and law enforcement agencies in Member States,
which, altogether, I would say, co-operate in defining what is
indeed the impact and the size of cyber crime in Europe. Of course,
I must also say that while working on the communication that I
mentioned earlier, which was adopted in May last year, we have
also tried to look at what is the size of crime-related or security-related
problems in Europe and unfortunately we have seen that apart from
what is in the area of cyber crime we very much lack data that
is consistent all across the different European Member States,
and in this respect we have indeed requested inter-communication,
we have requested ENISA to work with Member States to define a
trusted partnership with a view to developing a framework which
should allow the collection and the definition of data associated
to security incidents and security problems.
Q899 Lord Sutherland of Houndwood:
Thank you very much indeed; we will take this up with the Commissioner.
Mr Servida: There is a colleague who would like
to add something, if possible.
Mr Klabunde: I would just like to underline
what my colleague has just said. One problem is, of course, that
if you say 'cyber crime' or 'Internet-related crime', there is
no common definition for these terms, so even when there are statistics
produced, the different definitions used make it very difficult
to add up the figures and to get a global number. The Commission
made a statement in its communication on spam last year where
it quoted industry figures which estimated the cost of spam, which
is of course not necessarily always crime but often connected
to crime, to an amount of 39 billion for the year 2005 worldwide
and figures between 3.5 billion and 1.4 billion for the biggest
Member States of the EU. But that would only be blowing the snow
from the top of the iceberg - it certainly does not give the
entire picture.