RSA Vantage Magazine | Fall 2004 | One-Stop Security Shop: ENISA

Vantage

RAMPANT NETWORK OUTAGES, millions in lost business, plummeting productivity and corporate data visible to the masses. That’s precisely the nightmarish scenario that a new agency is striving to help CIOs and CSOs avoid by providing a one-stop shop for coordinated security policies for all of Europe.

In the wake of crippling terrorist attacks, widespread electrical power outages and countless paralyzing hacking incidents, European policymakers decided it was high time to create the European Network and Information Security Agency (ENISA).

A new agency of the European Union, ENISA, based in Heraklion, Greece, was created in March 2004 and will be formally launched this fall. When fully operational, ENISA will boast a staff of 44. The agency is powered by security experts from every EU member state, counts industry organizations among its advisory committee membership and features a public-private partnership approach to the constantly changing environment of cyberspace threats.

“When we began discussing the agency years ago, most folks believed viruses and spam were the most pressing security threats, and that the best approach would be country-by-country,” recalls Wim van Velzen, the architect of the proposal for ENISA and a Brussels-based member of the law firm of Akin Gump Strauss Hauer & Feld, LLP. “What’s been realized since the 9/11 terrorist attacks and high-profile network breaches is that the stakes for doing international business securely are far higher, and that we needed to bring countries together to discuss and create common security policy.”

ENISA will help multinational businesses better craft and manage their global information and network security strategies. It’s the culmination of nearly four years of work by visionaries conscious of rising terrorist and technology threats to the information infrastructure upon which continental and global business rides. It fills a glaring hole by providing a single entity for security policy coordination.

When it comes to the way the U.S. government handles information and network security issues outside its borders, ENISA’s creation represents a quantum step forward, says Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) in Washington, D.C., an advocacy group dedicated to the improvement of electronic security through public policy, education and technology-focused initiatives. He describes the existing system as a complicated series of bilateral agreements with foreign countries, a setup that makes global security quite challenging for enterprises and industry.

“There’s been no central coordination point for information security policy across Europe,” says Kurtz, who is also the former senior director for Critical Infrastructure Protection on the White House Homeland Security Council. “But with ENISA, companies will finally have a one-stop shop for this critical activity.”

Though ENISA has no formal standards-making powers or judicial authority, its broad participation will create a forum for crafting information and network security policies that are critical to companies’ efforts to safely create and expand their international commerce efforts.

“ENISA is a positive move by Europe to have an institution that will greatly increase awareness of information security at the highest levels of public and private organizations,” says Shannon Kellogg, the Washington, D.C.-based director of government affairs for RSA Security. “It should become an important source of information—as well as a central co-ordination point—for companies that have to deal with the threat of a constantly changing environment in cyberspace, which knows no national boundaries.”

Security experts in the United States and Europe recommend that CIOs and CSOs make ENISA part of their global security planning, either by tracking the agency’s work or by participating directly in its activities. That’s because the agency is expected to quickly become an important resource on cybersecurity issues.

“U.S. business technology executives have a powerful opportunity through ENISA to discuss issues, create policy and contemplate legislation covering information and network security,” says Francisco Mingorance, director of public policy for the European component of the Brussels-based Business Software Alliance (BSA).

BSA is the voice of the world’s commercial software industry, and its hardware partners are dedicated to promoting a safe and legal digital world. Leading vendors, including RSA Security, participate in ENISA via the alliance. “Global security planning can’t be done in a vacuum. If you just deal with security issues only in your own backyard, you’re sticking your head in the sand,” Mingorance says. “Through ENISA, CIOs and CSOs can work with their counterparts from around the world to make a difference.”

ENISA’S COMPONENTS

THE DIRECTORS The chairperson of ENISA’s board is Kristiina Pietikainen, a Finnish national who is director of an e-commerce and data security unit in Finland’s Ministry of Transport and Communications. ENISA Vice-Chairperson Ferenc Suba heads a department in Hungary’s Ministry of Informatics and Communications. The recently appointed executive director is Andrea Pirotti, an Italian who has been vice president of Marconi Communications Ltd., since 2002. While at the company, he has been in charge of advanced technology projects for critical IT infrastructure.

THE MANAGEMENT BOARD The agency’s management board includes one representative from each member state, three representatives appointed by the EC, and three non-voting members representing consumer groups, the information and communication technologies industry, and academic experts in network and information security.

THE PERMANENT STAKEHOLDERS GROUP The procedures regarding the composition, number, appointment of members and activities of this group will be specified in the agency’s internal rules of operation.

ORGANIZATIONAL MEMBERSHIP Top industry players such as RSA Security Inc., Microsoft Corp., Symantec Corp., McAfee Inc., Cisco Systems Inc., Hewlett-Packard Co., and IBM are represented through their membership in the Business Software Alliance.

By Bob Wallace
Photograph by David Deal

ENISA’S MISSION
ENISA is organized to help the European Commission (EC), the member states and the business community address, respond to and help prevent network and information security breaches. ENISA will also assist the EC in the technical preparatory work for updating and developing legislation in the field of network and information security.

The agency includes a new executive director, a management board and a group of permanent stakeholders (see “ENISA’s Components”). Though still in its infancy, ENISA has numerous efforts under way, including:

COLLECTING AND ANALYZING DATA on security incidents and emerging risks

RAISING AWARENESS and promoting risk assessment and management methods to enhance the ability to deal with security threats

TRACKING AND DEVELOPMENT of standards for products and services

BUILDING AWARENESS AND COOPERATION between different players in the information-security field, notably through the establishment of public-private partnerships operating at EU or global levels

Countless business technology alliances, groups and agencies have promised much but delivered relatively little over the years. But ENISA proponents emphasize that the all-inclusive makeup of this agency—EU member states, vendors, companies and industry groups—will make coordinated progress a reality.

Security industry experts also believe that using ENISA as a central point for covering security issues in Europe, and possibly beyond, will make it considerably easier for CIOs and CSOs to develop and update robust, comprehensive global information and network security blueprints.

For more information about ENISA, visit www.enisa.eu.int.

Copyright® 2004 RSA Security. All rights reserved.