Next Step in the EU - US Cooperation on Cyber Security and Cybercrime

European Commission

Cecilia Malmström

EU Commissioner for Home Affairs

Next step in the EU - US cooperation on Cyber security and Cybercrime

Homeland Security Policy Institute, George Washington University / Washington

30 April 2013

Ladies and Gentlemen,

I'd like to thank the organisers and in particular director Frank Cilluffo for inviting me.

Cyber security is now an issue on everyone's mind. It provokes a lot of debate and everybody agree that we have to do more. But it is our job to make sure that those commitments are translated into action.

Benjamin Franklin once coined the phrase "well done is better than well said". When it comes to cyber security I could not agree more.

The EU and the US face similar challenges. We see that organised crime groups are getting stronger. State-sponsored attacks are also a growing problem, as is the threat from non-state actors.

And, in some ways even more worrying, are dangerous discussions taking place where some countries – Russia and China included - advocate international regulation which would curb the open and free nature of the internet.

That's why I am here in Washington this week following an invitation from Secretary Janet Napolitano and Attorney General Eric Holder, to discuss how the EU and the US can further deepen our cooperation on cyber security and cybercrime to keep the Internet open, free and secure.

I say deepen the cooperation because a lot has already been done.

The establishment of an EU-US Working Group on Cyber security and Cybercrime at the Summit in November 2010 was our first step to identify common strategic goals and concrete actions.

We have had some early successes, such as the first Cyber Atlantic exercise in 2011, which kicked off a ground-breaking programme of joint cyber-attack exercises that will culminate in a fully-fledged EU-US cyber security exercise next year.

Furthermore, we have beensuccessful in jointly pushing for more countries around the world to ratify the Budapest convention on cybercrime to make it the global instrument.

Another important achievement was the launch last December of a Global Alliance against Child Sexual abuse online. During the past decade we have seen an unprecedented expansion in the despicable market for child abuse images.

Given the magnitude of the problem, Attorney General Eric Holder and I felt it was crucial to engage with Interior and Justice Ministers around the world to share our commitments to fight this heinous crime.

The Global Alliance now consists of 50 countries from Norway to Nigeria, from the Netherlands to New Zealand. And we are expecting the number of participating countries to continue to rise.

In many ways the most important way to measure our cooperation is through our operational success. And we have been effective. By working together, US and EU Law Enforcement Agencies have had success in arresting and prosecuting criminals for cybercrimes from credit card fraud to Child sexual abuse online.

Alongside its cooperation with the US, the EU has spent the last few years doing our own homework to make cyberspace more secure.

We took inspiration from the US, as well as several EU member states which had produced cyber security strategies, and adopted a proposal for an EU cyber security strategy this February.

Our strategy was a close cooperation with my colleagues Neelie Kroes responsible for the Digital Agenda and Catherine Ashton responsible for Foreign policy. The strategy fills two roles. It shows the direction for future work and it provides a basis for greater cooperation between the different actors.

In order to explain a little about the EU's approach here, it is worth saying something about how our method for the strategy differs slightly to that used in the US. Whilst the US has opted to appoint a cyber-tsar, in light of the way the actors fit together in the EU we have gone for joint leadership.

We hope the EU strategy will enable a step-change in how we ensure cyber security. It is based around three main elements:

1. Drastically reducing cybercrime, I will expand on this point shortly;

2. Enhancing our cyber security resilience and response capabilities. This will require new legislation on companies reporting cyber-attacks. We must also improve the security of critical information exchange in both public and private sectors in EU member states, and indeed between the sectors.

3. Supporting the use of Internet as a freedom tool and for building capacities around the world. An EU cyber defence component will also be developed.

While all three elements of the strategy are equally important I would like come back to say a little more about reducing cybercrime and improving the EU's ability to fight cybercrime.

Three months ago I inaugurated the European Cybercrime Centre – EC3 - in the Netherlands.

The EC3 will strive to be the European focal point in the fight against cybercrime, equipped with state-of-the-art technology and a strong team of highly-qualified personnel.

The Centre will fulfil its mission by helping Member States to dismantle and disrupt more cybercrime networks.

• It will develop detection and forensic tools for cybercrime investigators;
• It will provide specialised threat assessments; and
• It will offer more focused training for law enforcement, judges and prosecutors.

While being ambitious we must also be realistic. The Centre cannot initially focus on all types of cybercrime. Fraud, intrusion and internet related abuse of children are therefore amongst the crimes that will be targeted in the initial phase.

The key to success of the EC3 is cooperation. This goes beyond cooperation just in the Law Enforcement Community as EC3 will work with a broad range of partners such as other EU Agencies; computer emergency response teams; private sector companies; and members of the research community.

The Centre won't just be inward facing. It will become the natural partner for international initiatives and law enforcement agencies around the world who operate in the field of cybercrime such as the FBI, Secret Service, ICE and Interpol.

This brings me back to the question on how we can deepen the cooperation between the EU and the US. I think we all agree for the need to team up more. There has been a trend in the last year with technological developments making it more difficult for Law Enforcement to do their job.

And there are no quick fixes. Instead we need to continue focusing on delivering tangible results. Even if each one only feels like a small step, they are steps in the right direction, and that is how we gradually change the game.

The discussions I had with Janet Napolitano and Eric Holder yesterday show that we are on the same path here. I hope that we will already be in a position to announce further actions to be taken together at the EU-US Ministerial in Ireland next month.

I cannot prejudge the final results of those discussions but I can mention a few areas where I think it is important for us to take work forward together:

The first one is to ensure that law enforcement has access to the best tools and training available.

The second is to find better ways to work with industry. This is essential. When it comes to what industry has done so far, the situation we have today is far from satisfactory. It calls to mind a story of two men who are in the jungle when they suddenly hear a lion roar. While both get scared one of the men bends down and say "wait, I'm just gonna tie my shoe laces". The other guy says "are you stupid, you think you can run faster than a lion?" The reply comes "No, but I will run faster than you".

My point is that businesses have not taken sufficient security measures to protect themselves, hoping that the attacker would go after someone else just because they are a bit weaker.

And instead of running away we have to start working together. I'm talking about industry to industry cooperation as well as work between industry and governments. This is the only way to catch the bad guys.

There will be different approaches to this. I understand that CISPA is now on the agenda in the US and we follow this debate with great interest.

In the EU, we have proposed obliging companies to enhance security and report major attacks to governments. But we also need to think about the value of voluntary exchange of information in an environment that can build trust and help the key actors to want to work together on combatting cybercrime.

A third area is child protection online. I want the US and the EU to continue developing the Global Alliance against Child sexual abuse online. And let's not forget that actions taken in this field will also be important for the general fight against cybercrime. By increasing political discussion of these issues and building links between Law enforcement agencies around the world we also create opportunities for wider operational cooperation.

If we could advance on all, or at least some, of these issues I think we continue in the spirit of Benjamin Franklin's "well done is better than well said". There is no doubt we have a lot of work ahead of us. And I cannot think of a stronger partner for the European Union than the US in this fight.

Thank you

1