
COUNCIL DECISION OF 31 MARCH 1992 IN THE FIELD OF SECURITY OF INFORMATION SYSTEMS (92/242/EEC)

COUNCIL DECISION IN THE FIELD OF INFORMATION SECURITY

I. INTRODUCTION

Samuel Johnson has been attributed with the phrase: "Knowledge is of two kinds; we know a subject ourselves, or we know where we can find information upon it". If Johnson were alive today, he would indeed be impressed by the way in which information can be found. Technology has liberated an international pool of knowledge open to everyone, unimaginable in Johnson's times. The information, which is today at our fingertips, transcends political and geographic boundaries, language and local traditions. However, as access to information is improved, information becomes more vulnerable and difficult questions emerge as to its use. In its memorandum introducing the draft Council decision of October 2, 1991 in the field of information security the Commission observed:

"Information under its various forms increasingly contributes to individual, corporate and national wealth. The growth and performance of an estimated 2/3 of the economy relies on manufacturing or services heavily dependent on information technology, telecommunications, and broadcasting, and therefore depends critically on the accuracy, security and 'trustworthiness' of information. This is of as great importance and interest for individuals as for commerce, industry and public administrations. Correspondingly, the protection of information in all its aspects ... has become a central policy issue and a major concern world-wide".

In the context of the single market, the Community's aim is to ensure the free movement of information while ensuring the security of the use of information systems. On March 31, 1992, the Council launched its policy in the field of information security systems (see Appendix), which consists of:

• the adoption of an action plan, which sets forth the Community's interim objectives and the means to achieve them; and

• the setting up of a Senior Officials Group with a long-term mandate to advise and assist the Commission on action to be taken in this area.

II. BACKGROUND

1. THE PROBLEM

The disruption caused by insufficient IT security is well documented. Listed below are five illustrations of the problems which can arise:

• In February 1990, hackers in the US endangered the 911 service (the number reserved for emergency services). The hackers, who called themselves the "legion of doom", were able to transfer 911 calls to an ordinary telephone number. The consequences for public safety, had the perpetrators succeeded, could have been dramatic.

• In May 1990, Robert T. Morris Junior was found guilty in the US for setting loose a "bugged" program that caused thousands of networked computers to crash. The cost to the users of the network was astronomical;

• In the mid-1980s, a Dutch engineer, William Van Eck, achieved fame in the Netherlands by placing a listening device outside the Amsterdam Postal, Telegram and Telegraph Office and tapped into the computers. "Van Eck listeners", as they are now known in the hacking world, are seen by less upstanding members of the community to be a convenient way of obtaining check lists, access codes, passwords, information, etc;

• In the late 1980s, a group of German computer hackers were brought before the German Courts on charges of espionage. The hackers had penetrated U.S. Government computer systems via the PTT lines and were alleged to have sold their findings to the KGB;

• Similarly, German hackers were alleged to have broken into a computer at Thomson C.S.F., a French military and electronics manufacturer, looking for computer files containing gallium arsenide circuit designs. This technology is used by military designers in electronic warfare applications like jamming enemy radars and intercepting transmissions.

The importance of adopting effective measures to curb these activities is further heightened by our increased dependence upon computer systems.

2. THE SOLUTIONS

The above section lists the more newsworthy examples of inadequate computer security. The question is: how can this issue be tackled? One obvious step is to ensure that those individuals who wilfully engage in the activity of "hacking" are punished under criminal law. One of the first jurisdictions to deal specifically with the problem of unauthorized access to computer systems was the United States, which in 1986 adopted the Computer Fraud and Abuse Act. The Act created the offence of:

Current Development in European Information Technology Law

"Knowingly [accessing] a computer without authorization or exceeds access, and by means of such conduct obtain information".

The Act allows for the imposition of prison sentences of up to twenty years. However, its weakness was its limitation to information contained in financial records, or held by Government departments. In 1990, the UK Government passed the Computer Misuse Act which provided in Section 1(1) that:

"A person is guilty of an offence if (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorized, and (c) he knows at the time when he causes the computer to perform the function that that is the case".

Penalties under the Act range from imprisonment for a period of up to five years to a fine not exceeding the statutory maximum or both. Thus the UK has taken a firm stance against computer misuse. Criminal legislation does, however, have its limitations. Firstly, it would be imprudent to rely solely on the criminal law to solve this problem. Individual computer users must bear a degree of responsibility for the protection of their own data. Secondly, over-zealous enforcement can shift public sympathy towards the hackers which is, of course, counter-productive. There are indications that dawn raids on teenage computer "freaks" in the United States are generating a degree of concern.

III. THE COUNCIL DECISION

Compared to criminal law legislation, the Council Decision represents a sober attempt to develop a concerted approach to IT security, based on close collaboration with senior officials in the Member States. The Decision - which was unanimously adopted on the basis of Article 235 of the Treaty (since there is no specific legal basis in the EEC Treaty for issues such as information security) - has a dual function:

• to provide a substantive action plan for an initial period of 24 months; and

• to introduce a procedural mechanism, whereby a Senior Officials Group is given the long-term mandate to advise the Commission on action to be undertaken in the field of security of information.

The action plan has as its objective the development of overall strategies aimed at providing users and producers of electronically stored, processed or transmitted information with appropriate protection against accidental or deliberate threats. The action plan is not designed to substitute global or national standardization activities in this domain, but rather to take them into account and complement them. The plan, which is to be implemented by the Commission, is organized along the following lines of action:

• the development of a strategic framework for the security of information;

• the identification of users' and service providers' requirements;

• the provision of immediate and interim solutions;

• the development of specifications, standards and evaluation and certification criteria;

• the promotion of technological and operational developments; and

• the promotion of the provision of security of information systems.

The Commission will work in close association with Member States and in conjunction with Community research and development actions. Subsequent to the adoption of the Decision, the Senior Officials Group for Security of Information Systems has proposed the establishment of common IT security evaluation criteria. In response, on September 10, 1992 the Commission submitted to the Council a proposal for a Council Recommendation on common Information Technology Security Evaluation Criteria (COM(92)298 final). The draft Recommendation - which has yet to be adopted - contains detailed harmonized criteria, based on the experiences accumulated in various Member States. An important reason for this initiative is to provide a compatible basis for certification of evaluations by national certification bodies, with the objective of permitting international recognition of certifications. The Recommendation observes that its findings are based on extensive international consultation and practical experience.

Mark Powell
Forrester Norall & Sutton