Here you can find the Romanian and European legislative acts regarding the protection of critical infrastructure:
“The draft was presented for public debate by the Ministry for the Information Society.
“The draft law adopted by the Government will enable the operationalisation of the National Cyber Security System (Sistemul Național de Securitate Cibernetică – SNSC), which will facilitate the adoption of proactive and reactive measures regarding information, monitoring, dissemination, analysis, warning, coordination, decision, reaction, recovery and awareness. The act also defines unified terminology in the field of cyber security and a harmonised framework for action by public authorities and institutions”, the communiqué states.
At the beginning of April, the Supreme Council of National Defence (Consiliul Suprem de Apărare a Țării, CSAT) decided to take measures to counter cyber threats against Romania, given that these threats have diversified recently.
“It was assessed that these threats have recently diversified, becoming an increasingly attractive option for state and non-state actors since they do not require very large resources. The members of CSAT decided to take measures to expedite the adoption of the regulatory framework and the operationalisation of the Digital Agenda 2020 as an integral part of the European effort to develop the information society and, implicitly, of the subsequent actions dedicated to cyber security”, a communiqué of the Presidential Administration stated.”
While conflict in cyberspace is not new, the legality of hostile cyber activity at a state level remains imperfectly defined. While there is broad agreement among the United States and its allies that cyber warfare would be governed by existing laws of armed conflict, with no need for additional treaties or conventions to regulate hostilities online, this view is not shared by many nations that the United States could potentially face as adversaries.
NATO’s cyber defence situation is not perfect. Beyond political will, funding and other considerations, there is in this field a degree of mutual distrust not found in other areas. Members are not always eager to divulge what they are doing, notwithstanding Article 5 of the NATO Treaty.
There were strong protests in Europe at the extent of NSA listening in on, or reading, the emails and texts of people including our closest allies and even their leaders. Listening to Chancellor Merkel’s mobile phone conversations probably was out of line. Actually, the listening started when she emerged fresh out of East Germany, and someone neglected to stop it when she became head of the CDU and then Chancellor. Speculation was that Germany, because of its widespread business interests, was the weak point when it came to standing up to Russian aggression. But they forgot who the Chancellor was.
There are cases where such spying can be shown to be warranted, however. One can quote the example of the German Chancellery when Willy Brandt was chancellor and one of his close aides, Günter Guillaume, was found to be an HVA spy (the HVA was the foreign intelligence branch of the Stasi, with the late Markus Wolf as director). I don’t know whether the US spied on the German Chancellery at the time, but if it did, it certainly helped. And of course US intelligence wouldn’t have told the BND or the BfV, though some clues would have been spread around. Of course this is purely hypothetical.
Another case was that of the network of gas pipelines set up by several EU countries (in particular Germany) and Russia. At the time (the Cold War and Communism had not yet ended) the Reagan administration tried to stop the move by forbidding US companies and US technology from being used. This was not well received by the Europeans, including Margaret Thatcher, who was very unhappy, while Secretary of State Alexander Haig showed a lot of understanding for the European position. The US move foundered.
Around 23 years later, when Europe started to depend excessively on Russian gas for its energy needs, suppose NSA spying had found that Chancellor Gerhard Schröder was planning to boost imports of Russian gas through a series of new contracts and would, after his retirement, head Russian-owned companies – something that looks very much like a reward. Suppose, again purely hypothetically, that NSA found this out and that the Europeans were warned, but that the US could not refer to the signals intelligence that told the story, nor to Schröder’s future reward, which could not have been proved without disclosing the spying. US fears were described by the Europeans as out of proportion. This is of course purely hypothetical: how could one imagine such a thing?
Now the non-hypothetical. In August 2008, Gerhard Schröder laid the blame for the 2008 South Ossetia war squarely on Mikhail Saakashvili and “the West”, hinting at American foreknowledge and refusing to criticize any aspect of Russian policy at the time.
In March 2014, Schröder likened Russia’s intervention in Crimea to NATO’s intervention in Kosovo, citing both cases as violations of international law and the UN Charter. On 13 March 2014, the German Green Party, not very realistically, tried to have the European Parliament ban Schröder from speaking in public about Ukraine against his own Social Democratic party line – the SPD’s Frank-Walter Steinmeier is Germany’s foreign minister.
Nobody believes privacy will be much enhanced in the US by having telephone companies rather than NSA store the data, and a court order should not be necessary, except of course for accessing the content of telephone conversations. The proposed measure will not only slow down the process when speed is sometimes of the essence, but seriously hinder it. We will have to await the full text of the proposed legislation to examine the part about national security emergencies under which the process could be bypassed, but even without the need for a court order the process will be slowed.
The problem is that the suspicion arises precisely from the metadata. If anybody calls a number that has been directly or indirectly associated with terrorism (or spying), then the program will look at the network of his communications. If a pattern emerges, a warrant will be sought from the FISC (Foreign Intelligence Surveillance Court) to listen in on his conversations. PRISM does nothing at all with metadata that shows no association with a suspicious number. Considering the millions of calls per day, NSA has better things to do.
The private companies will have to keep the data, as plaintiffs, who are also defendants in terrorism cases, will ask for access to it. Unless the program is completely scrapped, the data will have to be kept. In any event this data was already kept by phone companies for billing and similar purposes, but for much shorter periods.
The issue is not whether such a terrorist would have gone uncaught without PRISM, nor even whether this particular terrorist was caught thanks to the program. The real question is whether the program, as part of a whole array of methods, made the whole more effective, so that the terrorist was perhaps caught somewhat earlier. Placing additional bureaucratic and legal hurdles between NSA analysts and the bulk data will inevitably waste time, which in certain cases will be critical.
The need to store call metadata for five years or more is not an NSA or Obama administration demand, but has been forced upon the administration by court actions from people who claim they have been trapped because of the metadata. NSA would be happy with 2 or 3 years. The American Congress cannot prevent litigants from demanding access to old data: this would give rise to Supreme Court action.
The European Commission proposes measures to strengthen the European Union’s (EU) prevention, preparedness and response to terrorist attacks on critical infrastructure.
Communication from the Commission to the Council and the European Parliament of 20 October 2004 – Critical Infrastructure Protection in the fight against terrorism [COM(2004) 702 final – Not published in the Official Journal].
The European Council of June 2004 asked the Commission and the High Representative to prepare an overall strategy to strengthen the protection of critical infrastructure.
This communication gives an overview of the actions taken by the Commission to protect critical infrastructure and proposes additional measures to strengthen existing instruments.
The potential for catastrophic terrorist attacks that affect critical infrastructure is increasing. The consequences of an attack on the control systems of critical infrastructure could vary widely. It is commonly assumed that a successful cyber attack would cause few, if any, casualties but might result in the loss of vital infrastructure service. For example, a successful cyber attack on the public telephone switching network might deprive customers of telephone services while technicians reset and repair the switching network. An attack on the control systems of a chemical or liquid gas facility might lead to more widespread loss of life as well as significant physical damage.
The failure of part of the infrastructure (even in different European countries – see the example of electricity blackouts in Europe over the past two years) could lead to failures in other sectors, causing a cascade effect because of the synergistic effect of infrastructure industries on each other. A simple example might be an attack on electrical utilities where electricity distribution is disrupted; sewage treatment plants and waterworks could also fail as the turbines and other electrical apparatuses in those facilities might shut down.
Critical infrastructure can be owned or operated by both the public and the private sector but, in any case, the public sector has a fundamental role to play in making it secure.
Definition and criteria for identifying critical infrastructure
Critical infrastructures are those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in European Union (EU) countries.
Critical infrastructure includes:
- energy installations and networks;
- communications and information technology;
- finance (banking, securities and investment);
- health care;
- water (dams, storage, treatment and networks);
- transport (airports, ports, intermodal facilities, railway and mass transit networks and traffic control systems);
- production, storage and transport of dangerous goods (e.g. chemical, biological, radiological and nuclear materials);
- government (e.g. critical services, facilities, information networks, assets and key national sites and monuments).
The communication also suggests three criteria for identifying potential critical infrastructure: scope (the extent of the geographical area that could be affected), magnitude, and effects over time.
EU countries must list the infrastructure critical to them, according to an EU harmonised formula and in conjunction with the organisations or persons in charge of security.
As regards security management, the first thing to note is that it is impossible to protect all infrastructures against the threat of terrorist attacks. However, by applying risk management techniques, attention can be focused on areas of greatest risk. Security management is a deliberate process of determining the risk and deciding upon and implementing actions to reduce risk to a defined and acceptable level, at an acceptable cost.
Progress so far in protecting critical infrastructure at European level
As a complement to the measures that have been taken at national level, the EU has already adopted a number of legislative measures setting minimum standards for infrastructure protection in the framework of its different policies. This is notably the case in the transport, communication, energy, occupational health and safety, and public health sectors.
A further step towards communication security is being made with the creation of the European Network and Information Security Agency (ENISA). In addition, in sectors like aviation and maritime security, inspection services have been created within the Commission to monitor the implementation of security legislation by EU countries.
European Programme for Critical Infrastructure Protection
The EU must focus on protecting infrastructure with a transnational dimension. A European Programme for Critical Infrastructure Protection (EPCIP) will be set up with a view to identifying critical infrastructure, analysing vulnerability and interdependence, and coming forward with solutions to protect from, and prepare for, all hazards. The programme should include helping industrial sectors to determine the terrorist threat and potential consequences in their risk assessments. EU countries’ law enforcement bodies and civil protection services should ensure that EPCIP forms an integral part of their planning and awareness-raising activities.
A Critical Infrastructure Warning Information Network (CIWIN) that brings together critical infrastructure protection specialists from EU countries should be set up as soon as possible. This infrastructure warning network should assist the Commission in drawing up the programme.
In conclusion, the goal of EPCIP and the duty of the Commission would be to ensure that there are adequate and uniform levels of protective security on critical infrastructure, minimal points of failure and tested rapid reaction arrangements throughout the EU.
Background and follow-up
On 17 and 18 June 2004, the European Council asked the Commission to prepare an overall strategy to enhance the protection of critical infrastructure. In response, the Commission published this communication on 22 October 2004.
The Commission’s intention to propose a European Programme for Critical Infrastructure Protection (EPCIP) and a Critical Infrastructure Warning Information Network (CIWIN) was accepted by the European Council of 16 and 17 December 2004, both in its conclusions on prevention, preparedness and response to terrorist attacks and in the Solidarity Programme, adopted by the Council on 2 December 2004.
Throughout 2005, intensive work was carried out on the EPCIP. On 17 November 2005, the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection.
On 15 September 2005, a decision on the financing of a pilot project containing a set of preparatory actions with a view to strengthening the fight against terrorism was adopted.
Lastly, on 12 December 2006 the Commission presented a proposal for a directive on the identification and designation of European critical infrastructures and a common approach to assessing the need to improve their protection. On the same day, it adopted a communication on a European Programme for Critical Infrastructure Protection. These documents give a clear idea of how the Commission proposes to address the issue of critical infrastructure protection in the EU.
Green Paper of 17 November 2005 on a European programme for critical infrastructure protection [COM(2005) 576 final – Not published in the Official Journal].
Communication from the Commission to the Council and the European Parliament of 20 October 2004 – Preparedness and consequence management in the fight against terrorism [COM(2004) 701 final – Not published in the Official Journal].
Communication from the Commission to the Council and the European Parliament of 20 October 2004 – Prevention, preparedness and response to terrorist attacks [COM(2004) 698 final – Not published in the Official Journal].
This directive sets up a procedure for identifying and designating European critical infrastructures (ECIs; see the key terms defined below). At the same time, it provides a common approach for assessing these infrastructures, with a view to improving them to better protect the needs of citizens.
Member States must go through a process of identifying potential ECIs, with the help of the Commission if required. Member States should make use of a series of criteria to identify these potential ECIs. The cross-cutting criteria take into account possible casualties and economic and public effects, while the sectoral criteria consider the specificities of each ECI sector. This directive currently concerns only the energy and transport sectors and their subsectors as identified in Annex I. Additional sectors might be added with the review of the directive.
Each Member State should go through a cooperative designation process for potential ECIs located on its territory. This process involves discussions with other Member States, which could be significantly affected in case of the loss of service provided by an infrastructure. In order for an infrastructure to be formally designated as an ECI, the Member State on whose territory it is located must give its assent.
The identification and designation of ECIs by Member States must be completed before 12 January 2011, after which they are to be reviewed regularly.
The Member State on whose territory an ECI is located must inform the Commission annually of the number of potential and designated ECIs for each sector.
Member States must ensure that an operator security plan (OSP) or an equivalent measure is in place for each designated ECI. The purpose of the OSP process is to identify the critical assets of the ECI as well as the existing security solutions for protecting them. The minimum content to be covered is defined in Annex II of the directive. The OSPs must be reviewed regularly.
Member States must also ensure that a security liaison officer or equivalent is designated for each ECI. The officer serves as the contact point between the owner/operator of the ECI and the Member State authority concerned. The purpose is to allow for the exchange of information regarding the risks and threats relating to the ECI.
Within a year from designating an ECI in the subsectors, Member States are to conduct an assessment of the threats relating to it. In addition, Member States are to report to the Commission every two years on the risks, threats and vulnerabilities the different ECI sectors are facing. The need for additional Community measures to protect ECIs will be assessed on the basis of these reports.
To support the owners/operators of ECIs, the Commission provides access to best practices and methodologies regarding the protection of critical infrastructure. Furthermore, it supports the related training activities and exchanges of new technical information.
Any sensitive information regarding the protection of ECIs may be treated only by persons having the appropriate level of security clearance and only for the purposes the information was originally intended.
A European critical infrastructure contact point (ECIP contact point) is to be appointed in each Member State. Its purpose is to coordinate any ECI-related issues among Member States and the Commission.
On 12 December 2006, the Commission adopted the communication on a European Programme for Critical Infrastructure Protection (EPCIP), which sets out an overall framework for critical infrastructure protection activities at EU level. The process of identifying and designating ECIs is one of the key elements of EPCIP.
The Council conclusions of April 2007 reaffirmed Member States’ responsibility in managing the protection of critical infrastructures located on their respective territories. Simultaneously, the Council welcomed the Commission’s efforts in developing a European procedure to identify and designate ECIs and in assessing them with a view to improving their protection.
- Critical infrastructure: an asset, system or part thereof located in Member States that is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact on a Member State as a result of the failure to maintain those functions.
- European critical infrastructure (ECI): critical infrastructure in Member States, the disruption or destruction of which would have a significant impact on at least two Member States.
Where is Romania?
Not close to closure on CIP!
Critical infrastructure is an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.
Reducing the vulnerabilities of critical infrastructure and increasing their resilience is one of the major objectives of the EU. An adequate level of protection must be ensured and the detrimental effects of disruptions on the society and citizens must be limited as far as possible.
The European Programme for Critical Infrastructure Protection (EPCIP) sets the overall framework for activities aimed at improving the protection of critical infrastructure in Europe – across all EU States and in all relevant sectors of economic activity. The threats to which the programme aims to respond are not only confined to terrorism, but also include criminal activities, natural disasters and other causes of accidents. In short, it seeks to provide an all-hazards cross-sectoral approach. The EPCIP is supported by regular exchanges of information between EU States in the frame of the CIP Contact Points meetings.
A key pillar of this programme is the 2008 Directive on European Critical Infrastructures. It establishes a procedure for identifying and designating European Critical Infrastructures (ECI) and a common approach for assessing the need to improve their protection. The Directive has a sectoral scope, applying only to the energy and transport sectors.
The Directive also requires owners/operators of designated ECI to prepare Operator Security Plans (advanced business continuity plans) and nominate Security Liaison Officers (linking the owner/operator with the national authority responsible for critical infrastructure protection).
The Commission has funded over 100 diverse projects under the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks programme (CIPS), during the 2007-2012 period. The programme is designed to protect citizens and critical infrastructures from terrorist attacks and other security incidents by fostering prevention and preparedness, namely by improving the protection of critical infrastructures and addressing crisis management. The key objective is to support CIP policy priorities by providing expert knowledge and a scientific basis for a better understanding of criticalities and interdependencies at all levels.
The Commission has developed a Critical Infrastructure Warning Information Network (CIWIN), providing an internet based multi-level system for exchanging critical infrastructure protection ideas, studies and good practices. The CIWIN portal, which has been up and running since mid-January 2013, also serves as a repository for CIP related information. This initiative seeks to raise awareness and contribute to the protection of critical infrastructure in Europe.
A European Reference Network for Critical Infrastructure Protection (ERN-CIP) has also been created by the Commission to ‘foster the emergence of innovative, qualified, efficient and competitive security solutions, through networking of European experimental capabilities’. It aims to link together existing European laboratories and facilities, in order to carry out critical infrastructure-related security experiments and test new technology, such as detection equipment.
Taking into account the developments since the adoption of the 2006 EPCIP Communication, an updated approach to the EU CIP policy has become necessary. Moreover, Article 11 of Directive 2008/114/EC on the identification and designation of European Critical Infrastructures refers to a specific review process for the Directive. Therefore, a comprehensive review was conducted in close cooperation with the Member States and stakeholders during 2012. The preliminary results of this review have been summarised in a Commission Staff Working Document. Based on the results of this review and considering other elements of the current programme, the Commission adopted a 2013 Staff Working Document on a new approach to the European Programme for Critical Infrastructure Protection. It sets out a revised and more practical implementation of activities under the three main work streams – prevention, preparedness and response. The new approach aims at building common tools and a common approach in the EU to critical infrastructure protection and resilience, taking better account of interdependencies.
COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL,
THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE
on Critical Information Infrastructure Protection