1. What is EISAS (European Information Sharing and Alert System)?
EISAS stands for European Information Sharing and Alert System. ENISA has been asked by the European Commission to deliver a feasibility study on a Europe-wide system for sharing NIS-related information with end users (citizens and SMEs), in order to raise IT security awareness and close gaps in the coverage of such information.
2. Why is there a need for a feasibility study on a European Information Sharing and Alert System?
In everyday life, businesses, the economy and citizens, at work or at home, depend on computers and mobile phones as part of the Digital Economy and Information Society. Given this importance for society and for citizens, the European Commission identified the need to address the matter of “effective responses to existing and emerging threats to electronic networks” in Europe. Subsequently, the Commission requested ENISA “to examine the feasibility of a European information sharing and alert system (EISAS)”, as a follow-up to its communication COM(2006)251.
3. What would the purpose of EISAS be?
An EISAS could assist the public authorities in the Member States and at EU level in swiftly and properly informing citizens and SMEs on how to contribute, as end users, to their own safety and security.
4. Why is ENISA making this study of a European Information Sharing and Alert System? (Who has requested ENISA to do this study?)
ENISA is an Expert Agency in Network and Information Security. As such, ENISA is responding to a request from the European Commission to ‘examine the feasibility of a European information sharing and alert system (EISAS)’. ENISA was thus asked by the Commission to analyse the current state of affairs in both the public and private sector and to identify possible sources of security information that could contribute to an EISAS. This request fits the role, mission and scope of ENISA: to assist the Member States in enhancing Network and Information Security (NIS) in and for Europe.
5. What kind of information could be shared via an EISAS?
Three main categories of information can be distinguished:
Good NIS Practice: this self-explanatory term designates NIS information with long-term validity that is not subject to frequent change (for example, a description of how to choose a good password or how to identify phishing emails). It is assumed that this kind of information is valid (to some extent) for all citizens and SMEs in all Member States. It is the easiest kind of information to share with this target audience and, after slight modifications such as translation, can also be exchanged between separate ISAS. This term replaces the term “static information” from the Terms of Reference (ToR);
Alerts & Warnings: this term designates NIS information about short- or medium-term threats, and as such it has short- to medium-term validity. Following on from the examples in the previous category, this could be a warning about an actual phishing email with specific content, aimed at the customers of a specific bank.
The example also shows that this kind of information may not in all cases be valid for all citizens and SMEs in all Member States, so it is probably not as easy to share with the whole target audience. A further assumption is that Alerts & Warnings should always be “backed up” by Good NIS Practice information, to give citizens and SMEs a rule of action for reacting to the alert or warning. Good NIS Practice information should therefore form the base stock of every ISAS before Alerts & Warnings are shared. This term replaces the term “dynamic information” from the ToR;
Real Time Information: this term designates information of an immediate character, such as NetFlow data or other output from sensor networks. In an aggregated and visualised format this information is of utmost importance for CERTs, as it gives a snapshot of the actual condition of the network. Based on the findings of the EWIS project, it can already be predicted that real-time information is hard, if not impossible, for citizens and SMEs to digest (the analogy would be the weather forecast on TV, where meteorologists analyse the raw meteorological data and aggregate it into a format that viewers understand).
So an ISAS that only shares real-time information is probably not aimed at these target groups. However, as some Member States run such systems and contributed them during the survey phase, they are included in the inventory of existing systems in the Member States, but marked a priori as not suitable for reaching out to citizens and SMEs.
6. How could information be disseminated through EISAS?
The information could be disseminated by many different means. A basic channel would be a web portal. Other communication channels include mailing lists, RSS feeds, SMS services, phone calls and amplification through mass media such as newspapers, radio, television and “new (on-line) media”. This is only preliminary information, as this question will be addressed in the final draft study report.
7. What alert & warning systems exist already today in Europe?
There are many systems and initiatives across Europe and in the Member States with the goal of sharing appropriate and timely NIS-related information on vulnerabilities, threats, risks and alerts as well as on good practices. An EISAS will have to take these existing systems into account and, if feasible, include them in its functioning. An EISAS must not compete with any national system, but complement them in a reasonable manner.
8. What might be a goal for EISAS?
The main goal of a European Information Sharing and Alert System would be to raise awareness of NIS issues among those European citizens and SMEs that do not have access to adequate information. The expected result of the Commission’s request is a recommendation on whether, and if so how, an EU-wide, multilingual system could be realised, taking into account existing Member States’ systems.
9. What steps are in the study process?
Many activities have to be completed in order to fulfil the request:
1. Analysis of existing systems and sources. The first step is to analyse existing information sharing systems and possible sources of NIS-related information. This includes, for example, vendors, advisories from independent organisations, web portals containing recommendations and best practices, and so-called “real time” network examiners.
2. Assessment of the gathered information. All these systems and actors have to be carefully analysed to establish whether they could contribute to a potential pan-European system as a source of information, or whether such a system could even be built on the basis of some of them. Is it feasible at all, and if so, how? What are the existing options and best practices in designing such a system?
3. Assessment of the added value. The last step of the feasibility study is the assessment of the potential added value of a European Information Sharing and Alert System. In other words, it is necessary to check whether it can contribute (and, if so, how) to the overall security culture in Europe. For this purpose, some indicators for estimating the impact will be proposed and an analysis of this impact will be carried out.
10. What will the result of the assessment be?
The assessment will lead to
- The examination of the feasibility of an EISAS.
- The development of possible scenarios.
- The analysis, assessment and conclusions on the added value of such a system. Would such a system contribute (and, if so, how) to overall network and information security in Europe?
11. What could some possible scenarios of the EISAS study be?
It is already possible to outline some possible scenarios (preliminary information):
A European system could consist of a portal grouping links to all known national initiatives.
A much more advanced form of system would be a separate information portal that processes data received through other existing systems and presents it in a unified form. However, previous experience should be kept in mind: there have already been some initiatives to create such a system, and so far none of them can be considered fully successful.
Another scenario is a framework that would allow interested Member States to create national systems, using the knowledge gathered during the study and with facilitation by experts. Other Member States could follow and study it without participating actively, with an option to “opt in” and join the system later.
12. What are the steps of the feasibility study?
- In its communication on a Network and Information Security strategy (COM(2006)251), the European Commission identified that the public authorities in the Member States and at EU level have a key role to play in properly informing citizens, to enable them to contribute to their own safety and security.
- The Commission sent a formal request to ENISA, “to examine the feasibility of a European information sharing and alert system (EISAS)”.
- The Terms of Reference for this request were agreed upon in the summer of 2006. In this document, the Agency was advised by the Commission to form an Expert Group. The Expert Group consists of security specialists nominated by the Member States, who are running their own information sharing systems. This group has been established and it is assisting ENISA in all steps of the process.
- A preliminary report was presented to and discussed with the Member States in Brussels in April 2007. A new draft was presented in Berlin in June 2007, after which further minor amendments and modifications were made, involving the stakeholders.
- The final, adjusted report was presented in the beginning of 2008.
- The Commission may, if it so concludes, use the study as input for a potential proposal to the European Parliament and the Council regarding an EISAS.
13. What is the timeline of the EISAS study?
Work on the request is ongoing and well advanced. In April 2007, the first preliminary results were disseminated to and discussed with the Member States at an open validation workshop in Brussels. This meeting was an opportunity to assess the work done so far and to make some adjustments. The final draft study was delivered in June 2007, at the security conference hosted by Germany during its EU Presidency.