ENISA wants expanded responsibilities
At the opening of the first Summer School on Network and Information Security (NIS), MEP Jorgo Chatzimarkakis of the FDP called for more personnel and expanded responsibilities for the European Network and Information Security Agency (ENISA). At the opening of the NIS in Heraklion, Chatzimarkakis and Lord Toby Harris made an appeal to place network security much higher on the political agenda.
Chatzimarkakis expressed shock that, despite attacks on the IT infrastructures of entire countries, such as the cyberwar attacks upon Estonia and more recently Georgia, politicians failed to see the urgent need for action. He thought it especially important to win over the larger member states with better IT security postures.
Lord Harris estimated that only ten MPs in both the House of Lords and the Commons were interested in the subject of network security, and criticised the Centre of the Protection for National Infrastructure (CNPI) as too slow to react. The MP indicated possible conflicts between the national responsibility for critical infrastructures and the responsibility of the EU.
According to Chatzimarkakis, who had a role in the ENISA’s controversial founding charter, EU bodies would begin work on a draft of ENISA 2.0 as soon as the telecommunications directive was passed in Brussels. The Commission’s initial proposals for the Telecommunications Package had slated ENISA to be a component of a new central EU regulatory authority for telecommunications.
According to Chatzimarkakis and statements by the head of ENISA, these proposals are no longer on the table. ENISA's initial mandate, which expires in 2009, has, for the time being, been extended to 2012. By then, ENISA 2.0 has to take shape. Chatzimarkakis told heise online that, "15 or 20 more employees would be very good for ENISA." The additional employees – bringing the total at ENISA to nearly 70 – would be technical experts. Presently there is still not a good balance between technicians and administrative personnel. ENISA currently has an annual budget of 8 million euros.
In a discussion with heise online, ENISA head Andrea Pirotti said that he thought that expanding ENISA's responsibilities made good sense. Under the present mandate, ENISA's responsibility for all network security issues is limited to the domestic market. The mandate does not include the areas of legal and law enforcement cooperation under the control of the member states. The agency cannot do much about cases like the attack on Estonia.
Chatzimarkakis underscored that the think-tank style of the agency would be preserved, even with the expansion of responsibilities. "I do not envision any operative responsibilities." ENISA's principal work, according to Pirotti, focuses on making network security recommendations, network risk analysis, cooperation with member state institutions, and providing support on security issues, particularly to small and mid-sized companies.
The decision to base its headquarters on the island of Crete, making it quite literally isolated, has sparked numerous discussions since ENISA's creation. Chatzimarkakis said that the distance from the lobbyists in Brussels was sometimes quite an advantage. However experts often have to leave Heraklion in order to present ENISA positions on security issues effectively and then the distance does become a problem. The Greek government has now announced that an additional office will be set up in Athens. From there, the hop to Brussels can be managed in a day.