52002AE1157

Opinion of the European Economic and Social Committee on the "Proposal for a Council Decision adopting a multi-annual programme (2003-2005) for the monitoring of eEurope, dissemination of good practices and the improvement of network and information security (MODINIS)"

(COM(2002) 425 final - 2002/0187 (CNS))

(2003/C 61/29)

On 19 September 2002, the Council decided to consult the Economic and Social Committee, under Article 157 of the Treaty establishing the European Community, on the above-mentioned proposal.

On 17 September, the Committee Bureau asked the Section for Transport, Energy, Infrastructure and the Information Society to prepare the Committee's work on the subject.

At its 394th Plenary Session on 24 October 2002, and given the urgency of the procedure, the European Economic and Social Committee appointed Mr Retureau as rapporteur-general and adopted the following opinion unanimously.

1. Introduction

1.1. The MODINIS programme is a continuation of the objectives of the Lisbon Council of 23/24 March 2000 (making the EU the most competitive knowledge-based economy and using the open method of cooperation to monitor progress) and of the Feira Council of 19/20 June 2000, which adopted the eEurope action plan and the long-term perspectives for the knowledge-based economy encouraging the access of all citizens to the new technologies.

1.2. The Council Resolution of 30 May 2001 on the eEurope Action Plan: Information and Network Security(1) and the Council Resolution of 6 December 2001 on a common approach and specific actions in the area of network and information security(2) called upon Member States to adopt appropriate specific actions and approved the strategy put forward by the Commission to improve network and Internet security proposing the creation of a European cyber-security task force, including in particular the improvement of the early warning system.

1.3. The present draft decision concerns the monitoring of the eEurope Action Plan, dissemination of good practices and the improvement of network and information security (Article 1 of the proposal).

1.4. It puts in place a multi-annual programme intended:

- to measure and compare the performances of the Member States against each other and against the best in the world, using primarily statistics and information already available;

- to put in place a European mechanism for exchange of experience on best practice;

- to analyse the economic and social consequences of the Information Society with a view to identifying the best responses in terms of competitiveness and cohesion;

- to support efforts to improve network security and to foster the development of (high-speed) broadband rollout.

1.5. The activities of the programme are cross-sectoral and complement Community actions in other fields and under other programmes, which should not be duplicated.

1.6. The programme provides a common framework to promote interaction at the various levels: Community, national, regional and local.

1.7. The actions to be undertaken in pursuit of these objectives include the following:

- collection and analysis of data on the basis of new indicators, focusing on information relating to the objectives of eEurope 2005;

- studies on good practices serving implementation of eEurope 2005;

- organisation of initiatives (seminars, workshops, etc.) particularly to promote cooperation and exchanges of good practice;

- support of the Information Society Forum (network of web-based experts) as a source of advice for the Commission on implementing the Information Society;

- financing a range of initiatives on network and information security, particularly in wireless communications, and supporting the cyber-security task force;

- support efforts to enhance security at the various levels by promoting exchanges of experience (training, workshops, etc.).

1.8. The Commission will award appropriate contracts for the implementation of these concrete measures, itself helping with the collection and dissemination of information, the development of web services, the organisation of meetings of experts, seminars and conferences and carrying out preparatory work on the information and warning system in the area of network and information security (Article 3).

1.9. The programme will have a budget of EUR 25 million over the period from 1 January 2003 to 31 December 2005, distributed annually among the Member States (Article 4). The Commission, assisted by a committee composed of representatives of the Member States, will draw up a work programme each year (Articles 5 and 6).

1.10. Community aid will be subject to prior appraisal, monitoring and subsequent evaluation procedures. The Commission will conduct an ongoing evaluation of the programme to assess to what extent it meets the objectives, informing the committee of progress. At the end of the programme, the Commission will produce an evaluation report.

2. General comments

2.1. The Committee has expressed its support and encouragement for all initiatives to promote the Information Society in a number of opinions. Such initiatives include the eEurope Action Plan, network and information security policy(3), the fight against computer-related crime(4), the need to develop a knowledge-based society without discrimination(5) and the right to access the Internet securely in terms of the protection of personal data and the security of commercial transactions and IT services(6).

2.2. Benchmarking provides a common mechanism for analysis and reliable comparison provided the indicators are well chosen and the information collected is relevant. The Committee feels that a common method for achieving this will undoubtedly bring essential added value at the Community level.

2.3. The Committee also shares the Commission's view that, to fully realise the objectives of a competitive knowledge-based society, the development of high-speed access is a key requirement for Europeans and should be viewed as a service of general interest, readily accessible throughout the Community at affordable cost. This means it has to be eligible for Structural Fund support and EIB aid for appropriate investment. The Committee therefore endorses the priority given to broadband networks in the programme.

2.4. The Committee wonders whether the programme funding is commensurate with the considerable number of measures proposed which cover all countries, range from European to local level and are horizontal in nature. But given the delays in getting the programme up and running, allocations not taken up in the first year should be carried over to the next two years, and this programme should be seen as experimental, bearing in mind that the prospects for development of the Information Society are long-term, that technological change is rapid and that the full potential in terms of access and use has not yet been achieved, especially in regions which are disadvantaged in various ways.

2.5. The Committee shares the Commission's view on the need to avoid duplication, given the considerable number of programmes and measures already implemented and funded by the Community.

2.6. The work programme drawn up by the Commission with the assistance of a committee composed of representatives of the Member States could be submitted for as wide a range of consultation and expert opinion as possible, for example through the Forum, which could suggest new projects or directions based on new developments, or by urging the Member States to introduce consultative procedures on the themes of the programme in order to address the proposals and the needs expressed by users, experts and the network economy more effectively.

2.7. While prior and subsequent evaluations, as well as monitoring, are essential, the Committee would nevertheless suggest that the methods employed should not be so bureaucratic as to delay, or even cripple, proposals for initiatives and measures submitted by associations or small groups of experts with no major financial resources of their own. Access to the programme must not be limited to institutional bodies with their own or external funding or permanent teams; on the contrary, the programme must make it possible to mobilise all the creative forces in a strategic field, quickly and across a wide spectrum, for the present and future of the Union.

2.8. Finally, the Committee would support and encourage this programme, the development, progress and results of which it intends to follow with interest.

3. Specific comments

3.1. The Committee is particularly concerned by security issues associated with the development of wireless networks; according to a recent survey, nearly 80 % of French companies using these technologies are not sufficiently aware of the security loopholes found in such communication technologies when systems for connection identification and effective encryption of data transmitted via current technology are either non-existent or inadequate. By way of example, in the La Défense area of northwest Paris, where the head offices of the largest companies are located, around 40 % of wireless connections are not yet secured effectively(7).

3.1.1. While wireless connections offer great flexibility of use, they use waves which may go beyond the confines of the buildings where they are used and which may be picked up from the outside with very simple equipment, thereby giving access to hostile intruders who "hunt" for non secured connections from vehicles in the street (a practice known as "wardriving").

3.1.2. In addition, Community and public sites are sometimes defaced by crackers who post more or less coherent messages; this can undermine confidence in eAdministration. Users' misgivings with regard to the eEconomy should also be taken into account so that particular attention is focused on making electronic commerce secure as a means of promoting this form of trading within the internal market.

3.1.3. The programme should include a whole range of concrete measures to promote a substantial increase in society's awareness of security issues, whether they relate to problems specific to each technology, network architecture or software, the protection of personal information or information storage procedures, so that networks and stored information can withstand accidents, natural disasters, various kinds of hostile attack and crime, like economic espionage, piracy or terrorism. Otherwise we may be jeopardising the future of businesses or the durability of data that is essential to the functioning of the economy and administration. A range of appropriate means should be employed to create a real security culture. Such a culture must be based first and foremost on the training and accountability of all stakeholders in the Information Society.

3.2. The security culture should be conceived in a way which is fully compatible with the freedom of information, communication and expression, economic, social and cultural freedoms and generally with the whole range of human rights. The Committee is concerned by various legislative approaches adopted recently in a number of countries, particularly in the aftermath of the 11 September terrorist attacks on the USA, which are proposing, or seek to implement, measures which may be effective but which, in some cases, as far as the internet is concerned, go too far in undermining legal rights and may impose a disproportionate financial and material burden, as well as excessive penalties, on providers of access, data storage space or site hosting. At the same time, the effectiveness of such measures is debatable as they are not targeted, but rather seek to monitor all communications over long periods (six months to a year). A knock-on effect of this could be a substantial increase in users' connection costs, a development which would be counterproductive for the expansion of the Information Society, while those with criminal intent would take steps to evade any surveillance, in most cases successfully (the necessary technologies already exist).

3.3. In the Committee's view, an important priority for the programme and one of the key objectives of the Information Society should be to put greater effort into finding the most effective means of reconciling the need for information and network protection, and, more generally, the security of people and property on the one hand, with civil liberties and users' rights to cheap and totally secure broadband access on the other.

3.4. Finally, the Committee suggests that consideration be given to the feasibility of carrying out a very concise, periodical assessment of all the efforts undertaken by the Community and the Member States to promote the various aspects of the Information Society, a kind of logbook of the initiatives, programmes and actions conducted at the various levels, their overall cost and the progress made, including investment in broadband networks with the assistance of Community funds and other public funds.

Brussels, 24 October 2002.

The President

of the European Economic and Social Committee

Roger Briesch

(1) Council Resolution on Information and Network Security, see http://register.consilium.eu.int/ pdf/en/01/st09/09799en1.pdf

(2) Council Resolution on a common approach and specific actions in the area of network and information security, OJ C 43, 16.2.2002.

(3) ESC Opinion on the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on network and information security: proposal for a European policy approach, OJ C 48, 21.2.2002.

(4) ESC Opinion on the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions - Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, OJ C 311, 7.11.2001.

(5) ESC Opinion on Public sector information: a key resource for Europe - Green Paper on public sector information in the information society, OJ C 169, 16.6.1999.

(6) ESC Opinion on the Proposal for a Directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communication sector, OJ C 123, 25.4.2001.

(7) Source: SVM magazine, October 2002.