http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&do c=SPEECH/99/122|0|RAPID&lg=EN ---------------------------- CUT ----------------------------------- Speech by Mr Erkki LIIKANEN Member of the European Commission for Enterprise and Information Society Trust and Security in Electronic Communications : The European Approach Information Security Solutions Europe (ISSE 99)Welcome Address Berlin, 4 October 1999 DN: SPEECH/99/122 Date: 1999-10-05 TXT: EN PDF: EN Word Processed: EN SPEECH/99/122 Speech by Mr Erkki LIIKANEN Member of the European Commission for Enterprise and Information Society Trust and Security in Electronic Communications : The European Approach Information Security Solutions Europe (ISSE 99) Welcome Address Berlin, 4 October 1999 1. INTRODUCTION Ladies and gentlemen, To start with, I would like to congratulate The European Forum for Electronic Business and Teletrust for organising this conference. A comprehensive European event on security held on a yearly basis was much needed in Europe. I therefore wish that ISSE will become a major event in Europe when it comes to discussing information security issues, not only amongst the converted, but also, and hopefully increasingly, the laymen. The very launch of this event, and the broad audience it attracted on its first edition, already demonstrates a few things: First, that there is a growing interest for information security issues in Europe. This is a direct result of the rapid growth of the Internet and electronic commerce in Europe. The latter is good news for Europe considering the growing importance of the networked economy in terms of growth and employment. Second, that European Union policies have been successful. I don't mean to take all the credit for the take-up of the Internet and electronic commerce in Europe especially since our conviction is that the development of the information society must, and can only be market-led. Yet it is clear that the liberalisation of telecommunications in the Union has created the right conditions for the expansion of the Internet and electronic commerce. 2. WHY IS CRYPTOGRAPHY SO IMPORTANT? Cryptographic technologies are at the heart of information security. A few years ago, cryptography was still an arcane topic restricted to a closed circle of people in the known. It is only recently, with the growth of the Internet, that cryptography and on-line security has made it to the headlines. Why? Simply because cryptography is the preferred, if not only, means to ensure authenticity and confidentiality in electronic communications. Without it, there will be no safe electronic communications. The bottom line is: no security, no trust, no notable shift towards commercial and financial transactions on the Internet! And all the impressive forecasts we have seen regarding the growth of electronic commerce will remain pie in the sky. With close to 200 million Internet users, there is already, today, a strong market basis for security products and services. This is clearly indicated by the multiplication and the impressive growth figures of cryptographic companies. For the time being, the security market largely remains a corporate one. This is no surprise since business-to-business activities carried out over proprietary networks still account for over 85% of the total electronic commerce market. But the security market will only really explode once it becomes a mass market. The odds are, that the Internet will be everywhere in Europe in a matter of five years or so. We can expect half of the European population to be hooked on the Internet by 2005. Not only that there will be a computer connected to the Internet in half of Europe's homes. But access terminals become increasingly diversified and include, not only the computer, but increasingly the digital TV set- top box, the personal assistant or the mobile phone, and very soon cars and even home appliances. But then again, who will routinely shop on-line if the credit card number cannot be transmitted safely? If there is no guarantee that the orders placed will be not fed into a marketing database to create a highly detailed buyer's profile? The same applies to simply surfing the Net. For how much longer will Internauts accept to leave footprints on every Web site they visit, allowing outsiders to track down their every move and interest? How many people will be discouraged from getting on-line by the fear of loosing their privacy? This means that all along the chain of Internet services, there is an essential need for security features. Since the technology is there, this doesn't seem to be a problem, only a breath-taking business opportunity for the cryptographic industry. But actually no! The situation can be compared to telecommunications services in Europe: Their growth is directly linked to the creation of a fully liberalised and coherent EU-wide market. Take mobile phones for example: The GSM technology may be great, but there wouldn't be 100 million GSM users in Europe today if it hadn't been for a comprehensive EU policy. In the same spirit, we are now working towards an Internal Market for cryptography. 3. WHAT DOES THE COMMISSION DO ABOUT IT? More and more EU-based companies, including a growing number of SMEs, now think in terms of a Europe-wide market. This means that, at a time when companies increasingly rely on electronic communications to carry out their day-to-day business, incompatible national solutions in the field of cryptography create impediments that lessen the benefits of the Internal Market. Not to mention the problems creates for the cryptographic industry itself, whether it concerns, for instance: suppliers of encryption products engaged in intra-Community trade; or service providers that have to provide their clients with certificates that are legally valid throughout the Union. The Commission has addressed these issues in a pragmatic way, establishing a distinction between authentication and confidentiality, even though they both rely on the same cryptographic technologies. For authentication, we have tabled a draft Directive on electronic signatures which will secure the Internal Market for certificates and certification services. The aim is to have the European rules transposed into the national legislation of the 15 EU Member States by the end of the year 2000 Things get more sensitive when it comes to confidentiality. The scrambling of electronic communications has raised some legitimate public security concerns. Hence some reflections on how to ensure lawful access to encrypted data. Most of the proposed schemes have proved impracticable, a view the Commission has expressed in a policy paper in October 1997. This has been confirmed by the findings of EU-funded research projects in the field of cryptography. Member States are now increasingly sharing this view. The French government in particular has pledged to lift all restrictions to the use and supply of encryption products. Notwithstanding these developments, the Commission, under the Amsterdam Treaty, will work with Member States to ensure that, in a liberalised domestic environment, public safety will be fully guaranteed. What would then remain are export controls: For external trade, encryption products are controlled in accordance with the Wassenaar Arrangement. But there are also controls on shipments of encryption products within the Internal Market. We would like these intra-Community controls to be strictly limited. Indeed, create to burdens for European companies industry red tape, delays, uncertainty, etc. which put them at a competitive disadvantage. We hope Member States will soon come to an agreement on the new Dual Use Regulation, which aims to lift almost all controls on intra- Community shipments of encryption products. 4. WHAT ELSE CAN WE DO? Finally, I would like to focus on two other crucial issues. The first issue concerns the European cryptographic industry. It is a strong industry, it has state-of-the-art technology, and it has therefore the potential to impose itself on world markets. It would certainly highly benefit from improved regulatory conditions, but there is another major obstacle to its expansion. Currently, the desktop computing market is dominated by a few systems. This wouldn't be a problem in itself if those weren't proprietary systems. Building security solutions for systems when one has no access to the source code is certainly a major challenge. In fact, it means that there is a whole range of security products which European industry cannot supply. The solution to this problem certainly lies in non-proprietary and open source systems. This is the key to unlocking the potential of the desktop computing security market. This would also clearly be in the end users' interest. Not only would users enjoy a wider choice of security solutions, but they would also have a greater safety guarantee. How can governments, and in particular the Commission, contribute to promoting non-proprietary systems? One way is to raise awareness about them and their benefits Another could be to ensure that public tenders for computer equipment no longer specify particular systems. This issue is also closely linked to technology developments. Ultimately, the market will chose the more appropriate technological solutions. That is another area were we can help, notably under the Fifth Framework Programme, through our Information Society Technology Programme. Let me share with you my views on a second issue. I said earlier that the explosion of the cryptography market is pending a widespread take- up of the Internet by the wider public and SMEs. Awareness is one requirement, to which I hope ISSE will contribute. The other is trust! In many other sectors of the economy, consumer trust is achieved through quality labels, for instance for foodstuff, toys or electric appliances. These can be industry-led or based on government rules; they can be attributed nationally or at European level. If security devices are to enter every home, they would certainly benefit from labels demonstrating that they are in conformity with quality requirements. This would greatly enhance consumer trust and confidence by allowing consumers to immediately identify safe information security products and services. 5. CONCLUSION Ladies and gentlemen, What I wanted to do today is to demonstrate that the Commission is fully committed to the development of Internet security. I also wanted to show that, whether you are suppliers or users, we are trying hard to understand your needs. Finally, I wanted to get a few messages across and point at a few directions which we must further investigate. Let me wrap them up in a few words: 1. Security is the key to securing users trust and confidence, and thus to ensuring the further take-up of the Internet. This can only be achieved if security features are incorporated in Internet services and if users have sufficient safety guarantees. 2. Securing the Internal Market is crucial to the further development of the European security market, and thus of the European cryptographic industry. This requires an evolution of mentalities: Regulation in this field transcends national borders. Let's "think European". 3. European governments and the Commission now have a converging view on confidentiality. We see this in Council, in Member State policies and in the constructive discussions we have. We must take this debate further and focus of the potential of encryption to protect public security rather than mainly seeing it as a threat to public order. 4. Finally, the promotion of open source systems in conjunction with technology development is certainly one important step towards unlocking the potential of the desktop security market for the European cryptographic industry. I wish you all a great conference. ---------------------------- CUT -----------------------------------
