<nettime> SPEECH/99/122 by Mr Erkki LIIKANEN on EU Crypto

[t byfield <tbyfield@panix.com>]

----- Forwarded [from cryptography-digest V1 #317]

http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&do
c=SPEECH/99/122|0|RAPID&lg=EN

- ---------------------------- CUT -----------------------------------

Speech by Mr Erkki LIIKANEN Member of the European Commission for
Enterprise and Information Society Trust and Security in Electronic
Communications : The European Approach Information Security Solutions
Europe (ISSE 99)Welcome Address Berlin, 4 October 1999


 DN: SPEECH/99/122     Date: 1999-10-05


     TXT: EN
     PDF: EN
     Word Processed: EN

SPEECH/99/122 

Speech by Mr Erkki LIIKANEN 

Member of the European Commission for Enterprise and Information Society

Trust and Security in Electronic Communications : The European Approach

Information Security Solutions Europe (ISSE 99) Welcome Address

Berlin, 4 October 1999

1. INTRODUCTION

Ladies and gentlemen,

To start with, I would like to congratulate The European Forum for
Electronic Business and Teletrust for organising this conference. A
comprehensive European event on security held on a yearly basis was much
needed in Europe. I therefore wish that ISSE will become a major event in
Europe when it comes to discussing information security issues, not only
amongst the converted, but also, and hopefully increasingly, the laymen. 

The very launch of this event, and the broad audience it attracted on its
first edition, already demonstrates a few things:

First, that there is a growing interest for information security issues in
Europe. This is a direct result of the rapid growth of the Internet and
electronic commerce in Europe. The latter is good news for Europe
considering the growing importance of the networked economy in terms of
growth and employment. 

Second, that European Union policies have been successful. I don't mean to
take all the credit for the take-up of the Internet and electronic
commerce in Europe especially since our conviction is that the development
of the information society must, and can only be market-led. Yet it is
clear that the liberalisation of telecommunications in the Union has
created the right conditions for the expansion of the Internet and
electronic commerce. 

2. WHY IS CRYPTOGRAPHY SO IMPORTANT? 

Cryptographic technologies are at the heart of information security.  A
few years ago, cryptography was still an arcane topic restricted to a
closed circle of people in the known. It is only recently, with the growth
of the Internet, that cryptography and on-line security has made it to the
headlines. 

Why? Simply because cryptography is the preferred, if not only, means to
ensure authenticity and confidentiality in electronic communications.
Without it, there will be no safe electronic communications. 

The bottom line is: no security, no trust, no notable shift towards
commercial and financial transactions on the Internet! And all the
impressive forecasts we have seen regarding the growth of electronic
commerce will remain pie in the sky. 

With close to 200 million Internet users, there is already, today, a
strong market basis for security products and services. This is clearly
indicated by the multiplication and the impressive growth figures of
cryptographic companies. For the time being, the security market largely
remains a corporate one. This is no surprise since business-to-business
activities carried out over proprietary networks still account for over
85% of the total electronic commerce market. 

But the security market will only really explode once it becomes a mass
market. 

The odds are, that the Internet will be everywhere in Europe in a matter
of five years or so. We can expect half of the European population to be
hooked on the Internet by 2005. Not only that there will be a computer
connected to the Internet in half of Europe's homes. But access terminals
become increasingly diversified and include, not only the computer, but
increasingly the digital TV set- top box, the personal assistant or the
mobile phone, and very soon cars and even home appliances. 

But then again, who will routinely shop on-line if the credit card number
cannot be transmitted safely? If there is no guarantee that the orders
placed will be not fed into a marketing database to create a highly
detailed buyer's profile? 

The same applies to simply surfing the Net. For how much longer will
Internauts accept to leave footprints on every Web site they visit,
allowing outsiders to track down their every move and interest? How many
people will be discouraged from getting on-line by the fear of loosing
their privacy? 

This means that all along the chain of Internet services, there is an
essential need for security features. 

Since the technology is there, this doesn't seem to be a problem, only a
breath-taking business opportunity for the cryptographic industry. But
actually no! The situation can be compared to telecommunications services
in Europe: Their growth is directly linked to the creation of a fully
liberalised and coherent EU-wide market. Take mobile phones for example:
The GSM technology may be great, but there wouldn't be 100 million GSM
users in Europe today if it hadn't been for a comprehensive EU policy. 

In the same spirit, we are now working towards an Internal Market for
cryptography. 

3. WHAT DOES THE COMMISSION DO ABOUT IT? 

More and more EU-based companies, including a growing number of SMEs, now
think in terms of a Europe-wide market. This means that, at a time when
companies increasingly rely on electronic communications to carry out
their day-to-day business, incompatible national solutions in the field of
cryptography create impediments that lessen the benefits of the Internal
Market. Not to mention the problems creates for the cryptographic industry
itself, whether it concerns, for instance: 

suppliers of encryption products engaged in intra-Community trade; 

or service providers that have to provide their clients with certificates
that are legally valid throughout the Union. 

The Commission has addressed these issues in a pragmatic way, establishing
a distinction between authentication and confidentiality, even though they
both rely on the same cryptographic technologies. 

For authentication, we have tabled a draft Directive on electronic
signatures which will secure the Internal Market for certificates and
certification services. The aim is to have the European rules transposed
into the national legislation of the 15 EU Member States by the end of the
year 2000

Things get more sensitive when it comes to confidentiality. The scrambling
of electronic communications has raised some legitimate public security
concerns. Hence some reflections on how to ensure lawful access to
encrypted data. 

Most of the proposed schemes have proved impracticable, a view the
Commission has expressed in a policy paper in October 1997. This has been
confirmed by the findings of EU-funded research projects in the field of
cryptography. 

Member States are now increasingly sharing this view. The French
government in particular has pledged to lift all restrictions to the use
and supply of encryption products. 

Notwithstanding these developments, the Commission, under the Amsterdam
Treaty, will work with Member States to ensure that, in a liberalised
domestic environment, public safety will be fully guaranteed. 

What would then remain are export controls: 

For external trade, encryption products are controlled in accordance with
the Wassenaar Arrangement. 

But there are also controls on shipments of encryption products within the
Internal Market. We would like these intra-Community controls to be
strictly limited. Indeed, create to burdens for European companies
industry red tape, delays, uncertainty, etc. which put them at a
competitive disadvantage. 

We hope Member States will soon come to an agreement on the new Dual Use
Regulation, which aims to lift almost all controls on intra- Community
shipments of encryption products. 

4. WHAT ELSE CAN WE DO? 

Finally, I would like to focus on two other crucial issues. The first
issue concerns the European cryptographic industry. It is a strong
industry, it has state-of-the-art technology, and it has therefore the
potential to impose itself on world markets. It would certainly highly
benefit from improved regulatory conditions, but there is another major
obstacle to its expansion. 

Currently, the desktop computing market is dominated by a few systems.
This wouldn't be a problem in itself if those weren't proprietary systems.
Building security solutions for systems when one has no access to the
source code is certainly a major challenge. In fact, it means that there
is a whole range of security products which European industry cannot
supply. 

The solution to this problem certainly lies in non-proprietary and open
source systems. This is the key to unlocking the potential of the desktop
computing security market. This would also clearly be in the end users'
interest. Not only would users enjoy a wider choice of security solutions,
but they would also have a greater safety guarantee. 

How can governments, and in particular the Commission, contribute to
promoting non-proprietary systems?

One way is to raise awareness about them and their benefits

Another could be to ensure that public tenders for computer equipment no
longer specify particular systems. 

This issue is also closely linked to technology developments.  Ultimately,
the market will chose the more appropriate technological solutions. That
is another area were we can help, notably under the Fifth Framework
Programme, through our Information Society Technology Programme. 

Let me share with you my views on a second issue. I said earlier that the
explosion of the cryptography market is pending a widespread take- up of
the Internet by the wider public and SMEs. Awareness is one requirement,
to which I hope ISSE will contribute. The other is trust! 

In many other sectors of the economy, consumer trust is achieved through
quality labels, for instance for foodstuff, toys or electric appliances.
These can be industry-led or based on government rules; they can be
attributed nationally or at European level. 

If security devices are to enter every home, they would certainly benefit
from labels demonstrating that they are in conformity with quality
requirements. This would greatly enhance consumer trust and confidence by
allowing consumers to immediately identify safe information security
products and services. 

5. CONCLUSION

Ladies and gentlemen,

What I wanted to do today is to demonstrate that the Commission is fully
committed to the development of Internet security. I also wanted to show
that, whether you are suppliers or users, we are trying hard to understand
your needs. Finally, I wanted to get a few messages across and point at a
few directions which we must further investigate. Let me wrap them up in a
few words: 

1. Security is the key to securing users trust and confidence, and thus to
ensuring the further take-up of the Internet. This can only be achieved if
security features are incorporated in Internet services and if users have
sufficient safety guarantees. 

2. Securing the Internal Market is crucial to the further development of
the European security market, and thus of the European cryptographic
industry. This requires an evolution of mentalities: Regulation in this
field transcends national borders. Let's "think European". 

3. European governments and the Commission now have a converging view on
confidentiality. We see this in Council, in Member State policies and in
the constructive discussions we have. We must take this debate further and
focus of the potential of encryption to protect public security rather
than mainly seeing it as a threat to public order. 

4. Finally, the promotion of open source systems in conjunction with
technology development is certainly one important step towards unlocking
the potential of the desktop security market for the European
cryptographic industry. 

I wish you all a great conference. 

----- Backwarded [from cryptography-digest V1 #317]


#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net