The European Commission has decided it cannot leave something as important as the security of information systems and telecommunications networks to the vagaries of market forces. It argues, in a Proposal which has been put to Member States of the European Union, that legislation and other harmonisation initiatives need to be commenced.
The Proposal states that this step is necessary because: “Governments have realised the extent to which their economies and their citizens are dependent on the effective working of communication networks” and because several Member States of the Union have begun to review their security arrangements (Downs 1998).
In addition, the Internet: “has created global connectivity” and thereby has: “significantly reduced the costs of accessing valuable economic information for remote attackers.” However, as: “networks are now mainly privately owned and managed”, many customers “remain ignorant of the security risks they run”, as private bodies are unlikely to discuss their security concerns in public for fear of losing customers.
For these reasons, the Commission argues that Governments must intervene to establish the parameters for their national IT security infrastructure and that such interventions will need to be harmonised if they are not to create a barrier to e-commerce.
To ensure security standards are used and, where appropriate, established. The Proposal notes that: “security products must be compatible with international standards” which are widely used by all Member States of the European Union and recognised by all the major economic players in the global economy. The Proposal notes that, because a: “significant part of today's communication is cross border”, any security solution must take account of the globalization of telecommunications networks.
To ensure that the legislative framework is fully developed and consistent. The Proposal notes that currently: “the European telecommunications and data protection framework contains provisions for operators and service providers to ensure a level of security appropriate to the involved risks”, but this may need to be extended to fill in any gaps (Thomas 1997).
To ensure that the interests of national security are satisfied. The Proposal notes that in addition to traditional national security concerns (e.g. assisting the police to counter organised crime), new national security issues arise because: “information systems and communications networks have become a critical factor for other infrastructures” (e.g. water and electricity supply), “and other markets” (e.g. the global finance market).
In addition to these positive assertions for intervention, the Proposal argues that a laissez-faire approach to information security presents significant risks to the European-wide e-economy.
The Proposal states that security issues cannot be left to market forces because:
(1) Market actors are not responsible for all the liabilities which relate to their security behaviour. For example: “like a careless car driver who is not held liable for the costs of the traffic jam that occurred as a result of his accident”, a user and a service provider who adopt a low level of security: “do not have to pay third party liability” ...