Let me start with an observation before I go into my slides. I think as a community, we talk a lot, but we don't communicate well. I learned this from my wife, actually. But the good news is, after 22 years, I'm starting to get it right, apparently. It's a really, really difficult thing to do. I was having a discussion in the coffee break. It's very easy to start to collaborate with someone. Today, for instance, it's a one-way message. It's very easy for me to plan my presentation and to deliver it to you. But security is about A to Z. And if you don't get right the way from A to Z, then you've only partially solved the problem. And through years of trying to collaborate and engage with other parties throughout Europe, we have really discovered in ENISA how much effort you have to put into the process. So I think the reason I'm saying all this is because this is what ENISA is all about. It is about collaboration. And every project that ENISA does is our project in the sense of us. And you play a major role. Most of the work, if not all of the work that ENISA publishes is, in fact, your work. And so ENISA has gone quite a long way down this path of collaboration. We still find it extremely difficult. For instance, our next challenge is going to be some level of international collaboration outside Europe, as this is now allowed in our new mandate. It is extremely difficult to be able to plan it in such a way that you really deliver the results. So what I'm going to talk about in my presentation today is all about collaboration. And if I were to summarize ENISA, it is we are there to create an effective network and information security community throughout Europe. I'm going to make one more last comment about ENISA, and then I'm going to skip the opening slides. So sometimes I appreciate if you're not working in the European communities, it's sometimes difficult to separate the different instances and to understand what they do.
And ENISA is extremely complementary to the Commission. The Commission is an executive body. It produces new European legislation. Of course, ENISA feeds into this process by working together with operational communities and giving information, which helps make good policy. But over the last few years, and under the new director, we really tried to focus more on policy implementation, because this is where the real challenge is. We have some great legislation, but if it's not implemented correctly, we don't get the benefits from it. And implementing policy needs to preserve the economic interests of those who are working with security. We do not want to penalize European firms by doing this badly. So that's what this talk is all about. Let's move on. Let's talk a little bit about the EU cybersecurity strategy. What it is. Ooh, that's not very good. I better tell you then. You should know about this, honestly. The EU cybersecurity strategy is probably the most important piece of policy that has come out in the last five years on a European basis. And it will change things. It comes with an associated proposal for a directive, which will become law. So you need to know about it. And if you don't like it, you need to try and change it. It's important. What does it say? The European cybersecurity strategy actually has five objectives that are there in front of you. The ones in red are where ENISA has been explicitly asked to contribute. And our contribution is to help implement this stuff. So I'm obviously going to concentrate on the stuff we do, but please read this. It's extremely important. It's a great piece of legislation because it brings together three strands of activity that were essentially apart in the past, which are the open market activities, the stuff we all do as private or public sector. The law enforcement activities, which Olivier has just talked about. And the third aspect is the military and defence and international relations activities.
So it's nice to have a coherent document looking at all this. Now I'm going to skip over this. I'm going to give you the slides afterwards. That will help you understand in more detail what we do. And I would really like to spend the rest of the presentation explaining what ENISA does and how it does it. And my plea to you is, if you are interested, then please talk to us. You can either talk to me personally or you can send a message to the agency. Because, again, our goal is to involve you in our work. So in terms of critical information infrastructure, let me start with this. Every year we produce an ENISA threat landscape. We don't do this work ourselves. Again, it's very illustrative of the way we work. We go right the way through the globe trying to find out who's done what on risk and threat analysis. And we put it all together in a form which is appropriate for our stakeholders. So it encompasses a lot of experience and a lot of results. And hopefully it gives our stakeholders those results in the way which is most useful for themselves. And this is what it looks like. This is one of the graphical tools that we use in developing this. It tells you what the top threats are and how they're evolving. And then it splits it out by service and in all kinds of nice ways that you can make the most of it. So please go and have a look at our website. Everything is free as a public institution, of course. And you might be surprised. You will find a lot of practical stuff there. Now, a word of warning with this. I think whenever we talk about data, and especially in this business, we always make the assumption that data is predictive. This is not actually always the case. So be very careful when interpreting data. And also be very careful about the variables around the data that you're analyzing. For instance, one of my staff said to me the other day, why don't we use the overall number of incidents in Europe as an indicator of how well we're doing?
But that doesn't mean anything on its own. If you double the number of systems you're using, logically, you would expect to see a doubling of the number of incidents, even if you were a status quo. So analysis of the data is very important. And if you look at the way that security has developed over the last few years, it tends to be black swan events such as Stuxnet, low probability high impact, which have dominated and changed the industry. So data is good, but let's not use it blindly. Cyber exercises is probably our flagship project. We work together with the Member States, and all the Member States play in this. It's like a European equivalent of Cyber Storm, and we do a very practical exercise every two years, involving operational communities and seeing how they will react to a cybersecurity incident. The next one is next year. We've already had two. They've been very successful in the sense that we've done very badly. And that's a good thing, because when you do badly, you learn a lot. So the first exercise tested three things. In an incident, who would you phone? What do you know about their decision-making mandate, and how would you exchange data? Now think about it. If someone attacked you in Ireland tomorrow, and it was from, say, Portugal, would you know who to phone? Three years ago, no, you wouldn't. Even more importantly, you do not want to phone someone in the middle of a cybersecurity event, spend half an hour talking to them, and realize they can't help you with your problem. That would be a disaster, right? And then finally, when you exchange information, you have to do it over the right channels using the right tools. So we did badly, but the good news is that in the intervening time, we have done a lot. And now we have, for the first time, a pan-European set of standard operating procedures for dealing with a cybersecurity event. And let's not forget, if there was a cybersecurity event tomorrow in Europe, there is no central coordination.
It is multilateral. This is sovereign state decision-making and subsidiarity. So 28 member states will have to talk to each other multilaterally to sort it out. That shows you the importance of having good procedures. We do work in securing new technology. I should more correctly say new business models. The one on the left, for instance, is cloud computing. Cloud computing is more a change in business model than it is in technology. And the way to look at this, incidentally, is to look at all the aspects, not just the technological ones. Most of the problems are in things like SLAs, legal restrictions, knowing who's doing what with your data. The technological aspects are difficult, but not the most difficult thing in cloud computing. So we do a lot of this kind of work. The one on the right is smart grid security, which is becoming much more important. Industrial control systems in general are becoming much more important. And here again, your work, not ours, we work together with the community to produce very practical guidelines for how you deal with the most current risks. We give input into member cybersecurity strategies. This is a great evolution. So all the people on this slide have produced what is called a national cybersecurity strategy. So they explain how they deal with big events at a national level, including political events. How do you escalate things? Which communities do you bring in? What is the order and the timescale of doing things? It's great to see so many countries on this. And we can now use all these as examples if you like to encourage a certain homogeneity of approach across Europe. And that's important because security is, of course, cross-border, as we all know. You don't do security within national boundaries. That doesn't make any sense whatsoever. So the more we can rely on a commonality of approach, the better we will be at dealing with these large-scale incidents that affect many member states. 
What ENISA did here was we produced a deliverable in 2012 that basically summarized what we learned from you, the different member states, and your experiences in doing this. And that's what it describes. Now, again, I'm not going to read it out to you. You can all read yourselves. But I will concentrate on one thing here, the development life cycle. And again, I would like to make a point. My personal history, I was 18 years as a chief information security officer in the financial sector. And what I can tell you is one of the things we do very wrong is documentation. We produce lots of it, and we don't keep it up to date. So it's useless. In fact, it's worse than useless. It's harmful. If you have a 300-page document which is not up to date, the tendency is to believe it and do the wrong thing. We need to go to smaller, more compact forms of documentation that are kept up to date, and more importantly, are read and acted upon. And this is as true for a national cybersecurity strategy as it is for a piece of documentation in a company. So the development life cycle is absolutely fundamental here. Keep the thing alive. Make sure that it is brought up to date to evolving conditions so that it reflects reality. And you'll find lots of other stuff like this in the document. Now, when I say this, you're all probably thinking, yeah, we've heard all this before, of course. And I know you've heard it all before, but my question is, are you doing it? Can you really say your documentation is short and sharp and everyone has read it and updated it? My experience over 18 years, I couldn't. And I tried like hell to do it. So these are the challenges that are waiting for us. It's a change in mindset. I've talked a lot about collaboration. Let me talk about it explicitly. We do a lot in terms of assisting operational communities. So this is a sort of map of some of the communities we deal with. I would like to single out the CERT communities, Computer Emergency Response Team.
They are pretty much the only frontline response mechanism worldwide. We are very tightly integrated into their network. We have a high degree of trust with this community. And we do a lot to support them. And we do a lot to ensure that these communities help support other communities. So with the EC3, for instance, we have been working to make sure that CERT communities work well together with EC3. And this is going very well. And that, you know, they learn to adapt to new conditions to deliver their services. We're doing a similar thing with the European External Action Service. We also work together on an occasional basis with Interpol, Financial ISAC, CEPOL, NATO from time to time. We exchange information, which is the limit of what our mandate can achieve. But all the while, we try to focus on clear objectives and deliverables. I'm saying another thing very briefly. Everybody is talking about sharing information. And everybody is saying, we need to share more information. No, absolutely not. We need to share less information. But it needs to be structured information. It needs to be the right information. And it needs to be used to solve the problem at hand. We live in a world of data pollution. Too much information doesn't do anyone any good. If I go to the Internet and say, when should I plant my geranium? And I get every month from January to December, I'm not any wiser. And sometimes it can be a little bit like that, to be quite honest. What about national governmental CERTs? These are special CERTs. These are CERTs with a political mandate that could, in theory, you know, kill the network or do very... things with a high impact at the national level to make sure things go right. So these guys are key in any pan-European response mechanism to a cybersecurity incident. We've done a lot of work supporting this community. When we started in 2005, there were only a handful. Now almost every country has one.
I would like to concentrate on this idea of baseline capabilities. Now they all exist. The challenge is to make sure that across the different member states, these CERTs are delivering services in a similar way. Because, again, if you do have a problem and you phone up a CERT in another country and they're doing completely different things in a completely different way to you, well, how are you going to get your act together? How are you going to solve the problem? So the concept of baseline capabilities is extremely important for future development, for moving to a high level of maturity. We've released this a couple of years ago. We keep it up to date. We work a lot with the community to keep it active. Very quick example of the kind of stuff we do. So we actually help to train CERTs. We provide training material which is produced by ourselves with the CERTs. Again, very strong collaboration. An example is on the slide. And we sometimes go out there ourselves and help CERTs to learn from what other CERTs have taught ourselves. This is again learning by doing. It's similar to the pan-European exercise and I think it's a great way to build capabilities throughout the member states. This I've already talked about. This is working together with the law enforcement community. So I'm very happy to be a member of the program board of EC3. We have a lot of communication together. Our experts talk to each other. I won't go into the details. I'll leave you to look at the slide because I would like to move on to the last point which is extremely important. And if you read nothing else in the directive, read this. So this is something that is big worldwide. Security and data breach notification. They're two different things. Security breach notification is when you have an incident that affects your security. Easy enough. Data breach notification actually came from a California state bill over 15 years ago which was legislation even though the U.S. approach is voluntary.
And this is about if you have an incident, the fact that you have to inform all the people, your clients, suppliers, whoever, whose data has been affected by this incident. They're different. They have different goals and objectives but we should try and come up with rationalized processes for dealing with both of them. Now what have we done here? We've supported the member states in implementing a thing called Article 13A which is obligatory for the telecoms community since 2011. All 27 member states, probably 28 by now, are compliant with this. They've transposed it to international law and I'm going to show you some data in a minute. The great thing is that all member states converged on a common solution which had some very hard decisions in their thresholds, impact, timings. So this shows you the power of a strong collaborative approach and now we have a common method for reporting these incidents across Europe. Second example, a little less optimistic, I'm afraid, is Article 4 which is a data breach notification. Here the number of communities involved is enormous. It's a much more difficult job. The good news is we are making a lot of progress. I'm going to finish with two slides just to show you what comes out of this because what you should say to me, Steve, it's great to collect data, but what the hell do you do with it? What do we do with data collection business? What do we get back again? Well, this is the very first baby report which came out in 2011 and it already tells us some quite interesting things. Look at the incidents here. Most affected mobile comms, perhaps not surprising. It's a younger technology. It has to mature to the level of fixed line, but look what it was caused by. Not cyber attacks, sir. It was caused by more mundane things like hardware software failures, 20% natural disasters, 20% involved power cuts. So this is where we are suffering at the moment and this is where we need to concentrate in order to get one step better.
Now, I'm not saying ignore cybersecurity incidents. Quite the opposite. But this is the side of cybersecurity that you may see less and yet it's fundamentally important for the operation of our network. So this data has already been quite useful. Now let's look at 2012. It's actually saying the same thing. Already we are seeing a trend starting to emerge. Most incidents are caused by system failures, hardware and software, third party failures. Malicious actions are a bit bigger. That's interesting. 8%. Natural disasters down to 6%. But hardware and software failures are something that we really need to look out for. So I said that data wasn't predictive. This data I think is predictive. It tells us something which is very important and which we can work on. The good news is this gets filtered back to what the strategy is trying to achieve and ENISA is trying to achieve with its different projects and so we achieve high levels of security throughout the EU. So I would like to leave you with that. Hopefully I stuck to my 15 minutes and I would also like to thank you because again, we do everything we do through your knowledge. It's this link with the operational communities, your experience which makes ENISA valuable, and if we didn't have it we wouldn't have much to sell. My team is only 40 people strong and I'm very proud of them. You can't do a lot with 40 people but with 27 member states you have a highly scalable and agile approach and this I think is what ENISA can offer to you in the future. Thank you very much.