Under a European Union (EU) proposal, sectors using telecoms networks – energy, transport, banking, healthcare, and key internet companies – would have to manage risks and report ‘significant’ incidents. So said EU figures at the launch of the EU’s Cybersecurity Strategy on February 7.
Cecilia Malmström, EU Commissioner for Home Affairs, described the EU Cyber Security Strategy as a landmark in the fight against the growing criminal activity online which undermines the confidence of internet users. She said: “We will not be able to reap all the potential benefits of the online economy if we cannot protect our citizens and provide them with a safe and secure Internet environment.” She described how you can order cybercrimes, such as “rent a hacker”. “You do not even have to know how it works. There are lists including costs for different actions. If you want to hack someone’s Facebook account it costs 130 USD. Hacking mobile phone text messages can even be a lot cheaper. If we want to be credible in our efforts to fight cybercrime we need better legislation, more resources and better coordination.”
Jarno Limnell, director of cyber security, Stonesoft, said that increasing regulatory and legal requirements are not the right way to solve cyber threats and risks. He said: “The rules proposed by the European Union reflect the misunderstanding that currently prevails in Europe, namely that everything, in this case cyber threats, can be solved by creating more statutes, directives and restrictions. This is neither the right nor the most efficient way to improve European cyber security.
“Instead, what is needed is for each European country to have an authoritative cyber agency, such as a CERT, with very skilled personnel, who take cyber security threats and challenges seriously. However, at the same time – with regards to the proposed rules and regulations – from a constitutional point of view, the same agency should act both as an investigator and as a punisher. Each country should have a clear policy stating that all companies with responsibilities towards a nation’s critical infrastructure, i.e. the assets, systems, and networks, whether physical or virtual, which are vital to the country’s operations, should be obliged to report any cyber incidents to the national cyber agency. Should the companies neglect this obligation, they should be punished on a national basis.
“However, and this is important, these incidents should not be reported in public, since understandably all companies are fiercely protecting their brands. Instead, reporting has to be done discreetly, based on mutual trust between the national cyber agency and the companies. That way the companies will be ‘safe’, which will help ensure their willingness to report any cyber incidents they encounter, and, even more important, the cyber agency will receive correct information so it can acquire awareness about the current cyber situations. This would put an end to our life in an illusion of security.
“There has to be situational awareness on cyber threats and the current circumstances, and it is crucial that this attentiveness be as high as possible. Otherwise, we will keep on living in an illusion of security – which is the situation today; without situational awareness, we will never be able to increase our ‘cyber awareness’.
“In addition, I don’t think there should be pan-European rules for cyber security, i.e. the same rules in all countries. Instead, national solutions and procedures are needed, as the situation varies a lot between different countries in the European Union – despite the fact that cyber is borderless and beyond traditional limitations, such as time.”
The EU move has been welcomed by some others in the IT security sector, though some warned that a requirement to notify the authorities of breaches needed to be well thought through, to avoid unintended consequences such as over-notification; and felt that such moves would best be global.
Mark Brown, Director of Information Security at Ernst & Young, said: “The European Commission’s move confirms that cyber security is a growing problem for businesses and governments alike. With 88 per cent of organisations in the UK reporting an increase in cyber attacks, according to our latest Global Information Security Survey, the damage of a breach, not just to individual companies, but the economy as a whole, becomes clear.
“As the world becomes more interconnected so does the way in which it operates and the sharing of information. A new, unified approach that cuts across borders, national infrastructure and capability, as well as across organisations in different countries is needed now more than ever.
“The Commission is right to extend the obligation to report significant cyber incidents beyond telecoms companies to include organisations in the energy, transport, health and eGovernment sectors. But even that doesn’t go far enough. Services from the online economy that touch the lives of millions of people are now available in every sector. It is by collaboration and transparency across the business life cycle – from investors right through to customers – that awareness can be raised and future incidents can be prevented, while exploiting the full benefits of the online economy.
“This step can only be seen as the beginning of a long and challenging journey. The Commission needs to work with the 27 member states to ensure that the countries lacking the necessary tools to fight cyber threats catch up with those that already have a high level capability in place and that eventually a common reporting mechanism is in place. Businesses also need to understand that the cost of keeping silent and doing nothing to counter cyber threats is far greater than the cost of having a strategic security framework in place.”
Paul Ayers, VP EMEA of data security product company Vormetric, commented: “In a move that harmonises an otherwise disjointed approach in the fight against cybercrime, these new and welcome proposals serve to not only emphasise the dangers posed to the security of the international community, but also act as a crucial reminder to businesses that the onus for effective data protection lies with them.
“Cybercrime is a highly-sophisticated and destructive industry targeting organisations of all shapes and sizes. It can damage brands and result in painful compliance penalties. It is no wonder that many businesses have been anticipating the arrival of more stringent data protection legislation – these new proposals are indicative of things to come and set new parameters for businesses endeavouring to operate in a compliant manner on the international stage.
“While the litany of highly visible data breach incidents in 2012 galvanised many organisations to re-evaluate their security measures, some businesses clearly have a considerable way to go. As the custodians of their customers’ data, any organisation touching sensitive information must look to place security controls around sensitive data, as this ultimately is the target of attack. In the face of tougher monetary penalties and legal sanctions for security negligence, encryption of all data is no longer a reasonable expectation – but an absolute necessity.”
The EU admitted that cyber-security incidents are increasing in frequency and magnitude, becoming more complex and knowing no borders. The EU officials launching the strategy pointed to the case of the Dutch certification company DigiNotar, which did not report that its systems had been hacked, nor did it revoke the digital certificates. That resulted in fraudulently issued certificates circulating online, undermining trust in the system.
The European Commission, with the High Representative of the Union for Foreign Affairs and Security Policy, has published a cybersecurity strategy alongside a Commission proposed directive on network and information security (NIS).
The cybersecurity strategy – “An Open, Safe and Secure Cyberspace” – was described as the EU’s vision on how best to prevent and respond to cyber disruptions and attacks, and to ensure the digital economy can safely grow. Specific actions are aimed at enhancing the cyber resilience of information systems, reducing cybercrime and strengthening EU international cyber-security policy and cyber defence. The strategy gives five priorities:
Achieving cyber resilience
Drastically reducing cybercrime
Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP)
Developing the industrial and technological resources for cyber-security; and
Establishing a coherent international cyberspace policy for the European Union and promoting core EU values.
The EU points to its recently established European Cybercrime Centre (IP/13/13), its proposed legislation on attacks against information systems (IP/10/1239) and the launch of a Global Alliance to fight child sexual abuse online (IP/12/1308). The strategy also aims at developing and funding national ‘cybercrime centres of excellence’ to offer training.
The proposed NIS Directive would require all Member States, key internet enablers and critical infrastructure operators – such as e-commerce platforms and social networks, and operators in energy, transport, banking and healthcare services – to ensure a secure and trustworthy digital environment throughout the EU. The proposed Directive lays down measures including:
a) Member States must adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents;
b) Creating a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organise regular peer reviews;
c) Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.
Neelie Kroes, European Commission Vice-President for the Digital Agenda, said: “The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It’s time to take coordinated action – the cost of not acting is much higher than the cost of acting.”
Catherine Ashton, High Representative of the Union for Foreign Affairs and Security Policy/Vice-President of the Commission, said: “For cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline should also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace. The EU works with its international partners as well as civil society and the private sector to promote these rights globally.”
And Cecilia Malmström, EU Commissioner for Home Affairs, said: “The strategy highlights our concrete actions to drastically reduce cybercrime. Many EU countries are lacking the necessary tools to track down and fight online organised crime. All Member States should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre EC3.”
David Hoffman is Intel’s Director of Security Policy and Global Privacy Officer, and Raj Samani is McAfee’s EMEA Chief Technology Officer. They and Christoph Luykx blogged that they too welcomed the EU move and said it further paves the way for a strong coordinated response against these 21st century threats. “Digital threats are very real and ever growing. McAfee Labs routinely collect an immense amount of data on cyber threats, and publish statistics that highlight the threat to all citizens from nefarious actors.
“The EU’s proposals highlight the responsibility of private actors in the overall securing of our Global Digital Infrastructure. We agree that private organisations bear responsibility in ensuring that the products and services they bring to the market have been designed with security in mind and industry standards of care have been met. Like many responsible companies, we have a strong ‘security development lifecycle’ in place to ensure our products are being evaluated against possible threats. We should however avoid specific regulatory mandates for specific solutions or processes that would slow innovative technological solutions and hamper industry and government’s ability to respond to the dynamic threat environment.”