In a month that has seen US politicians claim that the US is “losing the war” against international cyber attacks, and yet more household names report hacks on their systems, Datonomy has been looking at the practical obligations that the EU’s proposed new Directive on Network and Information Security (NIS) could bring for businesses, and considering similar measures which are coming into force in Asia.
As if the escalating levels of threat were not enough (take your pick of this month’s news coverage – how about the “Eight billion hacking attacks a day” headline from ITV), governments around the globe are proposing new legal obligations and sanctions to compel organisations to get their cyber defences in order and to notify the authorities when their systems have been compromised.
The EU officially unveiled its cyber security strategy and the proposed Directive on Network and Information Security at the start of the month. This was followed on 20 February by the latest progress report from the UK Government (which adopted its own cyber security strategy in 2011), including the establishment of the UK’s Computer Emergency Response Team (CERT).
The Datonomy team have been analysing the NIS Directive – see this article for our full analysis, which includes a comparison with the EU’s proposed security and data breach notification obligations under the draft Data Protection Regulation. For Datonomy readers advising organisations on information security and crisis management, this is another important piece of the regulatory jigsaw.
If it is adopted, NIS would apply to public administrations and “market operators”. Market operators are split into two categories:
a) “Providers of information society services which enable the provision of other information society services”. These include: “e-commerce platforms; Internet payment gateways; social networks; search engines; cloud computing services; application stores”. That list is described as non-exhaustive.
b) “Operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health”. These are detailed more fully (and again, non-exhaustively) in Annex II to the Directive.
The new obligations on these organisations would include the following.
- Obligation to take “appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations.” This obligation is elaborated on as follows: “Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular…to prevent and minimise the impact of incidents…and ensure the continuity of the services” – Article 14(1). In practice this is a risk-based standard: what counts as “appropriate” will depend on the sensitivity of the systems and the services they support, not on a fixed checklist.
- Obligation to notify the competent authority of “incidents having a significant impact on the security” of the core services they provide – Article 14(2).
- Compliance with “binding instructions” from the competent authority – Article 15(5).
- Member States are to encourage the use of technical standards and specifications relevant to network and information security, so that compliance is measured consistently – Article 16.
- Obligation to provide the competent authorities with the information needed to assess the security of their networks and information systems, including documented information security policies – Article 15(2)(a).
- Obligation to undergo security audits carried out by the national authority or by an independent body, with the results made available to the competent authority – Article 15(2)(b).
The devil of the new regime will be in the detail – for example, the national guidance defining when an incident has a “significant impact” and so must be reported, and the nature of the “binding instructions” which the national competent authorities will have the power to issue. Technical standards and benchmarks will undoubtedly have a key role to play in helping define whether a business has done enough to comply. It is unclear how far existing standards such as ISO/IEC 27001 will be accepted as evidence of compliance, or whether further standards will need to be developed.
Further afield – Singapore’s “nimble and comprehensive response” to cyber crime
So, as Datonomy’s European correspondents add another Directive to their watch list (a year or two for the EU institutions to agree on and adopt the proposal, and a further 18 months for Member States to transpose the rules?), our correspondents in Asia report that the Singapore Government has already adopted what are essentially very similar proposals. You will need to be a subscriber to the excellent Ecommerce Law & Policy to read the analysis by Matt Pollins and Rob Bratby of Olswang Asia in full, but here are some headlines. The rules have been introduced by amendments to Singapore’s Computer Misuse Act (now renamed the Computer Misuse and Cybersecurity Act), giving the Government power to compel organisations to take a range of proactive and reactive steps to combat cyber crime. The powers come into play when Singapore’s defences, international relations or “essential services” are under threat. In other words, a similarly broad spectrum of businesses and sectors is potentially caught. The new regime will have teeth: fines of up to S$50,000 and even prison terms for senior management for ignoring the rules. But as with the proposed EU regime, much of the devil is likely to be in the detail of the very broadly drafted legislation.
Datonomy will of course be tracking legal developments in both Europe and Asia. Looking back at the past month’s tech news headlines, though, this Datonomist cannot help but think that it is the escalating practical threat and consequences of a cyber attack, rather than the prospect of further (and possibly far-off) new legal obligations, that will galvanise organisations to review their information security.