With recent reports of ever more daring cyber-attacks on the banking system, and claims that cyber criminals are exploiting weaknesses in the supply chain to hack major corporations, Datonomy looks at the current EU proposals on reporting security incidents which are aimed at tackling the problem – and the concerns and flaws identified by industry and by legislators.
What’s new? Some recent developments on the NISD
Datonomy readers will be familiar with the proposal for a new EU Directive on Network and Information Security (NISD) unveiled by the Commission in February, and set for its first reading in the European Parliament in early 2014. The aim of the new measures is to boost security by imposing new standards, and auditing and reporting requirements on market operators – including key infrastructure providers (e.g. energy companies) and, more controversially, ecommerce platforms and social networks.
Our earlier summary of those proposals can be found here. But what do organisations in those sectors think of the proposals? To inform its negotiating stance in Brussels, the UK Government has been taking soundings: from May to June the Department for Business, Innovation & Skills (BIS) held a Call for Evidence seeking information about the impact the NISD could have on UK stakeholders, and on 6th September BIS published a summary of these responses.
The consultation drew responses from 88 organisations in the various sectors targeted by the new rules, including media, banking, transport, energy, health, telecommunications, providers of information society services, aerospace and defence. Their concerns and comments make interesting reading for other organisations in those sectors who are keen to future-proof their systems (and supply chain arrangements) for potential new obligations and sanctions – and, of course, for compliance and cyber security professionals, whose services will be in even greater demand if the proposed regime comes into force.
Over the summer the draft Directive has also come under scrutiny from the EU institutions, with many of the same concerns, interestingly, echoed in the draft report by Andreas Schwab, the proposal’s Rapporteur, and during a debate in the European Council in June.
In addition, earlier this month, a major briefing note was published by one of the European Commission’s DGs. Datonomy readers with an appetite for all 172 pages of this report will find analysis of security breach trends, as well as further critique of the NISD’s proposals.
What are the key issues and concerns?
The overarching theme in all these documents is scepticism about whether the proposed breach notification requirements are proportionate, or indeed effective in terms of encouraging information sharing and/or reducing organisations’ vulnerability to attack.
The BIS Summary of Responses categorised evidence into 14 key aspects of the Directive. To spare Datonomy’s busy readers having to read all 49 pages, some of the main themes stemming from the responses are as follows:
EU harmonisation – but what about the global picture?
Whilst there was overall support for a harmonised and non-fragmented regime for cyber-attack reporting, many respondents stressed the need for the measures to stretch further than the EU, as cyber security is a global issue.
Which businesses would be caught?
The proposed reach of the new obligations is one of the most controversial dimensions of the NISD. Stakeholders sought clarification on the ‘extremely broad’ definition of ‘Market Operators’ in Annex II of the Directive, and on why these sectors have been targeted. This was foreseen by the European Council in June 2013, which perceived the need for ‘detailed discussions’ relating to the definition of ‘market operators’. In general, stakeholders wanted the scope to be narrowed, so that businesses that in fact do not have an impact on critical infrastructure are not unintentionally (and unnecessarily) caught. Schwab agrees and suggests that the scope should be ‘limited to infrastructures that are critical in a stricter sense’, and consequently proposes removing providers of ‘information society services’ (ISS) from the obligations. The focus should remain on energy, transport, health and finance.
The current draft of the NISD includes all the following players within a non-exhaustive indicative list of ISS: ecommerce platforms; internet payment gateways; social networks; cloud computing services; and app stores. It is the inclusion of this potentially diverse range of businesses that has attracted the most criticism. Objections include the complexity of Internet and cloud value chains; the risk of generating data which is disproportionate to the benefits to be gained; and the stifling of innovation. One stakeholder however argued that the ambit should be wider – and that software developers and hardware manufacturers should not escape the new obligations.
Mandatory vs. voluntary reporting of cyber incidents
The strongest recurring theme was animosity towards mandatory reporting. The Explanatory Memorandum for the proposed Directive argues that ‘the current situation in the EU reflecting the purely voluntary approach followed so far, does not provide sufficient protection against NIS incidents and risks’. However, stakeholders object to the idea of mandatory reporting for a number of reasons.
Firstly, many organisations already have reporting mechanisms in place, so insisting on further mandatory reports was perceived as creating unnecessary work and potential for duplication in reporting, and would therefore be inefficient. Comments included:
‘within the UK there are already a number of effective information sharing forums, both formal and informal, which should be encouraged and not subject to greater regulatory pressure’.
The Report from the Economic and Scientific Policy Department of the European Parliament, on behalf of the Committee for Industry, Research and Energy states that the obligations burden those ‘already talking to regulators and perhaps already sharing certain types of cyber security information as part of their obligations towards sector-specific regulators’.
Schwab’s report also addressed this, and states that the proposal for National Competent Authorities ‘does not adequately take into account already existing structures’, and therefore the designation of more than one competent authority per Member State should be allowed.
Moreover, stakeholders would prefer a voluntary, trust-based approach to reporting mechanisms for NIS incidents. They fear that a mandatory obligation would actually decrease the number of notifications, and encourage a ‘tick-box’ mind-set and a ‘compliance culture’. One stakeholder said:
‘…it’s vital that the companies do not adopt a ‘tick-box’ approach to security and understand that truly effective cyber security is a combination of having the right people, processes and technologies in place’.
The Debate in Council also addressed ‘why a legislative, rather than a voluntary approach’ was being used, and the fact that Member States required further justification of this.
Another criticism levelled at the Directive is that mandatory reporting would penalise and disincentivise organisations with more advanced NIS systems, which by definition will detect, and therefore need to report, more attacks.
Schwab also commented on this, stating that ‘potential sanctions should not disincentivise the notification of incidents and create adverse effects’, and therefore, where a market operator has failed to comply with the Directive, but not intentionally or by gross negligence, there should be no sanction.
When should notification be triggered? The meaning of ‘significant’ – a sectoral test?
Stakeholders identified the threshold at which the reporting obligation is triggered as another key measure in the Directive, and required clarification of the meaning of ‘significant’. Without clarification, stakeholders could not assess the impact the Directive could have on their businesses.
‘Significant’ is too broad a term; one stakeholder suggested narrowing the definition to ensure a breach would have to be ‘an incident that is not a routine or accidental breach of information technology compliance management policies but is anomalous and has the ability to create significant harm’. However, to exclude accidents would be to invalidate the aim of the proposed Directive given in the explanatory memorandum, which references the increase in the number and severity of incidents, including human mistakes. Schwab suggests adding a clear criterion for incidents which must be reported, which, if taken into account, and depending on the definition, may help resolve some concerns.
In addition, stakeholders thought that the definition of a ‘significant impact’ should be determined sector by sector, in order to ensure that ‘thresholds to trigger reporting of incidents are appropriate to the sector’.
Yet more new regulatory bodies?
Particularly with regard to developing a Computer Emergency Response Team (CERT) and a National Competent Authority (NCA), stakeholders were concerned about the framework being too slow, especially considering that it took three years for the US CERT to have effect. There are also concerns that introducing another regulator could add more ‘confusion and complexity’ to the reporting process.
Stakeholders were also concerned that the NCA could publicise security incidents which had been reported, without the permission of the reporting organisation. Comments reflected concerns about loss of reputation, and the lack of an opportunity to remedy their systems. This may, again, act as a disincentive to voluntarily report breaches, alongside the ability of the NCA to impose sanctions.
What are the next steps?
The Call for Evidence has certainly given the UK Government plenty of food for thought as it prepares to negotiate in Brussels. BIS states that it may require further evidence from stakeholders in the future, in order to negotiate an instrument that ‘does not overburden business…; that encourages economic growth and innovation; and that fosters positive and sustainable behaviour change’. Therefore, businesses in the affected sectors should look out for further opportunities to inform and influence these proposals. The UK already has a number of voluntary initiatives up and running as part of its 2011 Cyber Security Strategy.
The first reading for the Directive is scheduled for 4th February 2014, according to the Procedure File found on the European Parliament website here. If the initial responses from businesses and Parliament and the Council (the institutions with power to determine the fate of the proposals) are anything to go by, the Directive has a long way to go before it is adopted.
There is no denying that cyber security is an issue. In the last few days alone, this Datonomist has been reading coverage of a cyber-plot to ‘steal millions of pounds by hijacking London high street bank’s computers’ (four men are appearing in court on 27th September as a result), and a report by the insurers Allianz about how hackers are accessing the computer systems of the large corporations via access to their smaller suppliers.
Will the mandatory auditing and reporting requirements in the Directive ever become law, and if so who will they apply to? It is too early to say for sure. But in the meantime, security incidents which are getting ‘bigger, more frequent, and more complex’ will surely focus minds on improving information security throughout the supply chain – won’t they?