EU's Cybersecurity Plan Requires Members to Report Attacks
The European Union on Thursday announced a strategic plan designed to prevent and respond to cyberdisruptions and attacks. The heart of the plan: a requirement that all member states and key Internet enablers -- including some U.S.-based companies -- must report attacks.
Web-based companies and critical infrastructure operators such as e-commerce platforms, social networks and members of the energy, transport, banking and healthcare services, would have to report security incidents and adopt risk management strategies.
These actions are part of the EU's overall cyber security strategy for a free and open Internet.
Details of the EU Strategy
There are five priorities in the EU's cybersecurity strategy: achieving cyber resilience, slashing cybercrime, developing a cyberdefense policy and capabilities relating to the Common Security and Defence Policy (CDSP), developing the industrial and technological resources for cybersecurity, and establishing a coherent international cyberspace policy for the EU that promotes the Union's core values.
Member states will have to adopt a strategy and designate a national network and information security (NIS) authority that has adequate funds and human resources for its task. They will also have to create a joint early warning system on cyberthreats.
The European Network and Information Security Agency (ENISA) will work with standardization bodies and all relevant stakeholders to develop technical guidelines and recommendations for the adoption of NIS benchmarks and good practices.
The directive must be implemented within 18 months after its adoption by the EC and the European Parliament.
Who Will Be Affected?
Essentially, any company that offers service online will have to report cyberincidents.
That will include Apple, Google, Amazon, Sony, Microsoft, Facebook, Twitter, LinkedIn, DropBox, Picasa and Wordpress.
Although the EU has regulations in place to improve cybersecurity, its previous efforts have been on too small a scale and too fragmented, the EU argues in the NIS directive.
For example, existing EU rules require only telecoms companies and data controllers to adopt security measures, and only telecom companies have to report significant security incidents.
Reaction to the Proposals
The EU's proposal is too broad and sweeping, and could stifle innovation, argued Mark MacCarthy, spokeperson for the Software and Information Industry Association (SIIA). Requiring companies affected to meet security requirements laid down by member states and the EC could lead to mandates, which might be inflexible and therefore would not be able to cope with the always-changing cyberthreat landscape.
"In the voluntary world, if an old standard no longer works to deal with a new threat, companies and security firms develop new responses," MacCarthy told TechNewsWorld. "In the mandatory world, companies have to comply even if the measures are no longer relevant or effective."
Grounds for suspicion exist, however, when business alliances oppose legislation, "especially when they drop catch phrases such as 'will stifle innovation'," Randy Abrams, a research director at NSS Labs, told TechNewsWorld. "That said, there is always a danger of being overly prescriptive and inadvertently disallowing viable technological approaches. Informed analysis of the true nature of the regulations can be performed when the legislation is drafted."
Timely awareness of breaches lets those affected respond more quickly, but breach disclosures could increase the risk to organizations, said Scott Crawford, managing research director, security, at Enterprise Management Associates. However, the proposed EU directive "does take some of these into account."
Despite that, regulation "is like trying to correct astigmatism," Crawford told TechNewsWorld. "Rotate the lens one way and you've fixed the focus in one axis, but others may remain blurry. Rotate it the other way to fix that and you may have lost focus elsewhere." The EU is trying to strike a balance, he added.
The EU's guidelines would "definitely be a reference point [to the United States], especially as to whether they succeed or fail," Ken Baylor, a research vice president at NSS Labs, told TechNewsWorld. "If it does work in the EU, we will likely follow."
The EU did not respond to our request for further details.