Cybersecurity Policy and Legislation Criticized by Privacy, Network Security and High-Tech Sectors
Policy and proposed legislation to boost European network and information security were unveiled Thursday by EU officials. At the heart of the policy is the protection of fundamental rights on the Internet, said EU High Representative for Foreign Affairs and Security Policy Catherine Ashton at a press briefing. The EU is determined to promote and defend its values online but also believes there should be norms of behavior among countries to protect against cyberattacks, she said. Hewlett-Packard and European telecom network operators cheered the initiative, but some of the proposals drew criticism from privacy advocates, an IT security firm and high-tech industries.
The cybersecurity strategy (http://bit.ly/WR2tMc) priorities are: (1) Achieving cyber-resilience. (2) Drastically cutting cybercrime. (3) Developing cyberdefense policy and capabilities related to Europe’s common security and defense policy. (4) Developing the industrial and technological resources to protect cyberspace. (5) Establishing a coherent international cyberspace policy for the EU and promoting core EU values such as privacy and democratic, multistakeholder Internet governance.
To achieve cyber-resilience, public and private actors must develop capabilities and cooperate effectively, the joint strategy communication said. The EU has taken and is taking steps by establishing the European Network and Information Security Agency (ENISA), whose modernization is now being negotiated by the European Parliament and Council of Ministers, it said. E-communications providers already have to report significant security breaches, and data protection laws mandate security safeguards. But despite progress based on voluntary commitments, “there are still gaps across the EU,” in terms of national capabilities, coordination in cases of cross-border incidents, and private sector involvement and readiness, it said.
The proposed legislation, a directive on network and information security (NIS), calls for EU governments to meet several standardized minimum requirements, including setting up well-run computer emergency response teams; designating a national NIS authority; and adopting a national strategy and cooperation plan. It also envisions coordinated prevention, detection, mitigation and response mechanisms, and more engagement by private companies.
But private actors “still lack effective incentives to provide reliable data on the existence or impact of NIS incidents,” haven’t embraced a risk management culture, and aren’t investing in security solutions, the policy document said. The proposed legislation requires players in the energy, transport, banking, stock exchange, and enablers of key Internet services sectors, and public administrations, to report incidents with a significant impact on the continuity of core services and supply of goods relying on network and information systems.
Some company executives still deny that cyberattacks occur, and that attitude has to change, said Digital Agenda Commissioner Neelie Kroes at the briefing. Everyone needs to be open and transparent about such assaults, she said. Data breaches can lead to huge financial and reputational loss, but it’s only recently that companies have begun realizing that reputational damage is no excuse for failing to deal with cyberassaults, she said. The EU already has experience with breach reporting in the telecom sector, and now wants to make other industries aware of the need to cooperate and coordinate, she said.
The policy also calls for development of a single European market for cybersecurity products, setting of security standards, and an EU-wide voluntary certification scheme in the area of cloud computing, subject to data protection rules. More research and development in ICT security technology is needed. Europe’s cyberspace policy should be mainstreamed into EU external relations with other countries, particularly the U.S., and organizations such as the U.N., NATO and the Council of Europe, it said.
“The time to act is now,” the document said. The EC and High Representative “are determined to work together with all actors to deliver the security needed for Europe.” Ashton, Kroes and Home Affairs Commissioner Cecilia Malmström said they’ll meet with all relevant players in a high-level conference and gauge progress in 12 months.
HP applauded the strategy. The lack of confidence in Internet security due to “the alarming number of costly attacks” is blocking widespread take-up of technologies such as cloud computing, said Richard Archdeacon, head of security strategy at HP Enterprise Security Services. “The security of an organization is only as strong as its weakest link and we need to focus heavily on prevention.” The proposed directive is a major contribution to better consumer trust and confidence in the digital era, said the European Telecommunications Network Operators’ Association. It welcomed the extension of the measure to “Internet enablers” such as e-commerce platforms, Internet payment gateways, social networks and search engines, as well as the plan to enforce breach reporting in other sectors.
But others urged the EC to go back to the drawing board. The focus on such an important issue and the attempt to collaborate more officially across EU members is good, but “the proposal has more than a few challenges,” said James Lyne, technology strategy director of security consulting firm Sophos.
One issue, raised by Ross Anderson, security engineering professor at the University of Cambridge Computer Laboratory, in a Jan. 16 European Digital Rights editorial, is the attempt to deal with cyberattacks via a network of military and intelligence agencies instead of by pulling together police forces, CERTs and service providers. There are already appropriate policy responses to cyberattacks, such as better, more harmonized consumer protection, more police cooperation, security breach disclosure and a policy that vendors should supply and certify network-attached devices to be safe by default, he wrote. The fact that the EU is considering following the U.K.- and U.S.-centric effort to militarize security in cyberspace is a “tragedy,” he said.
A second issue is the concept of a “single national competent authority” to coordinate and handle incidents, Lyne told us. The single component will prove a challenge in many jurisdictions, he said. It’s unworkable, Anderson wrote. Even in the U.K., where cybersecurity is already partly militarized, there are multiple players even in the public sector, such as the Serious and Organized Crime Agency, Government Communications Headquarters, Security Service and local police forces, he said. A law that encourages a single agency to take the lead in each country will undermine national constitutional arrangements for separation of powers and accountability, he said.
Another potential challenge is the proposal’s call for ENISA and other agencies to have access to “sufficient information,” a statement that “will rile privacy advocates,” Lyne said. ENISA and the national authorities in its network will have access to “sufficient information” from nearly everyone online if the definition of a market operator is broadened to enablers of Internet services, Anderson wrote. In effect, the measure will extend data retention powers from phone companies and ISPs to service providers such as webmail providers, computer game operators and social networks, he said. That would violate the constitutions of Germany and other countries and probably can’t be squared with the European Convention on Human Rights, he said. The draft “must be rewritten or abandoned.”
The EC says the proposal is intended to provide direction and not be specific as to the method or implementation of network information security, Lyne said. That’s unfortunate, “as there are elements of the proposal which could cause harm if executed incorrectly.” One example is breach notification, he said. It can be carried out in many ways and can be useful, but also potentially damaging. A private breach notification scheme to build authority visibility to efficiently tackle security issues could be helpful, but to move from the current situation, where organizations often hide their breaches, to greater openness could work against recent efforts to create trust and cause concern and economic damage, he said.
The proposal “needs to be more clear on objectives” and more specific about how security defenses will be put in place if they are to introduce change, Lyne said. It’s not clear if the plan is to follow a more American-style adversarial system, with breach notification and wrist-slapping, or to proactively invest in security and data protection, he said. “I support the effort, nice try, but maybe have another go.”
The strategy is too broad, said the Software & Information Industry Association and TechAmerica Europe. The regulatory approach is too prescriptive and could suppress the very innovation that will help businesses, governments and citizens anticipate and address changing cybersecurity threats, said SIIA President Ken Wasch. The performance requirements could easily lead to technical mandates and rigid regulatory standards and reporting obligations, he said. Its scope goes way beyond critical infrastructure, where harm from cyberattacks is the greatest, he said. In doing so, “it threatens to engulf a broad range of other industries, thereby wasting scarce security resources on areas where the dangers are not urgent.”
TechAmerica Europe is also concerned about what it sees as the overly broad scope of the draft NIS directive, said Security & Privacy Policy Manager Christian Wagner. To be manageable and proportionate, the requirements should be narrowly targeted at sectors that operate truly critical infrastructures, he said. The “sweeping and indiscriminate” inclusion of enablers of Internet services fails to strike the “delicate, but indispensable, balance between the risk-based prioritization of assets and functions to be protected and the strong interdependences in cyberspace across sectors and across borders.”