- V3 Apps
The European Commission (EC) is considering forcing private sector firms hit by security attacks to report these incidents to strengthen the region's cyber security information sharing culture.
The plan was unveiled by the vice president for the digital agenda, Neelie Kroes, during a speech at the Information Security Forum Conference in Chicago on Sunday.
"I am considering extending to new sectors (enablers of key internet services, banking, energy, transport, health, public administrations) the obligations to adopt risk management measures and to report significant incidents to competent authorities that currently apply in the telecom sector," she said.
This would form a central tenant of the European Strategy for Cyber Security that Kroes intends to submit for consideration in the near future.
She said this was a key part of the proposals as she is concerned private sector firms are too reticent to share information.
"I understand that companies do not share information due to fear of reputational damages or liability. But the lack of information sharing slows down the capability to react," she said.
"In particular when an incident has repercussions outside the organisation and the other parties affected are unaware of an imminent threat or an incident that has already taken place."
The EC vice president cited the recently uncovered slew of attacks targeting critical infrastructure businesses as proof that the current attitude towards data breaches could have disastrous consequences.
"Incidents and attacks are clearly on the rise. The number of web-based attacks went up 36 percent in the year 2011 [...] If we want to preserve and promote the benefits of the digital world, we must put cyber security on the top of the agenda," she said.
"Cyber security is a shared responsibility of public and private players and our policies strive to address this. I believe however that we need to do more."
As a result she said both the public and private sector must do more to improve information sharing.
"Networks and infrastructure are mainly privately owned and run. However, the private sector clearly lacks adequate incentives to invest in security and to be transparent regarding the threats faced and the incidents occurred," she said.
"Governments can not only provide the right incentives but also lead by example by strengthening their preparedness," said Kroes.
The threat of enforced security reporting comes after European Union justice commissioner Viviane Reding raised the potential of mandatory data breach reporting 18 months ago.
This would come into force as part of the Data Protection Directive, which is currently under consultation.
The EC confirmed the proposals outlined by Kroes were independent from those of Reding.