The European Commission (EC) has agreed a draft law that will require better cooperation between nations to tackle cyber threats and force major companies in key sectors to disclose cyber security incidents.
The EC first proposed a law to tackle the growing rise of cyber crime in 2013, and negotiators in the European Parliament, the Council and the Commission have now agreed on the first draft of the law.
The agreement covers three core areas:
- improve cyber security capabilities in member states;
- improve member states' cooperation on cybersecurity;
- require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities.
The last point is particularly notable as it essentially means firms ranging from Barclays and British Gas, to Google, Microsoft and Amazon would be required to report any security incidents.
Firms have often been extremely wary to do this, as it may not only damage customer trust, but also give their commercial rivals an insight into their operating practices.
However, because the EC agreement requires firms to release this information to the ‘authorities’, it may prove more acceptable, as firms could share information with government in confidence.
Andrew Barstow, partner in charge of cyber security services for financial services across EMEA at EY, said the information sharing element of the law was definitely a good thing and comes as the mindset about security sharing is shifting.
“More and more businesses are coming to the view that actually they can be penetrated even if they have good security in place, so if someone can share information in advance of the threat, that’s a good thing,” he told V3.
“Secondly I think many realise there isn’t a competitive advantage now in cyber security, it’s far more about working collectively to stop cyber criminals and benefit everyone.”
The focus on improving cyber security capabilities will require all member states to adopt a network and information security (NIS) strategy that sets out strategic objectives, policy and regulatory measures regarding cyber security.
Finally, the need to improve cooperation is covered by the directive in the form of a ‘Cooperation Group’ that will “support and facilitate strategic cooperation and the exchange of information among member states and to develop trust and confidence amongst them”.
The EC will also oversee the creation of Computer Security Incident Response Teams, known as the CSIRTs Network, within the Cooperation Group to “promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks”.
Andrus Ansip, EC vice president for the Digital Single Market, said the agreement was a vital step in the battle against rising cyber security threats.
"Trust and security are the very foundations of a Digital Single Market. If we want people and businesses to use and make the most of connected digital services, they need to trust them to be secure in the case of attack or failure," he said.
"The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cybersecurity solutions."
A step in the right direction
Bharat Mistry, cyber security consultant at Trend Micro, said that on the face of it the proposals were to be welcomed, as they would help improve the response to cyber crime for all.
“The EU directive is certainly much needed as the sharing of security disclosures across key companies and across member states will provide a platform for threat intelligence/sharing that is not only local to one country but also cross industry verticals across the EU," he told V3.
"As with any attack be it physical or in cyber space – getting early intelligence and reconnaissance is critical – this is the differential between reactive to proactive security."
He also noted that it would make cyber security a boardroom issue, rather than just an “IT headache”.
Mistry noted, though, that while the proposals were good on paper, implementing them in reality may prove more troublesome.
“However, in reality, questions will still need to be raised with regards to how the information will be shared, how quickly disclosures have to be notified, and what controls will be put in place so that any shared information does not violate any data privacy laws.”
The agreement will now need to be approved by both the European Parliament and the Council.
Once this is agreed, member states will have 21 months to implement the directive into their laws, and a further six months to “identify operators of essential services” that will be required to disclose any security incidents.
It is unclear at present how far the directive will extend to smaller firms, as the requirement for 'online marketplaces' to report security incidents could well cover small e-retailers.
This could prove onerous as many smaller firms may lack the necessary tools or skilled staff to tackle cyber threats.
Piers Wilson, head of product management at Huntsman Security, noted for example that the time it takes to spot a threat can be extremely long.
“Currently, the average time to detect an attack is over 200 days; meaning that by the time a successful attack is spotted and the relevant authorities notified, the damage is well and truly done," he said.