The policy document has introduced a Computer Emergency Response Team (CERT) in each country in order to promote more reliable reporting of online attacks and breaches.
CBR rounds up expert comments on the CERT initiative as part of the EU’s cyber security strategy.
Ilias Chantzos, Senior Director of Government Affairs at Symantec EMEA & APJ
Symantec welcomes the EU’s cyber security strategy and shares a commitment to its broad objectives. With cyber attacks having an impact on both organisations and individuals in Europe, Symantec has consistently highlighted the need for governments and policy makers to make information security a major public policy priority, at both a national and a European level. The proposed strategy builds on some of the existing work that EU Member States have done and serves to reinforce the need to strengthen critical infrastructure and to work in a collaborative manner. The proposal is the start, not the end, of the democratic process within the EU, and it is definitely a step in the right direction.
Raj Samani, EMEA CTO at McAfee
Whatever the regulatory response, we should ensure that such technological innovation continues to be at the forefront of efforts to out-innovate the malicious actors.
They need to be well thought through to avoid unintended consequences such as over-notifications. Forced notifications of vulnerabilities should be avoided. The system as proposed will need to be further fine-tuned to ensure it will be a workable system.
David Hoffman, director of security policy at Intel
When looking at issues of product assurance, secure development and evaluation, these should be addressed through existing methods such as global evaluation methodologies like the Common Criteria and the Common Criteria Recognition Arrangement, or industry-led codes.
One part of the proposal that will draw significant attention is the introduction of a security breach notification system to further incentivize both public and private organizations. Such systems can play a role in increasing awareness and responsibility.
John Yeo, EMEA director at Trustwave
We’re supportive of improvement to how businesses handle personal data. It might be fair to say the proposed EU general data protection regulation is something of a curate’s egg. The notion of a single data protection law for all EU businesses storing online data is a sound one. The threat of harsher penalties for businesses that fail to protect private individuals’ data will undoubtedly cause companies to take a closer look at the measures they have in place to secure sensitive data. Some of the loudest objections from a handful of multinationals do raise the question as to whether the measures they currently have in place are sufficient with respect to the protection of personal data. At least if you’re of the opinion that it’s not their data in the first place, instead that it’s your data and mine, and they’re just a temporary custodian.
The idea that the proposals will "save companies costs of up to 2.3 billion EUR per year and increase EU GDP by 4% by 2020" is not easy to digest. This may be the case for larger multinationals which will benefit from a harmonised regulatory landscape instead of having to comply with different regulations by country. However, the elephant in the room is the impact on the 23 million SMEs within the EU, of which only 8% export and, according to the EU Commission, the most important individual business constraint already reported by SMEs is compliance with administrative regulations.
Will it have a significant impact on cybercrime? It’s a loaded question. What we do know from our own forensic investigations is that cyber-criminals are excellent at identifying and targeting the path of least resistance, expertly seeking out the highest criminal return for the least amount of effort. Whether that means focussing on particular industries with common vulnerabilities, or known vulnerable technologies, there will always be businesses with a lower than average security posture that make for worthwhile targets.
So who will be winners and losers from the proposed legislation? Security companies, lawyers and multinational organisations look set to benefit, whilst SMEs will be burdened with more expense in an already strained economic climate, and the cost of long legal processes and administrative bodies to monitor and enforce the regulation will hit taxpayers’ pockets. Overall my guess is that in the long term it will have a positive benefit, but the intervening period could be a long and arduous one.
Martin Sutherland, managing director at BAE Systems Detica
Implementing a cyber security strategy to formalise best practice for EU members and the businesses that European economies rely upon is an important step in combating cyber attacks that know no borders. The strategy will also support EU member initiatives already implemented, such as last year’s update to the UK government’s cyber security strategy.
One of the most noteworthy elements of the EU proposals is that operators of critical infrastructures in some sectors (such as FS and energy), as well as information society services (such as search engines) and public administrations must adopt risk management practices and report major security incidents on their core services.
It is vital that any legislation around risk assessment and breach disclosure should focus on the market behaviours that will be created; legislation on its own does not solve the problem and if not implemented carefully may drive negative behaviours. We need to be careful that positive outcomes and information sharing about the cyber risk is the result, rather than honest disclosure being driven underground by fear of reputational damage.
In addition, businesses must remember that legislation only provides the framework to best respond to cyber attacks. Firms need to take intelligent responsibility – that is the only way to respond to such an asymmetrical threat. It will be interesting to observe how the legislation, once ratified, affects market behaviour across Europe.
Dr. Guy Bunker, SVP of products at Clearswift
Sharing information can only help improve risk management and mitigation and should be applauded, but there does need to be a single point of reference – not many. Most countries have CERTs today (in many cases multiple CERTs) – one of the challenges is to share information both ‘internally’ between countries in a timely manner. Threats (and attacks) move rapidly, having information a week late is of little use. So there needs to be understanding of the structure and the communication channel. The information then needs to be disseminated down through all types of organisation and the levels of detail adapted accordingly. This is primarily to make the information about the risk of attack readily digestible by the smaller organisations which may not have the necessary expertise to understand all the gory details.
The key is that without ‘publicity’ others will not learn about the attack vectors being used and, therefore, won’t be able to put together a defence plan. That doesn’t mean that organisations should be named, but it is useful to know something general, such as there being a directed attack against a telco or a pharmaceutical company which attempted to steal IP or financial information. Understanding the threat means you can target your response to best address the risk. Security for everything, everywhere is not practical – from both time and cost perspectives. So a little understanding means you can spend the security budget wisely.
Mark Brown, director of information security at Ernst & Young
The European Commission’s move confirms that cyber security is a growing problem for businesses and governments alike. With 88% of organisations in the UK reporting an increase in cyber attacks, according to our latest Global Information Security Survey, the damage of a breach, not just to individual companies, but the economy as a whole, becomes clear.
As the world becomes more interconnected so does the way in which it operates and the sharing of information. A new, unified approach that cuts across borders, national infrastructure and capability, as well as across organisations in different countries is needed now more than ever.
The Commission is right to extend the obligation to report significant cyber incidents beyond telecoms companies to include organisations in the energy, transport, health and eGovernment sectors. But, even that doesn’t go far enough. Services from the online economy that touch the lives of millions of people are now available in every sector. It is by collaboration and transparency across the business life cycle – from investors right through to customers – that awareness can be raised and future incidents can be prevented, while exploiting the full benefits of the online economy.
This step can only be seen as the beginning of a long and challenging journey. The Commission needs to work with the 27 member states to ensure that the countries lacking the necessary tools to fight cyber threats catch up with those that already have a high level capability in place and that eventually a common reporting mechanism is in place. Businesses also need to understand that the cost of keeping silent and doing nothing to counter cyber threats is far greater than the cost of having a strategic security framework in place.