Nine cyberattacks on UK transport infrastructure were not disclosed to the Department for Transport under mandatory reporting requirements, but were instead raised on a voluntary basis, according to an investigation by Sky News. The story calls into question the efficacy of the EU-mandated reporting requirements for cyberattacks on critical infrastructure. And having left the EU, experts warn, the UK may not benefit from an upcoming review of reporting rules.
NIS directive reporting rules: too narrow
Under the Security of Networks & Information Systems (NIS) directive, mandated by the EU in 2018, organisations that operate essential services, including transport, healthcare and energy, are required to report cybersecurity incidents that have a “significant impact” to their national technical authorities.
A Freedom of Information request by Sky News revealed that DfT received nine voluntary reports of cybersecurity incidents in the past three years, but none under the NIS directive. This suggests that other important cybersecurity incidents may go unreported.
Dr Tim Stevens, head of the Cyber Security Research Group at King’s College London, argues that, because it only requires critical infrastructure operators to report cyber incidents that have a significant impact, the NIS directive does not provide authorities with sufficient awareness.
“Why is it that they only have to report when something impactful happens rather than reporting breaches themselves?” he asks. “[I]f you wait for something bad to happen, like financial loss or loss of service, you could be waiting quite a long time and, in the meantime, your national technical authorities, which every country is required to have, don't have visibility over the state of the networks or the types of threats in the networks. And by the time something bad happens [it] is almost too late.
“There needs to be a mechanism that incentivises earlier reporting of significant breaches, even if they don't lead to impact in terms of continuity of service or financial loss,” Stevens adds.
Chris Dickens, sales engineer at bug bounty operator HackerOne, believes the reporting requirements for critical infrastructure operators should go beyond incidents and breaches to include vulnerabilities. “The focus must switch to shoring up vulnerabilities before attacks take place,” he says. “Transparency and responsible reporting of vulnerabilities is key to preventing incidents happening in the first place.”
Dickens recommends that critical infrastructure operators adopt responsible disclosure or vulnerability disclosure programmes (VDPs), which give anyone who discovers a vulnerability a clear process for reporting it to the organisation before attackers can use it to access or shut down critical systems. “Since UK transport systems are a key target for cybercriminals, the scrutiny provided by a VDP will support reducing overall risk,” he argues.
The limited number of incidents reported to the DfT reflects a “prevailing culture of security through obscurity” among infrastructure operators, Dickens adds. But “a lack of reporting is no defence against the risk of bad actors getting into systems in the first place,” he says.
Will the UK upgrade the NIS directive?
The European Commission acknowledged the shortcomings of the NIS directive last year and has adopted a proposal to revise it. “The digital transformation of society (intensified by the Covid-19 crisis) has expanded the threat landscape and is bringing about new challenges, which require adapted and innovative responses,” it said.
Its proposed upgrade, dubbed NIS2, would impose stricter security requirements on eligible organisations, would encourage more information sharing, and, crucially, would introduce “coordinated vulnerability disclosure for newly discovered vulnerabilities”.
NIS2 would also expand the scope of the directive to include “important entities” such as providers of postal and courier services, waste management, food production, manufacturing and social networking services. Organisations that fail to comply would be fined at least €10m or up to 2% of their total worldwide turnover, mirroring GDPR.
The proposed NIS2 Directive is now subject to negotiations between the European Council and Parliament. Once finalised, EU member states will have 18 months to transpose it into law.
How the UK handles the shortcomings of the original NIS directive, if at all, remains to be seen. “The UK is now going to have to do this on its own,” says Stevens. “And it's unclear precisely what the mechanism is going to be in a country that is regulation-averse to incentivise or require companies to report to the National Cyber Security Centre or to other parts of government.”