The core of the problem is a focus on reporting breaches rather than attacks, whether successful or not. It is as though accurate information on where the V1s and V2s that reached London in 1944 and 1945 actually fell would have been of value to anyone other than those tuning the targeting mechanisms. The value (to HMG and to Londoners) lay in publicising systematically inaccurate information (right time, wrong location, to imply overshooting) so that the Germans unwittingly shifted their aiming point from Buckingham Palace to Dulwich College (the largest open space in South London if you include the Park, the Woods and all the other sets of playing fields in the area).
The need is to make it very much easier to report attacks to those who will take action (e.g. the members of the proposed CERT networks) and/or collate information on their sources and nature, so that action can be taken to halt them and to "remove" the weaknesses which facilitated them, even if the perpetrators cannot be located or "deterred" (e.g. because they are state-aided or out of jurisdiction).
Experience from the United States indicates that mandatory reporting is now a significant source of weakness, facilitating further attacks and abuses. Meanwhile the associated legal, regulatory and compliance costs are beginning to dwarf the information security budgets of many of the organisations concerned and get in the way of the action which would be effective. I note that Chris Grayling, Minister of Justice, has estimated the cost of compliance with the various EU Data Protection Directives at hundreds of millions of pounds: yet for most of us our only contact is with incomprehensible waivers or the refusal of service, supposedly because of data protection. Meanwhile most on-line users have now been impersonated over the Internet by those who have got hold of our personal details, often from a public source (like the electoral register, a phone book or, in the case of Directors, Companies House).
Another problem is the extension of the Directive to cover "market operators" well beyond those whose system failure might cause loss of life or severe economic disruption. If Facebook went down, would productivity go down or up? It is rumoured that last week, after the publicity for PRISM, network traffic across Whitehall dropped sharply. If so, was it because thousands stopped using Facebook, Google and other US-based services while at work?
A third is the mandatory sharing across the EU. There is serious controversy within, for example, Bulgaria over how the new head of their security services was appointed. There are enough problems within the UK over sharing between the various introverted rings of trust (each of which trusts its own members but not outsiders, who may have a "ring" of their own). Creating mandatory pan-EU sharing may simply compound such problems.
That is enough negativity. Now for the positive side - using the opportunity to call for constructive action. The six-point plan that I personally plan to put in the "other comments" section of my own submission to the BIS Consultation is:
1) The Directive should define and cover critical infrastructure (e.g. telecommunications, electricity, gas, water and payment systems). It should exclude social networking, entertainment and other non-critical operations.
2) The opportunity should be used to rationalise reporting systems, including a mandatory requirement on regulators to share and forward reports made to them (e.g. to other regulators) rather than require duplication.
3) The mandatory reporting of breaches is counter-productive: it penalises those who have processes in place to detect breaches. It should be replaced by a focus on the reporting of attacks (including the methodologies used), whether or not they are successful.
4) The focus should be on making it much easier to report attacks to those who will take action against predators and those who have aided and abetted them, not to regulators who will merely penalise the messenger. The only mandatory requirements should be on those to whom attacks are reported. These should include acting as a "first-stop shop" and passing reports on to those who may be in a better position to take action.
5) The overall objective should be to facilitate action, not just intelligence.
6) It should be recognised that many of those involved in EU regulation and law enforcement are not themselves trusted or trustworthy, and no-one should be compelled to share sensitive information with organisations which they do not trust.