EU cyber laws should target IT suppliers' security negligence

Cyber security has made its ultimate mainstream breakthrough. This week, a relatively minor hack targeted at Apple not only made the BBC 10 O’clock News, but warranted a lengthy studio discussion between presenter Sophie Raworth and a BBC security correspondent.

Attacks of varying sophistication and impact are becoming a near-daily occurrence – and those are only the ones we hear about. Meanwhile, David Cameron hopes to export the UK’s supposed cyber security expertise, offering the government’s support to Indian officials during a trade visit, while China stands accused once more of extensive military-backed cyber espionage.

So the European Commission’s proposed directives on cyber security and data protection are nothing if not timely. But they are proving controversial.

As businesses come to understand the full implications, there is likely to be quite some uproar over plans to effectively police and regulate the data security of almost any firm that offers some form of electronic or online service, from social media to retailers to banks.

US internet firms are lobbying to water down the proposals, and European companies are pushing back on plans for mandatory data breach reporting. There will be other concerns yet, and it seems certain that before long we will be bracketing IT security providers alongside lawyers as the guaranteed beneficiaries.

But the problem ultimately remains one of the IT industry’s own making.

Security is still an afterthought too often. Few, if any, of the software and hardware systems that are used on a regular basis were designed with security in mind from the start. Security is still a feature to be added in, rather than a fundamental element of product strategy, architecture, design and development.

The need for regulation is in itself an indictment of the failure of technology providers. But many of the proposed rules will serve only to allow those suppliers to sell more products and make more money, instead of changing their behaviour.

The users of technology will bear the brunt and cost of compliance with the EU’s directives, not the providers of the technology upon whom they rely. This, surely, risks missing an opportunity to force change on a negligent IT industry.