EU cyber laws should target IT suppliers' security negligence

Cyber security has made its ultimate mainstream breakthrough. This week, a relatively minor hack targeted at Apple not only made the BBC 10 O’clock News, but warranted a lengthy studio discussion between presenter Sophie Raworth and a BBC security correspondent.

Attacks of varying sophistication and impact are becoming a near daily occurrence – and they are only the ones we hear about. Meanwhile, David Cameron hopes to export the UK’s supposed cyber security expertise, offering the government’s support to Indian officials during a trade visit, while China stands accused once more of extensive military-backed cyber espionage.

So the European Commission’s proposed directives on cyber security and data protection are nothing if not timely. But they are proving controversial.

As businesses come to understand the full implications, there is likely to be quite some uproar over plans to effectively police and regulate the data security of almost any firm that offers some form of electronic or online service, from social media to retailers to banks.

US internet firms are lobbying to water down the proposals, and European companies are pushing back on plans for mandatory data breach reporting. There will be other concerns yet, and it seems certain that before long we will be bracketing IT security providers alongside lawyers as the guaranteed beneficiaries.

But the problem ultimately remains one of the IT industry’s own making.

Security is still an afterthought too often. Few, if any, of the software and hardware systems that are used on a regular basis were designed with security in mind from the start. Security is still a feature to be added in, rather than a fundamental element of product strategy, architecture, design and development.

The need for regulation is in itself an indictment of the failure of technology providers. But many of the proposed rules will serve only to let those suppliers sell more products and make more money, instead of changing their behaviour.

The users of technology will bear the brunt and cost of compliance with the EU’s directives, not the providers of the technology upon whom they rely. This, surely, risks missing an opportunity to force change on a negligent IT industry.

1 comment

The issue with "security breach notification" is what it actually means. The most serious breaches are those which are only discovered when customers are being systemically defrauded and a backwards investigation finds the source. But what happens when you cannot find one and do not know whether the fraud is only against your customers or is also against those of your peers as well and the breach is somewhere else? Thus I am told the common factor in a current set of "converged frauds" (i.e. they mix on-line with mail intercept to collect the supposedly secure authentication devices) is that the victims are company directors and the information used to start the impersonation process is a matter of public record via Companies House. The Commission proposals have worthy objectives but are like fighting the battle of the Somme with troop training using the 1896 infantry manual instead of the 1911 manual. The result was slaughter, while the one General who had retrained all his replacements using the 1911 manual got all his day one objectives with hardly a man lost.