The objectives of the Network and Information Security Directive are laudable but the approach does not fit with the strategy supposedly behind them. Meanwhile the impact assessment is a collection of motherhood statements, not an assessment of the cost of incident reporting, let alone the legal cost of deciding what “incidents” have to be reported to those who will take no action other than to publicise your vulnerability. You have until Friday 21st June to respond to the BIS consultation. I urge you to do so, even though many of the questions are impossible to answer other than with a guesstimate. I only once managed to persuade a company to do an impact assessment on a new regulatory requirement. I was then told they would never do it again because of the internal firefight that resulted from allowing the Finance Director to see the full costs (as opposed to the usual massaged reports) of operating their new call centres.
The core of the problem is a focus on reporting breaches rather than attacks, whether successful or not. It is as though the sharing of accurate information on the impact of those V1s and V2s which reached London in 1944 and 1945 would be of any value other than to those tuning the target mechanisms. The value (to HMG and to Londoners) was in publicising systemically inaccurate information (right time, wrong location, to imply overshooting) so that the Germans unwittingly changed their aiming point from Buckingham Palace to Dulwich College (largest open space in South London if you include the Park, Woods and all the other sets of playing fields in the area).
The need is to make it very much easier to report attacks to those who will take action (e.g. the members of proposed CERT networks) and/or collate information as to their sources and nature, so that action can be taken to halt them and also to “remove” the weaknesses which facilitated them, even if the perpetrators cannot be located or “deterred” (e.g. because they are state-aided or out of jurisdiction).
Experience from the United States indicates that mandatory reporting is now a significant source of weakness, facilitating further attacks and abuses. Meanwhile the associated legal, regulatory and compliance costs are beginning to dwarf the information security budgets of many of the organisations concerned and get in the way of the action which would be effective. I note that Chris Grayling, Minister of Justice, has estimated the cost of compliance with the various EU Data Protection Directives at £hundreds of millions: yet for most of us our only contact is with incomprehensible waivers or the refusal of service, supposedly because of data protection. Meanwhile most on-line users have now been impersonated over the Internet by those who have got hold of our personal details, often from a public source (like the electoral register, a phone book or, in the case of Directors, Companies House).
Another problem is the extension of the Directive to cover “market operators” well beyond those where system failure might cause loss of life or severe economic disruption. If Facebook went down, would productivity go down or up? It is rumoured that last week, after the publicity for PRISM, network traffic across Whitehall dropped sharply. If so, was it because thousands stopped using Facebook, Google and other US-based services while at work?
A third is the mandatory sharing across the EU. There is serious controversy within, for example, Bulgaria over how the new head of their security services was appointed. There are enough problems within the UK over sharing between the various introverted rings of trust (which trust their members but not outsiders who may have their own “ring”). Creating mandatory pan-EU sharing may simply compound such problems.
That is enough negativity. Now for the positive side – using the opportunity to call for constructive action. The six point plan that I personally plan to put in the “other comments” section of my own submission to the BIS Consultation is:
1) The Directive should define and cover critical infrastructure (e.g. telecommunications, electricity, gas, water and payment systems). It should exclude social networking, entertainment and other non-critical operations.
2) The opportunity should be used to rationalise reporting systems, including a mandatory requirement on regulators to share and forward (e.g. to other regulators) reports made to them, rather than requiring duplication.
3) The mandatory reporting of breaches is counter-productive. It penalises those who have processes in place to detect breaches. It should be replaced by a focus on the reporting of attacks (including the methodologies used), whether or not they are successful.
4) The focus should be on making it much easier to report attacks to those who will take action against predators and those who have aided and abetted them, not to regulators who will merely penalise the messenger. The only mandatory requirements should be on those to whom attacks are reported. This should include acting as a “first stop shop” and passing reports to those who may be in a better position to take action.
5) The overall objective should be to facilitate action, not just intelligence.
6) It should be recognised that many of those involved in EU regulation and law enforcement are not themselves trusted or trustworthy, and no-one should be compelled to share sensitive information with organisations they do not trust.
I am now only an honorary advisor to the Digital Policy Alliance but understand they have plans not only to make a submission to BIS but to work alongside the Department in helping co-ordinate inputs from their members’ peers in other EU states. If you are serious about wanting to improve the quality of what happens in Brussels, as opposed to merely whinging and/or leaving, I do remind you that the DPA is now more active, and more effectively active, in this space than it ever was when it was EURIM and I was the bottleneck. Lord Erroll and his team are busy broadening the base of support and turning it into a genuine “Alliance”.