Will the EU Cybersecurity Directive do more good than harm?

Cybersecurity is fashionable. Everyone must have an initiative: from the dozens of fragmented and competing schemes across the tribes of Whitehall, Washington or the Berlaymont , through the IGF and ITU, to the World Economic Forum at Davos. There may now be more international cyber co-ordinating initiatives than there are global criminal networks exploiting the chaos. The initiatives may all have admirable objectives but how many actually do any good? More importantly, how many of them actually do harm, by adding layers of regulation, reporting and delay that get in the way of removing vulnerabilities and taking out predators. The EU economy is already shrinking as wealth creating business is driven offshore by over-regulation and over-taxation. Do we really want to accelerate that process, driven by tick box compliance with regulations that may actually make us less safe?   

The EU Commission has very worthy objectives. But the plans, such as for reporting breaches, appear equivalent to using the 1896 infantry manual to train Kitchener’s Volunteers for the battle of the Somme. The reason given in 1916 was that the 1911 manual, with its instructions on how to attack entrenched positions with machine gun emplacements, was “too complicated”. The reason today appears to be that EU officials have collated the views of regulators, of compliance officers and of consultants who are not working to help protect paying customers against current and emerging threats. Stewart Room has tried to put the initiatives into business perspective for Computer Weekly readers but like the EU Impact assessment, he misses the impact of the directive in driving offshore those who are serious about the security of their organisations and that of their customers. It is not just the cost of compliance but the vulnerabilities that this can open up, from the ability of compliance officers and regulators to cross the Chinese Walls that protect aainst insider fraud, to requirements to share information with agencies who are not seen as trustworthy. The latter might well include the national intelligence agencies, who Ross Anderson, in a thoughtful piece on the proposals, regards as even more untrustworthy. In this case I partially agree, given the intimate links, between them and the cyberwarfare operations of the nation states.

The Russians showed the vulnerability of Internet-based systems in 2007, when they took out the Estonian economy and agian in 2008, when they took out the US supplied Georgian air defence system. Then the US thought it would be a good idea to take-out the Iranian centrifuges with a computer virus (Stuxnet). They delayed the programme by three months. They also appear to have legimitised cyberwarfare: leading to plague of attacks that is variously blamed on China, Russia, Iran, Israel, Terrorists and Organised Crime. Hence the desire for a global convention to prevent these escalating into World War 2 by mistake. Hence also the UK £650, most of it to expand our military cyberware and surveillance capabilities, and the current lobbying for more.  

Effective action to reduce the vulnerabilities (from insecure internet addressing routines to vulnerable operating systems and browsers) that enable those attacks could cripple cyber warfare capabilities on all sides. That is why governments prefer to let the snake oil salesmen promote awareness exercises to sell us extra layers of expensive monitoring, blocking and consultancy products and services which will make us feel better while not significantly improving our security – or impeding their cyberwarfare games.

Security vendors and regulators, for whom govenrment is a major customer, say the answer is to spend more on security and regulation and to co-operate in organising awareness campaigns to persuade others to do so as well. But where is the practical advice on what to do if victimised because mainstream anti-malware products have failed to protect? The inability to find anyone to report the problem to, let alone to get help from, merely increases the paranoia of those who watch the awareness videos

Attack is often the best form of defence but the idea of working together to track and trace common predators, using civil law (tort and contract) to coerce co-operation from those whose services they use, appears taboo. It smacks of “private justice” and “vigilantism”. The costs incurred by those who have to reimburse the victims of on-line banking scams (UK law is different to that of the US), are now rising sharply. But those costs are still probably less than the cost if the public loses confidence in the on-line world.

We spend £billions on ineffective Information Security which is commonly bypassed with insider help if we are believed to have data worth copying or funds worth stealing.  Meanwhile the budgets available to help enforce criminal law can be measured in “£millions.

We need to change the balance of effort and bring the banks and financial institutions alongside on-line retailers and transaction and communications service providers and law enforcement to create the frameworks necessary for effective co-operation to not only protect themselves and their customers but to take out the predators, wherever they are located, using whatever mix of civil and criminal law is most effective.

We also have to recognise that this will expose the schizophrenia of governments (“ours” as well as “theirs”), split between those who concern is crime preventation and those whose concern is with cyberwarfare and surveillance. But, as I have blogged elsewhere, that split goes back several millennia anyway.

First, however, we should seek to bring the indigenous (i.e. UK and EU) players together, via groups like the Digital Policy Alliance, working in co-operation with PICTFOR in the UK and the EIF in Brussels, to help politicians “scrutinise” the small print in proposals, like the Directive (and the accompanying regulations to strengthen the position of ENISA and EUROPOL), to ensure that they really do do more good than harm.

Otherwise yet more of our e-Commerce will go off-shore to those based in the US or Far East.

I emphasise the indigenous players because many of those based outside the UK currently have a win-win situation. They can work alongside their customers to help oppose that which would make the EU less competitive while also benefiting if they fail and their home markets and their customers elsewhere benefit. It is good when they help – but they have less “skin in the game” and we should not take their help for granted.

Enhanced by Zemanta