Mixed reaction to EC’s cyber security plan

The European Commission's cyber security strategy and proposed network and information security directive are met with mixed reaction

European cyber security statistics

  • There are an estimated 150,000 computer viruses in circulation every day, with 148,000 computers compromised daily.
  • According to the World Economic Forum, there is an estimated 10% likelihood of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250bn.
  • Symantec estimates that cyber crime victims worldwide lose around €290bn each year, while a McAfee study put cyber crime profits at €750bn a year.
  • The 2012 Eurobarometer poll on cyber security found that 18% of EU internet users are less likely to buy goods online and 15% less likely to use online banking because of these cyber security concerns.
  • According to the public consultation on NIS, 56.8% of respondents had experienced NIS incidents over the past year with a serious effect on their activities.
  • Eurostat figures show that by January 2012, only 26% of enterprises in the EU had a formally defined ICT security policy.

The European Commission (EC) has published a cyber security strategy alongside a proposed directive on network and information security (NIS), with mixed reaction from the IT industry.

The cyber security strategy for an “open, safe and secure cyberspace” represents the European Union's (EU) vision on how best to prevent and respond to cyber disruptions and attacks.

The aim of the strategy is to promote European values of freedom and democracy and ensure the digital economy can safely grow, according to the EC.

Specific actions are aimed at enhancing cyber resilience of information systems, reducing cyber crime and strengthening EU international cyber security policy and cyber defence.

The announcements are in response to the increasing frequency and magnitude of cyber incidents that can threaten safety and cause major damage to the economy.

The EC said previous efforts to deal with this problem have been too fragmented, and that efforts to prevent, cooperate and be more transparent about cyber incidents must improve.

Ensuring a secure internet

According to the EC, the EU international cyber space policy promotes the respect of EU core values, defines norms for responsible behaviour, and advocates the application of existing international laws in cyber space.

The policy is also aimed at assisting countries outside the EU with cyber security capacity-building and promoting international cooperation in cyber issues.

The EC said the proposed NIS directive is a key component of the overall strategy and will require all member states, key internet enablers and critical infrastructure operators to ensure a secure digital environment.

This includes providers of e-commerce platforms, internet payment systems, cloud computing, search engines and social networks, as well as operators of critical infrastructures in the energy, transport, banking and healthcare sectors.

These organisations are required to adopt risk management practices and report major security incidents on their core services.

The proposed directive requires member states to adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents.

Member states are also required to set up a mechanism for cooperation with each other and the EC to share early warnings on risks and incidents through a secure infrastructure.

Neelie Kroes, EC vice-president for the Digital Agenda, said the more people rely on the internet, the more they rely on it to be secure.

“A secure internet protects our freedoms and rights and our ability to do business. It is time to take coordinated action – the cost of not acting is much higher than the cost of acting," she said.

Catherine Ashton, high representative of the Union for Foreign Affairs and Security Policy and vice-president of the EC, said that for cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline, should also apply online.

“Fundamental rights, democracy and the rule of law need to be protected in cyber space. The EU works with its international partners as well as civil society and the private sector to promote these rights globally,” she said.

Cecilia Malmström, EU commissioner for home affairs, said the strategy highlights concrete actions to reduce cyber crime.

“Many EU countries are lacking the necessary tools to track down and fight online organised crime. All member states should set up effective national cyber crime units that can benefit from the expertise and the support of the European Cybercrime Centre EC3," she said.

Stewart Room, partner at Field Fisher Waterhouse, said the new EU cyber security directive represents a real paradigm shift in the legal framework for network, communications and data security.

“For the first time all key players within the EU economy will be subject to a comprehensive legal obligation to be secure and to come clean about security failures,” he said.

According to Room, the directive provides a new understanding of what are critical European infrastructures, which will bring into scope huge parts of the internet as well as major utility organisations and financial services that cannot operate properly without secure networks and communications.

In the run-up to the publication of the strategy and proposed directive, IT industry representatives have expressed concern about the requirement for providers of critical infrastructures to report major security incidents on their core services.


Legal obligations raise concerns

Some sources in the IT industry have raised concerns particularly about how the new incident reporting obligations will work for industries such as financial services, which are already answerable to industry regulators concerning cyber incidents.

This raises several questions, they said, such as what would take precedence – the EU directive or industry-specific regulations?

In the light of the good work already being done by the UK’s Centre for the Protection of National Infrastructure (CPNI), there is concern that the proposed directive could “muddy the waters”.

Others have voiced concern that data breach incident reporting, which they say is not working particularly well in the US, will distract IT professionals from stopping attacks and mitigating their effects.

Earlier this week, EC trust and security policy officer Ann-Sofie Ronnlund told the ISSA London 2013 European Conference that obligations to report security breaches will apply only to “significant” incidents from a “societal point of view” and not every incident.

Ronnlund said the aim is not to overburden organisations with data breach disclosure obligations, but to promote a risk management approach to cyber security and ensure that incidents potentially faced by other European organisations are reported to get cooperation working smoothly.

Positive step to tackling the global security challenge

Not all reaction from the IT sector has been negative, however. Network equipment supplier Huawei welcomed the EU proposals to step up cyber security across Europe.

Leo Sun, president of Huawei’s European Public Affairs and Communications Office, said cyber threats do not stop at national borders, and neither can efforts to protect networks and systems.

“At Huawei, we believe an international approach in which all stakeholders take their fair share of responsibility is a prerequisite to tackling this global challenge,” he said.

John Suffolk, Huawei’s global security officer and former UK government CIO, said the EC strategy comes at a crucial moment.

“The strategy provides the public and private sectors with the tools they need to move beyond debating the problem and take concrete steps to tackle security issues,” he said.

HP also welcomed the EC cyber security strategy.

“Forward-looking technologies offer tremendous potential for economic growth in Europe, with cloud computing alone expected to boost the European economy by €1tn by 2020. However, a lack of confidence in internet security due to the alarming number of costly attacks is blocking widespread adoption,” said Richard Archdeacon, head of security strategy at HP.
