Each year there are at least 50 million cyber attacks in the UK alone, and this number is rising. Cyber security is a high-profile agenda item: from warnings this month by Vince Cable of the vulnerability of essential services, to the recent request by David Cameron for China to enter into formal discussions on cyber attacks. It is clear this issue goes beyond immediate security threats; cyber security is a key economic concern, and the UK and EU need to provide an appropriate framework of protection for companies operating in their jurisdictions.
Could the EU Directive for Network and Information Security provide the answer to this issue? Published a year ago, it seems apt to reflect on the potential impact of the Directive on the cyber security threat.
While the pending EU elections have cast some uncertainty as to whether the Directive will be implemented in its current form (or even at all), the Directive provides a good indicator of the approach the EU is likely to adopt.
The Directive’s approach
The aim of the Directive is to make the EU’s online environment the most secure in the world.
The Directive seeks to achieve this in a number of ways. Some of the key proposals include strengthening cross-border co-operation and information exchange; requiring each member state to produce a national cyber security strategy and establish a Computer Emergency Response Team; and mandatory reporting of significant security breaches.
The UK’s consultation on the draft Directive indicates a general feeling that the existing non-regulatory approach in the UK is a more appropriate regime.
There is a concern that the mandatory requirements contained in the Directive would increase costs and, perversely, penalise those companies with better detection systems in place (as they would be more likely to detect a greater number of attacks).
One benefit is the proposed harmonisation of the current fragmented schemes across the member states, but does this go far enough? Cyber security by its nature is a global issue and there has been criticism of the proposed Directive for a perceived failure to align with international bodies including the US government.
The work of the EU-US Working Group on Cybersecurity and Cybercrime goes some way to bridging the approaches, but to fully alleviate the concerns about the Directive, this group, and other initiatives, will need to consider a joint approach to policy and not be limited to conducting joint cyber security exercises. In a comparison of the Directive with the Obama Administration’s Cybersecurity Executive Order, the US approach is deemed to be more favourable: it focuses on non-regulated systems and incentivising compliance from companies rather than creating a culture where companies could seek to subvert the requirements for fear of the associated reputational risks. Perhaps in order to succeed with its aims the EU should consider taking a leaf out of their American colleagues’ book.
The aims of the Directive are laudable but in our view there is a real risk that the imposition of more red tape and procedure will serve only to hamper businesses.
The Directive could have a negative effect on the economy as the increase in operational costs may result in EU-based companies becoming less competitive than their non-European counterparts.
There is a danger that the regime would have the effect of diverting companies’ resources towards satisfying compliance instead of improving security. Companies want to be provided with a proactive, preventative intelligence and response system but, as it stands, it is likely that the EU will not be dynamic and timely enough to deal with threats and provide the assistance companies require.
In our opinion, in order for the Directive to achieve its aim there needs to be harmonisation: in approach across member states and with the rest of the world; with the existing (and proposed) regulatory frameworks, in particular data protection requirements; and, finally, with the needs of the companies who will be required to operate under the Directive.
As it stands, if – and this is a big if – the Directive is implemented in its current form, there is a real risk that such implementation will only serve to hinder rather than help the fight against cyber crime.