Following on from E RADAR’s recent submission to government, Dr Daniel Dresner sets out his own wish-list for the draft EU Network and Information Security Directive.
So. We need a directive about Network and Information Security? Brussels says so. And yes, it is necessary. We needed Tufty, the late Jon Pertwee, and the Green Cross Man to tell us about road safety. You just need to look at reports from BIS, Verizon, or any of the maven’s in the field (love The week according to @neirajones (http://paper.li/neirajones/1369506964) to realise that we need help from wherever we can get it before stepping on the Information Super Highway. I still like that term – how many times have you started out for a particular website and find yourself still driving through information you’d never intended to look at? Is it just me with an attention span of…oh that’s nice.
So. What does the E RADAR team think about the proposals for the proposed directive? Actually, we think it’s got promise. Just like most entries in Eurovision, if they changed the words and the music they’d have a cracking song.
Network and Information Security Wish List
So what’s on our directive wish list? Here’s a taste:
1. Please, please, please standardise on the terminology. Criminals don’t care what cyber security means because they sneak off with the pickings whilst we get side-tracked onto reconciling two papers with the same objective but variable nomenclature. We can’t all be mavericks. It’s time to bring the definition of cyber back to its origins of cybernetics which imply command, control, and positive feedback. Let’s do the research to make sensible representations of cyber risk appetite.
2. Did you know that there are at least 43 ways of reporting incidents? Consolidation or the strong recommendation of a good-fit candidate is required.
3. The balance of risk and confidentiality must instil trust in both users and beneficiaries of on-line resources. It’s not about league tables of who has the most controls.
4. Reporting cyber security incidents is important but don’t lose the holistic cyber view promoted by standards like ISO/IEC 27001, PAS 555, and IASME. Harmonisation of standards is highly desirable to create a way of working that is appropriate to the risks faced.
5. There can be no doubt about the usefulness of reporting network and information security incidents in real time to allow appropriate countermeasures to be enabled by those with responsibility for doing so.
6. Let’s have a supporting framework for the directive to reward participants in the notification programme to encourage openness and disclosure of reputation-threatening incidents. Penalties should be meaningful (see the following point).
7. Penalties applied for avoidable breaches security, as defined by the derived legislation from the directive, should be proportionate to the organisation and the environment it operated in. Think ‘SSM’ – that’s the soft systems methodology, not another acronym to snigger at.
8. Classification incidents proportionately to the risk and impact. For example, lost media which is encrypted may pose little or no risk.
9. Please may we have a standard for impact assessment – which may be derived from HMG’s Business Impact Tables? (They’re rather good at getting the ‘does it matter?’ question across.
10. Let’s not create a new agency but build on what we have. Expanding the mandate of the Information Commissioner to be appointed as the ‘competent authority’. The Information Commissioner already has complementary responsibilities (for example, principle 7 of the Data Protection Act 1998). The authority should be answerable to parliament and not to government. (Resolution of potential and perceived restrictions of data protection conflicts will need to be resolved – a lot of silly business is said in its name.)
11. Learn lessons from fraud reporting ‑ such as that managed by the British Banking Association – to assure the quality of attack and incident reporting. (And perhaps that’s not a positive recommendation for existing systems of reporting.)
12. A directive is a model of the ideal and models attenuate the reality so resources outside the EU – for example cloud services – which will be affected by attacks and incidents must be included within the directive’s scope.
13. Include decent representation on the proposed EU cyber authority so that it involves not just corporates but also the trade representatives of – for example – smaller enterprises that form significant parts of the EU’s economy and are the channel for significant cyber attacks.
14. Please don’t encourage a cyber-injury compensation schemes that will inflate the genuinely useful emerging market of cyber insurance. You can’t get whiplash making a sudden move to switch off a server under attack. (Serious about what I do, not always about how it’s done. If you prick me, do I not leak?)
15. Reporting incidents – as we’ve said is part of a greater life cycle. It’s about time we realised that numbers just shock; we need to treat the numbers with the ointment of correction to reduce incidents in future. Let’s have a Directive that promotes a culture of forensic readiness as a priority to allow for effective responses to attacks and incidents.
16. Beware centralisation and the attempt to counter requisite variety with central control… At the very least, hub and spoke dynamic will be required to encourage further interaction and data sharing between organisations.
17. This is not group therapy for security officers and business creation scheme for cyber security consultants. Let’s give as many people as possible the opportunity to deal with the threat and take their own risks. Create a public information service where the cyber centre becomes as well used as the ‘Met Office’ is for weather reporting. Consider a risk and treatment bulletin at the end of national news broadcasts. (Yes. I know the forecast was sunshine, but at least I brought my brolly.)
18. Need to know is still a good principle and a check and balance when used properly. What we need is a release protocol for the information to filter out the secret and allow timely disclosure of threats that can be made public.
Now to turn these requirements in the living web of activity to throttle the web of defects and criminality that our systems are infected with.