Consultation Response – EU Network and Information Security Directive

E RADAR has submitted its response to the UK Government's consultation on the proposed EU Directive on Network and Information Security.

Online business is global business. The revolution in digital technologies has changed society and our economy fundamentally. The ease with which information held in computer systems can be accessed and searched, combined with practically unlimited possibilities for its exchange and dissemination regardless of geographical distance, has led to explosive growth in the amount of information available and in the knowledge that can be drawn from it. Experts now estimate that over 90 per cent of the world's data was created in the last two years, mainly due to social media and mobile technology. Our reliance upon everything digital is transforming the way we live on an almost minute-by-minute, second-by-second basis.

Cyber Warfare, network and information security

But with all opportunities come threats, including the emergence of new types of crime as well as the commission of traditional crimes by means of new technologies. The consequences of criminal behaviour can be more far-reaching than before because they are not restricted by geography or national boundaries. The recent spread of damaging computer viruses around the world has provided proof of this reality. Technical measures to protect computer systems need to be implemented alongside legal measures to prevent and deter criminal behaviour.

Keeping commercial and non-commercial networks and information safe from misuse or deliberate attack is essential for protecting the integrity and confidentiality of organisations, citizens, customers and consumers around the world.

Network and information security is an international challenge. E RADAR supports the overarching principles set down in the Cybercrime Convention of 2001 to harmonise domestic cybercrime laws, cybercrime offences, investigation and prosecution procedures, and international co-operation.

Network and information security

If Europe, and the UK in particular, is to become the world's centre for data management and compete against economies such as the US and China, a robust, integrated and confidential system for reporting, feedback and action must be put in place to deal with security breaches.

We therefore respectfully make the following observations and recommendations for the proposed EU Directive on Network and Information Security.

1. General approach

Policy-makers and those close to the subject may understand the role the directive plays in dealing with network and information security. But for most, particularly small and medium-sized businesses, the end-to-end process of how to manage and deal with online security often remains confused and unclear. And this is where network and information security matters – at a practical, not a policy, level. There are numerous organisations, agencies and standards bodies working in this field. We remain concerned that, if the directive is not implemented wisely, yet another 'quango-type' agency will give rise to more confusion.

2. Terminology

Enterprise needs both legal certainty and laws which are technology-neutral. We ask that all definitions in the directive be standardised in line with other similar legal instruments. There is work to be done to bring the definition of 'cyber' back to its origins in cybernetics, which imply command, control and feedback.

3. Reporting and Feedback

Some research is needed to produce sensible representations of cyber risk appetite. The Directive should promote a culture of forensic readiness as a priority, to allow for effective responses to attacks and incidents. We can learn lessons from fraud reporting, such as that managed by the British Bankers' Association, on how to assure the quality of attack and incident reporting.

The balance of risk, integrity and confidentiality must instil trust in both the users and the beneficiaries of any online resources. A supporting framework for the directive is needed to reward participants in the notification programme and so encourage openness and disclosure of reputation-threatening incidents. Penalties should be meaningful (see point 5 below).

We estimate that there are at least 43 incident-reporting schemes in use, each with its own standard for how vulnerability or risk data must be formatted for the respective database. We propose that reporting processes be consolidated, or that a good-fit candidate be strongly recommended.

The directive appears to focus too much on one-way reporting without providing for intelligence feedback – the holistic cyber view promoted by standards such as ISO/IEC 27001, PAS 555 and IASME. Harmonisation of standards is highly desirable to create a way of working that is appropriate to the risks faced and to how they are dealt with.

There can be no doubt about the usefulness of reporting network and information security incidents in real time, so that appropriate countermeasures can be enabled quickly by those responsible for doing so.

Classification of incidents

The classification of incidents should be proportionate to the risk and impact. For example, lost media that is encrypted may pose little or no risk, provided the encryption key has not been lost with it; equally, the strength of the encryption on lost devices varies considerably and affects the seriousness of the breach. A standard for impact assessment – which may be derived from HMG's Business Impact Tables – should be developed and promulgated.

Regulatory environment

4. 'Competent Authority'

It seems sensible in an age of government cuts and austerity to use an existing and well established regulatory body to implement the provisions outlined in the proposed directive.

Information Commissioner

We suggest expanding the mandate of the Information Commissioner so that he may be appointed as the 'competent authority'. The Information Commissioner already has complementary responsibilities for information and network security under principle 7 of the Data Protection Act 1998. The proposed European Regulation on Data Protection also sets out a regime for managing data breaches which will eventually come under the remit of the Information Commissioner.

Reporting security breaches is also likely to raise actual and perceived restrictions on the disclosure of personal information. We believe the Information Commissioner is best placed to resolve any conflicts between disclosure and data protection.

Access and availability of guidelines

Government guidelines should remain consistent and easy to access.

We note the wealth of help and guidance on managing and securing (personal) information that the Information Commissioner has published and made readily available. For example, his guidance on Keeping Personal Information Online looks at the impact online technologies (e.g. cloud services) have upon the processing of data.

Stakeholder representation

The competent authority should allow for stakeholder representation that includes trade and professional bodies from business areas identified as being at high risk from cyber attack and/or having the most to lose from breaches of security.

As with the Technology Advisory Board under the Regulation of Investigatory Powers Act 2000, stakeholder representation will help ensure that a breach-reporting regime is proportionate and fair.

Role of Parliament

In any case, and to avoid conflicts of interest over data breaches originating from government organisations, the competent authority should be answerable to Parliament.

5. Penalties

Penalties applied for avoidable breaches of security should be proportionate to the organisation's size and turnover. We note the current criticism of the EU proposal to impose fines of up to 2% of global turnover for breaches of data protection.

Raising awareness

6. Post Reporting

Information dissemination

A release protocol is required to filter out sensitive information and allow the timely disclosure of those threats that can be made public.

We would like to see the creation of a public information service in which the cyber centre becomes as widely used as the Met Office is for weather reporting. For example, consider a cyber risk and treatment bulletin at the end of national news broadcasts.

Compensation schemes

We would warn against the directive encouraging cyber-injury compensation schemes at the expense of the newly emerging market in cyber insurance.