Cyber security: is the draft NIS Directive doomed to change after the NSA scandal?
March 2014 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Following the Snowden leaks, on 11 December 2013 the European Union Agency for Network and Information Security (ENISA) released its ‘Overview of current and emerging cyber-threats’ (ENISA Threat Landscape 2013), which found that cyber threats have gone mobile and that the adoption of simple security measures by end-users could reduce the number of cyber incidents worldwide by 50 percent.
The report also provides a bird’s eye view of how things are progressing on this issue, indicating both negative and positive developments in 2013 with regard to the threat landscape. With regard to the negative trends of 2013, the report points out that: (i) threat agents have increased in sophistication, both in attack methods and tools utilised; (ii) cyber activities are not confined to a handful of ‘Evil States’ or complex multinational organisations – the capacity to tap into governmental and/or private targets and organisational data banks is quite scattered, and involves fewer technical capabilities than might be expected; (iii) cyber threats have gone mobile – attack patterns and tools targeting PCs developed a few years ago have now migrated to the mobile ecosystem; and (iv) two new digital battlefields have emerged: Big Data and the Internet of Things – M2M will soon become the Armageddon battlefield, as much of the bounty data will be migrating to this environment.
On the other side, ENISA points out a number of positive developments in 2013, including: (i) impressive law enforcement campaigns, capable of ensuring targeted successes – police arrests during the year included e-gangs responsible for the Police Virus, Silk Road and operators of Blackhole, the most popular exploit kit; and (ii) protective measures have been effective by virtue of worldwide sharing of information by independent agencies and authorities. The quality and number of sector specific reports as well as comparative data exchange on cyber threats have increased on a global scale, which is a crucial component of success.
ENISA also identified the next steps which need to be taken in view of implementing an effective ‘EU Cyber Security Strategy’. The proposed NIS Directive appears to be one such item.
In conjunction with the publication of the report, on 5 December 2013 EU Vice President Neelie Kroes underlined the necessity for Council and Parliament to make progress in upcoming negotiations regarding the adoption of the NIS Directive, designed to enhance public and private capacities, resources and processes to prevent, detect and handle cyber security incidents.
The proposed NIS Directive appears to be a key component of the overall cyber threat protection strategy, as it requires all Member States, key internet enablers and critical infrastructure operators such as telecoms companies and OTTs (large cloud computing service providers, social networks, e-commerce platforms, search engines, etc.) to maintain a secure and trustworthy digital environment throughout Europe.
The proposed Directive does not set new privacy obligations on operators (e-Privacy Directive framework no. 2009/136/EC) but rather addresses specifically the topic of systemic cyber attacks capable of compromising data systems. In particular, it requires operators of critical infrastructure, particularly in strategic economic areas (e.g., financial services, transport, energy, communications and health) to secure systems in order to enhance the offering of typical information society services (such as app stores, e-commerce platforms, internet payments, cloud computing, search engines, social networks, etc.). The expectation placed on operators is to address and adopt risk management practices and report major security incidents in the delivery of their core services, to ensure a transparent referral mechanism among all institutions and operators involved.
Under the proposed Directive, EU Member States must ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems they control, manage or utilise as part of their operations. Operators are required to assess the risks they face and adopt appropriate and proportionate measures to ensure the objectives of NIS, and required to report to competent authorities any incidents seriously compromising their networks and information systems, and which significantly affect the continuity of critical services and the supply of goods.
For EU Vice President Kroes, Europe’s economic recovery depends on the resilience of the ICT systems and networks underpinning modern society. Recent revelations on the NSA have also confirmed the importance of enhancing the security of the European value chain and fostering trust. She highlighted that proposed obligations under the NIS Directive regarding notification by market operators leave room for essential flexibility and will be proportionate.
The EU’s vision, objectives and goals must thus be reached by means of a safe network environment, and the transparent use of related applications and systems. ‘EU cyberspace’ (if we can imagine virtual space as having a geographical identity and confinement) must be protected from incidents, malicious activities and misuse. Governmental agencies (first and foremost, national NRAs) must have a significant role in ensuring a free and safe cyberspace accessible to all internet users.
It is expected, therefore, that the adoption of the Directive will force Member States to strengthen their response to cyber crime, and contribute in an integrated fashion to improving cyber security in general for citizens. This homologation exercise across different regulations appears quite complicated, as security levels differ and many nuances exist among EU Members on fundamental aspects such as the general obligations placed on operators, site sharing principles, code sharing, transparency implications, M2M data treatment recognition, and safety principles for non-traditional operators in general.
A recent report, titled ‘2013 Italian Cyber Security Report – Critical Infrastructure and Other Sensitive Sectors Readiness’, issued on the 9 December 2013 by the Cyber Intelligence and Information Security Research Center of the Rome University, highlights what needs to be done in Italy in this respect. The report highlighted a negative development trend on the increase of cyber attacks. The National Association of Leading Information Technology Companies estimated that 40 percent of attacks require at least four days to be resolved. In 90 percent of cases the attack is successful due to incorrect configuration of the security system and a lack of protective skills. However, despite the weak nature of attacks, the costs incurred by the private sector and the government alike to ensure protection appear high. In this regard, on a worldwide scale Gartner predicts such costs will increase from $55bn in 2011 and $60bn in 2012 to $86bn by 2016 – an estimate which appears quite conservative after the NSA scandal. It is clear (on a national or EU level) that cyber security is only one side of the coin regarding data protection and privacy online; much of the current debate surrounds protective measures deemed necessary in light of the Snowden leaks.
In fact, on the heels of this scandal, on 18 December 2013 the Italian Government, following a proposal from the Committee for the Security of the Italian Republic (CISR), adopted two documents detailing the blueprint of the national cyber security plan. An effective, nation-wide cyber security strategy has been set forth to protect critical infrastructure and identify measures and actions to bring down cyber threats, arising from a new socio-technological context and interdependencies produced by cyberspace in general. Italy still lacks a clear operational directive for the implementation of a national computer emergency response team (CERT). In fact, although the identification of a national CERT at the MISE was introduced by Legislative Decree 28 May 2012, n. 70 (to comply with the transposition of Directive 2009/140/EC relating to electronic communications), to date there is no operating structure of this type.
Under the new pressure of the NIS Directive, the relevantrequirements will lead to more consistent risk management measures on a European level, including improved response and systematic reporting of incidents. All of this will create more transparent privacy principles, as well as equal and stable conditions for anyone trying to compete in the delivery of online services in Europe, ensuring a protected area in the delivery of Information Services for the single EU market.
Fabrizio Cugia di Sant’Orsola is a founding partner, and Chiara Reali and Silvia Giampaolo are lawyers, at Cugia Cuomo& Associati. Mr Cugia di Sant’Orsola can be contacted on +39 06 960 38 103 or by email: email@example.com. Ms Reali can be contacted on +39 06 960 38 104 or by email: firstname.lastname@example.org. Ms Giampaolo can be contacted on +39 06 960 38 100 or by email: email@example.com.
© Financier Worldwide
Fabrizio Cugia di Sant’Orsola, Chiara Reali and Silvia Giampaolo
Cugia Cuomo & Associati