As October – traditionally declared by the European Network and Information Security Agency (ENISA) as “cybersecurity month” – draws to a close, Europe is at an important crossroads with regard to cybersecurity. EU Member States are in the final stages of discussing their approach to the draft Network and Information Security (NIS) Directive. The Commission proposed this Directive – the first pan-European cybersecurity framework – in February 2013. The European Parliament subsequently made some important improvements in its amended version in March 2014.
Microsoft has welcomed the EU’s efforts to strengthen network and information security in Europe and has called for speedy adoption of this Directive. It is Microsoft’s core belief that regulation can play a critical role in the realm of security. Significant security incidents in recent years have shown that the market itself unfortunately will not take care of (cyber)security at the appropriate levels. Not all regulatory approaches will improve security, however. The key to finalizing this Directive in an effective way is to do so with a clear sense of risk management and prioritization.
The original European Commission draft unfortunately suffered from the overly ambitious approach to protect all services equally – from online games such as “World of Warcraft” to nuclear power plants. Such an approach is bound to fail. The European Parliament fortunately recognized this lack of a risk management approach and introduced key amendments in this regard. The European Council is currently in the final stages of trying to come to a joint position as key Member States have widely divergent opinions regarding prioritization and intended outcomes. One group of Member States intends to focus this Directive on the highest end of the risk/threat spectrum, namely the protection of core critical infrastructures such as energy, transport, banking, etc. Another group of countries is pursuing a much broader approach, focused on regulating the broadest possible number of online services including social media, cloud services, application stores. There are three specific challenges with the latter approach:
1) Broad regulatory scope + minimum harmonization = uneven cybersecurity patchwork for Europe. Unlike traditional critical infrastructures, which tend to be based and operated in one or perhaps a couple of Member States, so-called “information society services” often operate either in most EU Member States or even globally. At the same time, the Directive is “minimum harmonization”, meaning Member States are free to broaden its scope and include additional requirements for all operators as they see fit. As such, there is a significant potential for an uneven cybersecurity regulatory patchwork emerging, where services which operate across Europe will face different requirements in each Member State. That drives up compliance cost without any tangible security benefit.
2) Broad regulatory scope + limited security resources = less security. Just as in the offline world, there is no absolute security in cyberspace. As long as (ever more complex) ICT products and services are made by humans, there will be vulnerabilities. The answer is not to ignore this challenge. Security, in the face of ever more advanced threats in cyberspace, is an imperative. Effective security, however, requires effective risk management. Specifically, this means that risks must be prioritized. Those Member States that are trying to protect all services equally – both the core critical infrastructures and services of digital convenience – will create a cybersecurity environment in Europe that is in effect less secure. The simple fact is that neither the public nor the private sector has sufficient resources to protect everything equally, as there simply aren’t enough IT-security professionals in the world today. This gap, by the way, is a significant economic opportunity for Europe, although it would require significant focus on computer science education.
3) Broad regulatory scope + incident reporting = data protection concerns. Those Member States advocating for a broad regulatory scope of the Directive by directly pulling in the information society services underlying core critical infrastructures fail to recognize the significant data protection concerns that come with such an approach. The incident reporting requirement for “information society services” will mean that all covered IT vendors would be required to individually report incident data (which will include customer data) to national authorities on an unprecedented scale. The trouble with such an approach is that these IT vendors do not have an understanding of how their customers’ (critical infrastructure) services function and typically have very little context on how an incident with their systems is affecting the operator’s core infrastructure services (e.g. will the short outage of an app store cause a vital critical infrastructure function to stop working?). Finally, it is completely unclear how governments, some with very limited and just emerging capabilities, would be able to handle such a massive volume of, in many cases, random and double-reported incident data, both from an analysis and from a confidentiality standpoint. The answer very clearly lies in the approach that only core critical infrastructures should be required to report incidents to national authorities. Their underlying ICT vendors, however, should be reporting relevant incident data to these critical operators, which should be established by contractual agreements. The critical infrastructure operators themselves aggregate this information and report it up to the national authorities through existing regulatory channels.
Microsoft continues to believe that there are many very good elements in the draft Network and Information Security (NIS) Directive. Europe has a significant chance to become a leader in this critical space. European industry is united in this assessment across competitive boundaries, as a recent op-ed by Digital Europe, which raises similar points, shows.
The future of European cybersecurity is up for grabs. But the way to demonstrate leadership is not by “making the perfect the enemy of the good.” The 28 Member States in the Council of the EU now have a significant task ahead of them in finishing these deliberations successfully. They also have a responsibility to focus on protecting public safety, national security, and economic well-being. Sound risk management, with clear priorities and a focus on defined outcomes, is the way to go.