Some thoughts on the EU cybersecurity directive
The new EU cybersecurity directive aims to improve cybersecurity by establishing a central authority for network and information security. The question is whether this is the right approach to improve cybersecurity.
Last week the European Commission presented a proposal for a directive (.pdf) on cybersecurity. The directive aims to improve network and information security by requiring Member States to implement a national cybersecurity strategy, a cybersecurity cooperation plan, a competent national authority on cybersecurity and a Computer Emergency Response Team (CERT). The directive also seeks to expand security breach notifications for IT incidents in relation to critical infrastructures and to create a infrastructure for confidential information sharing.
The directive raises some interesting questions about how cybersecurity is best dealt with.
Personally I am convinced cybercrime and cyberespionage incidents are rising exponentially, making it necessary for states to take action. A Washington Post article from a few days ago about Chinese espionage is illustrative of this fact. Our IT systems are often not protected adequately and we are rightfully concerned about the IT protection of critical infrastructures.
In its quest to improve cybersecurity, the Commission envisions a critical role for national cybersecurity centres. The promotion of public private partnerships, mandatory security breach notifications for critical infrastructures (which is defined quite broadly, see art. 3(8)(b)), secretive information sharing (see art. 9) and powers for cybersecurity centres to compel security audits and information from “market operators and public administrations to provide information needed to assess the security of their networks and information systems” (art. 15), are all examples of measures proposed in the directive. Other than the proposed enforcement powers for cyber security centres, not much would change for the cybersecurity policy of the Netherlands. The directive proposes many measures that are already carried out or proposed in our own cybersecurity strategy, such as the security breach notification for critical infrastructures, governmental involvement in major cybersecurity incidents and the vigorous promotion of public private partnerships and information sharing.
The idea is that when cross-border incidents arise, cyber security centres notify other centres about the “cyber threat” to prevent more damage and possibly take coordinated action. By sharing information in public private partnerships the overall level of cybersecurity is improved and the relevant parties can respond to the incident in a coordinated manner. Because much of the IT infrastructure and important data is in private hands, cooperation from private companies is required. However, not all companies may wish to share private data, including client data, with cyber security centres and thereby automatically involve law enforcement authorities and security services. Because of the proposed establishment of a central authority for network and information security some even fear the “militarization of cyberspace”. From a more cynical perspective, one may fear a bureaucratic toothless institution with conflicting powers and tasks overlapping those of other agencies. We could also consider other measures. For example, I support the plea (in Dutch) of Bart Schermer to actually provide the instruments to our privacy watchdog to enforce the requirement of “sufficient technological and organizational measures” to adequately protect personal data.
No panacea for cybersecurity
I believe we should be careful to place cybercrime-, cyberespionage-, cyberterrorism-, and cyberwarfare issues all under the umbrella term of “cybersecurity”. Issues relating to these different fields (of law) need attention on their own merits and may require different actions from our legislator. We should realize that cyber security centres and information sharing is no panacea for cybersecurity.