Yesterday's announcement by the European Commission on cyber security has been welcomed for creating a unified approach that cuts across borders and encouraging teams to collaborate and share data.
As announced by SC Magazine yesterday, the strategy will aim to: achieve cyber resilience; drastically reduce cyber crime; develop cyber defence policy and capabilities related to the Common Security and Defence Policy; develop the industrial and technological resources for cyber security; and establish a coherent international cyber space policy for the European Union.
Mark Brown, director of information security at Ernst & Young, said: “As the world becomes more interconnected so does the way in which it operates and the sharing of information. A new, unified approach that cuts across borders, national infrastructure and capability, as well as across organisations in different countries is needed now more than ever.
”This step can only be seen as the beginning of a long and challenging journey. The commission needs to work with the 27 member states to ensure that the countries lacking the necessary tools to fight cyber threats catch up with those that already have a high level capability in place and that eventually a common reporting mechanism is in place. Businesses also need to understand that the cost of keeping silent and doing nothing to counter cyber threats is far greater than the cost of having a strategic security framework in place.”
Speaking to SC Magazine, Brian Honan, head of the Irish computer emergency readiness team (Cert), said that following other initiatives at the European level in dealing with cyber crime, such as the opening of the Europol European Cyber Crime Centre in the Hague, this had a number of other positive moves - such as the requirements for certain companies, especially those with responsibilities in the critical network infrastructure area, to take a risk-based approach to security and to report major security incidents.
He said: “The requirement for each member state to have a Cert is another positive move, but is simply a reaffirmation of earlier EU directives. These requirements reinforce how important information sharing is in order for us to tackle online threats such as crime, sabotage and espionage. However, it should be remembered that there are a lot of good information sharing initiatives in place already, such as TF-CSIRT and First, and I would hope that the new EU strategy will not undermine the good work that those initiatives are doing.
“It is also important that the national Certs have the proper capabilities and resources in place. By making something mandatory there is the risk that it will simply be done in order to pacify a requirement rather than be an effective tool.
“While there are areas of the strategy that I do not fully agree with, all in all I welcome the EU cyber strategy and hope that the governments of the various member states engage with it in a positive and constructive manner.”
Stewart Room, partner at Field Fisher Waterhouse, said that the impact of this reform will be massive, as the internet is essentially now recognised as part of critical infrastructure, just like utilities.
“Until now, cyber security law has focused on telcos and ISPs, the trunk and access layers of e-comms if you like, but the change brings in ‘over the top providers'. No doubt the EU will play down the cost of implementing the law, but such pleas should be resisted - the cost will massive to the internet ecomony. Yet, the experts are telling us through this directive that it is a price worth paying,” he said.
“Of course, news about Certs and national strategies isn't news for the UK, as the UK's been on top of this for a few years now. But on the big question, what's the difference between Facebook and the National Grid, the answer, for cyber security purposes, is absolutely nothing.”
Martin Sutherland, managing director of BAE Systems Detica, welcomed the strategy but stressed that in terms of risk assessment and breach disclosure requirements, it is imperative that the strategy drives positive behaviour and information sharing about cyber risks rather than deterring honest disclosure for fear of reputational damage.
He said: “Implementing a cyber security strategy to formalise best practice for EU members and the businesses that European economies rely upon is an important step in combating cyber attacks that know no borders. The strategy will also support EU member initiatives already implemented, such as last year's update to the UK government's cyber security strategy.”