EU to impose compulsory cyber defence rules
The European Commission is planning to force energy, transport and financial companies to invest more in their cyber security and to report on breaches suffered, two EU officials said.
“The European Commission will propose by the end of the third quarter of 2012 a new obligation for security breach notifications for the energy, transport, banking and financial sectors,” said an official working at the Commission's digital agenda department.
The official said that companies have an interest in beefing up their protection against cyber attacks, but that they were not doing enough to defend their infrastructure.
“When they suffer a security breach, they usually do not report it,” the official explained, saying the Commission was looking at ways of obliging companies to notify such breaches.
“The obligation to report would worsen the reputational damage suffered by companies which undergo security breaches. This should lead them to invest more in security to lower their vulnerability,” the official said.
Following the ICT model
A second official, from the Commission directorate in charge of Justice and Home Affairs, confirmed plans to extend security breach notifications to new industries, other than telecommunication companies and internet firms which in Europe are already subject to reporting obligations.
The EU directive on e-Privacy states that “in case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk.”
This e-Privacy directive is currently the reference on cyber security, but it is likely to be soon complemented by more stringent rules. At the beginning of the year, the European Commission pushed forward a new legislative proposal to impose reporting obligations on data breaches for ICT firms, on top of the current security breaches.
Viviane Reding, the EU Justice Commissioner who is also in charge of privacy issues, proposed in January a 24-hour reporting obligation for telecoms and Internet companies when they suffer data losses.
Involving the private sector in the pursuit of stronger cyber security is necessary as it owns 90% of critical infrastructure in the EU, according to Europol, the EU law enforcement agency.
National and European institutions will also have to increase their cooperation to fight cyber crime. The Commission has recently proposed the establishment of a European cyber crime centre which is expected to become operational in January 2013.
But cooperation among the myriad security agencies on the continent is far from guaranteed. “There is enough crime that we do not have to compete for it,” said Troels Ørting of Europol, the designated director of the European cyber crime centre.
The likelihood of terrorist attacks on critical cyber infrastructure is seen as an increasing threat.
In 2007, Estonia suffered the most serious cyber attack ever seen in Europe following the relocation in Estonia of a Soviet-era war memorial.
Critical servers in Estonia went down temporarily, preventing citizens from accessing online bank accounts, government ministry websites and other public services available on the Internet. Russia was blamed for this attack but no official confirmation has ever been made.
The Estonian cyber-war set the global community on alert, with NATO promising to help protect its members from a new and little-understood threat.