While viewed as a “step in the right direction”, the EU’s new cybersecurity strategy is criticised by experts for its lack of clarity on ensuring the safety of cloud computing.
The European Commission released its cybersecurity strategy yesterday (7 January) to address concerns and promote greater internet safety.
But the obligations put on EU member countries to report cyberattacks are “vague” and appear to do little to protect EU citizens’ data stored outside the EU, Wim Nauwelaerts, a privacy and data security lawyer with the firm Hunton & Williams, told EurActiv.
The EU-wide strategy aims at establishing cross-border cybersecurity rules and practices, and coordinated attack response. Companies and public bodies will also have to report significant attacks to the Commission, which took the unusual step of publishing a list of companies to which this may apply, including Google, the retailer Amazon, eBay and a number of telecoms and cloud service providers.
It also contains a legislative proposal obliging member states to designate a national competent authority for network information service, and set up a functioning computer emergency response team.
Catherine Ashton, the Commission vice president in charge of foreign policy, said the EU executive had to agree norms and enhance dialogue with governments outside Europe to ensure the “protection of fundamental rights online and offline”.
The new EU rules, pending the European Parliament and Council’s approval, would require member states to report to the Commission cyberattacks on data sites within their “control”, even if they are outside the EU.
The responsibility for the safety of an EU citizen’s data kept in an off-site data storage centre “has to come back to one national authority”, said an official from the office of Neelie Kroes, commissioner for the digital agenda.
Therefore, the national authority covering a German company or public body using a data storage centre in Singapore will be responsible for ensuring the safety of the service for citizens within its jurisdiction, he told EurActiv.
To Nauwelaerts, who is also a cloud computing advisor, this opens up a regulatory can of worms.
“As it stands right now it’s going to raise a number of legal issues”, he said.
“We are going to have to export European rules in that respect… If they are only from Europe I’m not sure they are going to solve global problems.”
Under the strategy, member states will have to audit “critical infrastructure”, including off-site cloud storage facilities “for all services, no matter if they are in Europe,” the EU official said.
“I am skeptical about how to put that in practice,” Nauwelaerts said, adding that overall he supported the cybersecurity initiative.
“How do you define control? ... How do you continue to exercise ‘control’?” he said. “This is a complex legal issue and topic of debate in the privacy and data protection field.”
The EU body using the service provider in another country would have to ensure that they abide by the EU’s standards, or risk failing to comply themselves.
“This requires a robust contractual framework between the EU [private or public] body and the service provider in other countries”, he said.
The EU strategy does not call for the creation of new international legal instruments for cyber issues.
Currently, an international convention on cybercrime exists, providing a model for drafting national legislation and a basis for international cooperation. But as yet only 39 states have ratified the agreement, named the Budapest Convention.
The strategy calls for the creation of a coherent EU international cyberspace policy, which “will be aimed at increased engagement and stronger relations with key international partners and organisations.
“It will promote achieving a high level of data protection, including for transfer to a third country of personal data”, the Commission said.
“Surprisingly, the strategy does not call on all member states to develop and adopt their national cyber security strategies without delay. More than half of the member states still lack state level cyber security strategies. Foreseen obligatory Network and Information Security (NIS) strategies will cover a big part, but not everything in cyber space,” Tunne Kelam MEP (European People’s Party) said.
“The European Parliament asked for a comprehensive cyber security strategy that would build on a multi-stakeholder approach and go from network security to cyber defence. I especially welcome that the strategy emphasises the need to mainstream cyber space into external actions and the Common Foreign and Security Policy,” he added.
“Vagueness leaves room for undesired consequences,” said Marietje Schaake, a Dutch MEP (Alliance of Liberals and Democrats for Europe) and rapporteur for the recently adopted first Digital Freedom Strategy in EU foreign policy. “I welcome the Commission’s initiative as a first step in starting a debate, but we cannot lose time in addressing the most difficult questions. The EU needs clear common security and defence standards, including a vision on whether or not to develop offensive capacities, on liabilities and on chains of command ensuring democratic oversight and preventing the privatization of defence capabilities. Increasingly private actors are responsible for critical infrastructures and services online, but the state has ultimate responsibilities of ensuring freedom and security.”
DigitalEurope, the European digital technology industry association, said: “Member states are building communities and trust through local, regional, or sector specific private public partnerships, yet we see a general change in approach in the draft Network and Information Security Directive from working hand-in-hand with industry, to top-down, unidirectional reporting obligations and requirements. These could divert resources from effective security measures and would also undermine the benefits that companies gain from bi-directional exchange, which allows for the understanding of new threats and improves incident response. If the scope of the proposed incident reporting mechanism is too wide and burdensome, it could weaken trust at a time when we need to build on real-time information sharing and collective response. We are also concerned that the measures imposed on market operators could lead to interference with the design and manufacture of ICT products, which would stifle innovation and lead to a balkanisation of the network.”
“The strategy comes at a crucial moment, providing the public and the private sector with the tools they need to move beyond debating the problem and take concrete steps to tackle security issues,” said Huawei’s global security officer, John Suffolk. “The time has come to stop talking about the threat, stop talking about the challenges and start talking about the actions we have taken and will take.”
Richard Archdeacon, head of security strategy at HP Enterprise Security Services, said: “Forward looking technologies offer tremendous potential for economic growth in Europe, with cloud computing alone expected to boost the European economy by 1 trillion euros by 2020. However a lack of confidence in internet security due to the alarming number of costly attacks is blocking widespread adoption.”
Pastora Valero, chair of AmCham EU’s Digital Economy Committee, stated: “There is much to welcome in today’s announcement and we look forward to continuing our work with our government partners to improve awareness, preparedness and response to cyber incidents. We need to take care, however, that the legal framework is crafted in a way that encourages information sharing as opposed to introducing measures in good faith that actually weaken overall security.”
Thomas Boué, Director of Government Affairs for BSA, said: “Together with the proposed Directive on Network and Information Security, it will help promote a high level of cybersecurity in the EU.
“But the Directive also includes a number of elements that could undermine the Directive’s laudable goals. Specifically, the scope of the Directive should be narrowed to apply only to providers of truly critical services. The Directive would also benefit from clearer and more precise specification of the trigger, threshold and substance of the notification requirements to ensure consistency across the EU. Finally, to ensure that security services and other providers have the flexibility to develop technologies that can respond to fast-changing cyber-threats, the Directive should state explicitly that it does not contemplate technology mandates.”