EU countries diluted new rules regulating information-sharing on cybersecurity breaches, a top European Commission official said today (26 April), which made it impossible to monitor hackers’ assaults on member states’ critical infrastructure.
EU countries must still cooperate much more on cybersecurity after the bloc passed its first ever law regulating how they inform each other about security breaches, said Jakub Boratyński, head of the security unit at the Commission’s technology arm DG CONNECT.
Boratyński said the new cybersecurity rules agreed in December are a lot weaker than the EU executive wanted.
The network and information security (NIS) directive, the first-ever EU-wide cybersecurity law, will go into effect in 2018.
Negotiations on the directive were hampered by EU countries’ wariness over exchanging sensitive information with all 28 member states about security breaches in critical infrastructure such as banking and energy grids.
But there is still room for EU countries to step up their game and share more information about cybersecurity attacks, Boratyński added.
“There is a possibility for this to grow and to advance. I would not expect this to be immediate, unless we have some major defining moment, like a major anti-terrorism policy like we had in the wake of the recent attacks,” Boratyński said at a Brussels conference.
“If you look at the original Commission proposal, we wanted very ambitious information sharing between member states, which would ensure assessment of risks, threat intelligence and coordination of response to attacks. That approach was not taken on board,” Boratyński added.
“What we will have at the end is a network of CSIRTs, national computational response teams.”
Under the new rules, cybersecurity experts from EU member states will exchange details of security threats, attacks and how authorities responded—although those meetings are voluntary.
One Commission official said that the terrorist attacks in Brussels and Paris over the last few months would likely not push EU countries to step up their work together on cybersecurity.
“If you look at the recent terrorist attacks, the cyber element is irrelevant,” the official said.
“So far we do not have cases when terrorists were behind an attack on critical infrastructure.”
Commission officials pointed to how EU countries share law enforcement data with Europol as an indicator of how the executive wants them to eventually share more cybersecurity information.
“Cybersecurity is at an earlier stage,” one official said, referring to an “incremental process”.
Some EU countries do share details of cybersecurity breaches with other member states, but larger, wealthier member states are less willing to exchange information with smaller countries.
Four months after the NIS directive was rubberstamped, there are still more cybersecurity rules coming.
The Commission will propose a so-called implementing act this autumn to clarify details in the new rules, including security measures and specifics on how breaches will be notified to authorities.
Boratyński said one of the most difficult parts of the fraught negotiations was getting member states to agree that cloud computing services are critical infrastructure, meaning security breaches on clouds will have to be reported to authorities.
“We have thousands of European companies that rely on clouds the way they rely on electricity and other essential services,” Boratyński said.
“It’s the new frontier of cybersecurity and we simply need to get it right,” he added.
An EU cyber security strategy was presented by the Commission and in 2013, covering the internal market, justice and home affairs and foreign policy angles of cyberspace.
The European Commission shortly after proposed a directive with measures to ensure harmonised network and information security across the EU.
Member states and the European Parliament agreed on the directive in December 2015, which will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.
- autumn 2016: European Commission to propose implementing act in NIS directive, including new security measures and details of how security breach information is notified to authorities
- Council of the EU: NIS directive (final text as of April 2016)