EU Proposals To Force Cyber Attack Transparency On Businesses

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Exclusive: European Commission hopes to enshrine transparency around cyber incidents in law

The European Commission wants to impose obligations on public and private organisations to report and share information on cyber attacks that cause serious damage, TechWeekEurope has learned.

A draft proposal for the Cyber Security Strategy of the European Union has been making its way around Brussels, but has not been released to the press yet. It will be officially unveiled by Neelie Kroes, EU Digital Agenda vice president, and her team later this year, possibly before the end of the month.

But an internal Commission document seen by TechWeekEurope said a proposed directive would force businesses and government bodies to report “incidents with a significant impact”. The EC believes this “will enhance the ability to respond to incidents and foster transparency”.

The document hints at broad aims within the strategy. Under a subheading asking what will change after adoption of the directive, the document read: “There will be a high level of cyber security across the EU in terms of increased capabilities, preparedness, cooperation, information exchange and awareness at national and EU level, both in the public and the private sectors.”

Cyber attack transparency

This differs from the European Commission’s controversial proposed directive on data protection, laid before the public last year. That directive includes a rule stipulating that organisations should report a data breach incident within 24 hours. But such a breach does not have to relate to a cyber attack or incident, only to cases where citizen information has been exposed.

The directive under the Cyber Security Strategy would, this publication understands, relate to any kind of severe cyber incident, even those where no citizen data has gone missing. As long as it is deemed serious enough, the list could include distributed denial of service (DDoS) attacks, cyber fraud and even events caused by natural disasters.

The ultimate aim is to create an information sharing environment, so if something cataclysmic happens, nation states will have more to work with during recovery.

“This is about system problems,” a spokesperson from Neelie Kroes’ office told TechWeekEurope. “This reporting requirement is more like ‘Hurricane Sandy wiped out my power station and now electricity and Internet are down – who do I call to help?’”

“We don’t tell the countries exactly what incidents must be reported – that will have to be agreed at a later stage in the debate.”

The spokesperson was clear that global technology companies would certainly not be exempt from the requirement to report incidents.

“We need to protect critical infrastructure and IT systems are often the critical infrastructure. It would be nonsense to try to increase our understanding of these threats and to deal with them more efficiently without formalising a responsibility on the companies,” he added.

A positive step?

The obligation to open up on attacks and other incidents is something that will please those looking for greater transparency around cyber attacks. There is a consensus in certain circles that opening up about attacks will help nations better prepare for future attacks. They argue that, given the sophistication of cyber crooks today, everyone can be hacked, meaning there is no shame in confessing.

“The obligation to report security incidents with a significant impact is a welcome move. Knowing what type of incidents are happening allows us to better identify our potential weak points and can enable us to focus on how best to protect our data and systems,” said Brian Honan, founder of the Irish Reporting and Information Security Service, Ireland’s first CERT.

“It would also enable any individuals whose personal data has been compromised as a result of a breach to take the necessary steps to mitigate any risks posed to them.”

The EC wants to do away with secrecy around security. Major organisations have kept quiet on incidents, such as Coca-Cola, which kept quiet on an alleged hacking incident for over three years before Bloomberg reported on it.

Other companies, however, are concerned their reputations could be tarnished if they admit their network was breached. Many worry their share price could take a battering if confidence in their security diminished.

The Commission’s proposals, which some expect to be made public next week, will also include requirements to carry out risk management for “public administrations and key private players” to “create a strong incentive to manage and dimension security risks effectively”.

Given the reaction to the data protection proposals of 2012, where the US government and major corporations have lobbied hard to get the EC to back down from some of its stricter proposals, the latest batch of obligations could receive harsh criticism.

The proposals would make Europe a more open environment than the US, where the Securities and Exchange Commission only requires firms to report any material losses from attacks, and where companies largely ignore calls to be more transparent.
