IT Sector Urged to Fight for Changes in EU Draft or See Internet Policy Waylaid by Euroskeptics
A U.K. government request for input on a draft EU measure on network and information security sparked a warning Friday from a conservative think tank that failure by the information technology industry to respond could leave important Internet issues in the hands of the euroskeptic U.K. Independence Party (UKIP). The Department for Business, Innovation and Skills (BIS) consultation document (http://bit.ly/Zi7eSG) seeks comment on a Feb. 7 European Commission legislative proposal (http://bit.ly/123IEH0) aimed at ensuring a “high common level of network and information security.” The directive would require EU countries to develop national cybersecurity strategies, establish computer emergency response teams, and share information with each other. It would mandate that public and private operators of critical infrastructures take steps to manage security risks and report incidents “that have a significant impact on the security of core services they provide” to national regulators.
“The UK shares the Commission’s desire to improve levels of network and information security across the EU” and supports the broad objectives the directive seeks to achieve, BIS said Wednesday. “We need to ensure that the proposals create the right incentives for the private sector to share information, best practice and good governance.” The directive will cover providers of information society services which enable the provision of other information society services -- e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services and app stores -- and operators of critical infrastructure essential for the maintenance of vital economic and societal services such as energy, transport, banking, health and stock exchanges, the consultation document said.
BIS wants input on: (1) An organization’s current threshold for deciding whether a network or information breach is classified as an “incident.” (2) How many such incidents the organization reports in a particular time frame. (3) The average cost of dealing with a breach. (4) What additional costs for significant incidents the directive might create. (5) Whether the proposed measures could decrease the number of significant incidents a business might expect to have in a year. Comments are due June 21 -- cybersecurity@bis.gsi.gov.uk.
The proposal had drawn criticism from organizations such as the Software & Information Industry Association, TechAmerica Europe and security consulting firm Sophos (CD Feb 8 p11). In a Friday posting on computerweekly.com’s “When IT Meets Politics” blog (http://xrl.us/bo5est), Philip Virgo, executive chairman of the U.K. Conservative Technology Forum, a think tank and policy advisory body, said there’s “almost unanimous agreement with the objectives” of the directive, but there’s “almost unanimous condemnation of the means.”
Reporting cyberattacks, whether they're successful or not, must be made easier, and in a format which allows rapid “collation and response” as well as intelligence, wrote Virgo. He is a consultant to the U.K. Digital Policy Alliance of lawmakers and industry representatives. Reporting of breaches, which may not actually be known until long after the event, “is of historic interest only and diverts effort,” he said. Mandatory public reporting, as opposed to simply warning those known to be at risk via channels they can trust, “is worse than useless,” he said. It’s not just job-creation for lawyers and compliance officers; it gets in the way of good practice in tackling threats as they emerge, he said.
The BIS consultation is “very important,” and interested parties should respond, Virgo said. The timing of the consultation is also key, because the draft directive isn’t likely to be scrutinized by the current crop of European Parliament members (MEPs), he said. Elections take place in 2014. “We are moving into a period of interregnum when [EC] initiatives will gather momentum while the politicians are away,” said Virgo. “There is nothing quite so dangerous as ignorance in motion and this Directive will be up to speed when the new crop of MEPs arrives, to be manipulated at will.” The problem is that half of the new lawmakers from the U.K. are likely to be EU-hating UKIP members or will have done deals with them, he said. And many other EU countries will also have elected members of similar “a plague on all your houses” parties, he said.
Virgo called for industry interception of the MEP selection process to educate new legislators who will vet the cybersecurity directive. That could also help educate EC officials about how to change in order to enable the EU to “survive the pressure for ‘democratisation not bureaucratisation,’” he said. The directive could be the touchstone, since most Internet users seem to agree on the need for better online security, he said. “Unfortunately,” he added, the draft “is not the ‘something’ that should be done.” The Internet Services Providers Association, London Internet Exchange and Google didn’t comment.