"To respond to online security breaches in real-time conditions, a well-functioning network of Computer Emergency Response Teams (CERT) should be established in Europe." This is one of the provisions of the new cybersecurity strategy proposed by Neelie Kroes, European Commission vice president for the Digital Agenda, and Catherine Ashton, high representative of the Union for Foreign Affairs.
The proposed directive lays down measures, including:

(a) Member States must adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents;

(b) Creating a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organise regular peer reviews;

(c) Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.
Most of the European member states already have a cybersecurity entity. In the UK it is the Office of Cybersecurity (OCS), in Germany the National Cyber Response Centre, and in Spain the Cybersecurity Unit of the "Guardia Civil." Those entities have experts from the military, intelligence services, and the police. If necessary, most cybersecurity agencies are equipped to launch a cyberattack in response to intrusions into their countries' infrastructure. All those entities need to coordinate with the European Network and Information Security Agency (ENISA), which has the status of "European Agency," with full enforcement powers.
"The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It's time to take coordinated action -- the cost of not acting is much higher than the cost of acting," said Neelie Kroes.
One open issue in this new directive is the notion of "competent authority." It is unclear whether these authorities need to be public organizations or whether, if necessary, a member state can hire a private firm. That could be of significance for smaller countries such as Malta and Luxembourg, which have limited resources to combat cyberattacks.
But, from CIOs' perspective, the most important provision is the need to report "major security incidents" to the authorities within a short period of time. Until the directive gets finally approved, the definitions are not clear, but CIOs of Internet companies, services, transport, energy, and health need to start revising their "risk management practices" and reporting systems.
While a similar provision was already included in the Framework Directive for e-communications, the new requirement to report major security incidents could have a significant impact in some organizations, especially where consumer confidence is required. Planning for complying without creating panic among customers or stockholders is essential, as is creating a plan for working effectively with government entities across the EU. Given the cross-functional nature of the problem (legal, security, marketing, and other departments are involved), it might be a good idea to get going even before all the details are known.