Fighting back: EU to take on the hackers
There are concerns surrounding the Network and Information Security Directive. Nathalie Dreyfus of Dreyfus & Associates examines the potential consequences of the draft legislation...
With the alarming proliferation of cybercrime, estimated to cost more than $400 billion a year, and the recent spate of hacking cases around the world, cyber security has clearly become a global issue. The threat posed by cybercrime, cyber espionage and attacks against critical online infrastructure is developing apace. To remedy a potential loss of confidence in the digital economy, it is important to create awareness among EU member states, companies and individuals, and to take appropriate measures.
The EU therefore took up the matter in 2013 with a view to proposing a directive to raise the level of cyber security in member states and to establish a comprehensive strategy in this regard. The Network and Information Security (NIS) Directive was approved by the European Parliament on 13 March 2014, with a strong majority of 521 votes to 22. It is now before the Council of the European Union.
This draft directive focuses on the entities at highest risk, namely critical infrastructure operators, where an incident can have far-reaching consequences for public health, the economy and security. But given the importance of digital industries in our societies, some EU member states would favour extending the scope of the directive to the digital sector in order to ensure the stability of the European economy. Big companies offer services, such as email or cloud computing, which are becoming increasingly indispensable to the smooth running of the economy. Like hosting companies, they control and manage increasingly sensitive information and data.
It has become paramount to safeguard their infrastructure and their information systems, as evidenced by the recent Sony Pictures case.
Sony Pictures was robbed of nearly all of its data, much of it sensitive, confidential and personal. While it is unclear whether this cyberattack originated from North Korea or elsewhere, it was nonetheless considered the largest attack ever carried out against a private company. Consequently, the FBI issued warnings to all major US companies on the hackers' likely modus operandi.
This hack has significant financial and legal ramifications for Sony Pictures. Apart from the leak of several films and of its business strategies, employees also sued the company for failing to secure their personal data. The case is emblematic of the failures and negligence of companies in matters of IT security.
NIS Directive: new security obligations
The aim of this draft directive, which rests on the principles of member state security and economic stability, is to reduce cybercrime. From the outset, the draft directive sets out that "computer networks, systems and services play a crucial role in society", adding that "the magnitude, frequency and impact of security incidents are growing and represent a major threat to the operation of computer networks."
The directive therefore requires each member state to designate a central authority to develop its national cyber security strategy. This authority is to monitor and ensure the consistent application of the directive in its territory; in France, for instance, this would be the National Agency for the Security of Information Systems (ANSSI). The EU Agency for Network and Information Security (ENISA), which will have a coordinating role, has noted that 17 member states already have national cyber security strategies in place. The directive also aims to establish cooperation between national authorities to tackle threats that affect several member states.
Furthermore, the NIS Directive contains a non-exhaustive list of critical infrastructure operators, including operators in the energy, banking, health, transport and financial services sectors. These critical infrastructure operators are subject to a series of security requirements, such as incident reporting. Specifically, the directive requires the reporting of incidents and security breaches having a "significant impact".
Member states do not all agree on the meaning of these obligations, and the directive seeks to establish what exactly constitutes a "significant impact" that should trigger a reporting procedure. Under the directive, this impact would depend on the number of users of the affected service, the duration of the incident and the geographical area affected. For now, the amended definition in Section 8(a) of Article 3 reads: "[An] incident which has a significant impact: an incident that affects the security and continuity of a network or information system and which causes significant disruption of key economic or societal functions."
Finally, the NIS Directive would impose several further obligations: reporting all incidents detected on networks, training security managers, submitting to audits by a national regulatory body, and identifying "connection points of vital importance". The directive specifies, under Article 11, that "all member states and all market participants should have sufficient means, both technical and organisational, to be able, at any time, to prevent and detect incidents and risks relative to networks and computer systems and take the necessary intervention and mitigation measures".
It should also be noted that, with regard to the security obligations placed on critical infrastructure operators, some countries, such as France, are already ahead. ANSSI already oversees compliance with similar security obligations incumbent upon large banks and telecom operators, though not yet upon private digital companies.
Extension of obligations to digital stakeholders: significant consequences and concerns
The requirements for critical infrastructure operators could apply to other stakeholders in the private digital industry. In its annex, the directive mentions ecommerce platforms, internet payment gateways, social networks, search engines, cloud computing services and online application stores.
In practice, this would cover companies that often have the status of hosting providers, such as Google, Amazon, Microsoft, OVH and Dailymotion. However, during the debates, the inclusion of small and medium-sized enterprises has not been formally ruled out.
In addition, only the most important services would be concerned, specifically those with a major economic impact. For example, while Amazon's cloud service would be concerned, its ecommerce site would not be. This is the subject of a heated debate, and for now member states remain divided as to whether or not to include certain digital industry players, such as cloud providers, in this European legislation.
While the companies concerned consider these measures disproportionate, several member states seem to favour extending the security obligations to private digital industry stakeholders. For example, French Prime Minister Manuel Valls and his German counterpart, Chancellor Angela Merkel, are both in favour of the extension. Indeed, the German government has even pre-empted European regulation: on 17 December 2014 it passed a cyber security bill, revamping its legislation to force companies to invest in IT security.
But not all member states agree on this issue, and the affected companies even less so. The latter consider that such security obligations, if they had to be complied with, could constitute a significant financial burden that would weaken their competitiveness, especially that of SMEs. State intervention through a central national authority is also the target of sharp criticism: some question the legitimacy of the state infiltrating the information systems of a private company.
In France, the AFDEL, a French association of internet software and solutions vendors, urged that the category of critical infrastructure operators provided for in the directive not be extended to "companies of the information society". While supporting the project and its objective of strengthening cyber security in Europe, it asserts that this extension could damage the competitiveness of enterprises. Thus, for the AFDEL, classifying all digital businesses as "critical infrastructure" is not justified, and it would be disproportionate to impose additional administrative obligations on them, such as mandatory reporting of security incidents to the national agencies responsible for cyber security. Similarly, SYNTEC, the professional union of digital service companies, software vendors and technology consulting firms, warned against a "dangerous evolution" of the text.
Real debate, and even tension, presently exists between EU member states and private stakeholders on this issue. Currently, the Council of the European Union has not yet completed its first reading of the NIS Directive. Council meetings on the text have not materialised, owing to disagreements between the member states' ministers in the Transport, Telecommunications and Energy Council configuration.
Should such obligations be imposed on digital industry stakeholders, they will have to implement them. Any company failing to comply with the new European legislation could be penalised, or could incur severe liability for computer attacks made possible by inadequate security. Forthcoming developments should be followed closely, as they will affect all internet stakeholders.