Systemic threats may ideally call for systemic solutions, but to what extent will new legal provisions make a real difference to the way organisations share, receive, and use cybersecurity information?
Last year, I wrote a post outlining efforts on both sides of the Atlantic to advance cybersecurity policy through legislation. As expected, further legislative developments were cemented last month in the US and the EU.
In the US, the Cybersecurity Information Sharing Act of 2015 (CISA) (see H.R.2029 at page 1278) became law. It represents a compromise between a bill passed by the Senate, and two other cybersecurity information sharing bills passed by the House of Representatives (the National Cybersecurity Protection Advancement Act (NCPAA) and the Protecting Cyber Networks Act (PCNA)).
The main goal of CISA is to encourage private organisations to share information with the government about cybersecurity threats (in the statute's terms, "cyber threat indicators" and "defensive measures": the incidents their systems have faced and the related security vulnerabilities and countermeasures), and to strengthen the mechanisms by which such information is disseminated to other organisations so that they can improve their own cyber defences. Improving the timeliness of that dissemination is another aim of CISA. To support this, the Department of Homeland Security is now required to operate a sharing capability (in practice a data sharing portal) and to publish guidelines about how it works.
Questions had previously been raised about some provisions in the bills, including whether there were adequate privacy protections, and whether the liability safeguards were sufficient to address organisations' concerns about being sued by their customers for participating in information sharing. Many of these concerns have been addressed in CISA through the following key provisions. First, before sharing, organisations must review the data and remove any information they know to be personally identifiable information (PII) that is not directly related to a cybersecurity threat. Second, liability protection is established for organisations that monitor their systems and share cybersecurity information in accordance with CISA. In particular, sharing between private entities is exempted from antitrust liability, and any applicable legal privilege or proprietary protection attached to shared data (such as trade secret protection) is not deemed waived by virtue of its submission to the portal.
In the EU, the Council of the EU and the European Parliament announced in separate press releases (here and here, respectively) that they had reached agreement on the text of a new information security Directive, more formally known as the Network and Information Security (NIS) Directive. (See also the press release by the European Commission on this agreement.) Initially proposed by the Commission in 2013, alongside a Communication setting out an EU cybersecurity strategy of which the proposal formed a key part, the Directive will be the first EU-wide cybersecurity legislation. It is intended to deliver a high common level of protection and harmonised obligations across a secure and trusted Digital Single Market.
The Directive aims to increase cooperation between EU Member States on cybersecurity. It will also impose security obligations on operators of "essential services" and on digital service providers (the former facing more stringent obligations than the latter), notably the reporting of certain security incidents to competent authorities and the taking of appropriate measures to manage known cyber risks and to minimise the impact of incidents. (In determining what "essential services" are, the final text of the Directive will list a number of critical sectors in which operators of essential services are active, such as energy, transport, banking, financial market infrastructure and health. Within these sectors, it will be left to Member States to identify the operators providing essential services, based on criteria set out in the Directive. By contrast, the categories of digital service provider have already been agreed: online marketplaces, online search engines and cloud computing services, with small and micro companies excluded.)
Finally, the Directive introduces incident notification requirements that expand upon and complement the personal data breach notification obligations in the new General Data Protection Regulation (GDPR), which is awaiting formal adoption. In particular, the new Directive will require operators to notify competent authorities of incidents having a substantial impact on the continuity of the operator's service, whether or not personal data is involved; this sits alongside the GDPR's obligations to report personal data breaches to supervisory authorities and, in some cases, to data subjects (Articles 31 and 32 of the agreed text).
After formal approval of the compromise text into law, Member States will have 21 months to implement the NIS Directive into their domestic legislation.
In conclusion, the provisions of CISA and the NIS Directive highlight the increasing importance being given year on year to cybersecurity (reflecting similar legal and policy initiatives on the rise in jurisdictions across the globe). A major part of both visions is drawing on the private sector's knowledge of cybersecurity threats through information sharing, and imposing obligations to mitigate potential adverse effects (although, to note, the sharing and reporting provisions in CISA are voluntary only). Both also highlight the importance attached to a unified and co-operative approach between the authorities and organisations. Crucial to achieving this, in as close to real time as possible, is not just setting up co-operation networks, but also building and managing information-sharing infrastructure that allows sensitive and confidential information to be exchanged securely. The development, and the encouragement of the use, of industry standards and specifications to reduce cyber risk is seen as another part of the solution (as mentioned in my previous post).
Both pieces of legislation are ambitious, in that legislators and policy-makers are doing more to encourage companies to share cybersecurity threat information with government agencies routinely and rapidly, as part of establishing early warning systems to alleviate systemic risk. While industry will undoubtedly welcome the greater focus on cybersecurity, there are likely to be concerns about the broad scope of some of the provisions, particularly those on incident reporting as they are extended to more and more of the private sector. It will be worth monitoring over the coming years to what extent the new legislation makes a real difference to the way organisations share, receive, and use cybersecurity information. Where sharing is not yet a legal duty, the prospect of unwelcome public disclosure following notification may deter information exchange from being accepted whole-heartedly into the corporate ethos.
(To note, the voluntary nature of CISA and its light-touch liability regime are a big difference from the NIS Directive. The mandatory nature of some of the obligations in the NIS Directive has been criticised, including by UK government officials – see e.g. here. On the other hand, some have previously questioned whether the US regime would really be voluntary when considered in the round, given the governmental incentives offered to those who share data and the lack of such support for those who do not participate. Is this a sign of a general trend towards governmental persuasion through fear of exclusion?)
Finally, last month the European Commission also published a Roadmap outlining different policy options that could help the European cybersecurity industry, together with a call for comments in a Consultation on establishing a public-private partnership (PPP) on cybersecurity this year. In particular, the Commission seeks feedback on EU cybersecurity threats; the state of the European cybersecurity market; and where to focus efforts in setting up the PPP and its technical priorities for research and innovation. The deadline for comments is 11 March 2016. This EU proposal follows the lead of a similar US initiative created by the enactment of the Cybersecurity Enhancement Act of 2014, which provides for an ongoing, voluntary PPP to improve cybersecurity and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.