Cyber threats know no borders even if the law does…so how are cyber policies evolving in 2016 to deal with the increasing complexity and scale of cyber-incidents now faced by countries, businesses, and individuals?
As anticipated in my post from January this year, a bolstering of cyber security legislation is squarely on the legislative and policy agendas of both the EU and the USA this year. The purpose of this post is to give an update on newly adopted legislation, as well as related legal developments in the cyber security and cyber crime policy field.
In the EU, the new EU Directive on the Security of Network and Information Systems (the ‘NIS’ Directive) – formally, Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union – was voted in by the European Parliament on 6 July following a second reading (as reported here and here). Its text was subsequently published in the EU’s Official Journal on 19 July here, which means that the Directive enters into force 20 days later – that is, today (8 August).
Each EU Member State now has 21 months to transpose the provisions of the NIS Directive, and to publish the domestic laws, regulations and administrative provisions deemed necessary for its implementation, by 9 May 2018. The European Commission will then review these periodically to ensure the effective functioning of the Directive, the results of which it will set out in reports to the European Parliament and to the Council from 2021 onwards.
As a reminder, the NIS Directive aims to ensure a high common standard of network and information security across the EU. It does this by introducing measures to support and facilitate cooperation between EU Member States, in particular through information exchange on cyber security threats. Each Member State will also be required to designate one or more national authorities to this end, to set out a national strategy to deal with cyber threats, and to establish Computer Security Incident Response Teams (CSIRTs) responsible for rapid reaction to cyber threats and incidents.
The Directive also lays down harmonised security obligations – such as risk management and breach reporting obligations – for two groups of organisations. These are 1) operators of essential services (e.g. key network infrastructure owners, including operators in sectors such as energy, transport, health, and finance); and 2) digital service providers (e.g. e-commerce platforms, search engines and cloud services). However, the first group will have more onerous compliance obligations to fulfil under the NIS Directive, in recognition of the degree of risk that any disruption to their services may pose to the economy and society at large. To that end, the Commission will monitor the consistency of the approaches taken by each Member State in determining domestic operators of essential services (which they must identify no later than 9 November 2018) and report back to the European Parliament and the Council on this issue during 2019.
As the original Commission proposal for the NIS Directive (way back in 2013) was accompanied by a Communication setting out an EU cyber security strategy of which the proposal formed a key part, it is no surprise that the Commission has marked this pivotal adoption of the first comprehensive cyber security legislation in the EU by releasing another Communication on cyber security. This new Communication sets out measures “to improve Europe’s cyber resilience and to help foster a competitive and innovative cybersecurity industry in Europe” (for background, see the accompanying Commission fact sheet). In short, it advises that cyber-incident cooperation needs to be improved across the EU. Supra-national proposals by the Commission set out in its Communication include: setting up a high-level advisory group at EU level; pooling information and expertise in an information hub (this would be facilitated by ENISA, whose 2004 mandate to contribute to the overall goal of ensuring a high level of network and information security within the EU is currently under review by the Commission – for more on the review, see here); setting up trusted channels for voluntary reporting of cyber thefts; introducing a cyber security training platform; and developing a cyber security ‘Smart Specialisation Platform’ to “help coordinate and plan cybersecurity strategies and set up a strategic collaboration of interested parties in regional ecosystems”.
The Commission also plans to study risks from cyber-incidents in interdependent sectors within and across national borders, and to assess the need for additional rules or guidance on ‘risk-preparedness’ for critical sectors. This phrase refers to the fact that, given the prevalence of cyber-attacks, companies and entities must not only focus their efforts on trying to prevent such attacks, but also prepare themselves for this eventuality. In other words, despite increased levels of investment, organisations should still expect to be attacked and sometimes breached, and they should remain constantly vigilant – in a state of readiness – to respond to this threat.
On the industrial side, the Commission also encourages the development of resources for cybersecurity (commercial and technological) as part of its aim to promote a single EU market in online network security products and service solutions, which it hopes can act as market differentiators. To this end, a decision on public-private partnerships in cybersecurity is expected shortly, and the Commission has estimated in a recent press release that €1.8 billion of investment in cybersecurity research will be triggered by 2020 (a quarter of which the EU will contribute directly).
On the other side of the Atlantic, on 26 July the US government released a Directive on Cyber Incident Coordination of Emergency Responses to Cyber-Attacks (here). Formally entitled ‘PPD-41’, this federal legislation is a Presidential Policy Memorandum which, inter alia, further streamlines the US government’s response to major cyber-incidents and provides more clarification on the coordinating roles and responsibilities of federal agencies in this respect. This is intended to complement the ‘CyberSecurity Information Sharing Act of 2015’ (CISA) – here, at page 1728 – designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes”, as mentioned in my previous post.
In particular, PPD-41 provides guidance to organisations within the private sector that have experienced a ‘significant cyber incident’ (defined as one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people”) on how they can obtain federal assistance. A colour-coded ‘cyber incident severity schema’ has also been published to help organisations determine where the cyber incidents they have experienced sit in a ranking of severity and what help they will receive. For example, determinative ranking factors include the potential consequences of an attack, as well as the attackers’ suspected intent. (Note that the design of the schema is not short of critics; for example, see here.)
What the news from the EU and the USA broadly have in common is further evidence of moves by central agencies to codify their roles, reflecting the priority now placed on cyber security and coordinated strategies at a federal level. Both also acknowledge the evolving scale and complexity of the digital threats faced by countries worldwide, which in turn require more creative solutions from governments. In particular, technical challenges are evolving at such a rapid rate that solutions which work this year cannot be assumed to work next year. Consequently, not only must businesses coordinate more with government to tackle cyber-threats, including through increased reporting of cyber-incidents, but they must also do more to demonstrate a ‘living’ corporate ethos that accepts cyber risk as an inevitable part of being active in the digital economy today, and that they are ready for it. In other words, private organisations – in particular, those operating network infrastructures – are being strongly encouraged, using policy ‘carrots’ but also legislative ‘sticks’, to do more to show ‘risk readiness’ for the prospect of significant attacks, as a matter of public interest.
While increased trust in cyber security is crucial for a strong digital marketplace, there also seems to be a feeling that stronger cyber security regulation can provide a big advantage over other countries. To this end, it is also useful to consider the impact of the Brexit vote on the UK’s future cyber security policy. Although there is no date for the UK to leave the EU, at present it seems likely that this will not be before May 2018, and therefore the UK will have to implement the NIS Directive (as well as the GDPR – which complements the NIS Directive, e.g. in terms of requirements around breach reporting – for which the ICO is already preparing). Even if it were to leave earlier, given that the UK Government has already taken steps in anticipation of the NIS Directive (such as publishing its plans to establish a new National Cyber Security Centre), it is likely that legal standards of protection very close to the EU standard would be implemented instead, to reduce the risk of cyber-attacks on UK businesses. And we should not underestimate the importance of international cooperation on cyber security issues. It would be a significant step backwards for the UK to fail to maintain a relationship of information sharing and broader cooperation with EU partners and cross-border agencies (including law enforcement institutions) that also see cyber security as a major threat. Indeed, many would argue that it is in the UK’s interest to help develop the capability of overseas partners and cement strong operational relationships across national boundaries.
Finally, other news from the UK includes the publication by the House of Commons Culture, Media and Sport Committee of a report entitled ‘Cyber Security: Protection of Personal Data Online’. In it, the Committee considers the 2015 cyber-attack on the UK ISP TalkTalk, and sets out recommendations in light of the significant and growing problem that cyber-crime poses to individuals and business. These include suggestions to make security a major consideration in the design of new IT systems and apps (so-called ‘security by design’, also being promoted at the EU level) and a mandatory part of developer training, with staff being retrained periodically as necessary.
Also, in July, the UK National Crime Agency (NCA) and the Strategic Cyber Industry Group (SCIG) published the Cyber Crime Assessment for 2016. This report sets out an overview of cybercrime activity in the UK in 2015 – with 2.5 million cyber incidents estimated to have taken place last year – and notes significant under-reporting of incidents. (Incidentally, in the results of its latest Crime Survey for England and Wales, the Office for National Statistics (ONS) included statistics on cybercrime offences for the first time, including those not reported through formal channels. The estimated number of fraud and cybercrime offences in the year ending March 2016, according to the ONS, is 5.8 million. This comprises around 2 million computer misuse offences and about 3.8 million fraud offences, the majority of the latter relating to bank account fraud.) In dealing with the current challenges for business in fighting cybercrime, the report includes recommendations to help businesses, which also prioritise public-private partnerships. In particular, the UK government has pledged to invest nearly £2 billion in the country’s cyber defences over the next five years. Amongst other things, this money is intended to fund new innovation centres to support talent and drive growth in digital sectors, enhanced capabilities (including rolling out specialist training) within law enforcement to respond to cybercrime, and a programme of active defence in collaboration with UK ISPs to enable them to implement a series of measures to block malicious sites and divert known malware.
So, cyber security experts, you can feel reassured…it seems clear that any tightening of the UK’s budget post-Brexit is very unlikely to extend to draining investment from the cyber domain. In fact, just the opposite is likely!