International Cybersecurity Regulation Needs to Become Standard


That cybersecurity has become a central pillar on which nations build their digital transformation programs was made clear in the second half of last year, when the European Union (EU) reached agreement on cybersecurity rules binding on all its member states. Operators of essential services in the energy, transportation, health and banking sectors are to be required to make their infrastructure robust enough to withstand cyber-attacks and to notify the authorities when significant incidents occur.

The agreement marks the first time the EU has legislated directly on cybersecurity, and it is clearly a response to the rapid growth in the number and severity of cybersecurity incidents. The emphasis on critical national infrastructure is an overdue recognition that, as software and control systems become ever more tightly integrated, cyber-attacks can have devastating and lasting consequences in the physical world as well as the digital one. Coming from one of the largest economies in the world, the step is significant.

Because digital networks are interconnected, a threat to one is a threat to all, and it is time for regulators and government agencies everywhere to consider closer cybersecurity cooperation than they have pursued so far.

The developments in Europe are a positive example of what can be gained through closer alliance, and of the kinds of measures that need to be put in place to achieve a stronger cybersecurity posture.

The time to make these changes is now. The internet as we know it is less than 30 years old, and it was never built with security in mind. Only in the last 20 years, as it has grown into a platform for global commerce, has security become a fundamental concern. The field of cybersecurity law is new and approaches to combating threats are still evolving. Inevitably, the effectiveness of any new regulation will depend on the details of its implementation.

Building digital resilience, though, takes more than identifying the key operators of critical infrastructure and trying to raise their security standards. Requiring operators to report breaches is only part of the battle; the purpose of any law or regulation must be to reduce the overall risk to public safety, and by the time a breach is reported the damage may already be done. We need to protect the confidentiality, integrity and availability of entire systems with preventive controls and, when an incident does occur, respond quickly enough to remediate vulnerabilities before adversaries exploit them.

New regulations need to mandate technological and procedural controls across the full spectrum of prevention, detection, response and recovery. They also need to reach the leading vendors of critical infrastructure systems, so that security measures are built into the products they supply rather than bolted on by each operator afterwards.

We believe in genuinely integrating cybersecurity operations with global and national regulation. A holistic approach to security should anticipate current and upcoming regulations and adapt them to the specific needs of governments and companies, from the executive level through procedure to technological implementation. Trust should be rooted in both hardware and software from inception, with every system hardened and, where appropriate, encrypted. Implemented correctly, these building blocks provide a strong defense.

It is worth watching and learning from the EU's cybersecurity rules as they pass through their final stages in the European Parliament. It is vital that they enhance the security of the EU's nations, and of the GCC countries that trade with them. These rules began life as a proposal in 2013 and are set to pass into law only this year. Over the same period, by Moore's law, transistor counts (and with them computing power) would have roughly doubled. Any regulation that is implemented will need to walk a tightrope: robust enough to force companies into action, yet not so specific that it is overtaken by the relentless advance of technology.

You can read more from DarkMatter at the RSA Conference blog, and please join us for RSA Conference Abu Dhabi, 15-16 November 2016. Register here: www.rsaconference.com/events/ad16/register
