“We are raising the game with this directive,” Neelie Kroes told the Financial Times (requires subscription). “We are creating incentives for private companies to improve their track records in network security, and helping national governments to use the learning from this to improve overall national capabilities.”
The draft directive focuses on improved incident sharing between member states, and greater transparency on cyber incidents. While the proposed Data Protection Regulation will require companies to disclose an actual breach, this new directive is expected to go further and require companies to notify national cyber security authorities about ‘incidents.’
It states, “there are no appropriate obligations placed on all players managing critical infrastructure or providing services that are essential to the functioning of our societies to adopt risk-management measures and exchange information with relevant authorities.” The directive aims to change this be requiring disclosure, and sharing that information between the relevant authorities in each member state, supported by ENISA and the new Europol Cybercrime Center.
It is already attracting criticism, especially over the centralization of security responsibility into single national authorities. The German NetzPolitik.org warns, “A single cyber security authority doesn’t just present federal difficulties [Germany is a federation of 16 different states], it also undermines the principle of separation between the intelligence services and the police... [paraphrased slightly from a Google translation] The centralization of responsibility for cyber security, according to Ross [Anderson] leads to a further militarization of the Internet.”
Professor Ross Anderson of the University of Cambridge Computer Laboratory expands on this. “The Commission seeks to put ENISA at the heart of a network to act as an early warning system for bad stuff on the Internet, which is good. What is wrong is that instead of pulling together police forces, CERTs and service providers, ENISA seeks to set up a classified network of military and intelligence agencies.” Anderson believes that a single national authority is ‘wrong in principle and unworkable in practice.’
“A directive that encourages one single agency to acquire primacy in each Member State,” he says, “would undermine the constitutional arrangements that various states currently have for separation of powers and accountability (weak though these already are in some cases).” He is also worried about the potential loss of privacy. “ENISA and the national agencies in its network will have access to ‘sufficient information’ from almost everyone online, in effect extending the data-retention powers from phone companies and ISPs to service providers such as search engines, webmail providers, social networks and computer game operators. That is completely unacceptable as it would violate the constitutions of Germany and other countries.”
Commenting on the NetzPolitik article by email, he suggested, “The Germans actually care about privacy, and are starting to view this as an EU version of CISPA.”