European Union Digital Commissioner Guenther Oettinger is fed up with the never ending stream of high profile hacking attacks and has decreed that enough is enough saying “I will not sit back and let these criminals and cyber terrorists attack our businesses, intrude into our private lives and destroy trust in our digital economy and society”.
The last straw which has prodded Guenther into action was the VTech hack, which exposed thousands of children’s names and ages along with their parents addresses details. VTech aren’t alone of course, there’s been JD Wetherspoon, Talk Talk, Sony, Moonpig, Mumsnet, eBay, and of course Ashley Madison plus many lesser publicised incidents.
Now a European Commission proposal on a common level of network and information security in the EU has been agreed to improve cybersecurity in EU countries. Member States are obliged to have a national strategy, identify who will enforce this and set up a Computer Security Incident Response Team to handle incidents and risks.
The rules will help Member States and their Computer Security Incident response teams to cooperate across borders on cybersecurity issues and to share information about risks. Plus essential services – power, finance, transport, healthcare and digital infrastructure, online marketplaces, search engines and cloud computing services – are obliged to take appropriate security measures and inform the authorities when they have a cyber attack.
This all sounds great, and I’m sure that Guenther and his EU colleagues have the best of intentions, but they’ve missed one important point. Companies like Ashley Madison have been ruined after their security breach. Companies like eBay have lost millions (we’ll never know how much the password reset slowed sales) and frankly all the businesses mentioned above would rather have not been compromised.
These businesses don’t need an EU diktat to coerce them into compliance. There’s no point ordering them to ensure the safety of their infrastructure. Commercial sense means that most (sadly not all) are doing everything they possible can to protect their interests regardless of EU rules.
Frankly it looks like the announcement is designed to add support to the EU’s Digital Single Market strategy and in reality won’t prevent the next cyber attack from coming. The burden is placed on the companies and not on cyber law enforcement to prevent them in the first place, if that was even possible.
You’ll be pleased to know that smaller digital companies will be exempted from the rules.