Net cost: EU cybersecurity reform blighted by price tag concerns

Get short URL

Published time: February 07, 2013 18:20
Edited time: February 07, 2013 22:20

The EU plans to upgrade its cybersecurity regime in a bid to battle cybercrime. But one proposal, which could force 42,000 firms to report major online attacks, has been criticized for potentially harming both their bottom lines and reputations.

The European Commission’s (EC) "An Open, Safe and Secure Cyberspace" – outlines five priorities which may form the basis of its new cybersecurity strategy.

The priorities include achieving cyber resilience, reducing cybercrime, developing cyber defense policy, developing the industrial and technological resources for cyber security, and establishing a coherent EU-wide cyberspace policy while “promoting core EU values.”

Under the new draft law published on Thursday, the Commission hopes to implement its strategy by requiring each of the European Union’s 27 member states to set up a Computer Emergency Response Team (CERT) “to deal with hacking and malware crises, along with plans for how to deal with major incidents.”

The directive would also require 42,000 firms dealing in banking, transport, energy, health, the Internet and public administrations to inform a designated national network and information security (NIS) authority whenever their computers are hacked.

The proposal would further see the establishment of a cooperation mechanism among member states and the Commission “to share early warnings on risks and incidents through a secure infrastructure, cooperate and organize regular peer reviews.”

The latest draft law comes on the back of The European Cybercrime Center, which was opened in January to promote expertise and the sharing of information between EU countries on tackling cybercvrime.

Costly reforms?

While the proposals represent a major paradigm shift in the legal framework for network, communications and data security across the EU, its overall efficacy remains doubtful.

When questioned on how member states would be able to negotiate with other government’s such as China, where a large number of cyber-attacks originate, Neelie Kroes, European Commission Vice-President for the Digital Agenda, offered no comment during a press conference on Thursday, Tech Crunch reports.

Many businesses that may soon be required to divulge network attacks to a regulator, fear the changes are too vague, could result in extra costs, and might damage their reputations.

Specialists also say that data breach incident reporting, which has less than a stellar track record in the US, would keep IT professionals from actually preventing cyber-attacks and mitigating their effects, Computer World reports.

Others however welcomed the EC’s cyber security strategy, saying concrete steps needed to be taken if Internet security issues were not to trump the massive growth potential advances in the industry will soon provide.

“Forward-looking technologies offer tremendous potential for economic growth in Europe, with cloud computing alone expected to boost the European economy by €1 trillion by 2020, however a lack of confidence in internet security due to the alarming number of costly attacks is blocking widespread adoption,” the magazine cites said Richard Archdeacon, head of security strategy at HP, as saying.

Speaking in support of the new proposal on Thursday Catherine Ashton, High Representative of the Union for Foreign Affairs, said:

"For cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline, should also apply online.”

Ashton, who stressed that tackling cybercrime would necessitate coordination between civilian and military organizations, noted that NATO would also have a part to play.