Threats and Thresholds – Securing Europe’s Critical Services in Cyberspace

In February 2013, the European Commission proposed a Network and Information Security (NIS) Directive to boost cybersecurity across Europe. That same year, global web-based attacks increased by almost a quarter. And in 2014, according to one statistic, there were more than 42.8 million cybersecurity incidents around the world. However, the legislation intended to shore up Europe’s cyber defenses remains mired in negotiations where security considerations may not always be placed front and center.

I’ve written previously about the challenges faced in trying to finalize the NIS Directive. For months it has been trapped in talks between EU Member States and institutions unable to agree on what it should contain and to whom its obligations should apply. This is due to fundamentally different views on and approaches to the nature of network and information security in Europe.

Getting the scope right

First and foremost, it’s essential to get the scope of the Directive right. One of the sticking points has been the varying opinions about how to treat digital services. These are distinct from critical infrastructures – physical assets essential for the functioning of societies and economies – and naturally require different considerations.

This was finally acknowledged in June, when policymakers confirmed that such digital services would be “treated in a different manner” to essential services; allowing negotiations to move beyond the stalemate between national governments, and between Member States and the European Parliament. A twin-track approach, where digital service providers will be subject to lighter obligations, recognizes that the socio-economic risk emanating from, for instance, a cloud-based email service or social network outage is not the same as a national power grid being taken down by hackers.

It’s vitally important to enshrine this in legislation because critical infrastructures are increasingly at risk of costly, crippling cyberattacks.

In the U.S., 68% of critical infrastructure organizations have experienced at least one security incident in the last two years. And earlier this month, a report from think-tank Chatham House found that, around the world, nuclear power plants – a sector where the consequences of any outage are potentially devastating – are woefully underprepared for “deliberate digital disruption”.

By establishing more focused approaches to network and information security, national governments, industry and policymakers will be able to better prioritize risk. As opposed to trying to do too much with too little, critical security resources can be funneled towards services whose outage would be most damaging.

This will also give EU Member States the chance to build much-needed cybersecurity capacity which, as the BSA’s Cybersecurity Dashboard shows, is sorely lacking. For instance, fewer than 50% of EU member states have evaluated critical services needing protection from cyber incidents. By boosting overall cybersecurity step-by-step, countries can integrate their learnings into a broader set of responsibilities later on.

Getting the threshold right

A similarly nuanced approach should be taken to the setting of thresholds for reporting cyber incidents.

All across the world, hundreds of thousands of Internet users are exposed to cyber threats on a daily basis. The vast majority of these are mitigated before they can cause any damage, thanks to advanced cyber defenses deployed by technology companies, such as Microsoft’s own comprehensive process for more secure product design, development and deployment.

Cyberthreats are very real. But not every threat will result in a successful attack. Nor will every cyberattack have a serious impact. By according all threats the same level of attention we risk blurring the lines between those which are significant and those which are not. Establishing a clear scale of gravity for cyberthreats with the right thresholds for reporting will be essential to the success of the NIS Directive.

Getting the bigger picture

Finally, policymakers cannot afford to overlook the fact that cybersecurity doesn’t end at Europe’s borders. The digital world is borderless; efforts to harmonize cybersecurity should be too. Unfortunately, this isn’t currently the case. While the United States has adopted the NIST Cybersecurity Framework, seen as an interesting model by many countries worldwide, Europe pursues a vastly different approach. Some Member States intend to place their own, national solutions ahead of a common European approach to the detriment of the principles of a European Digital Single Market.

This is not to say that all countries should adopt exactly the same rules – allowances will always have to be made for regional differences. However, if we do not align on key elements such as the adoption of international security standards and baselines, this would have a negative impact on the overall level of online security as well as security innovation. We have the choice between creating a smart regulatory environment which shores up security and promotes a European start-up culture, or producing a new generation of auditors who must deal with 28 different national security standards. But audits do not replace effective security policies and controls, and red tape will not make Europe more secure.

As we head towards what could very well be the final negotiations on this particular piece of legislation, Europe stands on the threshold of an opportunity. With a phased, risk-based approach, and a commitment to harmonization, the NIS Directive could allow Europe to become a leader on global cybersecurity and to ensure its social and economic well-being for years to come. With the finishing line in sight, policymakers would do well to bear this in mind.