Will the EU’s march to a network security law match the pace of threats?

BRUSSELS – Questions linger over whether the outgoing European Commission can steer the EU’s proposed Network and Information Security (NIS) directive to completion by the desired timetable. According to officials close to the issue, it will be a very tight deadline to get this done by 1 November as planned. It falls to Neelie Kroes, the Digital Agenda Commissioner, to do that, but completion will probably slip to at least the end of 2014.

Sigrid Johannisse, Kroes’s advisor on innovation, ICT applications and security, said her Commissioner is “in a hurry” to push the NIS directive forward as much as possible. Addressing a 30 June policy debate here on critical infrastructure protection in the cyberage, she said EU negotiators have reached agreement on chapters one (general provisions) and two (national frameworks on network and information security). “We think that we can agree on chapter four [security of networks and information systems of public administrations and market operators], but the hardest part is chapter three [cooperation between competent authorities],” she told the meeting.

The NIS directive has three objectives, namely to:

  • create the same level of cyber security across the EU, with all member states having a cyber-security strategy in place;
  • foster cooperation between the member states on cyber security and related issues;
  • provide a forum where industry can cooperate on the same level.

Asked if the EU’s Council, which directly represents national capitals, was reluctant to include public authorities in the directive, Johannisse answered that “this is an important ‘break point’ for certain member states […and] we cannot make everyone happy, so there is the need to reach a compromise. There are several main issues among the EU28 at the moment, but it’s all part of the negotiation process.”

She went on to say that the directive is not the only thing the Commission is doing on cyber security; it is also working to raise awareness. “Digitalisation is invading all networks – energy, transport, etc. – and big data will be the future of our whole economic system. We should be aware of what we want to do with it,” she said, adding that “from the digital agenda point of view, we don’t want to lose confidence in the digital economy, and we think that the NIS directive can support this confidence.”

Fellow speaker Freddy Dezeure, head of the EU’s Computer Emergency Response PreConfiguration Team (CERT-EU), pointed to the forthcoming supervisory challenges facing Europe: “In the future we will have many, many more devices to control. Many of these will have embedded files […and they] will be more and more invasive: they will control basically everything. At the same time they will become more and more complex, and we will be faced by more and more vulnerability.”

He added that “there are more and more people out there today that want to take advantage of these vulnerabilities – terrorists, organised criminals, drug traffickers, hostile states, friendly states.”

Dezeure said a number of things need improving to address Europe’s vulnerabilities, such as more information exchange between trusted partners, where “there can be multi-variable trusted partners”. He said national CERTs should use the increased information exchange “to work more fluently with each other”. That also includes more automated information exchange, meaning “there is the need to ensure that different machines can speak with one another”.

Asked about the risk of cyber-attacks causing physical damage, Dezeure said “the information we get is very limited for the moment” but that defensive capability “could be swiftly improved if more in-depth information on attacks was shared”.

Speaker Michael Daniel, special assistant to the U.S. President and Cyber-security Coordinator, said the traditional approach of building “walls, gates and a moat for cyber defence is no longer appropriate. You have to work on the assumption that your networks are compromised, so how do I find them [the intruders], hunt them, kick them off and then recover from what damage they have done?”

When questioned whether information-sharing across the Atlantic was adequate or more was needed to facilitate this, Daniel replied that “I think we have some of the right foundations in place with the CERTs, but we need it to grow. Information is shared across the Atlantic by ‘techies’ that know each other, rather than because there is a system in place. More of this needs to be automated. The foundations are there but we need to build them out and things need to happen at net speed.”


Despite the confidence of Kroes’s cabinet that the NIS directive will be completed by the end of 2014, we have our doubts. The EU’s past record on pushing through cyber-related legislation has not exactly unfolded at an appropriate “net” speed or anything approaching that. Member state resistance to possible encroaching EU regulation is one brake on the process; the sheer diversity of public players needing alignment is another. This dialogue could stretch on for many months.

On the other hand, it is encouraging to see that no one government or segment of society thinks it can protect itself in isolation. A tight working partnership is the right approach where everyone knows his responsibility. If the NIS directive opens the gates for such cooperation and information exchanges at EU level (not to mention the transatlantic one), that alone will be a significant accomplishment, even if it takes longer than expected to achieve it.