Comments on proposed European Directive on cybersecurity
Following our post about "EU Cyber Security Strategy", we have analyzed the proposed European Directive on Networks and Information Security that was published simultaneously.
Our general conclusion is that, if approved as it is, we will be in front of a qualitative step ahead in the way we understand information security in the EU that will pose us as a reference in this field.
Nevertheless, in our opinion, there is some room for improvement that we would like to highlight in this post.
Scope
Proposed text does not consider organization besides "market operators" and public administrations and, explicitly, microenterprises. In our opinion, in a defense scenario like the one we are trying to improve, this means to leave weak links in the security chain that, could affect the overall level [security level is not an average, is the minimum of all the elements].
To solve the potential economical issue, it could be included a gradation regarding the security requirements to be observed according to some criteria to be defined (activity, technical resources managed, etc.) in a way that only very basic security controls should be required to the smallest. This could avoid security issues and weak links at the same time.
Harmonization of security measures and sanctions
In the proposed text seems that every Member State is going to define the minimum requirements and sanctions in case of non-compliance. In our opinion, considering that we are trying to improve our security at an EU level, both minimum security requirements and sanctions should be harmonized to avoid imbalances in the common economic market and, again, weak links.
National strategies objectives
Although considering risk analysis to establish objectives is academically perfect, coming back to our previous scenario of defense, we consider that should be better to establish them according to the scenarios with higher impacts more than those more probables (this is better for attack strategies). So, we think that these strategies should take more into account threats impact than probability.
Agile Security
Although proposed Directive mentions resilience and considers some measures to achieve it, like early warning and quick response, the other necessary conditions for an agile security has not been considered: leverage within the incidents. This is needed to assure that everybody learns from the incidents and systems and networks are improved towards resilience.
Incidents notification
In relation to this issue, only two minor aspects:
- It should be interesting to consider SLAs between all the national CERTs for notification of early warnings.
- For notification, "minor" incidents should also be reported, perhaps in a different way, because they could be useful as signals to detect global behaviors or "mayor" attacks.
Implementation and enforcement
Regarding this issue, we consider the control is basic to assure and effective implementation of Directive requirements. So, models like roadworthiness / technical inspection of vehicles or financial audits, could serve as example to implement this enforcement mechanisms. In this way, there could be room for private initiative to shelf-regulation and/or carry on audit activities, always under the scrutiny of the competent national authority.