EU member states are preparing to implement new rules on cybersecurity that mean certain attacks need to be reported. Simon Creasey asks how businesses will be affected.
In its 2016 Internet Security Threat Report, global cybersecurity consultancy Symantec revealed a scary series of statistics.
In 2015, more than 430 million new unique pieces of malware were discovered, up a third on the previous year. The number of detected ‘zero-day’ vulnerabilities (holes in software unknown to the vendor) more than doubled and ‘spear-phishing’ campaigns (emails requesting confidential data) targeting employees grew by 55%. Thanks to numbers such as these, there is a growing acceptance among companies that it is no longer a case of whether hackers will attack, but of when. This acceptance has been accompanied by a strategic shift from attack prevention towards attack detection and rapid reaction to minimise financial and reputational damage to businesses. But in an increasingly interconnected and borderless digital world, a successful attack on a business in one country can have a knock-on effect on another business elsewhere. This means that if you do not adopt a consistent approach to security across different countries and continents, you are leaving weak links that could be the access point of an attack.
To address this issue, the European Commission approved the EU’s first ever cybersecurity rules in July 2016. Member states have two years to implement the directive on security of network and information systems (known as the NIS Directive), which places new requirements on digital service providers and operators working in essential areas such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors will be expected to take appropriate security measures and notify national authorities of any serious incidents.
So what are the main challenges around implementing these new controls?
Easy targets
Despite the security industry making significant improvements to cyber protection software, the scale of the threat to businesses has grown over the past few years. Companies no longer have to contend with just the threat of hacks carried out by criminal gangs or lone-wolf attackers – there is also the growing danger of corporate and economic espionage being carried out by nation-state-sponsored attackers.
And worryingly, it is getting easier for hackers to carry out these attacks, says Roger Francis, senior strategic consultant at cybersecurity firm Mandiant, a FireEye company. “From a capability perspective, the bar is lowering,” explains Roger. “There are a lot of tools out there and the ease with which attackers can leverage those tools is increasing the cyber threat posed to businesses.”
The slow pace of detection is also concerning. Looking at cases it dealt with in Europe, the Middle East and Africa in 2015, Mandiant found that the average time to discovery of a cyberattack was 469 days.
Transparency is critical to cybersecurity, as is data sharing, but the job of these hackers is being made easier because there is currently no consistency of approach at a government level across Europe. Therefore there are “no consistent requirements on industry and commerce about what protections they need to put in place”, says Daniël Jacobs, Cyber Manager for Benelux at Chubb.
This is particularly important when it comes to companies that are responsible for running essential services, as well as digital service providers – hence the long-overdue introduction of the NIS Directive.
Central record of attacks
“The government can only do something if it knows about attacks, and a lot of these essential services are now in the hands of the private sector. That’s why the EU is introducing legislation so that companies running essential services will need to report incidents to a central body, in order to work out where the threat is coming from and protect against it,” says Hans Allnutt, partner and leader of DAC Beachcroft’s cyber risk and breach response team.
The cybersecurity community unanimously agrees that the new directive is a good idea, but some question how it will be implemented. Because it is only a directive, EU member states must decide for themselves how to incorporate the provisions of NIS in their national law, which means we could see what Daniël describes as a “patchwork quilt” approach.
“It’s a great start – the problem is it’s a directive and not a regulation,” says Daniël. “Therefore all member states have two years to come up with their own version of it, which they can then implement, but that doesn’t ensure consistency. It will be different from country to country. So the way the UK approaches NIS and the minimum requirements and standards it introduces will probably be different to, say, Portugal.”
There could be further differences around the interpretation – both between companies and countries – of what actually constitutes a breach, says Roger. “The question of when an incident is declared is an interesting one, because within different organisations the definition and spectrum of what constitutes a breach is a bit of a grey area,” he explains. “Companies need to be sure that they have a defined escalation matrix, because without one, it will be hard to take appropriate action when they may need to declare a breach.”
With the clock ticking on the implementation of NIS, some member states are in a better position to implement the directive than others. For instance, in October 2016, the UK government launched the country’s first National Cyber Security Centre, which is part of GCHQ and will bring together CESG – the information security arm of GCHQ – the Centre for the Protection of National Infrastructure, CERT-UK and the Centre for Cyber Assessment to form a single organisation that will simplify the country’s approach to cybersecurity. It is not yet clear, however, how far the UK will need to comply with the new rules once the country withdraws from the EU.
Other member states are playing catch-up and having to drag companies into line. “I was in Belgium with a big company recently and the Belgian government had told this company that it was a critical business for the country, but the company argued it was not,” says Wouter Wissink, senior information and network technology specialist, risk engineering services for Continental Europe at Chubb.
“The company finally accepted it was a critical business and, in this instance, I’ve seen a positive impact already because this company has decided to separate its SCADA [supervisory control and data acquisition] network from the internet. It’s good that at least companies are starting to think about it, and will have to report to authorities what they are going to do and how they are going to do it. This thinking will lead to a higher awareness in an organisation and that’s very positive.”
Although question marks remain around how the new directive will be precisely implemented, no one doubts that NIS will have a positive impact on Europe’s ability to thwart would-be hackers. Intelligence-sharing among companies and member states on the nature, extent and methods of attack will undoubtedly enable businesses to bolster their cyber defences. It will not stop attacks completely, but it should help to minimise the damage caused.
Daniël Jacobs, Cyber Manager for Benelux at Chubb
daniel.jacobs@chubb.com
This article was originally published in Chubb’s Progress Magazine 2017.