Infosec pros give verdict on EU’s new cybersecurity strategy: “Nice try”

The European Commission on Wednesday launched a proposal for a new cybersecurity strategy that, as some dissatisfied infosec professionals see it, has good intentions but great fuzziness.

The EC worked with the High Representative of the Union for Foreign Affairs and Security Policy on the new strategy, which it paired with a proposed directive on how to implement it.

The directive calls for each EU member state to set up Computer Emergency Response Teams (CERTs) to handle hacking and malware crises.

It also outlines blueprints for dealing with major incidents and puts pressure on private companies in various vertical sectors, such as banking, to be less shy about reporting major breaches.

TechCrunch has embedded the directive proposal here. An FAQ is located here.

Here are the directive’s main points, paired with explanations of why they miss the mark, courtesy of Sophos’s James Lyne:

  • Each member state must create a CERT, although most already have one.
  • Member states will each nominate a “single national competent authority” (with some specificity as to what this may involve, such as forensic and malware skills) to co-ordinate and handle incidents.

    These authorities will work with the European Network and Information Security Agency (ENISA) centrally and potentially other military/intelligence bodies such as NATO to drive change.

    Unfortunately, Lyne says, this will be a challenge when it comes to jurisdiction. Lyne points to a European Digital Rights editorial by Ross Anderson that provides a good example of this issue.

    For one thing, Anderson writes, the directive misdirects funds away from police, who have the primary responsibility for catching cybercrooks, and funnels that needed money into intelligence agencies (aka spies) instead.

    It is, Anderson says, “an attempt to militarise security in cyberspace.”

    The UK has ample experience with this kind of lopsided infosec spending: it allocated 59% of its £640m (approx. 770m Euro) cybersecurity budget for 2011-2015 to GCHQ (the British signals intelligence agency).

    That’s money that could have been spent on police efforts to fight cybercrime, Anderson points out:

    "Rather than giving the police the resources they need to catch cyber-crooks and put them in jail, the UK government decided to give most of the money to the spies so they could go commit more cyber-crimes (albeit in other people's countries)."

    "It is a tragedy that the European Union is now considering following this UK- and US-centric policy lead."

  • Loosely defined breach notification for specific sectors such as banking, energy, Internet companies, healthcare etc. – although, Lyne says, there’s no clear separation of breaches that are caused by negligence vs. those that result from organisations being targeted by cybercriminals.
  • An element of the proposal also talks about agencies and ENISA having access to “sufficient information”, but that, Lyne says, is language that’s liable to rile privacy advocates.

The EC has noted that the proposal is intended to provide direction rather than be specific with regard to implementation.

Unfortunately, it needs more specificity, Lyne says, lest certain elements cause harm if executed incorrectly.

He points to breach notification as a case in point:

"A comment made alongside the release says that 'as breaches are so normal they should not be alarming... to report'. This is tragically misguided, as attacks such as those against Sony have demonstrated. A private scheme of breach notification to build authority visibility to efficiently tackle security issues could be helpful."

"However, moving from the present scheme of information asymmetry (where organisations often hide their breaches) to greater transparency could work against recent work to create trust and cause concern and economic damage. This is an area that needs to be revisited and needs a clearer outline of the objectives and implementation."

Anderson believes that the proposed directive must be rewritten so as to loop back in those in a position to "push back on crime", including the police, network service providers, CERTs, researchers, online service firms, software vendors and security companies.

Lyne, for his part, is glad to see attention being paid to fighting cybercrime and to ensuring collaboration across member states.

It was a nice try, he says, but more clarity on objectives and more specifics on implementation are needed.

Here's hoping we'll see these things take shape in a second go-round.