In 2013, President Obama signed executive order 13636, Improving Critical Infrastructure Cybersecurity, which, besides getting a lot of attention, also called for the National Institute of Standards and Technology (NIST) to develop guidelines for dealing with cyber threats to the nation’s core infrastructure. NIST has since released a preliminary framework that’s expected to be finalized in February 2014. US cyber security policy is (for now) focused on best practices and depends on voluntary initiatives from energy, transportation, and other essential infrastructure players in the private sector. Over in the European Union, cyber preparedness has taken a different tack—involving, not surprisingly, more regulations. But on both sides of the Atlantic, at least there’s agreement that companies need to do more than just build higher security walls.
In response to its own cyber battles, the EU community drafted another one of its directives in February—in this case, 2013/40/EU. The full EU parliament ultimately passed these new rules, which require member nations to implement tougher sentencing for those initiating cyber attacks launched against many computers—think botnets, DDoS, worms, etc. And for good measure, they’ve criminalized the sale, procurement or use of any software whose primary purpose is cyber warfare. Not surprisingly, pen testing and other security software companies are not very happy.
So far so good—more or less.
But unlike in the US, EU companies will be under direct legal obligations to do something about their cyber defenses. The 2013/40/EU regulations effectively say that firms may incur liabilities if they don’t provide an “appropriate level of protection against cyber attacks”. And there’s another controversial requirement for reporting cyber attacks to national data security authorities.
A good question is how the cyber directive works with existing EU regulations—for example, the Data Protection Directive that the Metadata Era has been posting about over the last year. The answer is that it extends what organizations have to protect: they are currently required to implement security measures to guard consumer personal data—essentially PII—but now have to protect entire infrastructures of routers, devices, software, and servers against any efforts to disrupt or disable them.
Not surprisingly, the new EU cyber directive has caused more than a little controversy and confusion. There’s a lack of clarity about what defines an attack against “many” computers and about the threshold guidelines for reporting a cyber episode. Since each EU member can implement the directive differently, there’ll be another layer of ambiguity for companies that operate across nations—especially an issue for large US social media players in Europe.
While the EU and US have taken different approaches to cyber regulation, there’s consensus that companies need to focus on monitoring and detection as a second line of defense.
Monitoring for unusual patterns in user and system activity is central to NIST’s voluntary guidelines, and it’s a key idea behind the new EU rules. Even if it’s not a strict regulatory requirement in the US yet, we think it’s an idea you’ll want to start seriously exploring as you develop your own cyber security plans for 2014.