By BROOKS TIGNER
BRUSSELS – The 27 EU countries know they are fated to work far more closely with the private sector to combat cyber-threats, but how to do this? A number of national officials are now advocating mandatory incident-reporting but say it must not include a channel to law enforcement authorities, for fear of raising privacy concerns or discouraging the reporting.
“I think we need a mandatory IT-incident reporting system but not to law enforcement authorities. It must go directly from the private sector and general public to the non-police parts of the government,” said Helena Lindberg, director general of the Swedish Civil Contingencies Agency. “A number of our government agencies, banks and media were hit hard recently by cyber-attacks but we don’t know where they came from.”
Ways to tackle incident-reporting and other cyber-security challenges were aired by Lindberg and officials from other EU countries during a semi-closed policy debate here on 2 October held by the Security and Defence Agenda discussion forum.
Fellow participant Pauline Neville-Jones, the UK cabinet’s special representative to business on cyber-security, said her government is trying to get a fix on the vulnerabilities but admitted “there is a long way to go. The reporting is lacking in the UK and the capabilities in nearly all the member states are low,” she observed. “But as soon as you talk about the ‘how’ of tackling cyber-threats, it becomes absolutely clear you must have PPPs [public-private partnerships]: you are locked into this unavoidable relationship.”
She said that relationship means “reporting to the government would have to be confidential – and not made public [for reasons of protecting commercially sensitive business information]. But we should not forget that the priority of any [system’s security] breach reporting is to plug the breach itself – not the act of reporting. A 24-hour deadline for reporting would be too prescriptive.”
In Neville-Jones’ view, regulating industry to force it to take better preparatory steps is not practical. “If one put a regulatory clamp on a company’s preparatory ‘output’, how would you determine what is good enough? I think some kind of accreditation system is needed instead,” she observed.
Annemarie Zielstra agreed. Director of the Netherlands’ Centre for Protection of National Infrastructure, she said “this is about reputational management, and we are working on a certification system for ‘cyber-defenders’ in the private sector.”
Noting that her country launched PPPs as early as 2006 across 13 sectors to prevent attacks against process-control systems, cyber-espionage and other threats, Zielstra declared that “we think it’s time for the next step: awareness in the boardroom. Boards must understand the scale of the cyber-threats to their companies’ very viability – and they don’t.”
Neville-Jones also noted that “companies don’t even know they are losing their IP [intellectual property] or business information. It’s a matter of situational awareness, and boardrooms must take cyber-security as seriously as they do their P/L [profit/loss] metrics. Even audit and accounting firms are starting to assess the risks and assigning costs to potential cyber-threats.”
Meanwhile, the attacks will continue, which calls for the tools to investigate them, namely, cyber-forensics – an expensive capability. “This is, dead on, one of our central problems and we are trying to figure out how to get this to our police,” said Neville-Jones.
Unfortunately, governments have to compete with the private sector for this expensive, highly specialised expertise. That leaves little choice but to nurture the development of cyber-forensic skills over the long term.
For example, Luxembourg has a three-tiered approach to risk assessment based on installing best practice at the level of local government, schools and small businesses. It reaches out to the latter in particular by offering cyber-security audits of the workplace to identify cyber-vulnerabilities and how to counter them.
In Sweden, Lindberg’s agency is working up an educational package for schools to reach 11-year-olds – those just on the cusp of diving seriously into the cyber-world – “to teach them about safe cyber-practices and how to avoid risk,” she said.
The UK is taking similar steps. “We are redesigning the country’s educational curriculum because there is no career path in our schools today that leads to cyber-forensics,” observed Neville-Jones. “The country will need some half a million IT/cyber-forensic experts in the future – and we are far from that.”
Luukas Ilves, head of international cooperation at the Estonian Information Systems Authority, said “the trillion-dollar question hanging over all of this is what to do about the cloud. The future will see companies and even whole sectors consolidate all their accounting activities onto cloud-based platforms. How to regulate that and guard against illicit infiltration? We are looking to the EU for guidance here.”
That may not be coming any time soon, however. “It’s very hard to convince high levels of government to invest in IT as long as there is nothing that visibly blows up [due to lack of investment],” one EU official observed after the debate. “It’s a vicious circle, particularly in this period of financial crisis.”