With a greater proportion of personal and professional communications coming through electronic channels than ever before, cybersecurity has become a central social and economic issue. But as European Union officials review their role in ensuring safety and guiding progress, several significant shortcomings have come to the surface.
A shared burden
In a new study on cybersecurity incident reporting, European Network and Information Security Agency (ENISA) analysts Marnix Dekker and Chris Karsberg highlighted several recent events that inspired a deeper investigation into the matter. The report authors pointed to a password breach affecting as many as 6.5 million consumers, the failure of a smartphone vendor's data center that disrupted business communication across the region, and a data security lapse at a certificate authority that allowed hackers to generate fraudulent public-key infrastructure credentials.
"The large outages and data breaches receive extensive media coverage, showing the importance of cybersecurity in society," Dekker and Karsberg wrote. "Many breaches, however, remain undetected and if detected, are not reported to authorities and not known to the public. There is no overall view across the digital society of the incidents, the root causes or the impact for users."
This lack of transparency can be blamed, in part, on the business community, as many companies remain unaware of the threats they are facing or would prefer to keep mistakes under wraps. But the EU legislation intended to root out such discrepancies may not be doing its job either.
Establishing comprehensive cybersecurity legislation has been of particular importance considering the interdependent nature of member states and the interconnection of their business affairs. Several Internet service providers operate across multiple EU countries, for example, making misaligned or contradictory national regulations both an administrative hassle and a security vulnerability.
As a result, the past few years have seen sweeping reforms aimed at standardizing the security and integrity of public communication networks, bolstering privacy protections and developing incident notification protocols. But while many of the provisions govern similar processes, including notification of potential victims and reporting to national authorities, there are some concerning gaps between the laws that can leave proper incident response protocols open to interpretation.
The aforementioned password breach and data center failure, for example, revealed that there was no clear direction for how network service providers should communicate with ENISA and separate authorities following an incident.
"It is important that national authorities and the European Council discuss, agree and clarify the scope of legislation on electronic communications and address these and other gaps," the report stated. "This can be done without necessarily changing the text of existing legislation, such as the telecom regulatory framework, but rather the interpretation of what the services are, because the landscape of electronic communications is continuously changing."
Areas for improvement
Dekker and Karsberg confirmed that an intelligent balance of legal insight and digital tools will be required to satisfy current data protection objectives and stay in a position to handle emerging challenges. The report authors encouraged legislators to press service providers that may not have adequate technical resources to quickly contact outside experts, such as national computer emergency response teams (CERTs), when merited to de-escalate cybersecurity threats.
The success of these collaborative incident response efforts will rely on a spirit of transparency from all parties. Although reporting processes should be codified, according to Dekker and Karsberg, they should not be so cumbersome as to inhibit the quick intervention the situation demands.
Finally, the report authors called for regulators to review the implications of the type of information and level of detail required in incident reporting processes. If too few events are reported, or there is no depth to the data, it will be difficult for ENISA and other authorities to draw meaningful conclusions, uncover trends and issue effective advice.
Security News from SimplySecurity.com by Trend Micro