The EU’s first laws on cyber security need to deliver real protection to companies, not merely become a “tick box” exercise. Regulators need to ensure that their implementation encompasses all aspects of cyber security, from prevention and detection to response and recovery.
Harshul Joshi, Senior Vice President, Governance, Risk and Compliance at DarkMatter. DarkMatter is a team of cyber security specialists dedicated to providing secure, trusted and integrated protection services. They are headquartered in the UAE and serve clients regionally and globally.
Last week the European Union reached agreement on cyber security rules across all its 28 members: companies critical for the delivery of essential services across the energy, transport, health and banking fields will now have to ensure that their infrastructure is robust enough to withstand cyber-attacks and notify authorities if significant incidents occur.
This is the first time that the EU has ruled directly on cyber security, and it is clearly a response to the exponential growth in cyber security incidents which, according to EU sources, now result in annual losses to the European economy of €260-340 billion (US$284-372 billion). The emphasis on critical national infrastructure is an overdue recognition that, as software and control systems become increasingly integrated, cyber attacks can have real and lasting impacts in the physical world. As the largest economy in the world, this step by the EU is significant; where the EU takes the lead, other nations will often follow.
This is a welcome step in the right direction; the Internet itself is less than 30 years old and it was never built for security. It’s only in the last fifteen years, as it has morphed into a platform for global commerce, that security has become a fundamental concern. The field of cyber security law is extremely new and approaches to combating threats still vary hugely. Inevitably, the efficacy of any new regulations must lie in the details of their implementation: the pre-2008 banking sector was covered by a wide variety of regulations, at a national and trans-national level, but they did not keep pace with the risks of the time and failed to prevent the global crisis, the consequences of which we are all still living with.
It’s just not enough to identify the critical operators in the fields of critical infrastructure and try to raise their security standards: forcing operators to report security breaches is only part of the battle; the point of any law or regulation must be to reduce the overall risk to public safety. Reporting a security breach may already be too late in the game. We need to protect the confidentiality and integrity of entire systems with preventive technologies and, if an incident occurs, respond quickly to remediate vulnerabilities in systems before they are compromised by adversaries. New regulations need to mandate technological and procedural controls across the full spectrum of prevention, detection, response and recovery.
At DarkMatter, we truly integrate cyber security operations with global and national regulations. We take a holistic approach to security, anticipating current and upcoming regulations and adapting them to the specific needs of governments and companies from the executive, to the procedural, to the technological implementation level. Trust should be stamped through both hardware and software from inception, with all systems hardened and, where appropriate, encrypted. Implemented correctly, these building blocks fit together to provide a strong defence. In the UAE, DarkMatter is building a cutting edge Security Operations Center with national and global regulations in mind. In addition, we are helping to launch the UAE’s only owned Certificate Authority, designed to increase trust and ensure cyber-physical security across the whole nation. We ensure that all our solutions bake in current, as well as upcoming, regulations.
We always test any regulation on the basis of its real-world impact. At DarkMatter, one of our key approaches is to simulate a cyber breach in key critical infrastructures, using our team of in-house “hackers”. Having studied the results in a controlled environment, we then work backwards, making sure that the steps being prescribed at the policy level, and their eventual translation at the technological and implementation level, are truly reducing the risks and mitigating the impact of any breaches that do occur.
We’ll be watching the EU’s new regulations closely as they pass through their final stages in the European Parliament. It is vital that they enhance the security of the EU’s nations, and the countries in the GCC which trade with them. These rules began life as a proposal in 2013 and will only be passed into law in 2016 – in the same period, according to Moore’s law, computing power has more than doubled. Any regulations will need to walk the tightrope of being sufficiently robust to force companies into action, without being so specific that they are overtaken by the relentless advance of technology.