Cyber security advances up the international agenda
Enisa conducted a similar exercise in 2010 that was limited to public sector bodies and involved 70 experts simulating over 300 cyber attacks designed to cripple the internet and bring down critical infrastructures across Europe. By comparison, the 2012 exercise involved 29 member states, 339 organisations and 571 individuals from both the public and private sector covering cyber security agencies, government ministries, financial institutions, internet service providers and telecommunication firms.
While the exercise was rated positively by 88% of participants, the report’s findings identified a number of operational challenges. The largest of these was ensuring sufficient public-private cooperation across national boundaries and achieving the necessary scalability to complete the exercises given the number of countries involved. In addition, the exercise also revealed crisis management decision-making challenges in certain countries and the importance of keeping technical infrastructure up to date.
Consequently, Enisa has made a number of key recommendations to further the development of pan-European cyber resilience for key infrastructures. These include running more exercises, extra training in crisis procedures, gaining input from critical sectors such as health and transportation, and increasing the involvement of private sector firms in the exercise.
The Enisa report was published shortly before the European Commission proposed a new network and information security (NIS) directive that calls on companies operating critical infrastructure or providing an internet-based information service to adopt cyber risk management practices and meet a minimum standard of network security in order to minimise the threat of cyber attacks.
The new directive was announced as part of the EU Cybersecurity Plan, which is designed to create a greater level of cyber resilience and a common cyber defence policy across Europe. The EU has already established a European Cybercrime Centre to develop new legislation for cybercrime and it is now turning its attention to the practical side of cyber risk management.
“It is time to take coordinated action—the cost of not acting is much higher than the cost of acting,” said Neelie Kroes, European Commission Vice-President for the Digital Agenda.
The EU’s strategy is threefold. Firstly, member states must adopt a NIS strategy and appoint a national authority to prevent, handle and respond to cyber security incidents. Secondly, the EU would like to see a mechanism that allows for greater information sharing between member states and an early warning facility on risks and incidents.
Thirdly, the public and private companies included in the proposed directive’s remit must not only ensure the adoption of cyber risk practices but also report any major cyber security incidents to the relevant national authority.
Telecom, network and internet service providers already have an obligation to report incidents but the EU is proposing to extend this obligation to a further six critical sectors—energy, transport, banking, health, public administration and key internet companies. This last group includes large cloud computing providers, search engines, e-commerce platforms and social networks.
The introduction of public notification rules in the event of a data breach has been instrumental in the adoption of cyber insurance policies in the US and similar rules could come into force in the EU in 2015 through changes to data protection policy. However, the EU’s proposed directive on cyber security will not mandate that every incident be reported or that notifications of cyber incidents be made public.
Concerns regarding the exposure of critical national infrastructure to a cyber-related attack have never been greater, both in Europe and globally. In the US, President Barack Obama announced plans to bolster the protection of computer networks used by critical infrastructures, issuing an Executive Order and using his State of the Union address to publicise the initiative.
“America’s enemies are seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. Now Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks,” he said.
The Executive Order addresses three areas—information sharing, a framework of best practice and privacy protection. According to Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, one of the primary objectives of the Order is to better enable information sharing between government agencies, public sector bodies and private sector companies.
To this end the US Department of Homeland Security’s Enhanced Cybersecurity Services programme will expand to provide constant and updated information to critical infrastructure companies on cyber threats and provide timely warnings to private companies should it have evidence of a potential cyber attack against specific firms.
At the same time the US government is urging company CEOs to be more involved in managing cyber security and suggests a number of key questions to be asked of their security teams.
These relate to the business impact of cyber risks, the number of cyber incidents reported on a weekly basis, the process for informing senior management, the rigour of the company’s cyber security programme and the extent of any cyber incident response plan.
The work to develop a more robust framework nationwide will be led by the country’s National Institute of Standards and Technology (NIST), which will look to incorporate existing consensus standards and best practices rather than set out an entirely new set of rules. “The administration recognises that there are private sector cyber leaders in our critical infrastructure sectors who are already implementing strong cyber security controls, policies and procedures,” said Mr Daniel. “Rather than burdening such organisations with more to do, the Executive Order puts these innovators at the core of informing and driving the development of voluntary best practices.”
The rising threat to critical infrastructure from cyber attacks does raise the question of what role the insurance industry can play in its protection. The US has led the way in terms of insurance adoption, with global premiums from cyber insurance policies in the US passing the $1bn mark for the first time in December 2012, an increase from $800m in 2011.
However, despite this rapid growth, the industry is still seen as embryonic rather than mature.
One of the consequences of the market’s relative immaturity is a lack of standard wording in policies.
A number of cyber-specific policies have existed for some time in the US and are now being made available in Europe. These policies tend to be based on recovery costs in the event of a privacy breach caused by a cyber attack—credit monitoring, customer notification, forensic analysis and any PR costs.
However, according to Miriam Smolen, Partner at US law firm Gilbert, the increased regulatory attention on cyber security will likely lead to an increase in civil liability, either from disgruntled shareholders or compromised customers, alleging that management failed to take sufficient cyber security precautions.
It will also be interesting to see how companies value a business interruption caused by a cyber security breach, she added.
“Up to now we have not seen what kind of damages people will claim in first party coverage in the result of a business interruption. It will be almost impossible for policies to have the right wording to cover all eventualities and we could see this play out in the courts. So it will be interesting to see what the terms of the actual coverage and the exclusions mean when business losses occur,” she explained.