APCO Transatlantic Tech: Progress on Cybersecurity, But No Finish Line in Sight

This post originally appeared on https://apcoworldwide.com/blog/detail/apcoforum/2015/09/03/transatlantic-tech-progress-on-cybersecurity-but-no-finish-line-in-sight

The view from Brussels

As the European Union institutions return from the summer recess, the finishing line for negotiations on the network and information security (NIS) directive remains some distance away. Despite a high-level political agreement on the shape of the legislation, much remains on the table, including the definition of “digital service platforms” (a.k.a. internet enablers) and the obligations they should be subject to under the directive.

Beset by intense debate since its proposal in February 2013, the NIS directive treads a fine line between supporting a European digital single market by increasing trust in the online world and influencing national security approaches for critical infrastructures throughout Europe. High-profile cyberattacks continue to push cybersecurity up the EU policy agenda and into everyday conversations in Brussels.

Following lengthy negotiations both in and between the European Parliament and Council, it seems that the two institutions have broadly agreed on the scope of the directive, threading the needle of deciding what services and providers should be covered under the directive, while allowing sufficient flexibility for the national security needs and preferences of Member States.

Both the European Parliament and Council have agreed that internet enablers would be treated differently from so-called essential services, but there is no consensus on exactly what would be covered by either of these two terms. The Luxembourg Presidency is actively canvassing views from Member States on a proposed definition which meshes parts of the Commission proposal with the definition of “information society service” taken from a 1998 directive on technical standards and regulations. The longer this remains unresolved, the greater the risk of a patchwork of national requirements just after the launch of the Digital Single Market strategy.

What’s next?

While talks drag on, high-profile cyberattacks continue, with the recent grounding of Poland’s national airline LOT and the data breach of Italian cybersecurity company Hacking Team the most recent examples. In terms of national security, many member states don’t want to share huge amounts of information due to the sensitivities involved. It is hoped that such concerns will diminish as the directive enters the implementation phase driven by ENISA and technical expertise from capitals. There’s a good chance of a finalized agreement by the end of the year.

The view from Washington

High-profile cyberattacks have been major news in the U.S. the past few months. Most recently, a data breach of the U.S. Government’s Office of Personnel Management threatens disclosure of personal information of over 21 million current and former U.S. government employees. The Obama Administration and Congress have both made claims to their keen interest and concern over the issue, but consensus, like most issues in Washington, remains beyond reach.

In Washington, cybersecurity policy has not made significant advances since President Obama issued an Executive Order in February 2013. EO 13636 was written to “increase the level of core capabilities for our critical infrastructure to manage cyber risk.” It does this by focusing on three key areas: (1) information sharing, (2) privacy, and (3) the adoption of cybersecurity practices.

These steps are important, yet they are limited in scope to “critical infrastructure,” and there is a broad and increasing number of cybersecurity threats facing businesses and consumers to whom this policy does not apply. Data breaches at consumer-facing entities like Target, Home Depot, Neiman Marcus, and Anthem have raised the stakes for Congress: consumers and companies feel threatened by cyber-attacks and are looking for answers on how best to protect themselves.

Congress has made numerous attempts to enhance the ability of companies to share information with the government, while proposals to strengthen notification rules after data breaches have also been considered. Yet none of these provisions have become law, owing to a myriad of competing priorities in addressing cybersecurity. Most cybersecurity bills have been held up by concerns over one of three issues: litigation exposure, privacy, or authority.

As Congress returns to work, the Senate will again attempt to take up a cybersecurity bill, and Cybersecurity Awareness Month follows in October. While this should see greater initiatives from the Obama administration to combat the range of risks to U.S. cybersecurity, the biggest steps require a legislative solution. If history is any guide, finding a legislative solution for cybersecurity concerns will be a challenge. A balance, let alone consensus, amongst the vast competing interests over security, privacy and capacity has been difficult to find, no matter which party controls Congress and the White House.

What's next?

There is pressure building on Senate Majority Leader McConnell to attempt to pass cybersecurity information-sharing legislation, particularly from major business groups whose companies have been victimized by hacks. Yet even within his own party there are differences of view threatening passage of the bill. Complicating matters is the desire to improve the U.S. government’s own cyber defenses after the OPM breach, and competition for the leading role within government between the NSA, FBI and Department of Homeland Security. Finally, recent news of the ability to hack into cars and other connected devices will continue to present policymakers, consumers and businesses with major questions around security. These three issues are continuing to mount pressure on lawmakers, particularly in Congress, for a consensus approach.
