EU Council promotes ignorance and backwardness in IT security in the e-government by rejecting the obligation to report for the public sector in cyber attacks
March 2015 by KuppingerCole
No obligation to report for the public sector in cyber attacks. The EU Council (Council of the European Union, EU Council of Ministers) last week opposed the plan of the EU Commission that was also endorsed by the European Parliament in which the proposed directive for network and information security, including an obligation to report security-related incidents also for authorities, is anchored. This information was released yesterday by Statewatch, a civil rights organisation. However, operators, including those of Internet exchange points, online providers of payment and e-commerce, social networks, search engines or cloud services should remain subject to the obligation to report.
"This privileged status of public bodies of not having to report data security incidents in the same manner as companies, appears as political patronage in their own right. The thought arises that the public authorities deem their own networks as insecure and their own structures as not sufficiently organized to do what the private sector - with good reason - is required to do," according to Karsten Kinast, lawyer and fellow analyst at the analyst firm KuppingerCole. Kinast continues: "Traditionally, a presumption of innocence in favour of the public sector may not have been an entirely false reflex in other issues. However, this was due to the fact that authorities were subject to comprehensive supervision. If now, an important part of that, namely transparency, is dispensed with, this is a very bad sign. Such secretiveness should belong to history with the abolition of secret processes since the French Revolution."
This decision of the EU Council receives a special twist in the light of the results of the recent study "Digital Risk and Security Awareness Survey" by KuppingerCole. The study shows that around a quarter of the administrators are not at all concerned about the issue of cyber security. In the industry, this value is at a low 8%, in the financial industry at an even lower approx. 2.5%.” That the sector that lags most behind in the field of cyber security is exempted from the obligation to report rules has a certain logic, when looking at the general weaknesses of most EU States in the e-government. How should such a complex topic like cyber security be mastered if even basic tasks in the e-government cannot be managed?”, says Martin Kuppinger, founder and Principal Analyst at KuppingerCole. "Indeed, the fact that many States have great difficulty with the step to e-government, should be a reason to pay particular attention to security and also to use the obligation to report rules in order to have a monitoring role and create incentives for better security", according to Kuppinger.
Also a quote from an audit report by the Schleswig Holstein Regional Court of Audit last August reads as follows: “Although several districts have followed the suggestion of the Regional Court of Audit resulting from the audit in 2004 and have appointed a data protection officer, the level of data protection has not significantly increased. Concepts of data protection and IT security are few and far between. Specialist services and IT posts are neither sufficiently sensitised nor qualified on the topic. Basic elements of data protection such as a public procedure register, testing and release or minimization principle are not observed. Thus the use of IT in most cases is not in accordance with the regulations.”
KuppingerCole also holds that the regulations intended for dealing with notifications are not sufficient. That incidents must only be sent once a year by the Member States to an EU cooperation group and the public should only learn of “individual glitches”, is not sufficient. "Given the dangers of cyber-attacks on states, critical industries, but also on other companies and individuals, a permanent coordination and response to such attacks is required. Only then can the extent really be seen. An annual coordination is definitely not sufficient when looking at the growing number of zero day attacks”, says Martin Kuppinger. “There also need to be clearly defined rules as to when and in what form the public is to learn about what attacks. The public has a right to be informed. In addition, legal certainty can only be established with clear guidelines.”
KuppingerCole recommends that the EU Parliament reject the changes requested by the EU Council and insist on a contemporary policy for network and information security.