The current wave of data protection regulations and how it will affect the infosec industry
In 2016, the EU is set to review the next draft of the Network and Information Security (NIS) ‘cybersecurity’ directive, which will bring new compliance requirements into force not just for EU companies but also for non-EU companies that handle EU consumer data. This is echoed in the UK, where the government has rated cyber security as a tier 1 threat and is currently debating a new draft of the “Investigatory Powers Bill”.
Arguably the most criticised part of the proposed bill is the requirement that each Internet Service Provider (ISP) retain 12 months of its customers’ browsing history. The rationale is that law enforcement should have more visibility into an individual’s digital footprint to aid criminal investigations; the government feels that its ability to investigate has been steadily eroded over the years by anonymising tools and by security measures built into applications. If we set aside the right-to-privacy debate and focus purely on the technical security aspects of implementing this, many of the same issues arise as those faced by cloud service providers (CSPs).
What we have seen with CSPs is that the more data you store, the larger the risk and the more attractive a target you become. There is, of course, a central difference between CSPs and ISPs: the protection, storage and safety of this data is a core business function for CSPs, so they already maintain high standards. For ISPs this is not the case. They will have to build or expand their infrastructure to manage this information, which requires careful consideration of how to fund that system and how to encourage best practice in protecting the data once it is gathered.
This data will need protecting; we have already seen numerous cases of consumer records being stolen by hackers, with roughly 80 million taken from Anthem and 145 million from eBay alone. Those records were primarily financial details, website logins and health records, all of which are considered quite sensitive. Internet browsing records are arguably more sensitive still: they could be used for blackmail, extortion, targeted burglary or targeted cyber-attacks. So in creating this well of data we must be careful not to also create a large aggregated store with a single point of failure that is an easy target for hackers.
If the government does not provide specific guidance, and potentially grants, for ISPs to implement the technology needed to protect this data, inconsistent levels of protection are likely across the board, with some ISPs doing a good job and, unfortunately, some doing a bad one. Guidelines or regulations without funding could impose significant extra costs and potentially drive smaller ISPs out of business, reducing competition in the marketplace; guidelines without enforcement could produce a wave of consumer data leaks the like of which this country has not seen. By providing grants, the government could instead support ISPs in deploying high levels of security while also delivering what is effectively a stimulus package to further boost the growth of cybersecurity companies in this country.
More important than how the industry will bear the cost, however, is the question of how this data is protected. There is presently a broad range of data protection solutions in the marketplace, and legislation should not advocate a specific piece of technology as the solution, since products and services are constantly evolving and in some cases change completely. Legislation can, however, specify expected outcomes and levels of data classification, and give concrete guidance on the steps companies must take to protect the data they hold. If the government fails to provide this support and governance to ISPs as part of its new bill, it could quickly see many ISPs failing to secure data properly or, in the worst cases, leaving the sector for fear of reprisals and fines, creating a dearth of competition and a failing internet service throughout the country.
The government has its reasons for wanting to collect this data, and if the bill does go ahead, serious consideration must be given to how the data is protected. Part of that planning must realistically address what happens when there is a breach, what rights the consumer then has, and who is liable for failing to protect the data. There is also a broader question of how this will interact with the Freedom of Information Act and what data will be available on individual request. It is also important to offer incentives to companies that have protected their data to the government standard, and to allow companies that have the right technology deployed and respond appropriately to a breach to avoid fines.
Given the persistent and ever-changing nature of global cybercrime, it is ultimately not the fault of a well-protected company if one attack in 1,000 gets through; that is the nature of the industry, and legislation should be written on the assumption that breaches will happen, even to well-protected companies. Companies should be judged on the quality of their defence, with harsh punishments reserved for those that do not meet the standards.
Turning our attention to Europe’s new NIS Directive, this appears to be a step forward in terms of regulation that is fit for purpose. It has many provisions, such as requiring each member state to adopt a national network and information security strategy that maintains a baseline level of security, and to establish a computer security incident response team (CSIRT) that can co-operate with its counterparts at a pan-European level.
The NIS Directive does seem to be attempting to create the kind of legislative system we advocate in this piece, by pushing responsibility onto the government of each member state to ensure that its public bodies and market operators are secure and compliant with standards to be drafted by the European Commission. If the directive is given the strength it needs, it will hopefully spark a discussion in every member state and raise awareness of what needs to be done.
If that discussion leads to regulations that advocate proper technology standards, and that are incentivised as well as punitive, it could bring about a security renaissance in Europe, one that is sorely needed in the wake of rising cybercrime throughout the world.
It is likely that 2016 will be the year the European Union collectively gets serious about cyber security; it can’t afford not to. There are many ways to do this, such as tax breaks for cybersecurity companies working with critical infrastructure providers, incentives for new security start-ups, specialised university courses and centres of excellence, and many other tactics that have proved effective in countries like Israel, which has a booming cybersecurity industry. Whether a directive is aimed at allowing the authorities to do their job or at helping businesses protect consumer data, there is a clear call for standardisation in matters of cyber security. At the core of all of this there needs to be an informed government and a body of modernised, effective legislation and standards that take into account the practicalities of cybersecurity and provide a collective mandate for companies to follow in improving their own protections.