An Eerie Silence on Cybersecurity? Not for the EU

An interesting article popped up in The New York Times (best paper on earth) feed today. Titled “An Eerie Silence on Cybersecurity,” this editorial takes a look at the reasons so many American companies have been quiet about cyberattacks on their systems. Fear of stakeholder reaction to disclosures? Reputational fallout? Unwanted government scrutiny? Possible lawsuits?

The reality is that industrial espionage, counterfeiting, data theft and data manipulation together cost companies billions of Euros. In the UK alone, the Ministry of Defence puts the cost of cybercrime at over €13 billion per year. And in 2012, 93% of large companies and 75% of small businesses had suffered cybersecurity breaches. However, very few of them communicate about it.

In the US, President Obama’s recent executive order on cybersecurity proposes a voluntary sharing of information from business.

But EU proposals released earlier this month go even further.

Alongside an over-arching Cybersecurity Strategy, the European Commission has proposed a Directive with measures to ensure a harmonized level of network and information security across the EU. What does this mean in non-EU jargon? The EU wants its Member States and businesses to be more equally prepared to prevent, detect, respond to and recover from cyber incidents. It singles out a number of sectors which need to boost their preparedness, including:

  • “critical” infrastructure operators in energy (oil, gas, electricity), transport (airlines, airports, traffic management, rail, logistics), banking, and healthcare services (electronic medical devices in hospitals and electronic patient records)
  • “key” internet companies such as payment services, social networks, search engines, cloud services, apps providers, e-commerce platforms, video sharing platforms and voice-over-Internet providers.

The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.” The Directive also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it.

The New York Times editorial makes an interesting point – by keeping quiet, companies are likely making it more difficult for others to protect themselves against increasingly complex attacks. Many industries are not properly prepared. However, it will be important for governments and business to work together in the months to come to reassure industry that their commercial interests are not harmed in the process.

Key internet companies in Brussels have been following EU developments in this area – which are closely linked with EU legislation on telecommunications and data protection. But other sectors, such as energy, transport, financial services and healthcare, should be taking a closer look at what this debate will mean to them. Because in all likelihood, silence will not be an option in Brussels…

For more insight on the EU’s cybersecurity proposals, take a look at this FH Spotlight.