EU Cyber Strategy – A Risk of Overkill!

Posted on February 11, 2013


Last Thursday the European Commission of the European Union (EU) released its much-leaked and long-awaited cybersecurity plan to protect an open internet and online freedom and opportunity: the ‘Cyber Security Strategy and Proposal for a Directive’.

The challenge facing all nations and individuals alike is the growing impact of cyber threats. This is fundamentally what the European Commission is attempting to address for the whole of the EU, by encompassing an eye-watering range of disciplines and jurisdictions: law enforcement, defence, the digital agenda, security and foreign policy. On the face of it the format fits the EU objectives of greater integration and harmony, but under the surface it has all the hallmarks of an exercise in herding cats. The rubber will not really hit the road until we see the action plans, and the monitoring process to qualify results, that will be fundamental to exercising and delivering on this ambitious strategy. That latter point is the Achilles heel of the exercise in tight economic times, when the EU budget has to reflect the austerity measures of its members with NO exceptions.

Most worrying is the cost of delivery over the timescale this whole process will take to implement. In the meantime cybercrime grows more creative, maturing as fast as, if not faster than, the innovation engine that drives the digital landscape, which is itself evolving at an ever faster rate.

In summary, the politicians and their unelected cohorts of bureaucrats will forever be playing catch-up. The fear is that in their haste they will ride roughshod over some of our core democratic rights. As the Dutch Member of the European Parliament Sophie in ‘t Veld was quoted as saying: “The lines are being blurred and we need to safeguard the fundamental rights we expect in a democracy and not cede disproportionate powers to law enforcement”.

The rolling up of all these powers has a very dark side, one that is open to abuse. The danger is that once the powers are in place, the temptation and convenience of leveraging them can become too compelling for any elected governing entity, and the European Commission has not adequately addressed historical challenges to its own trust and credibility record in too many areas to be endowed with this level of centralised power.

The exercise the EU is going through signals the need for a new approach: instead of something with a Big Brother flavour, an approach that reflects the changing nature of the environment being addressed. The problem is that teaching an old dog new tricks is easier said than done, especially when what we are talking about goes on largely behind closed doors, where unelected bureaucrats influence our elected politicians and launch sallies of conditions on our lives.

Actions speak louder than words and one thing the new digital economy is good at is making things happen, and happen FAST.

Estonia, with its implementation of X-Road and individual digital certificates, demonstrates that where there is a will there is a way, and that leveraging existing technology (not having to reinvent anything) can be an effective remedy. It is encouraging to see that Toomas Hendrik Ilves, the President of Estonia, has been elected Chairman of the European Cloud Partnership Steering Board. But more needs to be done, faster.

As I wrote just before Christmas in ‘Data Security – It’s in the Name!’, we should perhaps take a fresh perspective on the problem: protect the DATA itself and worry less about the environments the data exists in (networks/cables, computers/servers/PCs, smart devices, datacentres/offices etc.). Why? Because it is really about managing the risk of loss of DATA availability, and that is an EDUCATIONAL issue more than a regulatory and legislative requirement. Risk management accepts that there will be failures; that is the REAL WORLD.

Take for example:

  1. The internet – It was designed to keep functioning when large parts of it are destroyed. It is largely self-healing and can route around network failures or even whole regional blackouts. If so much of the internet goes down that it ceases to function, no EU strategy is going to help. Furthermore, cyber terrorists are unlikely to see much gain in the digital equivalent of triggering an extinction event by killing the internet!
  2. Datacentres – Designed for failure; if yours is not, perhaps you should be re-evaluating your datacentre provider 😉
  3. Computers – These are commodities today and, with the exception of a few specialist systems, disposable, with affordable options for data resilience through external backup media or cloud storage that put scalable backup within reach of even the most economically distressed. Or, for the more paranoid, both!
  4. Smart devices – It’s in the name. If they are doing their job they should be replicating core data and configuration settings to resilient external storage, so that a replacement device can be provisioned conveniently.
  5. Data – Information Rights Management (similar to that used by the music industry) encrypts data objects such as digital documents (Microsoft Office files) so they can only be read by those the creator intended the document to be shared with. Theft of the files then becomes futile: remove the attraction and the threat is expunged, provided the recipients’ own keys are properly protected. The same principles apply to automated database functions and exported record sets.
  6. Digital certificates – A means for individuals to identify themselves consistently, so that access to data can be reliably managed and TRUSTED.
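To make item 5 concrete, here is an added example, not from the original post and not any vendor’s IRM product: a document is encrypted under a fresh random content key, and that key is wrapped to each intended recipient’s public key, so a copy of the file is useless to anyone else. The function names (Protect, Open, NewKey), the sample document and the third “thief” key pair are constructed for illustration. Full IRM products go further and enforce usage policies (no print, no forward) inside a trusted reader; this shows only the core mechanism that makes a stolen copy worthless.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// ProtectedDoc is what actually travels or sits on disk: the encrypted document plus
// the content key wrapped once per intended recipient. A thief gets only this.
type ProtectedDoc struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[[32]byte][]byte // public-key fingerprint -> RSA-OAEP-wrapped content key
}

// NewKey makes a recipient's personal key pair (in practice it would live on an ID card or token).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// fingerprint binds a key slot to a public key, not to a name a thief could simply claim.
func fingerprint(pub *rsa.PublicKey) [32]byte {
	return sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts doc with a fresh AES-256-GCM content key and wraps that key to every recipient.
func Protect(doc []byte, recipients ...*rsa.PublicKey) (*ProtectedDoc, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients: nobody could ever read the document")
	}
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p := &ProtectedDoc{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, doc, nil), WrappedKeys: map[[32]byte][]byte{}}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		p.WrappedKeys[fingerprint(pub)] = wrapped
	}
	return p, nil
}

// Open recovers the document for the holder of priv. A non-recipient has no slot to
// unwrap, and a modified ciphertext fails the GCM check instead of decrypting to garbage.
func Open(p *ProtectedDoc, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := p.WrappedKeys[fingerprint(&priv.PublicKey)]
	if !ok {
		return nil, errors.New("not an intended recipient")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
}

func main() {
	alice, bob, mallory := NewKey(), NewKey(), NewKey() // mallory: constructed thief of the file
	p, err := Protect([]byte("Board minutes, February 2013: confidential"), &alice.PublicKey, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	for _, k := range []*rsa.PrivateKey{alice, bob, mallory} {
		got, err := Open(p, k)
		fmt.Printf("%q err=%v\n", got, err)
	}
}
```

Run with `go run`: the first two key holders recover the text and the third gets “not an intended recipient”. The wrapped keys are indexed by a fingerprint of the public key rather than by a name, so a thief cannot help themselves by claiming to be one of the recipients, and GCM rejects a tampered file rather than returning garbage. None of this helps if a recipient’s private key is lifted from an unprotected laptop, which is exactly why the Estonian model keeps it on a card.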

What society actually demands is mandatory digital education, taught like learning to tie your shoelaces and covering, among other areas:

  • Backup (and restore).
  • Encryption.
  • Digital Certificates.

At the moment society is learning by osmosis and urban myth. Times have changed, and so must our approach. The EU cybersecurity plan may have a place at the national response level, but quite possibly there are more practical and immediate means of addressing needs further down the social hierarchy, ones that would not impose on small and medium-sized enterprises (SMEs) the cost burden the current strategy would.

Remove the ease with which data can be breached, and the requirement for security and data-breach notification regimes starts to look like a somewhat dated control.