The NIS Directive and the potential for European Member State cooperation
As the deadline looms for EU Member States to compile a list of 'essential services' that will require a national strategy to provide a particular standard of cyber security under the Network and Information Systems Directive ('the NIS Directive'), Mark Surguy, Partner at Weightmans, dissects the applicability of the NIS Directive and the potential success of Member States working cooperatively to protect such services.
Imagine a massive cyber attack shutting down your fridge-freezer, immobilising your car and switching off your central heating. Worse still, what if the attack took out all the traffic lights in major cities, disabled railway signals and infiltrated air traffic control? Such a scenario might seem fanciful, but its likelihood seems greater today than ever.
Mindful of the impact of deliberate and malicious attacks, but also taking account of simple system failure, the aim of the NIS Directive is to drive improved collaboration across the European Union and to require each Member State to create a national strategy for the protection of its key network and information systems, with a view to an overall improvement in resilience. Its scope is not all systems operators, but operators of essential services and a limited number of digital service providers that are either established in a Member State or doing business in one or more Member States. By insisting on minimum levels of security and by introducing a national and cross-border system of notification of major incidents, it is hoped that a 'doomsday' scenario such as that outlined above can be avoided or at least contained.
But who is a provider of an essential service? Furthermore, surely digital service providers are already commercially motivated to take their own steps to combat cyber attacks. Do they really need regulatory supervision?
Digital service providers were at one stage going to be excluded from the ambit of the Directive. In the end, however, providers of online search engines, cloud computing services and online marketplaces have been brought within its scope. The application of the NIS Directive to these particular providers was driven by a realisation that digital services are of significant use to many businesses. If these services were taken out of action, there might be no suitable alternatives and the impact on business could be severe. There is also a recognition that operators of essential services may themselves rely on these digital services. Equally, however, the NIS Directive recognises that the degree of risk for digital service providers may be lower than for operators of essential services. For this reason the security requirements of the NIS Directive are less onerous for digital service providers than for operators of essential services.
The fact remains that the standard of security of information systems varies considerably across the European Union with some countries more vulnerable than others. Consumers and businesses are therefore better protected in some Member States than in others. The NIS Directive requires the exchange of information on the kind of incidents that are occurring across the EU, who is being targeted and how best to respond to them. If best practice is shared, it is believed that standards overall will be improved. The NIS Directive also requires national governments to encourage the adoption of international standards (this could be ISO 27001 on information security management, for example) or other relevant European standards. The UK Government has published a set of high-level security principles which it will expect affected operators to observe.
The NIS Directive requires Member States to draw up a list of the operators of essential services. These are the public and private entities of the types specified in the NIS Directive. Examples are an operator of oil pipelines, an electricity undertaking, a road transport authority, a credit institution and the National Health Service. In other words, the NIS Directive focuses on those whose systems, if they failed, would cause major loss, widespread economic damage or significant disruption to supply chains.
The identification of entities to go on the list is not an easy task. Not all operators in a particular sector will be providing essential services. The criteria for identifying such an operator are general: the service provided depends on network and information systems; an incident (an event with an actual adverse effect on the security of those systems) could occur; and such an incident could have a 'significant disruptive effect' on the provision of the service. Read in isolation, this could apply to most businesses. The real defining feature is that the service is 'essential for the maintenance of critical societal and/or economic activities,' although this is somewhat circular. There are more specific criteria to assist the identification process, but the task is far from easy and there is scope for considerable divergence between the Member States as to what is and what is not an 'essential service.' Lists have to be completed by November next year. The UK Government launched a public consultation on 8 August 2017 in respect of the thresholds for identification. For example, an airport with annual passenger numbers in excess of 10 million is the proposed threshold for identifying airport owners or operators that will come within the ambit of the NIS Directive.
By May 2019 the European Commission (the 'Commission') has to report to the European Parliament and the European Council as to what is and what is not an essential service. In the area of air transport for example, those responsible for managing runways will in all likelihood be essential. Those providing restaurants and bars in the departure lounges will be unlikely to qualify for this designation. Member States are expected to discuss this classification system with each other. The Cooperation Group (made up of Member State representatives, the Commission itself and the European Union Agency for Network and Information Security) created by the NIS Directive will help and its first work programme is due for publication in February 2018.
The inter-Member State cooperation is not restricted to identifying the operators of essential services but extends to reporting security incidents and discussing best practices to respond to them. Not all incidents are to be reported, however, but only those which have a significant impact on the continuity of the essential service (in the case of operators of essential services) or a substantial impact on the provision of the service (in the case of digital service providers). Again, it is only the operators of essential services and the limited number of digital service providers who are caught by the compulsory reporting requirements. Others will be encouraged to report voluntarily, much in the way that Action Fraud has operated in the UK as a central reporting and information gathering point for incidents of fraud, including cyber fraud. The UK has proposed that the National Cyber Security Centre will coordinate incident reporting.
The work involved in determining what should and what should not be reported on a compulsory basis is considerable. Cooperation is naturally difficult where fragmented approaches are in use. The Cooperation Group certainly faces a challenging time in comparing national strategies, collecting best practice and exchanging ideas with a string of Union agencies and institutions as the NIS Directive requires. This is an unprecedented information sharing and data gathering exercise. The extent to which the detail will be made public remains to be seen, but the information likely to be assembled is vast. In effect, the collaboration will pool the capability, know-how, experiences, actual reported incidents and the outcomes of simulated events across the entire EU. The Commission has to report on how the Directive is functioning in mid-2021, by which time considerable convergence in knowledge and approach is likely to have occurred.
Each Member State is to designate one or more competent authorities to enforce the provisions of the NIS Directive and a single point of contact to coordinate incident reporting. Separately or within the competent authority itself, a computer security incident response team ('CSIRT') must be designated to deal with risk and incident handling. The national CSIRTs are to share information with each other. In the UK it is proposed that the National Cyber Security Centre be the CSIRT.
Crucial to this working well will be the provision of sufficient resources by government. It will not be obvious what level of staffing will be required but governments may choose to designate an existing authority as the competent authority without necessarily having to create a new one. In the UK it is proposed to tackle the issue along sector lines and to designate the existing authority as the competent authority. So, for example, the competent authority for digital infrastructure will be Ofcom. These designated authorities will have a role in developing guidelines as to what incidents are to be reported.
Reporting can be onerous and expensive. The operators of essential services and the relevant digital service providers will want to be clear how this will work in practice in order that effective and streamlined processes can be introduced to ensure that reporting takes place properly and that an identifiable line can be drawn between what is reportable and what is not. If one draws a comparison with the interpretation of the requirement to report suspicious activity under the Proceeds of Crime Act 2002 (to take the UK legislation), reports were filed of so many activities that the competent authority was overwhelmed. Could the same happen with security incident reporting?
The first formal summary report of notifiable incidents required by the NIS Directive is due in August next year. At the same time the Cooperation Group and the CSIRTs are to report on the way cooperation has taken place. It should become clearer at this point how manageable the process is going to be in practice.
The NIS Directive obliges Member States to adopt a national strategy for ensuring a high level of network and information systems security for at least the essential services, cloud computing services, online search engines and online marketplaces. The UK considers that its 2016 National Cyber Security Strategy meets the requirements of the Directive (or at least can be easily amended to do so). In addition to formulating a national strategy, governments are required to ensure that the operators of essential services and the digital service providers caught by the Directive have risk management systems in place and have these systems documented so they can be evaluated. The regulation of these sectors could be extended to other sectors at national level, but national governments are not permitted by the NIS Directive to impose any burdens on digital service providers beyond those contained in the Directive itself. At its heart will be the adoption of security policies by the relevant business sectors. These businesses will need to be able to prove the policies are in place and are being followed.
It is easy to write a policy, but far more difficult to implement and monitor one. The national laws that will be needed to enforce these requirements will include powers for the designated authorities to require disclosure of documents and information to audit the new policies along with powers to direct the remediation of any deficiencies. Local laws to implement the NIS Directive have to be published by May next year by which time it is assumed that national strategies will have to have been formulated. In order to enforce compliance, these laws will include penalties for non-compliance. It will be interesting to see what penalties the UK Government will impose.
The General Data Protection Regulation ('GDPR') will be in force by then with its turnover based fines. Whilst the GDPR covers the use of personal data across all sectors, the NIS Directive is not limited to personal data but is restricted in its application to the specified sectors. Will operators of cloud computing services and the private utility operators, for example, be exposed to turnover based fines for not having demonstrable cyber risk management policies in place? If so, the risks of non-compliance will be considerable. The UK's recent public consultation is proposing turnover based fines of €10 million or 2% of turnover for lower level offences and €20 million or 4% of turnover for more serious ones.
An interesting comparison might be the regulatory and voluntary codes to combat bribery which have improved the risk management culture in that specific context. Their overall success is still being assessed in practice, but the model of an international agreement implemented in local law is already established in the bribery context, suggesting that such an agreement in the cyber context may work equally well.
Computer hardware manufacturers and software developers are not within the scope of the Directive because they do not provide essential services or digital services. Their role in cyber security cannot be ignored, however. At present, the incentive for these suppliers is the protection of their commercial reputation and the risk of expensive lawsuits for breaching product liability rules. However, there is a view (which this writer has heard expressed by Cal Leeming, a reformed hacker) that there is insufficient incentive for 'security by design' at the manufacturing/design stage. A possible focus of future attention in combatting cyber attacks and cyber failures might be the expansion of the liability of the makers of components, products and services towards the front-line operators.
One other area that should not be overlooked in network security is the degree of reliance on technology in the first place. Surely the most secure means for operators of essential services (certainly as regards malicious attacks) is to reduce their reliance on technology where possible? In the recent bout of ransomware attacks, victims had little choice but to use paper and pens to continue to operate whilst their systems were locked and their data encrypted. With the cost of cyber incidents being quantified more and more accurately, a cost-benefit analysis may reveal that in the long run, less dependency on technology is in fact safer and more cost effective. The UK Government is committed to the Directive notwithstanding Brexit. It should lead to a safer Europe.
This article was first published in the August edition of Cyber Security Practitioner.