On Wednesday, I attended a discussion at the International Institute of Communications on Data Protection, Privacy and Surveillance. The question posed was “Will cyber insecurity fundamentally change how we use the Internet?” Academics, EU insiders and senior industry policy figures led the discussion, with a focus on how to better protect European businesses from being hacked.
The attack on Sony last year, widely reported as carried out by North Korean hackers in response to “The Interview,” brought hacking to the fore. 100 terabytes of sensitive personal information from 47,000 current and former employees was thrust into the public domain. 35 million dollars of infrastructure damage accompanied a PR fallout and an ongoing lawsuit from former employees.
Financial loss to business as a result of security breaches is on the up. Resulting reputational damage and loss of trust can be hard to ascribe a financial value to but few would dispute it can cause serious long-term harm.
The EU has thought the issue very important for some time. Billed as a daring move to legislate a traditionally industry-led arena, the Network Information Security Directive (NISD) aims to ensure that business takes appropriate measures to mitigate risk. Member states will be tasked with forming national strategies for handling threats under the umbrella of a Europe-wide co-operation network. Yet, despite being the centrepiece of its grand Cyber Strategy plan, the directive has wholly failed to meet its December 2014 deadline. Two impediments have stood in the way.
Firstly, initial proposals anticipated a high degree of information sharing amongst member states from the outset. However, digital security is traditionally seen as a national issue and member states have been reticent to share sensitive data with each other. A softer approach where trust is allowed to develop over time is now the order of the day. However, all on the panel were clear that a culture of openness where fixes and problems are shared, rather than suppressed, is essential. It will be crucial for the Commission to build up enough political will in the lengthy and complex negotiations to come if it wants to succeed.
Secondly, digital companies raise particular problems for a pan-European cyber security doctrine. Directives are interpreted differently across nation states. The result may be a patchwork of regulation making compliance difficult and costly for the very companies Europe is looking to promote. Do we really want to impose more regulatory burden on Europe’s digital sector?
The discussion moved to whether super advanced encryption technologies, beyond even the government’s hottest code crackers, should be prohibited. On this, all were in unison. The more sophisticated technologies to protect business, the better. Moreover, tactical and “minor” law enforcement gains do not outweigh preserving a free and unfettered Internet and protecting human rights. Some in the intelligence community might have had something to say here. There was little acknowledgement of geo-political realities, which for some, might help inform where the pendulum lies in this balancing act.
As to whether cyber insecurity will fundamentally change the way we use the Internet, understandably perhaps, there were no clear predictions. Loss of trust can be hard to pin down.
What can be said with some certainty is that with the coming Internet of Things, the capacity for cyber criminality will be growing ever wider.
Photo Credit: “Virus With Death Skull On Computer Screen” by 2nix on Freedigitalphotos.net