Critical infrastructure firms face crackdown over poor cybersecurity

Another peculiarity is that the government announcement doesn’t once mention the EU. Instead, the NIS directive is presented as an important part of the U.K. Cyber Security Strategy, even though it is an EU initiative. A pattern is emerging here: the removal of mobile roaming fees, a ban on hidden credit card charges and environmental initiatives have all been claimed as U.K. policies by Theresa May’s government without any adequate attribution to the EU. Digital minister Margot James said: “We are setting out new and robust cybersecurity measures to help ensure the U.K. is the safest place in the world to live and be online. We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services.”

Who needs to be aware of the NIS directive?
The government consultation response clarifies which operators of essential services and digital service providers the directive will apply to, once transposed into U.K. law. It uses a narrow definition of “essential”, excluding sectors such as government and food. Small firms are mostly excused from compliance; nuclear power generation has been left out, presumably to cover it exclusively under national security; and electricity generators are excluded from compliance if they don’t have smart metering in place. Digital service providers expected to comply with the NIS directive include cloud services (such as those providing data storage or email), online marketplaces and search engines.

The law requires one or more “competent authorities”, which the U.K. plans to organize by sector. This means the communications regulator Ofcom will oversee digital infrastructure businesses and the data watchdog, the ICO, will regulate digital service providers. These authorities will receive reports on incidents, give directions to operators and set appropriate fines.

It’s worth noting that the ICO, in its multiple roles, could fine a service provider twice for different aspects of the same incident – once for non-compliance with NIS and once for non-compliance with GDPR. But an incident needs to be considered significant in order to be on the radar for this directive. Significance will be judged on the number of affected users, the duration and geographical spread of any disruption and the severity of the impact.

Clearly, once this legislation is in place, the next WannaCry-style incident will be closely scrutinized by regulators to see how well-prepared organizations are to deal with such a major event.

National and international coordination
The coordination of many NIS activities falls to the U.K.’s National Cyber Security Centre (NCSC), part of the government’s surveillance agency, GCHQ. It will provide the centralized computer security incident response team (CSIRT), and act as the “single point of contact” to collaborate with international peers as a major cyberattack unfolds. The NCSC will play a central role in reporting and analyzing incidents, but remains out of the loop on enforcing the law and fines.

Sharing cyber incident information within an industry sector or internationally is important for larger scale analysis and better overall resilience. However, there are risks due to the inclusion of cyber vulnerability implications, business critical information and personal data in such sensitive reports. Two EU research projects (NeCS and C3ISP) aim to address these risks through the use of privacy preserving methods and security policies. The C3ISP project says its “mission is to define a collaborative and confidential information sharing, analysis and protection framework as a service for cybersecurity management.”

More security standards?
The idea of having prescriptive rules per sector was considered and rejected during the U.K.’s consultation process on the NIS directive. It’s in line with how the GDPR imposes cybersecurity requirements for personal data: it consistently refers to “appropriate technical and organizational measures” to achieve security, without pinning it down to specifics. Such an approach should help with obtaining organizational involvement that goes beyond a compliance culture.

A set of 14 guiding principles has been drawn up, with the NCSC providing detailed advice including helpful links to existing cybersecurity standards. However, the cyber assessment framework, originally promised for release in January this year, won’t be published by the NCSC until late April – a matter of days before the NIS comes into force.

Nonetheless, the NIS directive presents a good drive to improve standards for cybersecurity in essential services, and it is supported by sensible advice from the NCSC with more to come. It would be a shame if the positive aspects of this ended up obscured by hype and panic over fines.

Eerke Boiten is Professor of Cybersecurity, School of Computer Science and Informatics, De Montfort University. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative)