EU Outlines Internet Security Framework; Some U.S. Companies Concerned
Search engines, social networks, e-commerce, would have reporting requirements
By John Eggerton -- Broadcasting & Cable, 2/7/2013 10:30:45 AM
Billed as "An Open, Safe and Secure Cyberspace," the directives are meant to be a "comprehensive vision on how best to prevent and respond to cyber disruptions and attacks."
The network security portion would require that EU member nations:
"[A]dopt a Network and Information Security [NIS] strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents;
"[Create] a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organize regular peer reviews; and that
"Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services."
The U.S. government has yet to come to an agreement on information security standards, with Democrats pushing for voluntary best practices and most Republicans arguing those best practices are best left to individual companies, saying voluntary guidelines would eventually morph into mandates that could impede swift reaction to cyber threats.
TechAmerica Europe, whose members include Dell and Apple, had some problems with the scope of the EU recommendations, particularly with the broad category of affected online players outlined in part three above.
"While we applaud the Commission's effort to seek to comprehensively address all three pillars of cybersecurity, i.e. people, process and technology, we are concerned about the overly broad scope of the draft network and information security (NIS) directive," the group said in a statement. "The directive extends from developing competent authorities, cooperation networks and secure information exchanges to incident reporting obligations and audits for a broad set of market operators including an indefinite range of providers of Internet services, which is not only broad but is also unclear about the positive outcomes and benefits which it seeks to deliver to the EU and its member states.
"We believe that to be manageable, useful and proportionate, the requirements should be narrowly targeted at sectors which operate truly critical infrastructures. We are concerned that the sweeping and indiscriminate inclusion of 'enablers of Internet-services' in the scope of the directive would fail to strike the delicate, but indispensable, balance between the risk-based prioritization of assets and functions to be protected and the strong interdependencies in cyberspace across sectors and across borders."
Add the Software & Information Industry Association (SIAA) to those who say the EU proposals go too far.
"We are concerned about the scope of the Commission's regulatory approach," the association said in a statement. "It is overly broad, too prescriptive and threatens to suppress the very innovation that will help businesses, governments and citizens anticipate and address changing cybersecurity threats.
"The proposal's cybersecurity performance requirements will likely lead to technical mandates and rigid regulatory standards and reporting obligations. Its scope goes well beyond critical infrastructure, where the harms from cyber-attacks are the greatest. In doing so, it threatens to engulf a broad range of other industries, thereby wasting scarce security resources on areas where the dangers are not urgent."
SIAA members include Google and Bloomberg.