This post originally appeared in CSO Magazine.
Everyone in the security world is talking about the EU’s General Data Protection Regulation (GDPR), and rightly so. GDPR is almost in full force, supplanting the older (and some will argue, out of date) EU Data Protection Directive (DPD). I don’t think regular readers of security news need to be reminded of the severity of penalties that the EU can levy against negligent misuse and abuse of EU citizens’ data.
But there’s another deadline in May that needs to be paid heed. While GDPR primarily deals with data and how it is used, the NIS Directive is “the first piece of EU-wide legislation on cybersecurity.” The directive was adopted in July 2016 and the European Parliament gave EU Member States 21 months to adopt the directive into their respective state laws, and another half a year to identify the organizations, both public and private, that must adhere to the directive.
Earlier this week the UK announced how they plan to adopt the NIS Directive and some of the measures organizations must take to ensure compliance with the directive. The NIS Directive was designed to focus on key critical portions of Member States’ information technology infrastructures – sectors like public utilities, power generators, transportation providers, and organizations providing healthcare for the public – all the basic services a nation needs to operate today. The NIS Directive considers each of these sectors as “Operators of Essential Services,” or OESs.
While currently the NIS Directive only applies to the OESs, the UK’s National Cyber Security Centre (NCSC) recommends that everyone should pay the directive heed. It’s clear this new directive was pushed forward after the substantial impact many attacks have had in recent years on public infrastructure and essential utilities. WannaCry’s disproportionate impact on the networks of the National Health Service (NHS) is clearly not being forgotten by the NCSC.
The NCSC itself understands how complex and difficult it will be to prepare for any and all cyber-related eventualities, and because of this, the guidelines being provided are intentionally vague. In practice, this gives OESs significant freedom and latitude to design, build, and monitor their unique infrastructures in the ways they deem best. Will that be enough?
The top-level objectives of the directive are pretty straightforward:
- Each organization needs to adequately and appropriately manage security risk.
- Each OES needs to have “proportionate” security infrastructure to protect their assets from attack.
- They must have the ability to monitor the effectiveness of their defences and to detect security incidents.
- They must also be able to minimize the severity of incidents and be able to restore services if an attack succeeds in affecting the availability of critical services.
Failure to comply can lead to fines as large as £17M ($24M USD). But the fines themselves seem to be a last resort for the UK after continued failure by OESs to improve and learn from incidents. It appears there is going to be a lot of assistance provided to organizations by Her Majesty’s government, which will be a boon for many organizations that may have fallen behind on cybersecurity obligations. Though, I find this method to be a double-edged sword. Being pragmatic in understanding that breaches and incidents are going to happen and allowing organizations the ability to learn and improve from them is great. Yet at the same time, the lack of sharp teeth ready to take a giant financial bite out of an organization may give some the false sense that punitive enforcement is just a paper tiger. I guess we shall see if it is enough.
The biggest takeaway for any organization, even if you aren’t an OES, is that we are entering a new period of regulatory enforcement of cybersecurity-related issues. This is likely just the beginning, and I would not bet against seeing more and more similar rules being adopted all over the globe as things like GDPR and the NIS Directive claim their first sets of penalties. Thankfully, if you’re already thinking about how to comply with GDPR, there will be a significant amount of overlap between the two obligations and in many cases, you will be able to kill two birds with one stone.
But just like GDPR, organizations are going to need to shine some very bright flashlights under the bed to coax out all the monsters hiding under there – before some sharp teeth decide to take a chomp or two.