Share this post:
Thousands of shipments disrupted. Manufacturing halted. Postponement of surgical procedures. Just some of the fallout from cyber attacks in the past few months. As the pace and severity of cyber-attacks show no sign of abating, IBM CEO Ginni Rometty’s 2015 assertion that “cybercrime…. is the greatest threat to every profession, every industry, every company in the world” holds up stronger than ever.
IBM cybersecurity policy expert Nick Coleman
The European Commission’s Cyber Security Strategy, which was published this week, is not a moment too late. We support every effort to raise the bar of cyber resilience. Our daily experiences in cyber security – from devising high-level strategies for global organisations to being on the front line, helping our clients resist cyber-attacks – give us a clear vision of what good public policy looks like.
Having a goal not just to raise the quality of cyber defence amongst organisations across Europe, but also to drive organisations to achieve cyber ‘maturity’ as quickly as possible is essential. A cyber-mature organisation is capable of mastering security challenges from an early detection approach right through to successful recovery from an attack. Enabling a rapid journey to cyber maturity must be the essence of the Commission’s plan. Evolution in general technology is fast, but changes in the cyber world –particularly in the nature and frequency of cyber-attacks – continually break records. Industry, working closely with governments, needs to match that agility.
At the core of any successful cyber policy is a workable framework. A framework for maturity throughout the supply chain, enabling greater collaboration, public-private cooperation, and understanding of threats and risks across common challenges and shared adversaries. Moreover, technology is changing traditional industry verticals which means we must be agile in frameworks and able to operate “beyond silos”. A good example of a workable framework is the NIST framework in the United States. For critical infrastructure security, NIST has created a consistent approach in its use of taxonomies and in how it works with international standards.
We strongly support incident reporting to gain an understanding of systemic risk. Incident reporting facilitates practical support and intelligence sharing that disrupts or dissipates threats. But effective incident reporting requires efficient methods for the private sector to share information and collaborate with public institutions. To avoid needing support to decipher reams of legislation and contrasting requirements – while new attacks are happening every week – we rightly need the most efficient ways for organisation to rapidly reach cyber maturity.
As policies are implemented across the world, a patchwork of approaches is emerging. NATO, Data Protection bodies, Cyber Security agencies and national regulatory authorities need to work together in consistent ways, with common interoperable cyber security frameworks to capture, manage, and share security intelligence. Simplified reporting will let organisations focus on reducing the impact of a cyber threat.
For organisations – particularly smaller organisations – to be able to develop satisfactory cyber defences, they must not be bamboozled by multiple layers of legislation. The cyber security elements of different legislation such as GDPR, the European Banking Regulation and the e-Privacy directive must be harmoniously aligned if organisations are to be able to focus effectively on security while new attacks are happening every week. We need the most efficient ways for organisations to rapidly reach cyber maturity.
Cyber security certification and labelling of objects connected to the internet – IoT – seem in theory like a good route to cyber maturity. In practice, there are key limitations which need consideration. For example: a security label can lull some customers into thinking that their device is safe forever – without the need to update its security. Many consumers may not even know how to update security measures or their devices may not have update capabilities. Implementing and enforcing common cybersecurity standards and encouraging voluntary codes of conduct is a much more trustworthy and feasible approach. In the implementation of the Commission’s strategy we believe that these factors need to be taken into account.
Good policy enables cyber security resilience, keeping citizens safe and healthy, goods moving, and businesses operational. We look forward to engaging with the European Commission in the path towards a renewed cyber security strategy that achieves just that.