Increasing cyber resiliency through Europe's NIS Directive Revision
Mar 18, 2021

In a time of turmoil, and with recent unprecedented cyber breaches such as SolarWinds, the EU’s revision of the NIS Directive is certainly a timely one. As a leading cybersecurity services provider, IBM believes the Revision should focus on increasing collaboration between government and industry and with global industry-led initiatives, prioritising fixing a cyber breach over reporting it, positively incentivising companies with a commercial rationale instead of sanctions, increasing clarity in the reporting process, and establishing global standards with clear technical requirements. We strongly believe these are important steps in increasing the cybersecurity resilience of European governments and organisations.

Global threats

2020 was without a doubt one of the most consequential and transformational years in recent memory: a global pandemic, economic turmoil impacting millions of people’s lives, and social and political unrest. The reverberations from these events affected businesses in profound ways, with many making a major shift to virtual working with distributed workforces.

For cyber adversaries, 2020 offered the ideal circumstances to exploit information systems and communication networks, and provided rich targets in supply chains and critical infrastructure. 2021 has started as 2020 closed: with globally consequential threats that require rapid response and remediation.

The recent SolarWinds exploit, which leveraged a backdoor in network monitoring software to attack government and private sector organisations, demonstrated how third-party risk should be anticipated but cannot be predicted. This cyber breach has demonstrated how important the extended supply chain is. And Europe is not immune: the medical sector, including hospitals, has also been subject to ransomware attacks at a time when its resources are stretched.

What should the revised NIS Directive take into account?

All this operational activity to keep society safe is the backdrop to the EU’s revision of its Security of Network and Information Systems Directive (NISD). Today, IBM provided its input to the public consultation on the NISD review. As one of the leading cybersecurity services providers, we would like to share the following views.

Close collaboration between industry and government agencies is more crucial than ever. The revised NIS Directive should further enhance the framework for collaboration in areas such as raising cyber awareness, building skills, and improving threat intelligence sharing capabilities. The attention to industrial supply chain vulnerability and the manufacturing industry is welcome: the recently published X-Force Intelligence index showed that attacks on operational technology, including manufacturing facilities, are on the rise.

We recommend that the European Commission take into account recommendations from industry-led global initiatives in this area, such as the Charter of Trust for Cybersecurity’s recommendations for baseline security requirements in the digital supply chain. Baseline security requirements, such as the avoidance of backdoors, need to be supplemented by a security-by-design approach to products and services.

We strongly support incident reporting to gain a better understanding of systemic risk. Incident reporting facilitates practical support and intelligence sharing that disrupts or dissipates threats. For incident reporting to be effective, the private sector needs to have efficient methods to share information and collaborate with public institutions. For organisations, especially smaller ones, to be able to develop satisfactory cyber defences, they must not be bamboozled by multiple layers of legislation. The focus should thus be on ensuring that cyber breaches are solved, rather than introducing very tight incident reporting timeframes to regulators. Exposing information about an incident before a patch is applied or operations are restored makes operators and their customers vulnerable to increased hacker attacks.

Reporting obligations should be about incidents and vulnerabilities in the IT systems of important or essential entities, not about the sectors, product groups, software or components that the entity produces or trades more widely. We encourage the European Commission to adhere to this risk-based approach and resist pressure to include broad sectors, such as the software sector, directly in the scope of the Directive.

Legislative frameworks such as the NIS Directive should incentivise positive behaviours rather than rely heavily on sanctions or fines. The proposed sanction and oversight regime should be proportionate to the risk. Too many organisations are underinvested in cyber resilience, especially those that have not had a critical cyber security incident. These organisations require clearer commercial rationales and business drivers to stimulate the prioritisation of, and investment in, cyber risk management. Sanctions and penalties as currently proposed need to be commensurate with this approach. An overly punitive regime could lead to a market disincentive to use transformational technologies such as cloud computing, which has proved particularly important in allowing organisations to operate flexibly and effectively in the COVID-19 environment.

Now that cloud services are categorised as essential in the new proposal, we believe that more clarity is needed as to what kind of incident is reportable to the regulatory authority, and by whom. There needs to be a clearly understood process for essential operators; overlapping responsibilities and multiple reporting obligations will create difficulty and delay the right actions being taken.

Furthermore, IBM calls for global standards with clear technical requirements to improve cybersecurity resilience. Such requirements, including cyber security certification schemes, could take the form either of appropriate risk management systems or of specific technical requirements within a certification scheme. Risk management systems should be accompanied by open, measurable criteria so they can be applied across sectors.

Cyber resilience will only become more important. We believe these recommendations play an important role in allowing Europe’s citizens, governments and businesses to remain safe and flexible in an increasingly digitised society.

Authored by:

Julian Meyrick, Vice President, Security Strategy Risk & Compliance, IBM Security

Jonathan Sage, Government and Regulatory Affairs Executive, IBM Europe

Media contact:

Michaël Cloots

Michael.cloots@be.ibm.com