October is Cyber Awareness Month, and this particular October cyber threats, attacks and cyber crimes are at an all-time high. COVID-19 and the unprecedented shift to working from home have exposed new targets to threats. To tackle this reality and fight these threats head-on, cooperation between industry and governments is key to ensuring that our digital infrastructure is resilient.
While industry has a large responsibility in making this happen as it protects many core critical infrastructures, governments need to step up as well. In particular, securing our crucial sectors, such as public health, will also largely depend on collaborative efforts, for which open international cybersecurity standards and joint approaches to cybersecurity such as threat intelligence sharing are a must. Stakeholders from the public and private sectors need to unite to create collective security.
A strong framework for security requirements
Cybersecurity threats are nearly always cross-border. One cyberattack on critical infrastructure in one country can affect the EU as a whole. The NIS Directive (Directive on security of Network and Information Systems) was adopted in 2016 and came into effect in 2018. It is currently being reviewed and we expect a revised Directive or a Regulation to come into effect beginning in 2021.
IBM strongly supports the development and further enhancement of this legal framework that strengthens cybersecurity in Europe, as we agree that strengthening cybersecurity resilience has benefits for industry, governments and society as a whole. The NIS Directive has played an important part in setting common security requirements across Europe as well as establishing incident reporting procedures. Such requirements and procedures need to be founded on a risk-based approach.
As a leading cloud service provider hosting many customers that provide critical infrastructure (known as Operators of Essential Services or OES), IBM does not believe that expanding the scope of the Directive to include new sectors or services under the OES category is advisable. Adding more sectors will add more burden on Member States and reduce effective supervision, while a narrow approach where Europe concentrates its collective efforts on securing the most critical environments based on risk will be more effective in increasing cyber resilience. In other words, it is better to have an effort that is carefully focused based on risk than trying to boil the ocean.
In addition to the revision of the NIS Directive, the Commission is expected in the coming months to publish its new Cyber Security Strategy with additional measures such as a European Cybersecurity Competence Centre. IBM’s view is that participation in such an initiative should be open to all industry players, and should not be tinged with a European-only, digital sovereignty approach. When it comes to cybersecurity, cooperation is key, not borders.
The Charter of Trust
The value of cooperation is why IBM has been key in putting our global expertise to work in co-founding and driving the Charter of Trust for Cybersecurity, an initiative of world-leading companies which have put cybersecurity at the top of their corporate agendas and want to act together to raise the bar. The Charter of Trust has developed recommendations and requirements for more secure IoT devices and systems, foundational requirements for the supply chains, including the importance of cyber awareness and education. When new cyber attacks are being launched, the Charter of Trust now enables cooperation and swift and responsible threat information sharing between partners to blunt the impact.
IBM has also been supportive of the European Union Agency for Network and Information Security ‘ENISA’, the EU’s agency that deals with cybersecurity, and was represented on its industry advisory body until recently. ENISA provides support to Member States, EU institutions and businesses in key areas, including the implementation of the NIS Directive.
International cooperation is key
In a time when a pandemic not only stress tests our healthcare systems, but our digital systems as well, governments and industry need to step up and work together. The examples above are important steps, but more can and should be done.
Raising awareness, increasing cyber education, applying security as a default, increasing transparency and responsibility throughout the digital supply chain, creating a regulatory framework and international standards, setting up joint initiatives… now is the time to step up the cooperation between governments and industry to protect our digital infrastructure, and European citizens and businesses.
When cybersecurity is nearly always cross-border, the solution should be too.
Authored by: Jonathan Sage, Government And Regulatory Affairs Executive, IBM Europe
Press contact: Michaël Cloots, +32 (0) 496 590 311