An EU-wide cybersecurity law is due to come into force in May to ensure that organisations providing critical national infrastructure services have robust systems in place to withstand cyber attacks.
The legislation will insist on a set of cybersecurity standards that adequately address events such as last year’s WannaCry ransomware attack, which crippled some ill-prepared NHS services across England.
But, after a consultation process in the UK ended last autumn, the government had been silent until now on its implementation plans for the forthcoming law.
The NIS Directive (Security of Network and Information Systems) was adopted by the European parliament in July 2016. Member states, which for now includes the UK, were given “21 months to transpose the directive into their national laws and six months more to identify operators of essential services.”
The Department for Digital, Culture, Media and Sport (DCMS) finally slipped out its plans on a Sunday, but – given its spin on fines – it doesn’t seem as though the government was attempting to bury the story.
The DCMS warned – in rather alarmist language – that “organisations risk fines of up to £17m if they do not have effective cybersecurity measures” in place. There are echoes of the EU’s General Data Protection Regulation (GDPR), by matching its €20m (£17m) maximum penalty level – though the option to charge 4% of turnover for NIS as well was dropped after consultation.
However, exorbitant penalties have been used as a scare tactic by GDPR snake oil salesmen, despite clear statements from the Information Commissioner’s Office (ICO) indicating a cautious regime. Did the DCMS mean to invite overblown headlines about the NIS directive, too?
Another peculiarity is that the government announcement doesn’t once mention the EU. Instead, the NIS directive is presented as an important part of the UK Cyber Security Strategy, even though it is an EU initiative. A pattern is emerging here: the removal of mobile roaming fees, a ban on hidden credit card charges and environmental initiatives have all been claimed as UK policies by Theresa May’s government without any adequate attribution to the EU. Digital minister Margot James said:
We are setting out new and robust cybersecurity measures to help ensure the UK is the safest place in the world to live and be online. We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services.
Who needs to be aware of the NIS directive?
The government consultation response clarifies which operators of essential services and digital service providers the directive will apply to, once transposed into UK law. It uses a narrow definition of “essential”, excluding sectors such as government and food. Small firms are mostly excused from compliance; nuclear power generation has been left out, presumably to cover it exclusively under national security; and electricity generators are excluded from compliance if they don’t have smart metering in place. Digital service providers expected to comply with the NIS directive include cloud services (such as those providing data storage or email), online marketplaces and search engines.
The law requires one or more “competent authorities”, which the UK plans to organise by sector. It means communications regulator Ofcom will oversee digital infrastructure businesses and data watchdog the ICO will regulate digital service providers. They will receive reports on incidents, give directions to operators and set appropriate fines.
It’s worth noting that the ICO, in its multiple roles, could fine a service provider twice for different aspects of the same incident – once due to non-compliance with NIS and once due to non-compliance with GDPR. But incidents need to be considered significant in order to be on the radar for this directive. It will be judged on the number of affected users, the duration and geographical spread of any disruption and the severity of the impact.
Clearly, once this legislation is in place, the next WannaCry-style incident will be closely scrutinised by regulators to see how well prepared organisations are to deal with such a major event.
National and international coordination
The coordination of many NIS activities falls to the UK’s National Cyber Security Centre (NCSC), part of the government’s surveillance agency, GCHQ. It will provide the centralised computer security incident response team (CSIRT), and act as the “single point of contact” to collaborate with international peers as a major cyber attack unfolds. The NCSC will play a central role in reporting and analysing incidents, but remains out of the loop on enforcing the law and fines.
Sharing cyber incident information within an industry sector or internationally is important for larger scale analysis and better overall resilience. However, there are risks due to the inclusion of cyber vulnerability implications, business critical information and personal data in such sensitive reports. Two EU research projects (NeCS and C3ISP) aim to address these risks through the use of privacy preserving methods and security policies. The C3ISP project says its “mission is to define a collaborative and confidential information sharing, analysis and protection framework as a service for cybersecurity management.”
More security standards?
The idea of having prescriptive rules per sector was considered and rejected during the UK’s consultation process on the NIS directive. It’s in line with how the GDPR imposes cybersecurity requirements for personal data: it consistently refers to “appropriate technical and organisational measures” to achieve security, without pinning it down to specifics. Such an approach should help with obtaining organisational involvement that goes beyond a compliance culture.
A set of 14 guiding principles were drawn up, with the NCSC providing detailed advice including helpful links to existing cybersecurity standards. However, the cyber assessment framework, originally promised for release in January this year, won’t be published by the NCSC until late April – a matter of days before the NIS comes into force.
Nonetheless, the NIS directive presents a good drive to improve standards for cybersecurity in essential services, and it is supported by sensible advice from the NCSC with more to come. It would be a shame if the positive aspects of this ended up obscured by hype and panic over fines.