Data Security & Privacy

Self-Regulation Does Not Provide ‘Sufficient Protection’ Against APTs – EU to Adopt New Cybersecurity Rules

Advanced Persistent Threats, or "APTs" as they are known to cyber-security experts, occur when individuals or groups gain unauthorized access to a computer network with the intent to cause a persistent, catastrophic interruption of mission-critical functions. For quite some time, governments around the world have taken a "hands-off" approach to regulating how organizations secure their mission-critical information. For companies that do business on the Internet, self-regulation is seen as the best way to avoid stifling innovation.

Oh how the good times are about to come to an end in Europe. According to a draft proposal presented to the European Union on Thursday, the number of "incidents" in which information systems are affected by security failures has become "bigger, more frequent, and more complex[,]" and it is therefore being recommended that all 27 member nations of the EU vote to approve new cyber-security rules that would require search engines, energy providers, banks and other companies to report disruptions to government authorities.

"The current situation in the EU, reflecting the purely voluntary approach followed so far, does not provide sufficient protection against network and information security incidents and risks across the EU."

The EU member nations are looking to intensify global efforts to fight cyber-crime in order to gain consumer confidence in online economies. The proposal being submitted to the EU parliament on Thursday would affect U.S. companies that have subsidiaries based in EU member states (an estimated 40,000 businesses). EU officials have stressed the importance of Trans-Atlantic cooperation in dealing with cyber-security matters, but a recent bill put before Congress in August 2012 was blocked by Republican lawmakers. The risk to U.S.-based businesses is that conflicting reporting requirements could render them compliant in one country while violating the law in another. Because the EU and U.S. are oceans apart (not just the Atlantic) in their approach to cyber-security measures, the most likely scenario is that some sort of "safe-harbor" provision is allowed so as not to be an impediment to trade or commerce.
