The growing dependence of states and societies on ICT systems means they face a higher risk of cyberattacks. Increasingly sophisticated hacking attacks target not only individual people and companies, but also highly developed countries. Although cyberattacks can have disastrous consequences, research shows that we still miss the mark in preparedness. Acknowledging the magnitude of the risk, global government decision-makers have made the security of cyberspace one of their highest priorities. Daniella Terruso and Adam Palmer, experts partnering with the Kosciuszko Institute, have outlined below the major cybersecurity policy challenges for 2017.
GDPR & NIS: New Security & Privacy Rules
The EU is currently implementing two key pieces of legislation adopted in 2016, namely the Directive on Security of Network and Information Systems (the NIS Directive) and the General Data Protection Regulation (GDPR). While the NIS Directive directly concerns the so-called “operators of essential services” (e.g. search engines, cloud computing services, online marketplaces as well as identified businesses in the energy, transport, water, banking and healthcare sectors, and digital and financial market infrastructures), GDPR covers all businesses that process data relating to an individual (personal data). Both pieces of legislation contain stringent security and breach notification requirements which businesses must comply with from May 2018. GDPR provides for substantial fines for non-compliance.
Restrictions on the Sale of Security Products & Services (Wassenaar Arrangement)
The EU faces a delicate challenge in 2017: how to encourage much needed growth and jobs in the digital economy, while defending Treaty-based fundamental rights. The current export control/dual-use review highlights this challenge. Trade in the so-called dual-use items, i.e. goods, software and technology that have both civilian and military applications, is subject to international and EU controls. In the EU, a regulation governs dual-use items; this has the benefit of ensuring the application of the same rules throughout the EU. The 28 Member States are responsible for enforcement and fines. The EU regime is under review and may adversely impact the export, transit, and brokering of cyber surveillance products and services, in particular through the European Commission’s controversial proposal to address human rights concerns related to the misuse of dual-use items in third countries. Operators are also concerned that EU controls could conflict with Member State obligations under international export control regimes, such as the multilateral Wassenaar Arrangement. Negotiations on the EU review are expected to continue throughout 2017.
Data Sharing & Network Upgrades
A consultation organised by the European Commission on international data flows (both personal and machine-generated data) could result in a legislative proposal outlawing unjustified restrictions by the Member States on data flow (so-called data localisation requirements). In addition, negotiations throughout 2017 on a revised European Electronic Communications Code are intended to improve online infrastructures and connections (connectivity). In particular, it includes measures to facilitate the roll out of very-high-capacity (VHC) fixed and mobile infrastructures across the EU and improvements to spectrum management to prepare for 5G deployment in the EU.
In line with the EU Digital Single Market strategy from 2015, the EU is undertaking numerous initiatives to encourage innovation.
Internet of Things (IoT)
Internet of Things policy in Europe is largely being developed through the European ePrivacy Regulation and the Product Liability Directives. The proposal to revise the EU ePrivacy Regulation is very broad as it applies to IoT, stating:
To promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications.
Extending the scope of the ePrivacy Regulation to IoT device data would mean that fines of up to €20 million, or up to a maximum of 4 percent of total global annual turnover (whichever is higher), would be applicable in cases of an IoT-related data breach. The EU institutions are also considering revisions to the EU Product Liability Directives because strict liability standards are difficult to apply to IoT, where the cause of a fault may not be readily identifiable.
All of the above-mentioned initiatives are somewhat overshadowed by the UK decision to leave the EU (Brexit), following a consultative referendum in the UK in June 2016. The UK government may notify its intention to withdraw from the EU in March. This means that the withdrawal will take effect in March 2019. Negotiating the terms of withdrawal is expected to last two years. The imminent departure of a large EU Member State has already caused market disruption and uncertainty in the UK and the remaining EU Member States (EU27). Market operators are understandably anxious about the future trading relations between the EU27 and the UK as well as the future regulatory environment in the UK. For as long as the UK remains a member of the EU, EU legislation will continue to apply, i.e. at least until March 2019.
Nation State Cyber Threat Focus
The selection of Gen. John Kelly to lead the U.S. Department of Homeland Security (DHS) indicates there will likely be a focus on addressing nation-state cyberattacks and cyber warfare related issues. President Trump has said he would seek advice from military commanders on how to strengthen the U.S. Cyber Command. This includes an international approach that focuses on developing the “offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”
Last October, President Trump said he would make cybersecurity an “immediate and top priority for my administration.” He pledged to conduct a top-to-bottom review of the U.S. cyber defence posture and its vulnerabilities by putting together a Cyber Review Team composed of military, law enforcement, and industry representatives. The team would produce specific recommendations for U.S. cyber defences.
Internet of Things Focus
Internet of Things security will receive a lot of attention from the U.S. Congress and the Trump Administration, beginning with fact-finding focused hearings. The U.S. Congress is unlikely to propose any meaningful legislation prior to these hearings. There have been continued calls from lawmakers for agencies such as the Department of Homeland Security (DHS) to reorganize how they approach cybersecurity. Congressional efforts to address agency organization, Internet of Things security, oversight of information sharing implementation, and cyber workforce enhancement are likely to continue, with increased opportunities for the private sector to engage in cybersecurity education and public-private collaboration with the Trump Administration. In one of the first U.S. legal cases involving IoT, the U.S. Federal Trade Commission (FTC) in 2016 brought a claim against a California company that created surveillance equipment for personal use. The FTC claimed that the company’s IP camera products failed to provide “reasonable and appropriate” measures to secure the live feeds from the IP cameras against unauthorized access to sensitive information. The FTC has continued its IoT enforcement actions in 2017, now raising a case against another company that develops and sells routers, IP cameras, baby monitors and similar products designed for home networks. The FTC alleges that the company’s advertising materials were false or deceptive. While no actual breach occurred, it is claimed the company failed to take reasonable steps to address well-known and easily preventable security flaws.
As a candidate, President Trump made comments regarding encryption that would seemingly place the tech sector at odds with his administration. When the Apple iPhone encryption controversy initially erupted in 2015, Trump argued “Who do they think they are? No, we have to open [the phone]” and proposed a boycott of Apple products. President-elect Trump viewed encryption, at least initially, as primarily a hindrance to national security efforts to detect and monitor terrorist communications. Without the administrative support of strong encryption standards, the odds of anti-encryption policies being introduced in Congress increase.
Focus on Financial Services & Critical Infrastructure
In October, the Board of Governors of the Federal Reserve System (“Federal Reserve”), the Office of the Comptroller of the Currency (“OCC”), and the Federal Deposit Insurance Corporation (“FDIC,” collectively the “Agencies”) issued a joint advance notice of proposed rulemaking inviting public comment on cybersecurity regulations and guidance designed to improve the safety and soundness of the U.S. financial system. The Notice proposes a two-tiered framework in which all covered institutions would have to meet a minimum standard, and “those entities that are critical to the functioning of the financial sector,” which the Notice refers to as “sector-critical systems,” would have to meet with “more stringent standards.” The Agencies ambitiously call for entities that provide sector-critical systems to ensure they can recover those systems within two hours of a cyber event and validate their efforts with regular, quantitative testing. If the Agencies do in fact issue binding standards, they will go beyond the existing, largely nonbinding frameworks that apply to covered institutions. Further, the Agencies are also considering other measures to address cyber risks that could impact the largest, most interconnected U.S. financial entities in all of their operations.
New Chinese Cybersecurity Rules
In June 2017, new rules governing cyber security will become effective in China. The policy was adopted despite more than 40 business groups from the U.S., Europe and Asia submitting petitions requesting significant changes to the policy. These claims argue that the policy is protectionist, intrusive, and burdensome. China has defended the policy and stated that these claims are exaggerated or untrue.
Like similar data breach notification laws in the U.S. and Europe, companies operating in China will be required to report “network security incidents” to the government. However, the Chinese law raises concerns by adding a vague requirement for “technical support” to government agencies during investigations. The ambiguous definition of “technical support” has raised fears that this might imply government surveillance or “backdoors”. The new cybersecurity policy also includes heightened cybersecurity standards, greater controls for security of critical infrastructure, and requirements for transparency by eliminating anonymized registration for some online services. Finally, the policy includes data localization requirements for critical infrastructure operators. These requirements are particularly concerning for global businesses whose operations depend on cross-border data transfers.
Enforcement is outlined through fines for non-compliance and government authority to punish organizations or individuals. This includes freezing foreign-owned assets or possible physical detention of persons accused of wrongdoing.
Although no companies have indicated they will leave China as a result of these new policies, they do create increased concerns. China has tried to address some of the concerns by suspending rules that would have required the financial sector to prove its equipment is “controllable”. The Government committee in charge of defining cybersecurity standards has also, for the first time, allowed select foreign companies to take an active part in drafting rules, rather than participating only as observers.
One of the greatest challenges for multi-national companies is compliance with a variety of global standards and regulations for cybersecurity.
At the World Internet Conference in December 2015, Chinese President Xi Jinping reiterated the Chinese position that nation states must be allowed to set their own rules for cyberspace in their own countries. However, the further adoption of localized standards will continue to be a challenge for global companies. Adopting widely recognized international frameworks and standards would create a more harmonized system and reduce confusion. This would allow companies to operate across borders with predictability and clarity of standards. It would also reduce costs by allowing security providers to implement worldwide solutions.
New Disclosure Requirements
Last year, the Government of India suggested it may require security vendors to report data security incidents simultaneously with assistance to clients, with the intended purpose of raising government awareness of security incidents. However, such a rule also raises concerns about the ability of companies to internally manage security matters and avoid public attention that may harm their brand. Some other governments in Asia have considered similar rules. China explicitly adopted disclosure requirements and cooperation with law enforcement as part of its new cybersecurity standards effective in June 2017.
How these rules may be interpreted or enforced is still uncertain, but it will be a continuing challenge for security companies to maintain cooperation with governments worldwide while also protecting customer privacy. It creates a serious concern for a private company to know that a security vendor is being given access to its private systems and must also disclose proprietary information to the national government if it detects a breach.
New National Strategies (Japan, Singapore, Australia)
2016 was the year several influential Asia-Pacific countries released new national cybersecurity strategies. New national plans were rolled out in Japan, Singapore, and Australia. These plans include comprehensive goals and national strategies. 2017 will now be the year these plans begin to be implemented. This will transform the security landscape in these countries and create opportunities for the adoption of new frameworks and standards.
Many significant cybersecurity initiatives have begun in the Middle East, including major capacity building projects across the Gulf Cooperation Council (GCC) countries. Bahrain is implementing its national “cyber trust program” over the next two years, and Saudi Arabia has invested heavily in security following the cyberattack against Saudi Aramco. The UAE and Qatar are also expanding cybersecurity plans. Qatar released its new national strategy last year for implementation in 2017.
In December 2016, the Organization of Islamic Cooperation (OIC) met in Saudi Arabia to also finalise plans for a cybersecurity capacity building program across all OIC member states. This program will begin implementation in 2017.
Although work began in 2012, South Africa finally released a new national cybersecurity governance framework last year. The policy framework is “intended to implement an all-encompassing approach pertaining to all the role players (State, public, private sector, civil society and special interest groups) in relation to cybersecurity”. South Africa State Security Minister David Mahlobo spoke about the framework policy at a cybersecurity symposium last year, highlighting several areas of the framework, including the centralized coordination of cybersecurity activities within South Africa so as to have a coordinated approach, and the strengthening of intelligence collection, investigation, prosecution and judicial processes against cybercrime.
In Brazil, policy makers are continuing to review national cybersecurity policy in line with the “Marco Civil” national IT policy. Marco Civil is a national policy designed to harmonize all new IT laws in accordance with defined national plans. After some of the political turmoil of 2016, this year may be an opportunity for Brazil to re-focus on new cybersecurity plans.
Daniella Terruso is the EU Policy Advisor for Steptoe & Johnson in Brussels. She provides policy advice and strategic representation before the EU institutions for EU and third-country corporate and government clients. dterruso(at)steptoe.com
Adam Palmer is a former U.S. Navy Officer, Prosecutor, and Manager of the U.N. Global Programme Against Cybercrime. He is a Senior Research Fellow of the Kosciuszko Institute and a global consultant for CyCap – an EU & Singapore based cybersecurity consulting firm. adamppalmer(at)gmail.com
About the Kosciuszko Institute:
The Kosciuszko Institute is an independent, non-governmental research institute that was founded in 2000 as a non-profit organization. The institute drafts expert reports and policy recommendations for European and Polish decision-makers. The Kosciuszko Institute is the organizer of the European Cybersecurity Forum – CYBERSEC, an annual public policy conference dedicated to the strategic aspects of cybersecurity. The 3rd edition of the forum will be held on 9-10 October 2017 in Krakow, Poland.