What the EU’s cyber security bill means for UK industry
Peter Ray Allison
(Note: the Chinese translation of this article carried on this page is by 萨楚拉 of the WTO and Foreign-Related Law Research Institute, International Economic and Technological Cooperation Center, Ministry of Industry and Information Technology.)
Coming European legislation on network and information security could have cost and organisational implications for a range of UK companies
From last year’s TalkTalk hacks through to the recent attack on Ukrainian power systems, we are witnessing how network breaches are having real-world repercussions. It is no longer a case of whether a company will be hacked, but when.
The EU is renowned for championing user privacy, but has lagged behind the US when it comes to network security. Despite the interconnected world we live in, there has never been any EU legislation to address this issue – until now.
The Network and Information Security (NIS) Directive was proposed by the European Commission in February 2013, alongside the EU’s cyber security strategy, to raise the level of network and information security across member states; the European Parliament adopted its first-reading position on the text in March 2014. The directive is intended to foster co-operation between EU nations while legislating the security requirements expected of all essential services.
“A breach can happen at any time,” says Matthias Maier, security evangelist for Splunk. “We have seen in the past that having the right strategy in place significantly improves the rate at which a company recovers.”
After the European Parliament and the Council of the EU reached agreement on the Commission’s proposal on 7 December 2015, the agreed draft text of the NIS Directive was published 11 days later. On 14 January 2016, the European Parliament’s Internal Market Committee voted to support the political agreement.
The NIS Directive is designed to provide a high common level of network and information security throughout EU member states, not just against network breaches by hackers, but also against technical failures and natural disasters.
One of the key issues the directive is seeking to overcome is that networks are not bound by geography and nationality. In the event of a critical network problem, a “greater level of co-operation is intended to smooth out the friction,” says Matt Warman, a member of the House of Commons Science and Technology Committee.
“Friction is a mixture of the lag in communication, but also when you have very different policies taken because of different legislation,” he says.
The NIS Directive can be broadly subdivided into four areas:
Adoption of a national NIS strategy – a framework that provides strategic objectives and priorities on information security at national level.
Formation of competent authorities to provide cross-border support and strategic co-operation between member states.
Development of computer security incident response teams (CSIRTs) for effective operational co-operation.
Establishing security and notification requirements for operators of essential services, as well as digital service providers.
While most of the directive operates at a government policy level, it is this final point that will have the biggest impact on UK industry.
The draft proposal states in Article 14(1): “Member states shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems which they use in their operations.”
Companies affected by this legislation are those defined as “operators of essential services”. This broad definition includes any company whose operation is critical to any of these sectors:
Energy (electricity, oil and gas).
Transport (road, rail, air and water).
Banking.
Financial market infrastructures.
Health sector (public and private).
Drinking water supply and distribution.
Digital infrastructure (internet exchange points, domain name system (DNS) service providers and top-level domain name registries).
Not only must essential service companies manage the risks posed to their networks, but they must also take appropriate measures to prevent incidents and to minimise the impact of any that do occur on the continuity of the service.
When it comes to what security measures should be used, the proposed directive states only that they should take account of the “state of the art”. It does not prescribe specific controls such as two-factor authentication or encryption: because of the ever-evolving nature of technology, specifying particular methods could render the directive obsolete within a matter of years.
Companies will also be compelled to report incidents with a “significant disruptive effect” on the service they provide. Whether an incident qualifies is determined by the number of users affected by the disruption, the duration of the incident, its geographical spread and the extent of the disruption.
Relevant information
Notifications would be expected to include all relevant information about the incident, enabling the competent authority or CSIRT to determine the cross-border impact of the incident. The notification will not expose the company to any increased liability, but there will be penalties if a company is later found to have knowingly failed to submit the notification.
Some companies may not want to reveal that their security has been compromised, because this could damage brand image. However, they face a greater loss of reputation, as well as a fine, if they are later found not to have declared a breach.
Companies that are not deemed as providing essential services may still voluntarily report incidents that have significant impacts on the continuity of the services they provide. This voluntary notification will not result in the firm being subject to any of the other obligations of the directive.
Tom Thackray, acting CBI director for competitive markets, says: “Adopting effective cyber security is fundamental to the success of the digital economy, and all businesses need to ensure that they are assessing their cyber risk and taking robust protective action to safeguard their finances, intellectual property, customer data and brand.
“However, mandated action or reporting could be premature. Businesses must be allowed to manage their own risk and investment decisions when it comes to cyber security – and many already are.”
Digital service providers
The directive also stipulates that companies that come under the heading of “digital service providers” – those that offer online marketplaces, online search engines or cloud computing services – will similarly need to ensure they “identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems that they use”.
The legislation also reaches third-party companies that provide digital services on which an operator of essential services depends for its continued operation. Any incident at such a provider that affects the continued provision of the essential service must be notified, but the responsibility for notifying it lies with the operator of the essential service in question, not with the third party.
Operators of essential services and digital service providers will also be subject to audits by the competent authority to ensure their network and information systems meet the minimum security requirements. The competent authority will have the power to issue “binding instructions to the operators of essential services to remedy their operations”.
Larger companies will already have many of the systems required by the proposed NIS Directive in place. BT, for example, is confident that the directive will have little to no effect on its operations.
“We already have a global CERT [computer emergency response team] which has been operating for some time and is growing,” said a BT spokesperson.
Security protocols
However, smaller companies that have, until now, not needed wide-ranging security protocols may be required to adopt them to comply with the directive.
Alexander Moiseev, managing director Europe at Kaspersky Lab, says: “Costs will vary from company to company, depending on the measures already in place, such as reporting, staff and development of a cyber security strategy.”
But these short-term costs could lead to long-term gains. “In the long run, this will save time and money,” says Moiseev. “These precautions will help mitigate enormous cyber security risks, including interruption of digital services and even physical damage to critical infrastructure.” The biggest benefit comes from stopping incidents before they happen, he adds.
The next two months will see a lawyer-linguist check to ensure the language of the directive is correct, but this will not involve any change to the substance of the text. After that, the Council of the EU has to adopt the final text, followed by the European Parliament, which is expected to be a formality.
National legislation
Once both co-legislators have formally agreed, the final text of the directive will be published in the Official Journal of the European Union. From then, member states will be expected to have transposed the directive into national legislation within 21 months, with a further six months to identify the operators of their essential services.
“Many of the requirements in the directive already exist in UK law,” says the CBI’s Thackray, “so implementation should be reasonably straightforward.”
On that timetable, the national rules implementing the directive are expected to apply by mid-2018. By then, all companies that come under the purview of the directive will be expected to be fully compliant.
With the number of malicious attacks increasing, the NIS Directive is intended to compel companies to reinforce their systems by setting a high common level of network security.
“We believe companies should take it upon themselves to develop and implement clear cyber security and resilience strategies to increase information security,” says Kaspersky Lab’s Moiseev. “Just being compliant is not sufficient to tackle the diverse range of risks in the cyber-threat landscape today.”
This was first published in January 2016.