The emphasis on critical national infrastructure is an overdue recognition that as software and control systems become increasingly integrated
The growing importance of ensuring cyber security remains a central theme on which nations can build their digital transformation programmes was made clear in the second half of last year when the European Union (EU) reached agreement on cyber security rules across all its members .
Companies critical for the delivery of essential services across the energy, transport, health and banking fields were instructed to ensure that their infrastructure is robust enough to withstand cyber attacks and notify authorities if significant incidents occur.
The ruling marked the first time the EU has ruled directly on cyber security and is clearly a response to the exponential growth in cyber security incidents.
The emphasis on critical national infrastructure is an overdue recognition that as software and control systems become increasingly integrated, cyber attacks can have devastating and lasting impacts in both the cyber and physical worlds. As one of the largest economies in the world, this step by the EU is significant.
The interconnected nature of digital networks means a threat to one is a threat to all, and perhaps it is time regulators and government agencies everywhere also considered a closer level of cyber security cooperation than ever before.
The developments in Europe offer a positive example of what can be gained through closer alliance, and the types of measures that need to be put in place to achieve a greater cyber security posture.
The time to effect these changes is now. The Internet is less than 30 years old and it was never built for security. It’s only in the last 20 years, as it has morphed into a platform for global commerce, that this has become a fundamental concern. The field of cyber security law is new and approaches to combating threats are still evolving. Inevitably, the effectiveness of any new regulations must lie in the details of their implementation.
In order to build digital resilience, it’s just not enough to identify the key operators in the fields of critical infrastructure and try to raise their security standards though. Requiring operators to report security breaches is only part of the battle; the point of any law or regulation must be to reduce the overall risk to public safety. Reporting a security breach may already be too late in the game. We need to protect the confidentiality and integrity of entire systems with preventive technologies and, should an incident occur, respond quickly to remediate vulnerabilities before they are compromised by adversaries.
New regulations need to mandate technological and procedural controls across the full spectrum of prevention, detection, response and recovery. Additionally, key regulations need to address industry leading vendors of critical infrastructure with regards the inclusion of security measures in their base infrastructure.
We believe in truly integrating cyber security operations with global and national regulations. We believe a holistic approach to security ought to be followed, anticipating current and upcoming regulations and adapting them to the specific needs of governments and companies from the executive, to the procedural, and extending to technological implementation. Trust should be stamped through both hardware and software from inception with all systems hardened and, where appropriate, encrypted. Implemented correctly these bricks provide a strong defence.
It is worth watching and learning from the EU’s unfolding cyber security regulations as they pass through their final stages in the European Parliament. It is vital that they enhance the security of the EU’s nations, and the countries in the GCC that trade with them. These rules began life as a proposal in 2013 and are set to only be passed into law this year. In the same period, according to Moore’s law, computing power would have more than doubled. Any regulations that are implemented will need to walk the tightrope of being sufficiently robust to force companies into action, without being so specific that they are overtaken by the relentless advances of technology.