February 7, 2013
Cyber Security Proposal Looks To Force Companies To Report Hack Attacks
Michael Harper for redOrbit.com — Your Universe Online
New cyber security proposals in the European Union (EU) could force companies to report when their systems are attacked. This proposal is part of the nation's commitment to battle cyber-crime as well as protect its citizens from cyber-attacks. Such a proposal would affect more than 40,000 companies in the EU.Banks, cloud providers, hospitals and even search engine providers are now being labeled as “Critical Infrastructure.” These companies will have to report to a set of national authorities to be named in each member state under the new proposals. In addition to these authorities, member states would be required to install a Computer Emergency Response Team, or CERT.
"Europe needs resilient networks and systems and failing to act would impose significant costs on consumers, businesses and society." said the EU´s Digital Agenda Commissioner Neelie Kroes, announcing the new proposal.
"At the end of the day openness and transparency about your experience is going to result in a better environment for all," said Kroes, as cited by TG Daily.
Under the new proposal, each member state would be responsible for installing their own CERT and board of authorities to whom they´ll report any attacks. Once a company has discovered the attack and reported it, these authorities will decide whether they should make the attacks public. These authorities will also be responsible for levying any fines against the companies who came under attack should subpar security practices be found.
According to the EU, only one in four companies currently self-regulate and review their Information and Computer Technology (ICT) procedures. What´s more, the EU claims that those businesses which operate in the ICT aren´t any better, with only 50 percent of these businesses reviewing their policies.
It´s these seemingly lax practices which Kroes believes is responsible for the high number of attacks upon UK businesses. According to Kroes, one-third of all UK small businesses suffered a cyber-attack last year alone. 93 percent of larger businesses came under an attack of some sort in the same year.
If these companies were required to report these breaches, says Kroes, the EU will be able to protect its citizens.
As an example, Kroes mentioned the 2011 attacks against Dutch security certificate issuer DigiNotar. The company was responsible for handing out security certificates to Websites to prove their authenticity. In August 2011, DigiNotar announced that not only had they suffered a rash of attacks, they had been under attack for nearly a month.
A Turkish hacker operating under the name “Comodohacker” claimed responsibility for the attacks which lead DigiNotar to issue out 530 fraudulent certificates. This attack affected Websites for the CIA, MI6 and Mossad, as well as Facebook, Microsoft and Twitter.
DigiNotar´s refusal to announce these attacks likely made the effects much worse, said Kroes.
Companies often prefer to keep these attacks hidden from the public to protect their reputation. As such, a move to require these companies to report these attacks could have them complaining about damages to their reputations.