Last Wednesday the European Parliament approved the new European Union Network and Information Security directive, which applies common cybersecurity and reporting obligations to operators of essential services, such as energy, transport, health, finance and water utilities. Other online services, such as cloud services and retailers, will also have to implement new measures under the directive.
EU members will also have to establish an EU network of Computer Security Incident Response Teams to coordinate and address cybersecurity incidents. Member states are now required to implement national laws that reflect the requirements of the directive, which they must do by May 2018. That means that the NIS directive will take effect at the same time as the EU’s General Data Protection Regulation, which similarly aims to standardise regulations across all member states, rationalising fragmented national regulations across the trading bloc in pursuit of the Digital Single Market.
On 5 July, the day before the NIS Directive was agreed, the EU Commission announced a new public-private partnership to improve cybersecurity, including a €450 million co-investment in the Horizon 2020 research and innovation program. Private sector partners are expected to contribute three times that amount, creating a €1.8 billion program to build cybersecurity capability to better secure various industry sectors, including energy, health and finance.
Staying with the EU, the European Commission looks set to adopt the new ‘Privacy Shield’ deal with the US, replacing the ‘Safe Harbor’ agreement that was struck down last year by the European Court of Justice. The new US–EU data transfer agreement was approved by member states last Friday, and once the Commission formally adopts it, expected to be early this week, trans-Atlantic data flows should be able to resume. However, some critics believe that the agreement doesn’t go far enough to meet tough EU privacy measures and won’t stand up to legal examination if challenged in European courts by privacy advocates.
Still in Europe, as foreshadowed in previous Cyber wraps, NATO officially recognised cyberspace as a military operational domain at the Warsaw Summit last weekend, and signed a new Cyber Defence Pledge. According to NATO, the official change means that the alliance can place a greater focus on cyberspace in its missions and operations, and gives it a better framework to manage resources, skills, capabilities and coordination.
NATO is now expected to set cyber defence capability targets, part of the commitment by members to ‘Develop the fullest range of capabilities to defend our national infrastructures and networks’. At the same time as NATO was discussing the future of its cyber efforts, NATO websites were taken offline in a suspected hacking incident during the Warsaw Summit. Suspicions naturally fell on Russia, but officials declined to discuss whether the outage was due to hacking or to more mundane technical faults.
Last week the UN’s Human Rights Council passed a resolution on the ‘Promotion, protection and enjoyment of human rights on the Internet’, declaring that people’s offline rights must be protected online—particularly freedom of expression. The resolution also condemns states that prevent access to the internet as a violation of human rights and calls on them to refrain from doing so. It frames access to the internet as a basic human right, and requests that states address ‘digital divides’, including gender and disability, as a means to facilitate education and empower women and girls through access to information.
The resolution was passed by consensus, but Russia and China—among other countries including India and South Africa—did request amendments to remove the references to a human rights based approach to expansion of access, and the references to the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights regarding freedom of expression. The application of international humanitarian law, particularly the principle of proportionality, was also the subject of a roundtable earlier this year in Moscow, the summary of which has now been provided by the Red Cross here.
After several big breaches this year resulting in the theft of tens of millions of dollars, bank transfer operator Swift has hired two new security firms to restore confidence in its system. Swift will establish a new cyber forensics and security intelligence department to gather information about breaches and share it with its user community.
And finally, the internet has led to many notable innovations in consumer convenience, notably the ability to order and pay for pizza online (it’s like there is some connection between computer nerds and pizza). But how secure is that website you use to get your pizza fix? This list, compiled using the open source CSTAR website security analysis tool, has scored about 200 international pizza delivery websites on their ability to resist malicious actors.