The NIS2 directive was recently approved, and it is going to have a significant impact on cybersecurity in the EU. Today I want to talk about being proactive in managing digital diseases. By digital diseases, I mean anything on the network that stops things from working as they should or that leads to any number of disasters of varying intensities. Let's talk about what gets in the way of proactive digital disease control.
I have had the opportunity to work with many companies on managing digital diseases arising from cybersecurity issues. It has been enriching in all cases. Working with teams that need to address cybersecurity directly is always great. Genuine cybersecurity workers are like medical professionals. They want to identify and cure the digital diseases that run rampant in the networked world. They are rarely the roadblock.
As organizations get larger, they begin to fall under the control of legal teams and public relations executives who tend to look at everything in terms of damage control and image. Legal teams are often not proactive in any public sense regarding cybersecurity. They often still look at things in a very reactive manner, at least until they are part of an organization that has been hit and publicly shamed for something related to cybersecurity. This may be due to how difficult risk in cybersecurity can be to grasp. When they finally take action it is a reactive response, but as part of that response they become more open to proactive measures.
However, one thing they never want to share is any information about the digital diseases that have affected the organization. It seems that there is a stigma attached to cybersecurity issues, not unlike the stigma of being a leper in ancient times. This, of course, is bad from a proactive sense. In the biological world, we frown upon those who do not publicly share information about biological contaminants. Keeping this information from the public leads to disastrous consequences.
So the question arises: “how do we stop organizations from being ashamed of getting sick?”
Or maybe, “how do we penalize organizations for failing to report digital diseases?”
We all know penalizing organizations is not a popular idea, at least not at the mega-corporation level. Any attempts to do this will result in massive lobbying efforts to shut down such actions. Eventually, if things get bad enough, it can happen. It is how we ended up with environmental protection regulations. However, the consequences of such regulations are often fraught with additional problems that I don’t want to go into now. Suffice it to say it is not always ideal.
How does the NIS2 fit into this picture?
At the moment, the EU is engaged in an experiment to try enforcement through the NIS2 directive, building on the lessons learned from its first attempt. They managed to overcome a lot of lobbying. NIS required only operators of essential services to report significant incidents to the competent authority, whereas NIS2 requires digital service providers (including online marketplaces, search engines, and cloud computing services) to report significant incidents as well. Many more organizations are now covered by these requirements.
NIS2 provides more specific and detailed criteria for identifying what constitutes a significant incident, including the type and duration of the incident, the number of users affected, and the potential impact on the service or infrastructure. This will offer less wiggle room for organizations that would prefer to opt out of the reporting requirement.
In addition, NIS2 also establishes more stringent reporting timeframes. Digital service providers are required to report significant incidents to the competent authority without undue delay, and in any case no later than 24 hours after becoming aware of the incident. This is a big step up from the status quo, where no specific timeframe for reporting incidents was specified at all.
There is a whole lot of stick that comes with NIS2, and it remains to be seen how well it will work. In the best scenario, these changes will strengthen the EU's cybersecurity and resilience by ensuring that all critical infrastructure and digital services are secured and protected from cyber-attacks, and by providing clear guidelines and procedures for reporting cybersecurity incidents.
Can there be cybersecurity without the stick?
Another question is whether a better approach would be to incentivize organizations with carrots: to reward participation in activities that achieve the goal of sharing such information, and to provide government-funded assistance to organizations trying to improve outcomes. Provide a plan of execution and the needed resources rather than public shaming.
If you provide organizations with tools to help discover and address issues proactively rather than reactively, it becomes less likely that they need to report a cybersecurity incident in the first place. This could work. However, it can only do so if we can get legal teams in large organizations to allow some level of autonomy for teams within organizations to participate in such activities without needing to go through extended periods of legal review. In the modern networked world, things change dynamically at a very rapid pace, and we simply don’t have time for such nonsense.
Of course, all of this requires several pieces to fall into place, so let's start somewhere.