Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

EU agency ENISA analyses cyber security legislation & spots implementation gaps; incidents remain undetected or not reported

August 2012 by Marc Jacob

In a new paper the EU ‘cyber security’ agency ENISA takes a snapshot of existing and future EU legislation on security measures and incident reporting. The analysis underlines important steps forward, but also identifies gaps in national implementation, as most incidents are not reported.

Cyber security incidents significantly impact society. Here are five well-known examples:

 In 2012, millions of business network passwords were exposed

 In 2011, the storm Dagmar wrecked millions of Scandinavian communication links

 In 2011, a British data centre failure interrupted millions of business communications worldwide

 In 2011, a certificate authority was breached exposing the communications of millions of users

 In 2010, a Chinese telecom provider hijacked 15% of the world’s internet traffic for 20 minutes

Each time, millions of citizens and businesses were seriously impacted. But most incidents are not reported or not even detected. Dr Marnix Dekker and Chris Karsberg, the report’s co-authors, argue: “Cyber incidents are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes.”

The new report “Cyber Incident Reporting in the EU” provides an overview of existing and planned legislation (please see graphic attached) covering the mandatory incident reporting clauses in Article 13a of the Telecom package and Article 4 of the e-privacy directive, the proposed e-ID regulation’s Article 15, and Articles 30, 31, 32 of the Data Protection reform. The study shows common factors and differences between the articles and looks ahead to the EU cyber security strategy. The paper also identifies areas for improvement. For example, only one of the above-mentioned incidents was within the scope of the national regulators mandate, indicating that there are gaps in the regulation. Thus, EU-wide sharing of incident reports sharing should be improved.

Much progress has been made recently: An ENISA working group for national regulators has developed both a common set of security measures and an incident reporting format. This will enable a more uniform implementation of Article 13a. ENISA just received reports on 51 large incidents from the regulators, describing impact, root causes, actions taken and lessons learnt. This material is used as input for the European cyber security strategy and the European cyber security exercise. The Executive Director of ENISA, Professor Udo Helmbrecht, commented: “Incident reporting is essential to obtain a true cyber security picture. The EU’s cyber security strategy is an important step and one of its goals is to extend the scope of reporting provisions like Article 13a beyond the telecommunications sector.”


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts