A common, though slightly belated, New Year resolution has emerged within the EU and the US; a fully-formed ambition to see greater Cybersecurity across the private sector. In the EU, this is signified by the Draft Cybersecurity Directive. In the US, it’s the President Obama Cybersecurity Executive Order. While the details and tools of regulation differ, there isn’t a cigarette-paper’s width between them on the motives for regulation and the core objectives of Cybersecurity law making. Both agendas were published this month, just four days apart, and they herald the beginnings of a very challenging new compliance puzzle for a wide range of private sectors actors, if they underpin economic stability and societal well-being.
Before considering the detail of the two approaches, its worth remembering the wider context within which they sit. Cybersecurity has been one of the hottest political topics of recent years. It has been rammed up the agenda by a combination of hundreds of high profile cyber incidents, sometimes extreme rhetoric from “opinion formers”, a lot of political grandstanding, and bucket loads of fear mongering, often from people who have solutions to sell. Occasionally the language has been regrettable, with concepts like “Cyber Armageddon” and the UK government’s rating of Cybersecurity being a greater threat than Nuclear weapons (within the UK Cyber Security Strategy) being cases in point. Yet, between the FUD there is truly a very real problem here. Cybersecurity is an incredibly serious problem for societies like our’s whose reliance on electronic communications networks and services is total. Neelie Kroes, the EU Commissioner behind the Directive, and President Obama, speak the truth when they say that the threats to Cybersecurity could cause us very grave damage.
This contextual view leads to only one conclusion; regardless of the overstatements and the hyperbole, new Cybersecurity law making is necessary and the trajectory for many businesses is one where wholesale operational change will be necessary.
Yet, a person new to this topic may think after reading the Directive and the Order that the EU and US are not as aligned as my opening seeks to suggest. A reader in the private sector could suggest that on the face of the Order there isn’t much for them to worry about. I mean, President Obama isn’t actually saying that his vision is one of Cybersecurity lawmaking for bigCos.
That observation is fair as far as it goes, but the President lays many clues for those who want to spot them. In his speech launching the Order, he referred expressly to the financial system as being under threat. The Order talks about the economy. There is more than enough there to say with supreme confidence that the US has chartered exactly the same course as the EU, as far as the private sector is concerned. To borrow a phrase from one of President Obama’s predecessors, “it’s the economy, stupid” and so it’s obvious where the President’s priorities lie. The US has to protect the key platforms that support business because the economy rests on them and much of this is in the private sector. Period.
This will be borne out soon enough, because the Secretary of Homeland Security has been charged with a Presidential task to identify critical infrastructures that need to be protected for, cyber threats. This task, which needs to be completed within 150 days, cannot avoid identifying critical infrastructures in the private sector.
However, the US approach to regulation will be one that builds more on cajoling than coercion, in stark contrast to the EU approach. This reflects political differences just as much as cultural and legal differences and viewing US matters from this size of the pond it’s clear that the President will always have to be cautious in his approach and how he presents things, seeing how the US political system is so split. So, the Order talks about consultations, voluntary frameworks, rather than “you must do this”. But however they get there, our US cousins are on the same path as us Europeans.
This is not to say that the EU will not promote consultation processes, industry working groups, the creation of public sector – private sector “partnerships”, and other positive engagements with business, which are the meat and drink of the Presidential Order, but the EU’s overwhelming preference is always regulation with a slap; as far as the EU is concerned why give a friendly tickle when a punch in the mouth will do?
So, what we see within the Directive is the standard EU approach to regulation; the EU prescribes its objectives and then commands the Member States to deliver. The natural result is that rather than dancing around the issue, the Directive names key parts of the private sector as being a compulsory focus of regulation. If President Obama is ballet dancer, the EU is a headbanger. The Directive is as subtle as a brick. All “market operators” are being ordered to “up” their Cybersecurity, which includes ecommerce platforms, internet payment gateways, cloud services, app stores, search engines, social networks and the financial and payment services sector, namely banking and credit institutions and financial market infrastructures, including stock exchanges and central counterparty clearing houses. And if they fail to be cybersecure they will have to disclose security breaches and take the regulatory pain that will be metered out. At all times they will be overseen by a watchdog, who will feel overwhelming pressure to be tough on failure.
There is a complex compliance puzzle here. For multi-nationals, they will have to cope with different regulatory styles, that is a given and it can be very unhelpful, yet this is not an uncommon problem and people will adjust. The greater problem is the nature of organisational change that will be required to deliver legal compliance. Presently, Cybersecurity is a silo’d operational function, where most of the corporate intelligence is contained in individuals’ minds, rather than written down on paper. The cybersecurity function will be concerned more about delivering patching, monitoring its dashboards and so on, rather than creating an organisational structure that is capable of demonstrating legal compliance to a regulatory mind. The means by which the adjustment from an operational function to a legal compliance function can be properly managed is probably the greatest puzzle that the Directive and the Order present.