A new EU cybersecurity directive will make Ireland the world’s data policeman. But are we ready?
The Minister for Communications, Climate Action and Environment, Denis Naughten, TD, will this week brief the Cabinet about the creation of a new national cybersecurity centre. This will be responsible for protecting the nation’s digital assets and individuals from cyberattacks.
As difficult as that will be in a world of spiralling threats, it would, he said, be the easy part.
‘A regime of mandatory reporting of all incidents impacting significantly on the confidentiality, integrity and availability of the digital data and systems underpinning the essential services is envisaged’
– DENIS NAUGHTEN
Addressing the ISC2 EMEA Security Congress at Croke Park last week, Naughten spoke on the forthcoming cybersecurity directive from the European Commission, which refers to digital service providers, including search engines like Google and cloud providers like Microsoft.
Effectively, because many of these technology giants have their EU headquarters here, Ireland will be required to manage their compliance with the directive on a pan-European level.
“This will be challenging, to say the least,” Naughten said.
His point is this: Ireland is home to nine out of 10 of the world’s biggest software companies, and all of the top 10 internet companies have significant operations here, as well as the top five global cybersecurity firms.
If any one of these companies suffers a cyber breach, it will need to disclose it to the authorities in Ireland.
And those authorities will have to investigate to an exacting and detailed world standard.
Dragging a tiger by the tail
The one and only time I met Max Schrems (the Austrian law student who sued Facebook and was vindicated by the Edward Snowden revelations, ultimately prevailing by bringing an end to Safe Harbour), he showed me a picture on his phone.
That picture was of a Centra store in Portarlington, above which were the offices of the Irish Data Protection Commissioner.
When Schrems sued Facebook, the Office of the Data Protection Commissioner (ODPC) found itself on the global stage and had to conduct a global audit of the social network giant, followed up by a similar global audit of LinkedIn.
Those pictures of the offices over a supermarket were perhaps embarrassing to the establishment in Ireland, but may have actually also done a world of good.
Schrems’ lawsuit did not only shake up the transatlantic data transfer model; it set in motion a series of events that made Ireland step up to the plate and provide the right resources to help police the world’s data.
Ireland has appointed a government minister with responsibility for data protection: Dara Murphy, TD, Minister of State for European Affairs, EU Digital Single Market and Data Protection.
In the recent Budget, it emerged that the ODPC is to be given a budget of €7.5m for 2017, an increase of €2.8m on last year and four times its budget in 2014.
As well as brand new offices in Dublin, the office of the current Data Protection Commissioner, Helen Dixon, also saw an increase in headcount from 29 to 50 last year.
Policing the data world
The Facebook audit saga proved that Ireland was underprepared in 2012. Four years on, will these new resources and powers prepare the country to effectively become the data policeman of Europe and, by extension, of anywhere outside North America?
Naughten pointed out that the new cybersecurity directive, which will be enacted in May 2018, will represent a step change in how countries in Europe approach cybersecurity.
This covers everything from security standards in energy, transport, finance, health and water supply to any infrastructure regarded as critical, which cannot afford to be tampered with by hackers.
“The other core component of the directive covers so-called ‘Digital Service Providers’ – those search engines, sales platforms and cloud providers that power and underpin the global internet economy.
“We won’t be designating these, but in Ireland, the list of eligible companies suggests itself. More to the point, given that many of these companies have their EU headquarters here, we will be required to manage their compliance with the directive on a pan-European level. That will be challenging, to say the least.”
Naughten said that he will be launching a public consultation on the directive in the coming days.
“Our likely approach is to incorporate both regulatory and operational functions within the National Cybersecurity Centre, folding the existing computer security incident response team into this new office.
“Effective and acceptable cybersecurity involves a balance of individual rights, particularly in regard to privacy and data protection, with the public safety interests of protection of life, property and national security.
“In line with the directive, it is envisaged that personal data such as IP addresses will be exchanged with competent third parties for the purpose of network and information security, so that the property of individuals and of businesses can be protected.”
Mandatory risk assessment and testing
Naughten also revealed that his department is considering whether a documented risk assessment approach, based on health and safety law, should be applied to all businesses and organisations in Ireland.
“Just last month, the Central Bank of Ireland published its guidance in respect of information technology and cybersecurity risks. In welcoming this in[to] a world becoming ever more reliant on digital, I echo the need for appropriate governance and risk management processes to be in place. Our banks, hospitals, airports, airlines, shipping, rail and road vehicles, together with our utilities providers, need to be safe from cyberattacks.”
Naughten continued: “A regime of mandatory reporting of all incidents impacting significantly on the confidentiality, integrity and availability of the digital data and systems underpinning the essential services is envisaged.
“Data breaches [and] malfunctioning smart sensors, as well as disruption to delivery of the essential services such as electricity, will need to be reported. There will also be provision for significant regulatory powers encompassing information security audits, including penetration testing.”
The directive will see the European Commission implement acts on security requirements and the parameters for reporting when it comes to digital service providers. “In practice, the minimal acceptable security and reporting requirements for operators of essential services in Ireland will need to be more onerous than those set by the Commission for digital service providers,” Naughten added.
What Naughten appears to be proposing – a regime where strong checks and balances exist for all organisations within Ireland that hold data – may at first sound onerous, but in the future might actually be remembered as forward-thinking.
We are only scratching the surface of a world that will have 50bn connected devices by 2030. Judging by last week’s internet meltdown in America, which took down the biggest websites in the US for several hours using unsecured IoT devices to flood a hosting firm with traffic, we are only at the dawn of a dangerous, new digital world.
Just like the owner of a car is expected to have their vehicle NCT’d or MoT’d before it is considered safe to be on the road, the same may have to be true of businesses that create a touchpoint or artery to the digital world.
In data protection terms, Ireland has come a long way from that office over a supermarket. If we are to understand Naughten correctly, Ireland has to be exemplary in the management of data on its own turf before it tells the world how to manage its data too.
We live in interesting times.
Updated, 3.45pm, 28 October 2016: This article was updated to correct the fact that the regionally located Office of the Data Protection Commissioner is in Portarlington, Laois, not Carlow as originally stated.