Intensifying Threat Climate and Regulatory Changes are Fundamental Challenges Facing the European Union
A perfect storm is threatening, and 'cyber storm clouds are gathering over Europe on three fronts'. Those fronts are a dramatically intensifying threat landscape; a profoundly changing regulatory landscape; and the need for significantly more work from organizations to confront the combined challenge.
This is the conclusion that FireEye draws from its own insights combined with the results of a preparedness survey of 750 European clients by Marsh & McLennan. Published under the title 'Cyber Threats: A perfect storm about to hit Europe' (PDF), the findings formed the basis of a panel discussion at last week's World Economic Forum annual meeting in Davos, Switzerland. Panel members comprised Tony Cole (FireEye Global Government CTO); Peter Beshar (Marsh Executive VP and General Counsel); and Robert Wainwright (Europol director).
The first 'storm cloud front' in FireEye's perfect storm metaphor is the intensifying threat landscape.
"Hackers and purportedly nation states," says the report, "are increasingly targeting industrial control systems and networks — power grids, chemical plants, aviation systems, transportation networks, telecommunications systems, financial networks and even nuclear facilities." This is a reality facing most of the developed world that has such industries; it is not limited to Europe.
FireEye names government, financial services, manufacturing and telecommunications as the main targets for European cyber-attacks -- but again, this is little different from the rest of the developed world. The report does, however, make one Europe-specific point: from May 2018, there will be a dramatic increase in the number of reported European breaches.
This will follow the arrival of the new European General Data Protection Regulation (GDPR). Under existing European data protection laws there is little requirement for European organizations to make public breach notifications, and they tend not to. This will change with GDPR, when notification of personal data loss will be required. The US already has a variety of breach notification requirements; but in general, GDPR will be even more strict. The effect will be similar to this year's UK crime statistics, which doubled over the previous year. There wasn't really such an increase in crime; it's just that cybercrime was included and therefore disclosed for the first time.
Under GDPR, companies "will soon be required to publicly disclose data breaches to national data protection authorities and," notes the report, "where the threat of harm is substantial, to affected individuals. Failure to do so could result in fines of as much as four percent of a company’s global turnover — a staggering sum."
This must be done within 72 hours of the organization becoming aware of the breach -- but it is not an absolute. Article 31(1) of the Regulation states that notifications must be made "unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals." This suggests that if stolen personal data is adequately encrypted, the breach need not be notified.
GDPR places far-reaching requirements on the storage and protection of European personal data that go beyond just security. One particular aspect, the data subject's right to erasure (also called the right to be forgotten), will require organizations to know the location and have rapid access to every single piece of personal data they store anywhere in the world. The right to erasure is again not an absolute. It can be refused under certain circumstances (such as legal obligations and in the interest of public health); but these exemptions are not sufficient to allow an organization to ignore the requirement in total.
GDPR is the second front in Europe's perfect storm described by FireEye. But GDPR doesn't just affect Europe -- it affects any organization anywhere in the world that does business in Europe and collects European personal data. FireEye itself quotes Jan Philipp Albrecht, Europe's GDPR rapporteur: "The GDPR will change not only the European Data protection laws but nothing less than the whole world as we know it." So, like the threat landscape front, this second front also applies to the greater part of the developed world.
FireEye's third front claims a general lack of preparedness against the first two. For this, the report draws on the research of Marsh. "The study found that while high-profile events, government initiatives, and legislation have pushed cybersecurity to the forefront, far more work needs to be done." Again, this statement could be applied to just about any region in the world.
"Marsh found that the percentage of companies indicating that they assessed 'key suppliers' for cyber risk actually decreased from 23 percent in 2015 to 20 percent in 2016." Proof of the importance of securing the supply chain comes from the US. "As numerous attacks in the US and elsewhere have shown, hackers often gain access to larger organizations by initiating attacks against smaller vendors that provide services like air conditioning or takeout food." Empirically, then, poor preparedness in securing the supply chain can also be applied to 'the US and elsewhere'.
The goal of the paper, according to FireEye's Tony Cole, is to "make the EU community more aware of emerging cyber threat storm clouds and encourage organizations to prioritize cyber defense by partnering with experts in industry and government."
The Perfect Storm is an interesting metaphor. Its validity could be debated, but it is used to highlight that the combination of an intensifying threat landscape, an expanding regulatory framework, and a general lack of cyber security preparedness will present a major challenge to business in the coming years. While this may be true, it is a challenge that must be faced by the entire world. This Perfect Storm threatens all business and not just European business.