I’ve submitted a Janet response to a European consultation on a future EU Network and Information Security legislative initiative. The consultation itself seems to suffer from “if you only have a hammer” syndrome: if you’re a legislator then it must be tempting to think that all problems (lack of reporting of “cybercrimes”, insecure end-user computers, etc.) can be solved by legislating. Our response suggests that it may be more productive to deal with the why and how – show organisations and individuals the benefits of being secure, and explain how they can do it.
The good news is that in a number of areas there is now evidence of that working: I’ve pointed out end-user services such as GetSafeOnLine and Germany’s anti-botnet service. It was also recently reported that most of the reports of privacy breaches to the UK’s Information Commissioner are now voluntary: organisations that don’t have a legal duty to report breaches are nonetheless seeking the Commissioner’s help when they happen. Reporting, whether of breaches or attacks, seems much more likely to work where reporters see direct benefits in terms of improved information and guidance on securing their own systems, as in ENISA’s new report on major outages in European telecommunications services.