ENISA have published an interesting report on cyber incident reporting. Their scope is wide – incidents range from the failure of a certificate agency to storms creating widespread power (and therefore connectivity) outages. In each of these areas they find a common pattern, where governments are trying to encourage (or mandate) notification of incidents in order to learn lessons and improve both the Governments’ and the respective industries’ ability to resist and recover from such incidents in future. It’s good to see recognition of this function of incident reporting, since its requirements are different from those involved in notifying customers how to protect themselves from the consequences of incidents. Improving technical and business practice requires sharing detailed information about how incidents occurred and were treated – information that could be both commercially and nationally sensitive. This is most often done either by reporting to a trusted third party (often a national regulator) who can analyse the information and disseminate lessons learned without disclosing their source, or by sharing information within industry exchanges covered by strict confidentiality agreements.
The European Commission seems to have recognised that diverse national reporting schemes may create an unnecessary burden for infrastructure companies and organisations that often work in more than one European country. However, ENISA point out that the current European approach, which involves a mixture of general and sector-specific regulation, may still leave the same organisation having to report the same incident through a number of different reporting schemes. The problem seems particularly severe for telecommunications services:
- Public Electronic Communications Networks and Services (PECN/S) are already required to report incidents affecting service availability under Article 13a of the Telecoms Framework Directive. Different member states have different procedures, though there is a standard template and notification process for national regulators (in the UK’s case Ofcom) to report to ENISA;
- Those networks and services are also required to report incidents affecting privacy to national privacy regulators (the Information Commissioner in the UK) under Article 4 of the Telecoms Privacy Directive;
- The proposed Data Protection Regulation would require all organisations to report incidents affecting privacy to their national regulator, though the thresholds and timescales for reporting are currently different from those in the Telecoms Privacy Directive;
- The proposed Regulation on Digital Signatures and Electronic Identities also contains an incident reporting requirement, potentially to yet another national regulator. Given the wide definition of electronic identities in the Regulation it is likely that many telecommunications providers will also be covered by this;
- And the current Cyber-Security strategy consultation suggests that there should be further mandatory incident reporting for critical infrastructure sectors, networks and “services critical to the functioning of the Internet” including e-commerce and social network sites. Again there are obvious overlaps with the schemes above.
This complexity and overlap don’t seem helpful for something that companies and organisations ought to be participating in for their own benefit (it’s encouraging to see that the vast majority of privacy breach notifications to the Information Commissioner are now voluntary). Indeed, it’s tempting to think that if reporting incidents is so hard that organisations need to be compelled by law to do it, then maybe we’ve got the reporting processes wrong!
ENISA point out another reason why reporting needs to be simple and cost-effective for both the creators and the recipients of reports: the thresholds for reporting need to be set low enough that enough reports come in to extract patterns and trends. One of the characteristics of the Internet that has challenged law enforcement for years is that it allows a criminal to cause significant harm by committing large numbers of small crimes. Statistics and responses that focus only on individual large incidents will miss these, even though in aggregate they may cause much more damage, suffering and loss of confidence in the e-infrastructure.
Finally, I’m delighted to see explicit recognition that reporting is less urgent than actually fixing the incident: that incident response must “not [be] slowed down by legal reporting requirements”. As I noted in our response to the Data Protection Regulation proposal, if organisations with limited resources have to choose between fixing an incident and being fined for not reporting it within 24 hours, then some may well be tempted to do the wrong thing. A premature incident report is likely to be worthless for learning lessons anyway: if the incident response hasn’t been completed, it’s very unlikely that the organisation will know what happened or how it could have been prevented.