Categories
Publications

CSIRT Information Sharing: completing the legal framework

[UPDATE: slides from my TF-CSIRT presentation are now available] Several years ago I wrote a paper on using the GDPR to decide when the benefits of sharing information among network defenders outweighed the risks. That used the Legitimate Interests balancing test to compare the expected benefits – in improving the security of accounts, systems or […]

Categories
Articles

Draft NIS2 Directive: security teams “should” be collaborating

Anyone who works with flows, logs and other sources of information to protect network and information security should already be familiar with Recital 49 of the GDPR, where European legislators explained why that was (subject to a risk-based design) a good thing. Now the European Commission has published its draft of the replacement Network and […]

Categories
Articles

NIS Directive – UK implementation published

The Government has published the Network and Information Security Regulations 2018, which will implement the EU NIS Directive in the UK from May 9th. The education sector is not covered by either law. Where we might have been inadvertently captured was in the provisions for DNS Services. These cover both authoritative domain servers and DNS […]

Categories
Articles

Network and Information Security Directive – nearly done

[UPDATE: the Directive has now been published, with Member States required to transpose it into their national laws by 9 May 2018] The European Council has published the text of the Network and Information Security Directive recently agreed by its representatives and those of the European Parliament. This still needs to be “technically finalised” (in […]

Categories
Articles

Reducing the Impact of Privacy Breaches

At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]

Categories
Articles

EU Parliament committees on Network and Information Security

The various committees of the European Parliament have now published their response to the Commission’s draft Network and Information Security Directive. Their proposal is much more narrowly focussed than the Commission’s: public administrations are excluded (though individual Member States are allowed to opt theirs in), as they already “have to exert due diligence in the […]

Categories
Closed Consultations

Draft Network and Information Security Directive: consultation summary

The Department for Business, Innovation and Skills has published a summary of the responses to its consultation on the proposed EU Directive on Network and Information Security (NIS) (JANET’s response). Summarising that summary (!): There seems to be agreement that there is a role for the EU in Network and Information Security, in particular in […]

Categories
Articles

Can Internet Stability be Regulated?

A wide-ranging panel discussion at the TERENA Networking Conference considered the stability of the Internet routing system at all levels from technology to regulation. The conclusion seemed to be that at the moment the Internet is stable because two systems, technical and human, compensate effectively for each others’ failings. While improvements to increase stability may […]

Categories
Articles

Critical Cloud Computing

ENISA’s Critical Cloud Computing report examines cloud from a Critical Information Infrastructure Protection (CIIP) perspective: what is the impact on society of outages or attacks? The increasing adoption of the cloud model has both benefits and risks. A previous ENISA report noted that the massive scale of cloud providers makes state of the art security […]

Categories
Closed Consultations

EU Network and Information Security legislation

I’ve submitted a Janet response to a European consultation on a future EU Network and Information Security legislative initiative. The consultation itself seems to suffer from “if you only have a hammer” syndrome: if you’re a legislator then it must be tempting to think that all problems (lack of reporting of “cybercrimes”, insecure end-user computers, […]