THE HILL
 

Tech associations raise concerns with EU's proposed cybersecurity rules

By Jennifer Martinez - 02/07/13 04:15 PM ET

Trade associations that represent tech giants such as Google, Amazon, IBM and Cisco argue that a proposed cybersecurity directive released by the European Union on Thursday is written too broadly and could slap burdensome new regulations on the tech industry.

The EU's proposed cyber rules would require "enablers of information society services" — such as search engines, social networks and cloud storage services — to report major intrusions on their "core services." As hacker attacks have become more prevalent, the EU says key Internet companies should be required to report significant security incidents, just as telecom companies and data controllers do under the existing cyber rules.

The European Commission directive calls for each member state to designate a national network and information security "competent authority" to handle and respond to cyber risks and incidents. Under the directive, companies would report cyber incidents to that authority.

"Past efforts have been on too small a scale and too fragmented, with the voluntary nature of past efforts leaving many gaps in our overall cybersecurity," a European Commission memo reads.

"The proposed directive includes internet companies because it is absurd to work to protect critical internet infrastructure without obliging such companies to take responsibility for their wider role in this ecosystem," according to the memo. 

A table at the bottom of the memo says AT&T, Amazon, Google, PayPal, Dropbox, eBay, Skype, Instagram, YouTube, Spotify and Apple's iCloud storage service are examples of companies that would fall under the reporting requirement in the proposed cybersecurity directive.

But U.S. tech trade associations argue that the proposed rules are too sweeping and would not have the desired effect of boosting cybersecurity in Europe. They argue that Internet companies and cloud storage services are not critical infrastructure and should not be subject to the proposed rules.

"We believe that to be manageable, useful and proportionate, the requirements should be narrowly targeted at sectors which operate truly critical infrastructures," said Christian Wagner, security and privacy policy manager of TechAmerica's Europe arm, in a statement.

"We are concerned that the sweeping and indiscriminate inclusion of 'enablers of Internet-services' in the scope of the directive would fail to strike the delicate, but indispensable, balance between the risk-based prioritization of assets and functions to be protected," Wagner added.

Tech trade groups also fear that another section of the EU cyber directive would force companies to meet a set of performance standards, which they argue is too prescriptive. The EU directive says member countries will ensure market operators "take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations."

Mark MacCarthy, vice president of public policy at the Software and Information Industry Association (SIIA), argued that new performance standards would likely lead to technical mandates and rigid regulations, which would "prevent the very kind of innovation [companies] need to respond to the ever-changing threats."

"That's the biggest worry, that [the framework] won't meet the challenges we recognize are all there," he said.

If enacted, that section would also make tech companies follow a different set of cybersecurity standards from one region to another, MacCarthy argued.

"Cybersecurity is a global problem and the solution should be global," he said.

In a statement, TechAmerica's Wagner said "security ultimately cannot be achieved by measures which would hinder industries’ ability to innovate and respond by raising new market barriers at the borders or within the EU single market."

MacCarthy argued that the scope of the EU's proposed cyber rules is also troublesome. SIIA counts Google, IBM and Cisco as members, all of which would be subject to the new directive.

"When we've been talking about cyber proposals [in the U.S.], they usually try to define critical infrastructure narrowly," he said.

For example, proposed cybersecurity legislation and policy in the U.S. would apply only to companies that operate critical infrastructure, such as the electric grid, water plants and financial networks. Those are defined as entities where an outage caused by a cyberattack would lead to loss of life or a grave national security and economic risk.

MacCarthy said the proposal "may reopen the debate" about which companies will be covered under cybersecurity rules in the U.S.

"That's one reason why we'd want to persuade the EU regulators that a more narrow approach is desirable," he said.

IBM echoed the same message in a company statement.

"Cyber security attacks on vital network infrastructures pose a growing threat in Europe and around the world. ... We urge EU national governments and the European Parliament to make needed changes to the proposed directive to ensure that it fosters improved information sharing between governments and industry; focuses on the highly critical networks such as power grids, financial and transportation systems; and allows for continued investment in private-sector R&D," IBM said.

In its memo, the European Commission argues that citizens, governments, private companies and activists heavily rely on Internet services in their day-to-day lives. In addition to Internet companies, energy, transportation, banking, stock exchange and healthcare entities would be required to report significant cyber incidents under the proposed rules.

Hardware manufacturers and software developers would be exempt from the reporting obligations.

According to the memo, "only incidents having a significant impact on the security of core services provided by market operators and public administrations will have to be reported to the competent national authority." For example, cloud storage services and travel sites would need to report an outage. 

An earlier version of this story misstated the reporting authority. This has been corrected at 7:15 p.m.


Source:
http://thehill.com/blogs/hillicon-valley/technology/281783-tech-associations-raise-concerns-with-eus-proposed-cybersecurity-rules