Information infrastructure security: stepping up the fight against the invisible cyber enemy
A new EU report urges greater public-private collaboration and information sharing, to protect critical information of national importance | 🕒 3-min read.
Paul Weissmann and Pascal Pillokeit, KPMG in Germany
Now that the world has gone digital, it seems that no part of a nation’s information infrastructure is safe from hackers. We’ve all seen how breaches can disrupt the economy and destabilize our most-prized institutions, with cyberspace the new frontline for espionage and unfair competition, criminality and terrorism.
Every government and every private and public organization is thinking about, and to differing degrees addressing, this invisible but very real threat. In a bid to protect critical information infrastructure (CII), most EU states have formed dedicated cyber security authorities, emergency agencies or national regulators.
But how effective are these efforts? To answer that question – and recommend improvements – an EU agency (ENISA – EU Agency for Network and Information Security), in partnership with KPMG, has reviewed practices and legislation across several EU member states.
The resulting report, Stocktaking, Analysis and Recommendations on the Protection of CIIs, places cooperation and information sharing at the top of the ‘to do’ list. Given the global nature of cyber threats from criminal gangs or hostile nation states, collaboration cannot end at Europe’s borders, and must be truly global.
The seven key recommendations
- Increase institutionalized cooperation with private stakeholders.
- Align CII with existing national crisis and emergency management structures.
- Participate in or host international exercises.
- Establish mandatory security incident reporting.
- Conduct a national risk assessment.
- Utilize best legal framework practices for CII protection across critical sectors.
- Examine ways to incentivize CII operators to invest in security measures.
We feel strongly that other countries within and beyond Europe can follow some of these suggestions to shore up their own cyber-security.
Lack of trust is a big barrier to openness
Many companies are wary of revealing details of incidents, fearing that government will go public and damage their reputations. It’s important to see public agencies engaging the private sector when developing legislation. They need to build strong relationships with key industry figures and reassure them that any reported events will remain confidential.
Some nations are making good progress. In the Netherlands, the National Cyber Security Centre is a focal point for public-private partnerships, while Austria’s Cyber Security Platform brings together private and public CII operators as well as relevant public agencies.
Sweden’s Cooperation Group for Information Security takes this one step further: various authorities meet regularly to discuss current national and international developments.
Here in Germany we have a number of information sharing schemes between public and private sector agencies. Public regulators and corporate specialists attend joint workshops to discuss pressing issues, voice concerns and keep abreast of emerging regulations.
The report also calls for a joined-up strategy bringing together CII protection with existing national crisis and emergency management structures, including simulation exercises to test readiness against cyber attack. Three-quarters of the countries studied have a Computer Security Incident Response Team Community, made up of operators of critical infrastructure and sometimes individual citizens, that is able to mobilize swiftly to minimize the impact of an incident.
We’ve only given you a small snapshot of what’s in the report. If you want to find out more about combatting this growing threat to national security, you can read the full document Stocktaking, Analysis and Recommendations on the Protection of CIIs.
About the author
Paul Weissmann and Pascal Pillokeit are cyber security experts. They contributed extensively to and produced the ENISA report Stocktaking, Analysis and Recommendations on the Protection of CIIs. They can be contacted via email at email@example.com and firstname.lastname@example.org.