We are currently experiencing an unprecedented period of radical social, technological, economic, and political change. Policymakers across the globe are rushing to cope with this shifting landscape and must adapt or die. In Europe, the lack of a coherent, international approach to deal with the growing problem of failed states and autocratic governments is already threatening to rip apart the European Union. Failing to produce a cybersecurity policy that correctly aligns the interests of private and public stakeholders across the continent would be just as dangerous.
According to the EU Agency for Network and Information Security (ENISA), lapses of cybersecurity currently result in annual losses in the range of €260 – €340 billion worldwide and the number of cyber-related incidents is increasing exponentially. In Europe, as elsewhere, human mistakes, technical failures, and malicious attacks continually expose individuals and institutions to enormous risk. The recent terrorist attacks in Paris only further underscore the need for an effective solution.
Thankfully, after years of debate and negotiation, European officials are seeking to implement the first EU-wide cybersecurity rules: the Network and Information Security (NIS) Directive. At the same time, it remains to be seen whether the agreement’s proposed “stick”- rather than “carrot”-driven approach will strike the right balance. The new agreement requires that operators of essential services and digital service providers ensure that their digital infrastructure can withstand cyber-attacks and notify the authorities in the case of a serious breach. The challenge, however, is that many breaches go unnoticed for months or even years.
If they are identified at all, the prevailing corporate culture of concealing bad news often makes matters worse, increasing reputational risk and public mistrust. In the status quo, firms often conceal attacks because of the increased likelihood of a public backlash and potential damage to their business. Given the diversity of services that EU policymakers have deemed essential – energy, transport, health, banking, online marketplaces, search engines, and cloud computing – the rules will affect a wide variety of industries and global operators. Notably, all of the industry segments targeted by the NIS Directive are interconnected, and a breach that cascades across sectors may multiply fines and descend into corporate finger-pointing. However, as currently proposed, the agreement’s preference for penalties over incentives is liable to lead to acrimony, legal quagmires, and a reduction of the already low level of cooperation between governments and systemically important operators.
If a company does not comply, the consequences could be harsh. Firms could endure fines as high as 2% of their global turnover or up to €75 million. This stick-first approach will likely see a number of multinationals raising flags of convenience and finding new homes with laxer cybersecurity rules for parts of their operations. Just as Ireland’s GDP has seen an upward lift at 7.8% due to corporate tax inversions, onerous cybersecurity penalties may drive global operators away from the EU. The lack of global coordination on cybersecurity standards only exacerbates this flight risk, and affected firms would be wise to remember that a chain of cyber defense is only as strong as its weakest link. The problem with this setup is that global operators are already hesitant to cooperate with many governments on cybersecurity. Public officials have often fought with companies over existing or proposed requirements to include backdoors in key software and weaken encryption.
In the United States, the so-called war on encryption has tended to weaken cooperation and erode trust between the government and systemically important firms such as Google, Apple, and Yahoo. This growing tension has flared most recently in the high-profile dispute between the Federal Bureau of Investigation (FBI) and Apple over obtaining access to a phone belonging to one of the perpetrators of the San Bernardino terror attack. As these same companies face the added threat of steep penalties for seemingly unavoidable breaches, they may seek to house IT and other important operations outside of the EU, at least until there are uniform, international cybersecurity standards. Indeed, while the new U.S. Cybersecurity Information Sharing Act of 2015 aims to strengthen international norms and regulations on cybersecurity, multilateral agreements will be a long time coming. Looking to the future, the NIS Directive will probably be ratified during the second quarter of 2016, with a subsequent period of around two years for member states to incorporate the new rules into their legal systems and create their lists of critical operators.
As they move forward with plans to bolster their cybersecurity posture, government officials in the EU, the U.S., and elsewhere would do well to recognize the necessity of both carrots and sticks in designing effective cybersecurity policy. In particular, a mixed approach balancing incentives and penalties would lay the groundwork for the dynamic, innovative partnerships the EU needs to thrive in our uncertain, rapidly changing world.