Di Donato Noemi Tommasina*
- Introduction
“We need to build the foundation for collective decision-making – this is what I call situational awareness. We fall short if Member States active in the same region, do not share their information on the European level […]”.
President Ursula von der Leyen, State of the Union, 15 September 2021
Last year, in the State of the Union Address, the President of the European Commission Ursula von der Leyen outlined initiatives that the Commission is currently meant to adopt «to address the cyber threat, but also [to make Europe] a leader in cyber security»[1].
The goal of countering increasingly frequent cyberattacks foresees the improvement of technical response capabilities as well as new legislative action to support central administrations and operators of essential services. In the wake of recent European policies that stress the relevance of data availability and data interoperability across sectors, there is a growing common awareness that data sharing is also a powerful tool in the cybersecurity dimension, where it helps to thwart ever-growing cyberattacks[2]. More specifically, governments at international and national level consider this process vital to preserving the strength and resilience of the Critical Infrastructures on which entire nations and their citizens rely.
- Towards a common legislative consciousness
The frequency and growing sophistication of cyberattacks make it imperative for all the parties involved to have mechanisms that help improve their security and, in turn, decrease the risk of suffering financial and reputational damage.
In the perspective of a new European Cybersecurity Strategy, the review of the NIS Directive (EU 2016/1148) is included in the European Commission's 2022 agenda, where the Commission stresses the importance of taking measures to increase the level of trust between competent authorities, to set rules and procedures in the event of a large-scale incident or crisis, and to share information on cyberattacks and risks[3]. Furthermore, the Commission is also meant to review the proposed Directive on the Resilience of Critical Entities (CER Directive), which is designed to address current and future online and offline risks in a coherent and complementary way.
In the US, the nation's cybersecurity defences and the protection of all federal networks are two key points of the current administration's agenda. In January 2022 President Biden signed the Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, which follows on the heels of the Executive Order signed in May 2021 that aims to remove barriers to threat information sharing between the government and the private sector. In addition, in July 2021 President Biden issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, announcing the government's Industrial Control Systems Cybersecurity Initiative to facilitate the deployment of technologies and systems that provide threat visibility and to increase cooperation with industry by sharing threat information for the control systems of critical infrastructure throughout the country.
These ongoing legislative texts show that legislators regard an efficient information-sharing process as a technique for protecting CIs.
- Data Sharing process: an analysis for the protection of Critical Infrastructures
Strategies for patching vulnerabilities in CIs represent a highly complex challenge, since account must be taken of disparate factors such as system architecture, configurations, the costs and benefits of downtime, and vendor interoperability. Therefore, in this peculiar field, cybersecurity protection calls for solutions shaped to address the specific information needs of those who manage CI weaknesses[4].
The benefits of data use and re-use in the infrastructure sectors can be grouped under two main headings (as the American doctrine suggests): stronger resistance to cyberattacks, since sharing enhances computer security, and lower security investment costs, since participants gain knowledge of their surrounding environment[5]. More specifically, information sharing encompasses improving efficiency, by enabling operators to take more informed decisions and by supporting coordination between different parties; strengthening infrastructure resilience, by providing a real-time understanding of infrastructure assets and how they are used; and facilitating predictive maintenance and the management of disruption[6].
However, the current challenges to data sharing (mostly related to privacy, civil liberties and organisational culture) emphasise that the value that can be extracted from data depends on the extent to which it is shared with the other players, on respect for the three objectives that ensure cybersecurity (confidentiality, integrity and availability of the system) and, above all, on the regulatory model adopted to administer the sharing process and guarantee its efficiency.
Due to its multifaceted and all-encompassing nature, cybersecurity policy requires a diversification of the actors involved in its execution. As a matter of fact, the need to create a legal framework that encourages the sharing process is heightened by the lack of trust among the parties to share information (which may exist because of the few interactions between the players involved, both public and private); the insufficiency of the conditions and modalities governing how the process is carried out; the need to safeguard sensitive information (disclosure of sensitive information can result in financial loss, violation of sharing agreements and loss of consumer trust); the absence of mechanisms to enforce the rules on information sharing; and, last but not least, unawareness of the positive aspects that information sharing can bring[7]. This last point also concerns the effort to build education on the subject matter, targeting even citizens, who could help disseminate collective knowledge on threats and related challenges and make more information available to business.
- Regulatory and Non-regulatory approaches
In the European panorama, as in the US, traditional regulation is not considered the most efficient approach to this policy issue. Clearly, hard law (European Commission, 2015) entails rules established by authorities that control the enforcement of compliance, so alternative and softer forms of regulation are identified as possible approaches: self-regulation (where market stakeholders agree upon rules to regulate their own actions) and co-regulation (where the regulatory body empowers and entrusts market stakeholders to achieve a policy objective)[8]. Co-regulation diverges from self-regulation in that it requires legislative support and more active governmental involvement. Though the aforenamed lines of regulation are more favourable, they still face the challenge of being based on a completely voluntary scheme of compliance: a serious concern in the cybersecurity dimension, because of the reluctance to disclose information that could potentially give rivals an advantage if shared.
Besides the presence of central national agencies that play a predominant role in collecting information and disseminating it to the private and public sectors, both in Europe and in the USA, governments must act as leaders in fostering trustworthiness and promoting data exchange. Clearly, the government has many concerns, which include enacting enabling legislation, elaborating best practices, and employing mechanisms to protect national security and critical infrastructures by promoting public-private cooperation and coordination on CIs.
Additionally, processing threat information may require the use of standardized data formats, which would allow information to be rapidly shared, examined and evaluated, so that more accurate responses can be promptly provided to manage cyberattacks.
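As an added illustration of what a standardized format makes possible (this example is not part of the original article; it assumes STIX 2.1, which the article does not name, as the exchange format, and the audience names and sample indicators are constructed for the illustration), the following Python builds indicators that carry a TLP marking, validates them, and releases to a given audience only the objects whose marking permits it. This is the mechanical counterpart of the sensitive-information concern raised earlier: unmarked or malformed objects are never released, and a single machine-readable marking decides what each sharing community receives.

```python
"""Added illustration: structured threat-indicator exchange with TLP-based
release control, shaped as STIX 2.1 objects (an assumption: the article
names no particular standard). All sample data below is constructed."""
import re
import uuid
from datetime import datetime, timezone

# Marking-definition identifiers that the STIX 2.1 specification fixes for
# the four TLP levels, so every recipient resolves them to the same meaning.
TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dbdf-4d56-b8c1-d5b0dd5e66e8",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Hypothetical sharing audiences and the most restrictive TLP each may receive.
AUDIENCE_MAX_TLP = {
    "public": "white",
    "sector_isac": "green",
    "trusted_partner": "amber",
    "internal": "red",
}

REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def stix_timestamp(dt):
    """STIX requires RFC 3339 UTC timestamps; millisecond precision is used here."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name, pattern, tlp, created=None):
    """Build a STIX 2.1 indicator carrying exactly one TLP marking."""
    ts = stix_timestamp(created or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
        "object_marking_refs": [TLP_IDS[tlp]],
    }


def tlp_of(obj):
    """Return the TLP level named by the object's markings, or None if unmarked."""
    refs = set(obj.get("object_marking_refs", []))
    for level, marking_id in TLP_IDS.items():
        if marking_id in refs:
            return level
    return None


def validate_indicator(obj):
    """Return a list of defects; an empty list means the object may be released."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in obj]
    if obj.get("type") != "indicator":
        problems.append("not an indicator")
    if not STIX_ID_RE.match(str(obj.get("id", ""))):
        problems.append("malformed STIX id")
    if tlp_of(obj) is None:
        problems.append("no TLP marking: unmarked data is never released")
    return problems


def bundle_for_audience(objects, audience):
    """Wrap in a STIX bundle only the objects whose TLP permits release to
    this audience; malformed or unmarked objects are silently dropped."""
    max_rank = TLP_RANK[AUDIENCE_MAX_TLP[audience]]
    released = [o for o in objects
                if not validate_indicator(o) and TLP_RANK[tlp_of(o)] <= max_rank]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": released}


# Constructed sample feed: three well-formed indicators, one unmarked, one malformed.
_T0 = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FEED = [
    make_indicator("Commodity malware hash",
                   "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", "white", _T0),
    make_indicator("Phishing domain seen by members",
                   "[domain-name:value = 'login-update.example']", "green", _T0),
    make_indicator("Scanner hitting a substation gateway",
                   "[ipv4-addr:value = '203.0.113.7']", "red", _T0),
]
_unmarked = make_indicator("Forgot the marking", "[url:value = 'http://example.invalid/x']", "green", _T0)
del _unmarked["object_marking_refs"]
SAMPLE_FEED.append(_unmarked)
SAMPLE_FEED.append({"type": "indicator", "id": "indicator--not-a-uuid", "pattern": "[x:y = 'z']"})

if __name__ == "__main__":
    for audience in AUDIENCE_MAX_TLP:
        names = [o["name"] for o in bundle_for_audience(SAMPLE_FEED, audience)["objects"]]
        print(f"{audience:16s} -> {names}")
```

Run stand-alone, the script prints one line per audience: the public feed carries only the TLP:WHITE hash, the sector community additionally receives the TLP:GREEN domain, and only internal consumers see the TLP:RED address; the unmarked and malformed objects reach nobody. A real deployment would also include the referenced marking-definition objects in the bundle and would transport it over a protocol such as TAXII, which is outside this illustration.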
* LL.M. Candidate in Law of Internet Technology, Bocconi University.
[1] President Ursula von der Leyen, State of the Union Address, in europe.eu, 15 September 2021.
[2] N. N. P. Mkuzangwe, Z. C. Khan, Cyber-threat information-sharing standards: A review of evaluation literature, The African Journal of Information and Communication (AJIC), 2020, vol. 25, 1-12.
[3] M. Negreiro, A high common level of cybersecurity in the EU, in europe.eu, 1 December 2021.
[4] D. Kapellmann, R. Washburn, Call to Action: Mobilizing Community Discussion to Improve Information-Sharing About Vulnerabilities in Industrial Control Systems and Critical Infrastructure, 28 May 2019.
[5] A. Pala, J. Zhuang, Information Sharing in Cybersecurity: A Review, Decision Analysis, 6 August 2019.
[6] Deloitte, New Technologies Case Study: Data Sharing in Infrastructure. A final report for the National Infrastructure Commission, November 2017.
[7] ENISA, Cyber Security Information Sharing: An Overview of Regulatory and Non-regulatory Approaches, Version 1.0, in europe.eu, 2015.
[8] Ibid.