ISAFE participates in EU Plenary Meeting
ISAFE is a cross-industry group of major European companies that promotes a more economically sustainable approach to cybersecurity. It has come together to provide unified private sector input on an ongoing basis on proposed legislation, including the draft EU Directive on Network Information Security (NIS) currently under discussion in Brussels.
As we all know, cyber attacks, including some sponsored by nation states, are growing in number and complexity, threatening both our national and regional economies and our citizens. Although government and industry are using the same systems, it is industry that owns and operates the vast majority of the Internet. So it is industry’s job to come together and provide clear advice to our government partners on how to best secure this complex set of systems.
Unfortunately, the traditional mechanisms for providing input from industry on legislative approaches do not lend themselves to this cross-sectoral problem. Major companies from across Europe and across industry sectors need to pull together and to speak with one voice. They can then help outline a new digital model to secure our systems from these increasingly sophisticated attacks. And they can do this in a way that will demonstrably improve security, while promoting the growth of the EU economy and job market.
ISAFE is distinctly different from other groups operating in this space. It is cross-sectoral and represents major industries from all across Europe. It is a model which has proved highly successful in the USA, where the Internet Security Alliance has successfully advocated an industry-led, incentive-based voluntary approach to cyber security as opposed to the traditional regulatory model.
ISAFE’s approach is based on five core principles.
- The enormous and growing cyber threat to industry is primarily an economic issue, where the attacking community has massive advantages over the victims of these sometimes nation-state supported attacks.
- Traditional regulation is ill-suited to addressing the realities of 21st century cyber-attacks.
- Over-regulation not only fails to enhance security, but will also have substantial negative economic impacts on EU industry and member states at a time when we can least afford it.
- We need a cross-sectoral coalition to establish a “cyber-security social contract” between EU industry and government to promote collaborative security and economic growth.
- Following a primarily regulatory model in the EU will place EU-based companies at a competitive disadvantage, thus hurting EU economic growth.
Some of the core EU discussions to date on long-term cyber security rest on assumptions that may be mistaken. For example, there is an assumption that a corporation that has suffered a cyber-breach must have been behaving irresponsibly in terms of securing its systems. The reality is that cyber-attacks are now so sophisticated that the notion of perimeter defence is widely regarded as outdated among cyber experts, and even government systems have suffered successful cyber-attacks.