First Ever EU Rules On Cybersecurity
An anonymous reader writes: Transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers on Monday. In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.
But at the same time (Score:2)
But at the same time, other European lawmakers are demanding back doors for law enforcement.
So, which one wins? Can they use this rule to say "we can't install back doors because they're a security leak"?
Re: (Score:3)
I have five exterior doors in my home. One of which is the back door. I can't think of any situation where it would eventually become the front door. The case is not closed.
Not that I disagree, I just think you need better pithy sayings than that if you want to appeal to the masses. How about, "If you put a backdoor in encryption, some jackass will abuse it and this is a near certainty?" That might work. Let's see if we can fluff it out a little, shall we?
"In order to be able to decrypt something that has b
Re: (Score:2)
As an engineer who has designed devices and seen them deployed at a few companies with strong encryption, role based access control, auditing, and documented the threat models the system does and does not defend against, I'd take some exception to the hyperbole of "on any device anywhere". That said, yes, most companies don't care, and those of us that do fight a continual uphill battle against people who want to make security weaker so the products are easier to use. That also said, as someone familiar b
Re: (Score:2)
"But at the same time, other European lawmakers are demanding back doors for law enforcement. So, which one wins? Can they use this rule to say "we can't install back doors because they're a security leak"?"
It's not an either-or situation. It would be quite simple to have a law-enforcement role, which was then able to view certain specific types of data. To do that, you have to introduce the concept of roles-based-access. Tada, you've actually just improved security. One could very easily argue against the law-enforcement role having anything more than an incomplete auditing role; no
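The comment above argues that a narrowly scoped law-enforcement role, limited to audit records rather than content, is a matter of role-based access control. The following is an added example written for this thread, not code from the EU proposal, any vendor, or the commenter: a deny-by-default RBAC check whose every decision (granted or refused) lands in a hash-chained audit log, so the audit trail itself cannot be quietly edited. Role names, resource classes and the `AccessController` API are all hypothetical.

```python
"""Deny-by-default RBAC with a tamper-evident audit trail (illustrative only)."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json
import time


class Action(Enum):
    READ = "read"
    WRITE = "write"
    EXPORT = "export"


# Hypothetical role table: role -> set of (resource class, action).
# Anything not listed here is refused; "content" never appears under
# the law_enforcement role, which is the point being argued above.
ROLE_PERMISSIONS = {
    "user": {("content", Action.READ), ("content", Action.WRITE)},
    "operator": {("metadata", Action.READ), ("audit", Action.READ)},
    "law_enforcement": {("audit", Action.READ)},
    "auditor": {("audit", Action.READ), ("audit", Action.EXPORT)},
}


@dataclass
class AuditLog:
    """Append-only log. Each entry carries the hash of the previous one,
    so editing or deleting a record after the fact breaks verify()."""
    entries: list = field(default_factory=list)
    head: str = "0" * 64

    def record(self, principal, role, resource, action, allowed):
        entry = {
            "ts": time.time(),
            "principal": principal,
            "role": role,
            "resource": resource,
            "action": action.value,
            "allowed": allowed,
            "prev": self.head,
        }
        digest = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.entries.append(entry)
        self.head = digest
        return digest

    def verify(self):
        """Recompute the chain from the genesis value; False on any break."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            recomputed = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if recomputed != e["hash"]:
                return False
            prev = e["hash"]
        return True


class AccessController:
    def __init__(self):
        self.audit = AuditLog()

    def check(self, principal, role, resource, action):
        """Return True only if the role explicitly holds (resource, action).
        Every decision, including refusals, is written to the audit log."""
        allowed = (resource, action) in ROLE_PERMISSIONS.get(role, set())
        self.audit.record(principal, role, resource, action, allowed)
        return allowed


def demo():
    """Exercise the controller with constructed requests; returns
    (decisions, chain_valid_before_tampering, chain_valid_after_tampering)."""
    ac = AccessController()
    decisions = {
        "leo_reads_content": ac.check("inspector", "law_enforcement", "content", Action.READ),
        "leo_reads_audit": ac.check("inspector", "law_enforcement", "audit", Action.READ),
        "user_reads_content": ac.check("alice", "user", "content", Action.READ),
        "unknown_role": ac.check("mallory", "superuser", "content", Action.READ),
    }
    intact = ac.audit.verify()
    # Someone with write access to the log flips the first refusal to a grant.
    ac.audit.entries[0]["allowed"] = True
    return decisions, intact, ac.audit.verify()


if __name__ == "__main__":
    print(demo())
```

The table is the whole policy: adding a "full access" law-enforcement role is a one-line change, which is exactly why the argument in the thread turns on who controls that table, not on whether RBAC exists.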
Re: (Score:1)
Except his entire point was that law enforcement won't accept anything less than full access.
And to top it off, law enforcement is generally a pile of meat-headed, mouth-breathing morons, so they'll end up letting the keys out into the wild in short order, making any other levels of security moot in the process. If LEO's could be trusted to act like they know what in the actual fuck they're doing, there might be a sensible argument in favor of adding backdoors. But they can't, so we shouldn't give them toys
Re: (Score:2)
Likely both.
The problem with laws around technology is that the people writing them don't care how reality differs from what they've put in their law.
Lack of understanding of technology has never really stopped people passing laws about technology.
I agree with holding companies to some level of accountability instead of letting them just say "oops, we were lazy and incompetent and got hacked" -- I just have no idea how governments expect to reconcile that with demanding security exceptions to
You beat me to it (Score:3)
I was going to post something almost identical. Europe seems to be a bit schizo on this - on the one hand they stridently demand privacy for their citizens and fault companies like Google, etc. But then they call for backdoors, making encryption illegal, etc. If it's a back door - do you REALLY think the "bad guys" won't find out about that and exploit them? That's a very dangerous game.
Today TLS is weak partly because of the weak ciphers used in our browsers in the early days, that are still there - because the US called encryption a "munition" (haha) so that they could restrict the export of the technology. So nowadays we all use encryption that is weak and exploitable - just so that governments can snoop.
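The comment above refers to export-grade cipher suites, the 40-bit suites that exist because of the old US export rules. As an added example for this thread (not code from any browser or TLS library), here is server-side suite selection that parses the cipher_suites field of a ClientHello and refuses export-grade and RC4 suites regardless of what the client lists first; it is contrasted with the legacy behaviour of simply honouring client order. The suite table is a constructed subset of IANA suites with their real codepoints and key sizes; the ClientHello bytes are constructed for the demo.

```python
"""Cipher-suite policy enforcement on the server side (illustrative only)."""

# Constructed subset of the IANA registry: codepoint -> (name, symmetric key bits).
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 128),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 256),
}

# Hypothetical server preference list, strongest first.
SERVER_PREFERENCE = [0xC030, 0xC02F, 0x0035, 0x002F]


def parse_cipher_suites(buf):
    """Parse the ClientHello cipher_suites vector: a 2-byte length followed
    by 2-byte suite codepoints. Raises ValueError on a malformed field."""
    if len(buf) < 2:
        raise ValueError("cipher_suites length missing")
    n = int.from_bytes(buf[:2], "big")
    if n % 2 or len(buf) < 2 + n:
        raise ValueError("cipher_suites truncated or odd length")
    return [int.from_bytes(buf[2 + i:4 + i], "big") for i in range(0, n, 2)]


def acceptable(codepoint, min_key_bits=128, banned=("EXPORT", "RC4")):
    """Policy: known suite, at least min_key_bits, none of the banned tokens."""
    if codepoint not in SUITES:
        return False
    name, bits = SUITES[codepoint]
    return bits >= min_key_bits and not any(tok in name for tok in banned)


def select_suite(offered, enforce_policy=True):
    """Pick the suite for ServerHello.

    With enforce_policy the server walks its own preference list and takes
    the first suite the client also offered that passes acceptable();
    None means send handshake_failure. Without it, legacy behaviour: honour
    client order and accept anything the server knows, export suites included."""
    if enforce_policy:
        for cp in SERVER_PREFERENCE:
            if cp in offered and acceptable(cp):
                return cp
        return None
    for cp in offered:
        if cp in SUITES:
            return cp
    return None


def demo():
    """Constructed ClientHello fragments: one that lists an export suite
    first, one that offers only export-grade suites."""
    mixed = b"\x00\x08\x00\x03\x00\x05\x00\x2f\xc0\x2f"
    export_only = b"\x00\x04\x00\x03\x00\x06"
    offered = parse_cipher_suites(mixed)
    return {
        "offered": offered,
        "legacy_choice": select_suite(offered, enforce_policy=False),
        "policy_choice": select_suite(offered),
        "export_only_choice": select_suite(parse_cipher_suites(export_only)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v if not isinstance(v, int) else SUITES[v][0])
```

Note that the policy is applied on the server's side of the negotiation; a client that still carries the old suites is harmless only if every server it talks to refuses them.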
Re: (Score:2, Insightful)
You're confusing EU with UK.
On governments too? (Score:2)
Oh-oh (Score:2)
Micro and small digital companies will get an exemption, the deal says.
Yet another reason for the big players to hide behind 2000-in-one-building post-box companies. And still our government thinks there is nothing wrong with that.
penalty? (Score:2)
So what's the penalty for failing? If they fined all the executives 50% of their annual income for failing security, I'm sure they would be less resistant to spending 0.1% to have good security.