Slashdot Mirror


First Ever EU Rules On Cybersecurity

An anonymous reader writes: Transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers on Monday. In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.

21 comments

  1. But at the same time by Geoffrey.landis · · Score: 1

    But at the same time, other European lawmakers are demanding back doors for law enforcement.

    So, which one wins? Can they use this rule to say "we can't install back doors because they're a security leak"?

    --
http://www.geoffreylandis.com

    1. Re:But at the same time by phishybongwaters · · Score: 1

      All backdoors become front doors eventually. Case closed. You can not knowingly subvert security and at the same time act appalled that it was abused.

    2. Re:But at the same time by dAzED1 · · Score: 2

      Depends on lots of things. People mistakenly think cybersecurity only has to do with confidentiality - that's incorrect. It also has to do with integrity, availability, and non-repudiation. If the "back door" provides access to only certain types of data, and it doesn't allow the data to be changed, and it doesn't present a method for making the data less available, and it is still fully audited and the FBI can be shown to have accessed something when it did and to have *not* accessed it when they didn't, then we're 999,999,999,999,999 times better than where we are right now. Right now, there's no roles-based access control on any device anywhere, no auditing, no secure software design...not even a hint of threat modeling and such. I'm more anti-big-brother than most, but I'd certainly prefer an overall improvement which then will show with certainty when the gov accessed data, than what we have now. The idea that a "back door" means some sort of idiotic root kit to full unmitigated access to absolutely everything, is not only false - but is also a very incomplete picture, if true.

    3. Re:But at the same time by gstoddart · · Score: 1

      So, which one wins?

      Likely both.

      The problem with laws around technology is the people writing them don't care how reality differs from what they've put in their law.

      Lack of understanding of technology has never really stopped people passing laws about technology.

      I agree with holding companies to some level of accountability instead of letting them just say "oops, we were lazy and incompetent and got hacked" -- I just have no idea how governments expect to reconcile that with demanding security exceptions to bypass security.

      --
      Lost at C:>. Found at C.

    4. Re:But at the same time by kbonin · · Score: 1

      As an engineer who has designed devices and seen them deployed at a few companies with strong encryption, role based access control, auditing, and documented the threat models the system does and does not defend against, I'd take some exception to the hyperbole of "on any device anywhere". That said, yes, most companies don't care, and those of us that do fight a continual uphill battle against people who want to make security weaker so the products are easier to use. That also said, as someone familiar with both CALEA as well as what happens when you're visited by people asking for back doors, those people are certainly NOT interested in reasonably managed, audited, or in any way limited back doors - it's always 'give us unlimited unaudited access or...'

    5. Re:But at the same time by dAzED1 · · Score: 1

      You seem to not be staying within the context of my response. Laws are being passed to improve cybersecurity, and GP said

      "But at the same time, other European lawmakers are demanding back doors for law enforcement. So, which one wins? Can they use this rule to say "we can't install back doors because they're a security leak"?"

      It's not an either-or situation. It would be quite simple to have a law-enforcement role, which was then able to view certain specific types of data. To do that, you have to introduce the concept of roles-based-access. Tada, you've actually just improved security. One could very easily argue against the law-enforcement role having anything more than an incomplete auditing role; no need for them to turn off parts of the grid such as TFA mentions as an example, nor tweak the setting on your insulin pump. Show me even a *proposed* law asking for such types of access. Also, it might surprise you to learn (apparently) that you are not the only person on Slashdot that has an IA architect-type role. There's many a project I've helped run where such requests have been made, and where we then made them pay for an overall cybersecurity improvement as part of the minimal auditing role that was given out.

    6. Re:But at the same time by Anonymous Coward · · Score: 1

      Except his entire point was that law enforcement won't accept anything less than full access.

      And to top it off, law enforcement is generally a pile of meat-headed, mouth-breathing morons, so they'll end up letting the keys out into the wild in short order, making any other levels of security moot in the process. If LEO's could be trusted to act like they know what in the actual fuck they're doing, there might be a sensible argument in favor of adding backdoors. But they can't, so we shouldn't give them toys they're not smart enough to play with.

    7. Re:But at the same time by Anonymous Coward · · Score: 0

      I just have no idea how governments expect to reconcile that with demanding security exceptions to bypass security.

      Easy. When their backdoor gets used by someone else, simply disclose the fact that it happened. Loudly. And blame lawmakers for the backdoor. And point out that if they hadn't demanded it, your company's best practices would have prevented that backdoor from being created and everyone's data would still be safe.

      Basically, make them eat their own shit sandwich. Then have a parallel system in place without the backdoor, spin everything up, and never let the dumbshit law enforcement guys in your system again. They can't be responsible enough to keep it secure, so don't trust them with access at all.

    8. Re:But at the same time by Anonymous Coward · · Score: 0

      Unfortunately lawmakers understand only one thing: that what they deem to be law IS the law. If technology does not comply, well, it will comply. Or else.

    9. Re:But at the same time by KGIII · · Score: 2

      I have five exterior doors in my home. One of which is the back door. I can't think of any situation where it would eventually become the front door. The case is not closed.

      Not that I disagree, I just think you need better pithy sayings than that if you want to appeal to the masses. How about, "If you put a backdoor in encryption, some jackass will abuse it and this is a near certainty?" That might work. Let's see if we can fluff it out a little, shall we?

      "In order to be able to decrypt something that has been encrypted, you need a key. If you want to decrypt everything you'll need to either store all of these keys or have a master key that is given to only certain people. Now, as we know, storage can be broken into and people are not infallible. This key storage or master key will be targeted very aggressively by those who wish to do us harm. Because of this, there's no realistic way to reasonably provide a centralized means of decrypting encrypted data."

      'Snot so hard and even the less technical will understand it. The pithy reply you parroted isn't really very accurate and doesn't convey enough to clarify the problem for those who are unaware of the problem or think that there's a technological solution to this situation.

      --
      "So long and thanks for all the fish."

    10. Re: But at the same time by Anonymous Coward · · Score: 0

      There's no way that they can grant access, audited or otherwise, to data for which they don't themselves have the key. E.g., they can't give out a password they don't possess. Properly held passwords house a one-way hash and a salt (you can tell if it's a proper password, because they make you change it if you forget, rather than reminding you what it is). If they can remind you, they can tell the spooks, or leak your data.
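      The distinction this comment draws, a salted one-way hash that can only be verified versus a stored value the operator can hand back to a user (or to anyone else), is shown in the added Python example below. It is not code from the thread; the record layout and the `store_recoverable` contrast are constructed for illustration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; OWASP's current guidance is 600,000.
ITERATIONS = 600_000


def store_password(password: str) -> dict:
    """Keep only a random salt and a one-way digest (constructed record layout).

    The per-user salt means two users with the same password get different
    digests, so a leaked table cannot be attacked with one precomputed list.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """The only question a proper record can answer: does this candidate match?"""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def operator_can_disclose(record: dict) -> bool:
    """True if the stored record itself contains a recoverable password.

    For a hash-plus-salt record this is False: a 'remind me' feature cannot be
    built on it, which is why such services offer a reset flow instead.
    """
    return "password" in record


# Contrast: the design the comment warns about. A service that stores the
# password in recoverable form can remind the user, and can equally hand the
# same value to a third party or lose it in a breach.
def store_recoverable(password: str) -> dict:
    return {"password": password}  # weak design, shown only for contrast


def remind_recoverable(record: dict) -> str:
    return record["password"]
```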

    11. Re: But at the same time by Anonymous Coward · · Score: 0

      They'll make such disclosure illegal, just as they have made it illegal to disclose that you have been asked for keys, hence the sites that use "canaries".

  2. You beat me to it by surfdaddy · · Score: 2

    I was going to post something almost identical. Europe seems to be a bit schizo on this - on the one hand they stridently demand privacy for their citizens and fault companies like Google, etc. But then they call for backdoors, making encryption illegal, etc. If it's a back door - do you REALLY think the "bad guys" won't find out about that and exploit it? That's a very dangerous game.

    Today TLS is weak partly because of the weak ciphers used in our browsers in the early days, that are still there - because the US called encryption a "munition" (haha) so that they could restrict the export of the technology. So nowadays we all use encryption that is weak and exploitable - just so that governments can snoop.

    1. Re:You beat me to it by Anonymous Coward · · Score: 2, Insightful

      You're confusing EU with UK.

    2. Re:You beat me to it by Anonymous Coward · · Score: 0

      Europe seems to be a bit schizo on this - on the one hand they stridently demand privacy for their citizens and fault companies like Google, etc. But then they call for backdoors, making encryption illegal, etc.

      Crazy right? Almost makes you think the EU is made of several people, some of whom care about privacy and others who care about control.

    3. Re:You beat me to it by Teun · · Score: 1

      Spot on.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."

  3. NO by Anonymous Coward · · Score: 0

    Sorry E.U. but our property is our property and we won't be reporting on anything.

  4. On governments too? by John+Jorsett · · Score: 1

    Governments are always coming up with these requirements for others, are they going to impose these same rules on themselves as well? The only time my data has been compromised was when the United States Office of Personnel Management managed to lose every scrap of data it had on millions of people, including the intimate details of their lives necessary for security clearances. If Google or General Motors or some other private business had done this, there'd have been resignations, firings, huge fines, prison, etc. OPM does it and there's a little public handwringing, some Congressional Shame Hearings, but nothing too drastic.

  5. Oh-oh by Errol+backfiring · · Score: 1

    Micro and small digital companies will get an exemption, the deal says.

    Yet another reason for the big players to hide behind 2000-in-one-building post-box companies. And still our government thinks there is nothing wrong with that.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!

  6. worse than worthless... just like their cookie law by Anonymous Coward · · Score: 0

    worse than worthless... just like their cookie law

  7. penalty? by Gravis+Zero · · Score: 1

    So what's the penalty for failing? If they fined all the executives 50% of their annual income for failing security, I'm sure they would be less resistant to spending 0.1% to have good security.

    --
    Anons need not reply. Questions end with a question mark.