Slashdot Mirror


First Ever EU Rules On Cybersecurity

An anonymous reader writes: Transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers on Monday. In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.

4 of 21 comments

  1. Re:But at the same time by dAzED1 · · Score: 2

    Depends on lots of things. People mistakenly think cybersecurity only has to do with confidentiality - that's incorrect. It also has to do with integrity, availability, and non-repudiation. If the "back door" provides access to only certain types of data, and it doesn't allow the data to be changed, and it doesn't present a method for making the data less available, and it is still fully audited and the FBI can be shown to have accessed something when it did and to have *not* accessed it when they didn't, then we're 999,999,999,999,999 times better than where we are right now. Right now, there's no roles-based access control on any device anywhere, no auditing, no secure software design...not even a hint of threat modeling and such. I'm more anti-big-brother than most, but I'd certainly prefer an overall improvement which then will show with certainty when the gov accessed data, than what we have now. The idea that a "back door" means some sort of idiotic rootkit to full unmitigated access to absolutely everything, is not only false - but is also a very incomplete picture, if true.

  2. You beat me to it by surfdaddy · · Score: 2

    I was going to post something almost identical. Europe seems to be a bit schizo on this - on the one hand they stridently demand privacy for their citizens and fault companies like Google, etc. But then they call for backdoors, making encryption illegal, etc. If it's a back door - do you REALLY think the "bad guys" won't find out about that and exploit them? That's a very dangerous game.

    Today TLS is weak partly because of the weak ciphers used in our browsers in the early days, that are still there - because the US called encryption a "munition" (haha) so that they could restrict the export of the technology. So nowadays we all use encryption that is weak and exploitable - just so that governments can snoop.

    1. Re:You beat me to it by Anonymous Coward · · Score: 2, Insightful

      You're confusing EU with UK.

  3. Re:But at the same time by KGIII · · Score: 2

    I have five exterior doors in my home. One of which is the back door. I can't think of any situation where it would eventually become the front door. The case is not closed.

    Not that I disagree, I just think you need better pithy sayings than that if you want to appeal to the masses. How about, "If you put a backdoor in encryption, some jackass will abuse it and this is a near certainty?" That might work. Let's see if we can fluff it out a little, shall we?

    "In order to be able to decrypt something that has been encrypted, you need a key. If you want to decrypt everything you'll need to either store all of these keys or have a master key that is given to only certain people. Now, as we know, storage can be broken into and people are not infallible. This key storage or master key will be targeted very aggressively by those who wish to do us harm. Because of this, there's no realistic way to reasonably provide a centralized means of decrypting encrypted data."

    'Snot so hard and even the less technical will understand it. The pithy reply you parroted isn't really very accurate and doesn't convey enough to clarify the problem for those who are unaware of the problem or think that there's a technological solution to this situation.

    --
    "So long and thanks for all the fish."