back to article EU: We'll force power plants, Apple and pals to admit hack attacks

Power stations, banks, online shops, cloud providers, search engines, app stores, social networks and governments may soon be required by law to disclose ALL major security breaches. In a strategy titled An Open, Safe and Secure Cyberspace, the European Commission proposed this new directive for the continent: Operators of …


This topic is closed for new posts.
  1. Ole Juul

    It'll take more than encryption

    They will need to find a way to avoid viruses, Trojans, keyloggers, and other malware. So far government agencies haven't been very willing to do that. In fact they haven't even been willing to adopt secure operating systems - despite there being numerous choices.

  2. Yes Me Silver badge

    More work for Mr Jobsworth

    "forcing companies to notify the authorities of any data breaches or significant security incidents."

    Right, that will certainly frighten the criminals.

    1. Graham Marsden

      Point Missed: Re: More work for Mr Jobsworth

      The idea is not to "frighten the criminals" the idea is to get businesses and organisations to actually admit that they have flaws in their security and *DO* something about them instead of just trying to sweep it under the carpet for fear that it might affect their share prices (and thus bonuses).

      1. Destroy All Monsters Silver badge

        Re: Point Missed: More work for Mr Jobsworth

        Correct. But it will also mean that more mechanisms for "plausible denability" will be put in place internally.

        Of course, there are laws coming down the pipe (actually there already are) mandating full control & surveillance of all modifications to and consultations of data by company personnel or unwanted guests ... HOWEVER! While the employer must generate and keep the logs, he is not allowed to look at them, because that would be surveillance of the employee, which is a no-no. What do? Lawyers start to say that it is now impossible to be compliant to the law, so you have to take a risk approach even here ... reduce the risk of running afoul too hard and having to go to jail as opposed to handing over some cash from time to time.

        The time of the small ICT company is coming quickly to an end I fear. Time to read books on how to make and sell sammich.

        1. Robert E A Harvey

          Re: Point Missed: More work for Mr Jobsworth

          My feeling is that the best people to report things to are people who will roll up their sleeves , put on big boots, and say "Ok, let's go get them!".

          OK , having to report you have a broken fence may be embarrasing, but only if the broken fence register is posted on the outside of the town hall, and people who own fences go and look at it. If it just gets filed in the 'broken fence' drawer and never sees the light of day, all you have done is make extra work.

          Perhaps companies should have to report such failures in thier annual reports, and on a case-by-case basis to shareholders?

          But if officialdom wants reports, then officialdom should send a 'policeman' out to respond.

          1. PrivateCitizen

            Re: Point Missed: More work for Mr Jobsworth

            But if officialdom wants reports, then officialdom should send a 'policeman' out to respond.

            Excellent point - but before the policeman can respond, people have to start reporting the crimes and show that it is happening enough to make police responses necessary.

            Implementing good security is an individual company responsibility. Tracking down and punishing the perpetrators is a police responsibility. At the moment, there is a bit of a disconnect because in lots of (although far from all) situations, the company decides to not mention the breach and deal with it using its own resources.

            At the moment, this makes sense for lots of companies - is this what the EU is trying to change?

  3. Destroy All Monsters Silver badge

    Come back when the criminals are out of the parliaments!

    Well-meaning discussions, furrowing of brows and exhortations by the bureacracy, as well as new laws, shall improve data security, deter criminals and fend off Chinese hackers?

    This is like believing that monetizing debt is a good idea or that printing money will make us wealthy and ease the depression in a jiffy. Who would believe that? Oh wait...

    "During a 30-minute press conference, Euro bigwigs were grilled on what they were doing to end corporate espionage"

    Yeah, with that kind of attitude we are on the right track. What *can* they do, Einsteins?

    1. Greg 10

      Re: Come back when the criminals are out of the parliaments!

      Definitely the prize for the stupidest comment of the day.

      Just the ideological title ensures we know from the beginning you're gonna say dumb things (not that there may not be criminals in the parliaments, but pray tell, what's the link?).

      Then there's that random rant about monetizing debt, because of course, there is a clear angle about that here, and you should probably have mentionned gay marriage and social security, just to be sure it made no sense at all.

      Then of course, now that we know you make no sense whatsoever, we have that stupid assumption that anyone actually said it would stop hackers. Of course it doesn't, but if a crime goes unreported, then for sure you CANNOT do anything about it.

      So yeah, complain about taking a first step just because one step is not enough.

      Governments shouldn't take that first step to battle chinese IP theft, because one step is not enough, so they better do nothing at all and keep their eyes closed.

      1. Bronek Kozicki

        Re: Come back when the criminals are out of the parliaments!

        Hold on, it's barely lunchtime.

        But yeah, I agree, seems like some people do not quite understand the concept of indirect incentives.

  4. Piers

    Cecilia Malmström

    Cecilia Malmström = Cecilia "BadStorm"?


  5. Anonymous Coward
    Anonymous Coward

    Sigh, here we go again..

    *Please* don't feed politicians complicated words, the fact that they now feel qualified to use the words "Could Services" is bad enough.

    Stating that "more encryption" is the way to solve problem is what I'd call the Microsoft way to solve bad engineering: stick a plaster called "anti virus measures" over the wide cracks.

    First, you assess the risks, insofar that you don't just decide what has value and WHAT can be done to cause harm, but also BY WHOM - the latter is a regular omission by reports I get to read through prepared by far-to-expesive consultancies. Only then do you design (greenfield) or adjust (established platform) your architecture, and put in place the procedures to keep it safe, in parallel with educating your users to a standard than can be proven (gives you a way to identify possible problem sources and take measures so that they cannot make a mess). Information storage, backup, recovery and age management are fun things to look at too (especially aged personal data can get you into a mess with Data Protection). After that, have a look at encryption, fine - that's where your next challenge arrives. CA and key management, key disposal (never zap a key unless you have a log of it or you'll be done for under UK's RIPA). Encryption is also good to manage the insider threat, but it means your intrusion detection ability degrades.

    In short, just yelling "more encryption" is not helping. The whole picture needs to be improved.

  6. Steve Davies 3 Silver badge

    Dumb title

    So El Reg only mention apple in the title of an article that starts by saying that just abour every company in the EU would have to tell some quango about security breaches.

    Why just Apple eh?

    Why not MS, Oracle , IBM etc as well in the title.

    Come on show some journalsitic balance. We expect better from you.

    Or were your page hits down a bit this week and wanted to get a few more in the bag?


    Utter fail.

  7. toadwarrior

    You know jboss runs on macs. You should mention Apple in the heading of the jboss submission too. Let the world know how big your erection is for Apple.

  8. Anonymous Coward
    Anonymous Coward


    So now we have a comprehensive list of all the critical companies with shitty security...

  9. I think so I am?

    Please define for me:

    significant security incidents

    1. Mephistro

      Re: Please define for me:

      "significant security incidents"

      When the executive's salaries and bonuses and the earnings of the company are, accidentally or otherwise, made public without having been heavily doctored first.

      The rest of the security incidents -those concerning the pleb's private data- fall in the category of "insignificant security incidents".

  10. Mr Young

    Shock, horror...

    The EU considering digital security then? I guess they must have something to hide...

  11. regorama

    the real question is:

    ...does the EU disclosures it own security incidents?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022