European Cyber and Data security, What is coming and how we can be prepared for it

Presentation on EU Directives Impacting Cyber Security for Information Security Ireland

A presentation I gave at the Information Security Ireland event where I highlighted upcoming EU legislation that will impact how organisations should think about cyber security and opportunities for security companies to take advantage of

Who Am I?

CEO of BH Consulting – Independent Information Security Firm

Founder & Head of IRISSCERT – Ireland’s first Computer Emergency Response Team

Special Advisor on Internet Security to Europol's CyberCrime Centre (EC3)

Adjunct Lecturer at University College Dublin

Expert Advisor to European Network & Information Security Agency (ENISA)

Regularly comments on media stories – BBC, Forbes, Bloomberg, FT, Guardian, Sunday Times

“considers cybercrime to be an ever-increasing threat to the EU in the form of large-scale data breaches, online fraud and child sexual exploitation, while profit-driven cybercrime is becoming an enabler for other types of criminal activity.”

Europol Serious & Organised Threat Assessment 2013

 “Total Global Impact of CyberCrime US$ 3 Trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined.”

Europol Serious & Organised Threat Assessment 2013

 “cybercrime as one of nine EU priorities in the fight against serious and organised crime between 2014 and 2017”

The Justice and Home Affairs Council of 6-7 June 2013

Policy on Critical Information Infrastructure Protection (CIIP) – 2009

Focusing on the protection of Europe from cyber disruptions by enhancing security and resilience.

Based on five pillars:

Preparedness and prevention

Detection and response

Mitigation and recovery

International cooperation

Criteria for European Critical Infrastructures in the field of ICT.

DIRECTIVE 2011/92/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 December 2011

on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA

(to be transposed into national law in the Member States by 18th December 2013)

DIRECTIVE 2013/40/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 August 2013

on attacks against information systems and replacing Council Framework Decision 2005/222/JHA

(to be transposed into national law in the Member States by 4th September 2015)

This Directive

Sets out minimum rules defining criminal offences.

Improves operational cooperation between Member States’ national law enforcement services.

Improves operational cooperation between Member States and relevant EU agencies (Eurojust, Europol, ENISA).

Member States have to respond within eight hours to an urgent request related to a cyber-attack.

EU agencies will conduct threat assessments and strategic analyses of cybercrime

All such activities have also to comply with existing EU legislation on privacy and electronic communication and data protection

The main crimes defined in the Directive are

illegal access to information systems, illegal interference with systems or data, illegal interception of data transmissions, stricter criminal sanctions for botnets

Key Priorities For the Strategy

Freedom and openness

The EU's laws, norms and core values apply as much in cyberspace as in the physical world

Developing cyber security capacity building

Fostering international cooperation in cyberspace

EU Cyber Security Strategy - 2013

The Cyber Security Directive (formally known as the Network & Information Security Directive) (the Directive)

Bring all member states to a minimum security standard

Promote cooperation and ensure preparedness and transparency in important sectors

Introduce mandatory breach notification for certain organisations

All member states to develop a National Security Strategy

Appointment of a single point of contact among national competent authorities (NCAs)

Changes to Data Protection Directive

View to being ratified in 2015

Fines of up to €100 million or 5% of Global Turnover for Data Breaches

Mandatory Breach Notification “without undue delay”

Right to Be Forgotten

Companies with more than 250 employees will need to have a Data Protection Officer

Privacy by Default baked into all business processes & services

Trend Micro's UK Study re Data Protection Directive

50% of UK IT decision makers were unaware of the impending legislation

25% adamant that compliance is not achievable

To enhance the capability of the Commission, other EU bodies and the Member States to prevent, address and to respond to NIS problems

To provide assistance and deliver advice to the Commission and the MS on issues related to NIS falling within its competencies as set out in this Regulation

To develop a high level of expertise and use this expertise to stimulate broad cooperation between actors from the public and private sectors

To assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of NIS.

Objectives

Computer Emergency Response Teams

Resilience of Networks and Services and Critical Information Infrastructure Protection

Identity, Privacy and Trust

Risk Management

Areas of Research

National Cyber Security Strategies

Countries aligned for the deployment of the European Cyber Security Month

List of available courses and certification programmes
