Cybersecurity due diligence

By on 22 Nov 2016

Category: Tech matters

Tags: , , ,

Blog home

Joanna Kulesza (centre) at RIPE 73. Photo credit: RIPE NCC

Cybersecurity is no longer a corporate or private affair. What once was simply good business practice is now a legal obligation for ISPs, large and small.

In Europe, this is the direct consequence of the upcoming EU Network and Information Security (NIS) Directive, to be implemented into national laws within the next few years, but such obligations are reflected in other international and national documents describing contemporary policies and future laws.

This begs the question: Is there a universal standard of due diligence to be applied to all those concerned with cybersecurity issues? This brief post seeks to answer this.

New EU law on cybersecurity – the NIS Directive

The NIS Directive was adopted by the European Union (EU) in 2016 after years of debate, which primarily focused on the additional security requirements for “digital service” operators. These operators included online stores, search engines and “cloud services”, among others.

From the operators’ vantage, these extra security standards being forced upon them were costly “obstacles”.

The EU argued that the new security standards are for the common benefit, emphasizing that:

“Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities, and in particular to the functioning of the internal market”. [NIS Directive Preamble]

According to Article 21 of the NIS Directive, member states are to adopt national laws enacting the Directive and “shall take all measures necessary to ensure that they are implemented”, including laying down rules on penalties applicable to infringements” of such national provisions, making sure that “the penalties provided for shall be effective, proportionate and dissuasive”.

While the broad catalogue of operators to be targeted by the upcoming national laws alone is ground for cautionary vigilance, the reference to “all necessary measures” is a codeword for a flexible yet largely extra-legal standard of due diligence.

Who should care about cybersecurity? Is your company targeted by the new laws?

If your company operates on the European open market, you might want to double check whether you are eligible for the upcoming cybersecurity verification as per the NIS Directive and the laws implementing it.

Annex II, provides a list of “digital services” that the new cybersecurity laws are aimed at, including “IXPs, DNS service providers and TLD name registries”. Interestingly, these are named alongside well-known critical infrastructure operators, including energy (electricity, oil, gas) and water providers, mass transportation services (air, rail transport, water and road transport), banking services, financial market operators, and the health sector. The EU clearly views online service operators as potential targets of attacks that could result in massive loss of lives or significant damage to persons or property, placing them right alongside businesses traditionally perceived as performing risk-generating operations.

What’s more, the more inclusive Annex III adds various other kinds of “digital services” to the list, including but not limited to “online marketplace” services, online search engines and cloud computing services. All these operators need to watch out for the national laws implementing the EU NIS Directive and make sure they remain compliant.

Cybersecurity obligations? What cybersecurity obligations?

As already indicated, the NIS Directive seeks to establish a uniform level of cybersecurity throughout the EU when it comes to its critical infrastructure, which includes the Internet and its agents.

The above-mentioned reference to “all necessary measures” that member states need to take when ensuring compliance with EU law, justifies an anticipation of what could be expected.

Looking at other risk-generating business areas, such as energy supply or mass transportation, the flexible standard of due diligence has been well recognized by member states and businesses alike. The international law model of “good government” requires member states to introduce laws that refer to the contemporary state of art in a given area of practice.

The much needed due diligence standard is intentionally left flexible to be decided on a case-by-case basis by experts, who are at times, called upon for advice by courts deciding on international liability or reparations. We are therefore likely to expect national laws encouraging businesses to adopt and benchmark best business practices rather than expect detailed guidelines coming from national lawmakers.

What is more significant, is that technical communities, like those composed of IXPs or name registries, will serve as both: targets for the new laws, and points of reference to establish the required level of care in a given situation.

This self-referring mechanism, which is well represented in other areas of international law, is likely to come into play also in the case of international cybersecurity.

A model “good” company will, therefore, need to follow and adopt the contemporary trends in cybersecurity the best it can to avoid civil liability for negligence. This is not to imply that it will have to adopt all the latest technologies regardless of expense; the common good due diligence standard takes reference of the economic capabilities of various groups of players and requires them to keep up with average, contemporary good practice, rather than to seek out the latest, costly developments.

Forums such as those offered by RIRs like the RIPE NCC and APNIC will therefore become even more valuable as disregarding or ignoring them might be perceived as a sign of company’s negligence.

Is this a European trend?

No, it is not. Other international forums that refer to due diligence as the upcoming standard for cybersecurity include the UN GGE and the Council of Europe.

Due diligence will also come into play when it becomes not just a matter of protecting infrastructure but data, with a similar reference and a necessary privacy risk assessment well present in the upcoming EU data protection regulation (General Data Protection Regulation, GDPR), to come into force in 2018.

What lessons are to be learned from other business areas where due diligence has long been present?

Apart from being active in a relevant community, as well as sharing and learning, one might also want to look at another interesting issue, specific to the risk-generating enterprises known thus far.

All enterprises generating risk of significant transboundary harm, such as nuclear energy production, space exploration or oil transportation have been endowed with two legal obligations: state authorization and obligatory liability insurance. One cannot enter those markets without providing to the state evidence of due care, including a risk assessment or proof of insurance, in case of significant damage occurring despite due care paid by the operator.

While the former – state authorization – is difficult to introduce for the cybersecurity sector, drafted as broadly as it has been, an ISP liability fund seems one of the lessons that might be worthy of noting.

While some states offer voluntary insurance in case of liability (surprisingly, not due to infrastructure cybersecurity but due to copyright violations), this is not the standard by far. Introducing cybersecurity liability insurance might add to the evolution of the Internet market, rather than curb its small and middle players who are unable to fund sufficient cybersecurity measures (or legal aid).

The business community might complement this new service by providing technical expertise for example, running risk assessments when the insurance fee is set.

What’s next?

The NIS Directive, likely with its cybersecurity risk assessments, the GDPR with its obligatory privacy risk assessment, and the ongoing international dialogue with the increasing role of cybersecurity due diligence are all on the cards. And while states are unable to attribute a cyberattack to a given actor (state or non-state), they are likely to point to due diligence and negligence in order to attribute fault. As stated by the White House’s International Strategy For Cyberspace: Prosperity, Security, and Openness in a Networked World,  it is the state’s “responsibility to protect information infrastructures and secure national systems from damage or misuse.”

This international law obligation is likely to be reflected in national cybersecurity laws, paving the way for individual obligations on Internet infrastructure operators. It is therefore high time to engage with the community to know what the “cybersecurity due diligence” standard actually is for 2016 and the years to come.

If you’d like to know more about this issue watch my presentation at RIPE 73 [video] or read my latest book “Due Diligence in International Law”, BRILL, 2016.


Joanna Kulesza is assistant professor in International Law at the University of Lodz, Poland.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *