Power stations, banks, online shops, cloud providers, search engines, app stores, social networks and governments may soon be required by law to disclose ALL major security breaches. In a strategy titled An Open, Safe and Secure Cyberspace, the European Commission proposed this new directive for the continent: Operators of …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 8th February 2013 08:19 GMT Ole Juul

It'll take more than encryption

They will need to find a way to avoid viruses, Trojans, keyloggers, and other malware. So far government agencies haven't been very willing to do that. In fact they haven't even been willing to adopt secure operating systems - despite there being numerous choices.

2 0
Friday 8th February 2013 08:53 GMT Yes Me

More work for Mr Jobsworth

"forcing companies to notify the authorities of any data breaches or significant security incidents."

Right, that will certainly frighten the criminals.

2 6
1. Friday 8th February 2013 09:08 GMT Graham Marsden
  
  Point Missed: Re: More work for Mr Jobsworth
  
  The idea is not to "frighten the criminals" the idea is to get businesses and organisations to actually admit that they have flaws in their security and *DO* something about them instead of just trying to sweep it under the carpet for fear that it might affect their share prices (and thus bonuses).
  
  9 1
  1. Friday 8th February 2013 09:21 GMT Destroy All Monsters
    
    Re: Point Missed: More work for Mr Jobsworth
    
    Correct. But it will also mean that more mechanisms for "plausible denability" will be put in place internally.
    
    Of course, there are laws coming down the pipe (actually there already are) mandating full control & surveillance of all modifications to and consultations of data by company personnel or unwanted guests ... HOWEVER! While the employer must generate and keep the logs, he is not allowed to look at them, because that would be surveillance of the employee, which is a no-no. What do? Lawyers start to say that it is now impossible to be compliant to the law, so you have to take a risk approach even here ... reduce the risk of running afoul too hard and having to go to jail as opposed to handing over some cash from time to time.
    
    The time of the small ICT company is coming quickly to an end I fear. Time to read books on how to make and sell sammich.
    
    2 0
    1. Friday 8th February 2013 10:43 GMT Robert E A Harvey
      
      Re: Point Missed: More work for Mr Jobsworth
      
      My feeling is that the best people to report things to are people who will roll up their sleeves , put on big boots, and say "Ok, let's go get them!".
      
      OK , having to report you have a broken fence may be embarrasing, but only if the broken fence register is posted on the outside of the town hall, and people who own fences go and look at it. If it just gets filed in the 'broken fence' drawer and never sees the light of day, all you have done is make extra work.
      
      Perhaps companies should have to report such failures in thier annual reports, and on a case-by-case basis to shareholders?
      
      But if officialdom wants reports, then officialdom should send a 'policeman' out to respond.
      
      2 0
      1. Saturday 9th February 2013 22:18 GMT PrivateCitizen
        
        Re: Point Missed: More work for Mr Jobsworth
        
        But if officialdom wants reports, then officialdom should send a 'policeman' out to respond.
        
        Excellent point - but before the policeman can respond, people have to start reporting the crimes and show that it is happening enough to make police responses necessary.
        
        Implementing good security is an individual company responsibility. Tracking down and punishing the perpetrators is a police responsibility. At the moment, there is a bit of a disconnect because in lots of (although far from all) situations, the company decides to not mention the breach and deal with it using its own resources.
        
        At the moment, this makes sense for lots of companies - is this what the EU is trying to change?
        
        0 0
Friday 8th February 2013 09:12 GMT Destroy All Monsters

Come back when the criminals are out of the parliaments!

Well-meaning discussions, furrowing of brows and exhortations by the bureacracy, as well as new laws, shall improve data security, deter criminals and fend off Chinese hackers?

This is like believing that monetizing debt is a good idea or that printing money will make us wealthy and ease the depression in a jiffy. Who would believe that? Oh wait...

"During a 30-minute press conference, Euro bigwigs were grilled on what they were doing to end corporate espionage"

Yeah, with that kind of attitude we are on the right track. What *can* they do, Einsteins?

3 0
1. Friday 8th February 2013 12:12 GMT Greg 10
  
  Re: Come back when the criminals are out of the parliaments!
  
  Definitely the prize for the stupidest comment of the day.
  
  Just the ideological title ensures we know from the beginning you're gonna say dumb things (not that there may not be criminals in the parliaments, but pray tell, what's the link?).
  
  Then there's that random rant about monetizing debt, because of course, there is a clear angle about that here, and you should probably have mentionned gay marriage and social security, just to be sure it made no sense at all.
  
  Then of course, now that we know you make no sense whatsoever, we have that stupid assumption that anyone actually said it would stop hackers. Of course it doesn't, but if a crime goes unreported, then for sure you CANNOT do anything about it.
  
  So yeah, complain about taking a first step just because one step is not enough.
  
  Governments shouldn't take that first step to battle chinese IP theft, because one step is not enough, so they better do nothing at all and keep their eyes closed.
  
  1 3
  1. Friday 8th February 2013 12:35 GMT Bronek Kozicki
    
    Re: Come back when the criminals are out of the parliaments!
    
    Hold on, it's barely lunchtime.
    
    But yeah, I agree, seems like some people do not quite understand the concept of indirect incentives.
    
    1 0
Friday 8th February 2013 10:01 GMT Piers

Cecilia Malmström

Cecilia Malmström = Cecilia "BadStorm"?

Fantastic.

1 0
Friday 8th February 2013 10:53 GMT Anonymous Coward

Sigh, here we go again..

*Please* don't feed politicians complicated words, the fact that they now feel qualified to use the words "Could Services" is bad enough.

Stating that "more encryption" is the way to solve problem is what I'd call the Microsoft way to solve bad engineering: stick a plaster called "anti virus measures" over the wide cracks.

First, you assess the risks, insofar that you don't just decide what has value and WHAT can be done to cause harm, but also BY WHOM - the latter is a regular omission by reports I get to read through prepared by far-to-expesive consultancies. Only then do you design (greenfield) or adjust (established platform) your architecture, and put in place the procedures to keep it safe, in parallel with educating your users to a standard than can be proven (gives you a way to identify possible problem sources and take measures so that they cannot make a mess). Information storage, backup, recovery and age management are fun things to look at too (especially aged personal data can get you into a mess with Data Protection). After that, have a look at encryption, fine - that's where your next challenge arrives. CA and key management, key disposal (never zap a key unless you have a log of it or you'll be done for under UK's RIPA). Encryption is also good to manage the insider threat, but it means your intrusion detection ability degrades.

In short, just yelling "more encryption" is not helping. The whole picture needs to be improved.

2 0
Friday 8th February 2013 12:06 GMT Steve Davies 3

Dumb title

So El Reg only mention apple in the title of an article that starts by saying that just abour every company in the EU would have to tell some quango about security breaches.

Why just Apple eh?

Why not MS, Oracle , IBM etc as well in the title.

Come on show some journalsitic balance. We expect better from you.

Or were your page hits down a bit this week and wanted to get a few more in the bag?

Pah

Utter fail.

1 1
Friday 8th February 2013 12:34 GMT toadwarrior

You know jboss runs on macs. You should mention Apple in the heading of the jboss submission too. Let the world know how big your erection is for Apple.

1 1
Friday 8th February 2013 13:10 GMT Anonymous Coward

Right.

So now we have a comprehensive list of all the critical companies with shitty security...

1 0
Friday 8th February 2013 13:27 GMT I think so I am?

Please define for me:

significant security incidents

1 0
1. Friday 8th February 2013 14:12 GMT Mephistro
  
  Re: Please define for me:
  
  "significant security incidents"
  
  When the executive's salaries and bonuses and the earnings of the company are, accidentally or otherwise, made public without having been heavily doctored first.
  
  The rest of the security incidents -those concerning the pleb's private data- fall in the category of "insignificant security incidents".
  
  1 0
Friday 8th February 2013 21:15 GMT Mr Young

Shock, horror...

The EU considering digital security then? I guess they must have something to hide...

0 0
Saturday 9th February 2013 13:01 GMT regorama

the real question is:

...does the EU disclosures it own security incidents?

0 0