European Union security directive slammed by Ross Anderson

Proposed EU directive will put the spooks in charge, claims Anderson

Computer security guru Professor Ross Anderson has criticised the European Union's proposed computer security directive which, he says, represents "yet another unfortunate step towards the militarisation of cyberspace".

The directive forms the centrepiece for the EU's new cyber security strategy, which was launched yesterday.

In an analysis, Anderson writes that "it will oblige member states to set up single 'competent authorities' for technical expertise, international liaison, security breach reporting and CERT [computer emergency response team] functions. In the UK, these functions are distributed across GCHQ, MI5/CPNI, the new National Crime Agency, the Information Commissioner's Office and various private-sector bodies".

As a result, it will no doubt put the security services in de facto charge of the internet, while also damaging co-operation between government agencies and the private sector, which runs most of the internet infrastructure in the UK and across Europe.

"Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness. Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cyber security co-operation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play," he added.

Furthermore, he notes, whereas laws in the US require organisations that experience a security breach to report the breaches to users, the EU directive only requires them to report breaches to the mandated "competent authority".

These authorities only have to tell people affected if they decide that it is in the "public interest", whatever that is. "So instead of empowering us, it will empower the spooks," warns Anderson.

On top of that, the 48-page directive - longer than the entire US constitution - also provides that those "competent authorities", which will be led by the security services, may demand information from public and private operators in order to assess the security of their networks and information systems, and may conduct security audits.

Those authorities will also be empowered to issue "binding instructions" to operators, says Anderson. "As Parliament has just criticised the Home Office's attempt to take powers to order firms like Google and Facebook to disclose user data by means of the Communications Data Bill, I hope everyone will think long and hard about the implications of passing this Directive as it stands," he says.

Anderson also criticised the EU for omitting critical opinions that had been submitted to the Impact Assessment Board about the proposed Europe-wide legislation, which would be binding on all member states if it were passed in its current form.

In a separate policy document, the EU justified the proposed directive as a means of improving confidence in the internet and in conducting business over it.

It is needed to complete the "digital single market" which, it claimed, would boost the gross domestic product of the countries that comprise the EU by €500bn. "For new connected technologies to take off, including e-payments, cloud computing or machine-to-machine communication, citizens will need trust and confidence," states the document.

It added, somewhat implausibly, that one-in-10 EU citizens had been victims of online fraud - a claim it neither defined, nor referenced - and that one-in-three EU citizens were nervous about using the internet for online banking or buying goods.

It also stated that the "overwhelming majority" of people said that they avoid disclosing personal information online because of security concerns - disregarding the hundreds of millions that use Facebook, Twitter, LinkedIn and other social networks across the continent.

The European Union is also ultimately responsible for the much-criticised Communications Data Bill, which the UK government is obliged to pass in some form as the UK implementation of the 2006 Data Retention Directive.