Internet access has become crucial to the functioning of our most important systems. The Directive on security of network and information systems (NIS Directive) is the first EU-level effort to enhance cybersecurity measures. What are these requirements? Are they enough to ensure the availability and security of systems critical to the ways we live today?
Online and ready when you are – that is a promise realised by most of the Internet-driven world, where our offices, our homes, and even our bodies are just one mouse click or one finger swipe away from the latest financial news and the temperature of the oven roast. Energy, sanitation and water supply, food, transport, financial networks, governments – Internet access has become crucial to the functioning of our most important systems.
So what would happen to this world if all access disappeared? We have at least one approximate real-life example. At approximately 4:37 p.m. PST on August 16, 2013, Google went dark – Gmail, YouTube, Google Drive, and the rest. It was just a four-minute failure but, unsurprisingly, Google’s system-wide outage did not affect its users alone. According to analytics firm GoSquared, in fact, Google’s downtime reduced web traffic worldwide by a whopping 40 percent.
Increasingly, the question is raised as to whether the Internet is a critical infrastructure – one of high importance for society’s ability to function in general and one to be protected in particular. While this question cannot be discussed for the Internet as a whole, of course – with all of its connected networks, systems, and services – the European Union is now rightly asserting that there is a core set of components whose reliability and security are vital to the functioning of our societies and economies. Moreover, in recognition of this fact, the EU moved in 2016 to require that certain enterprise operators of critical IT infrastructure and providers of digital services meet standards that secure these services against threats – whether an innocent service disruption or a malicious cyberattack.
To whom are these requirements directed? What are these requirements? And are these requirements enough to ensure the availability and security of systems critical to the ways we live today?
About the Author
Martin Schallbruch is the Senior Researcher for Cyber Innovation and Cyber Regulation at the Digital Society Institute of ESMT Berlin. As a Director-General for Cybersecurity in the German Federal Ministry of the Interior, he was responsible for the German position in the EU legislation process on network and information security.