UK against mandatory reporting of cyber attacks
26 Oct 2012
London – The UK government will, next year, launch a collaborative initiative with industry to help reduce the vulnerability of the UK to cyber attack. The initiative will feature incentives to help businesses to share information on IT security breaches, rather than mandatory reporting - as proposed by the European Commission.
The UK project aims to counter cyber threats through facilitating the sharing of cyber attack information across a range of groups including: within industry sectors; between industry sectors; between industry and Government; and between industry and law enforcement.
A pilot, which concluded in March, demonstrated that industry could share information, knowledge and experience for mutual benefit across sectors, according to the UK government response to a European Commission consultation on network and information security.
“The UK government and industry partners are now actively working to create a scalable and sustainable collaborative operating environment to build on the current momentum and demonstrate enduring value and benefit to the project’s community of stakeholders,” said BIS (the UK department for business, innovation and skills).
A key finding has been that the best way to enhance cyber security is to allow businesses to share information in a non-regulatory and ‘safe’ environment. This should involve them in benchmarking “cyber security maturity” against others, and receiving information on threats and mitigation from other businesses, government and law enforcement bodies.
This collaboration environment should include an analytical function that can digest and process the information that the participants feed in.
This, said BIS, will enable participants to receive direct and relevant advice on specific threats from the central function, in addition to direct information from other participants.
“The project is being run jointly with industry partners, and the participation criteria, operating model and building of the actual environment are a collaborative venture. We intend to go live with the new environment early in 2013,” said a BIS statement.
The UK is, however, not convinced that proposed European Commission measures to make security-breach disclosures mandatory would provide business with the right incentives to disclose information or to improve existing cyber security measures.
“At present, we believe that businesses require guidance and encouragement to look for issues and address them, rather than penalties for issues which they may not have the capabilities to address,” BIS explained.
“Paradoxically, the introduction of mandatory security breach reporting could mean that those who are better capable of finding and reporting security breaches are penalised, when in fact they should be the ones who are being rewarded for their good practice.
“Making security breach disclosure mandatory is therefore likely to discourage businesses from improving their cyber security practices and actively looking for threats, and would therefore be a disincentive to addressing cyber risks. The reputational damage and cost to business that disclosing breaches entails is also likely to be a disincentive to disclosure.”