EU critical infrastructure and cyber security

The EU critical infrastructure directive was developed as part of an EU wide strategy to fight against terrorism, but its actual implementation has, in reality, made critical infrastructure in the EU28 more vulnerable to attacks.
It is one of the many examples where membership of the EU makes citizens across the bloc less safe.
The proposals put forward by the European Commission to ‘enhance European prevention of, preparedness for and response to terrorist attacks involving critical infrastructures’  in reality make it more likely for hackers to access information to pass onto those who wish us harm or to encrypt data to hold us to ransom, as was seen in May 2017 in a number of countries across the globe. 
In December 2005 the Justice and Home Affairs Council called upon the Commission to make a proposal for a European programme for critical infrastructure protection (‘EPCIP’) and decided that it should be based on an all-hazards approach while countering threats from terrorism as a priority. 
All man made, technological threats and natural disasters would be taken into account, with a priority given to terrorism - but with no real consideration given to cyber security and limiting the number of people who have direct access or potential access to details of ECI.
Despite this being ordered at EU level the primary responsibility for protecting ECIs falls to national governments and the owners of such infrastructure, who have to comply with the directive and bear the additional costs and compensate for the additional risks the implementation of the directive created.
However, it was not until 2016 that the minimum standards for cyber security were enshrined in EU law, which demanded that companies which supply essential services – such as energy, transport, banking, health or digital services such as cloud services and search engines – will be required to achieve minimum standards of cyber-security.
The Network and Information Security (NIS) directive placed minimum and common cyber standards for infrastructure operators such as transport, banking, health and digital services such as cloud storage or search engines in order to ‘prevent attacks on EU countries’ interconnected infrastructure’. 
According to the Parliament’s rapporteur for the directive, Andrea Schwab, the directive will “establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe's important interconnected infrastructures in the future.”
“…it establishes harmonised requirements for platforms and ensures that they can expect similar rules wherever they operate in the EU. This is a huge success and a big first step to establishing a comprehensive regulatory framework for platforms in the EU.”
Digital service providers such as cloud services and search engines have a new obligation to report major incidents to a national computer security incident response team (CSIRT). The European Network and Information Security Agency (ENISA) will help member states in cross-border cooperation.
The reason for the initial sharing of data and top down rules on infrastructure, which for years had been managed solely by national governments and related agencies, was the catch all reason for the EU to make legislation: ‘cross border impacts’.
‘There are a certain number of critical infrastructures in the Community, the disruption or destruction of which would have significant cross-border impacts,’ the directive says. ‘This may include transboundary cross-sector effects resulting from interdependencies between interconnected infrastructures. Such ECIs should be identified and designated by means of a common procedure.’
But as anyone who has worked in an industry requiring operational security (OPSEC) knows, the fewer people who share this information, the smaller the probability of a leak or an error, either of which could have devastating impacts should the information get into the wrong hands. So why did the EU decide to ignore this basic rule and instead increase the chances of information falling into the wrong hands? Indeed the NIS directive is so vague it may as well be worthless, requesting a ‘Computer Security Incident Response Team and a competent national NIS authority - competent in case anyone should consider employing someone totally unqualified, like their dentist, for the position.
It also demands it’s favourite, ‘cooperation among all the member states by setting up a cooperation group in order to support and facilitate strategic cooperation and the exchange of information’ as if all national governments agreeing that cyber crime is a bad thing will magically stop there being any. 
The approval of those granted access to data is in itself lax, simply insisting that any person handling classified information on behalf of a country r the Commission should have ‘an appropriate level of security vetting.’
It goes on: ’Member States, the Commission and relevant supervisory bodies shall ensure that sensitive European critical infrastructure protection-related information submitted to the Member States or to the Commission is not used for any purpose other than the protection of critical infrastructures.’
It may be well meaning, but it means national governments and even private companies may lose control over who can access secure information, since accountability has been passed on to a variety of organisations including the government procedures in other Member States. This means that the security of a power plant or water treatment processing in one country could be at the mercy of the thoroughness of the procedures of another country which may not even have the democratic and legal oversights we would expect in the West.
No business worth its salt - and it is important to mention that private companies have been included within the scope of this directive - will invest in a huge capital project with very high fixed and variable costs and not consider cyber security: the problem here is predominantly state run projects with procurement and cost guidelines based on false economies. To take an example from the UK, the reality of the NHS cyber attacks has little to do with this notion of 'chronic underfunding' but stems from a reticence to redevelop in-house IT teams who develop applications with no real understanding of information security or futurability. Consequently, these legacy in-house software applications often don’t work when new versions of the operating systems or programming languages are released, but usually by that point the original developers have left the organisation, or the organisation doesn’t want to invest in either improving the legacy system or buying a better version from a reputable external supplier. If this happens in the UK it is inevitable it will be happening in other countries in the EU.
Sometimes it’s an external supplier who developed the legacy system, and the system is so embedded in the practice of the organisation that the supplier can charge extortionate rates simply for continued licensing—never mind support, maintenance, and improvements.
The NHS in particular has been criticised for its lax approach to security. One member of staff who works regularly with NHS IT teams said "the NHS seem to have no idea about what actual security means, so they get paid tens of thousands of pounds a year in salary to push paper around and document all their security holes, but never have the power or the will to actually get them fixed."
When asked about their experience of working with NHS IT teams on cyber security, they said:
“What we’ve found is that it’s not simply a question of squeezed budgets. Information governance and executive teams are focused on the upfront cost of replacing embedded legacy software—usually the reason why Trusts are running outdated and insecure operating systems—but lose sight of the cost of dealing with an attack like the one that’s just happened. 
"The cost to patients and their families, Trust staff, and the taxpayer of recovering from this security breach will be many, many times higher than simply improving their internal systems in the first place."
There is a danger that the complexity of the subject will mean that a solution will be a broad brush response of 'we need more money' but what has come out of the EU, the NIS directive, is not even that. It’s just more meetings, more paperwork and a new agency in Greece with a shiny building. 
Rather than pacify the public with promises of cash, ’lessons learned’ and repeating the word ‘cooperation’ as if a group of politicians sitting around a table with no real experience of dealing with complex software, firewalls and malware what needs to happen is a root and branch reform of cyber security and software procurement. Some of this won't even take massive reform, as our insider says, 
“Even after this wake-up call, we’ll still expect to find insecure software in use across NHS organisations—for example, old versions of Internet Explorer which aren’t compatible with modern web security standards. For the NHS, there’s still a long way to go.”
In contrast to the solutions offered by private companies, such as insisting on up to date operating systems (Windows XP, an unsupported operating system, is still the third most popular operating system in the world. According to, the out-of-date and vulnerable Windows XP is still running on 7.04% of the world's computers and more widely used than Windows 8.1 or Apple’s OSX), state run organisations are still operating on out of date systems where the manufacturer stopped releasing updates to protect it from new methods of threat or not applying updates when it was made available. 
The Commission implemented the directives because of the prevalence of ICT in the sectors heavy with critical infrastructure which are vital for the economy and society, including energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. 
The legislation on critical infrastructure implements bilateral schemes for cooperation between Member States, stipulating that EPCIP should build on such cooperation. ‘Information pertaining to the designation of a particular infrastructure as an ECI should be classified at an appropriate level in accordance with existing Community and Member State legislation.’ But where is this information stored? And who has access to it? Once again, we have to ask ourselves why security is considered less of a priority than the power base of the European Union. 
The initial proposals for the directive even included plans for energy generation which covered nuclear power stations. Just think about the potential for those who wish us harm to have increased opportunities due to the increased ‘cooperation’ over nuclear power stations, held in more than one country and by the EU centrally. Thankfully, due to some intense lobbying by certain member states, this was withdrawn. But its initial inclusion demonstrates the priorities of the EU: power over safety.
The rules regarding risks and communication for ECIs are as follows:
‘The efficient identification of risks, threats and vulnerabilities in the particular sectors requires communication both between owners/operators of ECIs and the Member States, and between the Member States and the Commission. Each Member State should collect information concerning ECIs located within its territory. The Commission should receive generic information from the Member States concerning risks, threats and vulnerabilities in sectors where ECIs were identified, including where relevant information on possible improvements in the ECIs and cross-sector dependencies, which could be the basis for the development of specific proposals by the Commission on improving the protection of ECIs, where necessary.
Effective protection of ECIs requires communication, coordination, and cooperation at national and Community level. This is best achieved through the nomination of European critical infrastructure protection contact points (‘ECIP contact points’) in each Member State, who should coordinate European critical infrastructure protection issues internally, as well as with other Member States and the Commission.’
If you were a hacker, a criminal gang or a terrorist organisation, you now have numerous places to start looking and more chances that one of those agencies may have a lax approach to cyber security. It has increased the risk to us and to our economy and way of life.
The directive stipulates that ‘Classified information should be protected in accordance with relevant Community and Member State legislation. Each Member State and the Commission should respect the relevant security classification given by the originator of a document’ but as we have seen from the NHS hack, which then went on to affect another 150 countries, those rules are simply not good enough. 
Nor is the request that ‘information sharing regarding ECIs should take place in an environment of trust and security. The sharing of information requires a relationship of trust such that companies and organisations know that their sensitive and confidential data will be sufficiently protected.’
This isn’t a secret society with pledges and promises, this is the security of vital parts of our daily way of life, our confidential data, the ability to run vital services, to keep the power on, to make sure our drinking water is safe, to maintain state secrets. But it has been handed over to Brussels to make legislation which is not only vacuous but dangerous in its scope. It’s obsession with power means it puts itself above basic principles of security and that is something all citizens in the EU should be concerned about.
Cyber security isn;t just something we need to be lobbying national governments about, we have the supranational level we need to be concerned with, too.
For the purpose of this Directive:
‘critical infrastructure’ means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions;
‘European critical infrastructure’ or ‘ECI’ means critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure;
‘risk analysis’ means consideration of relevant threat scenarios, in order to assess the vulnerability and the potential impact of disruption or destruction of critical infrastructure;
‘sensitive critical infrastructure protection related information’ means facts about a critical infrastructure, which if disclosed could be used to plan and act with a view to causing disruption or destruction of critical infrastructure installations;
‘protection’ means all activities aimed at ensuring the functionality, continuity and integrity of critical infrastructures in order to deter, mitigate and neutralise a threat, risk or vulnerability;
‘owners/operators of ECIs’ means those entities responsible for investments in, and/or day-to-day operation of, a particular asset, system or part thereof designated as an ECI under this Directive.
AB Sanderson for EFF





Contact Details

Brussels Head Office: 
Rue Pascale 16, 1040 Brussels,
Tel. +32 2 830 7141 

Registered Office:
2A, 'Delmar', Flat 1,
Brared Street,
Birkirkara, MALTA