Legislation, European Commission and good intentions

It is said that Otto von Bismarck once remarked:

Laws, like sausages, cease to inspire respect in proportion as we know how they are made.

Working with the Commission in its endeavours to legislate for the EU27 turns this saying into stark reality, in particular since there never seems to be any analysis of the consequences of the proposed legislation.

As so often, the road to hell is paved with good intentions.

Let’s take an example.

Currently on my desk there is a proposal with the staggering title:
Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security (NIS) across the Union. 2013/0027 – COM(2013) 48 final.

As the reader can surmise, the aim of the proposal is to get a better view of civil threats on the Internet and of how to co-ordinate any responses. This is to be achieved by reporting breaches on the network. The legislation has partly come about because the affected industries don’t do their own cleaning up. And seeing how many voluntary co-operation groups and industry groups there actually are, I can only see this as a severe lack of coordination. It is just another example where civil society could have acted to avoid regulation.

My problem here is that no one, not even the proposal’s authors, seems to know what should be notified, to whom, and where.

Let’s assume I change my logon password on my PC at home. The next time I log on I type in the old password; strictly speaking, this constitutes a breach which should be notified. There is, for example, no way of knowing whether this is an honest mistake on my part, a breach in bad faith, or a sign that my PC has been hijacked by someone more malevolent than I am.

But one swallow doesn’t make a summer, as Grandma always said. So let’s take another, more poignant example: in the German commercial banking sector there are 100 000 new Trojan threats monthly. 100 000 new Trojans monthly. Times 12 (in fact around Christmas there are even more), and times 27 if we want to extrapolate it to EU level. In only one sector in one country.

Who can deal with that mass of information? SHOULD it be dealt with? And then we have the fact that a database like this will constitute a perfect map of EU NIS weaknesses: if it is hacked, and we must assume it will be, it will provide any enemy with a perfect blueprint of where to aim an attack.

Well done, the Commission.
