Computer security guru Professor Ross Anderson has criticised the European Union's proposed computer security directive which, he says, represents "yet another unfortunate step towards the militarisation of cyberspace".
The directive forms the centrepiece for the EU's new cyber security strategy, which was launched yesterday.
In an analysis, Anderson writes that "it will oblige member states to set up single 'competent authorities' for technical expertise, international liaison, security breach reporting and CERT [computer emergency response team] functions. In the UK, these functions are distributed across GCHQ, MI5/CPNI, the new National Crime Agency, the Information Commissioner's Office and various private-sector bodies".
As a result, it will no doubt put the security services in de facto charge of the internet, while also damaging co-operation between government agencies and the private sector, which runs most of the internet infrastructure in the UK and across Europe.
"Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness. Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cyber security co-operation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play," he added.
Furthermore, he notes, whereas laws in the US require organisations that experience a security breach to report the breaches to users, the EU directive only requires them to report breaches to the mandated "competent authority".
These authorities only have to tell people affected if they decide that it is in the "public interest", whatever that is. "So instead of empowering us, it will empower the spooks," warns Anderson.
On top of that, the 48-page directive - longer than the entire US constitution - also stipulates that those "competent authorities", which will be led by the security services, may demand information from public and private organisations in order to assess the security of their networks and information systems, and may conduct security audits.
Those authorities will also be empowered to issue "binding instructions" to operators, says Anderson. "As Parliament has just criticised the Home Office's attempt to take powers to order firms like Google and Facebook to disclose user data by means of the Communications Data Bill, I hope everyone will think long and hard about the implications of passing this Directive as it stands," he says.
Anderson also criticised the EU for omitting critical opinions that had been submitted to the Impact Assessment Board about the proposed Europe-wide legislation, which would be binding on all member states if it were passed in its current form.