In his recent blog post Jan Jaap Oerlemans of Leiden University’s Law School responded in depth to the recent cyber security analyses of the Dutch National Cyber Security Centre and the accompanying letter of minister I. Opstelten of Security and Justice. Having read his blog post, I want to make two main points in reaction, addressed to all governments, not just the Dutch. (My apologies, as all links are to texts in Dutch.)
The more regulators the merrier?
As more sectors are obliged by law to report security breaches in the near future, more regulators seem to come into play. From my point of view this seems just a call for havoc and disorder if the true crisis that so many discuss and prepare for should ever come around.
Why not give this topic to one regulator? One that has experience with the topic and already has people that are trained to do the job? This allows for:
- less cost, more efficiency;
- a better overview;
- one centre of knowledge and true expertise;
- one priority setting;
- one regulator to coordinate with.
There most likely are more points to consider, but you get my drift. How many entities do you want to coordinate with, and get to do what you want them to do, in a time of crisis? In my opinion as few as possible. So why not look at which entity is the best equipped (or can be best equipped) to take on the task of regulating cyber security breaches and related topics?
My second comment concerns coordination and the (lack of) powers to coordinate. If you need to coordinate, the entity having that task needs the powers to do so. A common complaint around the EU is that no one involved in the cyber realm has experience with coordination, i.e. telling other (enforcement) entities what to do and when in a time of crisis, for the simple reason that no one has the powers to do so. This is a topic that needs serious attention and deliberation from a government, no matter how politically and practically sensitive it is. In a time of crisis or a major online threat case it is important to truly depend on one another.
A government may want to rethink how many regulatory agencies it wants to involve in the same topic. Efficiency may be worth more than political correctness towards an x number of regulators where one would do nicely. And while at it, those involved can seriously contemplate what powers and/or tools a coordinator needs to be able to truly coordinate in a time of crisis or when involved in a major case that requires several very different entities to investigate and enforce.
Without the proper answers to these challenges, solutions are all suboptimal where cyber crime, online threats and cyber security are concerned, while the challenges are huge already.
Wout de Natris, De Natris Consult
Leiderdorp, 17 July 2012