The European Union's case of doublethink: New cybersecurity rules and backdoor dreams

The EU wants critical service providers to ramp up their security -- while in the same breath members are fighting encryption and considering mandatory backdoors in software.
Written by Charlie Osborne, Contributing Writer

EU lawmakers have agreed to enforce a set of cybersecurity rules across the bloc which demand that critical service providers can no longer brush data breaches under the carpet -- but contrary beliefs when it comes to backdoors and weakened cryptography threaten to completely negate all efforts.

Businesses operating in the European bloc that deliver essential services, such as transport control or electricity grid management, will soon be expected to invest in security solutions which will make corporate networks robust enough to withstand cyberattacks -- if that is ever possible, of course -- due to a fresh set of regulations laid down by members of the European Union.

Online marketplaces and large e-commerce retailers such as eBay and Amazon, search engines and cloud service providers will also have to adhere to the EU's new rules, which require that infrastructure is "secure."

As a press release issued by the EU explains, the new framework was proposed and terms agreed by the Members of the European Parliament (MEPs) and Luxembourg Presidency of the EU Council of Ministers on Monday.

Parliament's rapporteur Andreas Schwab said:

"Member states will have to cooperate more on cybersecurity -- which is even more important in light of the current security situation in Europe.

Moreover this directive marks the beginning of platform regulation. Whilst the Commission's consultation on online platforms is still on-going, the new rules already foresee concrete definitions -- a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services."

The energy, transport, banking, financial market, health and water supply sectors, in particular, will be affected by these new rules. They must be "robust enough" to resist cyberattacks, as well as be "ready to report serious security breaches to public authorities."

ISPs, e-commerce sites, search engines and cloud service providers are now bound by the same regulations, but small companies are exempt.

Computer Security Incidents Response Teams (CSIRTs) are set to be established to handle data breaches and attacks, especially when incidents cross borders.

Once approved by Parliament's Internal Market Committee and the Council Committee of Permanent Representatives, the rules will come into effect.

Scwab called the ruling a "milestone," and in one way, it may be such. There is little regulation or enforcement in the EU when it comes to investing in security, beyond the Data Protection Act which requires consumer data to be adequately protected, but as high-profile cyberattacks continue to rise, the EU must be seen to respond in some manner.

However, taking a tip from Orwell's 1984 term "doublethink," -- in which contrary beliefs are accepted at the same time -- some of us may wonder how this can actually be used to protect essential services when in the same breath European Union member states wish to weaken cryptographic protocols, restrict the use of encryption and even force companies to install backdoors in their software.

The UK government, for example, proposed a new surveillance bill which would force companies to bypass encryption for the benefit of police and intelligence agencies. However, such weakened encryption is akin to handing the keys to the kingdom over to those who want to infiltrate a network, potentially leading to damaged systems and data theft.

Meanwhile, in the wake of the terrorist attacks on Paris, the French government is mulling over banning the use of the privacy-based Tor network, as well as the mandatory closure of free and public Wi-Fi networks if the country is in a state of emergency.

Technology firms in the US are already fighting against proposed communication software backdoor enforcement for intelligence purposes, and UK Prime Minister David Cameron has floated similar ideas, potentially leading to the outright ban of encrypted apps such as Apple iMessage and Snapchat.

You can't have it both ways. You may want businesses to better protect themselves from cyberattacks, but then also trying to force them to deliberately place backdoor vulnerabilities in software for the amusement of law enforcement agencies defeats the whole purpose.

A backdoor is a backdoor, and the way forward is not to reduce or destroy the technology we already have. If EU member states expect companies to maintain "secure" networks -- although today, data breaches are a matter of when, not if -- they can't also force regulations down the throats of businesses providing security and encryption solutions with the aim of weakening the system as a whole for their own convinience.

2015 Holiday guide: Top tech gadgets to give this season

Read on: Top picks

Editorial standards