© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
March 27, 2013 6:00 pm
Britain has raised concern over European Commission plans to force companies to declare publicly whenever there has been a breach in their cyber security systems, fearing it may undermine the UK’s commitment to voluntary collaboration.
Unveiling a new push to boost collaboration against cyber attacks between the security services and business, Francis Maude, minister for the Cabinet Office, said Britain’s policy of urging companies to inform each other voluntarily when they face a cyber attack was better than compulsion.
“Our concern would be that, as collaboration develops, the EU must build on best practice and on what is being done successfully, rather than trying to reinvent the wheel,” he said.
“You would want any system of information sharing after a cyber attack to operate in a way that stimulates greater exchange of information and not get in the way of that process.”
The government fears a statutory requirement on companies to declare when their systems have been attacked may encourage some to turn a blind eye to breaches of their IT systems.
“The risk is that many companies feel that when a cyber attack takes place their reputation is at risk and it could impact on share price . . . so they avoid saying anything publicly about it,” said a Whitehall official. “A system based on trust about the handling of information between companies is far better than one based on legislation.”
Compulsory information sharing among businesses is part of a proposed EU cyber security directive being pushed by Neelie Kroes, the top EU digital affairs official.
Mr Maude insisted there was no antagonism with Brussels over the issue and said he has had useful conversations with Ms Kroes. “She is interested in what we are doing,” he added.
The comments came as Mr Maude launched the Cyber Security Information Partnership, which will see officers from MI5, the security service, and GCHQ, the intelligence listening post in Cheltenham, work with business to combat cyber threats.
At the Chatham House launch, several speakers emphasised the need to increase trust among businesses so they are prepared to share intelligence.
Richard Horne, managing director of cyber security risk at Barclays, said strong exchange of information among British banks had led to a considerable reduction in financial sector losses caused by cyber fraud in recent years.
Mr Horne said that online banking losses because of fraud in Britain had almost halved from £59.7m in 2009 to £35.4m in 2011. “The threat is going up but we have brought the impact under control, thanks to greater collaboration among British banks, informing each other about what is going on at any one time,” he said.
Meanwhile Howard Schmidt, former White House cyber security co-ordinator, told business leaders there were instances in the US where authorities had been too slow to inform companies when a significant cyber security breach had taken place.
Mr Schmidt recalled how, in 2011, the White House was alerted to a big cyber security breach at a US bank which required a big response from US authorities. However, he said 102 days passed before any other US company was informed of the incident, a situation which he said was regrettable.
“The default time-scale for informing other companies of any big breach of cyber security ought to be 24 hours,” he said.