* Firms should reveal serious breaches - EU report
* Britain against mandatory reporting
By Ethan Bilby
BRUSSELS, Dec 17 - The European Union may force
companies operating critical infrastructure in areas such as
banking, energy and stock exchanges to report major online
attacks and reveal security breaches, a draft EU report seen by
Reuters on Monday said.
The European Union's executive Commission is due to present
a proposal on cybersecurity in February once it has received
feedback from the European Parliament and EU countries.
EU moves to protect critical infrastructure echo similar
concerns worldwide amid an increasing number of cyber attacks
globally that can disrupt important areas of the economy, from
online banking to stock exchanges.
"Minimum security requirements should also apply to public
administrations and operators of critical information
infrastructure to promote a culture of risk management and
ensure that the most serious incidents are reported," the report
said.
Unlike the United States, where companies are required to
report online attacks, which supporters say forces companies
into keeping cyber defences tight, the EU has a piecemeal
approach.
Some countries, like Britain, oppose mandatory reporting,
which Britain believes would encourage companies to cover up
online breaches because they do not want to alarm their customers.
An EU official said the aim of the report was to get
companies to be more open about cyber attacks and help them fend
off such disruption.
"We want to change the culture around cyber security from
one where people are sometimes afraid or ashamed to admit a
problem, to one where authorities and network owners are better
able to work together to maximise security," the official said.
European companies in critical areas of the economy "lack
effective incentives to provide reliable data on the existence
or impact" of network security incidents, the report said.
Companies fear that revealing their vulnerability could cost
them customers, but authorities are eager for increased
transparency to try and shut down methods hackers use to exploit
networks before they can do widespread damage.
"Cyber security incidents are increasing at an alarming pace
and could disrupt the supply of essential services we take for
granted such as water, sanitation, electricity, or mobile
networks," the report said.
The EU proposal would require companies in critical
infrastructure areas to conduct risk assessments and work with
national authorities to ensure a minimum standard across the
27-country bloc.
Inconsistent measures on cyber security also carry an
economic cost. In 2012, 38 percent of the EU's Internet users
said they were concerned about making payments online, an EU
poll showed.