The EU last week published a draft directive on network security that requires communications operators (including utilities, banks, etc.) to report threats or attacks on their operations to national security agencies. In the US, President Obama is about to issue an Executive Order on critical infrastructure security that will provide for notices of imminent threats to operators of such operations. (Drafts of the Order have been circulating for months.)
Any word on official Canadian attention to such matters?
Do you know of any legal barriers that would prevent especially state-based operators of information systems (whether ‘critical’ or not) from defending their systems? Do any privacy laws, or communications interception rules, or unauthorized access prohibitions, stand in the way of comprehensive or even aggressive defence measures? Is there a difference between the rights or duties of public sector organizations and private-sector organizations in this regard?
Is some law reform needed to facilitate effective defences?
I ask for a purpose: I am on a panel at the RSA Conference on information security later this month, the topic for which is exactly that: legal barriers to defending information systems.
Here’s the description:
As governments seek to protect their networks against cyber attacks, they are frequently constrained by laws designed to protect privacy, citizens’ rights to access information and employee rights. This panel will discuss where the law is unclear or unhelpful for agencies responding to cyber security threats such as monitoring, blocking network traffic and incident investigations.
For Canadian purposes, I can’t think of any such legal barriers. What am I overlooking?