A study by Queen Mary University of London’s Cloud Legal Project has concluded that the cybersecurity strategies for air transport set by the NIS Directive of the European Union may be ineffective against cyber risks and do not go far enough. The 2018 NIS Regulations, which implemented the NIS Directive in the U.K., are meant to ensure that operators of essential services are protected against disruptions caused by cyber risks.
The researchers found that, to comply with the regulations, operators must identify, assess, and then address the cyber risks they face, a process that often entails subjective judgement and trade-offs. They stressed that the requirements of the Directive are too vague and open to interpretation. The flipside is that several airports and airlines may put in place only the security measures they deem commercially beneficial. They also pointed out that service providers may even abuse the Directive through a malpractice known as paper compliance: producing a large body of security documentation to show regulators without making actual changes to their cybersecurity infrastructure.
Another downside is that, because the NIS requirements are so vague, it is difficult for regulatory bodies to check and scrutinize effectively whether the security requirements are being met. Dave Michels, Researcher at Queen Mary’s Centre for Commercial Law Studies and co-author of the paper, said, “Regulators will need to carefully monitor airports and airlines and challenge their approaches as necessary. This will require them to hire cybersecurity experts to do this effectively.”
Ian Walden, Professor of Information and Communications Law and co-author of the study, added, “Brexit may further complicate matters due to the UK’s departure from the European Agency for Cybersecurity, which plays an important role by providing guidelines for compliance and sharing best practices.”