As Datonomy readers may know, October is Cybersecurity Month, a good time to read the second edition of Olswang's Cyber Alert. There is no doubt that cyber security is rising up the international as well as the business agenda. NATO recently adopted an amendment to its charter to put cyber attacks on the same footing as armed attacks – see paragraph 72 of NATO’s Declaration. In this edition:
A small selection of the cyber threats and statistics that have made recent headlines.
  • Sources including censorship watchdog GreatFire have alleged that the Chinese authorities are staging a “man-in-the-middle” attack on Apple’s iCloud, just days after the iPhone went on sale in China. The attack is designed to intercept users’ iCloud account usernames and passwords, using a fake login site that looks exactly like the Apple iCloud login site. Read more from The WHIR and ITProPortal.
  • A new bug, which could be affecting hundreds of millions of computers, servers and devices using Linux and Apple’s Mac operating system, has been discovered. System administrators have been urged to apply patches to combat the bug, which has been dubbed “Shellshock”. Read more from the BBC.
  • US companies Home Depot, Supervalu and JPMorgan Chase & Co have all been hit by high profile cyber attacks.
  • Mark …
As reported in our first edition, there are two proposals making their way through the Brussels legislature which will change the legal landscape for the reporting of cyber attacks. These are the draft Network and Information Security Directive, which will impose reporting obligations on providers of critical infrastructure, and the draft General Data Protection Regulation, which will impose data breach reporting requirements on all data controllers. The summer has seen much institutional change in the EU, first with the European Parliament elections in May, then the start of Italy’s Council Presidency in July, and now the reorganisation of the European Commission and the appointment of a new Commission President and Commissioners with effect from 1 November. The summer has seen little procedural progress, although trilogue negotiations on the NISD have now begun, and on the GDPR the Council (representing the Member States) has, according to this Council press release, …
With the text of the draft Network and Information Security Directive (“NISD”) still being negotiated between EU institutions, and the national transposition deadline for the Directive likely to be 18 – 24 months from the date of EU adoption, some Member States are pre-empting the new regime with national legislation of their own. France has already implemented the principles enshrined in the draft Directive via its Military Programming Act, which was published at the end of 2013.
Overview
France has already implemented many of the principles enshrined in the draft NISD into national law. The French Government published its strategy on information systems and defence in February 2011. This included reviewing and, where necessary, strengthening cyber laws. As a result, the government passed Article 22 of Act n°2013-1168 dated 18 December 2013 (the “Military Programming Act”), which sets out several obligations applicable to vitally important operators (“VIOs”) which are …
The ICO has published a review of the impact of its civil monetary penalties (CMPs), the vast majority of which have related to security breaches. The review canvassed the views of representatives from 14 organisations who had received a CMP and 85 peer organisations who had not. The findings suggest that, overall, CMPs are effective at improving data protection compliance. However, some respondents felt that there was a lack of transparency about how CMPs have been calculated, and some showed a lack of understanding of just what poor practices trigger the CMP threshold.
UK: Cyber security certification scheme launched
Following the consultations on the requirements for a preferred standard for cyber security, which concluded in November 2013 (background information here), the Government has launched a new cyber security certification scheme. The scheme focuses on five main controls for basic cyber hygiene:
  • boundary firewalls and internet gateways;
  • secure configuration;
  • access control;
  • malware protection; and
  • patch management.
Businesses can apply for a “Cyber Essentials” certificate (based on independently verified self-assessment) or a “Cyber Essentials Plus” certificate (offering a higher level of assurance through external testing). The scheme is designed to be affordable and offers a snapshot of the organisation’s cyber security effectiveness on the day of assessment. Guidance on meeting the Cyber Essentials requirements can be downloaded from the government-approved cyberstreetwise website here, and a summary of the scheme can be found here. Vodafone has become the first telecoms company to gain the UK ‘Cyber Essentials Plus’ …
These new guidelines were published in June by the Cloud Select Industry Group. Forming part of the European Commission’s wider Cloud Computing strategy, which was unveiled in 2012, the guidelines have been described as a first step towards standardised building blocks for terminology and metrics in cloud SLAs. They aim to improve the drafting clarity and customer understanding of cloud SLAs. European Commission Vice-President Viviane Reding said: "[the] new guidelines will help generate trust in innovative computing solutions and help EU citizens save money. More trust means more revenue for companies in Europe's digital single market." The 62-page guidelines – created by a drafting team which included participants from IBM, Amazon, Microsoft and T-Systems – deal with service levels relating to availability, reliability, security, support services and data management, and take into account the guidance of the Article 29 Working Party.