With cyber attacks now routinely in the headlines, with the global cost of cybercrime estimated at $400 billion for this year and with governments responding with a host of counter-measures, the Datonomy team is launching a weekly round-up to help you stay up to date with the latest legal, regulatory and news developments from around the world. Given the inextricable link between data privacy and cybersecurity, we hope that Datonomy’s growing readership will find this update useful. We look forward to hearing your comments, and welcome news and updates from Datonomy readers around the globe.
- Cyber security was again front page news last week with the announcement by the UK and US that they will stage cyber attack war games, initially in the financial services sector, and improve the exchange of cyber intelligence between the two powers – read the BBC’s coverage here. In related news, twelve UK cyber defence firms, including Darktrace, Cambridge Intelligence and Digital Shadows, have joined David Cameron on his trip to the US to discuss cybersecurity with the Obama administration. The effort hopes to reinforce the international perception of the UK as a leading player in terms of the skills, knowledge and intellectual property in cyber defence.
- The UK government has published updated cybersecurity guidance (originally published in 2012) for businesses. In an interdepartmental report between CESG, the Cabinet Office, the Centre for the Protection of National Infrastructure and DBIS, a 10-step approach to bolstering information risk management regimes was presented as the most cost-effective way to protect businesses against cyber threats. Although the 10 steps remain the same, the updated guidance includes a new paper entitled “Common Cyber Attacks: Reducing The Impact”.
- Progress on the draft EU Network and Information Security Directive: This update will be keeping a keen eye on the progress of the EU’s proposed Network and Information Security Directive, also known as the Cyber Security Directive. As Datonomy readers will be aware, it is almost two years since the European Commission published its proposals, which include the mandatory reporting of cyber attacks by providers of key infrastructure – see our original summary here and our status update as at the end of October 2014 here. A revised draft (with significantly narrowed scope) was passed by the European Parliament in March 2014, and trilogue negotiations between the Commission, Parliament and Council to finalise the Directive began in October and were predicted (by the Council) to conclude in early December. However, there have been no official progress reports since November. The scope of the “market operator” definition – and in particular whether e-commerce and social networks should be caught (as per the Commission’s original proposal) or not (as per the Parliament’s text) – is one key area of debate. It remains to be seen when the Directive will be adopted; the incoming Latvian Presidency of the Council has included it as one of its policy priorities for the six months ahead. Once adopted, Member States are likely to be given an 18-month transposition deadline, although some Member States, such as France and Germany, are already pre-empting it with new cyber legislation. Watch this space for future updates.
- The European Network and Information Security Agency (ENISA) has published a report aimed at internet infrastructure owners and operators highlighting the threat landscape and best practice with regard to cybersecurity. The report details specific threats that can disrupt connectivity, including routing threats, DNS threats and denial of service threats.
- ENISA has also published its findings in relation to the draft Network and Information Security Directive (NISD) specific to the EU’s finance sector. Despite varying approaches in the 28 member states, the study largely demonstrates a good understanding of the risk landscape and appropriate response strategies within the sector.
- To cap off a busy week, ENISA has published another new report, “Privacy and Data Protection by Design – from policy to engineering”, detailing leading privacy design strategies. The report lays out a plan to marry the EU’s existing legal framework with expected technological implementation measures in the field. Targeted towards data protection authorities, policy makers, regulators, engineers and researchers, the report suggests producing further incentives for adopting privacy by design measures and new standards for electronic communication.
- A recent survey of French, German and British companies found that only 39% of organisations have met the new requirements introduced by the NISD and even fewer (20%) in the case of the General Data Protection Regulation (GDPR). The survey details the strain placed on in-house IT departments to pay for and implement the necessary additional hardware, software and security policies.
- Following recent reports of the resurfacing of a Cybersecurity Bill in Washington, President Obama is pushing forward in attempting to implement the findings of his Cyberspace Policy review with a host of new legislative proposals focused on the following issues: enabling cybersecurity information sharing between the private sector and the government, modernising law enforcement authorities to combat cyber crime and harmonising national data breach reporting protocols. Within the legislative proposal is a specific bill, the Student Digital Privacy Act, preventing companies from selling student data to third parties, and another, the Personal Data Notification & Protection Act, mandating that companies alert consumers within 30 days of discovering a security breach involving customer information. President Obama does however face an uphill challenge to get the legislation approved with a Republican-led Congress, which he has already threatened with three vetoes within the first week of sitting. Read more here and here.
- Vice President Joe Biden has announced a bump of $25 million in funding to be applied to cybersecurity education efforts throughout the US. The investment, which will mainly be provided to 13 historically black colleges and universities, aims to address the recent understanding that the demand for cybersecurity workers is growing 12 times faster than the US job market.
Attacks, statistics and other news
- In the biggest cyber news story of the past seven days, the Obama administration was given a stark reminder of the threat posed by hackers after the US military’s Central Command Twitter account was allegedly hacked by ISIS this week. The terrorist group posted the message, “American soldiers, we are coming, watch your back. ISIS” on the account and provided a link to a statement that claimed the terror cell was already inside all the military’s computers.
- Cybercrime has even made it onto the agenda for this week’s annual World Economic Forum in Davos, Switzerland. The more than 40 heads of state in attendance want to advance the discussion of cybersecurity following an estimate that cyber crime will cost the world around $400 billion this year. See the 2015 Edition of the WEF’s Global Risks Report available here.
- The Australian government is concerned about the rising threat of cyber espionage after reports that Chinese spies have stolen the designs of its new F-35 Joint Strike Fighter jet.
- The threat of cyber attacks from criminal gangs in Russia and China is not abating, according to a top-secret US cybersecurity report. The report points to the failure of public and private entities to implement sophisticated encryption technologies fast enough.
- Venture capital funding in new cybersecurity companies increased by more than a third in 2014, according to research company Privco, as reported by the FT. Over $2.3 billion was invested last year as high-profile hacks fuelled early stage investment in online security companies.
- Games developer Money Horse has been forced to abandon the development of its game “Glorious Leader!”. The game allowed players to assume the role of the North Korean leader as he bids to take on the US Army. Hackers recently penetrated the game’s data files and shut down production completely.
More cyber news from the Datonomy team next week.