Weekly cyber update for the week commencing 2 February 2015

Tom Pritchard

Another weekly round-up of legal and regulatory developments and news in the field of cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.

UK developments

  • Andrew Gracie, the Bank of England’s Executive Director for Resolution, has called upon companies to put their competitive objectives to one side and work together in order to combat cybersecurity.  Gracie was speaking at the Cyber Defence and Network Security conference in London on 23 January 2015.  Read the speech in full here.
  • London is launching a cybersecurity technology business incubator in April 2015.  The incubator, named CyberLondon (or CyLon), will grant £5,000 each to ten teams who will then house themselves within the incubator for 13 weeks.  The incubator is founded by Alex van Someren of Amadeus Capital Partners, however, the incubator is not-for-profit and will not take equity stakes in any of the businesses.
  • The tech press is reporting that as part of the Cybersecurity Challenge UK, the defence firm QinetiQ has simulated cyber attacks in order to test 20 of the UK’s top amateur code breakers.  The amateurs were asked to intercept and prevent a real-time attack on a fictitious international publishing house.
  • Ofcom has published a document entitled “Promoting investment and innovation in the Internet of Things. Summary of responses and next steps” which summarises responses to a call for evidence. Priority areas include data privacy and network security and resilience. The focus is on ensuring that data is stored and processed securely. See paragraph 1.30 for proposed next steps, including amending guidance to relate specifically to the Internet of Things. Section 4 of the document goes into more detail.
  • Further to our update last week, controversial proposals by a group of Lords to introduce the 2012 Communications Data Bill by means of amendments to the Counter Terrorism and Security Bill were withdrawn.  See BBC coverage here.  The BBC report suggests that a further attempt to reintroduce the provisions could be made, unless the Home Office agrees to publish its latest draft of the Comms Data Bill – so Datonomy readers should watch this space.  For updates on the latest stages of the CTS Bill see this page of the  Parliament website and for a very useful potted history of the Communications Data Bill see this 15 page Parliamentary briefing paper published on 30 January 2015.

 

EU developments

  • Progress on GDPR: As Datonomy readers will be well aware, 28 January was Data Protection Day, and the three year anniversary of the official  publication of the Commission’s draft of the General Data Protection Regulation.  The EU Commissioners responsible for data protection (the Justice Commissioner Věra Jourová and Vice-President Andrus Ansip) marked the occasion with this detailed blog post taking stock of the procedural state of play on the Regulation. In line with recent statements from the Commission and Council Presidency, the post states: “The European Commission is pushing for a complete agreement between Council and European Parliament on the data protection reform before the end of this year.” This is the latest in a series of Commission-imposed deadlines; with a number of issues still to be agreed both within the Council, and then between the three institutions, it remains to be seen whether this will be achieved – we will continue to monitor progress.
  • Progress on the draft  NISD: After a quiet patch on the draft Network and Information Security Directive (NISD), this document leaked to the Statewatch website sheds some more light on the state of play on trilogue negotiations between the three EU institutions.  In short, there remain significant differences between the Council and the European Parliament over – among other things – which critical infrastructure providers should be made subject to the new obligations to report cyber attacks.  The Council is due to have further meetings to agree its own negotiating stance on 3 and 10 February, with a view to having further trilogue meetings towards the end of February.  For Datonomy readers with the appetite for more detail, the leaked Council paper, which is 145 pages long, contains a detailed 4 column table showing the current stances of the Commission, EP and Council respectively, and possible areas for compromise, on the entire draft Directive.
  • Trade press are reporting that business leaders and IT decision makers are generally ill-prepared for the changes that will be brought about by the NISD and GDPR, according to research conducted by IDG Connect on behalf of Fire Eye.  Confusion remains as to whether preparations can be put in place while the legislative wording is yet to be finalised. Read further coverage here and here as well as the full report here.
  • The European Network and Information Security Agency (ENISA) has published its “Cloud Certification Schemes Metaframework” (CCSM).  The CCSM is an online tool for businesses to ensure security when purchasing cloud storage services.  By requiring 27 security objectives to be met in order to become a certified cloud scheme provider, Udo Helmbrecht, the Executive Director of ENISA, hopes that procurement of cloud services can be greatly simplified.
  • ENISA has also published its third annual “Threat Landscape” document.  The report analyses the top cyber threats currently facing the world.  Among the major changes noted in 2014: increased complexity of attacks, successful attacks on vital security functions of the internet, and successful international coordination of operations involving law enforcement and security vendors.

US developments

  • The American Chamber of Commerce in China (and 17 other US business lobbies) has asked the Chinese government to delay the implementation of new regulations requiring technology vendors to Chinese banks to undergo security testing.  Vendors are facing increased pressure to use Chinese encryption algorithms should they wish to continue working with China’s state-run financial institutions, however, opponents argue this may lead to the disclosure of sensitive intellectual property.  Read more here.
  • The CEO of Marble Security, David Jevans writing for Forbes, has opined that cybersecurity threats will not only be addressed by government agencies and corporate America, but that not-for-profit businesses have a large and important role to play. Not-for-profit organisations such as the ShadowServer Foundation, Anti-Phishing Working Group (for whom Jevans is the chairman), Team Cymru and the Internet Systems Consortium, operate systems that detect attacks all over the internet and provide data services that are shared with banks, companies, and government agencies to help protect them against cyber attacks.

Attacks, statistics and other news

  • The Wall Street Journal is reporting that the increased threat of cyber attacks is driving the development of a new insurance market.  Demand for insurance policies that cover the fallout from hacking is rising, and while the policies have been available in the US for some time, the WSJ’s tech blog is now reporting that the European market is gathering momentum.
  • Singapore is set to bolster its public sector cybersecurity measures by appointing a minister and launching a government agency to specifically deal with the threat.  The National Cybersecurity Agency will commence operations on 1 April 2015.  Read more here.
  • Malaysia Airlines was hacked last week by the hacking group, Lizard Squad.  The airline’s website went down for almost a full day as Lizard Squad left the message, “404 – Plane Not Found” (a reference MH370, the missing plane).  Worryingly, the message also said that the site had been hacked by the “Cyber Caliphate” raising suspicions that Lizard Squad, who previously only attacked gaming sites, may now be allied with the Islamic State.
  • The global hotel chain, Marriott, was warned about the vulnerability of its customers’ data by software developer Randy Westergren when he found problems with the company’s Android app.   Westerngren discovered a security issue that made available customers’ full names, postal and email addresses and credit card information.  Westerngren and Marriott security have now moved swiftly to address the issue.

 

This week’s  Cyber update is brought to you by Datonomy bloggers: Katharine Alexander (Trainee Solicitor), Tom Pritchard (Paralegal) and Claire Walker (Head of Commercial Know-How).

Leave a Reply

Your email address will not be published. Required fields are marked *