The latest round-up of legal and regulatory developments and news relating to cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.
- On 6 February 2015, the Investigatory Powers Tribunal (IPT) found that the UK government had breached Articles 8 and 10 of the European Convention on Human Rights (ECHR) when soliciting, receiving, storing and transmitting the private communications of individuals located in the UK that had been provided by the US’s Prism and Upstream intelligence programmes. The Tribunal rebuked the government for not making its arrangements public, and the government was ordered to signpost such information to the public sufficiently. Read the full judgment here.
- The Home Office began a consultation on 6 February 2015 on updating the interception code of practice and introducing a new equipment interference code of practice under the Regulation of Investigatory Powers Act 2000. The codes will regulate when law enforcement agencies can legally hack and bug devices including computers, servers, routers, laptops, and mobile phones to either obtain information or conduct surveillance. The consultation will close on 20 March 2015.
- Internet of Things: The European Network and Information Security Agency (ENISA) has published the “Threat Landscape and Good Practice Guide for Smart Home and Converged Media” report. As smart technologies become increasingly prevalent in our homes, recording and transmitting more and more personal data, the study aims to address the security risks inherent in the collection of that data and the connection of our homes to the cyber world. Read the full report here.
- ENISA has also published a report on its own cybersecurity campaign, “European Cyber Security Month” (ECSM), which took place in October. ECSM’s popularity, reaching 40 million online users, reflects the increased importance of, and engagement with, the topic.
- ENISA has also announced Crete as the location for the next Conference on Cyber Security & Privacy Challenges for Law Enforcement. The conference will be held on 18-19 May 2015 and will bring together experts to discuss emerging cyber technologies, cross-border cooperation and future policy initiatives.
- On 10 February, the White House announced the creation of a new agency to coordinate the country’s cybersecurity efforts. The agency, The Cyber Threat Intelligence Integration Centre (CTIIC), will be responsible for joining up the cybersecurity efforts of the National Security Agency, the Department of Homeland Security, the FBI and the CIA. White House security advisor, Lisa Monaco, said that the agency will become the hub for public-private information sharing about cybersecurity threats, noting “we want this flow of information to go both ways.” However, opponents have already questioned whether this is another unnecessary level of bureaucracy in the fight against cyber threats, and one that increases worries that the US government is spying on the private sector and its customers.
- On 12 February, President Obama announced that he would sign an Executive Order that day promoting the sharing of cybersecurity information between private companies and the government. The Order calls for the creation of, and participation in, ISAOs (information sharing and analysis organisations). More specifically, “In encouraging the creation of ISAOs, the Executive Order expands information sharing by encouraging the formation of communities that share information across a region or in response to a specific emerging cyber threat. An ISAO could be a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners.” The Order also directs ISAOs to begin developing common sets of voluntary standards for information sharing, makes clear the Department of Homeland Security’s ability to enter into agreements with ISAOs, provides companies with the ability to access classified threat information held by the government when facing an appropriate risk, and also attempts to protect private sector civil liberties. Read more here and here.
- In line with the above Executive Order, President Obama hosted a cybersecurity summit on 13 February at Stanford University featuring Apple’s Tim Cook and senior executives from Microsoft, Facebook and Google. President Obama reiterated his point that “this is a challenge that we can only meet together” (referring to the public and private sectors). The choice of Stanford as the venue symbolised the enhanced collaboration between Washington D.C. and the Palo Alto tech centre. However, reports suggest that high-profile figures such as Mark Zuckerberg, Marissa Mayer and Larry Page all declined invitations and sent their CIOs instead.
Attacks, statistics and other news
- Russian cybersecurity company Kaspersky has publicly stated that it believes a hacker group called Carbanak has stolen up to $1 billion from financial institutions around the world in the last two years. The conclusion is the result of Kaspersky’s collaboration with Interpol and Europol, in which it was found that the group used carefully crafted emails to trick particular employees into opening invasive software (a technique called “spear phishing”). Once the software had been opened, the hackers supposedly gained access to video surveillance and began mimicking the activity of bank tellers when transferring money between accounts, and then ordered cash machines to dispense money at predetermined times. Read more here and here.
- Following last week’s story that Anthem, the US’s second largest health insurer, was the subject of a data breach in which its databases containing nearly 80 million records were compromised, security experts are now warning that healthcare and insurance companies could become the next big targets of cyber crime. As healthcare and insurance companies tend to hold masses of personal (and often very private) data about large numbers of individuals, the tech press is picking up on expert predictions that hackers are moving away from financial organisations towards the less secure health sector. In the UK, the ICO has made similar predictions about the NHS. Furthermore, Connecticut Attorney General George Jepsen sent an open letter to Anthem admonishing its failure to provide the individuals affected by the data breach with adequate details of what renewed efforts Anthem will make and how customers can sign up.
- And finally… Japan recently hosted a hacking competition, called the Security Contest or SECCON, in which over 4,000 young hackers competed to hack into six virtual servers to discover keywords. Participants came from China, Japan, Poland, Russia, South Korea, Taiwan and the US. Organisers stressed the importance of bringing people with these skill sets into the mainstream so that they are not pulled into the “underground world” of hackers.