The latest round-up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
- The Serious Crime Bill received Royal Assent on 3 March 2015, among other things introducing amendments to the Computer Misuse Act 1990 to tackle cyber crime. The change results from the government’s 2011 cybersecurity strategy and also reflects changes required by EU law. The amendments create a new offence of committing unauthorised acts in relation to a computer which cause, or create a risk of, serious damage of a material kind. Damage of a material kind means damage to human welfare or the environment in any place, or to the economy or national security of any country. Acts cause damage to human welfare only if they cause loss of human life; human illness or injury; disruption of a supply of money, food, water, energy or fuel; disruption of a system of communication; disruption of facilities for transport; or disruption of services relating to health. The offence is punishable by up to 14 years’ imprisonment (or, in some cases, life imprisonment) and/or an uncapped fine. Read more on Olswang’s Datonomy blog here.
- Fifty-six suspected hackers were arrested as part of the UK National Cyber Crime Unit’s (NCCU) “strike week” initiative. The NCCU is a division of the National Crime Agency (NCA) tasked with targeting cyber criminals suspected of data theft, fraud and/or virus writing. As part of “strike week” the NCA also organised visits to over 70 companies to provide education on cybersecurity.
- The Financial Times (subscription only) has reported that Bronzeye, a cybersecurity company, notified the FCA of 22 vulnerabilities in the security of an (unnamed) UK bank’s online banking facility.
- Abertay University in Dundee is hosting Scotland’s largest cybersecurity conference, organised by students on the university’s ethical hacking course and supported by GCHQ. Read the BBC report here.
- GCHQ has opened applications for its summer cybersecurity school, which starts on 6 July 2015. More information is available from Computer Weekly here.
- Computer Weekly has reported that the UK will be one of the first European countries to pilot a security industry-supported scheme providing cybersecurity services to small and medium enterprises (SMEs), named the coordinated cyber security taskforce and response scheme.
- Network and Information Security Directive: Trilogue negotiations on the draft Directive are due to resume this week. The Business Software Alliance (BSA), an industry lobby body, has taken the opportunity to publish this very useful “EU cyber security dashboard”, which compares the “patchwork” of cybersecurity regimes across the 28 Member States. The research looks at 25 criteria across five themes (including legal foundations and operational entities). Unsurprisingly, the BSA takes the stance that the notification obligations under the NISD should be restricted to critical infrastructure providers, which is one of the main sticking points in the negotiations. Read coverage of the BSA’s report on the EurActiv blog here and on Info Security Magazine here.
- General Data Protection Regulation: Last week the European digital civil liberties group EDRi leaked a 305-page document comparing the text of the GDPR as approved by Parliament with the consolidated text of the Commission and the Council (i.e. the Member States); it can be found on EDRi’s website here. EDRi’s analysis of the latest Council positions (presented with eye-catching “Breaking Bad” style graphics) is that, from a civil liberties point of view, the draft Regulation is “Broken Badly” and risks becoming an “empty shell devoid of meaning”. On the other hand, businesses may view some of the Council’s risk-based, business-friendly changes in a more positive light. From the perspective of data security and data breach notification, the leaked document contains nothing new; it simply confirms the Council’s partial general approach on the security provisions adopted in October 2014. In short, all three EU institutions agree on the principle of universal breach notification, but there are differences of detail and degree, with the Parliament taking the most prescriptive approach and the Council taking a more risk-based approach to the new obligations. For a more detailed analysis of where the three institutions stand on the security and breach provisions, see the security section of Olswang’s recent guide “EU data protection reform: where are we, and what can you do to prepare?”.
- The European Network and Information Security Agency (ENISA) has rebuilt its Network Forensics training material, including content on better protection of digital services and on identifying traces of Shellshock.
US and China developments
- A report by the Government Accountability Office (GAO) in January 2015 (reported by CNN on 2 March) has found that the Federal Aviation Administration needs to improve the cybersecurity measures in its air traffic control systems. The GAO gives 17 recommendations in its report to ensure that those cybersecurity standards are in line with the current law.
- Industry website Bank Info Security is reporting that the Senate Select Committee on Intelligence is set to review a new draft of the Cybersecurity Information Sharing Act (CISA) 2015. Chairman Richard Burr and Vice Chairwoman Dianne Feinstein are apparently circulating an amended version of the controversial bill that attempts to appease private sector concerns by providing broader liability protection for companies that voluntarily share cybersecurity information with the government.
- In an interview with Reuters on Monday, Obama criticised China’s proposed cybersecurity rules, which would impose obligations on US technology companies including handing over the encryption keys and passcodes protecting data so that Chinese authorities would have surveillance access. Obama stated that China would need to change this policy for the US and China to do business. Computer World has since reported that on Tuesday China’s Foreign Ministry spokeswoman, Hua Chunying, defended the policy.
Other news, attacks and reports
- Following our previous update that a hacker group had stolen up to $1 billion from financial institutions around the world, James Ashton of the Evening Standard has written an article on what cybersecurity start-ups are doing to combat the problem.
- The latest Cybersecurity 500 (a list of the cybersecurity companies to watch in 2015) has been released, and features only 11 UK companies, as reported by TechWorld.
- Mandiant has released its 2015 M-Trends threat report. Its findings include that in 61% of cases organisations did not know they had been breached until notified by a third party, and that hackers are targeting a wider range of victims. Read IT Governance’s summary here.
- According to IT Governance, another Philippine government website has been hacked by Anonymous, following three previous bouts of attacks since 2013.
- And finally, Symantec has reported that hackers are using phishing sites to trick those who have lost their iPhone or iPad into giving away their iCloud login credentials.
Contributors to this week’s update: Tom Pritchard, Paralegal, Katharine Alexander, Trainee Solicitor and Claire Walker, Head of Commercial Know How.