The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- The Department for Business, Innovation and Skills (DBIS) has published cybersecurity guidance for small businesses. The guide details how stronger passwords, up-to-date software and staff training can go a long way in protecting company assets and goodwill. The guide also emphasises that in 2014, 60% of small businesses experienced a cyber breach and that the average cost of the worst breach was between £65,000 and £115,000.
- On 9 March the Government announced various new initiatives to boost entry into the cyber security profession. The Government press release estimates the UK cyber security industry to be worth £6 billion, employing 40,000 people – with significant growth predicted in the coming years.
- With the Apple Watch and other wearable tech much in the news this week, CERT UK (the UK’s National Computer Emergency Response Team) is warning security professionals that wearable tech should be factored into security checks for sensitive work areas – just like phones and cameras. See CERT’s weekly update for 12 March.
- After ten months of qualifying rounds, and thousands of applicants, 42 of the UK’s brightest young IT amateurs competed in the Cyber Security Challenge UK (sponsored by BT, GCHQ, the NCA, Lockheed Martin and others). The challenge, in which contestants were hunkered down aboard HMS Belfast, simulated a real-life cyber attack to test who amongst them was the best ‘cyber defender’. The competition finished on the evening of Friday, 13 March 2015; the Cyber Security Challenge UK Champion has yet to be announced. Check here for your own update.
EU policy and regulatory developments
- Network and Information Security Directive: Council agrees its negotiating mandate; trilogues to resume in late April. On 11 March the Council’s negotiating mandate on the NISD was agreed at the Permanent Representatives Committee. This means that trilogue negotiations with the Commission and Parliament can resume. The third trilogue is scheduled for late April, according to this press release from the Council. Two further drafts relating to the Council’s position were announced on (but not yet uploaded to) the Consilium website. These are a 126-page note from the Council Presidency to the Delegations (i.e. Member States) detailing changes to the Council’s negotiating position, which has, helpfully, been leaked on the Statewatch website here, and a second document, dated 9 March, headed “Preparation for the informal trilogue”, which does not appear to be in the public domain yet.
The leaked Presidency document is a 5-column mark-up of the Directive showing the relative positions of the three institutions: the Commission (as per its original draft), the Parliament (as per the text adopted in March 2014) and the Council’s proposed position. One of the most controversial areas of the draft has been the scope of the “market operators” who would be caught. Over recent months, there has been an intense lobbying effort by software and internet players to restrict the scope of the new obligations to “truly critical infrastructure” – see the CCIA lobby group’s open letter to Europe’s Telecoms Ministers from November 2014. It has been reported that there are differences between the Member States over how wide or narrow the set of regulated entities should be, with the UK government reportedly favouring a narrower scope.
The leaked mark-up (see Article 3(8)(b)) seems to suggest that the Council favours a middle position – it would reject the Commission’s widely-drawn proposal to catch “Information Society Services which enable other information services”, but it would include certain key internet infrastructure and digital service platforms which meet specified criteria. It will be very interesting to see where the negotiations on market operators end up in April. Numerous Commission targets for adopting the NISD have come and gone. Assuming April’s trilogue does result in a swift agreement, the Directive could in theory be adopted in April or May. It would then have a transposition lead time of between 18 months (as per the Commission text) and two years (as per the Council’s mark-up) – meaning it might not take effect until the end of 2016 (at a pinch) or even 2017/2018. We will provide full analysis of the “who, what and when” of the new cybersecurity and breach notification requirements when the final text is agreed. There is further coverage of last week’s announcement on The Register here.
US policy and regulatory developments
- The controversial Cybersecurity Information Sharing bill was voted through the Senate Select Committee on Intelligence by a vote of 14 to 1 on Friday, 13 March 2015. The bill, which enables greater sharing of cybersecurity intelligence between the US public and private sectors, will now proceed to a Senate vote. A revised definition of the term “cyber threat indicator” that limits the amount of information that may be shared under the Act, and improved liability protection for companies sharing information, appear to have helped the bill to proceed. However, the American Civil Liberties Union (ACLU) remains a strong critic of the bill’s privacy protections, as voiced in this recent opinion piece.
- New York Senator Charles Schumer has told the Federal Aviation Authority that it needs to implement the cybersecurity improvements proffered by the US Government Accountability Office’s recent air traffic security report. The report accuses the FAA of having unclear roles and responsibilities relating to cybersecurity. Read the full report here.
Attacks, reports and other news
- Reuters is reporting that the cybersecurity industry is becoming increasingly fragmented along geopolitical lines. With Russian firms such as Kaspersky becoming increasingly expert at uncovering American computer espionage methods, and US firms such as FireEye revealing Russian and Chinese hacks, friends and foes are quickly creating an entrenched and divided cybersecurity industry. “Some companies think we should be stopping all hackers. Others think we should stop only the other guy’s hackers – they think we can win the war.”
- Reports suggest that a Pakistan-based firm, with close ties to the Pakistani government, has been coordinating cyber attacks against the Indian government’s computer networks within the past two years.
The threat landscape
- CERT UK published its latest weekly update on 12 March. The update reports on FREAK, a recently reported vulnerability capable of downgrading the security of websites by affecting Secure Sockets Layer (SSL) connections. Where successfully exploited, FREAK enables attackers to capture sensitive personal data. Most major browsers have now issued a patch or update to deal with the issue. Read further commentary from ITPro here.
- Reuters is also reporting the findings of a study by Chicago-based managed security services firm Trustwave, which found that security professionals are struggling to keep pace with cybersecurity threats against their companies. Having surveyed over 1,000 security professionals, the study depicts a general shortage of the IT skills needed to properly staff cybersecurity teams across all industries. Read more from SC Magazine here.
- The FBI’s head of the cyber division, Leo Taddeo, has warned the American public to prepare for “an attack that has an impact that may shake some confidence-levels.” Taddeo points to the increasing sophistication of hackers around the world in arguing that “the notion that you can protect your perimeter is falling by the wayside.” Watch Taddeo’s interview with Bloomberg here.
- IT security professionals’ website SC Magazine has published an opinion piece bemoaning an over-reliance on cyber insurance. The article’s author, Philip Lieberman, president & CEO of Lieberman Software, has argued that the majority of attacks in 2014 were perpetrated using well-known techniques such as malware, phishing and the use of zero-day exploits. Consequently, the author argues that these attacks are defensible and thus, “For those that chose to buy insurance rather than fix their poor security, they will most likely see legislation this year to punish this behaviour.”
- Blue Coat Systems, Inc., a cybersecurity firm that counts 80% of the Fortune 500 as customers and blocks over three million threats a day, has agreed to be acquired by the investment firm, Bain Capital, for $2.4 billion. Blue Coat was previously bought by the private equity firm Thoma Bravo LLC for $1.3 billion in 2012.
- And finally… Industry website ITNews has written an opinion piece criticising the cybersecurity strategies of the UK, US and Australian governments. The main accusation levelled at the three governments is that there is an over-emphasis on public-private sharing of information relating to cyber threats, and that this has created a disincentive to invest properly in robust cybersecurity systems.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Commercial Know How.