The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- The UK government and Marsh (a UK insurance broker and risk advisor) have announced a new joint initiative to promote cyber insurance by publishing a report titled “UK cyber security: the role of insurance in managing and mitigating the risk”. The report details how the UK can become the world centre for cybersecurity insurance by working with the Cyber Essentials scheme. The insurance industry has a major opportunity to expand offerings given that fewer than 10% of UK companies currently have cyber insurance protection. Read the full report here.
- The UK Minister for the Cabinet Office, Francis Maude, has announced that the UK is planning to collaborate with Israel on the issue of cyber research by agreeing three joint academic ventures. By pledging £1.2 million to these three academic partnerships (University of Bristol / Bar Ilan University, University College London / Bar Ilan University, and University of Kent / University of Haifa) the government hopes to make strides in six specific areas of cybersecurity development: identity management, cyber governance, privacy assurance, mobile and cloud security, usable security and cryptography.
- Francis Maude also recently launched the Cyber First initiative aiming to identify young individuals with the aptitude to succeed in cybersecurity and offering them financial assistance during their studies.
- The Department for Business, Innovation and Skills (BIS) is partnering with The Accelerator Network to conduct a three-day hackathon. Similar to the UK Cyber Security Challenge we reported on two weeks ago, the initiative aims to identify the best and brightest emerging cybersecurity talent by gathering students to compete in a series of cybersecurity challenges. The event will take place in June 2015 and will feature students from 13 different UK universities.
- Last year the Bank of England launched “CBEST”, the first framework for testing the cybersecurity vulnerabilities of the UK’s financial institutions. The exercise aimed to shift financial firms’ focus from preventing attacks to improving resilience and the ability to bounce back after suffering an attack. In this article “CBEST: a new line of defence?”, Senior Olswang Associate Laurence Kalman examines how CBEST differs from standard penetration testing, whether the programme will be expanded beyond the UK’s core financial system and whether it may have broader consequences for other industry sectors.
EU policy and regulatory developments
- Network and Information Security Directive: The date for the next round of trilogue negotiations is 30 April, according to this report on MLex (subscription required). Since our last update, some of the latest Council documents have become publicly available, albeit with some redactions, on the Consilium. These are: the 5 March Examination of the amended Presidency consolidated text, which, as we reported, was leaked a couple of weeks ago, and the 9 March “Preparation for the informal trilogue” document.
- According to a report on MLex (subscription only), officials at the European Central Bank have called for all financial institutions to renew their vigilance against cyber attacks. Financial companies were among the first to take the threat of cyber attacks seriously; however, after an assessment of 130 lenders, the ECB leadership is concerned that banks have now relaxed too much. The comments were made at a recent bank industry event in Brussels. The report goes on to say that the ECB will scrutinise computer security as part of its review of lenders this year.
- The European Union Network and Information Security Agency (ENISA) has published a good practice guide for CERTs’ first responders. The guide provides a helpful explanation of the best digital forensic practices to adopt and how to collaborate with law enforcement agencies when collecting digital evidence in the immediate aftermath of an attack. Read the full report here.
- Personal data transfers to the US: While not strictly a “cybersecurity” story, last week’s hearing before the CJEU of the Schrems v The Data Protection Commissioner of Ireland (case C-362/14) action has been widely reported, including this coverage in the Guardian. The CJEU’s eventual ruling will determine whether transfers of personal data from the EU to the US under the Safe Harbor scheme are lawful under the Data Protection Directive. The next milestone in the case, the Advocate General’s non-binding opinion, is expected on 24 June.
US policy and regulatory developments
- While the Cybersecurity Information Sharing Act we reported on last week is still due to be voted on in the Senate, the Protecting Cyber Networks Act bill was introduced to the House of Representatives on Tuesday, 24 March 2015. The bill provides hacked companies with liability protection when sharing cyber intelligence within the private sector (a crucial difference from CISA, which is more focused on sharing with the public sector). Wired.com has written an opinion piece about how privacy advocates are losing out as the US pursues greater cybersecurity protection.
Asia policy and regulatory developments
- Singapore’s new Cyber Security Agency (CSA) is due to go live on 1 April 2015. The CSA will replace the Singapore Infocomm Technology Security Authority’s function as the Computer Emergency Response Team (CERT). The formation of, and investment in, the new agency show how seriously the Singaporean government is taking the threat of cyber attacks. Read more here.
Attacks, reports and other news
- Wired.com have analysed three new documents in order to assess the extent of GCHQ’s hacking powers. The documents considered are: the Intelligence and Security Committee’s report into the UK’s security services, the government’s open response to the same report, and documents from the secret court proceedings released by Privacy International. Wired.com concludes that GCHQ “can hack anyone, anywhere in the world, even if they are not suspected of any crime.”
- Google have reportedly accused China’s cyberspace administration of being complicit in attacks against the internet giant. Google apparently learnt of unauthorised digital certificates for several of their domains that were issued by the Egyptian firm MCS Holdings. MCS is owned by the China Internet Network Information Centre. However, MCS has publicly apologised, claiming the action was a mistake.
- The government website for the US state of Maine was repeatedly taken down for three straight days starting on Monday, 22 March 2015. A hacking group by the name Vikingdom2015 have publicly taken responsibility for the attack, claiming “We will knock all American governments’ websites offline…We all like doing this.” While inconvenient, a Maine government spokesperson has claimed that no data breach occurred.
- A new US survey by Rasmussen Reports has found that 61% of likely US voters believe a cyber attack by a foreign state poses a greater economic threat than a traditional military attack. This marks a 12% increase over last year.
- CERT UK’s weekly update highlights the threat posed by new “Dridex” malware distributed via a phishing campaign and a new OpenSSL security patch intended to fix a number of high security defects. Read the full update published on 26 March 2015 here.
- A weakness has been detected in Google’s Android operating system software that allows installation and hijacking of the Android Package File (APF). Hijacking of such a package causes the device to download and distribute malware and steal users’ data. It is reported that this problem affects approximately half of all Android users. However, Google have released a diagnostic application to monitor the problem.
- Alibaba are reportedly investing in the cybersecurity sector via a $15 million investment into the Israeli cybersecurity-focussed investment firm, Jerusalem Venture Partners.
Contributors to this week’s update: Tom Pritchard, Paralegal; London Associates Ross Ledingham, Melanie Shefford and Laurence Kalman; Singapore Associates Daniel Jung and Matthew Hunter; and Head of Commercial Know How Claire Walker.