Following a short Easter break, the Datonomy blogging team at Olswang LLP is back with the latest round up of legal and regulatory developments and other news on cybersecurity.
UK policy and regulatory developments
- With a pre-election freeze on government policy announcements, let’s look instead at what the major parties are saying about cybersecurity. On 11 April the Lib Dems announced they would introduce a Digital Rights Bill if elected, and launched an online consultation seeking voters’ views on what this should include. The proposed Bill would enshrine individuals’ digital rights in one comprehensive piece of legislation. The eleven “big ideas” are set out in this document and include privacy, data protection, control of user content, consumer rights, freedom of speech, open data and surveillance. Cybersecurity features as part of Big Idea Number 9: Encryption. The manifesto calls for individuals, businesses and public bodies to have the right to use strong encryption, and for law enforcement powers to require decryption to be on a proportionate and case by case basis only.
EU policy and regulatory developments
- The European Network and Information Security Agency (ENISA) has set the date for the second National Cyber Security Strategies Workshop. The event is now scheduled to take place on 13 May 2015 in Riga, Latvia. Government agencies, industry representatives and academics are invited to discuss the status of cybersecurity in the EU, best practices, lessons learned and educational initiatives.
- Network and Information Security Directive: Euractiv are reporting that Ireland, Sweden and the UK are the countries leading the effort to delay the NISD. The reported reason for the resistance is the continued controversy over whether (as proposed by the Commission) ecommerce platforms should be included within the scope of market operators obliged to report cyber attacks, or kept out of scope – the position favoured by the European Parliament. The Council, representing the 28 Member States, now needs to agree its own stance in order to resume trilogue negotiations with the other two institutions. The countries lobbying for the Directive to apply to a narrower class of critical infrastructure providers all host large US-based tech companies. As noted in our 30 March cyber update, the Latvian Presidency of the Council reportedly aims to resume trilogue negotiations on 30 April.
US policy and regulatory developments
- President Obama signed his second cybersecurity Executive Order of the year on 1 April 2015. The “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” Executive Order allows the US government to levy economic sanctions against overseas individuals who engage in cyber activity that is likely to result in, or has materially contributed to, “a significant threat to national security, foreign policy, or [the] economic health” of the US. The Order represents an added weapon in the US arsenal when combatting international hacking groups by allowing the government to go after individuals who may previously have been unreachable due to weak cyber security laws in their resident country (e.g. Russia). The Order also extends to those who knowingly use and receive data stolen in such attacks (e.g. companies who hire hackers). However, the ability to sanction individuals or companies is predicated on the foreign actor having assets in, wanting to trade with or wanting entry into, the US. Read the White House’s blog here and Wired.com’s further analysis here.
- The National Institute of Standards and Technology (NIST) has announced its “Cybersecurity for Smart City Infrastructure” event will be held on Wednesday 27 May 2015 in Gaithersburg, Maryland. The event aims to bring together industry, government and academic cybersecurity experts to discuss standards and research and development targets relating to secure, reliable and privacy-enhancing smart cities.
Asia policy and regulatory developments
- Korea recently passed the world’s first cloud-specific law. The Act on the Development of Cloud Computing and Protection of Users (Cloud Act) is careful to address the cybersecurity concerns inherent in storing a greater amount of data in a digital space by imposing a series of security and privacy standards on cloud service providers. Read Olswang’s analysis of the Act here.
Attacks, reports and other news
- SC Magazine is reporting that the hacking group “Cyber Caliphate”, who have been closely linked to ISIS, attacked the French TV Station TV5Monde on Thursday, 9 April 2015. The hacking group took down the company’s live TV broadcast and hijacked its social media account for several hours. The group uploaded the IDs and CVs of French soldiers participating in the war against ISIS and posted messages warning soldiers to stay away from the Islamic State.
- The BBC is reporting that a coordinated effort between the EU Cybercrime Action Taskforce, the FBI and private security firms Intel, Kaspersky and Shadowserver has been successful in taking down a very sophisticated piece of malware called “Beebone”. The malware reportedly controlled up to 100,000 computers a day and evaded detection for a long time by being able to change its own identity up to 19 times a day. Now that the malware has been contained, Operation Beebone is focusing on identifying those behind the attacks.
- US coding website GitHub is reportedly being targeted by a Chinese distributed denial-of-service attack in which internet traffic from the Chinese search engine Baidu is being redirected to the site in order to overload its servers. Experts at the Wall Street Journal are theorising that the attack is political in nature due to the fact that GitHub has been helping Chinese users circumvent government blocks on certain censored websites.
- Taiwan has asked to be included in future US cybersecurity testing as the state has recently become more vocal about the threat it believes it faces from Chinese hackers. Taiwanese Vice Premier, Simon Chang (formerly of Google) spoke unreservedly in an interview with Reuters when claiming that it is well known that China’s cyber army uses Taiwan as a testing ground for its newest cyber attack methods.
- Wired.com have written this opinion piece arguing that Russia’s 2014 cyber attack on the White House was possible due to a weak link inherent in all cybersecurity systems: people. Despite increasing trends for businesses and public bodies to use the best available technology, the system often fails if it is not backed up by sufficient staff education.
- Following a live question and answer session on 25 March 2015 on the topic of how businesses can best address cybersecurity, the Guardian has written up the top “things we learned”. The expert panel consisted of executives from leading cybersecurity firms such as Context Information Security and Symantec, the Guardian’s head of information security and data protection lawyers from Olswang. The key takeaway messages can be found here, or alternatively read the full discussion here.
- And finally…The FT is reporting that Southeast Asia’s largest telecoms company, Singapore Telecommunications, has acquired Chicago cloud-based cybersecurity firm Trustwave for $810 million. The same article reports that the global market for cybersecurity services is growing 15% per year and should be worth $24 billion by 2018.
Contributors to this week’s update: Tom Pritchard, Paralegal; Singapore Associates Daniel Jung and Matthew Hunter; and Head of Commercial Know How Claire Walker.