The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
EU policy and regulatory developments
- Network and Information Security Directive: Last week the MLex service (subscription required) reported on the EU Commission’s continued effort to include key web services in the list of companies that would, under the proposed NISD, have to notify authorities whenever their systems have been hacked or otherwise compromised. Social networks, search engines, online payment facilitators, e-commerce platforms, cloud-computing services and app stores would be within scope under the draft originally proposed by the Commission in 2013, along with more conventional critical infrastructure providers. The extended definition, which could catch approximately 1,400 internet companies based in Europe, continues to be hotly debated by national governments, EU parliamentarians (who have voted to keep web services out of scope) and industry leaders (with the Internet and IT players still lobbying hard to stay out of scope). With Member States still divided over which entities should be caught by the new rules, it remains to be seen whether the next trilogue between the Council, Commission and Parliament planned for 30 April will go ahead. Datonomy will continue to monitor progress.
- Continuing the theme of controversy over the scope of the NISD, a report of the UK House of Commons European Scrutiny Committee’s consideration of the draft Directive (dated 18 March) is available here. It confirms that (as we reported in last week’s update) “the UK has pushed extremely strongly to exclude digital services from the scope of the Directive”. For readers interested in the detail of the draft Directive’s progress, it provides a useful summary of its passage through the EU legislative process, the remaining areas of controversy (scope and operational cooperation), and the workings of the UK parliamentary scrutiny process for draft EU legislation.
- Furthermore, the Security Alliance for Europe (SAFE), a policy group representing the ICT sector, has published criticism of the NISD, taking the position that the Directive inhibits the creation of the “Digital Single Market”. The argument put forward by SAFE states that by including “internet enablers” within the broad remit of the Directive and demanding only “minimum harmonisation” between member states, internet enablers will face “a patchwork of different obligations” that will be ineffective in improving cybersecurity and creating a Digital Single Market.
- The European Union Agency for Network and Information Security (ENISA) has published an advisory guide and an online tool for small and medium-sized businesses on the security considerations that apply when choosing to use cloud services. The guide highlights eleven security risks and security opportunities for SMEs to take into account when procuring cloud services.
US policy and regulatory developments
- The U.S. Government Accountability Office (GAO) has written a congressional report suggesting that commercial airlines’ plans to offer passengers in-flight WiFi could make aeroplanes considerably more susceptible to cyber attacks. The report, titled “FAA needs a more comprehensive approach to address cybersecurity as agency transitions to NextGen”, concludes that “IP networking may allow an attacker to gain remote access to avionics systems and compromise them”. Read analysis here and the full report here.
Asia policy and regulatory developments
- Following the tensions between the US and China regarding proposed Chinese cybersecurity rules that would oblige US tech companies to hand over encryption keys, reported in our 9 March cyber update, China appears to have backed down. According to the Business Spectator, China has withdrawn the contested rules until further notice in an effort to appease US business and government. The Chinese government is yet to clarify when these rules will be redrafted.
Global policy and regulatory developments
- The International Chamber of Commerce has published a “cyber security guide for businesses.” The aim of the guide is to help business management “to frame cyber security discussions with information technology professionals – and vice versa – to put a collaborative and ongoing management approach in place.” The guide provides five main areas of focus: gathering information, developing a resilient mind-set, being prepared to respond, demonstrating leadership and taking action.
Attacks, reports and other news
- According to ZDNet, computing giant IBM is planning to make public nearly 20 years’ worth of cyber threat information. The move, which involves 700 terabytes of raw data concerning 270 million computers and 25 billion websites, is explained by IBM’s Security General Manager as an effort to “accelerate the formation of the networks and relationships we need to fight hackers.” Read more about the IBM “X-Force” programme here.
- Following last week’s report on the GitHub denial of service attacks (reportedly perpetrated by China), researchers at the University of Toronto, the University of California, Berkeley, the International Computer Science Institute and Princeton University claim that China has built a cyber offensive system called the “Great Cannon”. The Great Cannon can reportedly intercept unencrypted web traffic from foreign users, inject malicious code into it and direct the resulting requests at specific IP addresses. The method has been compared to the QUANTUM system reportedly deployed by both the NSA and GCHQ. Read analysis here.
- In another story following on from last week’s report, a second French media company has been hacked (following TV5 last week). SC Magazine is reporting that hackers gained access to the email servers of the French TV broadcaster France Télévisions. “Linker Squad” has publicly claimed responsibility for the attack, boasting about the ease with which the broadcaster’s security systems could be bypassed and of its intention to sell the stolen emails on the black market.
- Forbes.com is reporting on a new “secret cybersecurity weapon” recently bought by a spate of top companies such as Visa and Amazon. “Tanium” is described as a peer-to-peer IT central nervous system that can almost instantly scan for and report back on suspicious behaviour taking place on hundreds of thousands of computers. The product, designed by father and son team Orion and David Hindawi, whose company is now valued at $1.75 billion, in principle makes real-time detection of security incidents possible regardless of the size of the computer network.
- Cert-UK’s weekly update is reporting on the successful conclusion of an Interpol operation to take down the Simda botnet. Simda allowed cyber criminals to target individuals’ financial details and spread malware to more than 190 countries worldwide. Microsoft has now released a removal tool to complete the eradication of Simda. Read Cert-UK’s complete weekly update for 16 March 2015 here.
- The FT (subscription required) is reporting that, for the first time, funding for cybersecurity start-ups surpassed $1 billion in a single quarter in Q1 2015. The overall investment of $1.02 billion is almost double the $540 million figure posted in the same quarter last year. The largest investors are reported to have been the venture capital firms Andreessen Horowitz and Kleiner Perkins, in addition to a number of unnamed VC arms of technology and banking companies.
- And finally… TechCrunch is reporting that executives at Symantec, Internet Security Systems, Sourcefire and NetSuite are all investing in a new cybersecurity startup, Phantom Cyber. The company announced seed funding of $2.7 million. Though the amount is relatively small, the number of high-profile investors has created a buzz around this young company, which is aiming to remove human steps from cybersecurity efforts by automating many of its processes.
Contributors to this week’s update: Tom Pritchard, Paralegal, and Claire Walker, Head of Commercial Know How.