The latest round-up of legal and regulatory developments and other cybersecurity news from the Datonomy blogging team at Olswang LLP.
EU policy and regulatory developments
- Network and Information Security Directive (NISD): the Council is reported to be meeting today (27 April) to discuss its position further, and the next trilogue is reported to be taking place on Thursday, 30 April. The Council has listed two new documents relating to the draft on its website, dated 1 and 17 April and entitled, respectively, "State of Play" and "Presidency's proposal on the way forward". Frustratingly, neither has yet been uploaded, and they do not appear to be in public circulation. On 24 April, the MLex service (subscription only) carried a helpful report explaining the latest twists and turns in the negotiations over the controversial question of whether key internet services should be subject to the Directive. According to MLex, two alternative approaches are under consideration by the Council. Under the first option, the Directive itself would define the types of online service in scope. The second approach, proposed by the current Latvian Presidency, "would require governments to share with the commission a list of companies they believe should fall under the scope of the new law", with Member States assessing "all operators under specific categories to establish whether they provide critical services". The list of in-scope operators could be drawn up either by each Member State or by the Commission as an "implementing act", in consultation with a newly created cooperation group of national authorities. Watch this space for the next developments on the critical issue of scope.
- The European Union Agency for Network and Information Security (ENISA) has announced that its second workshop on National Cyber Security Strategies will be held in Riga, Latvia on 13 May 2015. Stakeholders from EU government agencies, industry and academia will meet to discuss the status of cybersecurity in the EU, capability building and responsible disclosure in breach scenarios.
- ENISA has also updated and extended its "Mobile Threats Incident Handling" guidelines. The revised guide adds material on the analysis of well-known ransomware and on techniques for identifying, mitigating and handling risks specific to mobile platforms.
- General Data Protection Regulation (GDPR): in the continuing saga of EU data protection reform, a coalition of over 60 rights groups (led by EDRi, the European Digital Rights group) has written to President Juncker expressing concern that the GDPR will in fact erode individuals' data protection and privacy rights. The letter argues that the GDPR as currently drafted would fall below the standards set out in the 1995 Data Protection Directive and would compromise the right to protection of personal data enshrined in Article 8 of the Charter of Fundamental Rights. It concludes by asking President Juncker to ensure that these rights are not weakened.
US policy and regulatory developments
- The House of Representatives passed the Protecting Cyber Networks Act on Wednesday, 22 April 2015. The bill (Datonomy reported on its introduction on 24 March 2015; read more here) provides for a "cyber portal", administered by the Department of Homeland Security, through which private companies would be able to share cyber threat information. Surprisingly, the Executive Office of the President published a letter expressing concern about the extent of the liability protection the Act affords to private companies. The American Civil Liberties Union (together with many other civil society organisations, security experts and academics) also wrote to the House urging it to reject the bill, citing concerns that it would expand government surveillance. Nonetheless, the House passed the bill by a landslide 307 to 116 vote. The Senate is scheduled to vote on the bill later this month. Read further analysis from com here.
- The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an alert warning that the country's grid is the subject of an ongoing, sophisticated malware campaign that has already compromised numerous industrial control systems inside utility companies.
Attacks, reports and other news
- Following the RSA Conference 2015, held 20-24 April 2015 in San Francisco and bringing together thousands of the world's information security experts, SC Magazine has published a series of articles on the most important themes to emerge from the conference. Topics include: whether cybersecurity is in enough of a crisis to need a paradigm shift, the rise of cyber criminals, protecting critical infrastructure, the radical improvement in email authentication schemes, and cloud security being undermined by poor credential management. Find out who RSA honoured in its annual awards here. The next RSA Conference event is scheduled to be held in London on 4 June 2015.
- The BBC is reporting that UK government scientists are concerned by plans to control all of Britain's trains through a digital signalling system. The concern is that replacing the existing signal-light system with a networked digital one exposes the railway to a greater risk of cyber attack. The system is not scheduled to be installed until 2020, but sceptics worry that attackers could divert trains to cause a "nasty accident" or "major disruption".
- EurActiv has published an opinion piece arguing that the European insurance industry will play a critical role in ensuring that Europe maintains its position as a global leader in cybersecurity. Noting that "Cyber-attacks are increasing in number, sophistication, scope and impact, and represent the most salient non-traditional security issue on the global agenda", the author argues that European laws should be relaxed to encourage further investment from insurance companies.
- Verizon has released its Data Breach Investigations Report (DBIR). The company analysed 79,790 security incidents from 2014. The report shows wide variation in the cost of a data breach, ranging from $57,600 to $27.5 million (the upper figure applying when at least one million records are accessed). Other notable findings include: smartphones are not the target of the great majority of attacks (only 0.03% of smartphones on the Verizon network were targeted per week); social engineering attacks (such as phishing emails) remain surprisingly effective despite increased awareness; and in 60% of cases attackers were able to compromise an organisation within minutes.
- The BBC is reporting that the virtual currency Bitcoin is decreasing in popularity with cyber criminals. While the anonymity offered by the cryptocurrency (in practice pseudonymity, since every transaction is recorded on a public ledger) made it very appealing to criminals wishing to evade identification, the volatility of the currency's value (one Bitcoin is now worth £155, against a valuation of £728 in late 2013) is making it a much less attractive medium.
- CERT-UK's weekly update highlights the importance of public-private cyber threat information sharing as the US looks to follow the UK's lead with the Cyber Intelligence Sharing and Protection Act (read more on the subject of US public-private information sharing from Datonomy here). Read the full update here.
- And finally: investment website MarketWatch is reporting that cybersecurity stocks are soaring after companies held in the HACK cybersecurity exchange-traded fund posted strong earnings reports and defence-industry giant Raytheon announced it will invest $1.7 billion to establish a stand-alone cybersecurity business. Read more about Raytheon's investment here.
Contributors to this week's update: Tom Pritchard, Paralegal, and Claire Walker, Head of Commercial Know How.