The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- According to SC Magazine, the Bank of England has approved its first commercial provider of CBEST threat intelligence and penetration testing (read more from Datonomy about the financial sector CBEST programme here). The company now approved to assess financial sector companies’ preparedness for a cyber attack is BAE Systems.
EU policy and regulatory developments
- Network and Information Security Directive (NISD): as we reported in last week’s update, the next trilogue meeting on the draft Directive was reportedly taking place on 30 April. As yet we have been unable to find any progress reports in the public domain, other than a headline on the EU Issues Tracker Service (subscription required) stating that the Council’s permanent representatives are due to receive a debrief today, 5 May, which suggests that the trilogue went ahead. The Council’s Consilium website has reported the existence of two new documents relating to the draft, both entitled “Preparation for the trilogue”. However, at the time of writing, the content of these documents does not appear to be available.
- Vice-President of the European Commission, Federica Mogherini, has penned a blog article on the Commission’s website titled “Cyber space needs stronger rule of law”. Mogherini argues that the recent attacks on France’s TV5 Monde and on Sony illustrate the growing need for a clearer set of international laws that create trust and confidence online.
- According to V3, the European Commission is set to host meetings with Facebook, Google, Twitter and a multitude of other major tech companies (though this is unreported on the Commission website) in order to address concerns regarding encryption technologies. In addition to discussing encryption technology’s relationship with cybersecurity, the talks will also encompass the challenges the technology poses for law enforcement agencies and the opportunities it affords to terrorists.
- The European Network and Information Security Agency (ENISA) has announced that the Protection of Electronic Communications Infrastructure and Information Sharing workshop will take place on 16 June 2015, in Bucharest, Romania. The workshop will build upon the ENISA report of the same name published in December 2014. The workshop aims to bring together electronic communication providers, civil work companies (i.e. those who install and maintain infrastructure) and state policy makers to reduce internet outages caused by the disruption of underground assets such as cables, fibre optics and ducts.
US policy and regulatory developments
- The Department of Justice has released a cyber guide entitled “Best Practices for Victim Response and Reporting of Cyber Incidents”. The publication is part of a wider effort to engage with the corporate sector about how best to report more information relating to cyber threats. The guide provides suggestions on steps to take before a cyber intrusion, on executing an incident response plan and on what not to do following a cyber incident.
- According to Lexology (subscription required) and our friends at Alston & Bird LLP, the Securities and Exchange Commission (“SEC”) is planning to rewrite the rules relating to disclosure of information concerning cybersecurity incidents. Though there has been no formal announcement regarding the content of these new rules, SEC Chief of Staff, Smeeta Ramarathnam’s recent comments at the RSA conference (reported on by Datonomy, here) suggested a move towards greater disclosure of potentially sensitive information.
- Chinese website Xinhuanet is reporting on comments made by Geng Yansheng of the Chinese Defence Ministry regarding China’s opposition to the U.S. cybersecurity strategy. Mr Geng was reported to have stated, “With its great edge in cyber technology and the strongest and largest cyberforce in the world, the U.S. declaration of offensive cyber strategy [the U.S. Defence Department stated it would use cyber operations to disrupt an adversary’s command and control networks] will not help manage or settle differences in cyberspace, but will strain conflicts and increase the arms race.”
Attacks, reports and other news
- The New York Times is reporting that hackers obtained access to President Obama’s email correspondence, as well as the State Department’s unclassified system, during last year’s attack attributed to Russian actors. White House officials maintain that no classified information was obtained, yet were willing to admit the worrying nature of such specifically targeted Russian attacks.
- The Observer is reporting that the 12-hour blackout suffered in Istanbul in March 2015 was purportedly the work of an Iranian cyber attack. The attack, which shut down Turkey’s airports, hospitals, traffic controls and even water and sewage systems, was said to be political retaliation by Iran for Turkey’s public support of Saudi Arabia in its battle against the Iran-backed Houthis in Yemen. Iran is now said to have one of the most advanced cyber armies in the world.
- The Telegraph is reporting that the former chief of the US National Security Agency, General Keith Alexander, recently issued a stark warning about the threat of a systemic cyber assault on the West at a private dinner event. Alexander spoke seriously about the increasing threat of a doomsday scenario in which there is a coordinated cyber attack on refineries, power stations, the electric grid and payment platforms.
- CERT-UK’s weekly update is reporting that last year’s Sony attack was perpetrated by hackers who used fake Apple ID accounts in order to carry out a phishing campaign. The update also takes pains to highlight the threat to organisations posed by rogue former employees. Read the full update here.
- Shipping publication Seatrade Global has published an article highlighting the industry’s cybersecurity concerns. As shipping embraces the internet of things and across-the-board computer-controlled processes, real concerns are emerging that a hacker could divert a ship into pirate territory. The article quotes research by the watchdog organisation CyberKeel that 90% of the world’s top 20 container lines are vulnerable to cyber attack.
- Wired.com is reporting that security researchers will give a live demonstration of how to hack into a car’s on-board computer systems at the Defcon and Black Hat security conferences, in order to caution major automobile manufacturers. The plan is to perpetrate a remote attack on the vehicle’s computers to show how the steering, brakes, seat belts and even the horn can be manipulated once a hacker has breached the digital control system.
- And finally… Reuters is reporting that leading cybersecurity company FireEye has raised its revenue projections after billings jumped 53 percent in the first quarter of 2015. Despite having failed to post a profit since it went public in 2013, and having spent $1 billion on acquiring Mandiant Corp in January 2014, the company now looks set for rapid expansion.
Contributors to this week’s update: Tom Pritchard, Paralegal, and Claire Walker, Head of Commercial Know How.