The latest round-up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- Election special: It will be interesting to see what the new Conservative Government means for cybersecurity. The Conservative manifesto pledged to continue investment in cyber defence capabilities and improve response to cyber crime with reforms to police training (including the use of volunteer “Cyber Specials”). Datonomy will be looking out for new policy announcements – the state opening of Parliament and the Queen’s Speech will be on 27 May. In terms of ministerial appointments which may have a bearing on cyber policy, these include: Matt Hancock, who has replaced Francis Maude as Minister for the Cabinet Office, Oliver Letwin who is in overall charge of the Cabinet Office and Sajid Javid, the new Secretary of State for Business, Innovation and Skills.
- On 7 May the Gov.uk website re-published a document originally published in February by the Cabinet Office, BIS, FCO and National Security and Intelligence entitled “2010 to 2015 government policy: cyber security”. The document details the efforts made by the last government to address the threats posed to the UK’s digital infrastructure. The document focuses on how the UK Cyber Security Strategy, published in November 2011, has helped to deliver a safer online environment for e-commerce, a stable cyberspace, greater resiliency to cyber attacks and increased cyber skills, knowledge and capability throughout the workforce.
- This week’s Cert-UK update focuses on the Rombertik malware which has successfully managed to evade most computers’ anti-virus software. The malware is said to be able to steal users’ credentials and other information and can destroy a computer by deleting its Master Boot Record. Cert-UK worryingly reports that “this is yet more testament to the unfortunate truth that malware is developing more rapidly than defences.” This week’s report also contains an in-depth assessment of the Dridex banking Trojan. Read the full update for 7 May 2015 here.
EU policy and regulatory developments
- The European Commission released its long-awaited Digital Single Market Strategy on 6 May 2015. The strategy contains 16 initiatives intended to realise the creation of a single European market for e-commerce. Initiative number 13 relates to cybersecurity and states that “in the first half of 2016 the Commission will propose a partnership with the industry on cybersecurity in the area of technologies and solutions for online network security.” Read EurActiv’s reaction to the strategy here. Olswang has published its reactions to the telecoms regulatory aspects of the strategy more broadly here.
- Network and Information Security Directive (NISD): There does not appear to have been any news in the public domain concerning the NISD since last week. The Strategy refers to it as marking “an important step forward” but does not shed any light on the latest state of play, noting only that it is “in the legislative process”.
- In coordination with the publication of this Strategy, the Commission has also announced that the “High-level Cybersecurity Conference” will take place on 28 May 2015 in Brussels. The conference will focus on the proposed NISD and the next steps for building cybersecurity capabilities.
- Review of the ePrivacy Directive: the Strategy also mentions the forthcoming review of the ePrivacy Directive, something that was heralded in President Juncker’s Mission Statements to his new Commissioners at the end of 2014. The Strategy document alludes to a potential future widening of the PECD rules relating to Internet players: it states that the PECD may need to be reassessed since most of its provisions apply only to providers of electronic communications services. The review of the PECD will not begin until the provisions of the new GDPR are adopted “which should be by the end of 2015” according to the Strategy.
US policy and regulatory developments
- The Department of Commerce has announced that it will be leading a delegation of 20 US companies to Bucharest, Romania and Warsaw, Poland in order to discuss a cybersecurity trade mission. Deputy Secretary Bruce Andrews will lead the five-day trip, which is due to start today (11 May 2015). The delegation (reportedly including major companies such as IBM, Cisco and Microsoft) aims to expand US cyber presence within Central and Southeast Europe.
- Following on from our 20 April update on China’s “Great Cannon”, the US State Department has confirmed that it has asked China to officially investigate the allegations that it has interfered with internet content hosted outside the country and that was then used to attack US websites. Despite repeated denials of knowledge by the Chinese government, the US has asked the Chinese authorities to conduct an investigation and report its findings.
Asia policy and regulatory developments
- Reuters is reporting that China’s legislature, the National People’s Congress, has drafted a new cybersecurity law calling for sovereignty over China’s cyberspace. The legislation is said to be a reaction to the recent Snowden leaks as the state seeks to protect “national internet space sovereignty, security and development interests”. It is not yet clear what this would mean in practice for net neutrality or international cyber cooperation.
- PBS is reporting that amongst the 32 bilateral agreements recently signed by China and Russia is an agreement to end aggression in cyberspace between the two countries. The article linked above hypothesises on whether this is an attempt to gang up on the West.
Attacks, reports and other news
- Following the release of its 2015 cyber attacks analysis report (named, “2015: A View from the Front Lines”, registration/download needed), Mandiant is asking whether 2015 will see the rise of the Chief Information Officer. The report highlights that there has been a big rise in the proportion of incidents affecting legal, business and professional service firms. Furthermore, the proportion of incidents detected by the victim organisation has fallen since 2012, from 38% to 33%. In the majority of cases, the victim is informed by an outside entity such as a law enforcement agency.
- Microsoft has released its new school of cybersecurity tools, named Microsoft Advanced Threat Analytics (ATA). The release is reported to be the product of Microsoft’s purchase of the enterprise security firm, Aorato, in November 2014, according to Ars Technica. ATA is said to continuously learn the behaviour of organisational entities and adjust itself accordingly to detect abnormal behaviour and malicious attacks.
- According to local press, an Alaska-based company, Afognak Native Corporation, has had $3.8 million stolen by cyber criminals. Hackers reportedly requested the transfer of money to a fictitious business account in Hong Kong, which the business’s controller regrettably believed to be real. The company is now working closely with the FBI in order to try to recover the sum.
- The BBC is reporting that far-right extremists may have been to blame for the hack of a website relating to the Nazi concentration camp, Mauthausen. The website had to be quickly deactivated after an unspecified message was displayed on the website to mark the 70th anniversary of the closing of this concentration camp that killed more than 100,000 Jewish people in WWII.
- New startup Cybereason, which specialises in gathering and displaying real time threat information, has just raised $25 million in Series B funding. Investors include the security company, Lockheed Martin.
- One hacker has received his digital comeuppance after exploiting weaknesses in the code of the online game, Guild Wars 2, in order to cheat the game into giving him additional powers. The hacker, called DarkSide, was brought to the attention of the game’s administrators via a series of user-captured videos of his unfair exploits. The administrators served up their own brand of retribution by forcing the online character to strip and then making him leap from a bridge to his digital death.
Contributors to this week’s update: Tom Pritchard, Paralegal, Claire Walker, Head of Commercial Know How and Ashley Hurst, Partner, Commercial Litigation.