The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- The Department for Business, Innovation and Skills has announced the addition of two more participating companies to the cybersecurity supplier to government scheme. The NCC Group and Perspective Risk Ltd can now advertise themselves as companies supplying a cybersecurity product to the UK government and use the government’s logo in marketing materials in order to increase the UK’s cybersecurity exports.
EU policy and regulatory developments
- Network and Information Security Directive (NISD): There is a frustrating dearth of information in the public domain about the latest progress on the NISD. The EU Council’s Consilium website page on the Directive has been updated with the following report: “A third trilogue meeting took place on 30 April 2015. Although progress was made during the trilogue, important differences remain between the Council and European Parliament positions. The trilogue was therefore useful in further clarifying their respective concerns. The date for the next informal trilogue has not yet been finalised”. Datonomy will continue to monitor progress.
- European Commission Vice-President for the Digital Single Market, Andrus Ansip, has given an interview regarding data protection and cybersecurity to the European policy website, EurActiv. In the interview, Ansip commented that he expects the Commission’s proposed public-private partnership on cybersecurity to go live in early 2016.
- Regarding the General Data Protection Regulation (GDPR), Ansip stated: “After three years of talks, the negotiations on the data protection reform are in a good path. The next EU Presidency Luxembourg is willing to conclude the negotiations and the European Parliament is ready to vote. The Commission expects an adoption of the reform by the end of the year. Once the new EU rules on data protection are adopted, which should be by the end of 2015, the Commission will review the ePrivacy Directive. Special rules which apply to electronic communications services will indeed need to be adapted to the new framework on the protection of personal data. It will also be important to assess the scope of the Directive. It currently applies to providers such as traditional telecoms companies but not all market players are covered.”
- Regarding the importance of cybersecurity, Ansip also stated, “I want EU industry to stay ahead in the fast moving and ever more important cybersecurity market. Today, only 22% of Europeans have full trust in companies such as search engines, social networking sites and e-mail services… A public-private partnership is a good tool to ensure industry and public actors jointly deliver a project of common European interest. This is not only about new initiatives. The Network and Information Security Directive that is currently being negotiated with the European Parliament and the Council will greatly contribute to a higher level of cybersecurity in Europe.”
- The European Union Network and Information Security Agency (ENISA) has been busy holding and announcing a variety of workshops. The ENISA CERT (Computer Emergency Response Team) workshop was held on 12 May 2015. On 13 May 2015, ENISA hosted two different workshops. The first workshop discussed the lessons learned from Cyber Europe 2014 and plans for Cyber Europe 2016 (see Datonomy’s previous coverage of the Cyber Europe programme here), while the second workshop discussed the topic of cybersecurity in education and how better to integrate cyber disciplines into university curricula. Looking forward, the ENISA Trust Services Market workshop is now scheduled to be held on 30 June 2015 in Brussels.
US policy and regulatory developments
- President Obama has put his full support behind the USA Freedom Act, which is about to be voted on by the House of Representatives. The Act would put limits on the National Security Agency’s powers to collect bulk information concerning Americans’ phone records but would still retain other more targeted collection powers. The Act, which is expected to pass easily following a 25-2 vote in the Judiciary Committee last month, is seen as a necessary step before the legislature will move on any cybersecurity bill.
- Admiral Michael Rogers, the head of the National Security Agency, recently commented that the US will be prepared to use physical retaliation against the agents of a cyber attack. Speaking at a forum at George Washington University, Rogers stated, “Because an opponent comes at us in the cyber domain doesn’t mean we have to respond in the cyber domain”.
Asia policy and regulatory developments
- Japan’s National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) is planning to expand the Japanese private sector’s obligation to share cybersecurity information with the government as early as June 2015. Following 5.08 million cases of unauthorised computer access within the Japanese government in 2013, the legislature and executive appear keen to bolster the national information-sharing regime.
Attacks, reports and other news
- Russian cybersecurity company Kaspersky has opened a research centre in London (to complement its offices in Moscow, Beijing and Seattle and another planned research centre in Jerusalem) according to Wired.com. The centre, which will focus on threats targeting national governments, major infrastructure and the public, will be in Paddington and will enable Kaspersky to better track attacks around the clock and to detect emerging malware threats more rapidly.
- The New York Times is reporting that the creator of Hacker’s List, a website that allows people to bid for the services of hackers, has been revealed as Charles Tendell, the owner of Azorian Cyber Security, a cyber consultancy firm. Tendell is now arguing that the site only offers the services of ethical hackers to do legal jobs.
- SC Magazine is reporting that hackers have attacked Starbucks’ mobile rewards card app. The hackers were able to gain access to users’ personal data and transfer money from various bank accounts. Experts are advising that this is a cautionary tale in favour of using a two-factor authentication (2FA) process, where users are required to verify their identity when logging in from a new device or location.
- The Washington Post has published an opinion piece regarding the potential effect quantum computing could have on the cybersecurity industry. The author notes that quantum computers “will perform in seconds computations that would have taken conventional computers millions of years. They will enable better weather forecasting, financial analysis, logistical planning, search for Earth-like planets, and drug discovery. And they will compromise every bank record, private communication, and password on every computer in the world — because modern cryptography is based on encoding data in large combinations of numbers, and quantum computers can guess these numbers almost instantaneously.”
- Industry website BusinessGreen.com has written an opinion piece regarding whether or not the UK’s energy infrastructure is prepared for a cyber attack. Innovations within the energy sector, such as smart meters and energy demand response controls, could create yet another conduit through which hackers may be able to penetrate our homes, our businesses and our infrastructure. Michael John, a cybersecurity expert at the European Network for Cyber Security (ENCS), is interviewed to explore the possibilities.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Client Knowledge.