The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- On 11 June the much-anticipated Report of the Investigatory Powers Review (or Anderson Report) was published, making recommendations for an overhaul of the UK’s regimes for communications data retention and communications interception. It will inform the government’s promised Investigatory Powers Bill, which is due to be published in the autumn for pre-legislative scrutiny. The news has been widely covered by the BBC and the Guardian, and there is tech industry reaction on the website of Tech UK.
EU policy and regulatory developments
- Network Information Security Directive (NISD): Inter-institutional agreement on the draft Directive before the end of June – when the rotating Council Presidency will change hands from Latvia to Luxembourg – is looking less likely. The Telecoms Council met on 12 June to discuss digital topics relating to the Telecoms Single Market. As part of those talks, ministers received an update on negotiations around the Commission’s draft of the NISD. The meeting note from Consilium states that, “The presidency informed ministers on progress on the draft network and information security directive. Minister Matiss said that talks with the Parliament were approaching their final stage. The key outstanding issues were the approach to the harmonisation in the identification of operators covered by the rules and the issue of the inclusion of Internet enablers. [Furthermore] The incoming Luxembourg presidency presented its telecommunications work programme for the second half of 2015. Digital issues will be a horizontal priority for Luxembourg.” In other words, no concrete news yet.
- The only new official document on the Consilium website relating to the Directive is a 2-pager dated 8 June entitled “Information on the state of play”, which indicates that as at that date the Latvian Presidency was “confident” that the Council and Parliament “will be able to work towards effective compromise solutions on the outstanding issues with a view to bringing closer the positions of the institutions and possibly an agreement before the end of June”.
- Meanwhile, the UK Department for Business, Innovation and Skills has published a note stating that “A number of areas have been informally agreed between the two institutions” (the European Council and Parliament). These areas are said to be:
  - Allowing Member States greater flexibility in using existing authorities for the required “institutional infrastructure”;
  - Allowing Member States to develop their own sector-specific guidelines on what would constitute a reportable ‘incident’;
  - Allowing voluntary cooperation and information sharing.
- However, the note does concede that the issue of scope (i.e. whether search engines and social media sites will be included) is yet to be resolved. A written statement by Ed Vaizey, Minister for Culture and the Digital Economy, on 11 June in advance of the Telecoms Council meeting sets out the UK Government’s stance on the negotiation as follows: “I do not intend to intervene on this item. However, if a round table is initiated by others on this item I will remind Council that whilst the UK supports the aim of raising the level of cyber security across the Union it would be prudent to take our time and make sure we get the detail right so the Directive is not unduly burdensome on business.” As previously reported by Datonomy, the UK is one of the Member States opposed to the Directive extending to online service providers.
- General Data Protection Regulation (GDPR): As reported in last week’s update, the Council is scheduled to try to agree its common position on the GDPR at meetings today and tomorrow (15 and 16 June); if it is successful, the final phase of the legislative process – namely trilogue with the Commission and Parliament – can begin. More news next week.
US policy and regulatory developments
- The Washington Examiner is reporting that Senate Majority Leader Mitch McConnell is pressing hard to advance cybersecurity legislation following last week’s Office of Personnel Management (OPM) breach, in which 4 million employees’ records were compromised.
- Sputnik News is reporting that US Senator Charles Schumer has said that the IMF should punish China for its supposed role in the aforementioned OPM hack. Former Arkansas Governor and potential Republican Presidential nominee Mike Huckabee is going even further, urging President Obama to retaliate against the Chinese and “punch them in the face”.
Attacks, reports and other news
- The RSA has published its first “Cybersecurity Poverty Index”. The index is the result of a self-assessment conducted by over 400 information security professionals across 61 countries. The survey found that:
  - Only 25% of respondents have a mature security strategy; consequently, 75% of respondents are exposed to a significant cybersecurity risk;
  - In a regional analysis, Asia Pacific was found to have the highest percentage of respondents with mature security strategies (39%). EMEA was second with 26% and the Americas third with 24%;
  - A sector analysis revealed that the telecommunications industry had the highest percentage of respondents with mature security strategies, with 50%, while the government sector scored a poor 18%.
- RSA concluded that “organizations still overemphasize protection over detection and response, despite the fact that protection / preventative capabilities alone are fundamentally incapable of stopping today’s greatest cyber threats.”
- The Sunday Times (subscription required) is reporting that Russian and Chinese spies may have cracked the encryption Edward Snowden was using to secure the files he stole from the NSA. According to an anonymous source in the Home Office, this has meant that MI6 has had to withdraw multiple agents from the field to ensure their safety. Read more from the Guardian here.
- The BBC is reporting that the Russian cybersecurity giant Kaspersky Lab has revealed that it was hacked in “early spring”. The attackers used previously unknown techniques to gain access to files relating to the company’s newest technologies, though chief executive Eugene Kaspersky has stated that the attack was caught relatively early and that no critical data has been compromised.
- German news site DW is reporting that French investigators have reason to believe that the hack of France’s TV5 Monde broadcaster in April 2015 was perpetrated by a Russian group. The use of Islamic State messages in the hack led many to believe the perpetrators were from Iraq or Syria; however, the hack has now been traced back to “APT28” in Russia.
- The BBC is also reporting that the attack on the German Bundestag computers, which came to light over a month ago, is still managing to steal data from infected machines. The federal office for computer security (the BSI) is apparently considering whether to replace all 20,000 compromised computers outright or whether there is a way to effectively disinfect them.
- CERT-UK has chosen to focus its weekly update on the recent announcement that Apple Pay will soon be rolled out in the UK. CERT-UK is keen to stress that Apple Pay appears to be a secure payment system, but that users may well still expose themselves to greater risk of fraud simply because users don’t typically use strong enough passwords (and presumably because we’re all liable to misplace our phones every now and then). The weekly report concludes that “Modern secure payment systems are never a replacement for lax information security and this is yet another example of how the lucrative criminal marketplace can commit fraud from stolen credit details.” Read the full report here.
- According to a new market research report published by MarketsandMarkets, the cybersecurity industry will be worth $170 billion by 2020.
- Google Chairman Eric Schmidt is throwing his weight behind the cybersecurity company “illusive networks” after it raised $5 million in a Series A funding round. Schmidt is reportedly impressed by the company’s “deception everywhere” technology, which neutralises targeted attacks by creating a deceptive layer across the entire network.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Client Knowledge.