The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
EU policy and regulatory developments
- General Data Protection Regulation (GDPR): The second trilogue negotiation is, according to this previously released (unofficial) timetable for completion, scheduled for today, 14 July. The second meeting will focus on the issues of territorial scope (Article 3) and international transfers (Chapter V). This 682-page document dated 8 July, but not yet uploaded to the Council’s website, has been leaked by Statewatch. It is a line-by-line table comparing the Commission’s, the European Parliament’s (EP) and the Council’s respective negotiating positions on the whole Regulation. Regarding the issues of data security, data breach notifications and processor obligations contained in Chapter IV of the draft, according to the above unofficial timetable, these are due to be negotiated in September. Although there are some differences of detail between the institutions’ positions, this is one of the less contentious aspects of the Regulation, and the leaked document does not contain any surprises, as the relative positions have been known for some time. In this new article we set out a recap of the state of play on the security and breach issues as they currently stand.
- Network and Information Security Directive (NISD): perhaps understandably, given more pressing issues within the EU over the past week, it has been another quiet news week for the Network and Information Security Directive. There do not appear to be any new progress reports in the public domain. The draft Directive was mentioned in passing in this speech made on 9 July by Commissioner Avramopoulos after the informal Home Affairs Council in Luxembourg which highlighted a number of recent EU initiatives to fight cyber crime (see next item). However the speech does not give any clues as to the latest progress on adoption.
- Recent EU cyber crime initiatives: this speech made on 9 July by Commissioner Avramopoulos highlighted the following recent developments in terms of EU policy and initiatives: a successful joint international operation coordinated by Europol’s European Cybercrime Centre (EC3) and Eurojust to break up an international cybercrime ring operating in 5 EU states and Georgia; the planned launch in the autumn of an international forum to bring together Member states and ISPs to combat terrorist material on the Internet.
- The European Union Network and Information Security Agency (ENISA) has published its conclusions following the recent EU28 Cloud Security Conference. In order to drive the digital economy, ENISA has concluded that cloud computing policy must:
- Address users’ concerns regarding security;
- Raise awareness and educate users and SMEs on cloud security;
- Improve the transparency of cloud services via improved continuous monitoring mechanisms;
- Adopt flexible policy approaches that consider further technological development; and
- Reinforce the importance of diligent data protection.
Unfortunately, no indications were given as to how this agenda will be progressed.
UK policy and regulatory developments
- The Bank of England’s “Financial Stability Report” cites cyber-risk as an area of increasing concern for the banking sector (see pages 31-33). The report states “The threat from cyber attack is growing, as financial services are increasingly offered via complex and interconnected IT platforms, while access to the technology and skills needed to commit cyber attacks has spread.”
- GCHQ has announced that the first Cheltenham Cyber Summer School has now begun. The Summer School is a 10-week GCHQ programme for computer science students. “The course has been designed to focus on areas which would be particularly relevant to people taking on roles as Computer Network Operations Specialists. It includes modules on advanced coding, malware, operating systems, reverse engineering, cyber defence, and penetration testing.”
Irish policy and regulatory developments
- Ireland recently published its Cyber Security Strategy 2015-2017. The Strategy sets out that, in the period 2015-17, the Computer Security Incident Response Team (CSIRT-IE) will formally move from the Department of Communications to the National Cyber Security Centre, and will grow to include an accredited Government Computer Security Incident Response Team (g CSIRT) and then an accredited national CSIRT (n CSIRT). Given that 9 of the top 10 software firms in the world have major operations in Ireland, the Irish government sees cybersecurity as a key growth industry. In order to deliver on this potential growth the plan will also:
- Continue to improve the resilience of networks in critical infrastructure and the public service;
- Raise awareness of the importance of cyber security to business and citizens, and support them in securing their networks, devices and information;
- Further develop a culture of cyber security across society, including through cooperation with the education system, industry and academia; and
- Continue to build on Ireland’s global reputation as a technology and information security hub, and help promote Ireland as the location of choice for ICT businesses.
US policy and regulatory developments
- The US Chamber of Commerce announced the launch of its Cybersecurity Leadership Council on Tuesday, 7 July. The Leadership Council consists of a group of businesses and associations that are aiming to drive market-based cybersecurity solutions by creating a forum in which businesses can have an open dialogue. The group includes (to name just a few): the Alliance of Automobile Manufacturers, American Gas Association, American Petroleum Institute, BlackBerry, CTIA-The Wireless Association, Edison Electric Institute, Food Marketing Institute, National Cable & Telecommunications Association, Retail Industry Leaders Association, Schweitzer Engineering Laboratories Inc., The Boeing Company, J.P. Morgan Chase, and US Telecom Association.
Asia policy and regulatory developments
- Reuters is reporting that China’s parliament has published its new draft cybersecurity legislation. Following the recent passage of China’s sweeping National Security Law, the cybersecurity legislation is similarly comprehensive, strengthening “user privacy protection from hackers and data resellers but elevating the government’s powers to obtain records on and block dissemination of private information deemed illegal under Chinese law.”
Attacks, reports and other news
- When the US Office of Personnel Management (OPM) was first hacked, reports suggested that 4 million government employees’ personal information had been put at risk. Later the number jumped to 10 million. Now, the US government has officially stated that 21.5 million current and former federal government employees’ records have been compromised, including their social security numbers. In a further development, it is now being reported that OPM director, Katherine Archuleta, has resigned in order to help the department “move beyond the current challenges”.
- SC Magazine is reporting that the hacking group Morpho (aka Wild Neutron) has returned once more. The reason the group receives such attention is that, unlike most hacker groups, which target credit card details and other easily monetised data, Morpho specifically targets the intellectual property and high-level data of the world’s biggest tech companies. After a spate of attacks in 2012, 2013 and 2014, all appeared to have gone quiet until Symantec reported that Morpho had recently hit 33 major organisations worldwide.
- CERT-UK’s weekly update has revealed that the Edinburgh Council was recently the victim of a cyber attack in which it lost 13,000 email addresses. The update also features an update on the UK government’s Cyber Essentials scheme and vulnerabilities relating to Adobe, Mozilla, IBM and Cisco software. Read the full report here.
- The Intelligent Insurer is reporting on Lloyd’s and the University of Cambridge’s recent report that a cyber attack on the US power grid could cost insurers up to $1 trillion. The report, “Business Blackout”, sure to scare insurance companies, breaks down claimants into six primary categories: “power generation companies; defendant companies; companies that lose power; companies indirectly affected; homeowners; and specialty.”
- BBC News is reporting that a particularly audacious Finnish teenager has been convicted of cyber crimes after hacking into over 50,000 computers, including those at Harvard University and MIT. The Finnish District Court judge has handed down a two-year suspended prison sentence, taking into consideration the fact that the offender was 15-16 when he committed the crimes. Critics have been quick to accuse the judge of being too lenient, arguing that such a short sentence, for such a large number of attacks, does little to deter other hackers.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Client Knowledge.