The latest round up of legal and regulatory developments and news on cyber security from the Datonomy blogging team at Olswang LLP.

With thanks to Datonomy’s correspondents Tom Pritchard in London and Sylvie Rousseau (Paris and Brussels) for their contributions to this week’s update.

EU policy and regulatory developments

• General Data Protection Regulation: ITProPortal and the Register are reporting that the trilogue negotiations on 14 July made “good progress” and culminated in agreement on Chapter 5 (territorial scope) and Article 3 (international transfers). The Council’s Consilium website has posted a document detailing the debrief that the Council received on 15 July; however, this document is not yet publicly accessible, so we cannot report on the substance of the agreed compromise. The Register’s article states that “there has been a notable push to get the GDPR onto the law books as soon as possible. Negotiators have set themselves an ambitious deadline – the Justice and Home Affairs Council meeting in October”. In case any Datonomy readers thought this meant an unexpected and significant acceleration of the “by the end of 2015” timetable for the trilogue negotiations, Datonomy respectfully suggests that the mid-October deadline referred to by the Register does not in fact refer to the GDPR, but to the other, less high-profile part of the DP reform package, namely the proposed Directive on police and judicial cooperation. That view is supported by this update from the European Parliament last month, which states that Member States still have to agree their negotiating brief for the directive. MEPs urge the EU countries to come to an agreement on this by October 2015 and stress that the regulation and the directive should be negotiated as a package. The Register puts a date on the next trilogue negotiations on the GDPR – 1 September, straight after the Summer break. We will continue to keep you posted.
• Network and Information Security Directive (NISD): It has been yet another quiet week for news on the NISD. On 15 July the draft Directive got a mention as one of the priorities of the new Luxembourg Council Presidency (which we already knew) in this presentation by Prime Minister Xavier Bettel. On 16 July it got a passing mention in this Council Communication on Energy. But there appears to be no public-domain news on further progress towards adoption.


UK policy and regulatory developments

• The Government has announced plans to launch a £1 million voucher scheme to protect small businesses from cyber attacks. The scheme is part of a package of initiatives intended to increase cybersecurity within UK businesses. Micro, small and medium-sized businesses will be offered up to £5,000 for specialist advice as well as help to adopt Cyber Essentials, the Government’s flagship scheme to protect businesses online.

• GCHQ has announced that Northern Exposure, its Scarborough Cyber Summer School, has now begun. The Summer School is a six-week programme which includes learning about the structure of the Internet, information assurance, malware and the cyber threat landscape.


• While not strictly a cyber security measure, as Datonomy readers will by now be aware, the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA) was overturned by the High Court on Friday 17 July, a year to the day after its controversial and hasty adoption. It will continue in force until March 2016 to allow the Government to introduce replacement legislation, expected to be published for pre-legislative scrutiny in the Autumn. The judgment and order may be accessed on the Courts and Tribunals Judiciary website here.

US policy and regulatory developments

• Jeh Johnson, the Secretary of Homeland Security, has published an article on the Politico website claiming that American cybersecurity is “not where it needs to be” before advocating the wider implementation of the EINSTEIN defence system. Partly in response to the recent OPM hack, Johnson is arguing that the EINSTEIN programme needs to be rolled out across the entire federal government. The link above has a fuller description of the elements of EINSTEIN.
• SC Magazine has written a piece arguing that the diplomatic agreement between the US and Iran, signed on 14 July to create a nuclear pact, may have indirectly advanced Iran’s cyber capabilities. In return for nuclear assurances, the pact grants Iran some sanctions relief that the US Senate Intelligence Committee chairman, Richard Burr, believes may be used to support “terrorism, whether that’s cyber, [or] whether it’s conventional weapons purchase.”


Attacks, reports and other news

A selection of cyber stories from the past week’s news.

• Business Korea is reporting that the Korea Hydro & Nuclear Power Corporation has been hacked again (the last time being in December of last year). North Korea is again implicated in the attack, which this time has compromised unspecified internal data.
• BBC News is reporting that Darkode, a hacking site used to trade and share hacking tools and information, has been shut down following an investigation carried out by authorities in 20 countries. Described as “a sort of meeting ground for cybercriminals from different nationalities and languages”, the forum’s visitors included members of Lizard Squad, the hacking group that has been behind recent high-profile attacks. The FBI reported that up to 300 people had used the forum.
• ITProPortal is reporting that Hacking Team, an Italy-based online security firm, has become the victim of a cyber attack resulting in 400GB of information being stolen. The firm builds surveillance software for intelligence agencies and the police, so the nature of the data is highly sensitive. Some information has already been released on WikiLeaks and similar websites, and Hacking Team has warned customers not to use its software. The firm believes that a foreign government may be responsible.
• This week’s CERT-UK update features the actions of a hacking group calling themselves the Russian Guardians. The group has recently been exploiting a vulnerability in OpenSSL to gain access to virtual servers, wipe the contents and then leave a single file demanding a ransom sum for their return.
• SC Magazine has published an opinion piece about one of Datonomy’s pet topics, the cyber security threat within the supply chain. With a recent survey finding that 17% of cyber incidents occurred due to “weaknesses in vetting people”, 18% from “third-party suppliers” and 10% from malicious internal employees, the threat should not be underestimated. The article outlines the appropriate balance to strike between commercial and security objectives.


M&A news

• Reuters is reporting that cybersecurity firm CrowdStrike Inc has raised $100 million in a funding round led by Google Capital. The company’s clients include five of the world’s 10 largest banks and three of the top 10 oil and gas firms. CrowdStrike already has a large following due to its work on some of the most sophisticated electronic intrusions, yet it may benefit further from Google’s input.


And finally…

• US airline United has rewarded two hackers with a million flight miles each for privately disclosing to the airline security holes that they found in its website. BBC News is reporting that the ‘bug bounty’ scheme prevents these flaws from being shared publicly and is said to be a big step forward for online security. Critics argue that bug bounties discourage companies from hiring professional security staff, yet they also provide a solution for smaller companies that cannot afford to provide cash rewards.


One thought on “Cyber update for the week commencing 20 July 2015”
