Another day, another massive personal data security breach… but how have lawmakers and regulators reacted in developing cybersecurity policies so far this year?
This week it was reported that Equifax, the US credit bureau, suffered a giant cybersecurity breach this summer compromising the personal information (including names, social security numbers, birth dates, addresses and, in some cases, driver licence numbers) of roughly 143 million people living in the US, nearly half of the population. To add to the enormity of the news, personal data belonging to millions of non-US residents (including people based in Canada and the EU) was also compromised. The cause, apparently, was a vulnerability in the agency’s website that allowed data on its servers to be accessed unlawfully. This must be one of the biggest breaches on record (so far), and yet there is almost a sense of inevitability in the media that stories of this type will hit the headlines from time to time. Who could forget the outbreak of the ‘WannaCry’ ransomware worm a few months ago and its effect on organisations globally? Meanwhile, foreign states and state-sponsored groups regularly attempt to penetrate publicly and privately owned critical infrastructure networks, targeting in particular the defence, finance, energy and telecommunications sectors.
So how are governments responding to major cybersecurity attacks that affect large portions of society this year, especially when – to use the words of a recent draft report by the European Parliament about the fight against cybercrime – “the lines between cyber crime, cyber espionage, cyber warfare, cyber sabotage and cyber terrorism are becoming increasingly blurred”?
The purpose of this blog post is to give an overview of what governments and their regulators on both sides of the Atlantic are doing to ramp up cybersecurity initiatives in the private and public arenas so far in 2017. As noted in previous blog posts on this topic (see, e.g., here for 2016 and here for 2015), many sector-specific regulators typically have a mandate to oversee aspects of cybersecurity, with varying enforcement powers and responsibilities, whereas governmental support to the private sector focuses on promoting information sharing, issuing guidance, and assessment.
In the US, key developments included the following:
- President Trump signed an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The Order aims to bolster the federal government’s cybersecurity and protect critical infrastructure from cyberattacks. It confirms that it is now US policy to manage cybersecurity risk as an executive branch enterprise, holds agency heads accountable for the risk to their own networks (and directs agencies to use the NIST Cybersecurity Framework in managing it), and introduces measures to support agencies in doing so. The Order also requires the Department of Homeland Security, together with other agencies, to report on public-private partnership opportunities to support the cybersecurity efforts of critical infrastructure entities.
- The National Institute of Standards and Technology (NIST) has published a draft update (Version 1.1) to its Framework for Improving Critical Infrastructure Cybersecurity, first issued in 2014, as a resource to help organisations manage cybersecurity risks. The update clarifies key terms, introduces methods for measuring cybersecurity outcomes, and provides new detail on managing supply-chain cyber risks, and it has been refined further in light of public comments received since publication. A final version of the updated Framework is due to be published shortly (see here).
- On a less encouraging note, in April Congress voted, and President Trump signed a resolution under the Congressional Review Act, to repeal the privacy and data security rules for internet service providers (ISPs) previously adopted by the Federal Communications Commission (FCC). Specifically, the now repealed rules: imposed breach notification requirements; prohibited ISPs from refusing to provide service to customers who did not consent to information sharing; and required ISPs to give customers notice and choice over the personal information they collect and how they use and share it (with opt-in or opt-out consent prescribed according to the sensitivity of the information concerned).
At the EU level, this year, efforts continue to push forward the vision for a harmonised approach to how Member States deal with growing cybersecurity threats:
- The European Commission has indicated its intention to further increase its role in directing cybersecurity policy and responses across EU Member States (for a January 2017 overview of its focus so far, see here). In June, it published a ‘Reflection Paper on the Future of European Defence’ setting out three scenarios for cooperation on defence and security arrangements, including in response to rising cyber-attacks. These are intended to facilitate information-sharing between bloc countries (excluding the UK post-Brexit) when coordinating responses to such attacks, technological cooperation, and joint doctrines on cyber-threats. The three scenarios, presented as possible paths towards a ‘Security and Defence Union’ by 2025, are: 1) Security and Defence Cooperation, under which Member States would simply cooperate on defence and security more often than before; 2) Shared Security and Defence, under which Member States would move to closer financial and operational integration of their defence and security measures; and 3) Common Defence and Security, under which solidarity and mutual assistance between Member States would become the default position on defence and security issues, ultimately involving a common EU defence policy.
- The Commission has also adopted Implementing Decision (EU) 2017/179, laying down the procedural arrangements necessary for the functioning of the Cooperation Group pursuant to Article 11(5) of the new ‘Cybersecurity Directive’ (formally, Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union, commonly called the NIS Directive; see my earlier post for more on it). The Cooperation Group has been established to support and facilitate strategic cooperation and the exchange of information among Member States, and to help them set up procedures for identifying ‘operators of essential services’ (the organisations that will have heightened security and incident-reporting obligations under the new legal framework) within the relevant sectors. As a reminder, Member States must transpose the Directive into domestic law by 9 May 2018 and apply its measures from 10 May 2018.
- The EU cybersecurity agency, ENISA, is about to have its mandate renewed and strengthened, and the Commission is presenting a wide range of new cybersecurity measures alongside that renewal. Also this month, the Commission continues work on a legislative proposal on cross-border data access, and an announcement is expected shortly on an overhaul of EU cybercrime rules covering hacking, vulnerabilities, encryption and information sharing between EU countries. This forms part of a new EU cybersecurity strategy responding in particular to the rapid growth of the ‘Internet of Things’ (the explosion of network-connected devices in every aspect of daily life). One possible ‘trust-by-design’ initiative is an EU certification and labelling scheme (whether mandatory or voluntary is as yet unclear) to rank devices by the strength of their cybersecurity features, something that smaller players are unhappy with, as they fear it might preferentially benefit dominant suppliers.
In the UK:
- The Government has identified ‘cyber’ as a ‘Tier 1’ threat to national security and is taking steps to better understand the state of cybersecurity across critical national infrastructure and to update regulation accordingly. (Measures to improve the cybersecurity of the UK’s critical national infrastructure, the perceived challenges in implementing them, and international policy and legislation in this area are usefully summarised in a new Parliamentary Office of Science and Technology (POST) note, available here.) This follows last year’s publication of the UK’s five-year national cybersecurity strategy, the National Cyber Security Strategy 2016-2021, outlining the Government’s aim to make the UK secure and resilient to cyber threats.
- The Department for Digital, Culture, Media and Sport (DCMS) has published a consultation on plans to implement the Cybersecurity Directive into UK law. The consultation document sets out the Government’s proposed approach and asks a series of questions on issues such as: which essential services the Directive needs to cover; penalties; the competent authorities that will regulate and audit specific sectors; the security measures the Government proposes to impose; timelines for incident reporting; and how the regime affects digital service providers. The deadline for comments is the end of this month.
- DCMS has also published its Cyber Security Breaches Survey 2017 as part of its review of implementation of the national cybersecurity strategy. The survey found that almost half of British businesses (46%) identified at least one cyber security breach or attack in the past year, but that external reporting of breaches to agencies is uncommon (with only 26% of the companies surveyed taking this step). The survey also points to a continuing strong need for UK businesses to seek information, advice or guidance on cyber security risks and to put adequate protections in place.
- The Information Commissioner’s Office (ICO) imposed a record fine of £400K on TalkTalk for failing to protect customer data following its widely publicised October 2015 breach (the fine was announced in October 2016 and remains the benchmark for such failures). Since then, the ICO has produced further guidance in this area, including guidance on ransomware setting out tips for prevention and recovery.
With the new EU data protection rules (the GDPR) and the Cybersecurity Directive both applying from May next year, and the new ePrivacy Regulation currently in the legislative pipeline, the emphasis is plainly on public and private organisations active in the EU to ‘up their compliance game’ in line with the principle of organisational accountability (no ‘passing the buck’ to consumers in Europe). That means not only ensuring that breaches of personal data and of network and information systems are notified to regulators (mandatory in different circumstances and on different timelines from next year: under the GDPR, for example, a notifiable personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it), but also ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and the ability to restore them promptly after an incident. More than ever, therefore, it is critical that organisations investigating such incidents consider their legal obligations from the outset, including the need to preserve evidence and to meet notification deadlines.
Also notable this year, as a departure from strategies of old, is a shift by governments across the world towards providing more support and intervention from the ‘top down’, whereas previous cybersecurity strategies relied on the assumption that market forces would be the main driver of adequate cybersecurity efforts from the ‘bottom up’.
Same time, same place next year?