Cyber security affects all businesses and industries and is a Board level agenda item.
Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA.
EU Cyber Security Directive published in the Official Journal
The EU Network and Information Security Directive (otherwise known as the Cyber Security Directive) has been published in the Official Journal. Member States will now have until 9 May 2018 to adopt appropriate national legislation to comply with the Directive, with such legislation to apply from 10 May 2018.
The Cyber Security Directive requires certain "operators of essential services" to adopt risk management practices and report major security incidents on their core services to the appropriate national authority.
By 9 November 2018, for each sector and subsector referred to in Annex II to the Directive, Member States are required to identify the operators of essential services with an establishment on their territory. The sectors listed in the Directive are: energy, transport, banking, financial market infrastructures, health sector, drinking water supply and distribution and digital infrastructure. The criteria for the identification of the operators of essential services are that:
- an entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information systems; and
- an incident would have significant disruptive effects on the provision of that service.
Digital service providers, being providers of online marketplaces, online search engines and cloud computing services are also subject to security requirements.
UK Information Commissioner issues record fine of £400,000 for TalkTalk's cyber security breach
On 5 October 2016, the UK's Information Commissioner's Office ("ICO") issued TalkTalk Telecom Group plc with a record £400,000 monetary penalty notice. The fine was a result of TalkTalk's cyber security breach in October 2015, which led to the theft of personal data of almost 157,000 customers, including the bank account number and sort code details of nearly 16,000.
In October 2015, cyber attackers accessed a database of Tiscali UK, a company acquired by TalkTalk in 2009, by compromising the company's unpatched version of MySQL through the well-known "SQL injection" method.
The Information Commissioner, Elizabeth Denham, found TalkTalk to have contravened both the fifth and seventh principles of the Data Protection Act 1998, which require data controllers to delete personal data that is no longer needed for a particular purpose, and take appropriate measures to prevent personal data being accidentally or deliberately compromised.
The Commissioner has exercised her power under the legislation to issue a fine, given that the volume and nature of the compromised data amounted to a serious contravention, of a kind likely to cause substantial damage or distress. The Commissioner lent particular weight to the fact that the contravention was foreseeable, in that TalkTalk had twice been compromised in 2015 through the same SQL injection vulnerability, and it was a well-documented method of attack for which defences are known. As such, the Commissioner's view was that TalkTalk knew or ought reasonably to have known of the likely risk of a breach causing substantial damage or distress, but failed to take preventive steps nonetheless.
TalkTalk has until 2 November 2016 to pay the £400,000 fine or appeal. Should it choose to pay by 1 November 2016, TalkTalk will benefit from a £80,000 reduction, but will lose the right to appeal.
The Commissioner has also warned that "cyber security is not an IT issue, it is a boardroom issue". The attack has cost TalkTalk over 100,000 customers and over £42 million so far.
European Court rules on storing dynamic IP addresses to help prevent cyber attacks
The Court of Justice of the European Union ("CJEU") has ruled that the operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks.
In the case of Patrick Breyer v Bundesrepublik Deutschland, Mr Breyer had brought an action before the German courts to prevent websites, run by Federal German institutions, from registering and storing his IP addresses. The institutions register and store the IP addresses of visitors to their sites, together with the date and time when a site was accessed, with the aim of preventing cyber attacks and to make it possible to bring criminal proceedings.
The main question before the CJEU was whether dynamic IP addresses constitute "personal data" for the data protection purposes. The court found that a dynamic IP address would constitute personal data where the website operator had the legal means of identifying the relevant individual with the help of additional information from the internet service provider. The court further found that, in the case, the German institutions had a legitimate interest in processing such personal data for the purpose of preventing cyber attacks.
Directors want companies to be held responsible for cyber security issues
According to research group ComRes, which surveyed 200 directors from companies with more than 500 employees, 71% of directors believe companies should be penalised for failing to meet basic cyber security requirements. An even bigger number (77%) believe that regulators should be tougher on companies that have inadequate defences.
At the moment, data protection breaches are enforced by the Information Commissioner's Office in the UK, which can fine up to £500,000 for serious breaches of data protection rules. However, these fines are due to increase up to EUR 20 million or 4% of annual worldwide turnover (whichever is greater) under the new General Data Protection Regulation coming into effect in the EU in May 2018.
The research follows the recent House of Commons report into the TalkTalk data breach, which recommended that CEO compensation should be linked to cyber security - something we reported on in our previous cyber security bulletin, available here.
UK Information Commissioner advises that Digital Economy Bill should hold directors personally liable for "nuisance call" fines
On 13 October 2016, Information Commissioner Elizabeth Denham appeared in a Public Bill Committee Hearing to discuss the latest draft of the UK Digital Economy Bill. The Digital Economy Bill seeks to improve internet connectivity and protections for internet users through a range of measures, including further regulation of direct marketing through a new Direct Marketing Code.
When asked by Member of Parliament, Kevin Brennan, if she would support moves to introduce director liability for nuisance calls, Denham agreed. Although the Information Commissioner's Office can impose fines of up to £500,000 on a company that seriously breaches data protection laws, and has issued £4 million in fines in the past year alone, a large portion of this money is not recovered due to companies going into liquidation and reappearing soon afterwards with the same directors. Denham agreed that an amendment to the Bill would be helpful to avoid such occurrences.
The Public Bill Committee is scheduled to conclude by 1 November 2016, with the aim of the Digital Economy Bill receiving Royal Assent by the end of spring 2017.
UK National Audit Office finds government data security lacking
In September 2016, the UK National Audit Office ("NAO") published its report in to the Government's approach to protecting information through digital security.
The document reported that 8,995 data breaches had been reported by the 17 largest government departments in the year 2014-15 and that the annual government department spend on IT security was £300 million (although it believes that actual costs are ‘several times’ this reported figure). However, the report found that the Cabinet Office has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information.
Protecting the information government departments hold from unauthorised access or loss is a critical responsibility for departmental accounting officers. However, departments are increasingly required to balance this responsibility with the need to make this information available to other public bodies, delivery partners, service users and citizens via new digital services. According to the NAO, too many bodies with overlapping responsibilities operate in the centre of government, confusing departments about where to go for advice. As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, many of whom produce guidance. While the new National Cyber Security Centre will bring together much of government’s cyber expertise, according to the report, wider reforms will be necessary to enhance the protection of information further.
Awareness of cyber risk increases but more needs to be done to enable risk transfer to insurers
A recent report has shown that whilst awareness of cyber risk is still on the rise, only around half of companies have either bought cyber insurance cover or are engaged with the insurance market. This seems to be, in part, due to a lack of understanding by companies around the risks they face and what cover is available in the market.
The report by insurance broker Marsh published in September 2016 set out the results of its latest UK cyber risk survey of large and medium UK companies directed to attitudes towards the cyber threat, the management control processes they have in place and use of cyber insurance as a means of risk transfer. The report makes for interesting reading and can be accessed here.
In brief, awareness of cyber risk is still on the rise (30.3% of organisations have board-level oversight – up from 19.4% in 2015 – and 83.8% of organisations have a complete or basic understanding of cyber risk). However, only around half of companies have either bought cyber insurance cover (just over 20%) or are engaged with the insurance market. Marsh notes that without a complete understanding of the risk, companies are in a poor position to approach the insurance market. For example, nearly two-thirds of companies have not conducted an exercise to estimate the financial impact of a cyber attack – and the majority of companies have not assessed supply chain/third party risk. In order to minimise premium spend and potential overlapping cover, such an exercise may go hand-in-hand with reviewing the company's existing insurance policy suite, which will likely cover a number of cyber risks, in order to identify the gaps that might be plugged by a standalone cyber insurance policy. And it may well be worth working this through, as cyber insurance products are, broadly speaking, available to cover companies' greatest concerns in this area, which include breach of customer information (32.4%) and business interruption (19.1%).
Much, therefore, remains to be done for companies to factor cyber insurance into their overall enterprise risk management strategy – ultimately, the need to have a plan for how a major cyber loss is going to be funded – but there are some promising signs that things are moving in the right direction.
Ransomware and Business Email Compromise on the rise
IT security firm Trend Micro has reported that use of ransomware and business email compromise ("BEC") techniques means that email has become the number one threat vector for organisations.
According to its own research, Trend Micro found that 58% of the nearly 80 million ransomware threats Trend Micro blocked from January to June 2016 were email-borne ransomware. BEC scams, on the other hand, all arrive via email. Given the ubiquitous use of email on a daily basis in business, the threat is therefore exacerbated.
At the same time, a recent Europol report has also highlighted eight key cyber threats for business and consumers, being ransomware, crime-as-a-service, data theft and misuse, payment fraud, online sexual exploitation, abuse of the Dark Net, phishing and the use of virtual currencies for illegal purchases. Interestingly, the report also highlighted an increase in high-level attacks against critical infrastructure environments – something we reported on in our previous cyber security bulletin, available here.
However, the news is not all bad, as the report also found that law enforcement agencies were working together to tackle cyber issues in a more coordinated fashion.
UK National Cyber Security Centre launched
The UK's National Cyber Security Centre ("NCSC") officially became operational on 3 October 2016.
According to a spokesperson for the NCSC, the organisation has four main goals: (i) to reduce cyber security risk to the UK; (ii) to respond effectively to cyber incidents and reduce the harm they cause to the UK; (iii) to understand the cyber security environment, share knowledge and address systemic vulnerabilities; and (iv) to build the UK’s cyber security capability, providing leadership on key national cyber security issues.
It remains to be seen what role the NCSC will play under the regime to be introduced by the EU Network Information and Security Directive (the "NIS Directive"). The NIS Directive envisages that incident reports received by CSIRTs and competent authorities in Member States will be funnelled up to a designated national "single point of contact" responsible for coordinating network and information security issues and take charge of cross-border cooperation at EU level. The NCSC would seem be an obvious choice to act as the UK's national single point of contact. However, to the extent that the NCSC is designated for this role, regulated entities will be dealing with a regulatory authority (for example, the FCA) on the one hand and a national security and intelligence organisation on the other - a first for many industries.
Singapore – Singapore International Cyber Week
Singapore's Prime Minister Lee Hsien Loong is expected to launch Singapore's new cyber security strategy at the inaugural three-day Singapore International Cyber Week ("SICW"), which begins on 10 October.
SICW is being organised by the Cyber Security Agency ("CSA") of Singapore and is expected to be attended by over 3,000 political leaders, government and policy decision-makers, industry players and delegates, with a total of almost 200 sponsors and participating organisations represented.
SICW will bring together GovernmentWare, the Asia-Pacific region's premier conference and exhibition on cyber security, which is now in its 25th year, and five inaugural events. Key events include:
- The ASEAN Ministerial Conference on Cyber Security - ministers from ASEAN member states, together with the ASEAN secretary-general, will deliberate on cyber security issues facing the region and the wider international community as well as strategies for enhanced cyber security incident response and capacity building in ASEAN. More than 10 ministers are expected to be present at this high-level meeting.
- The International Cyber Leaders' Symposium - key cyber security policy and government decision-makers, selected private sector leaders, prominent academics, and influencers from NGOs from around the world will discuss and work towards identifying potential areas of partnership in cyber security policy, strategy, norms of behaviour, and technical collaboration.
Japan to launch Industrial Cybersecurity Promotion Agency
Japanese newspapers reported this year that the Japanese government is considering creating a new agency, the Industrial Cybersecurity Promotion Agency ("ICPA"), with the aim of protecting Japan's critical infrastructure in the lead up to the 2020 Tokyo Olympics. It is envisaged that the ICPA will being functioning in 2017 as a public-private sector body and will be divided into two divisions: research and active response.
According to the Japanese publication The Yomiuri Shimbun, the ICPA will begin functioning in 2017 with funding from private companies and will focus on protection of critical infrastructure, including electricity, gas, petroleum, chemical, and nuclear facilities.
Hong Kong regulator publishes review of brokers' internet and mobile trading systems
On 13 October 2016, the Hong Kong Securities and Futures Commission ("SFC") announced it had issued a circular (the "Circular") launching a cyber security review with a focus on assessing the cyber security preparedness, compliance and resilience of brokers’ internet and mobile trading systems (the "Review").
The Review has been prompted by an increasing number of reports to the SFC from securities brokers that the security of some customers’ internet/mobile trading accounts has been compromised, and unauthorised securities trading transactions were being conducted through these accounts. The 13 October circular sets out the components of the Review and, in light of the latest incidents, also states that firms should, as a matter of priority, critically review and enhance their controls to combat cyberattacks.
For further information about the Circular and the Review, please see our eBulletin, available here.
Melbourne office hosts Cyber Security Roundtable
On 8 September 2016, the Herbert Smith Freehills Melbourne TMT team hosted its fourth annual Cyber Security Roundtable, featuring Mike Burgess, Chief Information Security Officer, Telstra Corporation. The event focused on Mike’s well-known "Five Knows of cyber security", and also featured Kaman Tsoi, Special Counsel and Australia's head of privacy and data protection, who discussed legal risks and strategies.
Mike Burgess is widely respected in the field of cyber security. Prior to his role at Telstra, Mike worked as the Deputy Director for Cyber & Information Security at the Australian Signals Directorate and also led the establishment of the Australian Cyber Security Operations Centre, overseeing its development as a key cyber capability for Government.
The "Five Knows of cyber security" are designed to manage security risk from Board level down by focusing attention on five core issues:
- Know the value of your data.
- Know who has access to your data.
- Know where your data is.
- Know who is protecting your data.
- Know how well your data is protected.
Mike emphasised his view that, while the threat of cyber intrusion cannot be eliminated, the risk can be effectively managed. Mike’s key tip is to "ask the right questions", starting with the Five Knows.
Kaman Tsoi, a privacy law expert who regularly advises on cyber security issues, discussed the myriad of laws and regulations that arise in the context of data breaches, noting that old laws are now being applied to new scenarios.
Kaman highlighted a number of important issues, including:
- the Australian Securities and Investments Commission’s (ASIC) emerging role as a ‘cyber security regulator’;
- continuous disclosure laws, which may oblige listed entities who suffer a data breach to inform the market – this is despite the absence (so far) in Australia of mandatory data breach notification laws; and
- the boom in cyber insurance, which is rapidly expanding in Australia following recent high profile cyber attacks.
If you would like a copy of the presentation slides, or to discuss how Herbert Smith Freehills can help your business prepare for or respond to a cyber security incident, please contact Julian Lincoln, Partner, Kaman Tsoi, Special Counsel, or one of the global team in your region.
Australian mandatory data breach notification laws just around the corner
After years of being on and off the legislative agenda, it is expected that the Australian federal government will introduce mandatory data breach notification laws before the end of 2016.
The Department of the Prime Minister and Cabinet has indicated that the Privacy Amendment (Notifiable Data Breaches) Bill will be introduced for passage in the Spring sittings of Parliament (that is, not later than 1 December 2016).
At the time of writing, the Bill has not been introduced to Parliament. Its content is predicted to be substantially the same as an exposure draft released late in 2015. However, stakeholders will be keen to assess the extent to which the Bill has been modified to accommodate views expressed in public submissions made during the consultation period. For example, several submissions:
- expressed concern that the level of awareness triggering obligations under the Bill is too strict – namely, data breaches must be disclosed "as soon as practicable" after an entity becomes aware or "ought reasonably to be aware" of the breach;
- recommended that "psychological" and "emotional" harm should be removed from the definition of "harm"; and
- proposed an amendment providing that the notification obligations of joint holders of information should be met upon one such entity satisfying the notification obligations.
The 2016 #CensusFail
9 August 2016 was "Census night" in Australia. It was on this night that every household in Australia was to complete a Census form – the Australian Census of Population and Housing (Census) form – which is a large-scale statistical collection by the Australian Bureau of Statistics ("ABS") held every five years.
In 2016, the ABS estimated the Census would count close to 10 million dwellings and approximately 24 million people. Over 65% of households were expected to complete their Census form online via a specifically constructed portal. However, on the evening, users were faced with error messages when trying to access the portal and, reportedly, only 2 million households were able to complete the forms online. These error messages gave the impression that the Census system had crashed or failed.
Throughout the course of that day, the Census system faced three denial of service ("DoS") incidents, which were attempting to frustrate the collection of Census data. As protective measures were in place to prevent incidents of this nature, the service disruptions throughout the day were relatively minor. However, a fourth DoS attempt took place just after 7.30pm, alongside a hardware failure and a substantial increase in traffic to the Census website as people sought to complete their forms after work. The ABS decided to deliberately shut down the system, to protect the Census data and the system from further incidents. It was not until Thursday 11 August that the online Census form was restored and came back online.
Following the incidents, the ABS maintained that the security of the Census had not been compromised, and that no personal data had been lost or accessed in the attacks. It was maintained that the system had been shut down only as a precaution.
The Australian Privacy Commissioner has opened an investigation into the ABS, to ensure that no personal information has been compromised, and a Senate inquiry has been called into the preparation, administration and management of the 2016 Census by the ABS.
The #CensusFail demonstrates the importance for businesses to focus on threat intelligence and threat prevention in the current climate. As stated by Malcom Turnbull, PM, to 2GB radio on 11 August 2016, "the denial of service attacks were completely predictable [and] should have been repelled readily".
The reputational impact of the #CensusFail was heightened given the privacy concerns raised by at least six senators in the lead up to Census night, which related to the decision to retain personal identified data collected in the Census for four years (as opposed to 18 months).
New cyber minister for Australia’s cyber security space
In July 2016, we reported that the Australian federal government had released its Cyber Security Strategy ("CSS") which set out five themes of action for Australia’s cyber security over the next four years.
As foreshadowed by the CSS, the Prime Minister has now established a new role within his ministry to lead the Australian government in its implementation of the CSS.
On 18 July 2016, the Prime Minister appointed the Hon Mr Dan Tehan MP to the position of Minister Assisting the Prime Minister on Cyber Security. Mr Tehan will support the Prime Minister by strengthening the partnership between Government, business and academia. He will also work closely with the first Special Adviser to the Prime Minister on Cyber Security, Alastair MacGibbon, responsible for leading the development of cyber security strategy and policy.
The role of the "Cyber Ambassador" to champion opportunities for international cyber cooperation is yet to be filled.
New York State unveils proposed cyber security regulations
On 13 September 2016, New York unveiled new regulations that propose a cyber security governance framework for companies regulated by the New York Department of Financial Services ("NYDFS")
The proposed Cyber Security Requirements for Financial Services Companies requires banks, insurance companies and other financial services to: (i) establish a cyber security program; (ii) adopt a cyber security policy; (iii) install a chief information security officer; and (iv) comply with additional security levels when working with third-party providers.
More specifically, under the new rules, each regulated company is required to establish a cyber security program that performs the following core cyber security functions: identify cyber risks; protect against unauthorised access/use; detect cyber security events; respond to identified intrusions to limit damage; and recover from cyber intrusions and restore normal operations. This outline aligns closely with the requirements under the US Government National Institute of Standards and Technology ("NIST") Cyber Security Framework. Further, companies are required to adopt a cyber security policy that set outs a dozen areas, including data privacy, vendor and third-party service provider management and incident response, that must be addressed. The focus on third-party risks aims to ensure companies address a critical source of cyber risk. Additionally, the regulations also include a certification by the chair of the board of each company regarding compliance with the rules.
These rules are the latest in a cascade of cyber security standards for private companies (both required and voluntary), ranging from government standards like the NIST Cyber Security Framework, to industry standards like ISO-27000 and the Payment Card Industry Security Standards. In the financial services industry, regulators including the Security and Exchange Commission, the Federal Financial Institutions Examination Council, and the Commodities Futures Trading Commission also have issued cyber security rules and guidance. And last month, the nation's biggest banks, including JPMorgan Chase, Bank of America and Goldman Sachs, announced that they are joining together to share information on cyber security in an effort to prevent future cyber attacks.
A 45-day public consultation will follow the official publication of this rule.
US commodities regulator adopts cyber security rules
The Commodity Futures Trading Commission ("CFTC"), the US commodities and derivatives regulator, has adopted two rules (the "Final Rules") that expand cyber security requirements for designated contract markets, swap execution facilities, swap data repositories, and derivatives clearing organisations. The Final Rules have been introduced as part of a broader effort to protect markets against meltdowns, and comprise the: (i) System Safeguards Testing Requirement for Derivatives Clearing Organizations (Division of Clearing and Risks); and (ii) the System Safeguards Testing Requirements (Division of Market Oversight).
The Final Rules are designed to enhance existing cyber security testing and system safeguard risk analysis requirements and, to that end, they define five types of cyber security testing essential for a robust system safeguards program: (i) vulnerability testing; (ii) penetration testing; (iii) controls testing; (iv) security incident response plan analysis; and (v) enterprise technology risk assessment. Requirements for engaging independent contractors are also imposed.
The Final Rules were unanimously approved at the 8 September 2016 CFTC public meeting. CFTC Chairman Timothy Massad noted the importance of these Final Rules and emphasised the risk of cyber attack as the single greatest threat to the stability and integrity of the domestic and global markets. In the Chairman's view, the Final Rules are not "overly prescriptive," and "will serve as a strong and important complement to the many other steps being taken by regulators and market participants to address cyber security."
US Consumer Financial Protection Bureau proposes amendment to the Gramm-Leach-Bliley privacy provisions
The Consumer Financial Protection Bureau ("CFPB") has proposed regulations that would reduce the need for banks and other financial institutions to provide annual privacy disclosures to consumers as required by the Gramm-Leach-Bliley Act ("GLBA").
The regulations (proposed in July 2016) follow the adoption of the Fixing America's Surface Transportation Act ("FAST Act"), enacted December 2015, which amongst other things amended the GLBA. Previously, the GLBA required financial institutions to provide an initial notice, and then an annual update, describing its privacy policies and practices. If the institution shares customers' non-public personal information with unaffiliated third parties in ways other than specified by the GLBA, the institution generally must notify customers of their right to (and how to) opt-out of such sharing.
As noted in a statement by the CFPB, the FAST ACT amendments to the GLBA included a revision of the consumer privacy provisions that provide financial institutions that meet certain conditions with an exemption to the GLBA requirement to deliver an annual privacy notice. According to the amendments, a financial institution can use the annual notice exemption if it satisfies two main conditions: (i) the institution does not disclose non-public personal information of consumers to third parties, other than disclosure permitted by exempt categories; and (ii) the financial institution has not changed its policies and practices with regard to disclosing non-public personal information since the most recent notice. The CFPB proposal would establish deadlines for institutions to resume annual privacy notices if their practices subsequently change in a way that ceases to qualify for the exemption.
The CFPB's changes should streamline administrative procedures within financial institutions, but do not relieve financial institutions from the obligation to provide notices when privacy policies and practices are changed; nor does it lower the disclosure required when this happens.
US Homeland Security Committee approves Cyber Preparedness Act
A US legislative committee has approved an amendment to the Department of Homeland Security's ("DHS") existing laws to make it easier for the DHS to share unclassified cyber threat information with state and local authorities, and private sector stakeholders. The amendment is part of continuing efforts to improve detection and response to cyber attacks.
The bill (HR 5459) would amend the Homeland Security Act to expand the responsibilities of the DHS's State, Local and Regional Fusion Centre initiative to include serving as a point of contact to ensure the dissemination of cyber security risk information within the scope of its information sharing environment. The DHS fusion centres serve as a focal point within state and local governments for the receipt, analysis, gathering, and sharing of threat-related information.
As a consequence of the bill, state and local governments, as well as urban areas receiving grants to protect against terrorism under the Urban Area Security Initiative of the State Homeland Security Grant Program, would be able to use the funds to prepare for and respond to cyber security risks and incidents.
Internet of Things connected devices used in major DDoS attack
The recent distributed denial of service attack ("DDoS") that affected major websites including Twitter, Netflix, Spotify, Airbnb, Reddit and Etsy, used Internet of Things ("IoT") devices such as digital video recorders ("DVRs"), web cams and routers to mount the attack. The devices were infected with malware known as Mirai.
Rather than attacking the affected websites directly, this DDoS attack targeted the infrastructure of a company called Dyn, which provides an outsourced Managed DNS service for the affected sites. The Domain Name System ("DNS") is one of the protocols that underpins the entire internet, and converts human-readable domain names such as twitter.com into an IP address such as 22.214.171.124, an essential step to be able to access the websites. By launching a DDoS attack against Dyn's Managed DNS infrastructure and overwhelming it, any web user trying to access the websites would be slowed down or blocked completely.
IoT devices are an attractive target for hackers because:
- they tend to be permanently connected to the Internet;
- they generally do not have any anti-virus software;
- they often are not updated/patched as frequently as computers or laptops (if at all);
- they often have a number of vulnerabilities (such as hard-coded default passwords); and
- any infection is more likely to go unnoticed.
The Mirai malware is intended to facilitate DDoS attacks, but there is no reason in theory why IoT devices could not be infected in the same way with other types of malware, such as ransomware, or to provide a backdoor into corporate or other networks. This attack also highlights the dependence of even major websites on outsourced infrastructure.
The FBI and Department of Homeland Security in the US are now looking into the Dyn attack amid concerns that it was a practice-run for another DDoS attack to be mounted during the US elections against States that allow online voting for overseas voters.
Update: Suit challenging US courts' authority to issue gag orders to tech companies receives support from big names in tech world
Various well-known names in the technology, pharmaceutical, media and related sectors have filed briefs in support of Microsoft's suit against the US Justice Department over digital privacy and surveillance.
In April, Microsoft challenged the constitutionality of a provision of US federal law that authorises US courts to issue gag orders forbidding it, and similar companies, from advising their customers about search warrants, court orders or subpoenas that the government employs to obtain the stored electronic communications of those customers. SeeMicrosoft Corp. v. U.S. Department of Justice, Case No. 2:16-cv-00538(W.D. Wash. 14 April 2016).
Supporting Microsoft's position are, amongst others, Apple, Google, Amazon, Mozilla, Delta Air Lines, Eli Lilly, BP America, the Washington Post, Fox News, the National Newspaper Association, the US Chamber of Commerce, and the Electronic Frontier Foundation. For further information on the case to date, please see our previous update, available here.
Update: US Government weighs decision to appeal court ruling prohibiting it from seizing emails stored outside the United States
We previously reported (see our previous update, available here) on a US appellate court ruling (issued 14 July 2016) that handed a major victory to Microsoft by finding that US authorities cannot compel US tech companies to disclose email content they store on servers located outside the United States. The US government is now considering whether to appeal this decision, and has until 13 October to file a petition for rehearing.
Yahoo data breach highlights the importance of due diligence and supply chain risk
The recent Yahoo data breach involving the data of around 500 million users has highlighted once again the vulnerability of consumer data. It has also given rise to issues in the context of the recent sale of Yahoo to Verizon in July 2016.
In the immediate aftermath of the attack, Verizon told the BBC that it had only just learned of the attack and, itself, had limited information. It remains to be seen how the incident may affect the deal in this instance. However, it is clear that incidents such as this one highlight the importance of undertaking cyber security due diligence prior to reaching commercial agreement, as well as including contractual provisions in the sale documentation to protect the acquirer in the event that subsequent issues are uncovered which adversely impact the value of the business.
It also highlights issues in relation to supply chain risk. In the UK, a number of prominent internet service providers issued warnings to customers that they may be affected by the breach, as the ISPs had outsourced their email services to Yahoo. It is important to ensure that outsourcing and other contracts adequately deal with cyber security issues, including the division of responsibility for managing cyber security risks, cooperation and information sharing in relation to incident response and liability for any incidents that do occur.