Cyber security affects all businesses and industries and is a Board level agenda item.
Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA.
European Commission publishes Privacy Shield documentation
On 29 February 2016, the European Commission published the legal documents designed to implement the new EU-US Privacy Shield. The published documents include:
- The draft "adequacy finding" – This document summarises the obligations which companies will have to comply with and the protections given to personal data transferred across the Atlantic. If adopted, its effect will be that the safeguards for the transfer of data under the new EU-US Privacy Shield will be considered equivalent to data protection standards in the EU;
- The EU-US Privacy Shield Principles with which companies will have to comply; and
- Written commitments by the US Government on how the arrangements will be enforced, namely by:
  - Imposing strong obligations on companies and implementing robust enforcement mechanisms;
  - Ensuring there are clear safeguards and transparency obligations on the US government's access to personal data;
  - Ensuring that EU citizens have several redress possibilities, including providing them with a free ADR solution and the ability to contact the national Data Protection Authorities directly; and
  - Implementing an annual joint review mechanism of the EU-US Privacy Shield.
The next step will be for the Article 29 Working Party to analyse the documentation and publish its opinion. At the same time, the US will work on the necessary arrangements required for the Privacy Shield to operate, for example by setting up monitoring mechanisms. Among other things, the US is to create an ombudsman, within the US Department of State, to address complaints from EU citizens regarding US intelligence access to their data. Please see also below in relation to other US developments.
For further information regarding the proposed Privacy Shield, see our eBulletin, available here.
GDPR/Cyber Security Directive Update
Following political agreement on both the EU General Data Protection Regulation (the "GDPR") and the Network and Information Security Directive (the so-called "Cyber Security Directive") at the end of last year, we are still awaiting final versions of the texts of both pieces of legislation to be published.
Both the Regulation and the Directive are currently undergoing a legal-linguistic review, and will then need to be formally approved and published in the Official Journal, probably around mid-2016.
For the Cyber Security Directive, Member States will then have 21 months to implement the Directive into their national laws and six further months to identify "operators of essential services" in their jurisdiction.
For the GDPR, there will be a two year implementation period before it comes into effect, meaning that organisations should expect the new rules to apply from sometime in 2018.
For more information regarding the GDPR, please see our eBulletin available here.
Investigatory Powers Bill introduced to the House of Commons
Against the backdrop of an ongoing global battle between public authority access to data for national security purposes and individuals' right to privacy, the controversial UK Investigatory Powers Bill has been revised and introduced to the House of Commons with a deadline of 31 December 2016 for the legislation to be in place.
The Investigatory Powers Bill was introduced to the House of Commons on 1 March 2016. The Bill is intended to address the deficiencies of the Regulation of Investigatory Powers Act 2000, which was drafted before the advent of, for example, social media and over-the-top messaging services such as WhatsApp.
Some of the key provisions of the Bill include:
- The provision for interception of communications, which will be lawful when carried out with a warrant, with consent or in the exercise of any statutory power.
- The creation of a judicial oversight body, with Judicial Commissioners acting as a check for the Secretary of State's warrant decisions.
- The obligation on communications service providers to collect and store internet connection records.
The Bill was backed by 281 votes to 15 during its second reading in the House of Commons on 15 March 2016. A final vote is expected in April 2016, with the Home Office aiming for the new legislation to be in force by 31 December 2016.
To view a copy of the Home Office papers, please click here.
Morrisons denies liability for cyber security breach in group litigation
As discussed in our previous quarterly cyber security round-up (available here), Morrisons supermarket is being sued by several thousand employees after some of their personal and financial details were posted online by a disgruntled ex-employee.
Morrisons has now filed its defence in the case, in which it reportedly denies any liability for the breach and claims that staff have not suffered any distress as a result of having their details leaked.
The number of individuals claiming compensation under the group litigation order has now exceeded 5,000, and a hearing to determine when a trial would take place is scheduled for May 2016.
National Cyber Security Centre announced for the UK
The UK Government has confirmed that its National Cyber Security Centre ("NCSC") will be headquartered in London and will begin operations in October 2016. This new body is designed to bring the UK's cyber expertise into one place and address current problems with the digital defences of companies and organisations.
GCHQ is currently the main organisation which deals with cyber security. However, because GCHQ is a secret intelligence service, there are challenges in terms of accessibility and in encouraging communication between the relevant parties and the Government. The new centre is aimed at remedying this by taking advantage of its presence in both the intelligence world and the public space.
The new "authoritative voice on cyber security in the UK" will aim to implement its goals by informing the entire business community and public sector about emerging threats, providing support when attacks happen and educating everyone on how best to stay safe online. The NCSC will work with a variety of government departments and critical national infrastructure players, as well as with the business community and the public.
The organisation's first task will be to collaborate with the Bank of England in order to produce guidance on how financial institutions can manage cyber security more effectively. This will involve setting standards for the financial sector when responding to different types of cyber threats which could negatively impact the UK economy.
To view a copy of the Government's announcement, please click here.
Social engineering used to steal engineering blueprints
Last year, a manufacturing company launched a specialist investigation to determine whether blueprints for a large piece of construction equipment were stolen from them and shared with a competitor that released equipment which was extremely similar. The results of the investigation indicate that the company was indeed the victim of a targeted cyber-attack and it is suspected that the stolen blueprints were sold to companies that are owned, operated and controlled by the Chinese government.
The cyber attackers had built a fake recruitment profile on LinkedIn and began liaising with the manufacturing company's chief design engineer, who had been looking for a new job. The engineer received an email with a document containing malware linked to a known malicious Chinese IP address. Once the document was downloaded, the malware enabled the attackers to access the engineer’s system and search and collect sensitive data from network file servers and attached USB hard disk drives.
The investigation also makes it clear that the attackers specifically identified the chief design engineer as the best target for the attack: he would usually work with those areas of the network that were compromised, so his accessing them would not appear suspicious.
Critical national infrastructure successfully attacked in the Ukraine
On 23 December 2015, Western Ukraine was the target of a cyber-attack at several of the country's main power distribution companies which caused a six-hour power cut for over 225,000 people. In total, approximately 30 substations were shut down. This was the first known power outage caused by a cyber-attack.
The attack was a highly sophisticated one which had its origins many months earlier in a spear-phishing attack. Workers were sent a malicious Word document which opened a backdoor for the hackers, enabling them to control the workers' corporate PCs. Extensive reconnaissance followed, enabling the hackers to bridge the corporate network and the separate network upon which the SCADA (Supervisory Control And Data Acquisition) systems resided, ultimately enabling them to shut down the substations. When the attack was eventually launched, the hackers took steps to make it as difficult as possible to recover from, including:
- replacing firmware in networking equipment with a malicious version in order to prevent the power systems subsequently being controlled remotely;
- changing the operators' passwords so they could not get back into their own systems;
- disabling uninterruptible power systems so that the power companies themselves were affected by the outage; and
- launching a telephone denial of service attack to prevent incoming calls to the power companies.
The US Department of Homeland Security suspects that the attack was carried out by a Russian hacking group called "Sandworm Team", on the basis of the malware that was used and the group's history of targeting the Ukraine and SCADA systems.
It has recently been disclosed that a similar incident occurred in 2013, when Iranian hackers were able to take control of the flood gates of a dam outside of New York, although they did not manage to fully control the entire dam system.
These incidents have given rise to widespread fears that hackers are developing the ability to gain access to critical infrastructure, even where it is not directly connected to the Internet, by leveraging weaknesses in associated corporate networks and the human factors associated with them. They also demonstrate that hackers are often playing the "long game", will exercise high degrees of stealth during the reconnaissance phase of any attack, and will put many barriers in place as part of a strategy to make the cyber-attack as difficult as possible to recover from. The Ukraine attacks show that it can take many months of reconnaissance to glean sufficient information to launch a successful attack, all of which went undetected.
As a result of the growing threat of these cyber-attacks, certain organisations made up of certified ethical hackers are being set up, such as CREST, which undertakes research into the security of the UK's infrastructure networks and seeks to identify all potential bugs and vulnerabilities. It is also important for such organisations simply to raise awareness of the dangers that the corporate IT systems face and use this to push infrastructure companies to establish appropriate digital defences.
France and Germany exposed to the "Locky" ransomware
In March 2016, the software security group Kaspersky Lab revealed that France and Germany are among the most exposed countries in the world to the "Locky" ransomware. This ransomware blocks and encrypts documents and other data, then offers to unblock them only in exchange for payment of a ransom.
The ransomware is mainly distributed in two ways:
- by email, with a fake invoice attached; as soon as the document is opened, the download of the ransomware begins; or
- via web pages on which the ransomware has been installed; when an internet user visits the web page, the ransomware automatically tries to install itself on his or her computer.
As explained by Kaspersky Lab, the month of February saw a significant increase in the number of ransomware attacks, mainly in France and Germany, with at least 40,000 attempts to infect the computers of Kaspersky Lab's clients. In particular, the clients of the French telecommunications company Free have been targeted.
In January 2015, the French Ministry of Transportation's computer system was infected by the virus.
Kaspersky Lab pointed out that the usual security measures - avoiding opening documents attached to emails sent by strangers, a comprehensive backup strategy for documents and data, and keeping anti-malware software up to date - must not be neglected by companies. Moreover, it recommended that companies should never give in to the blackmail and should inform the authorities of any attempt at racketeering.
To date, no solution exists to counter the encryption applied by Locky.
Protection of "white hat" hackers in a French bill
On 26 January 2016, the French National Assembly voted on a bill which, amongst other things, provides legal protection for "white hats" – hackers who specialise in identifying security weaknesses in information systems, and in exposing such weaknesses in a way that will allow the system's owner(s) to fix the breach.
In the past, several white hats have been involved in lawsuits initiated by companies to which they had revealed security weaknesses, or have been prosecuted for breaking into computerised systems.
The bill – called the "Bill for a Digital Republic" – provides that a person who penetrates a computerised system shall not be punished if he or she warns the competent authorities or the person in charge of the concerned website as quickly as possible.
In addition, since 21 January 2016, a matching service for companies and hackers, "B0unty Factory", has existed in France and is currently under testing. Any company will be able to join the platform. An internet user who discovers a weakness will be able to contact the concerned company registered on the platform. Any weakness pointed out and corrected will then give rise to the payment of a "bounty" to the well-intentioned hacker.
Implications of the Anti-Terrorism Law of China for telecom and internet companies
On 27 December 2015, the standing committee of the National People’s Congress ("NPC") of China passed the Anti-Terrorism Law of China, the first national law to combat terrorism, which came into force on 1 January 2016. The Anti-Terrorism Law imposes some specific obligations on operators of telecom and internet services.
The year 2015 saw national security and cyber security being brought to the top of the legislation agenda in China. In July 2015 the National Security Law and the draft Cyber Security Law were published, followed by the Anti-Terrorism Law at the end of the year, each of which contains provisions aimed directly at addressing cyber security issues. The newly-imposed obligations under the Anti-Terrorism Law on telecom operators and internet service providers reflect the government’s determination to tighten its grip on cyber security and are bound to give rise to more legal compliance challenges.
Highlights of the obligations under the Anti-Terrorism Law include: (a) the provision of technical assistance and support to the Ministry of Public Security and the Ministry of State Security; (b) the prevention of dissemination of terrorist and extremist information; and (c) the verification of customer identity.
For further details regarding each of these requirements and their impact on telecom and internet service providers, please click here to read our eBulletin.
HKMA rolls out cyber security programme
The Hong Kong government announced in its February budget speech that the Hong Kong Monetary Authority ("HKMA") is currently working with the Hong Kong Applied Science and Technology Research Institute, the Hong Kong Institute of Bankers and the Hong Kong Association of Banks to set up a cyber security programme. This programme will include the establishment of a cyber intelligence-sharing platform and the development of initiatives around cyber security risk assessment and professional certification.
The HKMA has also recently established a Fintech Facilitation Office ("FFO") to boost Hong Kong's attractiveness as a fintech hub. The FFO will also be focusing on doing research in the area of cyber security. This is primarily because the HKMA is of the view that "in order to support the sustainable development of the fintech industry in Hong Kong and to keep the public confidence in fintech services and the banking system, it is crucial for the banking sector to maintain a high level of cyber security and data security."
Further details of the Cyber Security Programme are expected to be provided at the Cyber Security Framework Symposium in Hong Kong in mid-May.
SFC issues circular on cybersecurity concerns and recommended controls
The Securities and Futures Commission ("SFC") in Hong Kong has recently reviewed the cyber security environment of a number of larger sized licensed corporations ("LCs"). The SFC has shared its findings, including its concerns from these reviews, in a circular released on 23 March 2016.
The SFC identified the following key areas of concern that have arisen from its reviews:
- inadequate coverage of cyber security risk assessment exercises;
- inadequate cyber security risk assessment of service providers;
- insufficient cyber security awareness training;
- inadequate cyber security incident management arrangements; and
- inadequate data protection programs.
Worth highlighting in this list are the SFC's comments around the inadequacies of cyber security risk assessment of service providers and of data protection programs. LCs did not seem to have adopted a proactive approach to integrating the risks associated with a service provider's systems into their own cyber security risk management framework. Rather, LCs appeared to rely on attestations from the service provider and did not conduct regular cyber security audits. With regard to data protection, LCs lacked controls and procedures to record and curtail internal and external data flows, and data was not being categorised (and consequently, not being protected) according to its particular characteristics (e.g. sensitive information, personal information etc). Further details of the areas of concern are set out in an appendix to the circular.
Nevertheless, the SFC noted that some LCs had in place a number of sound and effective cyber security controls and defensive mechanisms. The SFC has recommended that all LCs consider implementing similar controls, and has set out detailed recommendations in an appendix to the circular. We note that although they are described as "suggestions", the measures set out by the SFC are fairly prescriptive in nature.
The SFC has made it clear that cyber security within a LC "is increasingly being viewed … as a matter of priority given the ongoing occurrence of cyber security incidents being reported across the financial services industry". The SFC expects LCs to take appropriate measures to assess the effectiveness of existing cyber security controls.
To view a copy of the SFC circular, please click here.
To view a copy of the Appendix detailing key areas of concerns and recommended cyber security controls, please click here.
Hacking of Western Australia’s Public Transport Authority
In late March 2016, Western Australia's ("WA") Public Transport Authority ("PTA") was forced to disable various websites and online systems due to an attempted hack. The likely target was SmartRider, by which riders can pay for public transport online, given the scale of credit card transactions occurring on this system. Fortunately, the attempted hack was detected early and the PTA took its systems offline to avoid any potential breach.
However, this attempted hack raises further concerns surrounding the IT security practices of WA government departments and demonstrates their vulnerability to cyber attack.
The Information Systems Audit Report released by WA’s auditor-general, Colin Murphy, in November 2015 revealed that various government database administrator accounts had retained default usernames and passwords or used common passwords which are extremely easy to guess, such as "password1" or "test". Auditors were also able to twice hack into a particular database and download confidential information without being detected.
Andrew Cann, WA’s chief technology officer, has acknowledged that more needs to be done to improve security.
Speaking at a Perth AISA conference in November 2015, Mr Cann identified the steps being taken by the Office of the Governmental Chief Information Officer.
The key strategy identified was the introduction of security guidelines, which establish a standard for each agency to adopt. These guidelines would ensure that agencies have a common framework for managing security issues, identifying requirements and introducing security controls to mitigate cyber security risks.
Please click here to view a copy of Mr Cann’s presentation slides.
Australia and the US to hold annual cyber security talks
In January 2016, Australian Prime Minister Malcolm Turnbull announced that Australia and the US would be holding annual talks focused on cyber security and cyber threats. The talks will be convened by the Australian Strategic Policy Institute and the US Center for Strategic and International Studies.
The Prime Minister said that Australia must be ready to respond to cyber incidents when and if they occur. He said this means that Australians need to better understand how both countries would cooperate in the event of a significant cyber incident that would affect both Australia and the US.
According to the Prime Minister, "to achieve this, we agreed to improve our response efforts beginning with mapping our cyber incident response structures and mechanisms with the aim in the future to exercising our incident response measures. To meet the growing threat of cybercrime, we will also enhance cybercrime cooperation between our nations, including through increased exchanges between respective law enforcement and cybercrime experts and more collaboration on cybercrime investigations."
US extends certain privacy law protections to non-US citizens
As part of ongoing efforts to improve cooperation and restore trust with respect to transatlantic data privacy issues, the United States, on 24 February 2016, enacted the Judicial Redress Act, which extends to citizens of "designated" nations certain rights now accorded to US citizens under the US Privacy Act, most principally the right to sue US government agencies for privacy violations.
More specifically, under the Act, which is to take effect in 90 days (or 24 May 2016), a citizen of a "designated" country or organisation (such as the EU) may bring a civil action – in US federal court in Washington, DC – against: (i) a US agency that "intentionally or wilfully" violates conditions for disclosing records without the consent of the affected individual; as well as against (ii) a US agency that refuses an individual's request to review or amend his or her records.
The US Attorney General (with the concurrence of the US Departments of State, Treasury, and Homeland Security) is responsible for designating the countries whose citizens can take advantage of the Act. Such designation requires that the country: (i) has "appropriate privacy protections" for information shared for the purpose of preventing, investigating, detecting or prosecuting crimes, as provided for in an agreement with the US or else as determined by the Attorney General; (ii) "permits the transfer of personal data for commercial purposes" between itself and the US; and (iii) has data transfer policies that the Attorney General has certified do not "materially impede" US national security.
The Act was passed with wide bipartisan support in the US Congress. In signing the Act into law, the President remarked that the legislation "makes sure that everybody's data is protected in the strongest possible way with our privacy laws—not only American citizens, but also foreign citizens."
US voter database created and leaked
In December 2015, an independent computer security researcher discovered a database which is available on the open Internet and contains information on 191 million US voters, including names, addresses, birth dates, party affiliations, and phone numbers.
In the US, voter data is considered public information. Certain privacy regulations are in place in order to protect such data (such as prohibitions on commercial use of the information or disclosures outside the US), but this varies across the states and in many cases, no limitations are imposed at all.
In this case, it appears that the voter information included in the database was already publicly available from each state government, which means that no new or private information seems to have been released. However, it would be time-consuming and expensive to gather a database of American voters such as the one discovered, where multiple public datasets had been amalgamated. Such a database could be useful to criminals who are looking for lists of targets for various fraud schemes.
The Texas-based researcher who identified this database worked with US authorities to remove the data from the public domain, and per media reports, the database has since been taken down, though its owner has not been ascertained.
Dispute between Microsoft and US Government over customer emails remains pending on appeal
As discussed in one of our previous quarterly cyber security round-ups (available here), Microsoft has appealed a US federal court ruling requiring it to produce, to the US Government, Microsoft customer e-mails stored in the EU. The US Court of Appeals for the Second Circuit is expected to rule on the appeal soon.
Getting The Deal Through – Cyber security 2016 – United Arab Emirates Chapter
Herbert Smith Freehills' Stuart Paterson, Benjamin Hopps and Nihar Lovell have contributed to the United Arab Emirates chapter of the 2016 edition of Getting The Deal Through – Cyber security. The article gives an overview of the laws and regulations governing cyber security in the Emirate of Dubai (including the Dubai International Financial Centre (DIFC) free zone) and the measures that firms are recommended to take in order to protect themselves from cyberthreats or the loss of sensitive data.
Getting the Deal Through – Cyber security 2016 is an annual report that compiles in one place and in a systemic manner all of the key information on cyber security legislation and regulation in different jurisdictions around the world.
For further information please click here where you will be redirected to the article on our website, which has been reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through – Cyber security 2016 (published in February 2016).
Mossack Fonseca leak highlights global use of tax havens
The biggest data leak in history became public knowledge in April 2016, as it was revealed that files from Panamanian law firm Mossack Fonseca had been leaked through a cyber-attack. Mossack Fonseca is the world’s fourth biggest provider of offshore services, including incorporating companies in offshore jurisdictions such as the British Virgin Islands.
The records were obtained from an anonymous source by the German newspaper Süddeutsche Zeitung, which shared them with the International Consortium of Investigative Journalists ("ICIJ"). The ICIJ then worked for over a year with journalists from 107 media organisations in 76 countries, including UK newspaper the Guardian, to analyse the documents.
According to ICIJ, the documents make public the offshore accounts of 140 politicians and public officials, amongst other things. The documents don't necessarily detail anything illegal, but they do shine a light on the world of offshore finances.
The leaked data appears to have originated from the firm's email system and comprises approximately 11.5 million records consisting of emails, Word and Excel documents and PDF files containing financial information, amounting to in excess of 2.5 terabytes. This compares to the Edward Snowden leak which amounted to 1.7 million records. The data was exfiltrated electronically over a significant period of time without being detected and, despite initial news reports that the leak was the result of an inside job, a partner at Mossack Fonseca has since claimed that the firm was the victim of an external hack and has filed a complaint with the Panamanian attorney general's office.