If the first quarter of 2019 is anything to go by, cyber security risk is still a high-ranking board agenda item with no sign of abating and the regulatory landscape is becoming ever more complex as we strive to respond and mitigate the risks of cyber incidents. We provide a summary of the key developments from Europe, Asia, the US and Australia to help you keep abreast of changes and plan for preventative compliance measures.
Impact of a no deal Brexit on digital services providers
As we edge ever closer to the UK’s impending departure from the EU, in December 2018, the Department for Digital, Culture, Media and Sport issued guidance for digital service providers in a no-deal EU exit scenario.
Background: the EU Network and Information Security Directive
The EU Network and Information Security Directive (“NISD”) was adopted by the European Parliament on 6 July 2016. For the first time, the NISD seeks to set out a harmonised approach to cyber security across the EU and provides legal measures to this end to enhance the EU’s cyber security legal and regulatory framework. Member States had until 9 May 2018 to transpose the NISD into domestic legislation and then apply the relevant measures from 10 May 2018. In the UK, the Network and Information Systems Regulations 2018 (“Regulations”) transposed the NISD into English law.
The Regulations require certain “operators of essential services” (“OES”) to adopt risk management practices and report major security incidents on their core services to the appropriate national authority. OES include companies in the electricity, oil and gas, air, water, road and rail transport, healthcare, water and digital infrastructure sectors. A competent authority is designated for each sector. The Regulations also place certain obligations on digital service providers (“DSPs”), which include operators of online search engines, online marketplaces and cloud computing providers. The ICO has been designated as the regulator for DSPs and more detailed descriptions of digital services can be found in the ICO Guide to NIS, the text of the NISD, the Regulations and the UK Government’s response to the targeted consultation for digital service providers.
Fines of up to £17m can be imposed to ensure compliance. Organisations covered will need to consider both their own cyber practices and those of businesses in their supply chains.
DSPs established in the EU
Under the NISD, a DSP that is not established in an EU Member State, but offers services within the EU (and has 50 or more staff or a turnover or balance sheet of more than €10m per year), must designate a representative in the EU. This representative must be established in one of the EU Member States where the DSP offers services; the DSP will then be deemed to be under the jurisdiction of the EU Member State where that representative is established.
Establishment in an EU Member State implies the effective and real exercise of activity through stable arrangements. In principle, the “main establishment” of a digital service provider corresponds to the place where the company has its head office. A digital provider “offers services in the EU” if it offers, or is planning to offer, digital services to persons in one or more EU Member States. The guidance suggests this to be the case if: the DSP uses a language generally used in one or more EU Member States; the DSP uses a currency generally used in one or more EU Member States; customers have the possibility to order services in a language generally used in one or more EU Member States; and the DSP mentions customers or users who are in the EU.
DSPs in a no-deal scenario
Currently, the UK is an EU Member State and so DSPs established in the UK do not need to designate an EU representative. However, in the event of a no-deal Brexit, the UK will become a third country. In this scenario, the guidance suggests that any relevant DSPs that are established in the UK and offer services in one or more EU Member States may be required to designate a representative in one of the EU Member States where they offer services. It remains unknown whether this will be required, and it may depend on the future agreements with each Member State of the EU.
DSP no-deal planning
Therefore in the event of a no deal, relevant DSPs ought to consider taking the following steps as part of their no-deal Brexit planning:
decide where they are established by looking at whether their ‘main establishment’ is in the UK or in an EU Member State:
if a DSP is established in the UK then it must register with the ICO and comply with the Regulations; or
if it is established in an EU Member State, then it must comply with the law in that particular EU Member State.
If the DSP’s main establishment is in the UK and it offers services to one or more EU Member States, then that DSP may be required to designate a representative in an EU Member State in which it offers services;
this representative must be established in one of the Member States in which the DSP offers services;
as the representative will be acting on the DSP’s behalf, it must be possible for competent authorities and/or the computer security incident response teams of the relevant EU Member State to contact the representative; and
when designating a representative, DSPs must write to the relevant EU Member State authority in accordance with that authority’s formal process.
Importantly, if a DSP designates a representative in an EU Member State, it will be under the jurisdiction of the Member State in which that representative is established, but the DSP will also be subject to English law if its main establishment is in the UK.
DSPs will also need to inform the ICO if their main establishment is in an EU Member State; if they have designated a representative in an EU Member State; or if their network and information systems are located in one or more EU Member States.
EU: Commission announces agreement on draft Cybersecurity Act
In December 2018, the European Parliament, the Council and the European Commission reached a political agreement on the EU Cybersecurity Act (the “Act”), which reinforces the mandate of the European Union Agency for Network and Information Security (“ENISA”) so as to better support Member States with tackling cybersecurity threats and incidents.
The Act was first proposed in 2017 as part of a set of measures to deal with cyber threats and to build cyber resilience across the EU. The Cybersecurity Act includes:
a permanent mandate for the EU Cybersecurity Agency, ENISA, to replace its limited mandate that would have expired in 2020, as well as more resources allocated to the agency to enable it to fulfil its goals;
a stronger basis for ENISA in the new cybersecurity certification framework to assist Member States in effectively responding to cyber incidents with a greater role in cooperation and coordination at European Union level;
a right for ENISA to increase cybersecurity capabilities at EU level and support capacity building and preparedness; and
a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU.
The framework for European Cybersecurity certificates will be the first internal market law that has the aim of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure through certification. This will allow EU citizens to ascertain the level of security assurance and it will ensure that the security features are independently verified. The aim is to encourage manufacturers to invest in the cybersecurity of their products enabling them to have a competitive advantage.
The European Parliament approved the new regulation in March 2019. It will now need to be approved by the Council of the EU and subsequently published in the EU Official Journal, entering into force immediately.
Further information can be found on the Europa website.
New cyber security standards for self-driving vehicles
On 19 December 2018, the British Standards Institute published a new cyber security standard for connected and autonomous vehicles and their platforms, which contains fundamental principles for the provision and maintenance of cyber security measures for increasingly connected transport ecosystems (which comprise vehicles, related infrastructure and human elements).
The standard is applicable throughout the entire automotive lifecycle – from design through operation to decommissioning – to ensure that the vehicles and related systems remain protected once they have been delivered into the market and are eventually safely retired. This guidance is intended to “set a marker” for those developing self-driving car technology; it is not mandatory nor is it intended to apply retroactively to existing vehicles and platforms.
The standard joins a growing body of legislation and guidance around connected and autonomous vehicles, including the government’s Key Principles of Cyber Security in Connected and Automated Vehicles (alongside which the new standard is intended to be read) and the Automated and Electric Vehicle Act 2018. Further legislation is expected once the Law Commission of England and Wales and the Scottish Law Commission conclude their current review into the legal framework required to support the use of autonomous vehicles in the UK. The ISO is currently at the committee stage in its development of a similar standard: ISO/SAE CD 21434 (Road Vehicles – Cybersecurity Engineering).
UK Government announces driverless cars to be on UK roads by end of 2021
On 6 February 2019, the UK Government announced plans to move forward on advanced trials for automated vehicles. Whilst only limited scale trials of fully driverless cars have taken place to date in Europe and the United States, more extensive testing is expected on public roads in the UK by the end of the year. The Department for Transport (DfT) issued a statement confirming it is “on track to meet its commitment to have fully self-driving vehicles on UK roads by 2021”. This was accompanied by plans to strengthen the code of practice for testing automation safety.
The DfT described its announcement as a “major boost” to the UK connected and autonomous vehicles market and estimates the industry will be worth £52 billion by 2035. However, a number of commentators in the industry remain sceptical about whether the Government’s time scale is practical given the number of outstanding issues and areas still to finalise before driverless cars will be commonplace on UK roads (including in respect of the self-driving technology itself).
Appropriate data protection and cyber security measures also remain a key priority. The recent announcement follows the British Standards Institute publishing a new cyber security standard for connected and autonomous vehicles and their platforms in December 2018 (see above), which contains fundamental principles for the provision and maintenance of cyber security measures for increasingly connected transport ecosystems (i.e. comprising vehicles, related infrastructure and human elements).
The standard joins a growing body of legislation and guidance around connected and autonomous vehicles, including the government’s Key Principles of Cyber Security in Connected and Automated Vehicles (which the new standard is intended to be read alongside) and the Automated and Electric Vehicle Act 2018. Further legislation is expected once the Law Commission of England and Wales and the Scottish Law Commission conclude their current review into the legal framework required to support the use of autonomous vehicles in the UK. The ISO is currently at the committee stage in its development of a similar standard: ISO/SAE CD 21434 (Road Vehicles – Cybersecurity Engineering).
The UK Government’s Cyber Security Skills Strategy
On 21 December 2018, the UK Government launched a Call for Views on its Initial National Cyber Security Skills Strategy. The closing date for responses was 6 March 2019, with the final strategy document expected to be published late in 2019.
Published alongside this strategy is the government’s response to the consultation on Developing the UK Cyber Security Profession (which included a proposal to develop a new UK Cyber Security Council). This and the Call for Views both feed into the broader National Cyber Security Strategy, which aims to ensure that “the UK has a sustainable supply of home-grown cyber skilled professionals to meet the growing demands of an increasingly digital economy, in both the private and public sectors, and defence.”
A recent government-commissioned study reported that 54% of businesses and charities face a “cyber security skills gap”, with employers either unable to find recruits with the necessary skills, or being able to do so but at a premium that some organisations are unable to afford.
The Call for Views frames this challenge as not only one of ensuring that there are sufficient cyber security professionals in the UK, but also ensuring that these professionals possess the correct level and “blend” of expertise. The challenge is heightened by the acceleration of the rate of technological innovation and adoption, such as the growing importance of AI, machine learning and the Internet of Things.
The aim is to address the broader cyber security skills gap to ensure that the workforce has (and will continue to have) the requisite skilled professionals so that organisations and their staff can manage cyber security risks effectively, and to ensure that individuals are equipped with a basic understanding of the value of their personal data and how to practise basic “cyber hygiene” to keep themselves and their employers safe.
Cyber insurance: the impact of evolving legal and regulatory risk
Cyber insurance is still (just about) the new kid on the block. It is commonly thought of as a tool to mitigate exposure to ever-evolving cyber risks. That is right, up to a point; but the increasing exposure of business to losses potentially covered by cyber insurance is, in our view, in material part driven by changes in the legal and regulatory risk environment.
Please see our recent article here discussing the legal and regulatory risks involved with cyber insurance.
EU recalls children’s smartwatch over data fears
In February 2019, the EU Commission ordered a recall of a brand of a children’s smartwatch because it left children open to being contacted and located by malicious users and posed a serious safety risk. It is believed that this is the first recall issued for a product that does not protect user data.
The device, which comes fitted with a GPS, microphone and speaker, comes with a companion app that allows parents to oversee the location of the wearer and contact them. The EU Commission has said that the data the smartwatch holds, such as location history, phone numbers and serial numbers, can be easily retrieved and changed.
The alert to the EU Commission was submitted by Iceland. The manufacturers of the watch, Enox, have stated that the watch had passed tests carried out by German regulators in 2018 allowing it to be sold and that the company plans to lodge an appeal with the EU Commission.
Japan adequacy decision adopted by the EU Commission
On 23 January 2019, the EU Commission adopted a decision confirming the adequacy of Japanese data protection laws for the purpose of transferring personal data from the EU to Japan in compliance with the international data transfer restrictions set out in Chapter V of the GDPR.
For further information, please see our blog post here.
Russia to test cyber-war defences
In October 2018, the UK Government published new measures to assist manufacturers to boost the security of internet-connected devices such as home alarm systems, fridges and toys.
Within the next three years, there are expected to be more than 420 million internet-connected devices in use throughout the UK, and poorly secured devices can leave people exposed to security issues and large-scale cyber-attacks.
To deal with this, the Department for Digital, Culture, Media and Sport, working in collaboration with the National Cyber Security Centre, have published plans in a “Secure by Design” review to embed security in the design process rather than seeing it as an afterthought.
The new Code of Practice was developed with industry to improve cyber security, encourage innovation and keep consumers safe. It outlines thirteen guidelines that manufacturers of consumer devices should implement into their product’s design to enhance safety. This includes secure storage of personal data; regular software updates to make sure devices are protected against emerging security threats; no default passwords; and making it easier for users to delete their personal data from the product.
Technology companies HP Inc. and Centrica Hive Limited are the first companies to sign up to commit to the code. The Government has also published a mapping document to make it easier for other manufacturers to follow in their footsteps and further work is underway to develop regulations that will strengthen the security of internet-connected consumer products.
EBA publish revised Guidelines on outsourcing arrangements
In February 2019, the European Banking Authority (“EBA”) published revised Guidelines on outsourcing arrangements which aim to establish a harmonised framework for financial institutions, namely credit institutions and investment firms, as well as payment and electronic money institutions.
The Guidelines contain specific provisions relating to the security of data and systems of outsourcing providers. The Guidelines state that institutions and payment institutions should:
ensure that service providers comply with appropriate IT security standards;
define data and system security requirements within the outsourcing agreement and monitor compliance on an ongoing basis;
adopt a risk-based approach to data storage and data processing location and information security considerations when outsourcing to a cloud provider involves the handling of personal or confidential data; and
take into account differences in national provisions regarding the protection of data.
Please see the EBA Guidelines for further information.
NEW LAW ON CYBERSECURITY IN VIETNAM
Vietnam’s highly publicised Law on Cybersecurity became effective on 1 January 2019. The law prohibits the spread of ‘offending information’ (which includes anti-state information) and imposes a variety of obligations on businesses providing their services on a telecommunications network or on the Internet, including that they must:
verify users’ information;
disclose users’ information if requested by the Cybersecurity Task Force (“CTF”);
censor offending information within 24 hours and deregister the individuals responsible for the information; and
set up local offices in Vietnam.
While the law is drafted at quite a high-level, if it is implemented to the fullest extent, the Law on Cybersecurity stands to cause a significant burden for businesses. For example, the government has the power to inspect any IT system of a relevant entity and can also block or terminate the operation of any IT system. The Vietnamese government has signalled that it means business and will strictly enforce the new law, with a number of explanatory regulations apparently in the pipeline. Already, on 9 January 2019, the Vietnamese government accused Facebook of breaking the new Law on Cybersecurity by allowing Vietnamese citizens to post anti-government comments.
NEW CYBERSECURITY GUIDELINES FOR SINGAPORE BANKS
On 6 September 2018, the Monetary Authority of Singapore (“MAS”) issued a Consultation Paper which proposes requirements for Financial Institutions (“FIs”) in Singapore to implement certain minimum cyber security measures to protect their IT systems from malicious interference. The Consultation Paper encompasses a draft Notice on Cyber Hygiene (the “Draft Notice”) which prescribes a set of essential cyber security practices that FIs must put in place to manage cyber threats. While MAS has previously (in 2013) issued non-binding Technology Risk Management Guidelines and issued a Notice on technology risk management, the Draft Notice shows MAS’ renewed focus on strengthening FIs’ cyber resilience. Notably, MAS is also looking to make six of the measures from the Technology Risk Management Guidelines legally binding. The consultation period is closed.
In addition, the Association of Banks in Singapore, with support from the Monetary Authority of Singapore, has developed a set of cybersecurity guidelines titled the “Adversarial Attack Simulation Exercises (“AASE”) Guidelines” or “Red Teaming Guidelines” designed to strengthen the cyber resilience of the sector. The AASE guidelines provide FIs with best practices and guidance on planning and conducting simulated cyber-attacks to ensure they are testing for the most current threats.
NEW THAI CYBER WATCHDOG
Thailand’s junta has proposed a new cyber law regime that would grant the authorities the power to access any private sector computer system, a tool they say is needed to defend against hackers. The proposed legislation includes the creation of a National Cyber Security Committee (NCSC), which would be chaired by Prime Minister Prayut Chan-o-cha. The committee would oversee cyber defence capabilities and would be authorised to access any private company or citizen’s computer with a court order. While originally framed as a law which would stamp out Internet scams and fake news, some commentators and businesses are alarmed that the drafted law could have broader reach and consequences.
CHINA CYBERSECURITY AND DATA PROTECTION: UPDATE
Please click here to view our recent monthly update on Chinese cybersecurity and data protection.
US TREASURY DESIGNATES IRAN-BASED FINANCIAL FACILITATORS OF CYBER ACTIVITY AND IDENTIFIES ASSOCIATED DIGITAL CURRENCY ADDRESSES
In November 2018, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that they had taken action against two Iran-based individuals, who had helped exchange Bitcoin ransom payments into Iranian rial on behalf of Iranian malicious cyber actors involved with the SamSam ransomware scheme that had over 200 known victims in the US.
OFAC also identified the two digital currency addresses associated with the two individuals. Over 7000 transactions in bitcoin, worth millions of US dollars, were processed through the addresses. The digital currency addresses converted Bitcoin into Iranian rial and deposited the rial into Iranian banks.
To execute the SamSam ransomware attack, the individuals exploited computer network vulnerabilities to gain access and copy the SamSam ransomware into the network. Once in the network, the individuals were able to use the ransomware to gain administrator rights allowing them to take control of a victim’s servers and files, without the victim’s knowledge. The individuals would then demand a ransom be paid in Bitcoin in order for a victim to regain access and control of its own network.
FINRA REPORT: CYBERSECURITY PRACTICES 2018
In December 2018, the US Financial Industry Regulatory Authority (“FINRA”) published its Report on Selected Cybersecurity Practices - 2018 (the “Report”). The Report is a detailed review of effective information controls at securities firms and represents the newest initiative in FINRA’s ongoing effort to help broker-dealers (including small firms) to further develop their cyber security programs. The Report references five main topics:
cyber security controls in branch offices;
methods of limiting phishing attacks;
identifying and mitigating insider threats;
elements of a strong penetration-testing program; and
establishing and maintaining controls on mobile devices.
FEDERAL DATA CARE ACT MAY IMPOSE HEIGHTENED DUTIES ON TECH COMPANIES
Legislation has been introduced in the US Senate that, if enacted, would hold tech companies responsible under federal law for the security of the personal data they store, and which ultimately may inch the US closer to a federal data protection law.
In December 2018, several US Senators introduced the Data Care Act, which would “establish duties for online service providers with respect to end user data that such providers collect and use.” The bill broadly defines “online service provider” (“OSP”) as an entity that does business “over the internet or any other digital network” and collects “individual identifying data” (“IID”) about end users (IID being data which is linked or reasonably linkable to a specific end user, or to a computing device associated with or routinely used by such end user).
The bill lacks many specifics, including as to the security standards OSPs would be expected to follow. Instead, the statute would impose three duties on OSPs, which are modelled on fiduciary duties imposed on bankers, attorneys and health professionals with respect to data protection:
Duty of care: OSPs must reasonably secure IID from unauthorized access, and must promptly inform an end user of any breach that involves sensitive consumer information.
Duty of loyalty: OSPs may not use IID or data derived from IID in any way that will benefit the OSP to the detriment of an end user, and which either will result in reasonably foreseeable and material physical or financial harm to an end user, or would be unexpected and highly offensive to a reasonable end user.
Duty of confidentiality: OSPs may not disclose, sell or share IID with a third party, except where such disclosure is consistent with the duties of care and loyalty, and only after that third party agrees to abide by the same duties toward the end user imposed on the OSP. OSPs also would be required to take reasonable steps (including via audit) to ensure third party compliance.
The bill contemplates enforcement by the US Federal Trade Commission (“FTC”), the most active consumer privacy regulator at the federal level, and would authorise the FTC to issue regulations expanding the duty to notify end users about breaches involving IID other than “sensitive data” if warranted. State attorneys general also may bring enforcement actions against OSPs on behalf of state residents.
The bill was referred to the Senate’s Committee on Commerce, Science, and Transportation, and at present no vote is scheduled. At this point, it is unclear whether the bill will gather significant support in the Senate. It is possible that the bill will be folded into more encompassing federal privacy legislation. Such legislation, long a goal of US privacy advocates as well as some tech companies, would replace the current patchwork of state-based privacy laws and reduce complexity and the cost of compliance to regulated businesses.
CALIFORNIA ATTORNEY GENERAL CONSIDERS REGULATIONS TO ENFORCE STATE PRIVACY LAW, AS OTHER STATES PAY CLOSE ATTENTION
We previously reported on the enactment of the California Consumer Privacy Act of 2018 (“CCPA”), which expands the rights that California residents have with respect to their personal information. California’s Attorney General (“CA AG”) has since commenced a series of public hearings intended to inform regulations that the CA AG is expected to issue to implement various provisions of the CCPA and establish compliance regimens for regulated businesses.
Briefly, the CCPA (among other things) gives California residents the right to request a regulated business to disclose data collection and sharing practices, to request deletion of their personal information, and to opt out of the sale of their personal information by a business. Regulated businesses are also prohibited from selling personal information of residents under age 16 absent parental opt-in. As a practical matter, the CCPA will apply to businesses that do any significant online business with California customers, even if those businesses do not have a physical presence in the state.
The CA AG has scheduled a series of six public hearings, in January and February 2019, and has solicited public comments to inform the rulemaking process and the resulting regulation. The timing indicates that the CA AG intends to pursue regulations in short order, which is important since enforcement of the CCPA cannot begin until the earlier of 1 July 2020 or six months after the CCPA regulations are published. Among other comments, advertising industry organisations recently argued to the CA AG, in a 31 January 2019 submission, that while the CCPA enables consumers to opt out of the sale of their data or to delete their data, it does not permit a business to offer a consumer the choice to delete or opt out regarding some, but not all, of his/her data. Per the advertising groups, the CA AG should make clear that businesses may offer options to consumers to choose the types of sales they want to opt out of, the types of data they want deleted, or to completely opt out, and not impose what the advertising groups describe as an “all-or-nothing option.” These and other general contours of the CCPA will need to be addressed by the CA AG in the forthcoming regulations, and various stakeholders will be advocating their positions in the coming weeks.
California’s rulemaking process is also being watched by attorneys general and privacy regulators in other states, and some form of the CCPA and its attendant regulations may be adopted by other states frustrated by the slow pace of federal privacy regulation. The possibility of even more patchwork privacy regulation at the state level, in the view of most if not all businesses, further augurs for a uniform federal privacy standard.
NIST RELEASES DRAFT REPORT ON INTERNET OF THINGS CYBERSECURITY RISKS
As regulators, businesses and consumers continue to grapple with the proliferation of the devices, appliances and equipment that are connected in cyberspace, the US Department of Commerce’s National Institute of Standards and Technology (“NIST”) released a draft report which acknowledges the rapidly evolving and expanding collection of diverse technologies interacting with the physical world, along with stakeholders’ interest in reasonable but commercially practicable cybersecurity and data privacy measures for Internet of Things (“IoT”) devices.
The draft, formally known as Internal Report 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, leaves the term IoT broadly defined, given the wide variety of different IoT devices and applications across a broad range of business sectors. In addition, while the report calls for organisations to address relevant cybersecurity and privacy risks during the entire lifecycle of connected devices, its approach calls for businesses themselves to determine the particular security and privacy challenges presented by their respective devices using a device- and sector-specific approach.
The draft NIST report identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices. The first is that “[m]any IoT devices interact with the physical world in ways conventional IT devices usually do not.” Thus, organisations need to assess and address cybersecurity and privacy concerns regarding those IoT devices that make changes to physical systems. Second, “[m]any IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.” Having to undertake tasks manually for numerous IoT devices, expand familiarity and tools to address a broader range of IoT device software, and address risks with manufacturers and other third parties able to access or control IoT devices remotely, may be required. And third, “[t]he availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.” Thus, organisations may need to identify, implement, and manage additional controls, and decide an appropriate response to risk in the absence of sufficient controls for reducing risk.
The report additionally sets out three high-level risk mitigation goals in the context of cybersecurity and privacy risks, namely protecting device security, data security, and individuals’ privacy. In addition, the report notes that all IoT devices need to be prevented from being used to conduct attacks. Depending on the particular IoT devices and data at issue, in some cases, only device security may be required, while for others, data security may also be necessary, and in some cases privacy as well. The draft report, and the comments received in response to it, will likely result in further guidance documents and potential regulation to enable government agencies and other organisations to better understand and manage IoT device cybersecurity and privacy risks.
US GOVERNMENT REPORT DETAILS RISKS OF ECONOMIC ESPIONAGE IN CYBERSPACE
In its 2018 Foreign Economic Espionage in Cyberspace Report, the US National Counterintelligence and Security Center (“NCSC”) addressed current threats and future trends in state-sponsored espionage efforts to obtain US intellectual property, trade secrets, and proprietary information.
Per the NCSC report, international economic and industrial espionage continues to present a significant threat to both the US economy and global trade. The report identifies a broad range of threat actors operating in cyberspace, including adversarial nation-states, commercial enterprises under state influence, and sponsored activities by proxy hacker groups. It cautions that next generation technologies, such as artificial intelligence and IoT, will introduce new vulnerabilities “for which the cybersecurity community remains largely unprepared.”
The NCSC report singled out state intelligence services (and those working on their behalf) as representing the most persistent and pervasive cyber intelligence threat. In particular, it highlighted China, Russia and Iran as three of the most active cyber actors tied to economic espionage and the potential theft of US trade secrets and proprietary information, though the report noted that even countries with closer ties to the US have conducted cyber espionage seeking US technology.
Potentially disruptive threat trends, in NCSC’s view, include software supply chain infiltration, which per the report already threatens the critical infrastructure sector and may threaten other sectors, providing opportunities for cyber espionage and organisational disruption. In addition, the report advised that new laws and increased risks from non-US technology companies tied to local governments may pose new threats to US entities (citing to China’s 2017 cybersecurity law requiring foreign companies to submit their technology to the Chinese government for national security reviews, and Russia’s mandated source code reviews, overseen by Russian intelligence, to approve foreign technology to be sold there).
The NCSC report highlighted energy, biotechnology, defence, environmental protection, high-end manufacturing, and information/communications technology as the US industrial sectors and technologies upon which non-US actors are likely to focus. In addition, US research institutions, universities, and corporations are regularly targeted in search of proprietary information.
As this report illustrates, the US perceives economic and industrial espionage threats from abroad, and that recognition may form the basis for further US government legislative, regulatory and intelligence action against state actors and others deemed responsible for such perceived threats.
US CREATES CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
President Trump has signed into law the Cybersecurity and Infrastructure Security Agency Act, which established a new agency, the Cybersecurity and Infrastructure Security Agency (“CISA”), within the US Department of Homeland Security. CISA’s mission will be to protect US critical infrastructure from physical and cyber threats, and to promote effective coordination among a broad spectrum of government and private sector organisations.
The Act, enacted in November 2018, established three divisions in the new agency: Cybersecurity, Infrastructure Security and Emergency Communications. The Cybersecurity Division will work with government and private sector organisations to ensure US cyber infrastructure security and resilience. It includes the National Cybersecurity Communications Integration Center, the primary US cyber defence, incident response and operational integration centre. The Infrastructure Security Division will coordinate security and other efforts via partnerships across the private and public sectors, while providing training, technical assistance, and assessments to federal entities and infrastructure owners and operators nationwide. Through the Emergency Communications Division, CISA enhances governmental public safety communications at all levels, providing training, coordination, tools and guidance in developing emergency communications capabilities.
The creation of CISA, which includes the elevation and expansion of existing resources and capabilities, reflects recognition of the priority placed on defending and securing core infrastructure and cyber platforms from evolving and anticipated threats.
OATH (FORMERLY AOL) AGREES TO PAY RECORD CHILDREN’S PRIVACY SETTLEMENT
In December 2018, the New York State Attorney General (“NY AG”) announced a “record settlement” with Oath, Inc., formerly known as AOL, in connection with alleged violations of the federal Children’s Online Privacy Protection Act (“COPPA”), in what was described as the largest-ever penalty in a COPPA enforcement matter.
COPPA was enacted in 1998 to protect children’s online safety and privacy. The law prohibits operators of certain websites from collecting, using, or disclosing personal information (such as first and last name or e-mail address) of those under age 13 without prior parental consent. Operators of websites and online services directed to those under 13, or that have actual knowledge they are collecting personal information from those under 13, are subject to COPPA. COPPA can be enforced by the US Federal Trade Commission and by state attorneys general.
Per the NY AG, AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to those under 13. The NY AG alleged AOL thereby violated COPPA by collecting, using, and disclosing personal information from the websites’ users, enabling advertisers to track and deliver targeted ads to young children.
Oath Inc. agreed to pay US$4.95 million in penalties and to implement comprehensive reforms to its policies and procedures to protect children from improper tracking. Among other things, the agreement requires the company to establish and maintain a comprehensive COPPA compliance program that includes identifying risks that could result in a violation of COPPA, designing and implementing reasonable controls to address those risks, regularly monitoring the controls’ effectiveness, and developing and taking reasonable steps to select and retain service providers that can comply with COPPA. It also requires the company to retain an objective, third-party professional to assess the implemented privacy controls, and to implement and maintain functionality to identify whether particular ad space is subject to COPPA. The agreement also requires destruction of all personal information collected from children that is in the company’s possession, custody, or control, unless it is required to be maintained by law, regulation, or court order.
The size of the penalty and the extent of the remedial measures imposed in this case reflect the priority placed on protecting children’s privacy in the face of allegedly improper ad targeting and tracking.
US SECURITIES REGULATOR CONTINUES ITS PURSUIT OF CYBER FRAUD BY NON-US ACTORS
The US Securities and Exchange Commission (“SEC”) in January 2019 brought charges against several parties alleged to have participated in a scheme to infiltrate the SEC’s “EDGAR” database to extract non-public information to be used in illegal securities trading.
EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) performs certain automated functions with respect to the submissions filed by SEC-regulated entities. Per the agency, nine defendants (two organisations, a Ukrainian hacker and securities traders operating in Ukraine, Russia and California) engaged in a scheme to bypass EDGAR controls that require user authentication, and thereafter obtained non-public test files. Securities issuers may submit such test files in advance of making their official filings to help ensure that the EDGAR system will process the filings as intended. Test files can include confidential information as well as earnings results that have yet to be made public. The SEC asserts that after certain defendants illegally obtained the inside information, they passed it to various traders to buy and sell securities.
The SEC has charged the defendants with violations of US securities law, and among other things seeks restitution of the ill-gotten gains along with monetary penalties. Criminal charges also have been filed. The investigation shows the SEC’s continued emphasis on identifying and prosecuting securities violations originating in cyberspace, even where the actors are located outside the United States.
THE ASSISTANCE AND ACCESS ACT 2018
In December 2018, the Australian Federal Government passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (the “Act”), which received Royal Assent. The Act amends the Telecommunications Act 1997 (Cth), among other Acts. The features of the Act that have captured the most public attention relate to the frameworks it establishes for law enforcement and intelligence agencies to make voluntary and mandatory requests for the provision of industry assistance, via what are referred to as ‘technical assistance requests’, ‘technical assistance notices’ and ‘technical capability notices’.