Analysis: The National Audit Office (NAO) Investigation into WannaCry

By Dan Hyde

The Breach

Friday 12 May 2017 was a Black Friday in the truest sense of the word: not a day of panic in trying to grab a bargain in discounted sales, but a day that witnessed a global ransomware attack now known as WannaCry. The attack was indiscriminate and, whilst one of the major victims was our NHS, it was certainly not targeted. The cyber-attack affected some 100 countries and in excess of 200,000 computers. The exact numbers and full extent will never be known. Perhaps more surprisingly, the cost to the NHS will also not be known as, despite investigation by the Department of Health and a report from the National Audit Office, we are informed that the cost is not calculable; much of the data as to the full impact of the attack is seemingly lost or unavailable. If true, there are shoddy systems in place at the NHS.

There were certainly shoddy systems in terms of IT and cybersecurity. For a start, the infection by the WannaCry ransomware was entirely avoidable. Every single NHS organisation that was infected by WannaCry had unpatched or unsupported Windows operating systems that enabled the infection. Significantly, in March 2017 Microsoft had issued updates that NHS Trusts using Windows 7 could have adopted to protect themselves. Further, on 17 March 2017, NHS Digital had issued a CareCERT asking NHS Trusts to apply the Microsoft update. If the Department of Health's figures are to be relied upon, more than 90% of the devices in the NHS are operating on Windows 7, so that 90% of those devices would have been protected had they been patched in line with the NHS Digital request. Trusts running the older Windows XP operating system on devices had been expressly notified that they were to migrate away from its use, yet when the attack came on 12 May 2017, approximately 5% of the NHS was still reliant on an outdated Windows XP operating system. Windows XP can, however, be patched and, following the attack, Microsoft issued an XP update that would have prevented the ransomware infection.

This non-targeted ransomware attack was spread via the internet and caught the NHS, which was exposed due to its unpatched Windows systems. Even this exposure would not have been fatal had effective firewalls been in place to repel the threat, but there was no such line of defence: firewalls had not been maintained, so even this basic shield was missing. Prior to this Black Friday the NHS had no joined-up cyber security and a culture of woeful non-compliance; as at 12 May 2017 only 88 out of 236 Trusts had been subject to a cyber security inspection by NHS Digital. Of the 88 inspected, not a single Trust passed. The inspections were voluntary, and CareCERTs requesting updates and other basic cyber security measures were treated as voluntary and largely ignored. The NHS Trusts were silos and the Department of Health had no knowledge as to which had complied with the requests. The Department of Health was itself unprepared; it was warned a year before the attack that it was at risk, yet did not provide any written report in response until two months after the attack, in July.

The Breach Response

So what happened after the initial breach?

Sadly the NHS had no proper breach response plan or, if it did, it did not have one worth having. History tells us that one of the key features of a cyberattack is the communication blackout that follows. It was Maersk's lack of preparedness for this that caused such bewilderment, and the same was true of the NHS. The very first hurdle, the loss of key communication systems, was not properly prepared for, and staff were left scrabbling for personal mobiles in order to try to send WhatsApp messages, which only worked where the contact happened to be in their personal contact list. Roles, responsibilities and reporting lines were not properly defined, with the result that emergency calls were made to various local and national agencies and emergency services in the uncoordinated, disorganised panic that followed the attack.

It is arguably better not to have any breach response plan than one that is merely a box-ticking exercise that leads, as here, to complacency and increased confusion when the attack hits. Incident response plans should be tested in a realistic way: there needs to be a drill in which systems are not available for use, so that staff become familiar with whom they contact and how, and with a step-by-step means of limiting damage and restoring and recovering systems.

In conclusion, the NHS had a woefully inadequate breach response plan which arguably wasn't a plan at all, but rather an unpractised and ineffective hypothetical policy that none of the key personnel were sufficiently familiar with. The recovery was aided by a cyber-security researcher who activated a kill switch; his action prevented WannaCry from locking out further systems and devices.

That was by luck or intuition rather than design, as it was not in pursuit of any implemented national cyber security policy. NHS England's IT department did not even have on-call emergency facilities in place, so there was a reliance on IT staff attending work voluntarily to assist in firefighting. The National Cyber Security Centre and National Crime Agency also pitched in, assisting the NHS and other affected organisations; it is unclear just how much worse the lines of communication and the impact might have been but for that external assistance.

Lessons learned?

The disjointed structure of the NHS gives little cause for hope. The Department of Health has overall responsibility for cyber security but this is delegated down to a myriad of Trusts, GP Practices and social care providers. History tells us that these organisations do not all march in step and have previously failed to heed warnings or requests. The NHS has now declared “the need to improve the protection from future cyber-attacks” but how will it actually implement such a statement of intent when it comprises silos that are seemingly ungovernable? It sets out a number of key measures namely:

  • To develop a response plan.
  • To ensure “critical” CareCERT alerts are implemented.
  • To ensure essential communications get through during an incident when systems are down.
  • To ensure organisations, staff and boards take the threat of cyber-attack seriously, work proactively to maximise resilience and reduce the impact on patient care.

This all sounds rather trite. The NAO report found that a cyber-breach response plan had already been developed on 12 May when the attack hit. It was not the absence of a plan but rather the inability to put any plan into practice that was at the heart of the failure. That can only be taught through cyber drills that replicate the loss of communication and key system support.

There needs to be a scheme of regulation and a compliance regime with teeth to ensure that there are routine checks and sanctions for those who fail to adhere to CareCERTs. In terms of practical steps, the Department of Health should be setting a minimum number of drill targets, rather like fire drills, backed by mandatory inspections by NHS Digital or external inspectors; if an organisation fails inspection there should be immediate action to remedy and a follow-up test. I have no doubt that the NHS and its constituent parts will take cyber-attacks more seriously going forward, but deeds not words are required. On this evidence I remain unconvinced that this will happen.


Money Laundering and Virtual Cryptocurrencies

By Sam Thomas

On 12th October 2017, Bitcoin, a decentralised virtual cryptocurrency, soared above $5,000 to reach a record high. This came only a month after Jamie Dimon, the Chairman and CEO of JP Morgan Chase described the currency as a fraud that would blow up, and was only useful ‘if you were a drug dealer’.

Despite such warnings, cryptocurrencies are growing in acceptance. In September 2017, a London property developer, The Collective, said it would allow its tenants to pay deposits in Bitcoin and would soon accept rent payments in cryptocurrency. The very next day, entrepreneur Baroness Michelle Mone OBE indicated that properties within the Aston Plaza development in Dubai could be purchased using Bitcoin.

So are Bitcoins for the criminal class, or are they the payment method of the future?

There is little doubt that cryptocurrencies avoid many anti-money laundering (AML) provisions in relation to identity. Decentralised systems are particularly vulnerable to anonymity risks. By design, Bitcoin addresses, which function as accounts, have no names or other customer identification attached, and the system has no central server or service provider. The Bitcoin protocol does not require or provide identification and verification of participants or generate historical records of transactions that are necessarily associated with real world identity.

Identities can be further obscured through a ‘mixer’ or ‘tumbler’. A mixer sends transactions through a complex, semi-random series of dummy transactions that makes it difficult to link specific virtual coins (addresses) with a particular transaction. Bitcoin users thus have an anonymity that is impossible with traditional currencies.

Virtual currencies also exist online across multiple jurisdictions, leaving responsibility for AML compliance and supervision unclear, with the strength of AML provisions varying across borders. In the UK, a Bitcoin exchange is not required to follow AML or ‘know your customer’ regulations. Within this jurisdiction Bitcoin is treated more like a commodity than a currency. If you tried to exchange Bitcoin for sterling you would not be charged VAT on the value of the Bitcoin, but would be charged on the commission for the exchange.

However, greater regulation is coming. In April 2017, Japan introduced legislation to protect users by making Bitcoin exchanges comply with AML regulations, while simultaneously authorising it officially as a normal payment method. Bitcoin exchanges are the easiest target for law enforcement agencies. Preventing criminal property from being converted into Bitcoin is far easier than distinguishing between legitimate and criminal currency once it has become virtual.

Russian hacking group ‘Fancy Bear’ has ‘Hit List’ including Secretary of State

By Sam Thomas

A hacking group tied to Russian military intelligence that infiltrated the Democratic National Committee (DNC) servers had a broad "hit list" that targeted perceived enemies of the Kremlin, which included Secretary of State John Kerry, Ukrainian President Petro Poroshenko, anti-corruption activist Alexei Navalny, and half of the feminist protest punk rock group Pussy Riot.

In addition to high profile targets, Fancy Bear's American hit list was aimed at workers for defence contractors such as Boeing, Raytheon and Lockheed Martin. The digital hit list was discovered by cybersecurity firm Secureworks.

Secureworks attributed the DNC attack to Fancy Bear in March 2016; however, third party groups including the Trump campaign and WikiLeaks were keen to suggest other perpetrators. This was despite 95% of the malicious links being sent during Moscow working hours.

The Fancy Bear campaign against the DNC demonstrates again that no institution, regardless of its level of cybersecurity, is impervious to attack. Businesses must be aware of the GDPR provisions, in force from May 2018, which require that the ICO is notified of any breach within 72 hours.

Do Legal firms have sufficient protection from a cyber breach?

By Sam Thomas

A National Cyber Security Centre report indicates that 62 percent of law firms have been subject to a cyber attack (this is 4.5 percent of UK data breaches), but only 35 percent have a response plan for a cyber assault.

The report, Cyber threats to the legal sector and implications to UK businesses, indicates that £85 million has been stolen from law firms in the 18 months to the end of 2016. And this does not even take into account firms who have chosen not to report to the Information Commissioner's Office (ICO).

With large firms such as DLA Piper subject to high profile attack, it appears that cyber security could be improved.

Under GDPR, a cyber breach must be reported to the ICO within 72 hours. Any professional services firm that does not have a reporting procedure ready for May 2018 should consider seeking legal advice as soon as possible. Fines for certain conduct under GDPR are as high as 4 percent of worldwide annual turnover or €20 million, whichever is higher.

The State of Data

By Dan Hyde

Data sovereignty and data security should not be confused. They may sound similar and there may be overlap, but they are not interchangeable concepts. The principle of data sovereignty is that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. This, in effect, is the nation state exerting ownership and national macro regulation over information it regards as its property. There may still be micro regulation applied by individuals and/or organisations in order to secure or protect the data but data sovereignty is governmental: it regulates who may access or control the data.

The approach to the security of data is one of the most significant issues facing governments, corporate entities and individuals. Such has been the understandable fanfare around the pending implementation (25 May 2018) of the GDPR in all EU Member States, that many are acutely aware and fearful of the new regulatory landscape and fines that will follow non-compliance.

What far fewer appreciate is that it has wider cultural ramifications. We may be witnessing the start of a philosophical divergence in the treatment of information protection across the globe.

The GDPR is the first attempt at a unified law to govern the collection, control and processing of personal data. But law is rarely without politics, and politics can be geographically sensitive. Significantly the GDPR emphasises the individual citizen and the sanctity of an individual’s personal data. This runs root and branch through the GDPR; from the need to show an individual has given active and demonstrable consent through to the embedded rights of the data subject (individual) to ensure that organisations only keep data for the purposes specified in the GDPR and that a data subject has a ‘right to be forgotten.’ This development ought to ensure that there is a sea change in the way that entities who are subject to European jurisdiction treat personal data. They become mere custodians of someone else’s valuable property (the individual’s data) and they are required to deal with that personal data in a way that is consistent with handling someone else’s item of significant value.

There are individual rights of redress built into the GDPR and evidence will be required to show that dealings in personal data have been conducted appropriately. In Europe then, the rights of the individual in relation to their data have been recognised as paramount. The UK will similarly adhere to this edict (there is no doubt as to that) and one might have hoped for global uniformity on the regulation and philosophical treatment of information. Or perhaps not. Significant cyber security legislative initiatives have occurred in China, Russia and the United States. The result is a divergence in philosophy and a rejection of the European model of individual data protection values.

In the cases of China and Russia the role of the state in data protection and management has been placed at the epicentre of regulation. Data sovereignty or data of the state are the guiding, dominant policies at play.

On 1 September 2015, the Russian Federation passed a law which required personal data relating to Russian citizens to be stored on servers physically located within the country. For Russia, such information belonged to Russia and it would remain within its national borders. Companies including Viber and eBay complied, and moved relevant personal data to Russian servers. Google reportedly also complied. Facebook, Twitter and LinkedIn decided not to comply with the new requirements. Roskomnadzor, the Russian regulator, sued LinkedIn for non-compliance, and won its case twice, first in a lower court in August and then again, on 10 November 2016, in a Moscow city court. At this point access was blocked.

Roskomnadzor made it clear that compliance would require moving Russian users’ data onto Russian soil and amending the company’s user agreement, which states that the company collects not only personal data of its users but also personal metadata (IP addresses and cookie files) of its website’s visitors. In Russia, then, nation state regulation - data sovereignty - trumps individual data rights. The GDPR, its notions and philosophies have no place in Russia.

China’s new Cyber Security Law commenced on 1 June 2017. It should be noted that prior to 1 June 2017, any European model of personal data protection law had not been recognisable in China. Indeed, China had not previously passed any meaningful comprehensive data protection legislation that regulated the collection, control and processing of personal information. On 1 June that changed, but whilst China’s Cyber Security Law does give a nod to the protection of an individual’s rights, it has State interest and sovereignty at its heart.

The new Chinese Cyber Security Law impacts on what it terms ‘network operators’ who, when handling personal information, must abide by regulations that chime with the GDPR, namely (in broad terms) that:

  • The collection and use of personal information must be lawful, proper and necessary.
  • The purpose, method and scope of collection and use must be transparent and consensual.
  • Personal data must not be disclosed, altered or destroyed without appropriate consent.
  • Data breaches must be reported and remedial steps taken.
  • Requests for deletion (akin to the right to be forgotten) or correction must be dealt with.

But this nod to the protection of the individual is secondary to the interests and sovereignty of the State. The definition of ‘network operators’ in the Cyber Security Law is so widely drawn that it would cover even the domestic user with more than a single computer (or indeed a device such as a phone) with access to a printer. In short, almost everyone is caught and those deemed ‘critical information infrastructure operators’ (‘CIIOs’) are forced to physically store within China (i.e. within its geographical borders) personal information and important data which was produced within China. In short this Chinese data must be physically kept on servers within China, thus chiming with the law in Russia. The State may also conduct what are termed ‘security risk assessments’ to trawl through all their data. The new Cyber Security Law allows extensive State intrusion and is aimed at keeping ‘critical’ Chinese data in China. Data sovereignty at its highest. The definition of CIIOs may be so broad as to ensure China can exert influence wherever it sees fit and it applies to non-Chinese operators as well as those in China as no distinction is made between internal or external networks. In practice the State will have to ensure personal information it regards as important remains on servers within China: any attempt to transfer will then be subject to the ‘genuine business need’ test after an intrusive State assessment.

In the US, the right of an individual in relation to data could be said to have been diminished by the repeal of regulations requiring internet service providers to do more to protect customers’ privacy than websites like Google or Facebook.

The initiative, introduced during the Obama Administration, had sought to restrict the ability of internet providers to use information such as location, financial information, health information and web browsing history for advertising and marketing purposes. The rules made it unlawful to use such information without obtaining appropriate consent. The decision of the Senate to vote down these provisions was based on the assertion that they would lead to a different set of regulations for internet providers and websites. The sale of personal information collected by retailers is huge business in the US. The really significant issue is how to mesh these different approaches, and whether that is even possible.

Whilst, certainly in the case of Russia and China, the centre of data protection and management is the State, that is not the case in Europe and, seemingly, the United States. In Europe the individual is paramount. In the United States, corporations appear to have scored a major victory. So where does that leave the possibility of a consistent approach to data protection and management across the world? In tatters.

A global entity doing business in each of the jurisdictions discussed above will be faced with regimes and policies which are at odds with each other. How will, for example, an entity free to sell data in the US deal with the need to obtain active and demonstrable consent to such a course of action in Europe? The requirement in Russia or China to ensure that data is subjected to scrutiny by the State will impact on the rights of the subject if they are European. The GDPR envisages only allowing data transfers to jurisdictions that have ‘adequate’ measures to ensure consistency of approach. The ability to sell personal data for advertising purposes does not sit well with the cornerstone of the sanctity of an individual’s personal data.

How will it be dealt with if an organisation in Europe has dealings in Russia and has to subject itself to State scrutiny of personal data? Will the relevant supervisory authority allow that entity to trade in that jurisdiction without sanction?

The global economy is here to stay. However, the lack of a unified philosophical approach to data protection and regulation will be a serious hindrance to its development. So long as nation states decree that your information is their sovereign property and that data philosophies diverge as to the weight to be given to individual rights, there can be no uniformity in global data regulation. For me the only surprise is that anyone should be surprised.

US Government Bans Kaspersky Lab Software

By Sam Thomas

On Wednesday 13 September, through a binding directive, acting Homeland Security Secretary Elaine Duke ordered that federal civilian agencies identify Kaspersky Lab software on their networks and, unless otherwise directed, remove the software within 90 days.

The Department of Homeland Security indicated there were concerns "about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks."

Kaspersky Lab replied: “Kaspersky Lab has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.”

However, it is the identification of Russian legislation that might compel the company which is most important in a commercial context. Data sovereignty laws in Russia could potentially be used to access personal data, and are likely to be incompatible with US and EU legislation. Firms with a presence in Russia must be aware.

Chinese data law compliance to be reviewed within 2017

By Sam Thomas

Chinese data sovereignty laws, passed in November 2016, came into effect on 1 June 2017; however, Chinese authorities had previously indicated a grace period of 19 months before Beijing would enforce them.

Now the National People's Congress (NPC) Standing Committee announced that six inspection teams will be sent to Chongqing Municipality, Inner Mongolia Autonomous Region and provinces of Heilongjiang, Fujian, Henan and Guangdong in September and October before an enforcement report is submitted to the NPC in December.

Under the cybersecurity and data laws, restrictions apply to the storage and transfer of data by 'critical information infrastructure operators', a term that remains ambiguous in both the legislation and the guidance.

Similarly, critical information infrastructure operators must store personal information, and "other important data," that they gather or produce during their operations in China, in mainland China. However, what constitutes 'important data' is unclear. 

Cyber Counsel has been up-to-date with the new Chinese legislation since coming into force (See: Blog, 30 May) and have been published in the area of data sovereignty (See: The Sovereignty of Data, The Global Legal Post). 

Businesses trading from China must undertake an information audit as soon as possible to address whether information being transferred is truly necessary for business requirements. A sufficient security assessment is also crucial to meet the new legislation.

Turla: Advanced, active and targeting embassies

By Sam Thomas

The Russian-based espionage group Turla has been considered the most sophisticated and feared cyber assault team of the last two decades. Whereas other groups often use open source malware from GitHub, Turla spends time and money developing spearphishing deliveries such as 'Skipper', which creates a first-stage backdoor, and secondary backdoors such as 'Carbon' and 'Kazuar', which strive to remain hidden for long periods after the initial attack has been detected.

ESET now reports that a new secondary backdoor, 'Gazer', has been active since February 2016, targeting consulates and embassies throughout Southeastern Europe, former Soviet states and parts of Latin America. The attack focus of this malware may lead many businesses to ignore the risks presented by Turla; however, Carbon, Kazuar and Gazer remain hidden by receiving instructions through legitimate websites that have been compromised by the Turla group.

Businesses using the WordPress CMS should be aware that their websites may be used as a first-layer proxy for an advanced persistent threat (APT).

Cyber threat to Asia a warning to Europe and US

By Sam Thomas

In the last 18 months cyber attacks in Asia have affected a database of 55 million voters at the Philippines Commission on Elections, targeted the National Payment Corporation of India, and stolen US$81 million from the Bangladesh Central Bank. Shahmeer Amir, Veiliux Pakistan CEO, indicates: "Every organisation in Asia has been breached or is about to be breached." 

This threat is not limited to the biggest continent in the world. Large scale Automated Teller Machine (ATM) heists have been successful in Malaysia, Taiwan and Thailand because ATMs are running on old Windows operating systems, such as Windows XP, which are susceptible to attack. The WannaCry attack on the NHS highlighted that operations running on antiquated and unpatched software are vulnerable. Phobos Group founder Dan Tentler has described a borderless attack plane for cyber attacks: "Targeting a different country is just targeting a different website. They don’t care where the ransom comes from, they just want to get paid."

Success in Asia will embolden cyber attackers, who will attempt similar techniques in Europe and the US. Further, a company's network is only as strong as its weakest point: worldwide operations can be compromised through one office (e.g. DLA Piper).

China issues warning to e-commerce sites of "self-examination and correction"

By Sam Thomas

The Cyberspace Administration of China (CAC) has issued warnings to five websites, including Alibaba Group Holding Ltd's (BABA.N), over the sale of virtual private networks (VPNs), which allow users to avoid state censorship controls. VPNs are illegal in the communist state.

Reported through Reuters, the CAC regulator ordered five sites to: 'immediately carry out a comprehensive clean-up of harmful information' and to 'close corresponding illegal accounts,...'

The Chinese state passed laws, which will come into effect from early 2018, that require telecommunications providers and technology firms to play a greater role in removing VPNs. China is already investigating social media sites WeChat and Weibo, and has ordered Apple Inc to remove from its App Store foreign VPN apps.

With the 19th National Congress of the Communist Party later this year, expect greater surveillance, and potentially the audit of companies, under the new data sovereignty laws governing "critical" infrastructure.

Cyber warfare and cyber espionage: When self-defence may be used

By Sam Thomas

The international establishment of "cyber norms" by state actors continues to develop. Over the last six months, bilateral treaties have been signed by China and Canada, and there were indications towards co-operation (albeit indications that were quickly censured) by the USA and Russia.

The Tallinn Manual on the International Law Applicable to Cyber Warfare is without doubt the biggest step towards codification. However, with the collapse of the fifth session of the United Nations Group of Governmental Experts on strengthening the security of global information and telecommunications systems (UN GGE), in June 2017, multinational agreement appears to have stalled. Bilateral agreement now seems to be the most likely, if not only, approach towards greater progress.

Stefan Soesanto and Fosca D'Incau, in a recent article, 'The UN GGE is dead: Time to fall forward', considered that unilateral, top-down codification is untenable, and that the only method of establishing cyber norms is through interaction between individual states, or trade blocs such as the EU, which will lead to an international consensus.

The problem with this approach is that 'interaction' often means increasing cyber espionage (i.e. hacking and malware use) directed towards government, legislature and foreign relation (consulates and embassies) targets. Cyber norms will ultimately be established when a state responds to a cyber threat with a physical act.

Traditional diplomatic acts, such as the withdrawal of ambassadors, may be the first step, but with increased military posturing, especially from rogue states such as North Korea, which also undertake cyber attacks, a military response to a cyber attack is not out of the question. Whether such a response would be legal under international law is arguable. Drawing the line between cyber espionage and cyber warfare caused the collapse of the last UN GGE, and may not be agreed through academic thought but rather through military action.


Kaspersky Lab withdraws EU antitrust complaint against Microsoft

By Sam Thomas

On 12 July, I asked whether criticism of Kaspersky Lab by US Senators was xenophobia or economic protectionism. US lawmakers had suggested that the Russian company, which is entirely separate from the state, could be subject to influence from the Kremlin. The accusations, perhaps coincidentally, came after Kaspersky filed antitrust complaints against Microsoft in Russia, in Germany and with the European Commission.

Now, after discussions between the two companies, Microsoft has agreed to change how it delivers security updates to Windows users. In return, Kaspersky has agreed to withdraw the complaints.

In a statement, Kaspersky said Microsoft's proposed approach had addressed its concerns raised with Russia's Federal Antimonopoly Service, and said that it was "taking all steps necessary" to withdraw its antitrust complaints made with the European Commission and Germany's national competition regulator.

Whether comments by US Senators influenced the discussions between the companies is moot. Reporting the story, Reuters commented: 'The detente comes as Kaspersky Lab is facing mounting accusations from U.S. intelligence officials and lawmakers that the company may be vulnerable to Russian government influence.'

Inventor of the "secure" password sorry for his advice.

By Sam Thomas

In 2003 Bill Burr, a former employee of the US National Institute of Standards and Technology (NIST), wrote the guidance on the "secure" password. His advice, to use a combination of letters, numbers and 'special characters' (£&@!), is still followed today. However, Mr Burr has now acknowledged that the number of different passwords people require, and the pressure to change them regularly (often every 90 days), mean that people adopt predictable substitutions that are easy to guess: P@55w0rd!

Mr Burr accepted, in an interview with the Wall Street Journal: "Much of what I did I now regret." Such "complex" passwords are in fact easy to guess, and the mistaken assumption that they are strong means that individuals reuse them across multiple accounts, giving a successful attacker access to multiple platforms.

A genuinely secure password is a passphrase of three or four words chosen at random. Its strength comes from the number of words and the size of the list they are drawn from, not from substituting symbols for letters, so add words to increase security.

Randall Munroe, the former NASA roboticist behind the xkcd comic, calculated that at 1,000 guesses per second it would take about 550 years to crack "correct horse battery staple" but only about three days to crack "Tr0ub4dor&3".
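The arithmetic behind Munroe's comparison is worth seeing in full, because it explains why a "complexity" strength meter misleads. The script below is an added example, not code from the original post or from Munroe: it computes the entropy of a random passphrase from the dictionary size and word count, contrasts that with what a naive character-class meter credits a password such as Tr0ub4dor&3, and converts bits to crack time at a given guess rate. The 28-bit figure for Tr0ub4dor&3 is Munroe's own structure-based estimate, the 2,048-word dictionary is the one from his comic, and the short word list is constructed for the demo (only its size affects the result).

```python
import math
import secrets

# Constructed word list for the demo. Only the list size feeds the entropy
# estimate; a real generator would use a large published list such as the
# 7,776-word EFF long list and pick from it with secrets.choice() as below.
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "river", "lamp", "orbit", "cider",
    "maple", "pixel", "quartz", "violin", "zebra", "anchor", "basil", "cobalt",
]

SECONDS_PER_YEAR = 365 * 24 * 3600
MUNROE_DICTIONARY = 2048        # 2**11 common words, as in the xkcd comic
MUNROE_TROUBADOR_BITS = 28      # Munroe's pattern-based estimate for Tr0ub4dor&3


def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of word_count words chosen uniformly at random from a list."""
    return word_count * math.log2(dictionary_size)


def naive_charset_bits(password: str) -> float:
    """What a 'complexity' strength meter credits: length * log2(pool size).

    It assumes every character was chosen uniformly from the pool, which is
    false for human-made passwords such as Tr0ub4dor&3 or P@55w0rd!, so it
    wildly overstates their strength against a pattern-aware attacker.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust the whole 2**bits keyspace at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, word_count: int) -> str:
    """Pick words with the CSPRNG-backed secrets module, never random.choice()."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    rate = 1000.0  # guesses per second, the figure used in the comic
    phrase_bits = passphrase_bits(MUNROE_DICTIONARY, 4)
    print(f"4 random words from {MUNROE_DICTIONARY}: {phrase_bits:.0f} bits, "
          f"{years_to_crack(phrase_bits, rate):.0f} years at {rate:.0f}/s")
    meter_bits = naive_charset_bits("Tr0ub4dor&3")
    print(f"Tr0ub4dor&3: a naive meter credits {meter_bits:.0f} bits, "
          f"Munroe's estimate is {MUNROE_TROUBADOR_BITS} bits, "
          f"{years_to_crack(MUNROE_TROUBADOR_BITS, rate) * 365:.1f} days")
    print("Sample passphrase:", generate_passphrase(DEMO_WORDS, 4))
```

Note that the naive meter also scores "correcthorsebatterystaple" far above 44 bits, because it does not know the attacker will guess whole words; the honest figure for any password is what an attacker who knows how it was generated must search, which is why the words must be chosen by a CSPRNG rather than by the user.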

UK Government publishes the rules for driverless cars

The Department for Transport have published the Privacy and Security Principles for Connected and Autonomous Vehicles. Although not legally binding, the principles will likely form the foundations for the Autonomous and Electric Vehicles Bill which was announced in the Queen's Speech.

The principles appear to require every participant within the automotive supply chain to work together to ensure security at the design stage and throughout the lifetime of the vehicle.

The eight broad principles, which cover organisational responsibility, design security and product aftercare, are each divided into sub-principles; for example, 1.2 requires that: 'Personal accountability is held at the board level for product and system security (physical, personnel and cyber)...' The eight high-level principles are:

Principle 1 - organisational security is owned, governed and promoted at board level
Principle 2 - security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
Principle 3 - organisations need product aftercare and incident response to ensure systems are secure over their lifetime
Principle 4 - all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
Principle 5 - systems are designed using a defence-in-depth approach
Principle 6 - the security of all software is managed throughout its lifetime
Principle 7 - the storage and transmission of data is secure and can be controlled
Principle 8 - the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail

It is strongly advised that those involved in this market take robust legal advice to ensure all products are legal by design.



New Data Protection Bill: The UK's Implementation of GDPR

By Sam Thomas

On 25 May 2018 the European Union (EU) General Data Protection Regulation (GDPR) will begin to apply across EU member states. The UK triggered Article 50 on 29 March 2017, starting the two-year process of leaving the EU, so it will still be a member state on that date and GDPR will therefore become law in the UK.

Today (7 August 2017) the UK Government released its proposed Data Protection Bill, and a consultation, which will implement GDPR in UK legislation. I have debated whether there will be a significant impact on companies, with some suggesting that the mainstream media's focus on consumer rights is mere hyperbole (The Times: 'Online consent scam outlawed in fight over personal data'). However, having considered the proposed Bill, there can be little doubt that businesses with an online presence face a significantly increased risk.

Those reading the headlines will be drawn to the increased enforcement powers given to the Information Commissioner's Office (ICO): 'Enforcement will be enhanced, and the Information Commissioner given the right powers to ensure consumers are appropriately safeguarded.' Under the new Bill the ICO could fine companies in breach up to 4 per cent of worldwide turnover or £17 million, whichever is higher.

But it is the expanded definition of 'personal information' which will, in fact, provide the greater exposure to businesses who have not taken proper advice. According to the 'Statement of Intent' released by the Minister of State for Digital, the Rt Hon Matt Hancock MP: 'Personal data is information that is attributable to an individual and may help to identify them. We will expand the definition of ‘personal data’, reflecting the growth in technology over the past 20 years to include IP addresses, internet cookies and DNA.'

The expanded definition of 'personal data' follows the Court of Appeal (Lord Dyson MR; McFarlane LJ; Sharp LJ) decision in Vidal-Hall and others v Google Inc [2015] EWCA Civ 311; [2015] 3 WLR 40, in which Google were challenged for using internet cookies within the operation of the 'Safari workaround' to collect private information about the claimants' internet usage. The Court of Appeal, deciding on a preliminary issue, rather than determining a substantive issue of fact, held that there was a serious issue of law to be tried, and that it was 'clearly arguable' that Google had misused private information in its use of cookies (See: Vidal-Hall, at [137]):

‘On the face of it, these claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months. The case relates to the anxiety and distress this intrusion on autonomy has caused.’

The Bill's expansion of personal data to include cookies makes clear that consent to their use must be explicit and that there must be a clear explanation of how the information collected will be used. A tick-box consent to cookies is unlikely to suffice for the collection of personal information that is then sold or passed to third parties. This may not be controversial, or greatly different from the protection currently afforded under the Data Protection Act 1998 (DPA); however, with the ICO's enhanced enforcement powers the risk to companies in breach is now greater, and insurance for such a liability is likely to be impossible to find.

It will also be interesting to see whether the Government's tacit approval of the judgment in Vidal-Hall also encourages an expansion of the concept of damages. Authorities prior to Vidal-Hall required that an individual who had suffered 'damage' as a result of a data protection breach (generally under section 13 of the DPA) must have suffered at least nominal pecuniary damage before any further award was made. Vidal-Hall suggested that emotional distress resulting from the misuse of private information is sufficient without the claimant first having to establish pecuniary loss. This would have huge implications for claimants, and would again raise the litigation risk for business.

The Bill will be debated and amended following consultation but the principles that will be made law are those contained within the GDPR. Those responsible for data protection should read Cyber Security: Law and Practice, chapter 12, as a starting point to consider appropriate risk management before taking advice on whether GDPR, and the associated UK legislation, will affect business operations.

FBI investigate "Game of Thrones" hack on HBO

Last week's hack on the media entertainment company HBO resulted in the compromise of 1.5 terabytes of data, the equivalent of an entire series of HDTV episodes or millions of emails.

The alleged hackers have released spoilers for upcoming episodes of Game of Thrones (pictured), and personal details for one senior HBO executive, including financial and health information.

HBO have sent legal notices, a precursor to potential injunctive relief, to Google to remove search results for the leaked data.

However, Alan Woodward, of the University of Surrey, has warned that an insider threat is just as likely as an external attack. As reported in The Times: "Before assuming it is a 'sophisticated' attack one should explore the insider threat fully: it is a lot more common." Prevention is infinitely better than cure.

Although injunctive relief may help, the information is already out there. For guidance on protecting data from insider threats, and on what to do if there is a leak, read Cyber Security: Law and Practice.



Wannacry hero Marcus Hutchins arrested by FBI

By Sam Thomas

The UK-based security researcher was arrested on Thursday 3 August by the FBI as he prepared to board a plane in Las Vegas after attending the Black Hat cybersecurity conference. Speaking on Saturday 5 August, Adrian Lobo, Mr Hutchins' US lawyer, said that he would plead not guilty to six counts relating to creating and distributing the malware known as Kronos.

Kronos was active in 2014-2015, harvesting online banking credentials from infected personal computers, and retailed on the AlphaBay dark-web market for approximately $5,000. The malware is now largely obsolete and well defended against. AlphaBay was shut down by the FBI earlier this year.

Mr Hutchins had rightly earned recognition for finding and activating the kill switch that halted the spread of WannaCry: the malware checked whether a particular unregistered domain responded before running, so registering that domain stopped new infections. WannaCry ransomware infected some 200,000 computers in 150 countries, and it has been suggested that up to 15 million were at risk.

Bail has been set for Mr Hutchins at $30,000.

Cyber honey trap "Mia Ash" linked to Iran

By Sam Thomas

Traditional espionage novels are replete with femmes fatales sent to entrap unsuspecting diplomats and parliamentarians. Freelance photographer Mia Ash (pictured) is the latest in the world of cyber espionage; however, like every character in James Bond, she is fictitious.

Senior figures in the US, Israel, India and Saudi Arabia were contacted through social media, including LinkedIn, by a profile that professed 'a thing for older men in IT, utilities and aerospace'.

After some initial conversation a 'photography survey' is sent, which the target is told must be opened on an office computer ("otherwise the technology plays up"). Once the Excel spreadsheet is opened, its embedded macros install the PupyRAT remote-access trojan, giving the attackers a foothold on the corporate network.

Dell SecureWorks, as reported by Reuters, has linked the persona to the group it tracks as Cobalt Gypsy, also known as OilRig, which is believed to have links with Iran.

Victims failed to notice that none of Mia Ash's social media profiles offered any way to actually hire her as a photographer, which would be essential for a genuine freelancer. Closer observation, and some security awareness training, could have protected the systems that were compromised.

[Image: Mia Ash.jpg]
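The lure here is a macro-bearing Office document that the target is persuaded to open on a corporate machine, so a mail gateway or endpoint check that flags such attachments before a user sees them is the obvious technical control to pair with the awareness training mentioned above. The script below is an added example, not code from the original post or from SecureWorks: it inspects an OOXML (.xlsx/.xlsm/.docx/.pptx) file, which is a ZIP container, for a vbaProject.bin part and for a macroEnabled content type, and fails closed on anything it cannot parse as OOXML (for instance a legacy binary .xls). The two sample documents are constructed in memory for the demo and contain only the parts the check looks at.

```python
import io
import zipfile
from typing import List

# Content types OOXML declares for macro-enabled main parts and for VBA code.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)
PLAIN_SHEET_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
)


def find_macro_indicators(document: bytes) -> List[str]:
    """Return the macro indicators found in an OOXML document.

    Two independent signals are checked: a vbaProject.bin part anywhere in
    the container, and a macro-enabled content type in [Content_Types].xml.
    Raises ValueError if the bytes are not a ZIP container at all.
    """
    if not zipfile.is_zipfile(io.BytesIO(document)):
        raise ValueError("not an OOXML (ZIP) container")
    indicators: List[str] = []
    with zipfile.ZipFile(io.BytesIO(document)) as zf:
        names = zf.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                indicators.append(f"part:{name}")
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            for ct in MACRO_CONTENT_TYPES:
                if ct in ctypes:
                    indicators.append(f"content-type:{ct}")
    return indicators


def should_quarantine(document: bytes) -> bool:
    """Policy: hold anything with macro indicators, and anything unparseable."""
    try:
        return bool(find_macro_indicators(document))
    except ValueError:
        return True  # fail closed: legacy binaries need a different inspector


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML-style container for the demo.

    It is not a spreadsheet Excel would open; it contains only the parts
    the check above examines, with or without the macro indicators.
    """
    main_ct = MACRO_CONTENT_TYPES[0] if macro else PLAIN_SHEET_CONTENT_TYPE
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += ('<Override PartName="/xl/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + overrides + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # Placeholder bytes starting with the OLE2 magic a real VBA part has.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("plain workbook", build_sample(macro=False)),
                       ("macro workbook", build_sample(macro=True)),
                       ("not OOXML", b"\xd0\xcf\x11\xe0 legacy binary")):
        print(f"{label}: quarantine={should_quarantine(doc)}")
```

An empty indicator list does not prove a file is harmless (external links, OLE objects and legacy binary formats need their own checks), which is why the policy function holds anything it cannot parse rather than letting it through.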

'Devil's Ivy' allows hackers access into your laptop cameras.

By Sam Thomas

A software bug, named 'Devil's Ivy' by the researchers who found it, is a stack-based buffer overflow (CVE-2017-9765) in gSOAP, an open source library for handling SOAP/XML messages. The library is used by members of ONVIF, an industry consortium for networked physical security products that includes Axis Communications as well as giants such as Canon, Siemens, Cisco and Hitachi.

Axis, a Sweden-based multinational that sells more than 200 different products to millions of customers around the world, has accepted that Devil's Ivy is a "critical vulnerability" affecting almost all of its products.

The bug allows an attacker to remotely access a camera's video feed, install a backdoor on the device, or lock the owner out of it. Stephen Ridley, founder of security start-up Senrio, said: "We basically have complete control of the camera as if it was our own computer."

What is most significant is that Devil's Ivy is not limited to cameras: any Internet of Things device built on the affected gSOAP library could be vulnerable. Protecting embedded devices is crucial to keeping a company's attack surface to a minimum (see Cyber Security: Law and Practice, chapter 7).

Apple sets up new data centre to abide by Chinese cyber security rules

by Sam Thomas

Apple have announced their first data centre in Guizhou, China, in partnership with the data management firm Guizhou-Cloud Big Data Industry Co Ltd. The data centre has been established to comply with China's new data security and data-sovereignty legislation, which requires certain data to be stored within the country.

In a statement about the move, a spokesman for Apple said:

“The addition of this data center will allow us to improve the speed and reliability of our products and services while also complying with newly passed regulations ... Apple has strong data privacy and security protections in place and no backdoors will be created into any of our systems.”

Firms have criticised the legislation for its wide interpretation of 'critical infrastructure', which can require the disclosure to the state of material otherwise protected as intellectual property. However, LinkedIn fell foul of similar Russian legislation after failing to ensure that citizens' data was held on local servers. Apple's establishment of Chinese servers for local data is a move that other major US and European firms will likely soon follow.