It's no use waiting for the law to sort it out - businesses need to act too.
Cybercrime and its consequences have gained a higher profile in the public consciousness after events like the Sony PlayStation and Microsoft Xbox hack at Christmas. The scope for cybercrime is also increasing as more products become connected to the internet. For instance, a German motoring association recently identified that certain BMWs could be unlocked remotely over the mobile phone network.
Regardless of size, the impact of cybercrime is felt by all businesses, though the risks are particularly important for those that hold large amounts of confidential information, including personal data, valuable intellectual property or sensitive commercial material. Security breaches can result in a range of legal consequences, including:
• unauthorised access or loss of confidential information, which may amount to a breach of contract or regulatory obligations, or the loss of commercial advantage;
• disruptive denial-of-service attacks that cause excessive service downtime and give rise to breach of contract claims;
• attacks on operational control systems leading to physical damage to plant and machinery, with consequential claims for loss; and
• reputational damage caused by all of these.
The law is slow
Many countries have legislation in place to deal with cyber issues, such as the UK Computer Misuse Act 1990 and the Australian Cybercrime Act 2001, which establish criminal offences for unlawful or unauthorised access, tampering and data theft. The US Computer Fraud and Abuse Act 1984 and Electronic Communications Act 1986 are more limited in effect, but gaps in national laws can often be supplemented by laws relating to trespass, tort and contract. Governments worldwide have also been working towards the creation of new laws to prevent cybercrime, such as the US Cybercrime Bill and the launch by the EU Commission of its Cybercrime Strategy and legislative proposals.
However, changes in the law are slow to implement compared to the dynamic evolution of technology. Additionally, the borderless nature of the internet exposes the biggest weakness in the legal framework: national laws are territorial. Even treaties and international conventions, like the Budapest Convention on Cybercrime 2001, require local ratification and implementation, and also rely on mutual co-operation and extradition laws to have effect. Consequently, criminals can exploit inconsistencies in approach and lack of jurisdictional authority to avoid or evade successful prosecution. The anonymity of the internet and the ease with which cyber attacks can be carried out also provide an environment that enables and even encourages criminal activity.
However, suggestions that businesses, or individuals, should use the same methods and tools to strike back against a cyber attack should be vigorously discouraged. It should be clear that this can never be the right solution; the rule of law would rapidly collapse. In any event there are too many problems involved in the use of such solutions. For example, denying service to a computer that has been recruited into a botnet also prevents its legitimate use by the owner.
The Mandiant APT1 report dispelled some of the myth that acts on the internet are non-attributable. US banks fighting back against DDoS attacks have identified control servers, allowing legal processes to be used to obtain information about the criminals behind the attacks. The next step, which companies like Microsoft have already taken, is to bring civil or private criminal proceedings against the attackers. Microsoft's Project MARS (Microsoft Active Response for Security) has brought a number of proceedings through the US courts to obtain temporary restraining orders to cut off internet domain names in the US and Czech Republic, and an order to allow seizure of botnet command and control servers. Such claims are unlikely to result in significant damages, but they do disrupt criminal activities for a period of time.
Technological measures are an important part of the overall solution but they are not, and cannot be, the complete solution. This is because the weakest link in the security chain is the human element. Therefore, there is a need to develop greater awareness of the issues and to change the cultural approach to privacy and confidentiality. Changing a culture is a slow process that requires a combination of awareness and training together with constant reminders. This is something that the UK government is attempting to do with the awareness campaign that can be seen on London transport.
Changing awareness is a low-cost but highly effective solution that can be implemented quickly and easily. It is also an area where a change in law could be beneficial - not by increasing legal obligations but by the use of tax breaks and financial incentives to encourage corporate responsibility. Companies may also find it more effective to train staff on the security of their home computers, since the resulting knowledge is better retained and carried over into the workplace.
Like the internet, cybercrime is here to stay and we have to learn to live with it. That means looking afresh at the technological, procedural and regulatory steps needed to ensure cyber security. There is no single solution, but a series of steps and measures that need to operate together - and, like the internet, they need to evolve continuously.