ICYMI: Google's Project Zero, ICO breach & sharing intel on critical infrastructure

This week's In Case You Missed It (ICYMI) column takes a look at Google's Project Zero, accusations of double-standards at the ICO and the need to share intelligence on critical infrastructure.

George Hotz
George Hotz

Google's Project Zero gets muted response

Google established ‘Project Zero', a team of security researchers that will seek to identify critical zero-day bugs and vulnerabilities on the World Wide Web and not just at the Silicon Valley search giant.

The “well-staffed” team includes George Hotz, a 24-year-old hacker best known for hacking Apple's iPhone and Sony's PlayStation 3 (as well as Google's Chrome browser), and will publish a public database of said vulnerabilities. This will detail how long it took companies to react to the bug and issue a fix.

The group has said that it will work to identify and alert companies on zero-day bugs, specifically those organisations facing cyber espionage campaigns.

The news hasn't been universally well-received, however. Some have accused the group as being a marketing stunt (via Forbes), while others say that they don't want Google prying on their vulnerabilities.

"Other companies may begrudgingly accept Google reporting vulnerability," BH Consulting's Brian Honan told the BBC.

"But at the same time, most companies do now have a progressive attitude to receiving reports - I don't see them looking at Google in a negative way."

Who regulates the regulator?

UK watchdog The Information Commissioner's Office (ICO) tried – and failed – to quietly reveal that it had suffered a data breach earlier in the year without drawing any attention.

The group burried a short message in its annual report into UK data breaches, which was initially spotted by journalists at The Times and which revealed that it had suffered a “non-trivial data security incident”.

Following an internal investigation, the ICO found that the “likelihood of damage or distress to any affected data subject was low” and did not find it in breach of the 1998 Data Protection Act (DPA).

A spokesperson apparently told the newspaper that it would have a FOIA before any info would be released, only for the ICO to later say that this would not be possible as the incident was “linked to an on-going criminal investigation.”

All of this has led to questions on ‘who regulates the regulator' and comes at a time when the ICO – which also investigated itself over another “non-trivial” incident back in 2011 – has been calling for more power and more money.

Government calls for intelligence sharing

A growing theme in the cyber-crime world is intelligence sharing, a topic that was highlighted at the UK Financial Services Cyber Security summit in London on Tuesday.

The event – which operated under Chatham House rules (hence quotes cannot be attributed) – saw high-profile speakers from the UK government, the European Commission, GCHQ and the banking sector talk on the importance of sharing information with and between private organisations.

Karen Bradley, the Minister for Modern Slavery and Organised Crime in the Home Office, published her speech and said:

“We are committed to working closely with you to reduce the threats to you,” the Minister told attendees. “But we need your help. We need you to share what you can with each other so you can protect yourselves, and we need you to share it with us so we can understand the evolving problems and work with you on how to protect your business.”

Page 1 of 2