Prosecution for breach-deniers says Liam Fox MP

Liam Fox had strong proposals for those who don't want to report cyber-attacks.

“We live in a new world”, said former Secretary of State for Defence, Dr Liam Fox MP. He addressed the Royal United Services Institute (RUSI) yesterday afternoon, drawing for his audience a sketch of a world profoundly transformed by the very existence of cyber-threats and, perhaps, some weapons with which to fight what he called “The War of the Invisible Enemy.”

Lectures by cabinet members on the importance of cyber-security are not uncommon these days, and Dr Fox rehearsed many of the well-worn facts of today's threat landscape, but the Conservative MP for North Somerset made one particularly striking comment during his address to RUSI this afternoon: that businesses which don't confess to breaches should be prosecuted.

Winding down his speech, the MP noted that “denial of cyber-intrusion is too often the response of companies worried about their reputation. This encourages the entirely wrong culture.” That is why, said Fox, “I believe the government needs to change the law to make it illegal to be hacked without informing shareholders and other stakeholders.”

Under the EU's recently passed Network and Information Security Directive, companies can already be punished for not reporting their breaches.

While Dr Fox seems to have a profound distaste for the European Union, this appears to be one thing that he may want to keep if the upcoming referendum on the EU turns out in his favour later this year. The MP stated his plain opposition to EU membership at the end of last year on his personal website: “Britain's laws should be made by those who are accountable to the British people, and by no others. It is time for us to recover our birthright.”

Aside from his former position as Secretary of State for Defence and his avowed Euroscepticism, Fox is known for being the victim of a burglary in which his laptop and mobile phone were stolen from his London flat, leading to fears of a data breach.

Dr Fox also proposed, considering that cyber-criminals will invariably look for the weakest link in an organisation's chain to penetrate, that any organisation doing business with the government meet the tenets of the Westminster-sponsored Cyber Essentials programme, which stipulates a number of basic precautions for all organisations to take in addressing their own cyber-security.

Finally, Fox put forward a restructuring of the way the UK government handles cyber-security. “I believe,” said Fox, “that the current structure of Whitehall and the way that our cyber-security is arranged is outdated, too complex and is an inefficient way of using taxpayers' money.” Fox wants to see “all government cyber-activity, including both its offensive and defensive capabilities, concentrated in one place and answerable to a single ministerial portfolio.”

The speech was met with broad approval by the industry, salad of conventional wisdom that it was. Pat Clawson, CEO of the Blancco Technology Group, a data security company, told SCMagazineUK.com that he agreed with much of Fox's speech and that, “Traditionally, when companies thought about data privacy, it was less about being safe and more about ticking the compliance box off their checklists.” This kind of attitude will not be possible for much longer, with proposals like Fox's being met with more and more credibility. It's not a bad thing either, said Clawson: “The number of companies affected by cyber-crime is staggering so companies really need to be transparent and communicate regularly with consumers about what they are doing to protect their users' data.”

“Whether you think Dr Fox's comments are inflammatory or not is beside the point,” Norman Shaw, CEO and founder of ExactTrak, plainly told SC. This is the new normal: “Companies need to get ahead of the ever-increasing data breach problem and sticking their heads in the sand to hide a breach isn't a security strategy.” While ultimatums are not an ideal way to get anyone to do anything, said Shaw, “at this point, regulation is absolutely what is needed and I welcome the new EU regulations. The ICO has tried to enforce data protection in this country but it doesn't seem to have stymied the progress of hackers or the cases of human error - hopefully with the new EU laws, it will have more power to force companies to act responsibly.”

Technical director for Alert Logic, Richard Cassidy, was not quite as welcoming of Fox's comments: “Prosecution is not the answer to developing an effective working forum between businesses and government in the interests of improving security awareness and augmentation of existing practices to prevent exploits.”

That coercive instrument need not be there if only industry had a “closer working relationship with key government intelligence agencies that they turn to should they fear the worst”. This, Cassidy told SC, will promote an environment where companies are forthcoming with their threat data: “The last thing we need is organisations sitting on key threat data that could be used by our national agencies to the benefit of other businesses, because they fear prosecution and will want to spend a far greater degree of time in assuring, before announcing.”

Meanwhile, Jens Puhle, UK managing director for 8MAN, an access rights management specialist, thinks that, “it may make a difference but it's unlikely. When something like this happens, I think the first step will always be trying to brush it under the carpet. One has to bear in mind that by not reporting it, if it doesn't come to light the particular company will not face a massive devaluation by the public / shareholder.”