Reporting cyber attacks should be "a legal requirement"

The opposition Labour party is calling for new laws to be introduced so that businesses are forced to report when they have been hit by a cyber attack.

Reporting cyber attacks should be "a legal requirement"
Reporting cyber attacks should be "a legal requirement"

Shadow defence secretary Vernon Coaker will today say that reporting cyber attacks should be “a legal requirement” for private companies, especially when these firms are tasked with protecting the UK's critical infrastructure.

This has led some companies, especially those in the financial sector, to worry about brand reputation and customer trust, and Coaker admits that there is “a balance between [needlessly worrying the public] and security.”

"One of the things we need to do is consult on whether to make it a legal requirement that people report cyber attacks," said Coaker, who took over the defence brief from Jim Murphy in the autumn of last year. "At the moment, there are just voluntary agreements."

Somewhat confusingly however, Coaker remains unsure if this obligatory reporting should be extended as far as government departments, despite the fact that attacks on public sector organisations – even those emanating from inside the network – are on the increase.

Coaker's speech, published before his appearance at the Royal United Services Institute, a defence and security think-tank based, in Whitehall on Monday, also reveals that he believes the country needs to look at defence strategy ahead of the next strategic defence and security review (SDSR), which is scheduled for autumn 2015. The last one was back in 2010.

“We must ensure that the review provides the long-term direction that UK defence and security requires – one that is fiscally realistic and strategically ambitious,” he will say.

Defence Secretary Philip Hammond has refuted Coaker's suggestions, and claims that the last SDSR provided an adequate cover for cyber crime.

 “The 2010 SDSR identified cyber threats and the need for upstream capacity building abroad as some of the priorities for the future,” said defence secretary Philip Hammond.

“That is why hundreds of millions have been invested in these areas. After four years in opposition, Labour is calling for measures we are already implementing.”

The government estimates that cyber crime costs the economy £27 billion a year, although that estimate was from 2011 and Met Police's Mark Jackson said last week that that figure is now as high as £81 billion.

The government has partnered with nine defence and security companies last July to help battle cyber attack and has been making strides to improve security awareness, and reduce the skills gap in the information security industry. In November 2011, it launched its Cyber Security Strategy, while more recently it has established the Cyber Security Information Sharing Partnership (CSISP), the Cyber Streetwise initiative - for citizens and SMEs, and a new research centre designed to protect the country's critical infrastructure. It's also making a big play at educating children on online fraud and cyber crime.

Such action appears to have paid off, with Trustwave reporting last week with 60 percent of FTSE 100 companies now highlighting cyber security in their annual report, up 11 percent from the previous year.

Andrew Rose, analyst at Forrester Research and a former CISO in the legal sector, told SCMagazineUK.com that the issue could cause confusion, especially with the European Union's data protection law reform soon to be ratified.

“It's not a redundant debate as the EU Data Protection Act will not cover thefts relating to IP or market sensitive data (such as M&A data being stolen),” he said via email. “The question is, once PII (personally identified information) and consumers are protected by the DPA, does government really need to force organisations to come clean about their non-PII related compromises?”

Rose agrees that companies could lose out from any new law, with share price and revenue potentially falling. “We need to consider what the benefits could be. If breaches are all publicly notified then firms may start to understand the severity of the situation as frequent breaches occur in their sector, they may be incentivised to close control gaps to avoid negative publicity and they may more willingly collaborate with peers to learn lessons and work as a team to avoid common enemies. 

“I have to admit, I'm torn. The benefits are considerable but sensible firms have already taken those steps based on information we see from overseas and UK government advice. Will mandatory breach reporting really help those who haven't 'seen the light' yet? I'm not convinced.”  

Dr Guy Bunker, CTO and SVP of products at Clearswift, meanwhile, called for business transparency, something Unilever's global privacy officer Steve Wright touched upon at last week's SC Congress London.

“There is a need for transparency, but not necessarily attribution as that can have more of a negative effect than positive,” he told SCMagazineUK.com. “There is a need to share not just the successful attacks, but also the unsuccessful one, as the attack vector used might have not been successful on the initial target organisation, but could be successful on another. 

“Ultimately, it is good to share information – forewarned is forearmed.”