ICYMI: Google's Project Zero, ICO breach & sharing intel on critical infrastructure

News by Doug Drinkwater

This week's In Case You Missed It (ICYMI) column takes a look at Google's Project Zero, accusations of double-standards at the ICO and the need to share intelligence on critical infrastructure.

Google's Project Zero gets muted response

Google established ‘Project Zero’, a team of security researchers that will seek to identify critical zero-day bugs and vulnerabilities across the World Wide Web and not just at the Silicon Valley search giant.

The “well-staffed” team includes George Hotz, a 24-year-old hacker best known for hacking Apple's iPhone and Sony's PlayStation 3 (as well as Google's Chrome browser), and will publish a public database of said vulnerabilities. This will detail how long it took companies to react to the bug and issue a fix.

The group has said that it will work to identify and alert companies on zero-day bugs, specifically those organisations facing cyber espionage campaigns.

The news hasn't been universally well-received, however. Some have dismissed the group as a marketing stunt (via Forbes), while others say that they don't want Google prying into their vulnerabilities.

"Other companies may begrudgingly accept Google reporting vulnerability," BH Consulting's Brian Honan told the BBC.

"But at the same time, most companies do now have a progressive attitude to receiving reports - I don't see them looking at Google in a negative way."

Who regulates the regulator?

UK watchdog The Information Commissioner's Office (ICO) tried – and failed – to quietly reveal that it had suffered a data breach earlier in the year without drawing any attention.

The group buried a short message in its annual report into UK data breaches, which was initially spotted by journalists at The Times and which revealed that it had suffered a “non-trivial data security incident”.

Following an internal investigation, the ICO found that the “likelihood of damage or distress to any affected data subject was low” and did not find it in breach of the 1998 Data Protection Act (DPA).

A spokesperson apparently told the newspaper that a Freedom of Information (FOI) request would be needed before any information was released, only for the ICO to later say that this would not be possible as the incident was “linked to an on-going criminal investigation.”

All of this has led to questions on ‘who regulates the regulator’ and comes at a time when the ICO – which also investigated itself over another “non-trivial” incident back in 2011 – has been calling for more power and more money.

Government calls for intelligence sharing

A growing theme in the cyber-crime world is intelligence sharing, a topic that was highlighted at the UK Financial Services Cyber Security summit in London on Tuesday.

The event – which operated under Chatham House rules (hence quotes cannot be attributed) – saw high-profile speakers from the UK government, the European Commission, GCHQ and the banking sector talk on the importance of sharing information with and between private organisations.

Karen Bradley, the Minister for Modern Slavery and Organised Crime in the Home Office, published her speech and said:

“We are committed to working closely with you to reduce the threats to you,” the Minister told attendees. “But we need your help. We need you to share what you can with each other so you can protect yourselves, and we need you to share it with us so we can understand the evolving problems and work with you on how to protect your business.”

A senior spokesperson for GCHQ explained how the intelligence services are looking to develop the delivery of timely and useful threat intelligence to the private sector, and further described how – in an effort to combat attacks – the surveillance agency is sharing classified secret intelligence with trusted providers of critical national infrastructure.

Others at the conference agreed that it's important to share information about attacks, but questioned the quality, timeliness and relevancy of much of the data that is currently available.

Elsewhere, some big figures were revealed, illustrating the significant investment taking place in cyber security from central government.

A UK government minister said that the country plans to invest £2 billion by 2016 on increasing UK cyber security exports, while a member of the European Commission said that the desire for policing tools and research on cyber-crime would see it invest some €500 million over the next seven years.

eBay breach opens eyes to reputational damage

Speaking during eBay's second-quarter earnings call on Wednesday, company CEO John Donahoe admitted that the data breach in May – which affected some 145 million users – had impacted usage and financial figures.

The company did see a decline in user activity, and this has in turn had an effect on the balance sheet.

Donahoe said that 85 percent of buyer accounts had reset their passwords, but added that some had yet to return to the activity levels they showed prior to the data breach.

Even so, quarterly net revenue increased nine percent year-on-year to US$2.17 billion (£1.27 billion), a rise which has been dwarfed by PayPal's net sales increasing 20 percent over the same time-frame.

Given this and the recent closure of UK travel website Hotel Hippo after a breach of its own, it would seem that firms are realising how such incidents can cause massive reputational damage and financial loss. And that is likely to get worse if and when the EU's General Data Protection Regulation comes into effect.
