At a panel discussion of the International Fraud Group (IFG) hosted by Mishcon de Reya Solicitors in its Red Lion Square offices in London last night, attendees discussed the wide-ranging issue of securing confidential data in the digital age, the roles of government and the private sector, the need to share information, and who takes responsibility for information security. Under Chatham House rules, contributions cannot be attributed, but what follows is a taste of the themes, comments and views expressed:
"The UK is using its skills in cyber defence to create and support the national economy – and is a leader in sharing private and public sector partnerships with 400 organisations sharing and exchanging intelligence and best practice."
Under the Commonwealth Cyber Team initiative it became apparent that some countries have entirely inadequate legal and regulatory frameworks (to deal with cyber threat).
"The waves of technological innovation (underway) create massive opportunities, and while these carry risks, risk is not threat."
Prioritising of risks is the key – where you put your controls, governance, investment.
"(Not long ago) 20 groups were at the highest level of threat – now there are 50 groups at that level. Techniques have spread."
As companies lose money or share price, and as shareholders are impacted, so cyber security rises up (the company priorities).
"A key distinction is between cyber-enabled crime and pure cyber crime. Cyber-enabled is all the pre-existing crimes that now use cyber (such as fraud etc), whereas Cyber Crime is when the attack itself is the threat, such as DDoS and hacking."
Key objectives (defined by one participant) include:
1) Investigate both cyber and cyber enabled threats, but treat them differently.
Cyber-enabled crime is pandemic, and should be dealt with by all police. It's not specialist, it's mainstream, and one of the biggest challenges is getting a mainstream response.
Cyber crime is not mainstream, its very specialist and requires specialist agencies like GCHQ and the National Crime Agency (NCA) cyber crime unit. But we also need to create new capabilities for the state to access data to see what's going on and why.
2) There is a need to shape some aspects of the internet. We need to remove criminal and terrorist material (eg child pornography, incitement to violence) using the law when it is illegal. Most terrorist images are hosted in the US. The balance between protecting the individual and the state needs to be addressed.
3) There is a need to protect. This is a function of government to look at the cyber structure, the cyber information security flows, share malicious code, know about attacks, and work with the private sector to put measures in place to investigate, shape, prevent and protect.
4) Remediation is required. (eg the capacity of one organisation loosely associated with the Olympics was knocked out; the event was subject to a relentless cycle of attack.)
"Government (agencies) do not have the appropriate powers they need, and there is not an appropriate balance of power between the state and the individual."
State threats and criminal threats are now ‘mixed up’ and overlap.
"There is an economy of exploits which can be monetised. Breached data, eg credit cards, have a value. Lost IP has an impact. It is dealing with the impact that is more important (than finding the parties responsible)."
Currently, cyber-enabled crimes often can't be investigated by the police when committed across international borders.
"We don't have a legal right to data held in other countries. We can't even get visas (for our investigators) for Russia, let alone data."
It's about international relationships (ie, how to resolve the issues, rather than legislation).
"The (Arabian) Gulf critical infrastructure is part of ours, and a national security concern for us (to protect). It's being done via the private sector."
Will competitors share information? asked a speaker from the floor. Responses emphasised the need to have a plan in place: who do you disclose to, and when do you disclose? They included the need to work with law enforcement, and an acknowledgment that while the National Cyber Crime Unit was now in place, it was not yet where we would want it to be.
Microsoft's ending of support for 300 million XP users was criticised from the floor, raising the issue of ‘whose responsibility is it to be secure?’, and the response was that it is your own responsibility, not Microsoft's.