Should organisations be obliged to publicly admit IT security breaches?
It is a question that has not gone away since the 1990s when banks, retailers and other companies started conducting business over the internet.
The answer from industry has always been “no”. But in both the US and the UK the question is coming up, once again.
Shadow defence secretary Vernon Coaker has already pledged that if Labour is elected in 2015 businesses will be obliged to report “serious cyber attacks threatening UK national infrastructure”.
Indeed, in a recent speech to the Royal United Services Institute for Defence and Security Studies, Coaker framed the proposals very much in terms of national security. “New types of threat – such as cyber – will increasingly test the resilience of UK critical infrastructure networks,” he said.
He continued: “Serious questions need to be asked about the nature of the cyber threat facing the UK. What are the rules of engagement regarding cyber attacks? Does the concept of deterrence apply in cyber warfare as it does in conventional warfare? And is the Ministry of Defence doing enough to recruit the skilled people it needs to enhance cyber defence capabilities?”
In the US, the Data Security and Breach Notification Bill is intended to unify notification laws across the 52 states and to provide a federal standard for organisations to report data breaches.
These state laws follow the first, in California, which became law in July 2003. This requires organisations to inform customers in writing of any security breach in which personal information might have been acquired by an unauthorised group or individual. Although it caused uproar at the time, it provided the template for similar laws in states across the US.
The proposed federal legislation is intended to unify these disparate disclosure laws. According to one of its proposers, Senator Dianne Feinstein, it “will ensure that Americans’ sensitive personal and financial information is stored securely, that Americans receive prompt notification when this information is compromised and that law enforcement is promptly notified in order to prosecute cyber crime”.
New laws were required, she said, not just to unify states’ notification laws, but because serious security breaches were becoming more frequent.
In the European Union, meanwhile, proposals for breach notification schemes have been contained in not one, but two separate proposed directives, while the Directive on Privacy and Electronic Communications (also known as the eprivacy directive) was updated in 2009 to include notification requirements.
One of the new directives, the draft Network and Information Security Directive, partly addresses Coaker’s concerns regarding the IT security threat to national infrastructure. Under this directive, member states are required to establish their own computer emergency response teams (CERTs), which the UK has recently done, and set up “national alert platforms”. The notification requirements, though, are less clear-cut.
Originally, they explicitly included “downstream information society services or online activities, such as e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, [and] application stores”.
Later rewrites were less all-encompassing, but still require notification within 24 hours – even if the UK’s Information Commissioner does not seem keen to enforce that requirement.
At the same time, the draft General Data Protection Regulation is predicated on the belief that the EU Data Protection Directive takes insufficient account of technology developments and the impact of globalisation since it was passed.
But even the proposed disclosure requirements are hedged, for example to take into account “cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach”.
Regardless, what Labour is suggesting does not go as far as either the proposed laws being put forward in the US, or either of the proposed directives currently wending their way around Brussels and Strasbourg. Indeed, they appear timid in comparison – focused as they are purely on the protection of national infrastructure, rather than personal data.
Either way, tighter notification laws are almost certainly on the agenda following the successful six-month-long attack on US retailers Target and Neiman Marcus, not to mention the critical flaw found in the OpenSSL tool, which is widely used to encrypt password-based authentication procedures – for retailers, banks and other organisations holding financially sensitive information.
With tough fines for contravention, at least in the EU, the aim is to make sure that computer security is treated as the organisation’s own problem and as a top priority, not an afterthought.