How should we respond to cyber attacks on public bodies?
Fear around GDPR is being "hyped up by companies trying to sell solutions".
‘Beloved, I know you will be surprised to receive this message. We are unable to process your tax refund. I write with humility in respect of a business deal.’
We’ve all had scam emails from a Nigerian prince about a fortune he is trying to transfer to this country, about a lottery win where we only need transfer a small amount of money to facilitate its release or an unknown relation who’s died and, inexplicably, left everything to us.
On an individual level, we know about cyber security, the importance of protecting our personal data, even if we wouldn’t necessarily use that term to describe it.
Most people are aware of scams, messages from HMRC that don’t look quite right, spam emails we know we shouldn’t open, links we shouldn’t click on and, in the workplace, rules about what passwords you can use or blocks on downloading software without permission.
But in the last few years, the idea of a cyber attack hitting an organisation on a large scale and affecting us all has begun to take hold of the public consciousness, after a series of high-profile attacks hit the headlines.
In 2014 Sony staff details were stolen by a group intent on forcing the company not to release a spoof film about Kim Jong-un.
More recently was the news that a billion Yahoo accounts had been compromised in 2013, although the information only came to light in December 2016.
In November 2016 £2.5m was stolen from 9,000 Tesco bank customers, and other major companies such as Wonga and LinkedIn have been high-profile victims of attacks.
But the one with the most potential to affect public safety was the WannaCry ransomware attack which hit the NHS just a couple of months ago.
Eleven of Scotland’s 14 health boards, as well as NHS National Services and the Scottish Ambulance Service, were affected by the attack and parts of the NHS across the UK ground to a halt until systems could be restored.
As well as the NHS, more than 300,000 computers in 150 countries were hit by WannaCry, the biggest ransomware attack to date, which locked down computers, encrypted files and demanded a ransom, in this case in bitcoin, to restore the system.
Following the attack, the Scottish Business Resilience Centre (SBRC) said the WannaCry attack had been able to spread because routine software updates had not been carried out.
A patch had been issued by Microsoft in March that would have defended computers against the virus.
SBRC chief ethical hacker Gerry Grant said: “Thousands of computers were infected with the ransomware – and it was able to have such an impact because routine preventative measures had not been taken.
“We can’t recommend the practice of habitually updating systems enough, however disruptive or inconvenient at the time – as soon as those updates become available.
“It can be too easy to put this off and click the ‘remind me tomorrow’ option. Unfortunately, it can take a highly publicised attack such as this to affect behaviour.
“We say it so often, but the prospect of a cyber-attack can be incredibly daunting for the less tech-savvy and the temptation can be to bury heads in the sand.
“In reality, the simplest of measures such as those outlined in the Cyber Essentials scheme will put off the vast majority of criminal hackers – who tend to cast a wide net.”
In the wake of the attack, the Scottish Government reviewed its cyber resilience procedures. Justice Secretary Michael Matheson chaired a meeting of the National Cyber Resilience Leaders’ Board to discuss the impact of the attack on Scotland, a multi-agency response to it and formulate a plan to boost cyber resilience across all sectors.
He committed to take forward a public sector action plan, which includes developing a set of preventative guidelines and standards for all Scottish public sector bodies to achieve by 2018, provide support to all 121 public sector organisations to achieve accreditation to the ‘Cyber Essentials’ standard and to produce a public awareness strategy for public sector organisations.
The plan is due to be put before ministers this month.
The UK Government, too, has put an increasing emphasis on the importance of cyber security. It launched an updated cyber security strategy in November 2016, which was underpinned by £1.9bn of funding, double that for the previous strategy.
Tying in with the strategy launch, it also opened the National Centre for Cyber Security, part of GCHQ, in London.
The centre will lead the fight against cyber crime across the UK, with a role in both coordinating expertise on cyber security and to head off major cyber attacks.
In its first three months of existence, it had already responded to 188 attacks.
As part of this cyber security strategy, the UK Government also proposed creating government-approved academic centres of excellence in cyber security research to improve knowledge and capability in the area and last month it was announced that the University of Edinburgh is to become a centre of excellence – one of 14 across the UK and the first such centre in Scotland.
The title recognises the number of staff working in the area, the university’s research record, its commitment to the issue and the sustainability of funding to continue working on cyber security. The status will last for five years from June 2017.
The UK Government National Cyber Security Strategy suggests that a market-based approach has not been enough to keep abreast of the threat and government has to “lead the way and intervene more directly by bringing its influence and resources to bear to address cyber threats”.
It also highlights that the threat has moved from simply protection of devices as more interconnected and smart devices means the internet has become increasingly integrated into all of our lives.
It says: “The ‘internet of things’ creates new opportunities for exploitation and increases the potential impact of attacks which have the potential to cause physical damage, injury to persons and, in a worst-case scenario, death.
“The rapid implementation of connectivity in industrial control processes in critical systems, across a wide range of industries such as energy, mining, agriculture and aviation, has created the industrial internet of things.
“This is simultaneously opening up the possibility of devices and processes, which were never vulnerable to such interference in the past, being hacked and tampered with, with potentially disastrous consequences.”
This was also raised by Gartner research vice-president Tom Scholz at a Holyrood event on cyber security in February.
He said: “In conventional security, our objective is what we used to refer to as the ‘CIA’ model: confidentiality, integrity and availability. In the digital business world, increasingly, we also have to start at the element of physical safety.”
The UK cyber security strategy suggests that much of the hardware and software developed to facilitate an interconnected digital environment has prioritised efficiency, cost and convenience over security.
According to Rik Ferguson of security software company Trend Micro, who acts as an adviser to Europol on issues around cyber security, legislation is needed to protect the public from the increased security risk from these interconnected devices.
He told Holyrood: “The truth is if you’re going to buy a new fridge or if you’re going to buy Amazon Alexa or those kind of devices, you’re not going to ask questions about security, you’re going to ask questions about the functionality of the device for the reasons that you’re buying it and I think the same is probably true in enterprise as well, because enterprises are run by individual consumers, at the end of the day. We think in similar ways.
“So I think the thing that’s really going to advance security in the interconnected internet of everything has to be regulation and legislation, and it has to be the emergence of the equivalent of a kitemark, a BSI kitemark or a European standard that says this device conforms to European security regulation around securing information, securing connections, securing transfer of information and the mechanism exists for you to secure this device.”
One area where new legislation is already in place is the management of data by organisations.
In May 2018 the EU’s General Data Protection Regulation, or GDPR, comes into force, setting stringent new rules for what organisations must do to prevent data leaks.
Some of the key changes are that consent for use of data will have to be more explicit, clear records of data processing will need to be kept and organisations will have to inform the Information Commissioner within 72 hours of discovering a data leak or risk a fine.
It is the level of fines for data leaks in particular that has caused concern, with fines for the most serious breaches of up to €20m or four per cent of global annual turnover, whichever is greater.
Many organisations, both public and private sector, have a lot of work to do to ensure legacy systems and data are brought into compliance in less than a year’s time.
However, Martyn Wallace, chief digital officer at the Digital Office for Local Government in Scotland, suggests fear around GDPR is being hyped up by companies trying to sell solutions.
He told Holyrood: “I’m personally sick to the back teeth of ‘GDPR the ticking time bomb, the thorn in everybody’s side, the big usurper of data’. Stop with the fearmongering, suppliers!
“I’m hit every single week with four or five suppliers offering me the solution, the golden ticket to all my problems.
He adds: “Leave us, let us get on with it, and then when we are looking for a mass data management solution, or if we need to look for a mass data management solution, then we’ll come to market and we’ll look for it then and we’ll do it using agile procurement methods, not the scaremongering.
“The scaremongering is just ridiculous.”
Rachel Neaman of Corsham Institute believes that facing down the challenge of online misinformation needs a long-term and wide-ranging strategy
Sector organisation writes to Matt Hancock and other MPs to express concerns
Local Government Association issues advice to citizens
James Wickes of Cloudview believes regulators need to take steps to sharpen senior managers’ focus on cybersecurity