Analysis: Conflicting forces of cyber law and order
New EU initiatives may duplicate, or even undermine, efforts to protect the UK's financial services industry from cyber crime. And as Sooraj Shah and Andrew Charlesworth report, this is the last thing the sector needs
Security professionals fighting cyber crime could themselves be criminalised under plans being developed by the European Parliament. MEPs are considering proposals to make it a criminal offence to distribute hacking tools, such as scripts, with a minimum jail term of two years for convicted offenders.
That, of course, would hamper security software companies in their everyday work, as well as the security professionals employed to protect corporate and government systems.
"In an effort to combat cyber attacks, security researchers and ethical hackers are continuously seeking these tools to demonstrate weaknesses within an organisation's network and as a way to reverse engineer solutions to combat hacks," said Andrew Millar, chief operating officer of Corero Network Security.
If MEPs understand so little about the work of industries they seek to regulate, it is little wonder that efforts to fight cyber crime are in such disarray.
One idea to shut down the Sality botnet, one of the world's largest networks of malware-infected computers, involves using its update feature to inject code into the botnet's "zombie" PCs to automatically remove the Trojan that was used to take control of them. Such a technique could be used to clean up other botnets, but would effectively be outlawed under the proposals being considered in the European Parliament.
"It's insane. MEPs obviously don't know how security experts go about their work," one security researcher, who wished to remain anonymous, told Computing.
The debate over plans to criminalise the distribution of hacking tools comes as the European Commission announced a new dedicated centre to fight cyber crime. The European Cybercrime Centre will be based at Europol in the Hague and is expected to start operations in January 2013.
Its staff of 36 will focus on the activities of organised crime groups, particularly online fraud involving credit cards and attacks on bank accounts. It will help to protect social network profiles from criminal infiltration; help fight against online identity theft; support member states' law enforcement agencies in their fight against cyber crime; give technical advice to investigators, prosecutors and judges; and provide early warnings of new vulnerabilities.
FSA punishes security failings
Much of this work will inevitably overlap with efforts by the UK's Financial Services Authority (FSA) to protect the world's biggest financial services centre from cyber crime.
The FSA has been concentrating minds in the financial sector by handing out big fines to banks and insurers whose security has fallen short. Banking giant HSBC was fined more than £3m in July 2009 when it was found to have inadequate systems and controls in place to protect customers' details - it even lost customer data in the post on two occasions. Zurich Insurance, meanwhile, was fined more than £2m in August 2010 after losing sensitive data relating to 46,000 of its customers.
The FSA’s eagerness to get the sector to raise its game is understandable, given that cyber crime is the second most common type of economic crime in the financial services industry after “asset misappropriation”, according to research by consultancy PricewaterhouseCoopers (PwC). The same research also showed that only 18 per cent of respondents had in place all the security measures that PwC believes are essential to respond effectively to cyber crime.
Is the security message getting through?
This suggests the FSA’s efforts to boost IT security in the sector are only having a limited effect. One reason for this may be the authority’s seemingly lax approach to monitoring compliance with its own security guidelines. When Computing asked it how many financial services firms are fully compliant with its data security guidelines, the FSA responded that it “does not keep figures regarding enforcement action over IT security breaches”.
A spokesman said the FSA assesses compliance as part of its broader supervisory process, adding that it “expects all firms that are regulated by the FSA to be compliant”. The fines against HSBC and Zurich show that this was certainly not the case at the end of the last decade, but perhaps things have improved since then.
David Ragan, group compliance officer at Groupama Insurance, believes the fines succeeded in spurring firms into taking more steps to bolster their digital defences.
“There is a need to think outside the box, even though I think that the FSA rules mean that you are addressing most of the risks to a fairly high standard,” said Ragan. “For example, we are aiming for ISO27001 compliance, which is a native project that our IT security officer is engaging in and running out of the company, which should deliver additional levels of security.”
Groupama appointed a dedicated IT security officer 18 months ago after witnessing the impact security breaches were having in and around the industry.
“We thought that if we start losing data in ways that may not be our fault it would still point to a lack of proper security and that would give our organisation a major problem,” Ragan said. “It was at that time that we had our specialised audit by Ernst & Young, so instead of using our own internal people we used external data specialists. One of their key recommendations was that we needed somebody internally who would look at systems security on a daily basis. Ernst & Young said it was not sufficient to manage IT security on the basis of our own unspecialised knowledge.”
Ragan said that the insurer has since gone even further to protect itself. “We also have regular audits around IT security and we also have insurance to cover ourselves against cyber crime, because we’ve decided it’s such an important area of activity,” he said.
Ovum analyst Andy Kellett agrees that organisations need dedicated staff able to deal with the constant changes in technology and regulation.
“The most important factor in the financial sector is to maintain compliance daily and to make sure that the person or people who are dealing with IT security are up to date with the FSA rules, the Data Protection Act and any changes within those acts,” said Kellett.
“They also have to be up to date in their knowledge of threats and computer systems so they can understand what impact a change in their systems has on the compliance procedure of the organisation. Bringing the two points together is important.”
Computing says: Instead of writing directives that would see innocent people sent to jail, maybe the European Parliament should instead consider legislating for heavier fines against organisations that are lackadaisical in their management of sensitive data. Or, better still, start taking advice from security professionals.