Cybercrime Generates Concern Over Attacks on Essential Services
Daily news of major hacks and cybercrime is generating a lot of concern about attacks on essential services and producing billions in revenue for organized…
October 19, 2017 at 10:23 PM
6 minute read
The original version of this story was published on Law.com
Daily news of major hacks and cybercrime is generating a lot of concern about attacks on essential services and producing billions in revenue for organized crime. So, it isn't surprising that Europe sees this as one of the top three existential threats it faces today, right above immigration and below climate change.
Unfortunately, there's no escaping the fact that commercial organizations remain a primary target for cybercriminals. Digital assets are usually the crown jewels of a business, especially when you consider the value of assets like IP, customer data and trade secrets. With many other types of organization, operators of essential services are developing increasingly digitalized business models, which acts only to widen the surface area for a cyber-attack. Consequently, the risk of an OES suffering a cyber incident is not going away, and there are right to be concerned about the possible consequences of this. Bryony Hurst, partner at Bird & Bird LLP, recently sat down with Inside Counsel to discuss this in more detail.
In Europe on May 9, 2018, the Network & Information Systems Directive (NISD) will come into force. This imposes strict obligations upon Operators of Essential Services to put in place appropriate and proportionate technical and organizational risk management measures, including measures to prevent and minimize the impact of incidents that affect the security of their systems and networks. It also obliges them to act swiftly when an incident occurs, both in terms of investigating the incident and reporting it to their regulator.
“If personal data of European citizens is impacted by the attack, then additional obligations under the General Data Protection Regulation (GDPR) are also likely to be triggered, which again relate to having appropriate measures in place and reporting incidents within a set period to the regulator and to any affected individuals,” explained Hurst. “Failure to comply with either the NISD or the GDPR provisions exposes OESs to severe financial penalties – depending upon the breach, as much as two or four percent of the company's annual global turnover. It is therefore imperative that OESs focus resources on achieving compliance with these laws as soon as possible after they are implemented in May 2018.”
According to Hurst, there are several ways that cyber criminals can generate income from carrying out attacks on businesses, but one method constitutes a growing threat – the use of ransomware (whereby a user is tricked into opening an infected email or pop-up, for example, which then downloads malicious code, locks down their device and generates a message containing demands in order to regain access. Sophisticated ransomware can infiltrate a company's entire system, as we witnessed in the May 2017 worldwide Wannacry ransomware attack. Statistics published by CNN recently noted that in Q1 2016 alone, over $209 million was paid to ransomware criminals.
“As the scale and sophistication of cyber-attacks continues to increase, it is easy to understand why fears are growing that, at some point, an attack will take place that not only temporarily brings downs a company's IT systems, but completely destroys them and leaves them unable to recover,” he said.
The Wannacry attack of May 2017 was followed by the Petya attack, which spread across over 60 countries in just days and brought down the operations of dozens of major corporations, including Reckitt Benckiser, FedEx and Maersk. Later, Maersk announced that its Q3 results were likely to be impacted by $200-300 million because of the attack, and certain of its operations were still not up and running more than two months after the attack. FedEx announced losses of a similar level.
However, it is not just the threat to the private sector that raises cyber to a top priority for Europe; the potential for attacks to paralyses essential public services is perhaps of even greater concern, per Hurst. For instance, during the WannaCry attack, the UK's National Health Service was subject to severe delays and disruptions and Germany's rail network was disrupted as a result of the infection spreading to its largest rail operator's systems. In a separate subsequent attack the UK Parliament was also hit by a massive cyber-attack, striking at the very heart of government. Fortunately, Hurst said, the fallout from these attacks was largely contained within a short period of time, but the potential for greater damage is something that cannot be ignored.
“The threats that accompany Europe's increased reliance upon secure digital systems cannot be underestimated,” he explained. “Not only could the next major cyber-attack bring down critical infrastructure but, as seen from the attack on the UK Parliament, it could also bring down the most fundamental organizations in our democratic systems.”
In addition, particularly as state-sponsored bad actors continue to target Western governments, it is not difficult to envisage an attack that focusses directly on the military capabilities of European Member States. In addition to these very serious concerns, the Commission's focus on cyber resilience is probably also fueled in part by its desire to establish and promote Europe as one of the world's leading digital economies. When it announced its Digital Single Market strategy in 2015, it identified cybersecurity as one of three main challenges to ensuring a fair, open and secure digital environment and described it as “essential to keep the online economy running and to ensure prosperity.”
The EU's various bodies are already at work to promote cyber resilience in many ways. ENISA was established in 2004 and given a significant mandate. The NISD was first proposed in 2013 and has been heavily debated and refined ever since. The driver behind expanding its focus on cyber-security is the need for greater co-operation between Member States to ensure that individual countries' efforts are part of a comprehensive program. Recent attacks have demonstrated that multiple countries and industries are likely to be targeted simultaneously going forwards, and it will only be by establishing a uniform set of standard and sharing knowledge that the EU can hope to win not only each battle, but eventually also the war.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllUS Reviewer of Foreign Transactions Sees More Political, Policy Influence, Say Observers
Pre-Internet High Court Ruling Hobbling Efforts to Keep Tech Giants from Using Below-Cost Pricing to Bury Rivals
6 minute readPreparing for 2025: Anticipated Policy Changes Affecting U.S. Businesses Under the Trump Administration
Senate Panel Postpones Vote on Reconfirmation of Democrat Crenshaw to SEC
Trending Stories
- 1The Tech Built by Law Firms in 2024
- 2Distressed M&A: Mass Torts, Bankruptcy and Furthering the Search for Consensus: Another Purdue Decision
- 3For Safer Traffic Stops, Replace Paper Documents With ‘Contactless’ Tech
- 4As Second Trump Administration Approaches, Businesses Brace for Sweeping Changes to Immigration Policy
- 5General Warrants and ESI
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250