A rising tide – the latest US and European initiatives to tackle cyber crime
Cyber security is grabbing the headlines, and it is easy to see why. The figures are startling. Reports indicate that cyber crime costs the UK economy up to £27bn each year, with the worldwide annual cost reaching around $388bn (£253bn). As mobile devices proliferate and cloud computing continues to develop, the threat presented by the hackers grows ever more acute. According to computing giant Cisco, in 2010 the number of devices connected to the internet stood at around 12.5 billion. This will grow to roughly 25 billion in 2015 and 50 billion by 2020, providing fertile ground for cyber criminals. Recent high-profile victims include The Wall Street Journal, The Washington Post and The New York Times, all reported to have been targeted by Chinese hackers. In addition to media organisations and social networks – Facebook and Twitter have recently been the subject of sophisticated attacks – infrastructure companies make particularly attractive targets.
April 18, 2013 at 07:03 PM
8 minute read
Amid an alarming rise in the number of computer hacking cases, Chris Forsyth and Laurence Kalman look at the latest European and US initiatives to tackle cyber crime – and why law firms should remain vigilant
Cyber security is grabbing the headlines, and it is easy to see why. The figures are startling. Reports indicate that cyber crime costs the UK economy up to £27bn each year, with the worldwide annual cost reaching around $388bn (£253bn). As mobile devices proliferate and cloud computing continues to develop, the threat presented by the hackers grows ever more acute.
According to computing giant Cisco, in 2010 the number of devices connected to the internet stood at around 12.5 billion. This will grow to roughly 25 billion in 2015 and 50 billion by 2020, providing fertile ground for cyber criminals.
Recent high-profile victims include The Wall Street Journal, The Washington Post and The New York Times, all reported to have been targeted by Chinese hackers. In addition to media organisations and social networks – Facebook and Twitter have recently been the subject of sophisticated attacks – infrastructure companies make particularly attractive targets.
Of the 198 cases reported to the US Department of Homeland Security's Cyber Emergency Response Team in the year to 30 September 2012, roughly 41% were targeted at the energy sector. It is perhaps no surprise that the US director of national intelligence has ranked cyber attacks at the top of a list of transnational threats.
The blame game
Cyber crime is taking on an increasingly geopolitical dimension, most strikingly in the growing war of words between the USA and China. According to Thomas Donilon, the US national security adviser, hacking of US companies from China is reaching "an unprecedented scale", while President Barack Obama has promised "tough talk" with China over cyber espionage.
These recent exchanges were sparked by the report released in February by Mandiant, the US cyber security firm, which linked China's People's Liberation Army with a campaign of cyber spying. China has denied these allegations.
Attempts to combat cyber crime have also created political controversy on a domestic level. This has been particularly pronounced in the US, where lawmakers have so far failed to bridge partisan divides.
The House of Representatives passed the proposed Cyber Intelligence Sharing and Protection Act (CISPA) last April, but the bill was threatened with a presidential veto and held up in the Senate. Opponents claimed that the measure would threaten citizens' privacy and allow the Government and private sector organisations to access swathes of private data.
A call to arms?
Against this backdrop, the European Union (EU) has seized the initiative and attempted to position itself as a world leader on cyber security. On 7 February, the European Commission (EC) and the EU's foreign affairs and security representative adopted a joint Communication on Cyber Security. The communication proposes a new directive on standards for network and information security across the EU.
EU member states will be required to adopt their own cyber security strategies. They will designate national authorities and establish computer emergency response teams, tasked with promoting security and dealing with cyber attacks.
The proposed directive also creates a framework for EU-wide co-operation and information sharing. The European Network and Information Security Agency is charged with working alongside standardisation bodies and stakeholders to develop technical guidelines and recommendations for cyber security benchmarks.
The member states' national authorities and the EC will form a 'co-operation network' to circulate early warnings, co-ordinate response strategies and organise regular reviews.
A mixed reception
The proposed directive requires critical infrastructure operators – including financial services, energy and health companies, and key internet enablers (such as e-commerce platforms and social networks) – to implement adequate security measures. Controversially, these companies will have to report significant security breaches to the new national authorities. Those authorities can then publicise incidents where this is in the public interest.
This will be the first time that businesses across key sectors will have had overarching incident reporting obligations. At present, there is only a patchwork of regulations that apply either to specific sectors (such as financial services or electronic communications providers) or to particular types of information (for example, under the EU data protection regime).
These proposed reporting requirements have met with a mixed response. Many have welcomed the prospect of a unified, cross-border approach to sharing information and combating costly cyber attacks. But some operators – particularly in industries that are not currently subject to similar reporting obligations – are worried about the increased regulatory burden. Many businesses are acutely concerned about the risk of reputational damage if they report a cyber attack which is then disclosed publicly.
Hot on the heels of the EU's draft directive, on 12 February President Obama used his State of the Union address to announce an executive order calling for stronger protections over vital US infrastructure. The measure is intended to boost American cyber defences but, unlike the EU's proposal, it imposes no new legal obligations on private companies.
The executive order paves the way for increased co-operation and information sharing between Government and the private sector. It requires the National Institute of Standards and Technology to develop a set of voluntary standards for critical infrastructure operators. The order directs the Department of Homeland Security and other infrastructure agencies to establish a programme encouraging operators to adopt those standards. The President also renewed pressure on Congress to act. CISPA was reintroduced in the House of Representatives on 13 February.
Impact on businesses
The cyber security initiatives that are under way in the EU and the US are ambitious in scope, and may be even broader in effect. Although both the directive and the executive order focus on critical infrastructure companies, the technical standards that they usher in will, in practice, set benchmarks across all industries. Parties to commercial transactions will demand assurances that their counterparties have suitable protections in place. All of this will require investment.
Cyber security is already big business – a recent study estimated that $30bn (£19.6bn) is invested in cyber security each year in the US, with spending increasing by around 10% per year. The EU estimates the private sector's additional costs of complying with the new directive to be between €360m (£307m) and €720m (£614m).
Some effects of these cyber security initiatives remain hazy. In the EU there is a risk that different regulatory regimes will overlap. Players in some industries (such as financial services) may find that they already comply with most of the directive's requirements. However, it is unclear how the new reporting requirements will tie in with their existing industry-specific obligations (or which would take precedence).
The proposed new Data Protection Regulation would require businesses throughout the EU to report breaches involving personal data to the data protection authorities. This raises the unwelcome prospect of multiple notification requirements, each subject to different triggers and timescales.
Future focus
It is unlikely that the proposed EU directive and the US executive order will crush cyber crime entirely, but they represent an encouraging step in the right direction. Increasing co-operation and information sharing across the private and public sectors will help to protect businesses against an online attack.
But the success of the campaign against worldwide cyber crime depends on international co-operation and harmonisation, and the European and American proposals show few signs of a co-ordinated approach. This means that multinational business won't simply be able to rely on complying with one set of rules.
Meeting US cyber security requirements will not necessarily satisfy the European authorities (and vice versa) if their standards are different. Companies with connections to both Europe and the US will need to make sure they are doubly compliant. This could prove to be a significant legal headache for firms and suggests that compliance will need to move up their corporate agenda.
Within the EU, the directive's effectiveness will rely on how it is implemented in national laws. Member states will invariably implement it at a different pace and with different degrees of rigour. This could well result in another case of multi-speed Europe and legal ambiguity for organisations operating across jurisdictions. Companies may seek ways to comply with those member states which take the most light-touch, low-cost approach to implementing the directive.
Right now, companies have an opportunity to influence the debate in the UK. In March, the Government launched a consultation to select and endorse an industry-led cyber security standard. Industry bodies and corporates can submit evidence in support of their preferred standard until 14 October.
However, law firms should not forget that they are among the potential victims of cyber crime. Of the 141 entities targeted by hackers and covered by Mandiant's report, four were law firms. They may have been targeted to obtain sensitive information about a large number of companies in one go.
As clients become subject to new obligations and increase their own IT security, they will demand that their lawyers adopt the same standards. Firms will ignore these changes at their peril.
Chris Forsyth is a partner and Laurence Kalman is a senior associate at Freshfields Bruckhaus Deringer.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Almost Impossible'?: Squire Challenge to Sanctions Spotlights Difficulty of Getting Off Administration's List
4 minute read'Never Been More Dynamic': US Law Firm Leaders Reflect on 2024 and Expectations Next Year
7 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250