Amid an alarming rise in the number of computer hacking cases, Chris Forsyth and Laurence Kalman look at the latest European and US initiatives to tackle cyber crime – and why law firms should remain vigilant

Cyber security is grabbing the headlines, and it is easy to see why. The figures are startling. Reports indicate that cyber crime costs the UK economy up to £27bn each year, with the worldwide annual cost reaching around $388bn (£253bn). As mobile devices proliferate and cloud computing continues to develop, the threat presented by the hackers grows ever more acute. 

According to computing giant Cisco, in 2010 the number of devices connected to the internet stood at around 12.5 billion. This will grow to roughly 25 billion in 2015 and 50 billion by 2020, providing fertile ground for cyber criminals.

Recent high-profile victims include The Wall Street Journal, The Washington Post and The New York Times, all reported to have been targeted by Chinese hackers. In addition to media organisations and social networks – Facebook and Twitter have recently been the subject of sophisticated attacks – infrastructure companies make particularly attractive targets.  

Of the 198 cases reported to the US Department of Homeland Security's Cyber Emergency Response Team in the year to 30 September 2012, roughly 41% were targeted at the energy sector. It is perhaps no surprise that the US director of national intelligence has ranked cyber attacks at the top of a list of transnational threats.

The blame game

Cyber crime is taking on an increasingly geopolitical dimension, most strikingly in the growing war of words between the USA and China. According to Thomas Donilon, the US national security adviser, hacking of US companies from China is reaching "an unprecedented scale", while President Barack Obama has promised "tough talk" with China over cyber espionage.  

These recent exchanges were sparked by the report released in February by Mandiant, the US cyber security firm, which linked China's People's Liberation Army with a campaign of cyber spying. China has denied these allegations.

Attempts to combat cyber crime have also created political controversy on a domestic level. This has been particularly pronounced in the US, where lawmakers have so far failed to bridge partisan divides. 

The House of Representatives passed the proposed Cyber Intelligence Sharing and Protection Act (CISPA) last April, but the bill was threatened with a presidential veto and held up in the Senate. Opponents claimed that the measure would threaten citizens' privacy and allow the Government and private sector organisations to access swathes of private data.

A call to arms?

Against this backdrop, the European Union (EU) has seized the initiative and attempted to position itself as a world leader on cyber security. On 7 February, the European Commission (EC) and the EU's foreign affairs and security representative adopted a joint Communication on Cyber Security. The communication proposes a new directive on standards for network and information security across the EU.

EU member states will be required to adopt their own cyber security strategies. They will designate national authorities and establish computer emergency response teams, tasked with promoting security and dealing with cyber attacks.

The proposed directive also creates a framework for EU-wide co-operation and information sharing. The European Network and Information Security Agency is charged with working alongside standardisation bodies and stakeholders to develop technical guidelines and recommendations for cyber security benchmarks.

The member states' national authorities and the EC will form a 'co-operation network' to circulate early warnings, co-ordinate response strategies and organise regular reviews.

A mixed receptionkalman-laurence-web

The proposed directive requires critical infrastructure operators – including financial services, energy and health companies, and key internet enablers (such as e-commerce platforms and social networks) – to implement adequate security measures. Controversially, these companies will have to report significant security breaches to the new national authorities. Those authorities can then publicise incidents where this is in the public interest. 

This will be the first time that businesses across key sectors will have had overarching incident reporting obligations. At present, there is only a patchwork of regulations that apply either to specific sectors (such as financial services or electronic communications providers) or to particular types of information (for example, under the EU data protection regime).

These proposed reporting requirements have met with a mixed response. Many have welcomed the prospect of a unified, cross-border approach to sharing information and combating costly cyber attacks. But some operators – particularly in industries that are not currently subject to similar reporting obligations – are worried about the increased regulatory burden. Many businesses are acutely concerned about the risk of reputational damage if they report a cyber attack which is then disclosed publicly.

Hot on the heels of the EU's draft directive, on 12 February President Obama used his State of the Union address to announce an executive order calling for stronger protections over vital US infrastructure. The measure is intended to boost American cyber defences but, unlike the EU's proposal, it imposes no new legal obligations on private companies.

The executive order paves the way for increased co-operation and information sharing between Government and the private sector. It requires the National Institute of Standards and Technology to develop a set of voluntary standards for critical infrastructure operators. The order directs the Department of Homeland Security and other infrastructure agencies to establish a programme encouraging operators to adopt those standards. The President also renewed pressure on Congress to act. CISPA was reintroduced in the House of Representatives on 13 February.

Impact on businesses

The cyber security initiatives that are under way in the EU and the US are ambitious in scope, and may be even broader in effect. Although both the directive and the executive order focus on critical infrastructure companies, the technical standards that they usher in will, in practice, set benchmarks across all industries. Parties to commercial transactions will demand assurances that their counterparties have suitable protections in place. All of this will require investment. 

Cyber security is already big business – a recent study estimated that $30bn (£19.6bn) is invested in cyber security each year in the US, with spending increasing by around 10% per year. The EU estimates the private sector's additional costs of complying with the new directive to be between €360m (£307m) and €720m (£614m).

Some effects of these cyber security initiatives remain hazy. In the EU there is a risk that different regulatory regimes will overlap. Players in some industries (such as financial services) may find that they already comply with most of the directive's requirements. However, it is unclear how the new reporting requirements will tie in with their existing industry-specific obligations (or which would take precedence). 

The proposed new Data Protection Regulation would require businesses throughout the EU to report breaches involving personal data to the data protection authorities. This raises the unwelcome prospect of multiple notification requirements, each subject to different triggers and timescales.

Future focus

It is unlikely that the proposed EU directive and the US executive order will crush cyber crime entirely, but they represent an encouraging step in the right direction. Increasing co-operation and information sharing across the private and public sectors will help to protect businesses against an online attack.

But the success of the campaign against worldwide cyber crime depends on international co-operation and harmonisation, and the European and American proposals show few signs of a co-ordinated approach. This means that multinational business won't simply be able to rely on complying with one set of rules. 

Meeting US cyber security requirements will not necessarily satisfy the European authorities (and vice versa) if their standards are different. Companies with connections to both Europe and the US will need to make sure they are doubly compliant. This could prove to be a significant legal headache for firms and suggests that compliance will need to move up their corporate agenda.

Within the EU, the directive's effectiveness will rely on how it is implemented in national laws. Member states will invariably implement it at a different pace and with different degrees of rigour. This could well result in another case of multi-speed Europe and legal ambiguity for organisations operating across jurisdictions. Companies may seek ways to comply with those member states which take the most light-touch, low-cost approach to implementing the directive.

Right now, companies have an opportunity to influence the debate in the UK. In March, the Government launched a consultation to select and endorse an industry-led cyber security standard. Industry bodies and corporates can submit evidence in support of their preferred standard until 14 October.

However, law firms should not forget that they are among the potential victims of cyber crime. Of the 141 entities targeted by hackers and covered by Mandiant's report, four were law firms. They may have been targeted to obtain sensitive information about a large number of companies in one go. 

As clients become subject to new obligations and increase their own IT security, they will demand that their lawyers adopt the same standards. Firms will ignore these changes at their peril.

Chris Forsyth is a partner and Laurence Kalman is a senior associate at Freshfields Bruckhaus Deringer.