SCL Event Report: Foundations of IT Law Programme – Module 5: Risk, Cyber-threat and Computer Misuse

July 20, 2014

This SCL event was hosted by Speechly Bircham LLP and chaired by Mark Bailey, a Partner at Speechly Bircham. Mark began by explaining that technological, human and physical factors all contribute to risk, cyber-threat and computer misuse. It is imperative that technology lawyers understand that a multifaceted approach is required to combat these factors, including using policies and technological measures. The speakers were Alexander Carter-Silk, who focused on the misuse of computers, Gary Hawkins, who explored secure network design and common infection channels, Emiliano DeCristofaro, who provided insight on cyber terminology and approaches to threats and vulnerabilities, and Laurence Rossini, who explained how underwriters assess the risk of computer misuse and breaches of data security.

Alexander Carter-Silk gave an overview of the law on computer misuse. He explained that the new information security directive treats the world as interconnected. Alex’s view, however, is that we need to ‘stop building the walls taller’ as regulation penalises the victim of cyber crime by focusing on what businesses should do to guard against cyber-attacks. A cyber breach leads to a loss, a business’ reputation is damaged, its clients leave and then it is fined by the regulator. Alex argued that this could not be right.

Alex described the different types of computer misuse and highlighted that this does not always relate to hacking. He explained that you can use a computer to commit a conventional crime and noted that offences regarding criminal misuse relate to computers themselves, not the consequences of the act. He highlighted that we link to networks more frequently than we think. The misuse of computers is therefore very broad. The Internet is a pipe that is open at both ends, and so will never be completely secure.

Alex explained that EU directives are increasingly high level. The legislation is fragmented, as European law takes precedence over local law. The principle of nationality, national boundaries and the jurisdiction of national courts is breaking down. Cyber law is moving away from the national and towards the individual, as demonstrated by ‘long arm’ jurisdiction in the US. Where crimes are committed and by whom is now a big issue.

Alex argued that we must be aware of the secondary effect of cyber attacks, particularly in the light of the proposed amendments to the Computer Misuse Act 1990. Under the amendments, enabling will become an offence (ie supplying botnets or supplying virus software to someone else) and extra-territorial jurisdiction will be extended (eg the Act will extend to offences by persons outside of the UK where there is no link to the UK other than nationality).

Alex went on to discuss whether a cyber attack constitutes an act of war. Alex explained that the Tallinn Manual advises that a cyber-attack can constitute an act of war (eg a cyber-attack against the electricity supply of a country could result in civil, criminal and international liability). There is therefore the potential to take a country to the international court for a cyber attack, as the country will be liable for its citizens. He finished his presentation by stating that building the walls higher does not work. The only options are either to stop the attacks or to insure against them.

Gary Hawkins’ presentation explored secure network design and common infection channels. Gary explained that traditional firewalls, advanced firewalls and data loss protections are not implemented properly by the companies that use them. He argued that companies must monitor their security systems and implement end-to-end systems to ensure that they are protected.

Gary explained that it is very important for companies to separate the data at the back end of their networks. Companies should control outbound access by limiting what their employees look at and should also authenticate inbound access. He highlighted that a company’s internal network is where all the valuable information is. There is no end to the security that can be added at this level. However, the most important point is how this security is managed and maintained.

Gary stated that an attacker has two choices: to start outside and work in or to jump inside the network and have someone send the data out. The second option is much more common and effective. He explained that the stages of a cyber attack include reconnaissance, identification of a vulnerability, the exploitation of that vulnerability and the search for something of value to extract.

Gary set out various ways that attackers target businesses. There are tools that allow you to create malware and services that let you launch a botnet to allow you to deliver viruses to an audience. Attackers do not necessarily need to target individuals. They can target forums, news web sites or industry sites that people within the targeted industry use. The attacker can then infect everyone that visits a certain web site, or can be more targeted and infect only people from a certain company.

Gary argued that, in order to protect themselves, companies must partition their network. In practice very few companies actually do this completely. Companies should make sure that, once someone is in their network, they cannot get very far. Gary suggested that companies should pay people to try to hack all the web sites they use and that all security procedures should be tested regularly.
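Gary’s points about partitioning the network, limiting outbound access and confining anyone who gets inside can be made concrete with a small policy model. The Python below is an added illustration written for this report; it is not code from the event or from any of the speakers. The segments, addresses and rules are constructed, and the helpers (`segment_of`, `evaluate`, `reachable_segments`) are hypothetical names chosen here. It evaluates individual flows against a default-deny rule set and then walks the allow rules to show how far a foothold in the user LAN could travel, which is the check a segmentation review needs beyond looking at direct access alone.

```python
"""Constructed example: evaluating a segmented network policy.

Segments, addresses and rules are invented for illustration; they are not
from the event report or from any real network.
"""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed segments. "internet" is the catch-all 0.0.0.0/0.
SEGMENTS = {
    "user_lan": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "backend_db": ip_network("10.30.0.0/24"),
    "internet": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    src: str             # source segment name
    dst: str             # destination segment name
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"


# Ordered rule list evaluated first-match; anything unmatched is denied.
RULES = [
    # Outbound from the user LAN is limited to HTTPS (in practice via a proxy).
    Rule("user_lan", "internet", 443, "allow"),
    # Users reach the public application tier the same way outsiders do.
    Rule("user_lan", "dmz", 443, "allow"),
    # Only the application tier may talk to the database, and only on its port.
    Rule("dmz", "backend_db", 5432, "allow"),
    # Inbound from the internet terminates in the DMZ; nothing else is exposed.
    Rule("internet", "dmz", 443, "allow"),
]


def segment_of(addr: str) -> str:
    """Map an address to the most specific segment that contains it."""
    ip = ip_address(addr)
    matches = [name for name, net in SEGMENTS.items() if ip in net]
    # Longest prefix wins, so 0.0.0.0/0 only catches what no internal segment does.
    return max(matches, key=lambda name: SEGMENTS[name].prefixlen)


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decide a single flow: first matching rule, else default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return "allow"  # intra-segment traffic never crosses the firewall
    for rule in RULES:
        if rule.src == src and rule.dst == dst and rule.port in (None, dst_port):
            return rule.action
    return "deny"


def reachable_segments(start: str) -> dict:
    """Transitive reachability from a segment via allow rules (breadth-first).

    Returns {segment: hops}. A segmentation review uses this to see how far a
    foothold in `start` could travel, not only what it can reach directly.
    """
    hops = {start: 0}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for rule in RULES:
            if rule.src == current and rule.action == "allow" and rule.dst not in hops:
                hops[rule.dst] = hops[current] + 1
                queue.append(rule.dst)
    return hops


if __name__ == "__main__":
    # Constructed sample flows with the decision each should receive.
    flows = [
        ("10.10.4.7", "203.0.113.10", 443),   # workstation to web: allow
        ("10.10.4.7", "203.0.113.10", 22),    # workstation SSH outbound: deny
        ("10.10.4.7", "10.30.0.5", 5432),     # workstation straight to DB: deny
        ("203.0.113.10", "10.30.0.5", 5432),  # internet straight to DB: deny
        ("10.20.0.3", "10.30.0.5", 5432),     # app tier to DB: allow
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
    print("reachable from user_lan:", reachable_segments("user_lan"))
```

The reachability walk is the part worth keeping from a review: the user LAN cannot reach the database directly, but it can reach the DMZ and the DMZ can reach the database, so a compromised workstation is two hops from the data. Whether that second hop is acceptable depends on what the DMZ hosts can do once compromised, which is exactly the question Gary’s advice about regular testing is meant to answer.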

Emiliano DeCristofaro’s presentation dealt with the gap in how we reason about computer security. He argued that, because we patch our systems, we are always one step behind the attackers. He explained that there is a difference between security and correctness. We need to ensure that programs and systems are correct – the systems must meet the specifications. Security, however, deals with the properties of the program that must be preserved in an attack.

Emiliano explained that security focuses on the fact that there is an adversary. In the presence of an adversary the system must behave how we expect. We must understand how to model the adversary in order to determine the properties that need to be maintained. We need to be able to understand what constitutes a threat. We need to determine the adversary’s resources, capability and strategy. Emiliano said that, additionally, we need to understand what we want to protect. He highlighted the importance of defining what you want to protect against.

He went on to explain that we need to consider threats versus vulnerabilities. Threats are determined by looking to who might attack, what assets might be attacked, with what goal, when/where/why and with what probability. We should take countermeasures to neutralise the threat, close the vulnerability or do both.

Emiliano argued that social engineering is emerging as one of the most popular attack methods. A security network is only as secure as its weakest link, which is usually the network user. Insecure software depends on many different elements, including technical, economic and human factors. It is therefore very important to use a variety of methods to improve security such as improved tools, standards and metrics, education, policy and regulation. Emiliano highlighted that systems are often designed without security in mind. Organisations and individuals want systems to survive attacks, rather than being resilient to them. This mindset will need to change if improvements in security are to be realised.

Laurence Rossini’s presentation focused on how underwriters assess the risk of computer misuse and breaches of data security. Laurence explained that cyber liability policies cover two key areas: third-party liability and first-party loss. Third-party liability covers privacy liability, virus/hacking liability, IP infringement/defamation and content liability. First-party loss covers privacy breach notification, system damages, business interruption, cyber-crime and brand protection/crisis management.

Laurence explained that businesses will not be covered under their existing insurance policies for cyber-attacks. Underwriting cyber-attacks considers a company’s revenues, the data it holds, the areas it operates in and the security it implements. Individuals who have insurance are covered for negligent transmissions of viruses.

Laurence argued that lawyers need to make sure third-party providers are carrying out proper due diligence, as there is a need to pass on security standards. He highlighted that you cannot stop attackers getting into your system, but that you can limit where they go and track what they do once they are inside. Cyber insurance is therefore crucial, as it is one way to defend against cyber-attacks, and an alternative to ‘building higher walls’.

Laura Bruin is a solicitor in the IPTD team at Speechly Bircham LLP.