Prior to the start of the Millennium, businesses had to deal with the crisis issue that was known as the ‘Millennium Bug’. The dire predicted consequences of that event never materialised. However, the threat of a global collapse of computer-driven technology led many businesses to consider their current IT systems and to replace them with more modern solutions. One of the legacies of the ‘Millennium Bug’ was recognition of the pervasive use of computer technologies in all aspects of our lives, both business and private.
Developments in technology have advanced dramatically since then, and we live in an increasingly interconnected world dominated and controlled by computer code. An inadvertent demonstration of this came when the US Navy conducted a training exercise in San Diego harbour to block radio signals in 2007[1] – it also blocked the local telecommunications network, preventing mobile phone calls, and emergency pagers in the local hospital and high street ATMs ceased to function. More critically, it also disrupted GPS signals for shipping in the harbour and air-traffic control systems at the international airport.
While the threat from the ‘Millennium Bug’ was more theoretical than real, the threat from cybercrime is a global phenomenon that is a very ‘real and present danger’. It is a threat that has always existed, but it has grown exponentially over the past few years.
Nature of the Threat
As the use and understanding of computer technologies have evolved, so has the nature and scope of the threats – computer viruses, for example, have evolved from simple programmes easily detectable by anti-virus software to polymorphic programmes that change with each new infection that are specifically designed to hide from screening technologies.
Perhaps of more concern is the development of the type of attack known as an ‘advanced persistent threat’ or APT. The effect of a virus is generally disruptive, is experienced at the point, or soon after, the infection occurs but which can generally be resolved over a relatively short timescale (though the costs of doing so may still be considerable). By contrast, the aim of an APT is for the perpetrator to identify and exfiltrate valuable confidential information from the target site – attacks take time to develop and may be conducted over many months. The security company Mandiant identified, for example, one attack that is reported to have taken about ten months to complete and extracted 6.5 terabytes of data from the target.[2] This is industrial espionage, literally on an industrial scale.
There have been many reports in the press about the conduct of ‘cyber-war’, and one of the events that has attracted more comment than others is the use of the Stuxnet virus targeted to disrupt the Iranian nuclear programme. Less well reported is the fact that the distributed denial of service (DDOS) attacks on many of the larger US banks that occurred in September 2012 (and are still occurring) have been attributed[3] as a direct retaliation to the use of Stuxnet, thereby blurring the lines between conflict and commercial activities and placing businesses in the front line.
‘Hacking’ is frequently associated with the activity of bored teenagers using a home PC to gain peer-group kudos or looking for teenage kicks – a scenario dramatized by the 1983 film ‘War Games’. The reality is that hacking is now conducted by well-organised and resourced groups, whether the socially or morality driven activities of groupings like Anonymous or LulzSec or, the greater threat for businesses, as part of organised crime.
Cybercrime is now ‘big business’ conducted on the same lines as traditional, legitimate business. For example, it is possible to buy all the tools required to hack into a computer system, complete with service levels, ‘money-back’ guarantees and instructional videos (a YouTube search for ‘key loggers’ returns 3.3 million hits for free videos). ‘Hackers’ are organised by skills with different products offered around the components of a typical hack, including intrusion, exploitation and exfiltration.
Laws and Their Weaknesses
Governments across the world have been considering and have been working towards the creation of new laws to prevent cybercrime. For example, the US Cybercrime Bill that was rejected by the Senate in October 2012 led to the Presidential Executive Order in February 2013. At about the same time, the EU Commission launched its Cybercrime Strategy along with a proposal for EU legislation. Many countries already have existing legislation that deals with cybercrime issues; for example, the UK has the Computer Misuse Act 1990 and Australia has the Cybercrime Act 2001 (Cth), both of which establish criminal offences for unlawful or unauthorised access to computers, tampering with computers (modification and impairment) and data theft. US laws, such as the Computer Fraud and Abuse Act 1984 and Electronic Communications Act 1986, are more limited in their effect, but gaps in national laws can frequently be filled by reliance on laws relating to trespass, tort and contract.
However, although the existing legislation generally deals with the current issues of cybercrime and can be updated to meet new challenges, changes in the law are generally slow to develop and implement, and frequently get left behind in the dynamic environment of computer technology. Additionally, in practice the law does not work to deter criminals; it is a function of criminal activity to operate outside of the law, a fact which is facilitated by the jurisdictional limitations of national laws and the organisations employed to enforce it. The anonymity of the Internet and the ease of execution also provide an environment that encourages and even enables criminal activity.
The borderless nature of the Internet also exposes the greatest weakness in the legal framework: national laws are territorial in nature. Treaties and international conventions, such as the Budapest Convention on Cybercrime 2001, require local ratification, interpretation and legislation but also, in recognition of the sovereign authority of each member state, rely on mutual co-operation and principles of extradition to have effect. Consequently, criminals are able to exploit inconsistencies in approach and lack of jurisdictional authority to avoid or evade successful prosecution.
Targets and Risks
It is not just large businesses that are targeted; frequently SMEs present a more attractive target because they do not have the same protection in place as their larger brethren. Regardless of size, however, the impact is felt by all businesses, though the risks are particularly important for those that have large amounts of confidential information, including personal data, valuable intellectual property or sensitive commercial material. Security breaches can result in criminals accessing that information, leading to a range of legal consequences, including:
§ unauthorised access and/or loss of personal data held by or on behalf of clients, resulting in breaches of privacy law obligations and, potentially, individual loss claims. In 2005 a security breach exposed the personal data of TK Maxx’s 45 million customers. One estimate puts its losses at £800 million;[4]
§ unauthorised access and/or loss of confidential information, which may amount to a breach of contract, loss of commercial advantage and/or breach of regulatory obligations. In September 2010 the security of seven Canadian law firms was compromised with attacks targeting a major corporate transaction, a major M&A deal and a third aimed at high-profile litigation;[5]
§ unauthorised access to financial systems leading to financial fraud and other forms of ransom attack that have direct financial consequences. In December 2012 a medical centre in Queensland had its database of medical records held to ransom by Russian criminals.[6] Full details of the July 2013 Visa hack are yet to materialise;
§ denial of service and similar disruptive attacks, that prevent the use of operational systems and cause excessive service downtime and potentially breach of contract. The attacks on the US banks since September 2012, which I previously cited, are a good example of the ability to disrupt the operational activities of organisations;
§ attacks on operational control systems leading to physical damage to plant and machinery. The effect that the Stuxnet virus had on the centrifuges in the Iranian Natanz nuclear processing plant is a well-documented example of the damage that can be caused. Particularly vulnerable are the SCADA[7] industry controls employed in a range of industries such as the utilities and energy sectors. This might lead to a variety of contractual, tortious or regulatory claims; and
§ reputational damage caused as the consequence of any of these risks occurring.
A number of reports have tried to estimate the cost to business of these attacks; the results are inconclusive but do give an indication of the potential impact on business. Examples of these include the report produced by Detica for the UK Cabinet Office that estimated the annual cost of cybercrime to UK business at £27.1 billion[8]. More recently, the Ponemon Institute produced a series of reports on different nations that estimated, for example, that the average cost to Australian businesses of dealing with the cost of a cybercrime event was AU$3.2 million[9]. And Sony reported that the cost of the Playstation hack was US$171 million[10], though this doesn’t include any impact on its share value.
Protection and Advice
Lawyers therefore need to consider two aspects of the threat posed by information security risks: how to protect the information that they hold and how to advise their clients. The analysis and actions required to achieve either are the same, but the risk to legal advisers is that, as in the cases involving Canadian lawyers, they themselves often present a soft target for criminals seeking to gain access to the information owned by their clients. This risk therefore creates a collateral risk that a material reported breach would lead to a run on confidence in the firm with devastating effect. This is essentially what happened to the Arthur Andersen empire following revelations about its auditing of Enron.[11]
Logically, the starting point for lawyers supporting their clients will be to conduct an analysis of the legal and regulatory environment in which the business operates to identify the particular risks it faces and the likelihood of those risks occurring. This analysis will vary depending on the nature of the client and its business; for example, different regulatory issues apply to the financial sector when compared to the utilities sector, though both are equally at risk of attack.
The output from this legal and regulatory gap analysis will be an understanding of the risk profile of the business and the specific procedures, strategies and support that it needs to adopt, including from technology vendors and security consultants.
Naturally, ICT vendors have been promoting a range of technical solutions and services to businesses in an attempt to counter the threat, including better intrusion detection systems, identity access management and data encryption. However, while these are an important part of the overall solution, they are not, and can never provide, the whole answer to the problem. This is because the weakest link in the security chain is, and will always remain, the human element. The threats include criminals masquerading as legitimate employees, usually following a phishing attack, the careless or uneducated actions of employees and the actions of disgruntled staff.
Consequently, there is a need to change and develop the culture of security within a business in conjunction with, or even in place of, changes to its technical solutions. Changing a culture is a slow process that will take time to achieve and which requires a combination of awareness and procedural training together with constant reminders. This is a low cost but highly effective solution to the risk that can be implemented quickly and in conjunction with other procedural steps, such as taking action to comply with international security standards like ISO 27000.
Striking Back?
Suggestions that businesses, or even individuals, should have the right to strike back against a cyber-attack using the same methods and tools as the criminals should be vigorously discouraged. It should be clear that this can never be the right solution; the rule of law would rapidly collapse and there are too many problems attendant on the employment of such a solution. For example, what are the collateral consequences of directing a retaliatory DDOS attack against a server used by criminals? Like the San Diego harbour incident, the likelihood is that many other innocent activities would equally be disrupted.
By contrast, reports like the Mandiant APT1 report have identified that the Internet is not as non-attributable as it is portrayed to be. The experience of the US banks fighting back against the DDOS attacks is that control servers can often be identified and legal processes can then be employed to release information about the criminals controlling the attacks. The next step, which companies like Microsoft have already taken, is to bring civil or private criminal proceedings against the attackers. For example, Microsoft’s Project MARS (Microsoft Active Response for Security) has brought a number of proceedings through the US courts to obtain temporary restraining orders to cut off Internet domain names in the US and Czech Republic and an order to allow seizure of botnet command and control servers.[12] The conclusion of these claims is unlikely to result in significant damages claims, but they do have the important effect of disrupting the activities of the criminals.
Coping and Responses
No one wants to be the victim of a cyber-attack, but if it happens then it is important to have a plan to deal with the consequences. These can include the ability to switch over to back up or disaster recovery solutions, a process to deal with regulatory reporting and notification obligations and, importantly, plans to deal with and minimise the adverse reputational effect that publicity relating to the event can have.
This is an area where insurance can play its part. Not surprisingly the availability of cyber insurance has exploded from a $200 million market just four years ago; it is now worth an estimated $1 billion a year in premiums.[13] Specific cyber-insurance policies provide coverage against loss from theft of data and assets, and a range of other cybercrime related events. Nonetheless, despite the allure of the title ‘cyber insurance’, businesses still need to understand that insurers are also struggling to understand the risks and to design policies that address them. Therefore, legal advisers need to verify whether the policy provides comprehensive cover for the issues relevant to the business.
Law enforcement agencies are, of course, contributing to the response to the threat, and it is clear that there is now much greater co-operation between agencies. However, these agencies are typically resource constrained and are heavily reliant on businesses taking care of all but the most significant events. One area where the agencies are providing more assistance is in the dissemination of information about the threat. For example, the UK government recently launched a new government and industry partnership to share information and intelligence on cyber security threats.[14] Critically, the Cyber Security Information Sharing Partnership will be supported by the Security Service, GCHQ, the National Crime Agency and industry analysts from a variety of sectors.
Conclusion
Reliance on computer technology has grown insidiously over the last few decades. Without realising it, we have ceded control over every aspect of our daily and business lives – communications, utilities, transport, infrastructure, banking, business, health, education and government are all affected. Slowly, we are starting to wake up to this new paradigm and to understand the risks that sit alongside the rewards of a better connected world. Legal remedies have previously evolved to address the business risks as these have also evolved. Business will, and must, continue to develop the use of technology – it is our role as lawyers to support that development and to mitigate or remove the legal risks wherever possible.
Stewart James is a partner in the Intellectual Property & Technology Group at DLA Piper and is based in the Canberra office. His areas of expertise include: PPP/PFI projects, ICT services, outsourcing and re-tendering, business process re-engineering, information assurance (including strong authentication solutions, electronic signatures and Cyber Security), data privacy and freedom of information and intellectual property.
[1] ‘GPS chaos: How a $30 box can jam your life’, NewScientist, 6 March 2011,
http://www.newscientist.com/article/dn20202-gps-chaos-how-a-30-box-can-jam-your-life.html
[2] ‘APT1 – Exposing One of China’s Cyber Espionage Units’, Mandiant, 18 February 2013.
[3] ‘Bank Hacking Was the Work of Iranians, Officials Say’, New York Times, 8 January 2013
‘Iran blamed for cyberattacks on US Banks and companies’, Washington Post, 21 September 2012 http://articles.washingtonpost.com/2012-09-21/world/35497878_1_web-sites-quds-force-cyberattacks
[4] http://en.wikipedia.org/wiki/T.J._Maxx
[5] Julius Melintzer, ‘Law Firms: CYBER TARGET #1’, Lexpert, April 2013.
[6]http://www.theaustralian.com.au/news/breaking-news/clinic-hacked-by-russian-cyber-criminals/story-fn3dxiwe-1226533953554.
[7] SCADA – Supervisory Control and Data Acquisition. Used to monitor and control a wide range of industrial processes. The systems use Internet protocols to communicate but were not originally designed with security in mind.
[8] ‘The Cost of Cyber Crime’, Detica, February 2011
[9] ‘Cost of Cybercrime Study – 2012 (Australia)’, Ponemon Institute, October 2012
[10] ‘Playstation Network Outage’, Wikipedia
http://en.wikipedia.org/wiki/PlayStation_Network_outage
[11] http://en.wikipedia.org/wiki/Arthur_Andersen.
[12] Microsoft Corporation v John Does 1-27 (No 10) (2010) (Waledec Action); Microsoft Corporation v John Does N.1-11 (2011) (Rustock Action); Microsoft Corporation v Piatti et all (No 11) (2011) (Kelihos Action); Microsoft Corporation v John Does 1-39 (2012) (Zeus Action).
[13] The Betterley Report, ‘Cyber/Privacy Insurance Market Survey’, June 2012.
[14] ‘Government launches information sharing partnership on cyber security’, Gov.uk, 27 March 2013
https://www.gov.uk/government/news/government-launches-information-sharing-partnership-on-cyber-security
