
Ransomware plague exposes irrelevance of GDPR

The vulnerability of parts of the United Kingdom’s National Health Service to a piece of not-very-sophisticated ransomware was, in no small part, a consequence of the current obsession with protecting data privacy at the expense of data availability and data accuracy.

Data availability and integrity are more important than privacy

Few patients die because their privacy has been breached. Several dozen may die because tests and treatment have not been carried out over the past week. But that is many times fewer than the number who die annually because errors in their records lead to wrong dosages or mistreatment. Nor is it only criminal behaviour that brings systems down. Both RBS and British Airways have had their ATMs and booking systems off air for days after closing down their in-house IT teams and moving the work to India to cut costs. Time lags in communication along sub-contracting chains led to minor problems escalating and clashing with overnight updating.

Meanwhile communications networks go off air because of power outages, cable breaks or bad weather with monotonous regularity. Reliance on cloud-based systems without multi-sourced communications and local back-up is hazardous. One of the lessons of the weekend’s events was the need for defence in depth. The top priority for any security policy is availability and resilience, not “just” privacy. If the incumbent (BT in the UK) is the main supplier, the other suppliers should not share single points of failure with it.

Robust data governance, including the use of encryption, is about authentication and integrity, not just privacy.

Last year I argued that Brexit should include a more effective partnership with the rest of Europe to unravel the global politics of privacy, security and choice. I quoted from Gordon Corera’s book “Intercept” on how the order of priorities for robust encryption was understood in the 1960s. The same order applies to medicine and banking today.

1st Attribution – only the President can order a Nuclear Strike: you have to know it is him

You need to know who (or what) recorded the data so that you can decide on its reliability.

2nd Integrity – lest the text becomes corrupted and the missiles have the wrong target

Lest the text become corrupt and the patient gets the wrong medicine or the payment goes astray

3rd Non-repudiation – you cannot allow the President to say it was not him

You cannot allow the clinician or customer to say it was not them.

4th Infinity/Availability – however many times you run the system it must give the same result

Clinicians and customers must be able to trust the system.

5th Secrecy – to provide reasonable confidence it will not be read by those not authorised to do so, bearing in mind the ways of getting at the text before it has been coded and after it has been decoded.

It must also be easier to do things securely than insecurely, so as to remove the need to bypass security and/or give your keys to your colleagues or children – thus negating the 1st objective. In this context we need to recognise that organised criminals already have access to the information necessary to impersonate most of us. Over half of all UK 65-year-olds, for example, have already been targeted using data acquired from information on public record (e.g. Companies House and shareholder registers), melded with that acquired from chugger clearing houses and adtech analytics, to identify whether their savings are likely to be worth looting and, if so, the most effective means of doing so.
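The ordering above, with attribution and integrity ahead of secrecy, can be shown concretely. What follows is an added example, not code from the original post or from Corera’s book. It “encrypts” a constructed patient record with a keystream XOR, as a stream cipher or a counter-mode block cipher does, and shows that an attacker who knows only the record layout can change the dose without ever seeing the key, because secrecy on its own gives no integrity. The same record protected with an HMAC over the ciphertext is rejected. The record, its field layout, the hash-based keystream (a stand-in for a real cipher) and the key sizes are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for the demonstration; not real patient data.
RECORD = b"patient=0042;drug=warfarin;dose_mg=1.0"
DOSE_FIELD = b"dose_mg="
# The attacker is assumed to know the form layout and the default dose,
# which is all the attack needs; the record content stays secret.
DOSE_OFFSET = RECORD.index(DOSE_FIELD) + len(DOSE_FIELD)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream in counter mode. Assumed stand-in for a real
    stream cipher such as AES-CTR so the block needs only the standard
    library; it is not a reviewed cipher and must not be used in anger."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Secrecy only: ciphertext = plaintext XOR keystream, no tag."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_only(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def flip_dose(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move: XOR the difference between old and new into the
    ciphertext at the known offset. No key is needed; XOR malleability
    carries the change straight through to the decrypted plaintext."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the HMAC tag binds nonce and ciphertext together."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes,
                ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: record rejected")
    return decrypt_only(enc_key, nonce, ct)


def demo_secrecy_only() -> bytes:
    """Returns what the clinician's system decrypts after the attack."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    ct = encrypt_only(key, nonce, RECORD)
    forged = flip_dose(ct, DOSE_OFFSET, b"1.0", b"9.0")
    return decrypt_only(key, nonce, forged)


def demo_encrypt_then_mac() -> str:
    """Returns 'rejected' if the tampered record is caught, 'accepted' if not."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    ct, tag = seal(enc_key, mac_key, nonce, RECORD)
    assert open_sealed(enc_key, mac_key, nonce, ct, tag) == RECORD  # honest path
    forged = flip_dose(ct, DOSE_OFFSET, b"1.0", b"9.0")
    try:
        open_sealed(enc_key, mac_key, nonce, forged, tag)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(demo_secrecy_only().decode())  # dose silently becomes 9.0
    print(demo_encrypt_then_mac())       # rejected
```

The tag gives integrity and, among the holders of the MAC key, attribution. It does not give the 3rd property in the list: because the key is shared, the clinic and the pharmacy could each have produced the tag, so neither can be held to it. Non-repudiation needs a digital signature under a key that only one party holds, which the standard library does not supply; a practitioner would reach for a maintained library rather than the hash-based keystream used here.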

Data breach notification is a menace which benefits only criminals

One of the “lessons” of the TalkTalk incident was that a data breach notification “merely” provides the increasingly integrated operations of phishermen, vishermen and courier fraudsters with topical material for their scripts. Given that it takes an organisation an average of 205 days to know that it has had an actual breach, as opposed to an attack which may or may not have succeeded, notification is of no practical value in improving security or protecting victims.

In consequence the most important single recommendation of the Culture, Media and Sport Select Committee in its report on cyber security was probably:

“All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine.  This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms.” (Para 14)

The members of the committee had little faith in ability of law enforcement to provide redress for those of their constituents who had been successfully defrauded. Instead they recommended that:

“It should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process.” (Para 25)

They also felt that the most effective way of bringing about the changes in corporate behaviour would be to have companies reporting what they were doing in a common, comparable format:

“Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:

  • Staff cyber awareness training;
  • When their security processes were last audited, by whom and to what standard(s);
  • Whether they have an incident management plan in place and when it was last tested;
  • What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
  • The number of enquiries they process from customers to verify authenticity of communications;
  • The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).

Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened.  Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place. (Para 38)”

Governments traditionally ignore the recommendations of Select Committees, so the DCMS response was disappointing, because so little was asked of it, but not unexpected. The response of the Information Commissioner’s Office was more disappointing, but the Commissioner was newly appointed and a report that went off at a tangent from the accepted wisdom of the Article 29 Working Party and the forthcoming General Data Protection Regulation was clearly unwelcome.

When I blogged on the report and its implications for business I said that my own elevator pitch to the Board of any major organization would begin:

  • have clear chains of responsibility for security processes, training, reporting and incident management and ensure they are practised and updated at least annually.
  • use staff and customer education programmes to reduce the damage when breaches occur and report the results to the board and outside world.
  • report who audits your systems, to what standards, whether you have an incident management plan and when it was last exercised, to the board, your customers, your suppliers and the outside world.
  • check the processes of current and potential subcontractors: because you will be held liable and may not be able to get whoever sold your information jailed, especially if they are off-shore.
  • prepare for when losses from impersonation replace whiplash and PPI as the target income stream for ambulance-chasing lawyers, so that you can rapidly sort the genuine claims from the rest.

Conclusion: the GDPR will make a bad situation worse by diverting resources and getting in the way of effective action to protect potential victims and to obtain redress from those who aid and abet predators.

Instead we should use the opportunity of Brexit to encourage class actions using civil law to help victims obtain redress from those who aided and abetted the attackers by design or by neglect (whether Software Providers, ISPs, Telcos, Domain Name Registrars or local management and their outsourcing providers). The threat of civil action is likely to be far more effective than that of regulatory action in transforming attitudes among the Internet community towards their responsibilities for helping identify and “remove” on-line miscreants and predators.

At this point you can see, however, why Governments and Regulators find it so difficult to act. They will be taking on big commercial beasts who have grown rich from the current situation. The situation is akin to that when Ralph Nader took on the American automobile manufacturers. Even most of the “less challenging” recommendations from the ground-breaking EURIM – IPPR study into Partnership Policing for the Information Society remain unimplemented.

Meanwhile lawyers, looking for the low-hanging fruit of compliance consultancy for the gullible, have exaggerated the impact of not implementing the GDPR. Over 99% of UK organisations, including over 99% of those registered for VAT, do not trade with the EU. Moreover, progress with creating a genuine Digital Single Market has been so sclerotic that it remains easier to route many transactions with other EU member states via New England than under “harmonised” (as in “same words, different interpretations”) intra-EU directives and regulations.

Most organisations and their customers would be more competitive and secure if, instead, we could move to a Brexit deal under which those who trade with the EU or process/hold data on EU citizens/residents can comply, while those who do not can follow best global security practice.

Agree with the article: core financial services systems and certain customer channel systems are mainframe-centric due to their high transaction processing volumes. Also, with the IFL on the mainframes, you can further leverage this platform for other transactional processing purposes. Leveraging the mainframe for SOA server and writing web portals to replace the green screens.
Mainframe has been a big hit in serving business needs at a given point in time, but I think, looking at today’s technology stack and business needs, we should move out from mainframe as soon as possible. There are many reasons to look for change, i.e. cost benefit, as mainframe is very expensive. We can have the same amount of work done at lower cost, especially on the distributed side. I can foresee one more thing: mainframe courses have been dropped from many universities’ syllabi, which may lead to an issue in future.
We look at the same advantages: security, low maintenance cost.
Mainframe is still alive.
Banking is in the world of sub-500 microsecond response time. Open Systems CAN NOT do it, ...and never will. 2015 will be sub-100 microsecond. BIGDATA is BIG-Response-Time. Nothing to be very proud of.
Reliability, high performance, cost-effectiveness, security....and....oh yes, virtualization...a concept that the IT industry is re-discovering? Come on guys, virtualization has been used in mainframes since the 70s. I want to say something in all seriousness: I feel sorry for you people who are not aware of how powerful, convenient and up to date the mainframe is, because when you are dealing with all those distributed-based issues, that’s all you’re gonna see in your IT career.
This marvellously thought-provoking article has seven comments from 2012 appended to it – have you been hacked by the past, Philip?