Ransomware plague exposes irrelevance of GDPR

The vulnerability of parts of the United Kingdom’s National Health Service to a piece of not-very-sophisticated ransomware was, in no small part, a consequence of the current obsession with protecting data privacy at the expense of data availability and data accuracy.

Data availability and integrity are more important than privacy

Few patients die because their privacy has been breached. Several dozen may die because tests and treatment have not been carried out over the past week. But that is many times fewer than the number who die annually because errors in their records lead to erroneous dosage or mistreatment. Also, it is not just criminal behaviour that brings systems down. Both RBS and British Airways have had their ATMs and booking systems off air for days after closing down their in-house IT teams and moving the work to India to cut costs. Time lags in communication along sub-contracting chains led to minor problems escalating and clashing with overnight updating.

Meanwhile, communications networks go off air because of power outages, cable breaks or bad weather with monotonous regularity. Reliance on cloud-based systems without multi-sourced communications and local back-up is hazardous. One of the lessons from the events of the weekend was the need for defence in depth. The top priority for any security policy is availability and resilience, not “just” privacy. If the incumbent (BT in the UK) is the main supplier, the other suppliers should not share single points of failure with it.

Robust data governance, including the use of encryption, is about authentication and integrity, not just privacy.

Last year I argued that Brexit should include a more effective partnership with the rest of Europe to unravel the global politics of privacy, security and choice. I quoted from Gordon Corera’s book “Intercept” on how the order of importance of the properties of robust encryption was understood in the 1960s. The same order applies to medicine and banking today.

1st Attribution – only the President can order a Nuclear Strike: you have to know it is him

You need to know who (or what) recorded the data so that you can decide on its reliability.

2nd Integrity – lest the text become corrupted and the missiles have the wrong target

Lest the text become corrupt and the patient get the wrong medicine or the payment go astray.

3rd Non-repudiation – you cannot allow the President to say it was not him

You cannot allow the clinician or customer to say it was not them.

4th Infinity/Availability – however many times you run the system it must give the same result

Clinicians and customers must be able to trust the system.

5th Secrecy – to provide reasonable confidence it will not be read by those not authorised to do so, bearing in mind the ways of getting at the text before it has been coded and after it has been decoded

It must also be easier to do things securely than insecurely, so as to remove the need to bypass security and/or give your keys to your colleagues or children, thus negating the 1st objective. In this context we need to recognise that organised criminals already have access to the information necessary to impersonate most of us. Over half of all UK 65-year-olds, for example, have already been targeted using data acquired from information on public record (e.g. Companies House and shareholder registers), melded with that acquired from chugger clearing houses and adtech analytics, to identify whether their savings are likely to be worth looting and, if so, the most effective means of doing so.
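To make the ordering concrete, here is an added example (not from the original post or from Corera’s book) using a constructed prescription record: encryption alone gives secrecy (5th) but does nothing for integrity (2nd), so a corrupted byte decrypts to a plausible record with the wrong dose; a keyed tag held by the recording clinician supplies integrity and attribution (1st), provided the key is not shared. The stream cipher is a deliberately simple stand-in, not a recommended construction.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (constructed for illustration only): XOR the data with
    SHA-256(key || nonce || block counter). Encryption and decryption are the same
    operation, and like any unauthenticated stream cipher it is malleable."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def corrupt_byte(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Simulate a storage or transmission fault that flips bits in one stored byte."""
    ct = bytearray(ciphertext)
    ct[offset] ^= mask
    return bytes(ct)

def record_tag(auth_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity + attribution: only the holder of auth_key (the recording
    clinician) can produce this tag. Because the verifier also holds the key,
    it does not give non-repudiation (3rd); that would need a digital signature."""
    return hmac.new(auth_key, nonce + ciphertext, hashlib.sha256).digest()

def verify_and_decrypt(enc_key, auth_key, nonce, ciphertext, tag):
    """Reject anything whose tag does not match before trusting its contents."""
    if not hmac.compare_digest(record_tag(auth_key, nonce, ciphertext), tag):
        return None
    return keystream_xor(enc_key, nonce, ciphertext)

def demo():
    record = b"patient=0042;drug=warfarin;dose_mg=5"   # constructed sample record
    enc_key, auth_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    ct = keystream_xor(enc_key, nonce, record)
    tag = record_tag(auth_key, nonce, ct)
    # Fault in the stored ciphertext at the dose digit: '5' (0x35) ^ 0x0D -> '8' (0x38).
    offset = record.index(b"dose_mg=") + len(b"dose_mg=")
    damaged = corrupt_byte(ct, offset, 0x35 ^ 0x38)
    secrecy_only = keystream_xor(enc_key, nonce, damaged)      # decrypts "cleanly" to 8 mg
    with_integrity = verify_and_decrypt(enc_key, auth_key, nonce, damaged, tag)  # None
    intact = verify_and_decrypt(enc_key, auth_key, nonce, ct, tag)               # original
    return secrecy_only, with_integrity, intact

if __name__ == "__main__":
    print(demo())
```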

Data breach notification is a menace which benefits only criminals

One of the “lessons” from the TalkTalk incident was that a data breach notification “merely” provides the increasingly integrated operations of phishermen, vishermen and courier fraudsters with topical material for their scripts. Given that it takes an organisation an average of 205 days to know that it has had an actual breach, as opposed to an attack which may or may not have succeeded, notification is of no practical value in improving security or protecting victims.

In consequence, the most important single recommendation in the Culture, Media and Sport Select Committee’s report on cybersecurity was probably:

“All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms.” (Para 14)

The members of the committee had little faith in the ability of law enforcement to provide redress for those of their constituents who had been successfully defrauded. Instead they recommended that:

“it should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process.” (Para 25)

They also felt that the most effective way of bringing about the changes in corporate behaviour would be to have companies reporting what they were doing in a common, comparable format:

“Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:

  • Staff cyber awareness training;
  • When their security processes were last audited, by whom and to what standard(s);
  • Whether they have an incident management plan in place and when it was last tested;
  • What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
  • The number of enquiries they process from customers to verify authenticity of communications;
  • The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).

Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place.” (Para 38)

Governments traditionally ignore the recommendations of Select Committees, so the DCMS response was disappointing, because so little was asked of it, but not unexpected. The response of the Information Commissioner’s Office was more disappointing, but the Commissioner was newly appointed, and a report that went off at a tangent from the accepted wisdom of the Article 29 Working Group and the forthcoming General Data Protection Regulation was clearly unwelcome.

When I blogged on the report and its implications for business I said that my own elevator pitch to the Board of any major organization would begin:

  • have clear chains of responsibility for security processes, training, reporting and incident management, and ensure they are practised and updated at least annually.
  • use staff and customer education programmes to reduce the damage when breaches occur, and report the results to the board and the outside world.
  • report who audits your systems, to what standards, whether you have an incident management plan and when it was last exercised, to the board, your customers, your suppliers and the outside world.
  • check the processes of current and potential subcontractors, because you will be held liable and may not be able to get whoever sold your information jailed, especially if they are off-shore.
  • prepare for when losses from impersonation replace whiplash and PPI as the target income stream for ambulance-chasing lawyers, so that you can rapidly sort the genuine claims from the rest.

Conclusion: the GDPR will make a bad situation worse by diverting resources and getting in the way of effective action to protect potential victims and to obtain redress from those who aid and abet predators.

Instead we should use the opportunity of Brexit to encourage class actions using civil law to help victims obtain redress from those who aided and abetted the attackers by design or by neglect (whether Software Providers, ISPs, Telcos, Domain Name Registrars or local management and their outsourcing providers). The threat of civil action is likely to be far more effective than that of regulatory action in transforming attitudes among the Internet community towards their responsibilities for helping identify and “remove” on-line miscreants and predators.

At this point you can see, however, why Governments and Regulators find it so difficult to act. They will be taking on big commercial beasts who have grown rich from the current situation. The situation is akin to that when Ralph Nader took on the American automobile manufacturers. Even most of the “less challenging” recommendations from the ground-breaking EURIM – IPPR study into Partnership Policing for the Information Society remain unimplemented.

Meanwhile lawyers, looking for the low-hanging fruit of compliance consultancy for the gullible, have exaggerated the impact of not implementing the GDPR. Over 99% of UK organisations, including over 99% of those registered for VAT, do not trade with the EU. Moreover, progress with creating a genuine Digital Single Market has been so sclerotic that it remains easier to route many transactions with other EU member states via New England than under “harmonised” (as in “same words, different interpretations”) intra-EU directives and regulations.

Most organisations and their customers would be more competitive and secure if, instead, we could move to a Brexit deal under which those who trade with the EU or process/hold data on EU citizens/residents can comply, while those who do not can follow best global security practice.