Lessons from US cyber-law

The threat to organisations through hacking is severe, and in the US legal measures have been put in to address this threat. Is it time the law in the UK is brought into line, asks Philip Hunter.

In the battle against hackers, businesses face one major difficulty - getting to know the enemy. Information on the number of attacks, the methods used, the purpose and severity of attacks remains scant. Firms are reluctant to reveal this kind of data because of the risk to their reputations, so any intelligence on hackers is, to some extent, guesswork.

But in some US states legal measures have been put in to address this problem, which raises the question over whether the UK could learn from this example.

Several US states, including California, now compel enterprises to report any security incident that may have compromised the privacy of confidential data they hold about customers or other individuals. The legislation also dictates certain aspects of the enterprise's information security policy, to ensure that adequate levels of protection for personal data are maintained.

In California, for example, organisations have to submit a formal plan for adding and deleting passwords for anyone authorised to access personal data on their networks in various categories defined in state legislation.

This goes much further than in the UK, where article 7 of the Data Protection Act 1998 requires organisations to implement adequate technical measures to protect against unauthorised access to confidential data, but does not define what those measures should be. Enterprises must determine what level of security they should have and how it should be implemented.

It is also up to organisations to decide whether to report security breaches that may have compromised confidential data, whether this is an external attack, or an internal system failure that exposes such information. Organisations are encouraged by the information commissioner (formerly called data protection registrar) to inform customers when such incidents have occurred.

"Disclosure is not mandatory but we advise companies coming to us to disclose full details to their customers," says Dave Clancy, strategic planning officer for the information commissioner's office. "Data controllers [responsible for information security within enterprises] are realising that when things go wrong, we are quite understanding, especially if they have been proactive at dealing with an incident. What makes customers angry is finding out six months later about an incident that the company holding their data did not report at the time."

In terms of overall business risk management therefore, enterprises are better off coming clean immediately, Clancy says.

Under review
However, many aspects of UK policy on computer crime and data protection are currently up for review, and policy makers are carefully monitoring the early experience of US states that have recently enacted legislation that does in effect dictate enterprise information security policy and overall approach to risk.

Computer Weekly has been leading an initiative, the Lock Down The Law campaign, urging the Government to review various aspects of IT legislation.

The campaign, backed by most of the UK's IT industry groups, urges the Government to review the Computer Misuse Act, which predates the popular use of the Internet, so that it can address hacking methods such as denial of service attacks, which at the moment are technically legal in the UK. It may also be an opportunity to review the way data is collected on hacking activity.

Several senior members of government agencies have stated that there is a need for a more co-ordinated approach to recording security incidents. Speaking at a recent seminar held in London by information security supplier Symantec, Stephen Cummings, director of the National Infrastructure Security Co-ordination Centre, suggested that a lack of information is still an impediment in the global battle against both cybercrime and terrorism. "We know much less about the capabilities for perpetrating electronic attack than conventional attack," he says.

Cummings does not suggest that legislation enforcing incident disclosure is imminent in the UK, and at present the strategy here remains to encourage enterprises to report incidents that do not have a bearing on data protection anonymously via one of the various forums established for the purpose.

"I think the way it is done is through forums such as Security Focus or Bug Track, through which breaches remain anonymous but are known to the rest of the world," says Richard Archdeacon, director of technical services for UK and Eire at Symantec.

Guaranteed anonymity
Similarly, the information commissioner has encouraged reporting of incidents that may have compromised personal data, by guaranteeing anonymity. However, this is slightly at odds with the advice that enterprises inform their customers when their data might have been compromised.

Customers are not bound to respect the understandable desire of their bank or insurance company to remain anonymous when a breach has occurred. Indeed some cases involving credit card theft have come to light after the banks concerned informed their customers.

The question though is whether to widen the scope of reporting requirements, and back them up by law. Most experts oppose any blanket ruling on incident disclosure, in the belief that it would be unworkable. "I think it would be almost impossible to police, except where there has been a definite breach of existing laws," says Cisco's UK technical director Peter Nicholls.

He agrees, though, that many enterprises need to put their houses in order to reduce the exposure of personal data, and adopt the kind of practices regarding identity and password management now required in California. "Many enterprises currently have separate islands of identification, with all their Windows NT logons in one place, and their e-mail logons somewhere else, for example. Then as soon as somebody leaves or if the security policy is changed, it is almost impossible to guarantee all the databases have been changed correctly," says Nicholls. The remedy is to implement a central security repository.

Another shortcoming, says Cummings, is a failure to keep protection measures totally up to date. "Organisations need to think continuously about how they protect against threats," he says.

According to Nicholls, there also has to be a change from a culture of point solutions such as firewalls, to a more holistic distributed approach involving continuous monitoring and hardware-based intrusion detection. But all this costs money, and a fundamental issue identified by the Department of Trade and Industry in a survey carried out in May 2002 is that organisations outside the financial and defence sectors are not spending anything like enough on information security. The survey found that many enterprises were spending less than 1% of their total IT budget on security.

Whether a large increase in IT security spending can be justified will depend on the extent of the threat. Unless businesses make a concerted effort to disclose information about hacking incidents, through legislation or voluntary means, businesses will not know how real the threat is until they are hit themselves, by which time it may be too late.
