High-level legal guru, Stewart Room, gave an excellent presentation at last week’s East-West Institute Global Cyber Security Summit. In it he called for a “general obligation for security”, saying:
“I believe that holders of sensitive data, the controllers of important networks, systems and infrastructures – and their supply chains – should face a clear legal requirement to keep these assets safe and secure. As well as describing the obligation, this general security law should describe the consequences of failure.”
He pointed out that:
“It is naive to think that all relevant actors will do what is necessary to protect these assets without a clear steer from the law. Ignorance, laziness, apathy, short sightedness and greed are all powerful counterweights to enlightened self interest.”
He also highlighted the dangers of simply addressing the problem through the prism of the protection of personal data only. Intellectual property is currently being leeched from corporate data systems all over the world – an issue repeatedly referred to at the Summit. Likewise the vulnerability of national infrastructure systems – including power grids and water supplies – is also now increasingly apparent.
He warned that:
“In the UK and most of the rest of Europe the law for security is effectively left to reside in the domain of privacy and data protection law. This is a grave mistake. … it gives the mistaken impression that the law only sees security as being important in the context of the handling of personal data. Of course, we all know that the substance of security extends much further than this. The impact of this problem is worsened by the fact that far too many people and organisations do not take data protection law seriously. Thus, the law is not properly driving behaviours.”
And there may be unintended consequences:
“This gives effective ownership of the field to people who are the least competent to manage it. I am talking about a small cadre of data protection regulators and bureaucrats, who are so slanted toward privacy that they may unwittingly encumber us with anti-security policies, which could jeopardise the health of cyberspace, our economies and our societies.”
He concluded by asking “what will a general obligation for security look like?”:
“Aside from removing the issue from the privacy and data protection domain and describing the nature of the obligation to secure assets and the penalties that may flow in breach, a general obligation for security will capture:
1. Critical definitions. We need to agree the parameters and make sure that we are all talking the same language.
2. The traditional “cyber crime” subject matter, dealing with the criminalisation and prosecution of unacceptable behaviours of hackers, botnets and others who attack information and information systems. The interests of law enforcement should be properly served.
3. The role of the private sector cyber security industry, so that innovation in IT solutions can continue. We are totally reliant upon the private sector for security solutions, so we must give it our full support.
4. Intelligence sharing between the public and private sectors and across geographical boundaries.
5. The need for identification measures for people and machines operating in cyberspace. Privacy should not provide a cloak for criminals and anti-social behaviour.
6. The right for people and organisations under cyberattack to take offensive action in their defence. This is probably the most controversial point. But we need to ask ourselves whether it is morally right to tie the hands of those under attack. And we need to be sure that we do not open Pandora’s box.”
Ideally this needs a solution in international law, but a good start would be made by legal changes in this country to establish a better and more robust framework, while British Ministers argue for Europe-wide changes via Brussels and press the case through the G8 and G20 fora.
There was a palpable sense of urgency about the need for change at last week’s summit. I hope it was felt by Francis Maude MP, who is apparently now the Minister in charge of cyber-security, and that he takes it back to his Government colleagues.