Symantec helps the House of Lords tackle cyber warfare

Yesterday the House of Lords released its report examining how to protect Europe against large-scale cyber-attacks. The publication of the report follows a committee meeting on the topic last year in which Symantec’s Director of Government Relations EMEA & APJ, Ilias Chantzos, was one of two cyber security experts invited to give evidence.
The report’s findings have been welcomed by Symantec, in particular the recommendation for an EU-wide approach to address cyber-related issues that don’t just affect the UK. Ensuring that industry and government collaborate to address these issues will be crucial to the success of such an initiative.
Commenting on the need for public and private cooperation to tackle cyber warfare, Ilias Chantzos said, “One of the biggest problems with supposed acts of cyber warfare is where and when to use the term. It is very difficult to determine the origin of an internet-based attack, and almost impossible to pinpoint either the identity or motivation of its perpetrators: whether they’re a criminal, an activist or a government agent.
“For security agencies, following the trail of evidence left by alleged cyber warfare operations is made doubly complex by the fact that this evidence typically crosses international jurisdictions. Tackling this requires international co-operation, but the current levels of co-operation between nation states are often not able to police cybercrime, much less track covert activities.”
“Another problem is that government no longer controls most of the critical infrastructure; much of it is under the control of the private sector. It is in the interest of industry and government to better cooperate to tackle these issues.”
The full recommendations from the House of Lords report can be viewed here.
Dominic Cook
The ICO Gets Some Teeth?

Up until now, the ICO has only really been able to levy a slap on the wrist and a “must do better” to those who lose people’s data. This looks to change next year, with the ability to fine the company £500,000 – which is no small chunk of change. However… is this really enough? The maximum was set to be less than 10% of a small company’s turnover – but if this is the maximum, then surely the value set for a breach can be less? So, why not set it either a lot higher, or as a percentage of revenue?
If we really want to stop data breaches, then the fines need to be such that attitudes towards data security actually change – before the breach occurs, not afterwards. Without this, the ICO’s teeth are not that scary.
The other interesting point here is that the fine can also be levied on those companies who keep the information longer than they should, accidentally delete it, or store it outside the EU (where the data protection legislation is not suitably strong).
So… time to revisit that data protection policy, especially if you are looking towards cloud services to deliver your next level of IT.
Guy Bunker
Lost Data – Pay Compensation?!?!

It was on the news today that a memory stick was lost with the details of 130,000 criminals. OK, so we should be used to this by now – the twist in this story was the thought of compensation. What? Firstly, the information has been lost – not compromised (i.e. used), at least it hasn’t been yet. Secondly, what about the 25m whose details were compromised in one go last year? Or the other 4m since then? What about them? What about the 45m TJX customers, or the ones from the other high-profile cases – where the data was maliciously stolen (and in some cases used for fraud)? The answer is that there is already a process in place for dealing with them. Legislation such as the data breach notification laws (disclosure laws) begins to define what is required – and it’s not to pay out random sums of money. Notification, measures to check credit ratings for 12–24 months and additional customer support all help – and it’s not cheap for the company. I’m not condoning data loss, far from it, there should be no excuse – but let’s not go over the top here.
We don’t want to move to an even more ridiculously litigious society (there was a story of someone delivering letters slipping over on a drive and suing the owners). With data loss there does need to be some compensation if the data is used (but this tends to come from the banks / credit card companies at present – by default); there is also the need to check credit ratings – to watch whether the information is used. But we don’t want to pay out – just for the heck of it.
This also brings up another couple of interesting points… In the US people regularly receive disclosure notices for lost data, but if your data is actually used, whose fault is it? Was it one from last week, or one from last year – or was it one that hasn’t been disclosed yet – because the company doesn’t know they have been breached? Furthermore, the long-term effects of data loss are unknown at present – if the records of a child are compromised (name, address, NI number – the usual stuff), then at age 16 they can apply for a credit card, or rather a cyber-criminal could… of course, some would have moved by then and the incorrect data might be picked up… but it might not. What happens in this case – where fraudulent actions can take place more than a decade after the data loss occurred?
Perhaps it is time for banks and credit card companies to offer ‘free’ credit rating checks as part of their service – all the time? It’s also time for companies to stop thinking ‘it won’t happen to us’ and make the changes so they don’t become front-page news – and perhaps subject to a massive compensation claim.