April 12, 2016 By FTI Consulting
From the Snowden Files and last week’s Panama Papers, to attacks on the dating website Ashley Madison and TalkTalk, the number of emerging threats and successful cyber-attacks has put nation states, governments, businesses and the public on notice like never before. As cyber-security comes to the forefront of international concern, how do governments, businesses and the public alike strike the right balance between security and privacy?
It began over a year ago, when an anonymous source contacted the German newspaper Süddeutsche Zeitung, offering encrypted internal documents from a Panamanian law firm. In the following months, the data leak grew in size – so much so that the 2.6 terabytes of data surpassed the combined total of all previous Wikileaks breaches.
A global team of 400 journalists from more than 100 media organizations in over 80 countries then set about analysing and researching the data – bringing us to the present, where 12 current and former heads of state, among others, have been named and shamed – with the Icelandic Prime Minister resigning, and the UK Prime Minister, David Cameron, under prolonged pressure over his tax arrangements.
The implications of this latest cyber security breach are far-reaching and should also provide a huge wake-up call for governments and companies of all sizes and sectors – akin to the wake-up call Edward Snowden provided back in 2013.
The issue of cyber security is crucial now and will only loom larger in the coming years, as more and more information becomes electronic, and the ability to collect it, store it and analyse it grows rapidly. Not a week passes without news of some cyber security breach, some more infamous than others. NHS patient data leaked, the Ministry of Defence’s vetting details of RAF officers leaked, police crime data leaked, TalkTalk, British Gas and Marks & Spencer customer details all leaked. Adultery websites are hacked. Communications between lawyers and their clients are hacked. Diplomatic cables between the US and its embassies leaked, reverberating around the world.
But public discussion of what the rules should be for cyber security and the accompanying state surveillance, how it should be controlled, and what the limits must be, has mostly been lacking, just as commercial ignorance has compounded the rise of cyber security threats. The threat landscape is as extensive as it is elusive, from leaks which will topple a Prime Minister to careless employees. But in an increasingly digital world, can the two – security and privacy – be balanced? And, frankly, should they be?
The natural starting point is to define what cybersecurity is – or at least how it is currently understood. This is surprisingly difficult. Cybersecurity encompasses a universe of different definitions, as the Global Cyber Definitions database (with 900 definitions and counting) demonstrates.
Broadly speaking, it is taken to mean the protection of digital information systems against attack, either by states or individuals.
The growth of the internet has been the biggest social and technological change in a generation. But our increasing dependence on cyberspace has brought new risks: risks that key data and systems on which you and I now rely can be compromised or damaged, in ways that are hard to detect or defend against. Cybersecurity is an issue that goes to the very essence of what the internet is. The internet was never, after all, designed to be secure – by design it is interoperable, borderless, and horizontal, qualities which seldom conduce to security. But it is these qualities which make it valuable and worth fighting for. If it is to stay that way, a debate about cyber security is one that can no longer afford to be avoided.
FTI Consulting research has highlighted the depth of the problem within the business community. Board ignorance of cyber security remains stark, while 39% of companies have experienced data theft and 79% of investors are unlikely to invest in companies that have historically suffered a material data breach or hack.
Cyber security is encroaching on every aspect of modern life like never before, particularly as the nascent ‘internet of things’ develops, but also as the digital economy increasingly underpins business. This is seen in businesses as diverse as driverless cars, as more and more cars start connecting to the internet, through to how ‘smart cities’ will be cyber secure.
A pivotal moment, though, came in January 2015 when, following the Sony cyber hack, the UK prime minister, David Cameron, met with the US president, Barack Obama, specifically to agree the sharing of intelligence and conducting of cyber security war games. With a global media spotlight on this event, cyber security suddenly rocketed upwards as a critical priority for governments and businesses and was propelled into the public eye from relative obscurity. The Sony cyber hack changed the way that attacks were viewed, from disrupting Sony’s ability to operate, through to threatening cinemas that showed the movie The Interview.
In the wake of devastating terrorist attacks in Paris and Brussels, security experts are increasingly discussing whether governments should have exceptional access to digital information and data in order to disrupt and intercept terrorists’ use of online communication to recruit members, raise funds and plan attacks.
The final grim text message and its digital footprint from one of the Paris attackers – “on est parti on commence” – helped security forces track down the attack’s mastermind. And, even before last month’s terrorist attacks, Belgium was planning to strengthen its data retention laws and give intelligence agencies and prosecutors broader powers.
In the UK, the Investigatory Powers Bill – or the ‘Snoopers Charter’ as it has successfully been labelled – has faced a tortuous route through Parliament. The Bill would represent not just an updating of surveillance, but a major peacetime extension of state power over individuals. Campaigners argue that such a Bill is likely to prove as much a threat to state security as to personal liberty.
But after these attacks, democratic societies can reasonably ask whether the right of security agencies to acquire and use such information should be near-absolute. As long as there is proper democratic oversight of those handling the information, citizens will have to give up some privacy to preserve the liberty and security that matter. In an open society, personal safety is best safeguarded by security services sharing information as seamlessly as do the terrorists.
Last January, an administrator at US health insurer Anthem noticed an unusually complex query running on its computer network. It looked like a colleague was responsible, but a quick check revealed that it was coming from somewhere else.
Minutes later, Anthem was in crisis mode. Investigators believe the hackers were from China and had been operating undetected inside the company’s network for months. They had gained access by tricking the employee into clicking on a phishing email that was disguised to look like an internal message.
Anthem’s breach sent a wave of panic through the international healthcare industry. It exposed patients’ most sensitive and valuable personal information, and revealed just how unprepared the health industry was for threats from increasingly sophisticated cyber criminals – and from nation states.
In the UK, there have been no reported hacks at the NHS, but it has been fined £1.3m by the Information Commissioner’s Office. The fines are mostly for startlingly sloppy behaviour: lost laptops, files left at a grocery shop and records abandoned at a bus stop, to name but a few.
Last week, more than 15,000 expectant parents had their data stolen after a computer hack at a leading childbirth charity. Their details, including email addresses, usernames and passwords, were accessed during a breach at the National Childbirth Trust. In the digital world this episode was a reminder that it isn’t only security and businesses that are at risk, but expectant parents and their as yet unborn children.
There will always be a need to strike an appropriate balance between ensuring citizens’ freedom, access to information and privacy while at the same time protecting them, state institutions and critical infrastructures.
Cyber security needs to be strengthened by making cross-border cooperation and information exchange more efficient and by significantly increasing cyber resilience. At the same time, the right to freedom of information and adequate privacy remains essential for global, as well as individual, security.
The UK, through its Cyber Security Strategy, has demonstrated its commitment to ensuring the implementation of freedom of information, not merely through declarations, but also through concrete actions.
Breaches in cyber security, with the Panama Papers but the latest episode, are not restricted by geographic boundaries and are targeted at everyone from governments and global corporations to individual citizens. The threats seen today are at an all-time high in terms of sophistication and volume and these variables will only increase as our lives become ever more digital.
There will always be a question about how to balance the competing principles of freedom and security, and how – in a democracy – to achieve widespread political consent for the way in which that balance is struck. High-profile examples of where cyber security has failed are driving it up the political and public consciousness, and with that will come the accompanying – and difficult – debate on how to strike the right balance between ever-enhanced security and privacy.