BreachExchange mailing list archives

Greater urgency needed in fight against cybercrime


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 Nov 2013 00:07:28 -0700

http://www.irishtimes.com/news/crime-and-law/greater-urgency-needed-in-fight-against-cybercrime-1.1588522

The Edward Snowden affair has drawn worldwide attention to information
security and protection of personal data online. While the information and
communication technology of the digital age has transformed our lives for
the better and remains vital to economic growth and our future prosperity,
the security of that technology is of fundamental importance to the
individual, to businesses and to the State.

Intellectual property theft, data breaches and other kinds of cybercrime
are becoming increasingly commonplace and now pose a very real threat to
all sections of society. Only this week, it was reported that the credit
and debit card details of up to 43,000 people may have been compromised by
a large-scale cyber attack on an Irish company processing holiday bookings.

The Snowden revelations have highlighted that data is the new gold, and
that urgent action is required to ensure it is adequately protected.

There is increasing awareness of the enormous cost of failing to protect
ICT systems from attack and misuse for either terrorist or criminal
purposes. Ireland’s position as a hub in the global digital economy and
dependence on foreign direct investment in the ICT, pharmaceutical and
financial sectors mean that it needs to be at the forefront in ensuring
its critical infrastructure is secure.

Both Ireland and the European Union face the challenge of keeping
legislation apace with rapidly-evolving threats. The European Commission
put forward a major new package of reform during Ireland’s EU Presidency.
The new EU Cybersecurity Strategy, published in February 2013, underlines
that cybercriminals are using ever more sophisticated methods for intruding
into information systems, stealing critical data and holding companies to
ransom. It calls for a more united approach to ensuring an open, safe and
secure cyberspace in Europe.

The Commission has also put forward a new directive on measures to ensure a
high common level of network and information security across the EU. The
new legislation aims to address disparities between individual member
states’ readiness to combat cyber attacks and to encourage better sharing
of information between businesses, operators of critical infrastructure and
governments on security incidents. The current lack of information-sharing,
the Commission claims, is aiding criminals, compromising vital services and
generating substantial financial losses for the EU economy.

New obligations

The directive would mean that Ireland and other EU members would have to
put in place structures to deal with the protection of network and
information systems, and that businesses would face new obligations to
report security breaches to those national authorities. It also sets out
the respective roles for the new European Cybercrime Centre, set up in
January 2013, and the European Network and Information Security Agency
(ENISA).

The EU’s proposed legislation faces intensive debate in the coming months,
but there is little question that urgent action is required at European
level. The Snowden revelations and unauthorised surveillance and collection
of European citizens’ data have given fresh impetus to moves to better
protect individuals and their personal information in the online world.

Closer to home, Ireland also faces the challenge of keeping up with new
kinds of cybercrime in its domestic legislation. Ireland has signed but not
ratified the 2001 Council of Europe Convention on cyber-crime (known as
the Budapest Convention), which provides a model for cooperation in
combating cybercrime.

While Section 5 of the Criminal Damage Act 1991 and Section 9 of the
Criminal Justice (Theft and Fraud Offences) Act 2001 prohibit unauthorised
use of a computer with intent to access data or for personal gain
respectively, these Acts require constant updating if they are to capture
the ever-evolving range of cybercrimes.

The Data Protection Acts 1988 and 2003 are designed to regulate access,
collection and use of personal data and require appropriate security
measures be taken to prevent unauthorised use of such data. Given the rapid
development of social media, mobile technology and digital communications
in the last decade, the challenge of meeting new security and privacy
demands is clear.

These challenges will be explored in a major Cybersecurity Conference
organised by the Institute of International and European Affairs (IIEA),
which will take place this Friday at Dublin’s Mansion House. Speakers
include President Obama’s Cybersecurity Coordinator, representatives from
the European Cybercrime Centre and other EU agencies, security officers
from major financial institutions, and the NATO Assistant Secretary General
for Emerging Security Challenges. A key focus of the Conference will be the
need for greater cooperation between the private sector and state bodies in
addressing cybersecurity challenges.