Welcome to latest edition of Cyber_Bytes, our regular round up of key developments in cyber, tech and evolving risks.
The Government sets out a new legislative agenda with important implications for the UK tech sector
The UK Government has recently presented an updated legislative agenda, including new Bills for the technology sector, in the Queen’s Speech.
Among the Bills that will be included in the new session of Parliament, those that are relevant to the technology sector included a Data Reform Bill, an Electronic Trade Documents Bill and a Bill to boost competition in digital markets, the Digital Markets, Competition and Consumer Bill.
It is said that the UK General Data Protection Regulation and Data Protection Act 2018 are highly complex and prescriptive pieces of legislation. They encourage excessive paperwork and create burdens on businesses with little benefit to citizens. The UK Government states that the purpose of the Data Reform Bill is to create a data rights regime which will reduce burdens on businesses, such as reducing the number of reports that data controllers are required to make to the Information Commissioners Office (ICO) under the GDPR. It also aims to boost the economy and facilitate scientific innovation. There will be a move to modernise the ICO, ensuring that it has enhanced power to take stronger action against organisations who breach data rules. It will be interesting to see whether these changes to data protection legislation in the UK will have an impact on the European Commission’s adequacy decision that is ruled in favour of the current regime.
The Electronic Trades Documents Bill will place electronic trade documents on the same legal footing as paper documents, increasing efficiency and raising the security of trade by utilising the transparency and traceability benefits which electronic documents offer. This will be largely achieved by removing the traditional legal obstacles to the use of trade documents in digital form and allowing the adoption of new digital solutions which bypass the need for paper and wet ink signatures.
Click here to read full speech on the UK Government website and click here to read a summary from the TechUK website.
Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion
It has recently been announced, following assessment by the National Cyber Security Centre (NCSC), that Russia has been responsible for a series of cyber-attacks during the invasion of Ukraine, with the most recent attack being on Ukrainian communications company, Viasat.
On 24 February 2022, a cyber-attack against the company began around 1 hour before the Ukraine invasion was launched, with the primary target believed to be the Ukrainian military. The effect of this has spread across central Europe, causing disruption to wind farms and internet users.
Prior to this, the NCSC has stated that the Russian Military Intelligence was almost certainly behind various defacements of Ukrainian government websites back in January, as well as the deployment of Whispergate destructive malware.
This announcement comes as cyber security leaders gather at the NCSC’s cyber conference to discuss various global cyber threats. The UK has already sanctioned the GRU following their actions in Salisbury and has taken steps to freeze around £1.1 trillion in funds and assets from oligarchs who are connected to the Putin regime.
Click here to read the UK Government press release.
ICO fines facial recognition database company Clearview AI Inc more than £7.5m and orders UK data to be deleted
The ICO has fined Clearview in excess of £7 million for collecting more than 20 billion images of people from the internet and social media and using these to build a global online facial recognition database.
Services provided by the company include allowing customers to upload an image to an app which is then checked for a match against all the images in the database. The affected individuals were not informed that their images were being used in this manner. Clearview no longer offers its services to UK organisations but still has customers in other countries, meaning that it is still using the personal data of UK residents.
The ICO found that Clearview had violated UK data protection laws by:
- failing to use the information of people in the UK in a way that is fair and transparent;
- failing to have a lawful reason for collecting people’s information;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to meet relevant data protection standards;
- asking for additional personal information, including photos, when asked by members of the public if they are on their database, potentially acting as a disincentive to individuals who wish to object to their data being collected and used.
The ICO also issued an enforcement notice which ordered Clearview to refrain from using the personal data of UK residents that is publicly available on the web and to erase any existing data from its systems.
Click here to read the ICO’s article.
DCMS publishes new research on cyber security issues in use of internet-connected devices by businesses
The Department for Digital, Culture, Media & Sport (DCMS) has published research on cybersecurity in internet-connected devices used by businesses and organisations, with this forming part of the NCSC’s £2.6 billion strategy to protect and promote the UK online.
The DCMS has released two publications on cyber security issues in internet-connected devices used by businesses: “Literature Review on Connected Devices within Enterprise Networks” (here), as well as “Enterprise Connected Devices: Procurement, Usage and Management Among UK Businesses” (here).
These publications have revealed that, despite significant concerns from IT professionals about device security, enterprise connected devices are being deployed and relied on by a large number of organisations. A large volume of connected device deployments are unsanctioned. This is particularly noteworthy when considered alongside the fact that businesses reported a broad range of connected devices used within organisational networks, with numbers ranging from 6,000 to 50,000 devices.
The scale of the risk faced by business is amplified by the vulnerabilities which are found regularly in enterprise connected devices, with organisations lacking clarity on how to protect themselves against these exposures. Potentially vulnerable devices can provide a route for hostile actors to attack enterprise systems.
The DCMS also published research from the NCSC on the threat of enterprise connected devices (here). The NCSC has published industry principles that manufactures can use to identify which security mitigations should be included in their products.
Click here to see the DCMS press release.
NCSC significantly expands services to protect UK from record number of online scams
The NCSC’s Active Cyber Defence Programme (ACD) has successfully removed a record number of online scams from the internet last year. This rise is reflective of the expansion of the NCSC’s services to take down malicious online content, rather than an increase in scams overall.
The most common scams included fake celebrity endorsement scams and bogus extortion emails, as well as NHS vaccines and vaccine passports. The NCSC removed in excess of 1,400 NHS-themed phishing campaigns last year, an 11-fold increase on 2020.
Other key highlights from the fifth year of ACD’s operations include:
- More than 1.2 million domains linked with the Android malware Flubot (a malicious app) were blocked – this malware was distributed to the public posing as ‘missed delivery’ messages;
- 33 million events were flagged on the networks of several organisations as part of the NCSC’s Early Warning service, indicating something potentially malicious or vulnerable was on their systems;
- 10,000 users around the world have used the Exercise in a Box toolkit – a service which helps organisations practise their response to a cyber incident.
Click here to read the NCSC press release.