Are you out of breath from the breakneck pace of cyberattacks since the start of 2018? Throughout the world, nearly daily news reports have been filed detailing the results of incredibly effective cyberattacks ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape. This change hasn’t gone unnoticed with the regulators and now, depending on where your business operates, you have accrued even more work to demonstrate your diligence to these threats.
Among the numerous lessons drawn from this carnage is that cyberattacks have become an existential threat to many countries as the attacks, on financial services to power generation facilities, threaten the fidelity and integrity of numerous industrial segments. As a result, regulators throughout the world are stepping in to try and drive meaningful action where they believe it is required. Normally these early efforts are the harbingers of future legislation and give birth to standard approaches and forums to debate the efficacy in approaches.
Since 2014 there have been 10 noteworthy efforts:
- Effort#1: National Institute of Standards and Technology’s Cybersecurity Framework (U.S.)
- Effort#2: Office of the Superintendent of Financial Institutions (OSFI) Memorandum (Canada)
- Effort #3: Federal Financial Institution’s Examiner Council (FFIEC) Joint Statement on DDoS Cyber Attacks, Risk Mitigation and Additional Resources (U.S.)
- Effort #4: Securities & Exchange Commission Cyber Exams (U.S.)
- Effort #5: Office of the Comptroller of the Currency (OCC) Guidance (U.S.)
- Effort #6: National Credit Union Administration (NCUA) Risk Alert (U.S.)
- Effort #7: EU’s NIS Directive (EU)
- Effort #8: EU’s GDPR (EU)
- Effort #9: EU’s Regulation Against Geo-IP-based blocking of EU member countries or economies (EU)
- Effort #10: Growth of Country Specific Cybersecurity Laws such as Korean Cyber Laws (KOREA)
Each of these efforts has taken different approaches but seem to have similar ethos. Let’s explore each in a little more depth:
National Institute of Standards and Technology’s (NIST) Cybersecurity Framework
In response to a presidential directive, on Oct.22nd the U.S. National Institute of Standards and Technology (NIST) released the latest version of its cybersecurity framework which aims to better secure U.S. companies and government agencies. The new draft goes into significantly greater detail than the version released Aug. 28th, which laid out higher level principles of the framework, including items referred to as ‘pillars.’ The NIST laid out three central pillars to the framework which are designed to provide industry and government alike with common cybersecurity taxonomy, establish goals, intended targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders. The final framework was announced in February of 2014. Many thought this framework was viewed as the seed which would spawn numerous industrial requirements throughout the U.S.
Office of the Superintendent of Financial Institutions (OFSI) DDoS Memorandum
Earlier this year, large Canadian-based banks were hit by cyberattacks whereby one or more hackers used a brute force “denial-of-service” attack to disable some bank’s websites and mobile applications. Attacks such as these were reminiscent of Operation Ababil, which began in September 2012 and focused on attacking the websites of large U.S.-based banks. Those attacks were similar to the Canadian attacks and slowed down website operations and caused many bank sites to be inoperative for a significant portion of their customers. Mindful of this very real threat and the need to manage risk, on October 28, 2013, the Office of the Superintendent of Financial Institutions (OSFI) released a memorandum to federally-regulated Canadian financial institutions (FRFIs) discussing the measures that FRFIs should be taking to prevent, manage and remediate cyberattacks. The memorandum states that cybersecurity is growing in importance because: (i) FRFIs increasingly rely on technology; (ii) the financial sector is interconnected; and (iii) FRFIs play a critical role in our economy. As part of this memorandum, OSFI has required all FRFIs to conduct a self-assessment of the risks and take actions against those risks. OSFI also will be reviewing the fidelity of the assessment and the corresponding risk mitigation steps.
Back in 2005, the OSFI established the Canadian Cyber Incident Response Centre (CCIRC) with a mandate to collaborate with the private sector in responding to the threat of cyberattack.
Last year, however, a report from the country’s auditor general showed that the government had made only limited progress, with gaps in protection, especially at the CCIRC which at the time was only open during business hours, limiting its ability to provide timely information for stakeholders. OSFI suggests in its cybersecurity self-assessment that financial firms should work with the CCIRC, which had its hours extended.
FFIEC Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources (US)
The Federal Financial Institutions Examination Council (FFIEC) members are issuing statements to notify financial institutions of the risks associated with cyberattacks on Automated Teller Machine (ATM) and card authorization systems and the continued distributed denial-of-service (DDoS) attacks on public-facing websites. The statements describe steps the members could expect institutions to take to address these attacks and highlight resources institutions can use to help mitigate the risks posed by such attacks.
The members also expect financial institutions to address DDoS readiness as part of their ongoing information security and incident plans. More specifically, each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate.
Specifically, the FFIEC is guiding its members to do the following:
- Maintain an ongoing program to assess information security risks that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
- Monitor internet traffic to the institution’s website to detect attacks;
- Activate incident response plans and notify service providers, including internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
- Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
- Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly, and sharing the information can help institutions to identify and mitigate new threats and tactics; and
- Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
Securities and Exchange Commission Cyber Exams (U.S.)
The SEC announced inaugural exams of member companies along with a list of questions they will use.
If you are not aware, the SEC governs most of the financial services which do not fall under the FFIEC jurisdiction. So, all mutual funds, wealth management and hedge funds (among many others) are regulated NOT by FFIEC guidelines, but rather SEC guidelines. Unlike the FFIEC and their regulatory arms (OCC, FDIC, OTS, & NCUA), up to this point the SEC did conduct ad-hoc reviews, however routine security reviews were maintained.
Office of the Comptroller of the Currency Guidance (U.S.)
In December 2012, the Office of the Comptroller of the Currency (OCC) notified it’s member financial institutions that DDoS attacks are on the rise and that they expect their members to take steps to identify the risks associated with the attacks and to provide notification to the OCC and others if they are under attack. The guidance reads as follows:
“Recently, various sophisticated groups launched distributed denial of service (DDoS) attacks directed at national banks and federal savings associations (collectively, banks). Each of the groups had different objectives for conducting these attacks ranging from garnering public attention to diverting bank resources while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information. This alert provides a general description of the attacks, along with risk mitigation information and sources of related risk management guidance. The alert also reiterates the Office of the Comptroller of the Currency’s (OCC) expectations that banks should have risk management programs to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security, and other controls as appropriate in response to changing levels of risk.
The OCC expects banks that are victims of or adversely affected by a DDoS attack to report this information to law enforcement authorities and to notify their supervisory office. Additionally, banks should voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects critical information of the institution including customer account information, or damages, disables or otherwise affects critical systems of the bank.”
National Credit Union Administration Risk Alert (U.S.)
In February, 2013, the National Credit Union Administration (NCUA) issued a Risk Alert to member credit union institutions on “Mitigating Distributed Denial-of-Service Attacks.” The alert included the following verbiage:
“The increasing frequency of cyber-terror attacks on depository institutions heightens the need for credit unions to maintain strong information security protocols. Recent incidents have included distributed denial-of-service (DDoS) attacks, which cause internet-based service outages by overloading network bandwidth or system resources. DDoS attacks do not directly attempt to steal funds or sensitive personal information, but they may be coupled with such attempts to distract attention and/or disable alerting systems.”
Clearly the sense of urgency and ferocity of the attacks came through in the alert and provided for an understanding of the issues being broader than the availability of credit union systems.
No one can say for certain how all of this will play out, however given the increased frequency, directed attacks, and effectiveness of the techniques, we can safely assume that regulators and government legislators will take head from public calls-to-action and will continue to drive prescriptive steps for all relevant organizations to follow.
European Union Security of Network Information Systems (NIS) Directive 2016/ 2018
In July 2016, the European Parliament set into policy the Directive on Security of Network and Information Systems (the NIS Directive).
The directive went into effect in August 2016, and all member states of the European Union were given 21 months to incorporate the directive’s regulations into their own national laws. The aim of the NIS Directive is to create an overall higher level of cybersecurity in the EU. The directive significantly affects digital service providers (DSPs) and operators of essential services (OESs). Operators of essential services include any organizations whose operations would be greatly affected in the case of a security breach if they engage in critical societal or economic activities. Both DSPs and OES are now held accountable for reporting major security incidents to Computer Security Incident Response Teams (CSIRT). While DSPs are not held to as stringent regulations as operators of essential services, DSPs that are not set up in the EU but still operate in the EU still face regulations. Even if DSPs and OES outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents.
The member states of the EU are required to create a NIS directive strategy, which includes the CSIRTs, in addition to National Competent Authorities (NCAs) and Single Points of Contact (SPOCs). Such resources are given the responsibility of handling cybersecurity breaches in a way that minimizes impact. In addition, all member states of the EU are encouraged to share cyber security information.
Security requirements include technical measures that manage the risks of cybersecurity breaches in a preventative manner. Both DSP and OES must provide information that allows for an in-depth assessment of their information systems and security policies. All significant incidents must be notified to the CSIRTs. Significant cybersecurity incidents are determined by the number of users affected by the security breach as well as the longevity of the incident and the geographical reach of the incident.
European Union General Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR aims to bring a single standard for data protection among all member states in the EU. Changes include the redefining of geographical borders. It applies to entities that operate in the EU or deal with the data of any resident of the EU. Regardless of where the data is processed, if an EU citizen’s data is being processed, the entity is now subject to the GDPR.
Fines are also much more stringent under the GDPR and can total €20 million euros or 4% of an entity’s annual turnover, whichever is higher. In addition, like in previous regulations, all data breaches that effect the rights and freedoms of individuals residing in the EU must be disclosed within 72 hours.
The overarching board, the EU Data Protection Board, EDP, is in charge of all oversight set by the GDPR.
Consent plays a major role in the GDPR. Companies that hold data in regards to EU citizens must now also offer to them the right to back out of sharing data just as easily as when they consented to sharing data.
In addition, citizens can also restrict processing of the data stored on them and can choose to allow companies to store their data but not process it, which creates a clear differentiation. Unlike previous regulations, the GDPR also restricts the transfer of a citizen’s data outside of the EU or to a third party without a citizen’s prior consent.
What Does It Mean for Online Business and Cloud Service Providers?
For online businesses and cloud service providers, GDPR compliance means adherence to the principles of “Privacy by Design” and “Data Protection by Design” during the design, development, implementation and deployment of web applications or services and any components or services associated with them. With the rapid adoption of cloud services, there is a heightened concern with regard to the readiness of these applications and services. A recent study conducted by Symantec/Bluecoat shows that 98% of today’s cloud applications do not even come close to being GDPR-ready.
WAF, DDoS and the GDPR
Based on recital 39 of the GDPR, personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to or use of personal data and the equipment used for the processing. Recital 49 goes further by requiring the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems. The recital literally says “This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.” This would include brute force login attempts and automated mitigation techniques outlined in the OWASP Top 10 requirement for PCI compliance.
Most businesses will face the urgent need for increasing protection on published applications and services on all topics and purposes of data leak prevention, access control, web-based attack prevention and denial of service prevention. Leading providers of cloud and on-premise web application and API protection services as well as on-demand, always-on cloud and hybrid denial of service mitigation services do provide an adequate solution for this acute need. A fully managed WAF and DDoS Cloud service provides a fast route to check off one of the regulatory compliance boxes and a worry-free GDPR compliance strategy.
European Union Ban on Geo-IP Blocking of Member States 2018
In February 2018, The European Council adopted a regulation to ban unjustified geo-blocking in the internal market. The European Council has emphasized repeatedly the importance of the digital single market strategy and called for the speeding up of the implementation of the strategy, which includes the removal of remaining barriers to the free circulation of goods and services sold online and for tackling unjustified discrimination on the grounds of geographic location.
EU declared geo-blocking as a discriminatory practice that prevents online customers from accessing and purchasing products or services from a website based in another member state.
The new law will remove barriers to e-commerce by avoiding discrimination based on customers’ nationality, place of residence or place of establishment.
The end of geo-blocking of internet addresses of EU countries will significantly disrupt many mainline cyber defense strategies of many companies and countries. Moreover, this new complication is not well understood and alternatives are not always easy to implement.
The EU regulation goes into full effect in December 2018.
Payment transactions whereby:
Unjustified discrimination of customers in relation to payment methods will be forbidden. Therefore, traders will not be allowed to apply different payment conditions for customers for reasons of nationality, place of residence or place of establishment.
Non-discrimination for e-commerce website access whereby:
Traders will not be allowed to block or limit customers’ access to their online interface for reasons of nationality or place of residence. A clear explanation will have to be provided if a trader blocks or limits access or redirects customers to a different version of the online interface.
On the positive side, the EU believes that the end of geo-blocking will mean wider choice and consequently better deals for consumers and more opportunities for businesses.
Growth of Country-Specific Cybersecurity Regulations such as Korean Cyber Laws
In Korea, there are various laws, regulations and guidelines that promote cybersecurity: two general laws (the Network Act and the Personal Information Protection Act (PIPA)) and other laws targeting specific areas, as discussed below.
The Act on the Promotion of IT Network Use and Information Protection (the Network Act) plays an important part in promoting cybersecurity in terms of protecting personal information and enhancing data security in the context of IT networks. The Network Act also prohibits any unauthorized access to a network system by means of a transfer or distribution of a program that may damage, destroy, alter or corrupt the network system, or its data or programs. Under the Network Act it is prohibited to cause disruption of a ICN by intentionally disturbing network operations with large volumes of signal / data or superfluous requests. Any violation shall be subject to imprisonment of not more than five years or a penalty of not more than KRW 50 Million.
There are additional targeted statutes, such as the Electronic Financial Transactions Act (EFTA), which includes provisions prohibiting electronic intrusion into the network systems of financial companies, and data protection is mandated for financial companies in the Regulation on Supervision of Electronic Financial Activities (the RSEFA), which is an administrative regulation subordinate to the EFTA. Under the EFTA, any attacks on financial systems using programs such as viruses, logic or email bombs, with the intention of destroying or disrupting financial systems shall be subject to imprisonment of not more than 10 years or a penalty of not more than KRW 100 Million.
In contrast with the laws mentioned above, which are more focused on the protection of data, the Protection of Information and Communications Infrastructure Act (PICIA) is more engaged with the protection of information and communications infrastructure against ‘electronic intrusion’, which is defined as an act of attacking information and communications infrastructure by hacking, computer viruses, logic bombs, email bombs, denial of service, high-power electromagnetic waves and other means.