Cyber_Bytes - Issue 47

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

Can hacking victims retain anonymity using a 'persons unknown' action in court?

A company working in 'security-sensitive and highly classified projects of national significance' has successfully withheld its identity when obtaining summary judgment against the unknown perpetrators of a $6.8m 'ransomware' attack. In XXX v Persons Unknown, Mr Justice Cavanagh agreed, in paragraph 29 of the judgment, that a derogation from open justice was needed to prevent the court itself becoming 'the instrument of harm'. National firm Weightmans LLP, who acted for the company identified as XXX, said the verdict shows the value of 'persons unknown' injunctions in managing the fallout from cyberattacks. Previous injunctions have required the victims to be named in open court. In making their judgement the Court had to balance the overarching and fundamental public interest in open justice with the risk that disclosure of the Claimant's identity and of details of the evidence, might facilitate the very injury that the proceedings were intended to restrain.

The judgment, which followed a private hearing, cited paragraph 36 of Various Claimants v The Independent Parliamentary Standards Authority [2021] EWHC 2020 (QB) noting that derogations from open justice can be justified as necessary on two grounds: maintenance of the administration of justice and harm to other legitimate interests. The judge found that the mere fact that a business would suffer negative consequences if a cyberattack becomes public knowledge would not automatically justify secrecy (paragraph 25). However, in this case, anonymity was justified by the nature of its work and the risk that, if its identity was known, 'third parties with malign intent' might locate the stolen information on the so-called 'Dark Web'. ' The company in question was a 'multi-discipline company'... whose clients 'require the utmost discretion, secrecy and protection from external threats'. Some of the company's data was also protected by the Official Secrets Act (paragraph 28).

Industry professionals regularly debate the value of an injunction in cases of cyberattacks. There’s always the risk that, by virtue of seeking the injunction in open court, businesses draw attention to the fact their IT systems have been breached or that data has been stolen and give others an indicator of where the data can be found. However, this judgment provides authority that in certain circumstances at least, the risk of publicity arising from the making of the injunction application itself could be possible to navigate.

Click here to read the full case on Bailii.

Client losses from cyber-attacks on law firms continue to fall

The Solicitors Regulation Authority (SRA) has revealed that client losses resulting from cyber-attacks on law firms have fallen to £700,000 in the first 10 months of this year. This compares to £10m in 2017, a figure that has dropped most years since. A panel discussion at an SRA compliance officer conference in Birmingham on 8 November 2022, revealed an 'improving picture', adding that it tended to be clients who were targeted by email
fraudsters, rather than their solicitors.

Ransomware was identified as the main form of cyber-attack against law firms and the conference speakers maintained the stance that firms should not pay up. Rachel Clements, a regulatory speaker at the conference mentioned, 'not only are you essentially paying a criminal… but it could expose you, your firm, and your clients to additional risks'. Research cited indicated that 80% of businesses that paid ransoms were targeted again, often by
same attacker.

The GDPR requires firms to implement 'appropriate measures' to restore data, but the ICO's legal director confirmed that paying a ransom does not constitute an appropriate measure. William Wright, a partner at Paragon International Insurance Brokers, noted that cyber-insurers expect to see a raft of controls in place before issuing a law firm with an insurance policy, ranging from encryption and email scanning to intrusion detection and patch management. He also emphasised the importance of multi-factor authentication as increasingly becoming a pre-requisite to obtaining insurance. Lastly, he flagged the need for segregated back-ups and staff training, given that “most cyber-attacks we see are
human related”.

Click here to read the Legal Futures article.

EU boosts action against cyber threats

On 10 November 2022, the European Commission and the High Representative put fforward a Joint Communication on an EU Cyber Defence policy and an Action Plan on Military Mobility. This is in a bid to address the deteriorating security environment following the unstable Russia and Ukraine conflict and to boost the EU's capacity to protect its citizens and infrastructure.

Recent cyber-attacks on energy networks, transport infrastructure and space assets show the risks that they pose to both civilian and military actors. The new EU Cyber Defence Policy aims to strengthen coordination between military and civilian cyber communities. The aim is to reduce dependence on critical cyber technology while enhancing efficient cyber crisis management across the EU. The four pillars making up the policy are: increased coordination between cyber defence players, standardisation and certification across the whole cyber defence ecosystem (including non-critical software), investment in cyber capabilities in a collaborative way and partnering to address common challenges.

The Commission and the High Representative, including in his capacity as Head of the European Defence Agency (EDA), will present an annual report to the Council of the EU to monitor. They will also assess the progress of implementing the actions in the Joint Communication on the EU Cyber Defence Policy. Member states are invited to provide contributions on the progress of implementation measures taking place in the national
context.

Click here to read the European Commission article.

Ex-NATO general classifies cyber defences as important as missile defences

Retired U.S. General Ben Hodges commanded U.S. Army forces in Europe from 2014 until 2017 and has long argued that civilian infrastructure is an essential pillar of military strategy. He has now added that cyber protection is just as important as missile defence systems to guard the German North Sea ports. He highlights that a cyber-attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send
military reinforcements to allies.

With Russia increasingly threatening attacks on quasi-civilian infrastructure as part of its ongoing conflict with Ukraine, Hodges has flagged Bremerhaven and Hamburg as the most important seaports on which the alliance depends, for both military equipment and commercial cargo. A 2017 cyber-attack (NotPetya) attributed to Russia, first targeted Ukraine but rapidly spread to suppliers with operations across eastern Europe. Outages in computer systems meant Danish shipping giant, Maersk, lost track of its freight.

In light of this, Hodges has reacted with anxiety to Berlin's decision to allow Chinese group COSCO Shipping Holdings Co. Ltd to buy a stake in a terminal in Hamburg, noting that the Chinese may now be able to influence and disrupt activities at critical transportation infrastructure. The Chinese foreign ministry has however, confirmed that 'cooperation between China and Germany is a matter for the two countries and third parties have no right to meddle and intervene'. The threat of nation sponsored attacks on critical infrastructure continues to be watched closely across all nations.

Click here to read the Reuters article.

Current trends in ransom payments

Ransomware attacks which were prevalent in 2020 and 2021, partly due to increased remote working, have now decreased. In its mid-year 2022 Cyber Threat Report, US security company SonicWall identified a 23 per cent drop in the number of ransomware attempts. It attributed this to several factors, including a 'downward' trend in the number of organisations willing to pay cyber criminals.

Cyber security group Coveware, confirmed that 85 per cent of ransomware cases they handled in 2019 ended in payment, however by Q1 of 2022, the proportion had fallen to 46 per cent. Many organisations are now finding ways to recover their data via backups or establishing that certain data is not critical. Other factors contributing to the decrease in ransomware payments, include the slump in the price of difficult-to-trace cryptocurrencies which were the preferred pay-out method of threat actors. Russia's invasion of Ukraine has also hit the sector, as many Russian threat actors have been disrupted by sanctions or have focused on conflict related attacks rather than ransomware on private organisations. UK and US governments firmly advise against ransom payments as it does not necessarily guarantee victims will get their data back but rather emboldens attackers by rewarding them.

The US states of North Carolina and Florida have now explicitly banned state and local government agencies from paying hackers and other states are exploring similar policies. Deciding to pay is often on a case-by-case basis, involving an exercise of weighing up the price tag of the ransom demand against the potential cost of not paying.

For example, organisations with confidential client data, can opt to pay to avoid potential reputational damage. In some cases, it makes more economic sense to pay the ransom than to recover the data or systems from backups. IBM's Cost of Data Breach Report showed that average costs for victims opting to pay ransoms were $630,000 lower than those who chose not to pay.

Due to the fear of threat actor links to Russia, many are opting not to pay on ethical grounds, and also from fear of violating sanctions. According to Sophos, only 4% of victims were able to retrieve all their data from hackers. Hackers could also sell or leak stolen data at points in the future, leaving no guarantees. Deciding to pay relies on an element of trust in threat actors to delete data, which there is no reliable evidence that they will do. Many
experts warn that the total ransoms paid may be far higher than is currently known as there are no rules around disclosing payments.

Click here to read the FT article.

ICO and Cabinet Office reach agreement on New Year Honours data breach fine

On 15 November 2021 the ICO issued a fine to the Cabinet Office following an investigation into the 2019 data breach, where the Cabinet Office published a file a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The Cabinet Office appealed against the amount of the fine to the First-tier Tribunal (General Regulatory Chamber) in December 2021, alleging the level of penalty was “wholly disproportionate”. The penalty was for failing to implement appropriate technical and organisational measures to keep personal data secure, in contravention of Articles 5(1)(f) and 32(1) of the GDPR. The appeal related solely to the amount of the fine and the facts leading up to the imposition of the penalty were not in dispute.

On 3 November 2022, the ICO announced its agreement to reduce the £500,000 Monetary Penalty Notice (MPN) imposed on the Cabinet Office in 2021 to £50,000, which the Cabinet Office has agreed to pay. In a bid to work more effectively with public authorities, the ICO's John Edwards commented that they acted pragmatically recognising 'the current economic pressures public bodies are facing' and the fact that 'in certain cases fines may be less critical in achieving deterrence'. He added that the ICO will continue to work with the Cabinet Office to ensure people’s information are being looked after. Edwards confirmed that the ICO is willing to use discretion to reduce the amount of fines on the public sector in appropriate cases, coupled with better engagement including publicising lessons learned and sharing good practice.

Click here to read the ICO press release.