Cyber_Bytes - Issue 43
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
Solicitors urged to help stem the rising tide of ransomware payments
Solicitors have been asked to help combat a rise in payments being made to ransomware criminals. In some cases, solicitors have been advising clients to pay in the belief that it will safeguard data or lead to a lower penalty from the ICO.
The National Cyber Security Centre (NCSC) has requested that the Law Society reiterate to its members its advice on ransomware and highlight that paying a ransom will not keep data secure or be considered by the ICO as a mitigation in regulatory action. Instead, the ICO and NCSC have stated that paying ransoms can further incentivise criminals and will not guarantee that data is safely returned.
This advice comes as ransomware attacks are becoming more sophisticated and destructive, with the UK government working with partners across the board to mitigate the threat. In December 2021, the National Cyber Strategy was launched to strengthen the UK's role as a responsible cyber power.
Tackling cybercrime is at the heart of this plan, with the legal sector playing a key role in helping reduce the impact and scale of this threat.
Click here to read the NCSC's press release.
International data protection and privacy authorities provide guidance against the threat of credential stuffing attacks
The latest report from international data protection and privacy authorities, including the ICO, has recognised "credential stuffing" as a substantial growing cyber threat to personal information.
This cyber-attack method exploits people's propensity to use the same username and password combination across multiple online accounts. The attacks are automated and most commonly take place on a large scale, making use of credentials obtained from unrelated data breaches in order to gain access to online accounts across different websites or applications.
The report provides guidance for organisations (here) and the public (here) on how to prevent, detect and lessen the risk of these attacks. The guidance to organisations notes that implementing measures to protect personal data from credential stuffing attacks will generally be required, at least implicitly, under data protection and privacy laws. Among the recommended security measures listed, multi-factor authentication is identified as the most effective method of securing online accounts against credential stuffing.
Click here to read the ICO's press release.
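The guidance above is about preventing and detecting credential stuffing. As an added illustration of the "detect" part (this is not code from the ICO report or from this newsletter), the script below scans a small constructed sample of authentication log lines and flags source addresses that try many different usernames in a short window with a high failure rate, which is the pattern the automated, large-scale attacks described above leave behind. The log format (`timestamp ip=… user=… result=…`), the thresholds and the sample data are all assumptions made for the example; a real deployment would read the authentication system's own logs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The first source
# address cycles through many different accounts in a few seconds, which is
# the credential-stuffing pattern; the other two are ordinary users who
# mistype a password and then log in.
SAMPLE_LOG = """\
2022-07-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2022-07-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2022-07-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2022-07-01T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2022-07-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2022-07-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2022-07-01T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2022-07-01T10:00:40Z ip=198.51.100.7 user=alice result=SUCCESS
2022-07-01T10:05:00Z ip=192.0.2.9 user=grace result=FAIL
2022-07-01T10:05:30Z ip=192.0.2.9 user=grace result=FAIL
2022-07-01T10:06:00Z ip=192.0.2.9 user=grace result=SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one log line in the assumed 'timestamp key=value ...' format."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in parts[1:])
    return AuthEvent(ts, fields["ip"], fields["user"], fields["result"] == "SUCCESS")


def parse_log(text: str) -> list[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_stuffing_sources(events, window=timedelta(seconds=60),
                          min_users=5, min_fail_ratio=0.8) -> dict:
    """Return {ip: stats} for sources that, within any sliding window, tried at
    least `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.
    A single user failing repeatedly is not flagged: that is a password guess
    against one account, not stuffing across many."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window so it only spans `window` seconds.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            failures = sum(1 for e in win if not e.success)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                stats = {"distinct_users": len(users), "attempts": len(win),
                         "failures": failures}
                prev = flagged.get(ip)
                if prev is None or stats["distinct_users"] > prev["distinct_users"]:
                    flagged[ip] = stats
    return flagged


def accounts_to_review(events, flagged) -> list[str]:
    """Accounts that a flagged source logged into successfully: these are the
    reused-password accounts to force a reset on and enrol in MFA."""
    return sorted({e.user for e in events if e.ip in flagged and e.success})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print("flagged sources:", hits)
    print("accounts to review:", accounts_to_review(evs, hits))
```

On the sample, only `203.0.113.5` is flagged (six distinct usernames, five failures out of six attempts inside one window) and `dave` is the account whose reused password let the attacker in. Detection like this is a complement to, not a substitute for, the multi-factor authentication the guidance recommends: with MFA enforced, a valid username and password alone is not enough to complete a login.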
Commercial cyber capabilities must be used legally and responsibly, says UK NCSC CEO
The head of the UK's NCSC, Lindy Cameron, has highlighted the significance of legal and responsible use of commercial cyber capabilities.
In a speech delivered at Cyber Week, hosted by Tel Aviv University, Cameron identified the intersection between academia, industry and governments as holding the key to responding to the latest cyber threats. Cameron commended Israel's sophisticated cyber capabilities and its tightened export controls, which make it more difficult for nations with troubling records on privacy and human rights to acquire intrusive spyware.
Cameron discussed the rising trend in ransomware and how the commercialisation of such capabilities dramatically lowers the technical knowhow required to conduct criminal operations. Cameron pointed out that ransomware remains the most significant global cyber threat most organisations have to contend with. Ransomware is now being offered by gangs as a service, making it easier than ever to perpetrate this type of crime.
In order to counteract these attacks, Cameron stressed the need to form partnerships, as well as to pool resources and skills in order to develop a network which is naturally resilient.
Click here to read the NCSC's press release.
Cyber-attack causes a fire in steel factory in Iran
On 27 June 2022, a cyber-attack on a steel maker in Iran caused a serious fire in a steel factory and damage to equipment.
A hacking group known as Predatory Sparrow has stated that it is behind the attack and has released a video to support this claim. The video footage of the incident shows factory workers escaping the plant before the machine started spewing molten steel and fire, as well as people pouring water on the fire with hoses.
Predatory Sparrow claimed that this attack was one of three attacks it had carried out against Iranian steel makers on the same day in protest of unspecified acts of "aggression" by the Islamic Republic. The group has since gone on to share data allegedly stolen from the companies, including confidential emails. The sophisticated nature of the attack, including apparent efforts by the group to shield people at the scene of the incident from injury, has led many to believe that Predatory Sparrow is either operated or sponsored by a nation state. If a state is proven to have caused physical damage to the Iranian factory, it may have violated international laws prohibiting the use of force and provided Iran with legal grounds to hit back. Investigations by the Iranian authorities are currently taking place in efforts to identify the state perpetrator behind the attack.
Although previous incidents, such as the 2010 Stuxnet attack, have had a physical impact in the real world, nothing as serious as this has previously taken place; there are very few confirmed cases of cyber-attacks causing physical damage.
Click here to read the BBC article.
Speech introducing the ICO's plan for the next three years: ICO25
On 14 July 2022, Information Commissioner John Edwards delivered a speech at Woburn House to introduce ICO25, the ICO's strategic plan outlining its regulatory approach and priorities for the next three years.
The plan includes a pledge to protect the information rights of vulnerable individuals, whilst affording organisations higher levels of certainty and flexibility to enable "businesses to invest and innovate with confidence". In terms of providing greater certainty, the aim is to clearly set out legal requirements and the approach that the ICO will take when enforcing these.
There are also plans to introduce "a series of services, tools and initiatives, allowing organisations to benefit from ICO advice and the experience of others".
The ICO25 plan's priorities over the upcoming three years include:
- Examining how the benefits system utilises algorithms;
- Tackling predatory marketing calls;
- Considering whether the use of AI within the recruitment sector adversely impacts ethnic minorities and neurodiverse individuals; and
- Continuing its support of children's privacy.
Click here to read the full speech by John Edwards.
Data Protection and Digital Information Bill introduced into Parliament
On 18 July 2022, the Data Protection and Digital Information Bill was introduced into Parliament. This followed publication of the government's response to its consultation, "Data: a new direction".
The Bill has been designed to update and streamline the UK GDPR and Data Protection Act 2018 in order to reduce legislative burdens on organisations whilst still preserving a good standard of data protection regulation. The purpose of the Bill will be to bring in higher levels of flexibility and introduce various measures involving personal data and other types of information, such as digital information.
Proposed measures in the Bill as it stands include:
- Reforming the ICO;
- Changes to PECR, relating to cookie rules, unsolicited direct marketing and communications security (for example, network traffic and location data);
- Clarification of the rules on international transfers and cross-border flows of personal data;
- Establishing a framework for the provision of digital verification services;
- Changes to Part 3 (law enforcement) and Part 4 (processing by the intelligence services) of the Data Protection Act 2018; and
- Changes to police use of biometrics.
The second reading is due to take place on 5 September 2022.
Click here to read the UK Government publication.