United Kingdom


British efforts towards confronting cybercrime have been ramped up in recent years following spates of high profile attacks on UK-based companies.

Organisations and government now realise that collaborative effort is necessary in order to ensure that UK individuals and organisations stay safe from the clutches of criminal entrepreneurs.

Questions and Government responses:

Cyber Attacks and Small Businesses

What assessment he has made of the adequacy of the UK’s defences against cyber attack?

The persistence and ingenuity of those who would threaten us with cyber-attacks mean that we need to work even harder to keep pace with the threat. That is why we recently launched our five-year national cyber-security strategy—supported by £1.9 billion of investment—in which we set out ambitious steps to respond to that increasing cyber-threat.

Many local firms struggle to afford the very best in cyber-protection. Will the Minister explain what more the Government could do to share their expertise so that local small and medium-sized enterprises could benefit from their experience?

It is a regrettable fact that, increasingly, cyber-security is an essential part of normal business operations. That is why we are trying to make it easier for small businesses. We have a new Cyber Essentials scheme, which helps businesses to understand what they need to do to protect themselves. We have a cyber exchange, which provides information about organisations and businesses, and directories that can help small businesses. We also have Action Fraud, which is the mechanism by which businesses can report malicious activity.

Is the government taking appropriate steps to protect businesses and individuals from the threat of such attacks?

The purpose behind the setting up of the National Cyber Security Centre, where we bring together all the expertise across Government, is to make sure that we are protecting our national infrastructure. I am confident that we will be able to do that to a world-leading capacity.

We know that Russian cyber-attacks had an impact on the US election, and that Russian bombing in Syria had an impact on Brexit. What assessment has MI5 made of cyber-attacks in relation to the Brexit output and, indeed, the Scottish referendum?

We cannot comment on the operational details of what the security agencies are doing, but be reassured that our agencies have some of the best capacities and capabilities in the world. They are being funded appropriately, we are making sure that they are doing what they need to do, and they are doing what they need to do.

EU-U.S. Data Protection “Umbrella Agreement”

The EU-US data protection “Umbrella Agreement” puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation.

What is the EU-US data protection “Umbrella Agreement”?

The EU-US data protection “Umbrella Agreement” puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the US for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism.

The Umbrella Agreement will provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-US law enforcement cooperation and restoring trust.

In particular, EU citizens will benefit from equal treatment: they will have the same judicial redress rights as US citizens in case of privacy breaches. This point was outlined by President Juncker in his Political Guidelines, when he stated: “The United States must […] guarantee that all EU citizens have the right to enforce data protection rights in U.S. courts, whether or not they reside on U.S. soil. Removing such discrimination will be essential for restoring trust in transatlantic relations”.

How will the “Umbrella Agreement” make data transfers safer?

This agreement will complement existing EU-US and Member State – US agreements between law enforcement authorities. It will create clear harmonised data protection rules and set a high level of protection for future agreements in this field.

The “Umbrella Agreement” will provide the following protections to make sure that everyone’s data are protected when exchanged between police and criminal justice authorities:

  • Clear limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences, and may not be processed beyond compatible purposes.
  • Onward transfer – Any onward transfer to a non-US, non-EU country or international organisation must be subject to the prior consent of the competent authority of the country which had originally transferred personal data.
  • Retention periods – Individuals’ personal data may not be retained for longer than necessary or appropriate. These retention periods will have to be published or otherwise made publicly available. The decision on what is an acceptable duration must take into account the impact on people’s rights and interests.
  • Right to access and rectification – Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and will be able to request the data is corrected if it is inaccurate.
  • Information in case of data security breaches – A mechanism will be put in place so as to ensure notification of data security breaches to the competent authority and, where appropriate, the data subject.
  • Judicial redress and enforceability of rights – EU citizens will have the right to seek judicial redress before US courts in case the US authorities deny access or rectification, or unlawfully disclose their personal data. This provision of the Agreement depends on the adoption by US Congress of the US Judicial Redress Bill.

For what purpose can data be transferred across the Atlantic under the “Umbrella Agreement”?

The data transferred between EU and US law enforcement authorities can only be shared for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters. The agreement also clearly states that this data cannot be further processed for other incompatible purposes.

What if the US decides to transfer data to a third country or international organisation, how will the “Umbrella Agreement” protect the data?

The “Umbrella Agreement” introduces strong safeguards to protect EU citizens’ data transferred across the Atlantic when US authorities need to transfer it to a third country. In case a US authority intends to further transfer data it has received from the EU to a third country/international organisation, it will have first to obtain the consent from the law enforcement authority in the EU which has originally transferred the data to the US.

What is judicial redress? What will the “Umbrella Agreement” change?

At the moment, if an EU citizen’s data is transferred to US law enforcement authorities and if their data is incorrect or unlawfully processed, EU citizens – non-resident in the US – are unable to obtain redress in US courts (unlike US citizens, who could ask for redress in European courts). The “Umbrella Agreement” will introduce the equal treatment of EU citizens, as called for by President Juncker in his Political Guidelines.

The Judicial Redress Act, which extends the core of the judicial redress provisions of the US Privacy Act of 1974 to EU citizens, was signed by President Obama on 24 February 2016. It will give EU citizens the right to seek judicial redress before US courts in case US authorities have denied access or rectification, or unlawfully disclosed their personal data.

How will the agreement work in practice?

Example: An EU citizen’s name is identical to that of a suspect in a transatlantic criminal investigation. Their data has been transferred from the EU to the US and erroneously gets collected and included on a US “black list”. This can lead to a series of adverse consequences from the refusal of an entry visa, to a possible arrest. The EU citizen should be able to have their name deleted by the authorities – if necessary by a judge – once the mistake is discovered. Europeans (and Americans) have those rights in the EU. Europeans should have them when their data is exchanged with the US too. The citizen who believes that their data is inaccurate can also authorise, where permitted under domestic law, an authority (for instance a Data Protection Authority) or another representative to seek correction or rectification on his or her behalf.

If correction or rectification is denied or restricted, the US authority processing the data should provide the individual or the data protection authority acting on their behalf with a response explaining the reasons for the denial or restriction of correction or rectification.

What are the next steps?

The “Umbrella Agreement” will enter into force once each party has completed the necessary internal procedures.

On the European Union side, this is the adoption of a decision by the Council on the conclusion of the agreement, following the European Parliament’s consent vote. The US side now has to make the necessary designations under the Judicial Redress Act.

Ransomware Viruses

Following a number of ransomware attacks, the question was put forward:

How many cyber-security breaches have government departments recorded that involved Ransomware viruses in the last 12 months, for which data is available?

Answer is pending.

Cybercrime and Elections:

After the impact of Hillary Clinton’s email hack on her presidential campaign, the question was put forward:

Has the Government made an assessment of the level of potential risk of cyber interference by foreign governments in elections in the UK?

Written Answer:
Our 2015 National Security Strategy confirmed that cyber remains a top threat to the UK’s economic and national security. The threat posed by cyber-attacks continues to grow in both scale and complexity. Cyber security is crucial for keeping the UK safe.

To meet the challenges of cyber security threats, the government launched its new National Cyber Security Strategy 2016-2021 on 1 November. Supported by £1.9 billion of transformational investment, the strategy sets out ambitious policies and capabilities to protect the UK in cyber space.

Yahoo! data breach:

In the aftermath of the Yahoo! information breach, the question was put forward:

1) Has the cyber security department within the department for Culture, Media and Sport investigated the recent hacking of Yahoo in order to inform policies?

Written Answer:
When a significant cyber security incident occurs, the NCSC works collaboratively with Government agencies, departments and industry to assist the victim and ensure any lessons learned from serious incidents are actively communicated to the sector affected and fed into policymaking. A full investigation into the Yahoo security breach is taking place in the US, UK and Ireland.

The forthcoming General Data Protection Regulation will introduce a system of mandatory breach reporting. The Government is working with the Information Commissioner’s Office and industry on how best to implement these changes.

Cybercrime, planning and strategy

The department of Culture, Media and Sport has provided these answers to questions raised in Parliament on the planning and strategy in place to tackle cybercrime.

1) How many additional cybersecurity experts is the UK estimated to need to implement the National Cyber Security Strategy?
2) What priority is being given to the education and training of cybersecurity experts?
3) What is being done to encourage young people to study computer sciences at university and to recruit them to the cybersecurity industry?

Written response:
The National Cyber Security Strategy 2016 – 2020 outlines the government’s ambition to deliver a self-sustaining pipeline of talent providing the skills to meet our national needs across the public and private sectors.

Ensuring the UK has the cyber security experts it needs is a key government priority and much work was done to improve required skills at every level of education under the first 2011 – 2015 National Cyber Security Strategy. However, ambitious new initiatives are still needed and are being prioritised under the new strategy. This includes a national schools programme to provide intensive after-school training and mentoring; establishing cyber apprenticeships in critical sectors; and a re-training programme to attract and support people to transition into cyber security mid-career. To identify additional actions we will also develop a self-standing cyber skills strategy that will build on our existing work.

In universities we have ensured cyber security is an integral part of all computer science degrees accredited by the Institution of Engineering & Technology and British Computer Society. GCHQ have also established a certification programme, certifying nearly 20 courses to date, that will help students identify high-quality courses to undertake in order to pursue a cyber security career.