Two significant cybercrime developments occurred this week. On 6 July 2016 the European Parliament adopted the Directive on security of network and information systems (the NIS Directive). The Directive will enter into force in August 2016. Member States will then have 21 months to transpose the Directive into their national laws and a further 6 months to identify operators of essential services. The following day the National Crime Agency (NCA) published its Cyber Crime Assessment 2016. Both call for a collaborative approach between business and law enforcement to tackle cybercrime.
The NIS Directive
On 6 July 2016, the European Parliament adopted the Cybersecurity Directive, which member states will have to transpose by May 2018. There remains only speculation as to when the UK will leave the EU, but it seems unlikely to occur before May 2018, and consequently the UK will be obliged to implement the Directive. Whatever the timing of Brexit, the UK is likely to want to cooperate with the EU on cybersecurity to reduce the risk of cyber attacks on UK businesses. For more information see Legal update, European Commission Communication on cybersecurity.
On 5 July 2016, the Commission published a new Communication on cybersecurity. It contends that cooperation across the EU needs to be improved, both to enhance preparedness for cyber incidents and to deal with them when they occur. The Directive provides for a Cooperation Group bringing together all member states, and a cooperation blueprint will be proposed in 2017. As part of this, information and expertise on cybersecurity should be pooled in an "information hub" available to all member states, facilitated by the Commission, the European Union Agency for Network and Information Security (ENISA) and the Computer Emergency Response Team for the EU institutions (CERT-EU). The Commission also proposes setting up a high-level advisory group, trusted channels for voluntary reporting of cyber theft of trade secrets, and a cybersecurity training platform.
Under the Cybersecurity Directive, member states will be required to establish Computer Security Incident Response Teams (CSIRTs) responsible for rapid reaction to cyber threats and cyber incidents, and to ensure that operators of essential services put appropriate cybersecurity measures in place.
The Commission has also committed to promoting an increased supply of products and services by the EU cybersecurity industry, and is adopting a decision on a public-private partnership on cybersecurity (see Legal update, European Commission publishes consultation on cybersecurity public-private partnership).
The NCA Assessment
The NCA is the UK law enforcement agency with the responsibility for cybercrime. For more information see Practice note, National Crime Agency: overview. Cybercrime is generally defined as any crime conducted via the internet or some form of computer network. For more information see Practice note, Cybercrime: overview.
The NCA published its Cyber Crime Assessment 2016 on 7 July 2016. The assessment highlighted the under-reporting of cybercrime. The Office for National Statistics (ONS) included cybercrime in the annual crime survey for the first time in 2015. The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cybercrime in the UK in 2015. There were 16,349 cyber-dependent and approximately 700,000 cyber-enabled incidents reported to Action Fraud over the same
HM Government has pledged to invest £1.9 billion over the next five years in the UK's cyber defences. This includes funding for enhanced capability within law enforcement to respond to cybercrime, a new National Cyber Security Centre, and a partnership with UK internet service companies to implement a series of measures to divert known malware and block malicious sites.
However, the assessment is clear that businesses must treat cybercrime as an ever-present challenge to be addressed at board level. Several resources have already been published to help businesses tackle cybercrime:
- 10 Steps to Cyber Security
- Cyber Essentials Scheme
- Cyber Security Skills, a guide for business
- Get Safe Online
The assessment is nonetheless clear that more needs to be done. It calls for cybercrime to be treated as a strategic priority, for a stronger public-private partnership, for greater reporting of cybercrime and for more information sharing. The call for partnership is not new: see Legal updates, Cabinet Office Minister's speech on cybercrime and Co-ordinating efforts to better combat cybercrime focus of Interpol working group.
For more information on the Cyber Crime Assessment 2016, see Legal update, NCA publishes Cyber Crime Assessment 2016.
The broad theme of both the NCA assessment and the EU Directive is that cybercrime cannot be effectively tackled by government action alone; it needs a coordinated effort from both international and corporate interests, and a proper partnership between the two. This theme has been raised previously: see Blog post, The responsibility of banks to prevent fraud.
However, the success of any public-private partnership will depend on the trust that can be established between the two sides. Calls for greater information sharing and reporting are unlikely to be heeded if reporting an incident results in an Information Commissioner's Office investigation for breaches of the Data Protection Act (see Practice note, Data Protection Act 1998: criminal enforcement). Perhaps the relevant UK authorities should commit to a standard position that criminal or civil action will not follow, provided that particular standards, for example the Cyber Essentials Scheme, have been met.
Equally, the UK government's pledge to invest £1.9 billion over the next five years is commendable, and it would be prudent to protect that commitment. Whether the budget will be affected by the referendum result is open to question. Regardless of Brexit, it would seem logical to maintain a full relationship with EU partners and law enforcement institutions that also see cybercrime as a major threat, and to cooperate fully with the other EU member states on the implementation of the NIS Directive.