Police and NCSC to Breach Victims: We Won't Tell RegulatorsIncident Responders and Law Enforcement Promise Firewall With GDPR Watchdog
Nearly one year after the EU's new privacy law came into effect, Britain's National Cyber Security Center continues to assist data breach victims. Its mission is to help organizations understand what happened and mitigate the attack in its immediate aftermath.
The General Data Protection Regulation, which went into full effect in May 2018, gives regulators the ability to impose major fines on individuals and organizations that violate Europeans' privacy rights or to report breaches involving individuals' data in a timely manner. In the U.K., GDPR is enforced by the Information Commissioner's Office.
Both the ICO and NCSC say they're working to make it clearer how they support breach victims and the role of each in doing so.
"It's important organizations understand what to expect if they suffer a cybersecurity breach," said James Dipple-Johnstone, the ICO's deputy commissioner for operations, at his week's CyberUK 2019 conference in Glasgow, Scotland. "The NCSC has an important role to play in keeping U.K. organizations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised."
Anyone who fails to report a breach involving European's personal details can face serious repercussions. "Organizations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren't followed," he added.
Law enforcement and intelligence officials say they don't want breach victims to worry about sanctions, but instead immediately seek advice.
"We absolutely see our key priority as helping the victim mitigate and get back on their feet," Adrian Searle, head of incident response for NCSC, said (see: Intelligence Agencies Seek Fast Cyber Threat Dissemination).
Confidential, Free Assistance
Officials at the NCSC, the public-facing arm of intelligence agency GCHQ, this week stressed that the center's breach victim assistance and incident response support is not only free but also confidential.
The center will not report any breach victims to either police or the ICO - the country's privacy regulator, officials stressed.
For anyone seeking NCSC's help, "'Is that an automatic referral to the regulator?' We've been asked that question more times than I can remember," Ciaran Martin, CEO of NCSC, told reporters during a Thursday press briefing at CyberUK, which NCSC organizes.
The short answer is that NCSC will always encourage organizations that suffer a breach to meet their requirements under both GDPR as well as the EU's Network and Information Systems directive.
The NIS directive, which also came into force in May 2018, stipulates that "operators of essential services" - typically critical infrastructure providers - must ensure that they "take appropriate and proportionate security measures to manage risks to their network and information systems," NCSC says, as well as notify relevant authorities about any serious incidents.
NCSC: Advice and Support, Not Enforcement
But encouragement is as far as it will go, Martin said, emphasizing that it's essential to keep designated roles and responsibilities intact. The mission of NCSC, which the government stood up in 2016, is to provide advice and support for the public and private sector in how to avoid computer security threats. Since 2016, the center has investigated about 1,500 security incidents.
NCSC has no enforcement or regulatory role. "That's right and proper," Martin told reporters.
At the same time, he added, "the ICO cannot do its job or OFCOM [the communications regulator in the U.K] its job without offering technical guidance" to British organizations. One of NCSC's areas of expertise is in such guidance, which is why it helps government agencies that do have regulatory or enforcement roles to help ensure everyone is on the same page.
"The state never contradicts itself technically - that's the route to madness," Martin said.
What Is a Breach?
After nearly 12 months of GDPR experience, "what is a breach?" is still an oft-repeated question, Paul Chichester, NCSC's director of operations, told reporters during the Thursday CyberUK press conference. "And you have to report a breach within 72 hours. 'When does the clock start ticking?' is a question we've also been asked."
Forthcoming technical advice from NCSC will attempt to add clarity. In shaping the new guidance, "we've tried to develop some areas where there is some ambiguity," Chichester said.
Police Lead Criminal Investigations
British organizations that suffer a breach can reach out to NCSC for assistance, but in many cases, they also must inform relevant authorities, such as the ICO, about the incident.
Law enforcement agencies say they want to be notified of breaches as quickly as possible to pursue the criminal angle.
"Where NCA and law enforcement come in is we lead the criminal investigation," said Mike Hulett, head of operations for the National Cybercrime Unit at Britain's National Crime Agency, during a CyberUK session. "NCSC have the lead for incident management."
Hulett heads all of the NCA's cyber investigations, covering digital forensics, incident response and coordinating across law enforcement agencies in England and Wales, as well as Police Scotland and the Police Service of Northern Ireland.
"There are certain things we need" at the beginning of a case if police are going to pursue the criminals responsible, he said. "To put it police-y, if your organization is attacked, you're a victim of crime, and where your IT is hosted, that's a crime scene."
While NCA and NCSC will manage the incident and respond to the crime, Hulett emphasized that law enforcement is not a regulator and will always maintain "a sterile corridor" between what it's doing and any regulatory bodies. In policing terms, sterile corridors refer to keeping certain operations - such as working with informants, or forensic examinations - behind closed doors to protect their integrity.
Speaking at CyberUK, other senior law enforcement officials reiterated that perspective.
"It is not our job to dob you in to the ICO," said Peter Goodman, the chief constable of England's Derbyshire Constabulary, and also the cybercrime lead for the U.K. National Police Chiefs' Council, speaking Thursday during a CyberUK panel discussion. "It is our job to help and support you and to investigate criminality."
Goal: Blunting Attacks
Going forward, the NCSC says it will soon also clarify its working relationship with law enforcement agencies.
Reporting incidents to the NCSC and allowing the NCA to investigate means that information about attackers can be used to help prevent others from falling victim.
Indeed, the NCSC's incident management mission, backed by more than 50 staff, is "to reduce the harm to victims caused by cyber incidents and use the insight gained to inform wider protection advice and counter operations," said the NCSC's Searle.