UK Urges Banks: Share Threat Intel
Government Official Launches Financial Services Sector Appeal
When it comes to battling cyberthreats, the U.K. government has a message for the financial services sector: "We need you to share what you know."
So said Karen Bradley, the U.K. Minister for Modern Slavery and Organized Crime, in a July 15 speech at the U.K. Financial Services Cyber Security Summit in London.
"We are committed to working closely with you to reduce the threats to you," she told attendees. "But we need your help. We need you to share what you can with each other so you can protect yourselves, and we need you to share it with us so we can understand the evolving problems and work with you on how to protect your business."
Bradley characterized better information sharing as being the next step in the government's push to better secure private and public systems in the United Kingdom. She highlighted how the U.K. government launched its five-year National Cyber Security Strategy in 2011, with a budget of £860 million ($1.5 billion), to help "make the U.K. one of the most secure places in the world to do business in cyberspace," through a variety of assessment, law enforcement, partnership and legal strategies, including:
- Cyber Essentials: In June, the U.K. government launched the Cyber Essentials Scheme, which is designed to ensure businesses - as well as academic institutions, charities and public-sector organizations - practice information security essentials. "GCHQ estimates that 80 percent or more of successful attacks could be defeated by implementing simple best practice cyber security standards," Bradley said.
- Law enforcement: The government has also launched a National Cyber Crime Unit, a part of the National Crime Agency, which already disseminates threat intelligence information to industry groups, who then share it with members. The government has also launched a country-specific CERT-UK. CERT-UK also runs the Cyber Security Information Sharing Partnership, which Bradley billed as "the first secure government-industry forum for information sharing on key cyberthreats." As of December 2013, the government said the partnership counted 250 members - comprising "large firms and major organizations."
- Stronger penalties: Bradley also pointed to the "Serious Crimes Bill" the government introduced in June, which would hit cyber-attackers with stronger penalties, especially if their attacks caused physical damage (see UK Seeks Hacking Life Sentences). The bill is currently progressing through Parliament.
The one-day U.K. Financial Services Cyber Security Summit featured presentations from across the financial services and information security spectrum, including anti-fraud and threat intelligence specialists, economists, legal experts and officials from the Home Office, Bank of England and European Commission, as well as from U.K. signals intelligence agency GCHQ. Topics discussed ranged from the role of regulators and threat-sharing forums, to safeguarding London's physical infrastructure and better securing money-transmission, securities and derivatives markets.
Numerous attendees said it's important to share information about attacks, but they questioned the quality, timeliness and relevancy of much of the data that's currently available.
"Threat intelligence so far tends to be generic - there is something that's floating around that relates to a piece of malware or to a product," said one executive from a payments infrastructure provider. "I've seen very little threat intelligence ... that's very specific to a particular industry," he added, arguing that the financial services sector needs more "targeted threat intelligence." But he said he would be happy to work with security services - "nationally and internationally" - to get that type of information.
U.K. businesses that attempt to share information about threats with other businesses, government institutions or law enforcement agencies face legal questions. Notably, U.K. businesses face far fewer mandatory reporting obligations than businesses in the United States, for example, especially when it comes to reporting data breaches.
"They need to be aware that if they share data without having a legal power to do so, whether that be with a law enforcement agency or another business, the Information Commissioner's Office could impose fines against them and they could face claims for compensation from individuals who have suffered damage or distress as a result of their data being shared," Luke Scanlon, a London-based consultant lawyer for Pinsent Masons LLP, tells Information Security Media Group. "It is possible that they could also be held accountable by the financial industry regulators - such as the FCA [Financial Conduct Authority]."
Businesses can share information if they're pursuing a legitimate business interest, Scanlon says. But they must beware of sharing any personal information, he stresses. "While the data protection authorities across Europe - through the Article 29 Working Party - view protecting IT and network security, the prevention of fraud, misuse of services and money laundering all as 'legitimate business interests', it is not clear that even these interests will override the right of individuals to privacy, particularly where exposure of their personal data could cause them significant harm or distress."
Two EU proposals - the Data-Protection Regulation and the Network and Information Security Directive - could introduce mandatory reporting requirements. "The regulation, if brought into force, will apply directly in the U.K.," Scanlon says, while "the directive will need to be implemented in the form of U.K. regulations." Regardless, both proposals continue to be debated, and it isn't clear when - or if - they might be passed.