The Kraken wakes

Well, not wakes so much as stirs, mumbles, farts and rolls over, but it’s a start. What am I on about? Yesterday’s report from the Parliamentary Committee on Cyber Security. Here I go again, reading this stuff so you don’t have to.

First up is the thorny issue of Board responsibility for security. I’ve talked about this before, of course, and more than once with reference to TalkTalk. Well, yesterday is also the day that Dido Harding got her bonus – of £1.9m – and promptly gave a bit of it to charity. Which is laudable of her (although she hung on to £1.68m in shares), but you do have to ask how big the bonus would have been if she hadn’t completely dropped the ball on cyber last year. I mean, if you get £1.9m for a year in which your business makes the headlines for having essentially no meaningful cyber protection at all, what do you have to do to get nothing – or a P45?

Our marvellous parliamentarians have finally figured out that cyber-security needs dedicated supervision – with Board oversight – and suggest that: “a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.” They also suggest that the ICO should start fining firms for vulnerability to known exploits and expressed surprise that a secure software development lifecycle isn’t standard practice. If only they knew how bad it really is out there.

In general the report makes sensible points, albeit saying nothing that hasn’t been said before – in a slightly despairing tone – by yours truly and many others. How much of this will actually turn into legislation, and then be effectively enforced, remains to be seen.

They do make one suggestion – that it be made easier for consumers to claim compensation in the event of a breach – which is interesting. It doesn’t require new legislation and could make for a nice replacement for PPI mis-selling when that lawyers’ gravy train finally runs out of steam. That might focus a few minds.

The report goes on to acknowledge supply chain risk. Duh, again. Well, it’s nice to hear it from someone else, I suppose. They propose using Cyber Essentials as a supplier-selection filter. Well, it’s better than nothing, but ISO 27001 would be better still. Particularly since the next section of the report recognises that Cyber Essentials “sets a low bar”. They make a general suggestion that it should be “regularly updated” to take account of all the things it currently doesn’t do, without any recognition of the difficulty that would present – if nothing else because of the political fall-out from having so many presently-compliant organisations lose that status once it actually became difficult to get.

Section 6 is about the tension between informing consumers and catching criminals – with a side-order of scare-mongering that if you tell people they’ve been compromised, you make them vulnerable to targeted phishing attacks. It’s a bizarre “what they don’t know can’t hurt them” line, led by the police who think that keeping it shtum will give them more of a chance to catch the hackers. The report then somewhat misrepresents the GDPR, conflating the obligation to inform the ICO – written about here last week – with the obligation to inform the consumer, which only applies if material harm is likely, in the opinion of the organisation that has been hacked. Given the spectacular ineffectiveness of global law enforcement in catching hackers, this is absurd. Just tell us so that at least we can protect ourselves.

Section 7 will make me very happy, if anything comes of it. They make some suggestions for things the ICO should do that it probably can’t under current legislation, but then cotton on that the GDPR will give it much bigger teeth – which is a good thing. They go on to suggest that custodial sentences should be available for data theft and unlawful selling of personal data (and let’s not forget that the Computer Misuse Act already allows this in many cases). See previous point about lack of success in catching criminals in the first place, but nonetheless this would up the ante no end. I’d go further and suggest we should have custodial sentences for data controllers who flagrantly ignore basic security principles.

They go on to suggest that large data controllers should have to report annually to the ICO on their security budget and activity; this kind of transparency would give an amazing boost to the visibility of cyber at Board level. They also support the “privacy seal”, a kind of ICO kite mark, which sounds great in principle but has yet to have much flesh on its bones. Any kind of public recognition of cyber is good, but only if the recommendations are practical, respond quickly to changes in the threat environment and are actually enforced. Otherwise they give the same false sense of security as the lock symbol on an HTTPS website.

Finally they note that the ICO thinks that the Investigatory Powers Bill is horrid. The ICO is of course right; the committee has nothing useful to add, sadly.

TL;DR? We could get a real focus on cyber as a Board-level issue in UK businesses, with proper penalties for non-compliance and a beefed-up ICO audit and enforcement regime. Or we could not. This is a report, not a bill or a white paper. Let’s see if anyone has the will to take these issues forward.
