Welcome to HSF’s September wrap-up, which features our top picks for cyber-related news in the UK, EMEA and US.
In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to one of our international team.
ICO & NCA sign Memorandum of Understanding
Information Commissioner's Office – 05 September 2024
The UK government has signed a Memorandum of Understanding (MoU) with the National Crime Agency (NCA) to improve the country's cyber resilience. The MoU aims to protect organisations from cyber criminals who steal data and hold it to ransom. The government is committed to providing up-to-date information on cyber security matters, supporting improved security, and providing guidance on implementation. The MoU encourages organisations to engage with the NCA on cyber security matters and clarifies that the NCA will always seek consent before sharing information. It is also intended to support the NCA's visibility of UK cyber attacks, reduce the dual burden on organisations during cyber incidents, and provide for joint work to promote learning, provide consistent guidance, and improve standards on cyber-related matters. The agreement aims to protect the public from serious and organised crime.
Data centres to be given massive boost and protections from cyber criminals and IT blackouts
GOV.UK – 12 September 2024
The UK government has classified UK data centres as 'Critical National Infrastructure', marking the first such designation in almost a decade. This ensures that data stored and processed in these centres is less likely to be compromised during outages, cyber attacks, and adverse weather events. The data centres sector can now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in the UK and helping generate economic growth for all.
The designation will see the establishment of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritised access to security agencies, and coordinate access to emergency services should an incident occur. The government also welcomes a proposed £3.75 billion investment in Europe's largest data centre, as plans have been submitted to Hertsmere Borough Council for construction in Hertfordshire by data company DC01UK.
CNI status will deter cyber criminals from targeting data centres that may house vital health and financial data, minimising disruption to people's lives, the NHS, and the economy. In the event of an attack on a data centre hosting critical NHS patients' data, the government would intervene to ensure contingencies are in place to mitigate the risk of damage to essential services, including patients' appointments or operations.
The new protections will boost business confidence in investing in data centres in the UK, which already generate an estimated £4.6 billion in revenues a year.
For further detail please refer to our longer article "Data Centres to be classed as 'critical national infrastructure' in the UK".
UK Parliament introduces a new bill regarding digital assets as a third type of property
Parliament – 12 September 2024
The Property (Digital Assets etc.) Bill will allow digital holdings, including cryptocurrency, non-fungible tokens, digital art, and carbon credits, to be considered personal property for the first time in UK history and, if passed, would make the UK one of the first countries to recognise these assets in this manner. The new law will enable further legal protection against fraud and scams, and help judges handle complex cases where digital holdings are disputed or part of settlements. Justice Minister Heidi Alexander emphasised the importance of keeping the UK legal sector up to date with evolving technologies to maintain its position as a global leader in cryptoassets and bring clarity to complex property cases. By granting owners of digital assets greater legal protection, the new Bill will help the UK legal sector respond better to new technologies, attracting more business and investment to the legal services industry.
UK signs first international treaty addressing risks of artificial intelligence
GOV.UK – 05 September 2024
The UK signed a new international agreement on AI, aiming to protect human rights, democracy, and the rule of law from potential threats. The Council of Europe has agreed to a framework that commits parties to collective action to manage AI products and protect the public from potential misuse. While AI is expected to bring significant benefits like increased productivity and cancer detection rates, the treaty also includes safeguards against risks such as misinformation and biased data. The treaty will ensure countries monitor AI development and manage technology within strict parameters, protecting the public and their data, human rights, democracy, and the rule of law.
The UK will work closely with regulators, devolved administrations, and local authorities to implement its new requirements. The UK continues to play a key role in safe, secure, and trustworthy AI, having hosted the AI Safety Summit and co-hosted the AI Seoul Summit. The Convention will further enhance protections for human rights, rule of law, and democracy, strengthening the UK's domestic approach to the technology while furthering the global cause of safe, secure, and responsible AI.
The UK's commitment to supporting Ukraine and ensuring Russia is held accountable for its full-scale invasion is also reiterated. The treaty will be ratified and brought into effect in the UK, enhancing existing laws and measures.
UK, US and Canada to collaborate on AI and cyber security
ComputerWeekly – 23 September 2024
The UK, US, and Canada have signed a collaboration agreement to jointly research, develop, test, and evaluate new artificial intelligence (AI), cyber, and information domain-related technologies. The UK Ministry of Defence’s Defence and Science Technology Laboratory (DSTL), the US Defence Advanced Research Projects Agency (DARPA), and Defence and Research Development Canada (DRDC) will lead the work in their respective countries.
The collaboration aims to exploit new methodologies, algorithms, and tools to address current and future challenges in a changing geopolitical landscape and enhance the defence and security of the three nations. The agreement also includes plans to reduce technological risks to expedite the introduction of new capabilities. Current projects include training AI to autonomously defend networks against persistent cyber threats and exploring areas such as human-AI teaming, trustworthy AI systems, and increasing the resilience and security of systems.
The collaboration agreement follows the UK signing two other collaboration agreements with Canada to join efforts in relation to AI compute (an essential component in the development of AI) and science and innovation.
SolarWinds security chief calls for tighter cyber laws
Financial Times – 29 September 2024
SolarWinds CISO Tim Brown is advocating for stronger global cybersecurity laws following his victory over the US Securities and Exchange Commission (SEC) in court. In the now largely dismissed case, the SEC had sought to hold Brown personally responsible for a Russian hack that compromised SolarWinds' systems in 2020.
Brown argued for the need for clear rules in the rapidly evolving digital landscape, highlighting the novelty of cyber issues compared with other regulatory issues, which have had hundreds of years of evolution and refinement. The SEC's cyber rules introduced in 2023 mandated the disclosure of data breaches and required public companies to outline their cyber risk management processes. However, most claims against SolarWinds and Brown were dismissed in July, limiting the SEC's reach in cybersecurity.
Brown's call for clearer regulations echoes recent demands from the insurance industry for government support in managing cyber risk. The balance between regulatory oversight, personal liability, and effective risk management remains a pressing challenge in the industry, highlighting the need for public-private partnerships and innovative solutions to secure the cyber sphere.
France uses tough, untested cybercrime law to target Telegram's Durov
Reuters – 17 September 2024
Telegram CEO Pavel Durov is under investigation in France under the country's new LOPMI law – a tough law that criminalises tech giants whose platforms allow illegal products or activities. The law, enacted in 2023, is unique globally and has yet to secure a conviction.
Durov is charged with "complicity in the administration of an online platform to allow an illicit transaction, in an organised gang," which carries a maximum 10-year sentence and a €500,000 fine. The LOPMI law is seen as a powerful tool against organised crime groups operating online. Michel Séjean, a French professor of cyber law, said the toughened legislation in France was introduced after authorities grew exasperated with companies like Telegram and prevents the authorities from being impotent when faced with platforms refusing to cooperate.
The LOPMI law is part of France's tougher stance on cybercrime, which includes real-time geolocation of people suspected of serious crimes. The law has enabled high-profile cases, such as the shutdown of anonymised chat forum Coco, which was cited in over 23,000 legal proceedings since 2021 for crimes including prostitution, rape, and homicide.