The threat escalates

Identified as one of the four biggest threats to UK security, cyber attacks are not limited to corporate giants or election tampering. Chambers are equally at risk, as Colin Nicholls QC explains

Cyber security is acknowledged to be one of the greatest threats to business around the world, with a global cost estimated at $445bn, according to the World Economic Forum’s 2016 Global Risks Report

The cost has been estimated to have risen by 200% in five years and has been projected to reach $6trn by 2021.

In 2010 the Internet of Things was in its infancy. In 2015 it was estimated that in 2016 over 6bn connected devices would be in use worldwide, and that by 2020 that number is set to rise to over 20bn. As the pace quickens, the threat escalates.

Cyber security underpins every aspect of our professional and private lives; our smart phones, ipads, laptops, and methods of payment – there are already 27 Bitcoin ATMs in and around London. Cyber security protects not just our privacy, but our homes, means of travel, health service, and even our fridges.

In 2010 the government identified cyber attacks as one of the four biggest threats to UK security, along with war, terrorism and natural disaster. The 2015 National Cyber Security Strategy Report confirmed the threat was increasing in scale and complexity ‘at such a pace that we must run simply to stand still’.

National Cyber Security Strategy

On 1 November 2016 the Chancellor of the Exchequer Rt Hon Philip Hammond MP formally launched the government’s new five-year National Cyber Security Strategy (NCSS) setting out the government’s plans to protect the economy against cyber attacks. At the same time he announced the doubling of the government’s funding commitments from £860m between 2011 and 2016, to £1.9bn between 2016 and 2021.

He encouraged industry to up its game and added predictably that the government ‘cannot do it alone; everyone has a key role in keeping our society safe’.

Although the policies, institutions and initiatives developed under the previous strategy helped to establish the UK as a leading global player in cyber security, the scale and dynamic nature of the threats, and the increasing dependency of our economy and society on digital products and services, required the previous approach to cyber security to be further strengthened.

The new strategy sets out the government’s objectives for strengthening the security of the UK over the next five years and is being delivered through government working in partnership with the devolved administrations, the wider public sector, industry, academia and the public.

It explains the government’s approach to tackling and managing cyber threats in the UK, how it aims to be one of the most secure places in the world to do business in cyberspace, and includes policy announcements that will help to prevent and raise awareness of fraud. In particular:

  • how the UK will use automated defences to safeguard citizens and businesses against growing cyber threats;
  • support the UK’s growing cyber security industry;
  • develop a world class cyber workforce; and
  • deter cyber attacks from criminals and hostile actors.

At the same time as he launched the strategy the Chancellor announced the following measures:

  • The creation of a new National Cyber Security Centre to coordinate the national cyber effort and provide a unified source of advice and support for the private and public sector. The centre, which is based in London, became operational in October 2016 and is part of GCHQ with a team of 700 people with an ‘open door’ policy to make it easier for businesses of various sizes to get the best support on cyber issues.
  • Two new UK Cyber Security Innovation Centres, the first to be based in Cheltenham, and a Cyber Innovation Fund to develop innovate technologies and products to promote training and support for cyber start-ups and academics to help them commercialise cutting edge research and attract investment from the private sector.
  • A new Cyber Security Research Institute – a virtual collection of UK universities which will look to improve the security of smart phones, tablets and laptops through research that could one day make passwords obsolete.

Chambers – and small firms – at risk

Corporate giants are obvious targets for the cyber attacks which are constantly in the headlines with their consequent disruption of services, huge losses of personal data and cash and subsequent reputational damage.

Cyber attacks, however, are not limited to large-scale businesses. The government’s most recent Information Security Breaches Survey found that 74% of small businesses and 90% of major businesses had suffered a cyber breach in 2015.

Small businesses – and these include small and mid-size solicitors firms and barristers’ chambers – are just as vulnerable, if not more so. They hold highly sensitive personal information and can provide an easy gateway to obtaining information about their clients including government, corporates, and people suspected of criminal offences. They are seen as softer targets as they have smaller IT budgets and less likely to invest in the necessary preventive infrastructure.

In small as in large organisations, the human factor is usually the weakest link in a business’s cyber defences and staff breaches, malicious or inadvertent, are just as likely to occur in either, taking into account factors such as holidays and temporary staffing and the requirement to ensure the required protocols are observed.

Clients are becoming increasingly demanding as to the resilience of their law firm’s networks and security. As this takes hold, barristers must expect that solicitors instructing them will become equally exacting and in order to enable them to meet the ultimate client’s requirements they will need not only to ensure that protocols in place are observed, but to state that this is the case.

Cyber Essentials Schemes

In 2014 the government launched its online Cyber Essentials Schemes to help organisations of all sizes to measure their defences against common forms of cyber attacks.

The two schemes, the Cyber Essentials Scheme and more advanced Cyber Essentials + Scheme, include self-assessment questionnaires enabling organisations to judge whether they measure up to a set of controls which, when properly implemented, will provide them with basic protection from the most prevalent forms of attack. On completing a verified self-assessment they are awarded a certificate providing them with an assurance that their controls have been implemented correctly. Verification is essential in the case of government procurement projects.

Since its inception, the scheme has been adopted by insurers and auditors as a guide when assessing risk.It stipulates repeat checking for compliance which is recommended yearly. It is not a ‘one shot deal’. It is clearly desirable that organisations which handle personal data should consult their IT team suppliers and technical support on whether they should be certified under the scheme and, if not, the means whereby they can demonstrate that they are less likely to be victims of a cyber attack or suffer a loss of client data.

The new National Cyber Security Centre website provides a unified source of advice, guidance and support on cyber security including the management of cyber attacks and recommends certification under the Cyber Essentials Schemes.

Cyber security and the Bar’s responsibilities

Eighty per cent of barristers are self-employed and belong to a set of chambers where they share central resources. The majority of information they hold is in a digital form and is a lucrative target for potential criminals. Barristers invariably have their own PCs, smartphones and other devices and invariably use them when working in chambers, in court, at home and when travelling.

They have a professional duty of confidentiality to their clients under the rules of the Bar Standards Board (BSB) and an individual responsibility to preserve their clients’ confidentiality as ‘data controllers’ under the Data Protection Act 1988. They must register with the Information Commissioner and failure to comply with the requirements of the Act or the Bar Standards Board Rules can result in heavy financial and disciplinary penalties.

Barristers’ individual responsibilities impose a crucial burden on chambers administration to ensure chambers have a written cyber security policy in place affecting all their members, pupils and staff and an infrastructure committee with project management and support outsourced to specialist consultants and the maintenance of up to date IT and communications and facilities.

The Attorney General’s Guidelines on Information Security and Government Work set out the steps barristers and their staff should take to meet the particular requirements of government agencies including a summary of requirements for the receipt, handling, storage, copying, and disposal of material, use of email, reporting loss, the disposal of physical or electronic material and material taken outside the UK and a security incident policy.

The Information Technology Panel of the Bar Council publishes documents to assist barristers on IT issues, although its assistance is not ‘guidance’ for the purposes of the Bar Standards Handbook and neither the BSB nor a disciplinary tribunal nor the Legal Ombudsman are bound by any views expressed in it.

Cybercrime Practitioners’ Association (CPA)

In March 2016 a group of lawyers routinely engaged in advising on cybercrime issues formed a Cybercrime Practitioners Association to include non-lawyers, members of the IT industry and others with the object of fostering awareness, exchanging information, and providing education on cybercrime issues. Recent seminars have included in addition to cybercrime, specific issues such as threats to the marine industry and cyber insurance.

The formation of this association confirms not just the demand for cyber resilience, but the growth of a body of lawyers ready to take up the task.

Contributor Colin Nicholls QC, Three Raymond Buildings

Category: 
Author details: 
Colin Nicholls QC

Colin chaired the Commonwealth Expert Group on Cybercrime, whose report was adopted by Commonwealth Law Ministers in 2014. He is currently chairing the Commonwealth Expert Groups on Virtual Currencies and the Revision of the Model Law on Computer and Computer Related Crime.