EU: We'll force power plants, Apple and pals to admit hack attacks

New rules on reporting breaches proposed in cyber-strategy


Power stations, banks, online shops, cloud providers, search engines, app stores, social networks and governments may soon be required by law to disclose ALL major security breaches.

In a strategy titled An Open, Safe and Secure Cyberspace, the European Commission proposed this new directive for the continent:

Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.

The strategy also calls for every Euro nation to put together a crack team to tackle big tech security emergencies and share intelligence with neighbours, among other cyber-desires.

Most, but not all, EU member states already have their own Computer Emergency Response Team (CERT) so this major policy push seems to primarily involve forcing companies to notify the authorities of any data breaches or significant security incidents.

The strategy also advocates applying existing international laws to "cyberspace" as well as promoting international cooperation with countries outside the union.

The policy builds on other EU initiatives including establishing a European Cybercrime Centre, proposing laws on attacks against information systems, and the launch of a global alliance to fight child sex abuse. The strategy also seeks to develop and fund training schemes to combat online crime.

In a statement, Cecilia Malmström, EU commissioner for Home Affairs, said: "Many EU countries are lacking the necessary tools to track down and fight online organised crime. All member states should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre, EC3."

During a 30-minute press conference, Euro bigwigs were grilled on what they were doing to end corporate espionage; Chinese hackers are consistently accused of accessing companies' private servers and swiping secrets.

Catherine Ashton, high representative of the union for foreign affairs and security policy, refused to comment on investigations by Europe's spooks into these intrusions, but said the EU was monitoring the situation closely and is in talks with China, India and the US. Officials in Brussels have, we're told, come to the conclusion that these attacks are increasing and damaging economies.

Last year, 56.8 per cent of businesses in Europe suffered a computer security breach that seriously derailed their operations. Yet only 26 per cent of the union's enterprises had a formal ICT security policy. That's according to Eurostat figures from January 2012.

Chinese networking kit giant Huawei, occasionally on the end of a shoeing from Western politicians, put out a statement supporting the EU’s call for greater international cooperation.

“The strategy comes at a crucial moment, providing the public and the private sector with the tools they need to move beyond debating the problem and take concrete steps to tackle security issues,” said Huawei’s global security officer John Suffolk. “The time has come to stop talking about the threat, stop talking about the challenges and start talking about the actions we have taken and will take.”

Jason Hart, VP of cloud solutions at SafeNet, also welcomed the EU strategy but said that it needed to be supplemented with a greater increase of encryption to protect sensitive data.

“This move is a welcome change as past breaches have demonstrated that delays in reporting may have exacerbated the initial problem," Hart said. "However reporting the breach itself is only a small part of the equation. What is of real importance is preventing the damage that the exposure of unencrypted data can cause in the event of a security breach.

"Therefore, a key solution to tackle cyber security issues lies within pushing for more wide-scale mandatory encryption of all data, including soft data which has been aggressively targeted by cybercriminals over the last few years. New legislations that come into play will need to provide a comprehensive set of measures based on the fundamentals of information security to ensure wider adoption of encryption and authentication as a way of mitigating the damage of a potential security breach." ®

Similar topics

Broader topics


Other stories you might like

  • IBM buys Randori to address multicloud security messes
    Big Blue joins the hot market for infosec investment

    RSA Conference IBM has expanded its extensive cybersecurity portfolio by acquiring Randori – a four-year-old startup that specializes in helping enterprises manage their attack surface by identifying and prioritizing their external-facing on-premises and cloud assets.

    Big Blue announced the Randori buy on the first day of the 2022 RSA Conference on Monday. Its plan is to give the computing behemoth's customers a tool to manage their security posture by looking at their infrastructure from a threat actor's point-of-view – a position IBM hopes will allow users to identify unseen weaknesses.

    IBM intends to integrate Randori's software with its QRadar extended detection and response (XDR) capabilities to provide real-time attack surface insights for tasks including threat hunting and incident response. That approach will reduce the quantity of manual work needed for monitoring new applications and to quickly address emerging threats, according to IBM.

    Continue reading
  • OMIGOD: Cloud providers still using secret middleware
    All the news you may have missed from RSA this week

    RSA Conference in brief Researchers from Wiz, who previously found a series of four serious flaws in Azure's Open Management Infrastructure (OMI) agent dubbed "OMIGOD," presented some related news at RSA: Pretty much every cloud provider is installing similar software "without customer's awareness or explicit consent."

    In a blog post accompanying the presentation, Wiz's Nir Ohfeld and Shir Tamari say that the agents are middleware that bridge customer VMs and the provider's other managed services. The agents are necessary to enable advanced VM features like log collection, automatic updating and configuration syncing, but they also add new potential attack surfaces that, because customers don't know about them, can't be defended against.

    In the case of OMIGOD, that included a bug with a 9.8/10 CVSS score that would let an attacker escalate to root and remotely execute code. Microsoft patched the vulnerabilities, but most had to be applied manually.

    Continue reading
  • Costa Rican government held up by ransomware … again
    Also US warns of voting machine flaws and Google pays out $100 million to Illinois

    In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.

    Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system, and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak.

    The Costa Rican government said at least 30 of the agency's servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.

    Continue reading
  • Facebook phishing campaign nets millions in IDs and cash
    Hundreds of millions of stolen credentials and a cool $59 million

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

    Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

    The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

    Continue reading
  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • Feds raid dark web market selling data on 24 million Americans
    SSNDOB sold email addresses, passwords, credit card numbers, SSNs and more

    US law enforcement has shut down another dark web market, seizing and dismantling SSNDOB, a site dealing in stolen personal information.

    Led by the IRS' criminal investigation division, the DOJ, and the FBI, the investigation gained control of four of SSNDOB's domains, hobbling its ability to generate cash. The agents said it raked in more than $19 million since coming online in 2015.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading

Biting the hand that feeds IT © 1998–2022