Cambridge International Law Journal

I am indebted to the Cambridge International Law Journal for publishing my article ‘A Right to Bear Cyber Arms?‘ on its blog http://cilj.co.uk/2019/11/19/a-right-to-bear-cyber-arms/

Image by Pete Linforth from Pixabay

The article addresses the reintroduction of the Active Cyber Defense Certainty Act (ACDC) to the 116th U.S. Congress in June 2019 and concludes with the call for a common platform to be agreed on the more aggressive defensive cyber actions (hacking back/Offensive Cyber/legal right to bear cyber arms) that SMEs should and should not be permitted to conduct in defence of trade secrets.

Examples of recent IP Wales impact on the Welsh Innovation Economy

Reading the IP Wales SME Guide to IP Cybersecurity, underpinned by Beale A., Ratcliffe S., Tettenborn A., The Protection of Data in our Digital Age [2017] Journal of Business Law, Issue 6, 2017 p.461-472, has resulted in each of the following businesses seeking to adopt new methodologies and processes to protect their online commercial activities:-

Benchmark Skincare Limited (Managing Director: Peter Friswell) “By seeking to be certified for Cyber Essentials will enable our business to become “GDPR compliant, protect itself from phising emails, protect itself from external cyberattacks, creating an effective and robust backup data storage process.”

Boyns Information Systems (Director: Robert Boyns) “Reading the IP Wales SME Guide to IP Cybersecurity helped increase our awareness on the importance of cybersecurity in the field intellectual property. As a result, we have adopted new methodologies and processes to allow Boyns Information Systems to grow our cybersecurity infrastructure, whilst protecting us from online harm. Being awarded the IP Wales grant assisted our bid to achieve the Cyber Essentials Plus accreditation, preparing us more fully to mitigate any cyberattack.”

Cadmhas Limited (Director of Services: Elfed Williams) “We are a registered charity and company limited by guarantee and as the Director of Services of CADMHAS I have a duty of care and responsibility to both my Directors, Staff and Service Users that we mitigate the threat of a Cyber Attack. I have spoken to our suppliers Boyns Information Systems Ltd., and they have assured me that by following the 5 pillars of the Cyber Essentials Scheme this will help towards my goal of having a system secured to government guidelines. By having the certification and adhering to it, I will be able to focus on the development of our day to day operations and plan towards the future with a good IT foundation to move forward.”

Castell Howell Foods Limited (Head of IT: Paul Rankin) “Having read the IP Wales SME Guide to Cybersecurity, we decided to increase our protection to Cyber Essentials Plus to reduce the risk of being infiltrated or having data breaches in line with GDPR. With an ever-increasing rise in cybercrime it makes sense to do as much as we can to prevent attacks on our company. I can honestly say that I feel much more confident in our security now and would highly recommend others to carry out this process. Thanks again for considering us for the funding, much appreciated.”

CCTV Wales Limited (Compliance Supervisor: Steve Gallagher) “…to ensure that all customer data and company information is properly protected allowing the company to enhance their service and support Cybersecurity in the area.”

David W.Harris & Co. Solicitors (Practice Manager: Neil Startup) “We are now in the process of undertaking risk analysis and management relating to cyber security. We have updated our internal governance to include more detail on IT security, such as: maintenance of an asset register to include the addition or removal of any assets, Updated IT security and systems policies, Implementation of remote access control, Implementation of a protocol to manage remote devices with access to exchange accounts, Implementation of server password policies, Implementation of automatic screen lock down through user inactivity, Introduction of periodic penetration testing, Password Protection introduced for all electronic documents.”

Daydream Education (Operations Director: Wesley Paetel) “Reviewing and updating all internal cybersecurity awareness and reporting processes, reviewing all third-party anti-virus and malware applications, ensuring system security is reviewed regularly, and reviewing our disaster recovery processes as well as educating staff members about the dangers of cybersecurity and how to become more aware of threats.”

Guardian Property Services Limited (Business Development: Lauren Thomas) “It’s apparent that cybersecurity should be a priority of any business, irrespective of size. Having the right level of knowledge and preparation is vital to minimise and control damage, as well as an understanding of the consequences of a breach and how to recover.”

Health & Her Limited (Marketing Director: Kate Bache) “Collecting, protecting and processing sensitive customer data to improve our understanding in the therapeutic areas of female health, including menopause and menstrual wellbeing.”

Masons Moving Group Limited (Financial Controller: Robert Power) “Protecting the business from online harm is of paramount importance and the Guide has enabled us to implement new security and knowledge to ensure cyber threats are eliminated. These new systems will be monitored frequently and updated when necessary.”

Masons Self Storage Limited (Marketing Manager: James Mason) “The Guide has been extremely helpful in helping our business truly understand the impact cyberattacks can have on a small business. We have ensured brand new office procedures have been put in place with efficient regimes of how we hold and process all types of data.”

PLF Wealth Management Limited (Director: Jeremy Freeman) “Your Guide has made me appreciate the myriad of potential cybersecurity attacks that my small firm has to be aware of, and the steps we as a company need to take to protect our data and network from becoming a victim of these attacks. As a small business our in the financial services arena, we control large amounts of personal data and sensitive data which could make us a viable target to such attacks.”

The Business Centre (Cardiff) Limited (Centre Manager: Emma Mason) “Reading the Guide has given me great knowledge on how to protect our business from online harm. Using this knowledge has enabled us to put new office processes and procedures in place to ensure that we are protected. We have looked closely at how we hold and process our data.”

IP Wales Online Initiative (2017-2020)

IP crime is traditionally viewed as counterfeiting (false branding) and piracy (illegal copying) but cybercriminals (& some state players) are increasingly coming to recognise the value of confidential data held by businesses, be it sensitive information about the business operation (trade secrets) or customer information such as passwords and credit card details (made even more topical with the arrival of the EU General Data Protection Regulation 2016).

These attacks on confidential data are happening globally with increasing rapidity and ever more complexity. Zero-day vulnerabilities (where hackers have discovered and exploit a software security breach before a fix is available) are increasing exponentially.

In response our award-winning business support initiative IP Wales has launched a new Online Initiative 2017-2020, the aim of which is to help small/medium sized enterprises (SMEs) to protect their IP from online threats.

SMEs are particularly vulnerable to cyberattack, with our research (commissioned by the Welsh Government) showing that many take little or no precautions against cyber threats, in the mistaken belief that they are too small to attract the cybercriminal’s attention, or that they don’t possess any data worth stealing. Examples of cyberattacks on SMEs have included:-

• IP ‘Theft’ (i.e. trade secrets), the loss of which seriously undermines a company’s attractiveness to both investors and prospective buyers of the business.

• Ransoming of Data, where the business is coerced into paying off hackers in order to retrieve or access stolen or encrypted data.

.• ‘Theft’ of Customer Data (including payment details) which exposes the business to lawsuits, regulatory fines for improper handling of personal data, and reputational damage.

Our website www.ipcybersecurity.co.uk is dedicated to helping SME Boards of Directors to better understand and better protect their business from this increasing threat of IP cybercrime. It also acts as a repository for our research into emerging trends in Cyber-Risk oversight, offering free Briefing Guides for the IP Service Community (IP active Solicitors and Patent Attorneys) on:-

Protecting Trade Secrets Using Employment Law

Cyber Defence

SMEs Outsourcing Cybersecurity Incident Response & Data Recovery Activities

Who is threatening SME Clients & Why?

SMEs Reporting IP Cybercrime

First Intergovernmental Standard on AI & Cyber Risk Management

In giving evidence to the Public Accounts Committee (PAC) on Cybersecurity in the UK Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) asserted, “the law of the sea 200 years ago is not a bad parallel” for the “big international question” of cyberspace governance today (see Public Accounts Committee Oral evidence: Cyber Security in the UK, HC 1745 [1st April 2019] Q93).

In making this assertion Sir Mark may have had in mind articles such as Dr. Florian Egloff’s Cybersecurity and the Age of Privateering: A Historical Analogy in which the author asserted: 1. “Cyber actors are comparable to the actors of maritime warfare in the sixteenth and seventeenth centuries. 2. The militarisation of cyberspace resembles the situation in the sixteenth century, when states transitioned from a reliance on privateers to dependence on professional navies. 3. As with privateering, the use of non-state actors by states in cyberspace has produced unintended harmful consequences; the emergence of a regime against privateering provides potentially fruitful lessons for international cooperation and the management of these consequences.”

In our IP Wales Guide on Cyber Defence we note: “Since 2004, a UN Group of Governmental Experts (UN GEE) has sought to expedite international norms and regulations to create confidence and security-building measures between member states in cyberspace. In a first major breakthrough, the GGE in 2013 agreed that international law and the UN Charter is applicable to state activity in cyberspace. Two years later, a consensus report outlined four voluntary peace time norms for state conduct in cyberspace: states should not interfere with each other’s critical infrastructure, should not target each other’s emergency services, should assist other states in the forensics of cyberattacks, and states are responsible for operations originating from within their territory.

The latest 2016-17 round of deliberations ended in the stalling of the UN GGE process as its members could not agree on draft paragraph 34, which details how exactly certain international law applies to a states’ use of information and communications technology. While the U.S.A. pushed for detailing international humanitarian law, the right of self-defence, and the law of state responsibility (including the countermeasures applying to cyber operations), other participants, like China and Russia, contended it was premature.”

Indeed China has gone further and condemned the U.S.A. for trying to apply double standards to the issue, in light of public disclosures of spying by their own National Security Agency (NSA).

Sir Mark went on to reveal that because cyberspace governance is being only partly addressed through the UN, “we are looking at coalitions of the willing, such as the OECD and some other countries that have similar systems to ours, to try to approach this.”

Evidence of this strategy in operation can be seen at Ministerial Council Meeting of the Organisation for Economic Co-ordination and Development (OECD) on the 22nd May 2019 when 42 countries adopted five value-based principles on artificial intelligence (AI), including AI systems “must function in a robust, secure and safe way throughout their life cycles and potential risks should be continually assessed and managed.”

The recently created UK National Cyber Security Centre (NCSC) has sought to give substance to this principle through offering new guidance on cybersecurity design principles. These principles are divided into five categories, loosely aligned with the stages at which a cyberattack can be mitigated: 1. “Establishing the context. All the elements that compose a system should be determined, so the defensive measures will have no blind spots. 2. Making compromise difficult. An attacker can target only the parts of a system they can reach. Therefore, the system should be made as difficult to penetrate as possible. 3. Making disruption difficult. The system should be designed so that it is resilient to denial of service attacks and usage spikes. 4. Making compromise detection easier. The system should be designed so suspicious activity can be spotted as it happens and the necessary action taken. 5. Reducing the impact of compromise. If an attacker succeeds in gaining a foothold, they will then move to exploit the system. This should be made as difficult as possible.”

Alec Ross (Senior Advisor for Innovation to Hillary Clinton as U.S. Secretary of State) warns that, “small businesses cannot pay for the type of expensive cybersecurity protection that governments and major corporations can (afford)” A Ross, Industries of the Future (2016). It remains to be seen to what extent cybersecurity design principles will become a financial impediment to small business engaging with AI developments in the near future.