Cyber_Bytes Issue 68
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
RPC Cyber App: Breach Counsel at Your Fingertips
As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.
RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.
Cyber Security and Resilience Bill scheduled for 2025 parliamentary introduction
On 30 September, the UK Government confirmed that the Cyber Security and Resilience Bill (the Bill) will be introduced to Parliament by 2025. The Bill was introduced during the King's Speech in July, and largely aims to update the UK’s cyber defences and digital infrastructure following European legislation such as the Network and Information Security (NIS2) Directive and Cyber Resilience Act.
The Bill is anticipated to impose stricter rules regarding technical security and incident notification on a bigger pool of organisations classified as operators of essential services or relevant digital service providers. The wider applicability of the Bill is set to foster higher cybersecurity standards and promote a better understanding of ongoing cyber threats, particularly in relation to the increasing targeted threats on the UK's critical infrastructure.
Click here to read the government's recent update on the Bill.
Long-awaited changes to Australian Privacy Act
Following the Australian Federal Government's Privacy Act Review which commenced four years ago, the Government has finally introduced its first substantial amendments in an 81-page bill. The key changes include:
- New statutory tort to address serious invasions of privacy which previously did not exist. This is to assist individuals in seeking recourse for losses arising from breaches of privacy and will likely make businesses with large amounts of data more susceptible to class actions.
- Development of a Children’s Online Privacy Code to better protect children from online harms.
- Increased transparency for individuals on automated decisions which affected them.
- Streamlined information sharing during emergencies.
- Stronger powers for the Australian Information Commissioner.
- Criminalisation of 'doxxing' – i.e. releasing personal data in a menacing or harmful manner.
The proposed changes are mostly welcome; however, some expected implementations have been omitted from the draft bill. Click here to read more on this from Colin Biggers & Paisley, part of RPC's Global Access Network, and click here to learn more about the Network.
UK and allies issue joint cyber security warning amid China-linked campaign botnet
The NCSC and relevant bodies in the US, Australia, Canada, and New Zealand have issued a joint advisory informing organisations and individuals that Integrity Technology Group, a China-based company with links to the Chinese government and state actor, Flax Typhoon, has managed a botnet with over 260,000 compromised passwords around the globe.
The compromised devices are said to include firewalls, routers, webcams, and CCTV cameras – all devices which threat actors can use for a multitude of malicious activities. The joint advisory shares technical details to help organisations and individuals defend against the malicious activity as well as providing mitigation advice. It also highlights how unpatched and end-of-life systems can be exploited by threat actors.
Click here to read more from the NCSC and click here to read the joint advisory.
FGS Global's Leadership in Crisis report reveals cyber security remains key concern among business leaders
In FGS Global's recent report, 'Leadership in a crisis', around 500 business leaders have been polled and interviews have been conducted with several of the UK's most prominent CEOs; unsurprisingly, cyber risk has been pinpointed as the biggest threat due to the financial, reputational, regulatory and operational impact that a single attack can potentially cause to a business.
The report reveals that 36% of the businesses polled have faced a cyber-attack and, despite growing prevalence, there is still a limited understanding of cybersecurity and cybercrime. FGS further comment that not enough companies learn as much as they could from crises. Despite emphasis on cyber security, only 40% of companies have implemented technological updates, 33% have strengthened security measures and 31% enhanced their data protection initiatives.
Click here to download the Leadership in Crisis report to read more about cyber risks and other current concerns prevalent among business leaders.
TFL still feeling the effects of last month's cyber-attack, but NCA makes first arrest
On 1 September, TFL fell victim to an aggressive cyber-attack which is still impacting its key IT infrastructure and affecting live tube arrival times, refunds for contactless pay-as-you-go journeys, photo applications for new Oyster cards and staff access to systems. The incident has also exposed 30,000 employees' passwords and bank details for around 5,000 customers. So far, the incident is said to have cost several millions of pounds.
But in an unusual turn of events, the NCA may have found the first culprit behind this attack. It confirmed the arrest of a 17-year-old male who has since been questioned and bailed. Further details on the arrest have not been provided. However, Paul Foster, NCA deputy director and head of the agency's National Cyber Crime Unit, has commented that "The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued co-operation with our investigation, which remains ongoing."
Click here to read more from the NCA and click here for the latest update from TFL.
Ireland to expand scope of NCSC's powers in times of emergency
The Irish Government's General Scheme for the National Cyber Security Bill has revealed it plans to place the NCSC on a statutory basis and allow the security agency to monitor all internet traffic in the event of pressing national security threats. This update comes amid rising cyber-attacks and an uptick in foreign interference during general elections. Richard Brown, director of the NCSC, has stated these powers are similar to those granted to France's security agency during the Paris Olympics.
The powers will not be automatic. The NCSC will have to apply to the High Court for the monitoring powers and will only be granted them where there are real and persistent risks to security of the state, integrity of public sector data or continuity of essential services. It is not yet known when this Bill will become law.
Click here to read more from Finextra and click here to read the Irish Government's General Scheme.