- Email: [email protected]
Mid-Atlantic security
z o n e
SA Mathieson [email protected]
Mid-Atlantic security Information security concerns in the UK and the Republic of Ireland bear similarities and differences within a common context — shaped by the US on the one hand and the EU on the other. SA Mathieson takes a comparative look at the infosec cultures of the two territories.
he two nation states which occupy the British Isles may be just a few dozen miles from continental Europe, but linguistically and culturally they lie somewhere across the Atlantic. Given US dominance of computing, the tension between Europe and America, seen in both Britain and Ireland, affects IT more than most industries.
T
The Republic of Ireland is perhaps more comfortable with the tensions. Despite having once rejected a European treaty in a referendum, it seems more comfortable with a European identity. For one thing it swapped the punt for the euro, while the UK still runs on sterling. American influence on the Republic comes from a host of hightech firms with bases in the country, including Apple, Dell and Google, as well as particularly strong historical and cultural links.
Infosecurity Today March/April 2005
The UK's economy is less dominated by American inward investment, but parts of its military — including its signals intelligence capability —often act as if they were wholly-owned subsidiaries, following a deal established at the end of the Second World War. Indeed, Echelon, a global eavesdropping network run by the US with the UK and other English-speaking nations (but not Ireland), is alleged to have been used to spy on French commercial interests for American ones.
Boston or Berlin
When it comes to civilian information security,America's influence is more pronounced in Ireland than the UK. Owen O'Connor, vice-president of the Information Systems Security Association (ISSA) in Ireland comments that:“The question that always comes up is the 'Boston or Berlin' one,” says. His answer is that European laws are gaining in importance, but that US ones still have a greater impact:“We were hit by things like HIPPA (the US federal Health Insurance Portability and Accountability Act) over the last few years,” he says.
European laws are gaining in importance, but [in Ireland] US ones still have a greater impact However, the European Union 1995 directive on data protection has produced a recent, substantial change in Irish information security law. It was implemented through the 2003 Data Protection Act, which augments rather than replaces the 1988 act of the same name.“The 1988 act established the concept of data controllers keeping data secure,” says Philip Nolan, a partner at Irish law firm Mason, Hayes and Curran. However, he adds that it was largely ignored by many companies.“The
climate in the last two or three years has changed — now, this is taken quite seriously.” This may be because section 2C of the 2003 act provides much more detail on data controllers' obligations, and obliges them to make these rules clear to staff, contractors and outsourcers.With the last group, data controllers must have a written contract with the outsourcer, and the act provides details of what that contract must include.“The upshot of that is, when we draft commercial contracts now, we tend to look at this statutory provision and draft the clause around it,” says Nolan, who adds that many organisations have got their houses in better order as a result of the new law. Brits light on law, heavy on compliance
The UK's version of the 1995 directive was passed in 1998. Shelagh Gaskill, a partner at UK law firm Pinsent Masons, says that the Data Protection Act is lighter than those of other EU countries — the European Commission wrote to the UK government to complain about deficiencies — but with much more rigorous compliance. “The rest of Europe would think our data protection law is a bit wishywashy, but companies spend a fortune implementing it,” says Gaskill. “Other lawyers from elsewhere in Europe tell me that their clients would not spend anything like so
22
22
z o n e
much money.” For example, the UK arms of continental European motor manufacturers tell Gaskill that the cost of compliance is “much higher than in other EU member states”. However, she adds that as long as this stricter compliance is taken into account when a database is under construction, it need not greatly increase the cost of data protection in the UK compared with other EU states. Gaskill says that extra regulations in other countries often concern issues such as consulting works councils about transfers of personal data:“But it doesn't mean that employees' personal data is any worse protected, it's just that the administration is different,” she says of the UK.
“The rest of Europe would think [UK] data protection law is a bit wishy-washy, but companies spend a fortune implementing it”
Penalties
There are differences between the two countries on penalties for computer misuse. Ireland has newer legislation: section 9 of the Criminal Justice,Theft and Fraud Act of 2001, while the UK's
Richard Starnes, president of the UK chapter of ISSA, complains that the UK act is weak.“We've been talking about increasing the penalties for the Computer Misuse Act for a number of years, and that's now been pushed back,” he says.“Sections two and three of the act have a maximum penalty of a five-year custodial sentence. Criminal misuse of copyright has a maximum penalty of 10 years. If a hacker breaks into a company and changes the system so that company can't operate and goes to the wall, are you telling me that it's a greater societal harm for someone to sell copies of Word out of a car boot?” And the 1990 act pre-dates the web, meaning there is some doubt as to whether a denial of service attack is covered. Richard Allan MP, IT spokesperson for the Liberal Democrats, a UK opposition party, describes the British legal framework as “fairly robust”, adding:“Most of the areas of concern are around enforcement.We do have strong data protection legislation, but there are questions around whether the information commissioner can enforce that.” Richard Starnes says that the police are understaffed and underfunded, even though the quality of squads such as that within London's Metropolitan Police is high. He says a detective sergeant doing a lot of overtime earns around £50,000, but could get £65,000 to £80,000 in the private sector.“There are only so many hours in the day, and only so many computer crimes officers for the case-load.They are simply spread too thin.Add to this their secondment to projects like paedophilia rings and
terrorism, and that exacerbates the issue.” Richard Allan agrees, and says the All-Party Parliamentary Internet Group, of which he is a member, has encouraged more self-policing.“When businesses are the target of e-crime, such as with the attempts to blackmail online betting sites, we wanted to look at to what extent cooperative work can take place,” he says, such as encouraging businesses to gather evidence to the standards required in court. Ripa
UK infosec is also touched by the Regulation of Investigatory Powers Act (Ripa) of 2000, which set out the powers of police, spies and other government investigators: the legislation came from the UK's justice ministry the Home Office, which under the current Labour government has developed a hard-line reputation. Ripa caused rows on implementation over who would pay for internet service providers to store months-worth of all their traffic data, in case investigators want to examine it, which look like they may now be re-enacted across Europe.* And one specific section allows government investigators to demand encryption keys through a secret process, which reportedly caused US investment bank Goldman Sachs to move its encryption key system from the UK to Switzerland (the bank refused to comment at the time).
Richard Allan MP: enforcement moot
Infosecurity Today March/April 2005
Both Ireland and the UK have data protection officers, as the 1995 directive instructs, and both tend to attempt to solve complaints by consensus, rather than legal action. However, Ireland's data protection commissioner, Joe Meade deals only with this subject, whereas Britain's information commissioner, Richard Thomas, also has to cope with the Freedom of Information Act, which came into force on 1 January this year: Ireland's equivalent was phased in between 1998 and 2002, and anyway has a separate information commissioner.As a result,Thomas and his staff may have less time to devote to data protection for a while.
Computer Misuse Act dates from 1990. “It has very strict penalties: unlimited financial penalties, 10 years in prison or both,” says Pearse Ryan, a solicitor for Irish law firm Arthur Cox, of the Irish act.“Whether it will be used is another matter.” He notes that the 1990 UK act has not been heavily used, although he adds that the Irish law provides “enough building blocks” to cope with varieties of computer misuse.
23
z o n e
Education
Away from the legal side, Owen O'Connor says that Ireland lacks the UK's specific Masters courses in information security. Partly as a result, he adds, the UK is leading on creating an institute to create a profession of information security.
Inforenz’s Clark: business is business Andy Clark, the co-founder of UKbased info-forensics investigator Inforenz, says he knows of no cases under the act. However, he says:“If I was a business, and I had a key infrastructure, I would want to comply with the laws in all territories in which I work. However, my major business is running my business.”And if a warrant under a law specific to one territory could seriously disrupt that business, he says it could be prudent to move that infrastructure outside that territory.
But that isn't stopping O'Connor from taking an MSc in forensic computing through a UK institution, illustrating his point that there is a considerable flow of people and ideas between the two countries.“We've a number of people who work in the UK, and we have UK citizens who come over here do security work,” he says, adding that “the UK is where we are most comparable to — I would see more differences between Ireland and continental Europe”. Although there are still tensions within Northern Ireland — and these are slowly diminishing, with a stuttering peace process having apparently ended major terrorist action — elsewhere, the British and
Irish tend to get on pretty well. Andy Clark says Ireland was the first place Inforenz chose to open an overseas subsidiary; he says that establishing relationships of trust is the key to getting business, and the firm felt Ireland was the best place to start.“Although one maybe very proficient and capable in a second language, when trust is involved, I think it's helpful to have a common language. It's easier to understand the cultural context.” UK information commissioner: www.informationcommissioner.gov.uk/ Irish data protection commissioner: http://www.dataprivacy.ie/ © SA Mathieson 2005. Supplied on the rights basis previously agreed with the publisher. * See http://www1.elsevier.com/homepage/saf/i nfosecurity/news/260105.ISPtrafficcollecti on.html
Infosecurity Today March/April 2005 25
SA Mathieson [email protected]
Mid-Atlantic security Information security concerns in the UK and the Republic of Ireland bear similarities and differences within a common context — shaped by the US on the one hand and the EU on the other. SA Mathieson takes a comparative look at the infosec cultures of the two territories.
he two nation states which occupy the British Isles may be just a few dozen miles from continental Europe, but linguistically and culturally they lie somewhere across the Atlantic. Given US dominance of computing, the tension between Europe and America, seen in both Britain and Ireland, affects IT more than most industries.
T
The Republic of Ireland is perhaps more comfortable with the tensions. Despite having once rejected a European treaty in a referendum, it seems more comfortable with a European identity. For one thing it swapped the punt for the euro, while the UK still runs on sterling. American influence on the Republic comes from a host of hightech firms with bases in the country, including Apple, Dell and Google, as well as particularly strong historical and cultural links.
Infosecurity Today March/April 2005
The UK's economy is less dominated by American inward investment, but parts of its military — including its signals intelligence capability —often act as if they were wholly-owned subsidiaries, following a deal established at the end of the Second World War. Indeed, Echelon, a global eavesdropping network run by the US with the UK and other English-speaking nations (but not Ireland), is alleged to have been used to spy on French commercial interests for American ones.
Boston or Berlin
When it comes to civilian information security,America's influence is more pronounced in Ireland than the UK. Owen O'Connor, vice-president of the Information Systems Security Association (ISSA) in Ireland comments that:“The question that always comes up is the 'Boston or Berlin' one,” says. His answer is that European laws are gaining in importance, but that US ones still have a greater impact:“We were hit by things like HIPPA (the US federal Health Insurance Portability and Accountability Act) over the last few years,” he says.
European laws are gaining in importance, but [in Ireland] US ones still have a greater impact However, the European Union 1995 directive on data protection has produced a recent, substantial change in Irish information security law. It was implemented through the 2003 Data Protection Act, which augments rather than replaces the 1988 act of the same name.“The 1988 act established the concept of data controllers keeping data secure,” says Philip Nolan, a partner at Irish law firm Mason, Hayes and Curran. However, he adds that it was largely ignored by many companies.“The
climate in the last two or three years has changed — now, this is taken quite seriously.” This may be because section 2C of the 2003 act provides much more detail on data controllers' obligations, and obliges them to make these rules clear to staff, contractors and outsourcers.With the last group, data controllers must have a written contract with the outsourcer, and the act provides details of what that contract must include.“The upshot of that is, when we draft commercial contracts now, we tend to look at this statutory provision and draft the clause around it,” says Nolan, who adds that many organisations have got their houses in better order as a result of the new law. Brits light on law, heavy on compliance
The UK's version of the 1995 directive was passed in 1998. Shelagh Gaskill, a partner at UK law firm Pinsent Masons, says that the Data Protection Act is lighter than those of other EU countries — the European Commission wrote to the UK government to complain about deficiencies — but with much more rigorous compliance. “The rest of Europe would think our data protection law is a bit wishywashy, but companies spend a fortune implementing it,” says Gaskill. “Other lawyers from elsewhere in Europe tell me that their clients would not spend anything like so
22
22
z o n e
much money.” For example, the UK arms of continental European motor manufacturers tell Gaskill that the cost of compliance is “much higher than in other EU member states”. However, she adds that as long as this stricter compliance is taken into account when a database is under construction, it need not greatly increase the cost of data protection in the UK compared with other EU states. Gaskill says that extra regulations in other countries often concern issues such as consulting works councils about transfers of personal data:“But it doesn't mean that employees' personal data is any worse protected, it's just that the administration is different,” she says of the UK.
“The rest of Europe would think [UK] data protection law is a bit wishy-washy, but companies spend a fortune implementing it”
Penalties
There are differences between the two countries on penalties for computer misuse. Ireland has newer legislation: section 9 of the Criminal Justice,Theft and Fraud Act of 2001, while the UK's
Richard Starnes, president of the UK chapter of ISSA, complains that the UK act is weak.“We've been talking about increasing the penalties for the Computer Misuse Act for a number of years, and that's now been pushed back,” he says.“Sections two and three of the act have a maximum penalty of a five-year custodial sentence. Criminal misuse of copyright has a maximum penalty of 10 years. If a hacker breaks into a company and changes the system so that company can't operate and goes to the wall, are you telling me that it's a greater societal harm for someone to sell copies of Word out of a car boot?” And the 1990 act pre-dates the web, meaning there is some doubt as to whether a denial of service attack is covered. Richard Allan MP, IT spokesperson for the Liberal Democrats, a UK opposition party, describes the British legal framework as “fairly robust”, adding:“Most of the areas of concern are around enforcement.We do have strong data protection legislation, but there are questions around whether the information commissioner can enforce that.” Richard Starnes says that the police are understaffed and underfunded, even though the quality of squads such as that within London's Metropolitan Police is high. He says a detective sergeant doing a lot of overtime earns around £50,000, but could get £65,000 to £80,000 in the private sector.“There are only so many hours in the day, and only so many computer crimes officers for the case-load.They are simply spread too thin.Add to this their secondment to projects like paedophilia rings and
terrorism, and that exacerbates the issue.” Richard Allan agrees, and says the All-Party Parliamentary Internet Group, of which he is a member, has encouraged more self-policing.“When businesses are the target of e-crime, such as with the attempts to blackmail online betting sites, we wanted to look at to what extent cooperative work can take place,” he says, such as encouraging businesses to gather evidence to the standards required in court. Ripa
UK infosec is also touched by the Regulation of Investigatory Powers Act (Ripa) of 2000, which set out the powers of police, spies and other government investigators: the legislation came from the UK's justice ministry the Home Office, which under the current Labour government has developed a hard-line reputation. Ripa caused rows on implementation over who would pay for internet service providers to store months-worth of all their traffic data, in case investigators want to examine it, which look like they may now be re-enacted across Europe.* And one specific section allows government investigators to demand encryption keys through a secret process, which reportedly caused US investment bank Goldman Sachs to move its encryption key system from the UK to Switzerland (the bank refused to comment at the time).
Richard Allan MP: enforcement moot
Infosecurity Today March/April 2005
Both Ireland and the UK have data protection officers, as the 1995 directive instructs, and both tend to attempt to solve complaints by consensus, rather than legal action. However, Ireland's data protection commissioner, Joe Meade deals only with this subject, whereas Britain's information commissioner, Richard Thomas, also has to cope with the Freedom of Information Act, which came into force on 1 January this year: Ireland's equivalent was phased in between 1998 and 2002, and anyway has a separate information commissioner.As a result,Thomas and his staff may have less time to devote to data protection for a while.
Computer Misuse Act dates from 1990. “It has very strict penalties: unlimited financial penalties, 10 years in prison or both,” says Pearse Ryan, a solicitor for Irish law firm Arthur Cox, of the Irish act.“Whether it will be used is another matter.” He notes that the 1990 UK act has not been heavily used, although he adds that the Irish law provides “enough building blocks” to cope with varieties of computer misuse.
23
z o n e
Education
Away from the legal side, Owen O'Connor says that Ireland lacks the UK's specific Masters courses in information security. Partly as a result, he adds, the UK is leading on creating an institute to create a profession of information security.
Inforenz’s Clark: business is business Andy Clark, the co-founder of UKbased info-forensics investigator Inforenz, says he knows of no cases under the act. However, he says:“If I was a business, and I had a key infrastructure, I would want to comply with the laws in all territories in which I work. However, my major business is running my business.”And if a warrant under a law specific to one territory could seriously disrupt that business, he says it could be prudent to move that infrastructure outside that territory.
But that isn't stopping O'Connor from taking an MSc in forensic computing through a UK institution, illustrating his point that there is a considerable flow of people and ideas between the two countries.“We've a number of people who work in the UK, and we have UK citizens who come over here do security work,” he says, adding that “the UK is where we are most comparable to — I would see more differences between Ireland and continental Europe”. Although there are still tensions within Northern Ireland — and these are slowly diminishing, with a stuttering peace process having apparently ended major terrorist action — elsewhere, the British and
Irish tend to get on pretty well. Andy Clark says Ireland was the first place Inforenz chose to open an overseas subsidiary; he says that establishing relationships of trust is the key to getting business, and the firm felt Ireland was the best place to start.“Although one maybe very proficient and capable in a second language, when trust is involved, I think it's helpful to have a common language. It's easier to understand the cultural context.” UK information commissioner: www.informationcommissioner.gov.uk/ Irish data protection commissioner: http://www.dataprivacy.ie/ © SA Mathieson 2005. Supplied on the rights basis previously agreed with the publisher. * See http://www1.elsevier.com/homepage/saf/i nfosecurity/news/260105.ISPtrafficcollecti on.html
Infosecurity Today March/April 2005 25