17 January Weekly podcast: US government websites, Liberia DDoS attacker and no-deal Brexit

This week, we discuss how the US government shutdown is affecting federal websites’ security, the sentencing of a man who knocked Liberia’s Internet offline with a botnet, and what a no-deal Brexit means for data protection

Hello and welcome to the IT Governance podcast for Thursday, 17 January 2019. Yes, I did just say Thursday. It’s taken a while, but as we record and release these podcasts on Thursday afternoons, we thought might as well say so.

Here are this week’s stories.

The US government shutdown, caused by the funding row over President Trump’s wall, has rendered dozens of federal websites “either insecure or inaccessible” because expired digital security certificates have not been renewed – according to an investigation by Netcraft.

With 800,000 federal employees – including IT staff – on full or partial leave thanks to the shutdown, websites belonging to NASA, the US Department of Justice and the Court of Appeals, as well as numerous others, have been affected.

According to Netcraft’s Paul Mutton, more than 80 TLS certificates used by .gov websites have now expired and not been renewed. For instance, the DoJ’s website uses a certificate that expired on 17 December last year and, thanks to Chromium’s HSTS preload policy – a security measure that prevents browsers such as Chrome and Firefox from visiting HTTPS sites with expired certificates –many users now can’t access it.

This is a sensible, if inconvenient precaution: as Netcraft points out, if you have to choose between security and usability, security has to win. Far better to restrict users’ access than leave them open to the risk of man-in-the-middle attacks.

However, not all federal sites implement correctly functioning HSTS policies. As Mutton added: “As more and more certificates used by government websites inevitably expire over the following days, weeks – or maybe even months – there could be some realistic opportunities to undermine the security of all U.S. citizens.”

Wired, meanwhile, goes further, warning that “sophisticated hackers may use the shutdown as an opportunity to infiltrate inconspicuous, backwater federal networks, which they could then use as a launchpad to penetrate more valuable government targets”.

A criminal hacker who knocked an entire country offline has been jailed for 32 months. Thirty-year-old Daniel Kaye, from Egham in Surrey, admitted conducting a DDoS (or distributed denial of service) attack on Liberia’s leading mobile phone and Internet company, Lonestar, in 2016 at the request of an employee of Lonestar’s competitor Cellcom.

However, the Mirai-based botnet he used sent so much traffic to Lonestar’s systems that the entire Liberian Internet was disrupted.

According to the BBC, Liberia’s Internet at the time “was dependent on both a small number of providers and a relatively limited Atlantic cable. European nations, by comparison, have a vastly more secure internet because traffic can reach users through many different connection routes”.

Thanks to Kaye’s actions, “the country’s internet repeatedly failed between 3 November and 4 November 2016 – disrupting not just Lonestar but organisations and ordinary users up and down the state.

“This is believed to be the first time that a single cyber attacker had disrupted an entire nation’s internet – albeit without intending to do so.”

Kaye’s botnet was also linked to a series of other attacks, including those on Deutsche Telekom and the British banks Lloyd’s, Barclays and Halifax, but charges relating to them were formally dropped at Blackfriars Crown Court last Friday.

Kaye’s lawyer, Jonathan Green, tried to downplay the incident. “We say that a relatively slow internet service became slower,” he said. “It is not accepted that this was a direct threat to Liberia.”

However, Mike Hulett, the head of the National Cyber Crimes Unit at the National Crimes Agency, said: “I regard Daniel Kaye as one of the most significant cyber criminals arrested in the UK. He has a significant level of skill. The attacks that he carried out were not victimless.”

And finally, we can’t ignore this week’s Brexit developments. A reminder, then, that even if we leave the EU with no deal, the EU GDPR (General Data Protection Regulation) will still apply in the UK – its requirements have already been incorporated into UK law by the Data Protection Act 2018, and the Regulation itself will be amended by the proposed Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and enacted in UK law by the European Union (Withdrawal) Act 2018 as the UK GDPR.

If your organisation processes personal data, it still needs to comply.

An important area to consider is cross-border data transfers. The government has stated that it will permit personal data to continue to flow from the UK to the EEA (European Economic Area) and Gibraltar post Brexit, so if you rely on EU data processors you shouldn’t be affected. However, if your organisation processes personal data relating to residents of the remaining 27 EU member states, things get more complicated.

At the point the UK leaves the EU, it will be classified as a third country. Chapter V of the GDPR states that personal data can be transferred to third countries under two circumstances:

  1. On the basis of an adequacy decision – a mechanism that allows the transfer of personal data to third countries that afford it adequate level of protection (as set out in Article 45 of the GDPR); or
  2. When subject to appropriate safeguards (as set out in Article 46). These may be provided by:
    • Legally binding and enforceable instruments;
    • Binding corporate rules (explained further in Article 47);
    • Standard data protection clauses;
    • Approved codes of conduct; or
    • Approved certification mechanisms.

(There are also a number of derogations for specific circumstances, which are listed in Article 49.)

The UK government has said it will seek an adequacy decision from the European Commission, but the Commission has stated that a decision cannot be taken until the UK is a third country – i.e. after 29 March. And the process takes time: the last third country to strike such a deal was New Zealand, and that took about four years. In the event of a no-deal Brexit there will be no transition period and therefore no time.

Organisations in the UK that receive personal data from the EU (including data centres) will therefore need to make sure that alternative lawful mechanisms for data transfers, such as standard contractual clauses or binding corporate rules, are in place by 29 March.

For more information on how you’ll be affected, read our blog GDPR: What will happen after a no-deal Brexit?

And you might also be interested in our new GDPR FAQ pages. If you have a question that hasn’t been answered, do let me know and I’ll try to add it. Alternatively, if you have a more complex query, you can ask one of our consultants via our GDPR Ask Us service.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.