Part 3 - How cybersecurity transcends personal data breaches, and why hacking is not a crime: A Conversation with Cyber Lawyer Annie Haggar.
This blog concludes our 3-part series interview featuring Annie Haggar, Principal at CyberGC. In Part 3, we get Annie’s insights on consumer versus contract breaches and the idea of safe harbor for security researchers.
Vaughan: On another note, DP World is intriguing because we often discuss data breaches where citizens have their data stolen, and more often than not, the company bears no direct consequences. It usually involves fines, sanctions, and other subsequent actions. But what about situations like DP World, where ransomware, as far as we know, didn't result in a data breach? The only impact on citizens was the inability to get freight delivered. Similarly, considering the disruption of operations to critical infrastructure, a denial-of-service attack on a bank, for instance, can also be a concern. We've witnessed major DDoS attacks lately, seemingly politically or ideologically motivated, beyond pure data breach and ransomware.
Can you elaborate on how these denial-of-service or disruptive operations can affect an organization from a legal standpoint?
Annie: Certainly. The reason why we often emphasize personal data and privacy breaches is due to existing legislation and consequences in that area. Cyber breaches involving personal data loss or compromise are typically under legal scrutiny, mandated to meet specific standards and carry legal ramifications. However, I've long argued that cybersecurity extends beyond personal data breaches.
Examining risks to critical infrastructure, such as those addressed by initiatives like SOCI, involves dealing with threats like denial of service or compromise of systems, leading to system interruption. Instances like the Florida water attack or the Colonial Pipeline attack focused on taking critical systems offline, causing significant disruption.
While there's a national security angle to this, from a legal perspective, an organization facing a breach that isn't a personal data breach, and thus not particularly liable under the Privacy Act, introduces a unique scenario. Although it's rare to have a cyber breach without some compromise of personal data, scenarios like DP World, where it's not millions of records but involves small numbers or actual systems lockup preventing normal operations, present a different legal profile.
The legal ramifications stemming from such incidents, beyond reputational damage and loss of trust, primarily lean towards contractual breaches. For instance, if a port provider has contracts specifying container delivery timelines and daily processing quotas, the aftermath of a cyber breach that locks up systems might result in contract breach claims. These claims would arise from companies facing losses due to their reliance on the expected goods and services not being delivered as agreed upon.
Vaughan: Likely resulting in smaller damages, right? I mean, if a payment network goes down, businesses could be losing thousands or even millions of dollars per hour. Consider the recent Optus outage where entire businesses couldn't operate for an entire day, leading to significant revenue losses. There have been discussions in the media about whether or not Optus should compensate those affected businesses.
Annie: The resolution of this issue hinges on their terms of service and contracts with consumers and businesses for telecommunications and internet services. Hence, it comes down to a contract breach rather than a personal data-related concern. The progression and viability of potential contract breach claims remain uncertain. Those considering such claims must demonstrate significant loss, link it back to a breach of what Optus had agreed to provide, and show how it aligns with the terms of the contract.
Vaughan: Yeah, okay. Makes sense.
Shifting the focus to the liability of the individuals involved, let's discuss a recent US case. A few weeks ago, the SEC brought charges against SolarWinds' CISO, Tim Brown, charging him with security fraud for allegedly making knowingly false statements about the vulnerability of the SolarWinds software platform. Do you think we might see similar actions in Australia?
Annie: It's highly likely that regulators like ASIC will explore such actions against directors and officers of companies in Australia. They've already signaled their intention to hold directors accountable for ensuring their organizations take reasonable steps. It will be intriguing to observe whether they extend this accountability down the organizational hierarchy.
Annie: In the SolarWinds case involving Tim Brown, he had expressed security concerns internally, detailing them in internal reports sent to management. Subsequently, he was asked to sign off on market-facing documentation affirming the absence of security issues. What he did was knowingly sign a document that was not true.
The SEC isn't taking action against him for being a negligent CISO or for not prioritizing the right things. That's not what the action is about. The focus is on the fact that he knowingly made false and misleading statements in market documentation, including reporting to the securities regulator, akin to ASIC here, and that is considered fraud. It's crucial for anyone in the position of a CISO in Australia not to succumb to any pressure from executives to sign anything or include information in an annual report or public statement that contradicts what they know to be true within the organization.
Not only does it impact their personal integrity, but it's also deemed fraudulent, and no amount of insurance can protect an individual when they've engaged in fraudulent, criminally false statements in official documentation.
Vaughan: Right. Some individuals in the security industry have portrayed him as a victim, suggesting that being a CISO is no longer safe. When someone can face jail time for lacking complex passwords in the workplace, it raises concerns about the state of things. However, that's not the core issue here.
Annie: Absolutely. It boils down to deception. Even if you were attempting to safeguard your job by deceiving on behalf of your employer, it's comparable to a CFO concealing a factory fire to preserve profits. A similar case occurred with the Uber CISO who faced criminal charges, was found guilty, and received a jail term. The underlying theme was deception, covering up a breach with false statements, leading to criminal charges.
Vaughan: Can you elaborate on the Uber case? There seemed to be some creative manoeuvring where the threat actor approached him to extort money from Uber, and he turned it around, almost suggesting, "Thanks for the vulnerability assessment. How about a bug bounty?"
Annie: Exactly. Instead of asserting that the security research on their system was unauthorized and required reporting under US obligations, he took a different route. Denying it was a breach, he presented it as something they supported. He even offered a bug bounty as a token of appreciation. This is where the fraudulent aspect comes into play. It raises an interesting question, and I had hoped to see potential regulatory changes in the strategy that would establish a safe harbor for legitimate security researchers.
It would be beneficial for Australia to create a structured safe harbor arrangement that encourages necessary security research while safeguarding researchers. Currently, security researchers may unwittingly commit crimes as they conduct research, unless they are part of an officially sanctioned bug bounty program. It's a precarious situation for security researchers worldwide, and Australia has an opportunity to address this gap comprehensively.
Vaughan: So, Annie, can we expect your next CyberGC hoodie to say, "Hacking is not a crime" in summary?
Annie: Hacking should not be a crime. It just should not be a crime. Hack, hack, but don't do crimes. Right? Ethical hacking. Hacking by the good guys. But fitting "Ethical hacking is not a crime" on a hoodie might be too much text. Some marketing creativity is needed!
Vaughan: Now, shifting to matters closer to home, our local counterpart to the SEC is ASIC. Just last week or the week before, ASIC reported alarming gaps in corporate Australia's cyber resilience. So, how can we address this? How can cyber defenders prepare not only to defend their organizations against cyberattacks but also for the inevitable regulatory consequences that will follow?
Annie: The alarming gaps identified by ASIC reflect a maturity level of around one point something, which is disappointingly low compared to the desired level four. This vulnerability spans Australian companies, primarily regulated by ASIC. The situation is critical, as indicated in the strategy, especially for small and medium businesses. ASIC, being the regulator for all companies in Australia, from small sole director entities to large corporations, uses powers under the Corporations Act. Sections 180 and 181 are pivotal, with 180 emphasizing that directors and officers must take reasonable steps to protect against cybersecurity threats. Failure to meet this standard makes them personally liable under the Corporations Act. Other parts of the act apply to various organizations, like those holding a Financial Services license. In the recent RA Advice VIAC case, ASIC demonstrated that directors have a duty to protect against cyberattacks.
Vaughan: The fines in that case were substantial, right? Around $700,000?
Annie: The exact figure escapes me, but there were significant fines for individuals, and they faced potential sanctions on their Financial Services license, risking business operations being halted.
Vaughan: While some might consider it a mere slap on the wrist for wealthy companies, it sends a strong message to every organization.
Annie: Absolutely. It's about showcasing regulatory power and the potent individual liability of directors. Companies may have resources, but individuals don't. Threatening directors with personal consequences for neglecting cybersecurity responsibilities has shifted the landscape since the RA Advice case.
Vaughan: Well, a lot to ponder, Annie. Any final thoughts?
Annie: A piece of advice for cyber defenders—focus not only on the technical aspects but also on people, processes, and technology. Consistency is key; having great policies means nothing if they aren't followed. Cyber risk management should be holistic, considering the unique risk profile, data held, and available resources. It's not just about spending; it's about fostering a cybersecurity culture. Remember, cybersecurity is a team sport in 2024.
Vaughan: Excellent insights, Annie. Thank you for your time and expertise.
For those wanting to get in touch, visit www.cybergc.au. Wishing you all the best. Thanks again.