Maria Grazia Porcedda, Trinity College Dublin
At the onset of the pandemic several websites purporting to provide information on Covid-19 appeared overnight; while some aimed at spreading fake news, others intended to infect users, in cybercrime parlance, with computer viruses. This was an early sign of the wave of cybercrimes to come, as demonstrated by data published by the Central Statistics Office in June. Cyber offenders impersonated WHO officials and did not spare hospitals, which led European Commission President Ursula von der Leyen to publicly denounce the attackers. Europol was among the first organizations to issue early warnings against increased exposure to cyber attacks, which spanned the full gamut of cybercriminals’ modus operandi and stressed the importance of cyber security at a time of increased reliance on digital infrastructure. This blog discusses a number of the legal questions raised by the cyber security implications of learning and working from home, contact logging and tracing.
Increased risks when Learning and Working from Home
The sudden move of students and the workforce to online environments en masse offered abundant opportunity for cyber offenders, which led the National Cyber Security Centre to issue dedicated advice to support teleworkers – and arguably also their children. How many, however, will know and be able to implement the advice? Moreover, new platforms to work (and socialise) took hold perhaps too quickly for the adequate performance of due diligence; for instance, it was only after the many vulnerabilities and privacy-unfriendly settings were exposed that Zoom took steps to patch its software. The human is the weakest link in security, and a grounded and pressurised workforce can easily lower its guard online, thereby becoming vulnerable to attacks. According to the latest data released by the Central Statistics Office, for instance, account takeover frauds were up by +56% in Q1 2020.
A unified approach to cybercrime transposing Directive 2013/40/EU into Irish law only came into effect three years ago, thanks to the Criminal Justice (Offences Relating to Information Systems) Act 2017. Convictions for cybercrime take years to be reached and are notoriously low (a case in point being the UK CMA 1990), which questions the deterrent effect of the law. Under the circumstances, the need for prevention cannot be overstated. There is no overarching legal obligation to secure computer and information systems, though there are a number of provisions to this effect deriving from the patchwork of laws with cyber security import (also available here). Could the protection of the workforce from cybercrime be part of the obligations incumbent upon the employers to provide "equipment, tools, machinery and technology commensurate with the tasks" discussed by Desmond Ryan in his blog on Working from Home?
Incidents with reporting obligations
Cybercriminals stop at nothing, as shown by the attack suffered by research institutions developing a Covid-19 vaccine aimed at gaining access to intellectual property and attributed to APT29. Sometimes the protection offered by IT services is not enough, but workers’ home connection and personal devices may be even more vulnerable to offenders – whether they are after trade secrets or payroll data. Some of these incidents are subject to notification and reporting obligations, and the victim may pay dearly if such incidents happened as a result of their failure to implement adequate technical and organisational measures, as is the case with the GDPR and The Measures for a High Common Level of Security of Network and Information Systems Regulations 2018. Earlier this year Ireland ranked second in Europe for data breach notifications under the GDPR; this may simply mean that Irish firms are more compliant, but it should not be forgotten that Ireland houses data-intensive services. The likelihood that designated employees of Operators of Essential Services may work from home is low, but the scenario of cyber security breaches resulting from working from home is not. This raises important liability questions to be explored in further work by the Observatory.
Increased risks from data and technology-driven responses to Covid-19
Increased exposure to cybercrime may also derive from the attempts to log and trace contacts to ease pandemic lockdown. The first and foremost thought goes to contact-tracing apps Ongoing research from Stephen Farrell and Doug Leigh at Trinity has revealed that Google may be able to harvest data from the Irish app through Google Play Services. Their research uncovered issues with the Bluetooth standard which, for instance, reduce the efficacy of the contact-tracing app and expose it to replay attacks. Bluetooth is not immune to flaws. In August 2019 a team of researchers unveiled the Key Negotiation of Bluetooth, a vulnerability affecting the majority of devices supporting Bluetooth. Ars Technica reported that the weakness, which is invisible to Bluetooth apps and operating systems, allows “hackers to intercept keystrokes, address books, and other sensitive data sent from billions of devices”. Quickly released software updates allowed vulnerable systems to be patched, but this reminds us of the fact that ‘mobile devices’ are at least as insecure as other machines, and that whoever has access to the machine, whether legitimately or not, can jeopardise the security of the information stored therein. This could undermine the uptake of contact-tracing apps as well as, as Andrea Pin rightly notes, eventually prevent them from passing a proportionality test.
Technology is not the only source of risk, however. In an earlier post I suggested we need to pay attention to manual contact logging operations, which are currently taking place under the radar. The fact that the collection of these data do not adhere to data protection standards (and follow unclearly worded advice, discussed by Oran Doyle in several posts), may raise the risk of their improper disposal. This would be a treasure trove for potential offenders and worsen the tally recorded by the Central Office of Statistics for Q1 2020, whereby phishing (email)/Vishing (voicemail)/Smishing (text messaging) frauds were up by 45%.
Conclusion
Moving the bulk of learning and working activities online during lockdown was tied to the necessity of the moment and people willingly made the sacrifice. However, trust is as important an ingredient for operating in cyberspace as it is for public life. In a recent Dáil Éireann debate, Minister Eamon Ryan was asked about “the level of preparedness of Ireland to protect against cyberattack”. A comprehensive response to the question needs to embrace defence and civilian matters alike. Students, workers (and employers) cannot be left to fend off cyber attacks on their own insecure devices and connections, and with unclear distributions of liability. This question is certainly bigger than the pandemic, though it may foster legislative responses that put the protection of users at the forefront.
Maria Grazia Porcedda is Assistant Professor of Information Technology Law at Trinity College Dublin.
Suggested citation: Maria Grazia Porcedda, ‘Covid-19 and cyber security: averting cybercrime, safeguarding data and protecting people’ COVID-19 Law and Human Rights Observatory (31 July 2020)
Return to home page of the COVID-19 Law and Human Rights Observatory.