Wednesday 14 November 2018

'Cyber attacks are hard to defend against. It's like a goalie in a penalty shoot-out, only one needs to go in'

Ireland is the nexus of tech firms but we need to remain on alert to cyber attacks

Michael Bahar, Washington-based US leader of Eversheds Sutherland’s global cybersecurity arm
Michael Bahar, Washington-based US leader of Eversheds Sutherland’s global cybersecurity arm
Ailish O'Hora

Ailish O'Hora

In the past couple of weeks, a number of high-profile cyber attacks have highlighted the problems these aggressions pose for both governments and businesses alike. The city of Atlanta in the US is still reeling a week after a cyber attack locked the city out of its own computer system until a Bitcoin ransom was paid to the hackers.

Fitness brand Under Armour recently said that the personal details of about 150 million users of its MyFitnessPal nutrition website and app had been accessed in a breach.

As we know, these attacks are often complex, sophisticated and are indiscriminate - and can be extremely costly.

But according to Michael Bahar, the Washington-based US leader of Eversheds Sutherland's global cybersecurity and privacy practice, because Ireland is the nexus of international technology companies that understand cyber power, this makes us well positioned when it comes to understanding evolving cyber threats and the global regulatory environment.

"In general, by many indications, Ireland as a whole is ahead of the curve," he said.

"Also, while I am not commenting on the merits of the decision, Schrems II demonstrates a sophisticated understanding of the complex interplay between and among global regulations, which is also playing out in the US v Microsoft case before the US Supreme Court over Microsoft data held in Ireland," Bahar added.

Schrems II is a reference to a relatively recent decision by the High Court to grant the Data Protection Commissioner permission to refer a number of questions to the CJEU in the case of DPC v Facebook Ireland and (Austrian lawyer) Max Schrems.

Having said that, Bahar is under no illusions when it comes to the cyber security environment and warned that threats are becoming increasingly commonplace and are often perpetrated by nation state actors like North Korea and Russia.

"Cyber attacks present an ever increasing threat especially when you are up against determined nation-state actors," said Bahar, who previously worked as an adviser to former US president Barack Obama. "There are targeted attacks and they are really hard to defend against. It's like a goalie in a penalty shoot-out, only one needs to go in."

Last year's cyber attack at retail giant Musgrave Group brought the issue home, and it is feared that two-thirds of all economic crimes suffered by Irish businesses will be cyber-related by 2019. The attack on Musgrave, Ireland's biggest grocery distributor which operates household brands like SuperValu, Centra and Daybreak, involved malware, or malicious software, on a central network that was attempting to extract debt and credit card numbers, as well as expiry dates.

However, the software involved was not looking for the cardholder name, PIN or CVV numbers. While there is no evidence that any data has been stolen, Musgrave urged all customers to check their bank statements carefully as a result of the attack.

But there have been a number of high-profile cyber-crimes against leading Irish businesses, banks and State agencies.

In an earlier example, a group associated with the North Korean regime is the main suspect behind the €4.3m attack on Meath County Council.

Hacker attacks like WannaCry and Petya are becoming household names, and as Bahar highlights, many of them are indiscriminate.

A serious, global cyber-attack could result in damages of $121bn (€102bn) in economic losses, according to a report from Lloyd's of London.

According to Bahar, chief executives and boards of firms are increasingly concerned about cyber-security. They are "freaked out", he said.

"That and political instability, they are some of the major concerns and they are interlinked."

He added that the rise of political instability is largely a function of a return to great power politics in countries, and one of the primary tools these countries have is cyber tools.

"These countries are now engaged in competitive struggles for power and cyber is now an asymmetric tool," Bahar added.

"And they are willing to use them to advance their political agendas, not necessarily their economic agendas."

He said that in many ways data is the new commodity and there's competition to control it.

In the meantime, Europe is on the verge of introducing new data protection rules that will come into effect on May 25.

The General Data Protection Regulation is a set of rules designed to strengthen and unify data protection for all individuals within the EU while also addressing the export of personal data outside the region.

Businesses or organisations could face fines of up to €20m or 4pc of annual global turnover for non-compliance.

"A lot of these regulations are trying to figure out data transfer flows," said Bahar.

Although GDPR is an EU regulation, it will also have significance in the US, as it applies to any organisation in the world that processes the data of EU residents.

"GDPR is one attempt to deal with data, the Chinese have a different way but it is not as dissimilar as some people like to think, different states have different ways to deal with it.

"And corporations are increasingly caught in the middle of having to comply with conflicting regulations in different regions," he said.

Michael Bahar is a keynote speaker at the Dublin Data Sec 2018 conference where the GDPR is a central theme. Other speakers include Data Protection Commissioner Helen Dixon. Dublin Data Sec 2018 is an Independent News & Media event, please visit www.independent.ie/datasec2018 for further information and for ticket details.

Sunday Indo Business

Business Newsletter

Read the leading stories from the world of Business.

Also in Business