2019 end of year wrap

It’s the end of another year (and another decade).

Close out your final tasks, prepare for the inevitable summer feasting, and join us as we recap five cyber security and privacy themes that captured our attention in 2019.

  1. The fractured world of cyber affairs – is cooperation fraying just as things heat up?
  2. The scourge that won’t go away – clearing bins, paving footpaths and paying ransoms: a checklist for city councils in 2019
  3. Play with your toys – on privacy regulators who are unafraid to fine
  4. An inconvenient comparison – the emerging parallels between climate change and digital issues
  5. And then a hero comes along – we pose a question: ‘who will be our Greta?’


The fractured world of cyber affairs

Let’s start on the world stage.

Did it feel like cyber security and privacy were overshadowed in 2019, without a global-scale, highly disruptive cyber-attack to catch our attention? After all, this is the decade that gave us Stuxnet, the Sony Pictures breach, Cambridge Analytica and WannaCry.

In 2019, more column inches seemingly went to non-digital matters – ongoing civil dissent in Hong Kong, trade wars, and the US going perilously close to military action against Iran.

But peer a little closer and it was far from quiet on the cyber front.

In June, Israel responded to Hamas cyber-attackers with a physical strike. Hackers also caused disruption at a US power grid. Neither incident was of the scale of a “Cyber Pearl Harbour” – the kind we’re told repeatedly to fear, even here in Australia. But both were firsts of a kind – physical retaliation to digital aggression and the first cyber disruption of the US power grid.

Then there was the cyber-attack on Australia’s Parliament, reportedly by China. Coming just months before Australia’s May Federal election, the hack raised the spectre of election interference akin to the 2016 (and 2020) US elections.

It all leaves us pondering the state of diplomacy in cyberspace in 2019. Co-operation and leadership on the global stage have arguably weakened, not just in cyber affairs but in matters of defence generally (see the prognosis on NATO).

Traditionally strong leadership from the US on cyber affairs has been under the spotlight. Key roles like that of White House cyber coordinator have been eliminated (by President Trump’s national security adviser John Bolton, who himself was eliminated as adviser by Trump halfway through 2019).

The result appears to be a strengthening of the hand of China, North Korea and Russia in discussions about how the internet will be governed. A few months ago the United Nations adopted a cybercrime resolution against the wishes of the US and civil liberty advocates.

The Australian Government’s contribution to this dialogue also came under fire from policy analysts this year. The critics decry that the future national cyber security strategy appears to have dropped its commitment to a free and open internet.

The scourge that won’t go away

Stepping down from the rarefied atmosphere of global affairs and nation states, let’s turn our attention to cities and towns. “All politics is local” goes the saying in the US, and in 2019 a sizeable number of cyber-attacks were too.

Baltimore, Pensacola, Atlanta and, most recently, New Orleans are just a few of the dozens of US cities and counties brought down by ransomware attacks in 2019. The attacks caused widespread disruption – halting property transactions, crippling the court system, preventing the payment of bills and costing ratepayers millions in recovery costs.

The vulnerability of these US cities to ransomware is attributed to their reliance on ageing, legacy infrastructure that isn’t patched.

The spate of ransomware incidents also elevated the discussion about the merits of paying ransoms. Official advice (and some polling) comes out strongly against forking out. But hell hath no fury like a rate-payer scorned – and the pressures of explaining disrupted services to angry residents proved too onerous for many officials, with more than one city opting to pay the ransom.

Sadly, more ransomware infections and even higher ransoms are likely on the cards again in 2020. Solutions exist – both technical and human – but it appears they are not always so easily implemented.

Play with your toys

An inflatable pink flamingo for the pool, a USB-powered toothbrush or wifi-enabled socks – what odd trinkets and strange gadgets lie under your tree, waiting to be unwrapped on Christmas morning?

Data protection authorities got some big toys last year, like the General Data Protection Regulation (GDPR) and the Notifiable Data Breaches scheme. By mid-2019 they were giving those toys a solid workout, especially the shiny new fining capabilities. The UK’s Information Commissioner’s Office (ICO) used GDPR to whack British Airways over the head with a sizeable £183 million fine for its 2018 breach. It then shot a £99 million Nerf dart at Marriott for its breach in the same year.

Across the Atlantic, the Americans weren’t about to miss out on the fun. The US Federal Trade Commission warmed up by slapping a US$575 million settlement payment on Equifax for its 2017 breach. Then they fined Facebook US$5 billion (self-described as a “record-breaking” penalty) for a series of privacy violations, including the Cambridge Analytica scandal.

Closer to home, the Australian Government has just given privacy advocates an early Christmas gift by affirming its commitment to increase penalties under the Privacy Act.

An inconvenient comparison?

The year 2019 saw the convergence of major issues. When thousands of school children marched in support of action on climate change in September, our principal Melanie Marks noticed the links to our collective digital challenges:

I pondered why the climate rally had delivered so many to the streets now, when we have known about climate change for years?

Privacy harm is more nebulous. The potential policy issues are hard to solve for and engaging the public even more difficult.

– Melanie Marks, elevenM

Consensus, coalitions, cooperation, a need to address externalities … the ingredients for progress on climate change appear to overlap with our challenges in privacy and cyber security.

There was progress this year in establishing a standard for climate-change-related financial risk disclosures. It’s a project driven by the Financial Stability Board, a G20 body that is also driving a coordinated approach to managing cyber security in the global financial system.

The premise is to make more transparent the financial risks posed by climate change. A local investor group puts it this way: “When you have the data around assets, countries and companies, you change the way you allocate capital, it changes the way you assess risks, and it ultimately changes the economy.”

The same moves towards more data and more transparency were clearly apparent this year in efforts to protect the Australian economy against digital risks. The Australian Prudential Regulation Authority’s new information security prudential standard CPS 234, which took effect in July, is a clear example of this.

“We’ll be increasingly challenging entities in this area by utilising data driven insights to prioritise and tailor our supervisory activities. In the longer term, we’ll use this information to inform baseline metrics against which APRA regulated institutions will be benchmarked and held to account for maintaining their cyber defences.”

– Geoff Summerhayes, APRA executive board member

We see the same trend playing out with businesses we work with. At executive level there’s a strong desire for better quantification of digital risks and of how they’re being managed. Non-executive directors want to see privacy and cyber security measured and articulated like other risks in their enterprise risk frameworks.

Measuring the value and return of security investments also poses a challenge. There’s been a boom in security tools and products, but we’re now hearing more from Chief Information Security Officers who want to measure and extract value from that tooling – a problem our Senior Project Manager Mike Wood delved into earlier this year.

And then a hero comes along

Greta Thunberg is 2019’s person of the year. “Meaningful change rarely happens without the galvanizing force of influential individuals”, said TIME magazine’s editor-in-chief in awarding the honour.

Maybe what we’re lacking is a figurehead for privacy, someone to catalyse global opinion and press for changes in how companies handle our personal information.

Audaciously, Mark Zuckerberg looked like he was trying to claim this mantle in April, when he stood under bright lights and a large banner proclaiming “The future is private”.

Social media might have atrophied attention spans, but not so much that we’d forgotten Cambridge Analytica, or missed Facebook’s other repeated privacy scandals this year. Most people clicked ‘thumbs down’ at Zuck’s proclamation and moved on with their day.

But our champion might have emerged, just less recognisable. Lacking the chutzpah of Miss Thunberg, but still much like an earnest school kid, Rod Sims raised his hand again and again in 2019 to be privacy’s biggest stalwart.

The ACCC chairman faced off against Google and Facebook repeatedly this year, arguing that they haven’t been playing nicely. In its Digital Platforms Inquiry, the ACCC and Sims laid bare how privacy is being fundamentally undermined in the digital age.

“It’s completely not working anymore. You are not informed about what’s going on and even if you were, you’ve got no choice because your choice is getting off Google or Facebook and not many people want to do that.

“We need to modernise our privacy laws, we need proper consent…we need new definitions of what is personal data, we need an ability to erase data and we need to require the digital platforms to just tell us very clearly what data is being collected and what’s being done with it.”

– Rod Sims, ACCC Chairman

This merging of privacy and consumer issues may well be the development of 2019.

Using Australia’s highly-regarded consumer law framework to prosecute the case for privacy would add the considerable muscle of the ACCC to the efforts of the Office of the Australian Information Commissioner in standing up for the privacy rights of Australian citizens.

Happily, in its response to the inquiry, the Government last week committed to many of the ACCC’s recommendations.

These steps forward on the enforcement of privacy are welcome. It’s still crucial, though, to remind ourselves why privacy matters to begin with. On Human Rights Day this year, elevenM Senior Consultant Jordan Wilson-Otto argued that we must go beyond advocating for privacy because of its utility as a competitive differentiator or as a driver of innovation. Privacy is fundamentally about guaranteeing dignity and respect and preserving that which is important to us as humans.

Signing off

And that’s a fitting note on which to end our thoughts for the year.

Throughout 2019, we’ve been privileged to work with terrific people from a diverse set of clients. These are people who are highly talented, well respected in their industries, and passionate about protecting their customers and staff from digital risks.

We’re grateful for the opportunities we’ve had to be part of your journeys, and look forward to continuing our conversation and collaborations in 2020.

Have a safe and joyous festive season.

The team at elevenM.

News round-up December 2019 — Ransomware attacks, phishing and online data breaches

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up:

It’s that time of year when the familiar faces who’ve been with you throughout the year get together to see you off into the holiday season. And so it is with the last news roundup for 2019. Regulars of the roundup – ransomware attacks, phishing and online data breaches – pop their heads up for one last hurrah, while focus sharpens just a little more on privacy and the ethical use of consumer data.

Privacy: The moral guidepost for a just society

On Human Rights Day, elevenM Senior Consultant Jordan Wilson-Otto highlights privacy’s fundamental role in human dignity and respect. He argues that advocating for privacy without recognising its position as a human right may prove unfruitful in the long term.


Today is Human Rights Day. It marks the day, in 1948, on which the United Nations General Assembly adopted the Universal Declaration of Human Rights (UDHR), which lies at the heart of the promotion of human rights under international law.

Privacy is one of the human rights articulated under the UDHR, and this year was a big one for privacy in Australia. We’ve seen a major shift in the regulatory landscape, which brings some exciting potential but also great risk should we take our eye off privacy’s origins as a human right.

Yes, privacy is having something of a revival. Over the last few years, we’ve seen a substantial increase in public awareness and renewed interest from lawmakers and regulators across the globe. Privacy is being talked about in a lot of new places, and in a lot of new ways. This is unsurprising. Data has become so central to modern economies that data (and therefore privacy) is now a key driver of productivity, and user data is so essential to the advertiser-funded digital ecosystem that it is both a measure of market power and a focus for consumer protection.

This year, the Australian Competition and Consumer Commission (ACCC) released its Digital Platforms Inquiry Final Report, which highlighted the intersection of privacy, competition and consumer protection. The ACCC recognised that strong privacy laws can support and even drive competition and consumer protection objectives – for example by addressing sources of market inefficiencies such as information asymmetries and bargaining power imbalances and by empowering consumers to make informed choices about how their data is processed. This, in turn, can increase competition and encourage innovation.

These themes were echoed and reinforced in the ACCC’s Customer Loyalty Schemes Final Report, released this month. Together, the reports signal a sustained focus on the ways in which data practices can raise competition and consumer issues. This represents a significant shift in the regulatory landscape and is likely to weigh heavily on how our privacy rights are managed in the coming years.

Principle and utility

Both the ACCC and the Productivity Commission argue for privacy in a way that is quite distinct from its position as a human right. They argue that privacy should be protected, but not because it is essential for our dignity and autonomy as individuals, or because it protects us from discrimination or preserves rights such as freedom of expression and freedom of association. They value privacy for its economic contribution, rather than as a necessary precondition for individual freedom and democracy.

And that’s fine, up to a point – there’s no harm in talking about the utility of human rights protection. For privacy advocates this can even be an effective strategy. Hitching privacy protection to these economic objectives provides a concrete and quantifiable argument for the protection of privacy, which may resonate in ways that the language of rights does not.

But arguments from utility are fragile. They only work when everything is pulling in the same direction. When the trade winds inevitably change and privacy is seen to stand in the way of competition or innovation, its utility falls away. By ignoring privacy’s intrinsic value, utilitarian arguments give us no way to weigh privacy against competing interests.

So it’s important that utility doesn’t become our only strategy. We need to keep in view the intrinsic value of privacy as a fundamental human right. As a human right, privacy carries a unique moral weight. It forms part of a universal baseline of dignity and respect to which we are all entitled, a baseline that has endured, with near-universal consensus, for over 70 years. Human rights like privacy provide the moral guideposts for a just, equitable and humane society.

If we become too focused on the practical utility of privacy, we risk losing sight of its deeper significance. If that happens, we risk trading it away for less than it is worth.