As some of you probably know, or may even have been affected by it, an American retail giant has suffered a massive security breach: as many as 40 million customers may have had their credit and debit card data stolen. As reported by KrebsOnSecurity, the attackers gained access to the company’s data infrastructure. What is worth noting is that the theft did not affect online shopping but actual in-store operations, since the stolen data came from the cards’ magnetic stripes; if the attackers also managed to intercept PIN numbers, they might be able to recreate the cards and siphon money straight from ATMs. Yesterday an official statement was issued by the company’s CEO, Gregg Steinhafel.
The recent EP directive, which replaced Council Framework Decision 2005/222/JHA, at first glance does not seem to differ much from the retired document: specifically, it attempts to push the law into the territory of more sophisticated attacks without tinkering too much with the already established guidelines and, nomen omen, framework. The most significant addition is probably the mention of botnets. This approach to up-to-date network security problems gives hope for reasonable and professional law. Unfortunately, the directive also copies many of the troubling solutions that were part of the original document.
Some attention should be paid to the preamble, which in most cases is, let’s face it, padding. Here, however, it is important for getting a grasp of the thought process behind the law, as unfortunately its purpose is not always obvious. First of all, a lot of emphasis is placed on larger-scale, more economically damaging attacks, including the aforementioned botnets. It seems that the current trend in cybercrime prevention is set to protect enterprise targets rather than individual, ‘private’ networks. Even though it might seem almost a cliché that big corporations get more from the law than common citizens, it is hard not to agree with the assessment. Attacks on single computers are common and, most of the time, almost impossible to trace. Furthermore, in purely quantitative terms, the damage to the economy is certainly more significant when companies are affected. It is almost needless to say that in modern times, with increasing reliance on digital services, a successful breach can disable a smaller company. Second, as usual with EP directives, the need for harmonization is emphasized. Again, this is quite obviously a fair point, especially given the borderless nature of cybercrime. Perhaps a more important point is the underlining of the importance of providing adequate training for law enforcement and the judiciary. In Poland, the lack of qualifications becomes especially visible when dealing with lesser crimes. These are reported to local police stations, where ordinary officers do not even know how to approach the subject. Observing the current situation, it becomes obvious that a significant shift in policy is required: it is no longer possible to afford not to train every police officer in at least the basics of cybercrime. Finally, compared to the earlier act, the part about respecting privacy and protecting fundamental rights has been extended. To what degree this is a reaction to the NSA leaks remains an open question.