Cyber-threat: a new collective responsibility
Events such as the massive, worldwide, lightning-fast spread of the WannaCry malware have made it clear that the risks associated with the use and processing of information are growing.
In our digital age, data now represents both wealth and opportunity. In its Science and Technology Outlook from the autumn of 2016, the OECD highlighted four digital technologies as particularly influential in the upcoming years: artificial intelligence, big data, the Internet of things, and blockchain. It is striking that all four of these have data as their fundamental element.
However, the use and processing of information now generate a growing number of significant risks, as events such as the spread of the WannaCry malware have made clear. For those same reasons, few would now dispute that WannaCry marks the boundary between a before and an after in the general perception of cyber-threats and of the need to respond to them. Virtually overnight, the appearance of this event on the front pages of newspapers all over the world "did the job" for those of us who have long been "evangelising" on these subjects from our specialised settings.
In the same report, the OECD points out that cyber-threats now present unique risks to our security and privacy. Of course they do. If entities such as IDC have spent years identifying "information overload" as a challenge, our current "digital universe" now offers a first glimpse, one step further on, of a new "intelligence overload". And they have a point: the processing of information by a classic Big Brother government; the compilation of profiles by an increasing number of companies, at an increasing level of detail; the emergence of each and every one of us as authentic "Big Others" (as they say in France), thanks to the information-processing power that our smartphones alone now give us; and, of course, the growing sophistication of cyber-crime.
It is essential for our regulations to confront these massive challenges.
Along the same lines as other models, and using the Council of Europe's 2001 Convention on Cybercrime as a template, European countries are taking on this issue by creating offences adapted to these new realities. As an example, let's take the case of Spain where (limiting the discussion here to the conduct seen in ransomware attacks such as WannaCry) it is clear that such offences would fall under article 264 of the Spanish Criminal Code (Código Penal), which covers damage to computer data and computer systems. More debatable, despite some supporting case law, would be combining this (where the "ransom" is actually paid) with the offence of fraud (article 248 of the Spanish Criminal Code).
In 2016 the European Union adopted two key pieces of legislation along these same lines: the General Data Protection Regulation (GDPR) and the NIS Directive on the security of network and information systems.
The main novelties found in the GDPR can be summarised in three basic ideas: a) enhanced empowerment of data subjects (the individuals the data is about), by means of new rights designed to increase their effective control over their own personal information; b) a stronger link between privacy and cybersecurity, through, among other measures, an obligation to notify personal data breaches; and c) the principle of pro-active responsibility (accountability), which goes beyond mere "compliance" formalities to impose ex-ante obligations which, if not respected, lead to significant consequences, above all in the form of administrative fines.
The NIS Directive subjects "operators of essential services" (in sectors such as health, energy, drinking water, transport, banking and financial market infrastructure, and digital infrastructure) and "digital service providers" (online marketplaces, online search engines, and cloud computing services) to two key obligations: to adopt appropriate technical and organisational measures for the security of their network and information systems; and to notify the competent authorities of security incidents having a significant impact on those services.
In our digital world, all security is now cybersecurity. WannaCry has shown that everyone, private citizens included, must internalise (cyber)security. This is no longer a matter that concerns only the "IT people". Everyone working for a company or for the government (by developing plans created for that purpose), and all of us as netizens and Internet users, must now "protocolise" our precautions. Recently, a number of government agencies (even intelligence agencies) have shown us how to do this in an exemplary manner.
And in terms of privacy, it is worth remembering that the European Commission has determined that around 90% of all consumers believe it is important to be able to supervise and control their personal data online. This makes it essential for organisations that process consumer data to do so with transparency, in a manner that allows user empowerment (something hardly achieved so far) to become a generalised reality.
Finally, there is no reason to think that the new obligations developed in these regulations will present obstacles to the multiple benefits we now derive from data and information. To the contrary, their very existence is oriented towards ensuring the free circulation of data itself.
1. This article was originally published on 8 June 2017 in Spain’s national business newspaper Cinco Días: https://cincodias.elpais.com/cincodias/2017/06/08/legal/1496937602_048500.html