Big data and cybercrime are creating 'upstream', big data related cyber-dependent crimes such as data breaches. They are essential components in a cybercrime chain which forms a cybercrime ecosystem that cascades 'downstream' to give rise to further crimes, such as fraud, extortion, etc., where the data is subsequently monetized. These downstream crimes have a massive impact upon victims and data subjects. The upstream and downstream crimes are often committed by entirely different offending actors against different victim groups, which complicates and frustrates the reporting, recording, investigative and prosecution processes. Taken together, the crime stream's cascade effect creates unprecedented societal challenges that need addressing in the face of the advances of AI and the IoT. This phenomenon is explored here by unpacking the TalkTalk case study to conceptualize how big data and cloud computing are creating cascading effects of disorganized, distributed and escalating data crime. As part of the larger CRITiCal project, the paper also hypothesizes key factors triggering the cascade effect and suggests a methodology to further investigate and understand it.
ABSTRACT
Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches (Framework Directive, e-Privacy Directive, eIDAS Regulation, PSD2, GDPR, NIS Directive) is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security, one of the three pillars of the EU cyber security policy, the question is whether the legal 'patchwork' is helping to 'patch' the underlying insecurity of network and information systems, thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security, and consequently I use the expression cyber security breaches.
I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcement of self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity. This is the final manuscript for academic use only. Please always refer to the published version: M. G. Porcedda, Patching the patchwork: appraising the EU regulatory framework on cyber security breaches, Computer Law and Security
Lessons from PRISM and Tempora: the self-contradictory nature of the fight against cyberspace crimes. Deep packet inspection as a case study
The leaks about the Tempora [1] and Prism [2] programmes, conducted by the UK and US government respectively, sparked a public outcry [3] that resumed the 'security vs. privacy' debate [4] and underlined the importance of the fundamental rights [5] to (informational) privacy and data protection to democracy. [6] Surprisingly, however, the potential for policy discussions deriving from the (albeit scant) information on the technology used to perpetrate surveillance was not fully harnessed. Tempora allows "the GCHQ (…) to tap into and store huge volumes of data drawn from fibre-optic [transatlantic] cables for up to 30 days so that it can be sifted and analysed" [7] for information relevant to "security, terror, organised crime…and economic well-being". [8] The National Security Agency (hereafter NSA)'s Xkeyscore allows "realtime interception of an individual's Internet activity", [9] e.g. based on "name, telephone number, IP address, keywords". These accounts hint at the use of deep packet inspection (hereafter DPI), even when the target is traffic data, or data stored by private companies, [10] since Internet Service Providers (Internet access providers, hereafter ISPs) "could reroute the traffic through an encrypted IPsec VPN installed to enable security agencies to have direct access to the [email messages] sent there." [11]
The first policy inference that can be drawn is that PRISM and Tempora are old wine in new bottles. Last year, the UK government proposed a programme compelling ISPs