This report investigates whether UK anti-hacking legislation provides adequate protection for victims using the recent hacking of Microsoft's Exchange Server by a Chinese group as a case study. It discusses social, economic, technological, ethical and legal issues. While UK laws like the Computer Misuse Act aim to protect data privacy, the report concludes that UK legislation has not kept up with modern cyber threats and needs reform to better protect citizens' data and privacy in the face of hacks like the Microsoft breach.
Introduction
• Hacking of Microsoft's e-mail system, Microsoft Exchange Server, by a Chinese hacking group called Hafnium on 2nd March 2021
• This report investigates social, economic, technological, ethical, and other issues
• Special emphasis on the United Kingdom's legal structure for protecting the data and privacy of citizens and businesses in the UK

Discussion of areas with issues: Social
• Hafnium's hacking has put the data of several Microsoft customers at risk. The hacking of Microsoft's Exchange Server email has exploited thousands of customers' data and also compromised privacy security
• Even though Microsoft has released recovery or strategic software updates for every customer worldwide following the hack of its Exchange Server email, customers still express their resentment towards Microsoft's privacy policies
• UK's anti-hacking legislation was also blamed by customers due to its inability to prevent hacking even though they had stated possible hacking threats before the incident

Discussion of areas with issues: Economic
• The hacking of Microsoft's Exchange Server, responsible for calendar services and cloud-based email, has resulted in the loss of several worldwide customers and consequently decreased potential brand value
• The decrease in the number of customers reduced Microsoft's total revenue income. It is estimated that loss due to hacking costs around $400 billion every year (assets.publishing.service.gov.uk, 2021)
• £27 billion in costs per year due to hacking of targeted industries and government sectors in the UK

Discussion of areas with issues: Technological
• Common Vulnerability Scoring System (CVSS) has identified 26855, 26857, 26858 as affected server addresses of Microsoft's hijacked server (news18.com, 2021)
• Microsoft stated that hackers used classical Remote Code Execution Structure (RCES) to hack into Microsoft's server
• Several codes such as CVE-2021-26855: CVSS 9.1, CVE-2021-26857: CVSS 7.8, CVE-2021-26858: CVSS 7.8, and CVE-2021-27065: CVSS 7.8 have enabled hackers to hack and take away required data or information and also install malware and web shells.

Discussion of areas with issues: Ethical and Others
• Frustration and anxiety arose in customers as their privacy and data were exposed, and many were seeking to resolve the matter and act according to their needs (Azad, M.M., Mazid, K.N. and Sharmin, S.S., 2017)
• Focusing on customer ethics and protection, Microsoft released an immediate software update to be installed by every user worldwide in order to protect them from possible loss of further information
• Other issues, such as unauthorized transactions from banks, uninstallation of several essential software from the hacked server, smuggling of data, etc., have also been identified

Discussion of legal issues
• The United Kingdom's legal actions against cyber-crime have mainly developed under two criteria, namely Cyber-Dependent Crimes and Cyber-Enabled Crimes (cps.gov.uk 2019).
• The UK's laws and regulations are outdated and thus unable to deal with online hacking or cyber-crime threats effectively (Ngejane et al. 2018)
• It is also observed that police in the UK do not often investigate several cyber-crimes due to lack of resources
• The UK government's legal responses in mitigating cybercrime and hacking have not been up to the definite requirements of maintaining citizens' data privacy and protection (reuschlaw.de/en/news 2021)

Covered laws
• Computer Misuse Act 1990
• Fraud Act 2006
• IT Act 2000
• Serious Crime Act 2015
• Regulation of Investigatory Powers Act 2000
• Data Protection Act 1998
• Communications Act 2003
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
• Investigatory Powers Act 2016

Laws objective fulfillment
• The UK's General Data Protection Regulation (GDPR) allows data to be transferred out of the country to be used and passed on in other European countries and the rest of the world, but does not apply to processing of data that is carried out outside of the UK, increasing the vulnerability to piracy of data and smuggling of the same
• The Computer Misuse Act (CMA) allows legal access to an individual's data and information by an organization and government body in accordance with any liability attributed to the individual (lexology.com)
• Citizens of the UK have been accused under the Communications Act as they were posing threats to the country by means of media transfer and communication

Conclusion
• It is evident from this investigative report that the UK has not been up to the requirements and measures in defending against cyber attacks such as Microsoft's breach by Hafnium
• By affecting the technology and economy of affected servers all around the world, Hafnium has affected Microsoft's business and shares worldwide
• From this investigative report it can be concluded that the UK's ability to protect its citizens from data piracy and smuggling is not up to the necessary requirements and needs proper reforms and advanced changes.

Reference List
• AKDEMİR, N., SUNGUR, B. and BAŞARANEL, B.U., 2020. Examining the Challenges of Policing Economic Cybercrime in the UK. Güvenlik Bilimleri Dergisi, (International Security Congress Special Issue), pp.113-134.
• Alfaro, D.L., 2019. Is ethical hacking in conflict with data protection? Clarifying issues and resolving conflicts. Philosophy and Practice of Bioethics across and between Cultures, p.194.
• Allhoff, F. and Henschke, A., 2018. The internet of things: Foundational ethical issues. Internet of Things, 1, pp.55-66.
• Almeida, V.A., Doneda, D. and de Souza Abreu, J., 2017. Cyberwarfare and digital governance. IEEE Internet Computing, 21(2), pp.68-71.
• Apau, R., Koranteng, F.N. and Adu, S., 2019. Cyber-crime and its effects on E-commerce technologies. Journal of Information, 5(1), pp.39-59.
• Azad, M.M., Mazid, K.N. and Sharmin, S.S., 2017. Cyber crime problem areas, legal areas and the cyber crime law. International Journal of New Technology and Research, 3(05), pp.01-05.
• BBC NEWS, 2021, March, 11. Exchange email hack: Hundreds of UK firms compromised [online], Available at: https://www.bbc.com/news/technology-56365372 [Accessed on: 17.04.2021]
• Bonakdarpour, B., Deshmukh, J.V. and Pajic, M., 2018, November. Opportunities and challenges in monitoring cyber-physical systems security. In International Symposium on Leveraging Applications of Formal Methods (pp. 9-18). Springer, Cham.
• Bradshaw, P., 2017. Chilling Effect: Regional journalists' source protection and information security practice in the wake of the Snowden and Regulation of Investigatory Powers Act (RIPA) revelations. Digital Journalism, 5(3), pp.334-352.
• Button, M., Brooks, G., Lewis, C. and Aleem, A., 2017. Just about everybody doing the business? Explaining 'cash-for-crash' insurance fraud in the United Kingdom. Australian & New Zealand Journal of Criminology, 50(2), pp.176-194.