December 9, 2011
Currently, there is a lot of chatter in military, civilian, political, and business circles on “Cybersecurity” and how best to exploit and secure the cyber-realm or “Cyberspace”. I wrote in an earlier blog post on the big picture of Cybersecurity, and avoiding data disasters, in general.
Unfortunately, however, while everyone may “think” they are talking about the same thing, I dare say that they are not. It is, of course, important to know and understand what we are all talking about, before we attempt to secure it with any hope of success. So, then, what is Cyberspace, we ask? The answer: almost anything, and nearly everything. Let me explain, as Cyberspace in its totality, comprises 5 Domains, multiplied by 3 Bundles, to give 15 “e-Compartments”; which e-Compartments should be the focal points of and for, specific protective and exploitative techniques and technologies, as appropriate. This is a different, flexible approach better attuned to the rapidly changing world of technology. It will take an extremely momentous event or series of events closely related in time and space, to change and re-align all e-Compartments at once, or to render techniques and technologies used for exploitation and security in more than a handful of these, all obsolete at one and the same time. I will also discuss cyber-breach consequences, and make commonsense recommendations.
(a) The Internet (“Net”) is its own domain, and comprises all systems and services accessible through same, as well as being the catch-all category for everything “online”.
(b) A second domain is the telecommunications networks (“Telco”), which cover phone, fax, voicemail, voice over I.P., videoconferencing, webcasting, and so forth. The Net and Telco are becoming increasingly intertwined and to a large extent, near indistinguishable.
(c) Third, is that complex of computers, servers, and thin and thick clients (“I.T.”) that drive and serve and access the above 2 (“two”), and the remaining 2 (“two”) domains.
(d) The fourth domain, is that of mobile devices (“Mobile”), or the plethora of “steadily richer clients” in smartphones, PDAs, Notebooks, Tablets, and so forth; along with all the portable drives with capacities ranging from a few megabytes to many terabytes (or even “quigaflops”, as I have also blogged, elsewhere).
(e) The fifth domain of Cyberspace may well surprise some of you, but it shouldn’t. It includes paper! Yesterday, today, and tomorrow are not the first times that people will walk critical papers, performances, paintings and portraits, and other personal or positive assets including intellectual property out of monitored or even secure locations, by taking their pictures. This is the world of “P2ED”, where those papers, performances, paintings and portraits, and other personal or positive assets (collectively being the “P”), can be converted into Electronic Documents (meaning “2ED”), and thereby, in essence: “made to move, to order.” Modern rapid scanning technologies, the camera-capture tools on almost every mobile data device now available on the market, and the staggering storage capacity of portable drives as earlier stated, mean that almost anything can be relocated in time and space almost instantly and quite completely; often without the victim or “targeted subject” being the wiser. When you add-in the abilities of three-dimensional printers working with multiple pictures from multiple angles, or simple panned video footage, that “P” can be very easily reproduced in and as an “infringing facsimile”, in any place, at any time, and very many times.
An Electronic Document, I would therefore and expansively, define as: 1 (“one”) or more items of data that may include meta data, created or collected or compiled by electronic means from a paper source or sources, an electronic or other source or sources, or a combination of these, and that is:
(i) organized in the same or substantially the same way as the original source, or that otherwise characterizes and represents or presents the data in a cognizable format; and
(ii) capable:
    (1) of being provided or published or posted or displayed or distributed or otherwise transferred by or to, or retained or reviewed as appropriate, by its creator or compiler, or by any other party or parties possessing the appropriate access permissions and utilities, or by both of the creator or compiler and others; or
    (2) of being received or retrieved or acquired or accessed or analyzed or processed or altered as appropriate, by its creator or compiler, or by any other party or parties possessing the appropriate access permissions and utilities, or by both of the creator or compiler and others;
    in such a way that makes it capable of being stored and therefore used for subsequent reference; and
(iii) capable of being replicated as is or in an alternate format by its creator or compiler, or by any other party or parties with the appropriate access permissions and utilities, or by both of the creator or compiler and others.
The three bundles by which to multiply each of the five domains, are: Hardware (“HA”), Software (“SO”), and Services (“SE”).
A full treatment of this multiplication into the 15 e-Compartments, would take a very long time; and so, I gladly leave it to the reader. However, and as a much abbreviated series of examples:
(i) securing one compartment of the hardware (HA) in any or many domains may include access barriers or credentials verification, whether with keys and passes, or by biometric or other technical means.
(ii) Exploiting one compartment of the software (SO) in any or many domains may include knowing and using the vulnerabilities found and from time to time exposed in certain types of programs, where updates and antiviral or other protections are lacking, and in people, by means of social engineering.
(iii) Services (SE), you can further divide into at least 6 (“six”) sub-elements to create “sub-compartments” after the multiplication, of: (a) internal; (b) contracted; and (c) outsourced accredited service personnel, and then the same 3, once again, for actual services performed. To secure your internal personnel, you would of course, have conducted background checks, and engage in some sort of “lawful” ongoing and periodic monitoring. Securing contracted services, would involve due diligence of the providers, perhaps additional checks and balances on the personnel to do the actual work, and then of course, there is insurance, appropriate contractual terms including warranties and indemnifications from the provider, and other steps as are reasonable, and sometimes seen as unreasonable by the other side. When they protest, it can be reassuring to see that they are paying attention and not so desperate for your business as to accept any and all conditions without a word. Similar steps can also be taken to secure outsourced services, with additional precautions where offshoring or a sensitive industry (such as healthcare, or involving personal information or an especially vulnerable and protected class of persons like children, the disabled, the mentally-challenged, or the elderly), is involved.
(iv) If one were to look at Radio-frequency Identification (RFID) and Near-field Communications (NFC) for example, it becomes obvious how one size does not fit all e-Compartments when trying to secure HA (smart phone passwords), SO (against hacking, tampering, and redirection of funds or data sent or received), and SE (challenge and handshake protocols, and perhaps using geolocation – to the extent lawful – to guard against someone’s account being accessed with the same credentials, and apparently from the same device, in two or more jurisdictions at the same time, as spoofed, or in less time than one could reasonably be expected to travel between them). Each Domain must therefore have and maintain its own set of techniques and technologies to secure HA, SO, and SE in RFID and NFC, as and where applicable, inter alia.
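The geolocation check described under SE above (the same credentials used from two jurisdictions at the same time, or in less time than anyone could travel between them) is what detection engineers usually call an “impossible travel” rule. The following is an added example, not code from the original post, showing how such a rule can be run over a batch of login events. It assumes each event already carries a latitude and longitude (for instance from an IP-geolocation lookup performed upstream), and the 900 km/h maximum plausible speed and 50 km “same place” tolerance are constructed thresholds that a real deployment would tune.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed
CONCURRENT_DISTANCE_KM = 50.0     # assumption: two "simultaneous" logins farther apart than this are suspect


@dataclass(frozen=True)
class Login:
    """One authentication event, with a geolocation already attached (assumed upstream lookup)."""
    user: str
    device_id: str
    ts: datetime
    lat: float
    lon: float
    jurisdiction: str


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str          # "impossible_travel" or "concurrent_sessions"
    distance_km: float
    hours: float
    same_device: bool    # same device identifier on both events, i.e. "apparently from the same device"
    jurisdictions: tuple


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Compare each user's consecutive logins and flag pairs that are physically implausible."""
    by_user = {}
    for event in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(event.user, []).append(event)

    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            same_device = prev.device_id == cur.device_id
            jurisdictions = (prev.jurisdiction, cur.jurisdiction)
            if hours <= 0:
                # Same timestamp: only suspicious if the two places are genuinely far apart.
                if dist > CONCURRENT_DISTANCE_KM:
                    findings.append(Finding(user, "concurrent_sessions", dist, hours, same_device, jurisdictions))
            elif dist / hours > max_speed_kmh:
                findings.append(Finding(user, "impossible_travel", dist, hours, same_device, jurisdictions))
    return findings


# Constructed sample events (coordinates are approximate city centres).
_T = lambda h, m: datetime(2011, 12, 9, h, m, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    # alice: Toronto then New York half an hour later -> ~550 km at ~1100 km/h
    Login("alice", "dev-A1", _T(10, 0), 43.65, -79.38, "CA-ON"),
    Login("alice", "dev-A1", _T(10, 30), 40.71, -74.01, "US-NY"),
    # bob: Toronto then Ottawa three hours later -> ~350 km at ~117 km/h, plausible
    Login("bob", "dev-B1", _T(9, 0), 43.65, -79.38, "CA-ON"),
    Login("bob", "dev-B1", _T(12, 0), 45.42, -75.69, "CA-ON"),
    # carol: same device id, same minute, Toronto and Lagos -> concurrent use of one credential
    Login("carol", "dev-C1", _T(14, 0), 43.65, -79.38, "CA-ON"),
    Login("carol", "dev-C1", _T(14, 0), 6.52, 3.38, "NG-LA"),
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{f.user}: {f.reason} {f.distance_km:.0f} km in {f.hours:.2f} h "
              f"(same device: {f.same_device}, {f.jurisdictions[0]} -> {f.jurisdictions[1]})")
```

Running it flags alice (impossible travel between Ontario and New York) and carol (two sessions at the same instant, some 8,800 km apart, on what claims to be one device), while bob's Toronto-to-Ottawa trip passes. In practice the threshold would be paired with a review step rather than an automatic lockout, since IP geolocation is imprecise and VPN exits can legitimately look like a jump.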
3 CONSEQUENCES OF CYBER-BREACH:
Remediation: This can include the costs of any combination of cash settlements; credit monitoring; credentials replacement for the impacted parties or persons; and changes in the compromised (or absent or insufficient) policies, procedures, personnel, and platforms.
Reputation: Reputational damage can be felt by its effects on clients, who may leave or reduce their business dealings; labor markets where it may become harder to get the best and brightest talent; media and social media circles, not just the late night talk shows, which may all combine to continue and compound a storm that would otherwise have passed by and been forgotten more quickly; and of course, insurance deductibles paid and heavier premiums going forwards. Depending on the specific facts of the situation, the insurer may or may not seek to decline coverage or reduce the available benefits under the applicable policy or policies for errors and omissions, general liability, privacy, and otherwise. Additional economic impacts may also be felt by issuers in greater “activism” of their shareholders. The share prices may take a hit, impacting upon debt covenants, debt to equity ratios, leverage ratios – with or without ensuing margin calls – solvency, and directors and officers liability insurance policies, as well. This, again, could build upon itself in a negative direction if not properly and timely managed.
Regulatory: The possibility of heavy fines and penalties is always there, whether before or after grueling regulatory investigations that sap time, and resources, and money. An entity may also face ongoing monitoring and operational restrictions that may go as far as mandatory supervision or takeover. Suits at law or in equity, or both, may also accrue at a very fierce pace.
4 KEY COMMONSENSE RECOMMENDATIONS:
Systemic Security: Secure the systems, and those who use and maintain the systems. This involves the personnel security, the access controls, and educating everyone in the organization on the benefits of compliance with policies, as it could impact upon their salaries and bonuses, the viability of the business, and their jobs. Where there is a tie-in to their personal realities, stakeholders who see and appreciate potential downsides will be more likely to buy-in to those business practicalities.
Active Management: Have an Active (and not reactive) Management. It is never a good recommendation to wait until something bad happens, before thinking about what you will do and how you will react when something bad happens. More and more jurisdictions are enacting breach notification laws, and so this luxury is no longer an option; even if your jurisdiction has been slow to follow suit. Business, today, is hardly so uni-locational as to allow you to be ignorant of global best practices, and still expect to compete and succeed against the competition. Join and form reputable local industry groups; develop a relationship with a good Public Relations firm; find and retain inside and/or contract and/or outside legal counsel that can cover you on the 3 (“three”) prongs of litigation and e-Discovery, regulatory compliance in your industry, and your contracting and labor practices – in all jurisdictions where you operate; have a solid Social Media presence and policy; and adopt and prepare and plan for, an all-hazards disaster response.
Internal Controls: Active Management must monitor and verify the Systemic Security through internal controls, inter alia. Your people must be following these wonderful policies and procedures, otherwise you have just been wasting paper in employee handbooks and handouts, and storage space on your intranet or bulletin board system. Is Social Media being used responsibly during work time, and regarding work but outside the office? Are employees following your portable data policies and mobile device policies? Are contractors being properly segregated from physical areas, online accounts, and specific data that they are not authorized to access? Are those with authority acting within and not exceeding their access, alteration, and audit authorities? These and other questions must be asked and answered. Industry-specific internal controls should include, for any entity with developers writing software or an I.T. department, a policy on Open Source Software (OSS), as I will further explain, below.
Legal and Regulatory Compliance: Compliance is also very important. If and when something goes wrong, it always helps to show that you did or were doing the right things, in accordance with law. The hammer generally tends to fall harder on those who were lax in their compliance, as the weight of culpability becomes significantly harder to avoid. This is especially important for entities that do not have any in-house legal personnel, which could mean that there is nobody keeping a regular eye on practices and policies that may well slip or dip from time to time, in the ordinary course of business. The value of regular legal audits becomes that much greater, for a periodic “compliance fine-tuning”. One area that requires careful scrutiny, tracking, and audits, is Open Source Software (OSS), which is far from being the “free software” that so many may think it is. Incorporating someone else’s Intellectual Property in company products, or inadvertently contributing the employer’s Intellectual Property to an outside product, through off-time or online collaboration projects, could have dire results. Some open source licenses will then require that you post all the source code for free and further use by all and sundry; damming a revenue stream and giving away valuable I.P. rights. Employees and contractors whose contracts state that all they create belongs to the employer, should be made aware of this “significant risk area”, and have some restrictions placed on what they can and cannot do in terms of OSS, collaboration, and their skills as co-mingled with employer property. The penalties for I.P. infringement, whether of copyright, patent, trademark, or trade secrets, can be severe.
This different, flexible approach to Cyberspace and its 15 e-Compartments should serve as a roadmap, in guiding your conceptual approach to the issues in a logical, and step-by-step or compartment by compartment strategy. As the fields of e-Commerce, Cyberspace, and Cybersecurity grow by leaps and bounds and expand into, above and beyond the “Clouds” – at least until we are all hardwired to be and remain online, at the same time, and all the time – the above basic typologies should suffice and remain the same; and the 5 Domains of Cyberspace, as set out and identified so far, should hold fast, again absent any “category-killer-app” as a caveat.
Happy (belated) Cyber-Monday; and Merry Christmas, 2011!
Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice. He is licensed to practice law in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).
Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.
This article does not constitute legal advice or create any lawyer-client relationship.
Ekundayo George, Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3). Published on September 1, 2011. Available at: http://ogalaws.wordpress.com/category/strategic-consulting/cybersecurity/
Ekundayo George, “M”edia Effectiveness (Blog Tab). Available at: http://ogalaws.wordpress.com/media-effectiveness/