Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3)

September 1, 2011

Introduction.

Hurricane Irene of late August, 2011, has come and gone, devastating the Eastern seaboard of the United States of America, especially Vermont and the Carolinas, and also causing damage in Quebec and the Canadian Maritime Provinces (Eastern Canada).[1]  As Hurricane Irene came at the start of hurricane season and shortly after the 5.8 magnitude earthquake of Tuesday, August 23, 2011, centered some 40 miles to the Northwest of the City of Richmond, in the State of Virginia,[2] this is as good a time as any to discuss and promote a more comprehensive approach to our collective Cybersecurity.  I will cover the specific topic of portable data security in another post.

In addition, 2011 has witnessed successful Cyber-hacks on notable businesses, national governments, and government agencies and departments that were thought to be tech-savvy, very well protected, and up to date in their Cybersecurity practices.[3]  However, we should distinguish the “hacktivists”[4] from the “covert snoops”[5] and from the “news-related snoops”,[6] even though they may all look, sound, and feel the same to the hacked.  In essence, we must all realize and always remember that “Destabilizing Data Disaster” (D3) can actually touch anyone, at any time, and as a result of almost any cause or event.  Fortunately, destabilizing need not mean debilitating, if adequate, reasoned, directed planning and preparation have been done; as do BIRDS for the BEES.

BEES & BIRDS.

BEES:

Destabilizing Data Disaster (D3) can be caused by 3 (“three”) main event groupings and 5 (“five”) specific elements, under a “BEES” typology.  These are: (i) Breach Entries; (ii) Environmental, or Economic, or Exported Strictures; and (iii) Engineering Social.

(i) Breach Entries are intentional intrusions that may or may not be targeted at data retrieval.  The breach factor refers to the intentional circumvention or disabling of security protocols and barriers to entry.  Examples include denial of service, defacement after gaining administrator privileges, and physical removal, alteration, or destruction of critical hardware, software, or information.  This category also covers the actions of disgruntled employees or contractors whose actions exceed their authority, occur outside the law, or appear to be lawful and legitimate but are done with malicious intent.

(ii)(a) Environmental Stricture is defined as compromised functionality due to an environmental event, be it flooding (such as from a swollen river), loss of power due to some weather-related incident (such as a snowstorm that takes down power lines), or extreme heat that compromises a power substation or transformer to the point of failure, where there is no backup power, or insufficient backup power, on hand.

(ii)(b) Economic Stricture is defined as compromised functionality due to an economic event, whether or not foreseeable, such as a bank foreclosure on one’s own premises and assets for non-payment of debt; a dispute with a critical vendor that has a delayed or immediate operational impact; being the subject of a legal injunction; or being the target of any government action of a regulatory or enforcement nature, including but not limited to investigation or nationalization, with a delayed or immediate data operational impact.

(ii)(c) Exported Stricture is defined as the impact suffered by the subject entity when any or all of the 4 (“four”) other BEES elements here listed befall a critical vendor, a critical customer, or a group of vendors or customers to the point of criticality, such that the stricture cascades in data impact and is exported one or more times along the chain.

(iii) Engineering Social is defined as the tools and techniques that lure people into sharing or divulging critical access information, or other personal or confidential information that can lead to unauthorized access, identity theft, phishing, or data mining in the hands of a knowledgeable recipient with malicious intent.  The result can be a loss of secret, confidential, or otherwise proprietary information, which will certainly cause great embarrassment; which may bring legal action from aggrieved parties; and which may ultimately need to be reported and publicly disclosed across multiple jurisdictions in accordance with then applicable data retention and protection laws.[7]

BIRDS.

As the BEES can occur and swarm in combination, the means to guard against them must be similarly flexible and comprehensive.  From my consultations with and work for corporations and executives in various jurisdictions, I have been able to use a variety of privacy impact assessments of events, reactions, advances in technique and technology, and adaptations, to devise a “BIRDS” Cybersecurity typology for dealing with the BEES.  Individual client circumstances will, however, vary, as the steps must be specifically tailored with additional, custom inputs.  In addition, a comprehensive Cybersecurity policy must be well-structured, well-entrenched, well-managed, and actively monitored with comprehensive follow-up, in order to have optimum results.  This general scheme, below, should nonetheless get the appropriate Cybersecurity professionals, employees, and managers with budgetary authority all on the right train of thought, and at the same time.

The 5 (“five”) points below must be taken, comprehensively assessed, and addressed in the order that best fits the entity, in light of its then current position, its future plans, and other custom metrics and analyses beyond the scope of this basic introduction.  Presented here simply in the order that gives them their name, these points are:

Point 1: “Backup and hardening” means it is vital to ensure that any data farm always has an adequate system for emergency power and management, and offsite data backup.  Remote operation and re-boot, as well as the use of cloud technologies, may be considered.

Point 2: “Imperatives of full compliance with law” should be paramount for the entity concerned.  There may be legal and regulatory requirements specific to the industry (such as data retention and protection laws); there may be industry or professional standards or best practices that have the force of law (such as with self-regulatory professional and licensing bodies); or there may be specific requirements related to investigations or legal proceedings (such as search warrants and document production in Discovery), or in relation to specific corporate events (as with due diligence on a merger or acquisition).

Point 3: “Rights of verification and correction” for the data gathered, data held, and data that must or may be disclosed should be specifically assigned and well-known across the entity.  To the extent prescribed by law in the applicable jurisdiction, the persons on whom and on behalf of whom the data is held may also have a right to verify and correct it.

Point 4: “Data integrity”, as a mandate, makes it similarly vital to follow industry best practices to the extent that they exist, and to ensure that all employees know them and are trained to stay up to date (which may give some protection against legal claims and, perhaps, a reduction in premiums from insurers).[8]  This point also involves having, using, and maintaining reliable systems and protocols for input management regarding the data, intrusion prevention and detection, and incident management, and then following up to push through the requisite improvements in policies and procedures from lessons learned.

Point 5: “Site and System access protocols” should likewise be paramount for the entity.  Passwords became pass keys, then combinations and security tokens,[9] and now the field is being populated by an ever-expanding array of biometric applications.  Here, again, it is important to know the local law of the applicable jurisdiction.  In Canada, for example, certain occupations and procedures can mandate a Certified Criminal Record Check.[10]  In all cases, it remains vitally important for an entity to control who has access to the data system, and from where.  Staggered edit authorities and segregated levels of both physical area access and system and subsystem access are, and will ever remain, highly advisable.

Summary.

The writing is on the wall, and everyone, as data consumer, handler, and producer, should take personal data security and the collective Cybersecurity very seriously; especially as we see that top corporations and governments with access to significant technical talent and financing have been, and continue to be, hacked on an alarmingly frequent basis.  The above, however, are some steps and “BIRDS” that any entity may take in hand alone, or that a group of entities or an industry may take in hand together, as a “flock”, in order to guard against “Destabilizing Data Disaster” (D3), and to hold off and discourage those troubling swarms of “BEES” gathering, ominously, on the horizon – at least for a time.

Author:

Ekundayo George is a Lawyer and Strategic Consultant.  He is a published author in Environmental Law and Policy; licensed to practice law in multiple states of the United States of America, as well as Ontario, Canada; and has over a decade of solid legal experience in business law and counseling, diverse litigation, and regulatory practice.

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[3] http://www.bbc.co.uk/news/technology-13686141 (“A Brief History of Hacking”).

[4] Id.

[5] http://www.upi.com/Top_News/World-News/2011/02/17/Canadian-government-computers-hacked/UPI-21551297945502/ (Government of Canada suffers major hack attack); http://www.bbc.co.uk/news/technology-13626104 (Top United States Government employees and private sector company executives suffer email hacks).

[6] http://www.bbc.co.uk/news/uk-14685622 (Public figures in the United Kingdom suffer from the intentional hacking of their voicemails).

[7] Many jurisdictions operate under highly complex webs of privacy and data retention laws and regulations covering such areas as: banking information, health information, law enforcement and national security, employment-related information, tax information, electoral rolls, and so forth.  It is important to know the laws of the jurisdiction or jurisdictions within which one operates, or more frequently nowadays – “is deemed to be operating”.  You should always consult competent local legal counsel for specific guidance that is pertinent to your situation, and the facts.

[8] Numerous industries in North America, Canada, and Europe have specific industry groups – and lobbyists – that enable the meeting of stakeholders and governments on a regular basis to formulate best practices, establish limits on liability, and otherwise shape applicable legislation and regulations in a way that protects the consumer, provides a degree of legal certainty, and enables the industry to thrive by assuring direct participants that a given level of risk-taking will not be unduly thwarted, and assuring investors that their investments will be both protected and rewarded.

One example of a health and safety standard is the concept of ALARA (“As Low As Reasonably Achievable”), which received a detailed analysis at the United States Supreme Court in the case of Silkwood v. Kerr-McGee, 464 U.S. 238 (1984), in reference to workplace radiation exposure in the nuclear energy field.  The concept has since been adopted across other industries using radioisotopes, such as the medical field (see, for example, the Health Canada Guidelines on using diagnostic ultrasound): http://www.hc-sc.gc.ca/ewh-semt/pubs/radiation/01hecs-secs255/rec-eng.php

The concept is also used, as modified, in the field of health and safety in the United Kingdom, where it is termed “As Low as Reasonably Practicable” (ALARP), http://www.hse.gov.uk/risk/theory/alarp.htm, or “So Far as Is Reasonably Practicable” (SFAIRP).  The two are often used interchangeably: http://www.hse.gov.uk/risk/theory/alarpglance.htm

Similarly, in a Report published on June 8, 2011, the Internet Policy Task Force of the United States Department of Commerce proposed best practices for the Internet that, if followed, would reduce an entity’s Cybersecurity insurance premiums due.  That report is available at: http://www.nist.gov/itl/upload/Cybersecurity_GreenPaper_FinalVersion.pdf

Additional background on the thinking behind this initiative can be found here: http://www.darkreading.com/cloud-security/167901092/security/security-management/230500089/commerce-department-proposes-voluntary-security-best-practices-for-businesses.html

[9] Of note is the embarrassing fact that a purveyor of security tokens used to protect banking and corporate network access was recently hacked: http://www.bbc.co.uk/news/technology-12784491 (“Hackers tackle secure ID tokens”).

[10] http://www.rcmp-grc.gc.ca/cr-cj/fing-empr2-eng.htm (Background information on the Certified Criminal Record Check procedure, from the Royal Canadian Mounted Police (RCMP)).

3 Responses to “Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3)”

  1. MO Says:

    Keep the posts coming. +1


  2. […] [1] See e.g. Ekundayo George.  Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3).  Published September 1, 2011, on ogalaws.wordpress.com.  Online: https://ogalaws.wordpress.com/2011/09/01/cybersecurity-avoiding-destabilizing-data-disaster-d3/ […]

