The story recently broke of a former employee who had high-level system access as a “software programmer and system manager”.  The allegation is that he retaliated after being passed over for promotions, which led to his resignation in December 2011, with a final day of work in January 2012.[1]  According to a Criminal Complaint in the incident, as filed by the Federal Bureau of Investigation (FBI) in the District Court for the Eastern District of New York, the accused had worked there for several years, and was actually “one of two employees who were primarily responsible for ensuring that the software that drove the company’s manufacturing business—including its production planning, purchasing, and inventory control—operated efficiently”,[2] showing just how much free system access he really had.  The estimate puts the cost to the former employer of his alleged activities at some $90,000.00 in damages.  Admittedly, it could have been significantly more than this.  That number is not insignificant.  However, we may or may not ever come to know whether it stopped there due to self-imposed limitation(s), or due to an inability to do anything more destructive or wide-ranging because of security impediments.


On to the questions:

1. When someone with that kind of access departs, is it now necessary to change every single password of every single employee?

2. Is that the same if you have high IT turnover?  Things can get pretty hectic in that case!

Bob[3] was an “ongoing insider”.  The current accused is therefore a “former insider” and not a “pure outsider”, if looking at the situation from a purist perspective.

3. Which of these three (ongoing insiders, former insiders, and pure outsiders) is now classified as the greater threat to employers and/or businesses in general?


There is an ongoing, and sometimes quite intense, debate on whether outside threats or inside threats are greater; but both sides of the debate, and the naysayers who disdain such reductionism per se or prefer to focus on purer forms of quantification and categorization, all agree that the state of Infosec/Cybersec is complex and accelerating at a breakneck pace.  Events will doubtless continue to present teachable moments.  I say that an inside-the-firewall/outside-the-firewall categorization is helpful in quantifying the potential harm from various threat vectors on available attack surfaces, and in planning to address them on a constant and consistent basis.  However, I also think that all threats can be adequately considered when: (a) you focus on achieving buy-in to the need for security protocols, and adherence thereto, at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when doing so makes (for some) accessing their preferred apps or sites inconvenient or impossible, or slows people down a little.  I call this cubing the B.

The above-referenced and linked allegations remain allegations.  All parties are innocent until proven guilty in a court of law.

**********************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[2] Federal Bureau of Investigation (FBI).  Press Release.  Long Island Software Programmer Arrested for Hacking into Network of High-Voltage Power Manufacturer.  Published by the FBI on fbi.gov, May 2, 2013.  Online: >http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer<

[3] Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”.  Published January 17, 2013, on ogalaws.com.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

I would say there are essentially 7 (“seven”) stages in this trajectory, being:

(i) SaaP;

(ii) SaaS;

(iii) SaaR;

(iv) S3aUR;

(v) PCSS;

(vi) SaEE/SaEA;

(vii) PC3S.

Kindly allow me to explain.

SaaP – Software as a Product:

(i) Software was originally a product, although many in the younger generations may have little to no recollection of those days.  It was separately shrink-wrapped and sold first in hard copy format, on disks (you might recall the almost never-ending deluge in your snail mail of all those free and unsolicited AOL, Earthlink, and MSN discs of yore), amongst others; and then, it moved online, with click-wrap licensing.

SaaS – Software as a Service:

(ii) Software as a Service developed with the outsourcing trend, and it has actually been with us for at least a good decade.  Value was added through offshoring, near-shoring, and contracting-out for the design of software to run CAD and CAM applications (as well as the machines on which to run them), all after first hiring outside management consultants to advise on how to better streamline and align critical line and staff functions to increase ROI, boost productivity, and maximize shareholder value.

SaaR – Software as a Right:

(iii) Although many don’t quite see it – due to the fact that Stage 4 is already taking the limelight ahead of its time – Stage 3 is when we start to see Software as a Right (SaaR).  Software is becoming a right because cost-cutting has led several European and North American governments to cut funds for hardcopy libraries, both public and at educational institutions.  As this happens, older collections are being shredded to save space and funds (sometimes with and sometimes without first putting them through the expensive process of scanning and digitization, and very often without any public disclosure, comment, or opportunity for interested parties and departments to offer to raise the funds or find the space to preserve them).  As more and more knowledge goes online and becomes accessible only for a fee (see the recent moves of certain providers of news and commentary to dispense with the printed versions of their publications), and as more and more public government services (information, forms, e-filing, e-refunds) and even private sector services (banking, customer service, event and school registration and RSVP) move online, software becomes a right, to the extent that people need it for access to these essentials of daily living.

S3aUR – Software and Systemic Security at Undue Risk:

(iv) We are now seeing multiple, concatenating, and overlapping tangible and virtual instances of Software and Systemic Security at Undue Risk in multiple Availability Zones (AZ), due to hacking and malware, Advanced Persistent Threats (APT), insider fraud and disgruntled employees,[1] apparent personal grudges,[2] blatant BYOD misuse, and just bad design, mismatched configuration, or absent/inactive management.  There are also climatic and other intervening “exigent events”.  However, the argument will always be made that these (including climate change) were predictable, and could therefore have been better planned for and their effects controlled.

PCSS – Persistent Cloud Security Systems:

(v) As a result of Stage 4, discussions have already commenced and are well underway,[3] on how best to structure,[4] roll out, and govern a Persistent Cloud Security System (PCSS) that (a) works in real time, (b) is networked to involve end-users, private sector providers, and public sector actors of various profiles, and (c) is truly multinational and achieves massive regulator and government buy-in to work consistently and predictably with common rules or principles to drill down on, rein in, and prosecute actors in the undermost belly of the Deep Web.[5]  Monitoring as a Service, Alerts as a Service, and like offerings will not, alone, suffice to stem Stage 4’s insecurity tsunami.

SaEE/SaEA – Software as Embedded Enabler or Enhancement/Appendage or Augmentation:

(vi) Of course, being a non-Wizard, I cannot say precisely what term will be used.  It is possible, just as is currently the case with the Stage 2 SaaS variants, that different terms will be used by different providers and commentators, unless and until some sort of standardization is agreed upon.  The need for constant updates, patches, and other communications with the thin, thick, and virtual clients running all of this massively-dispersed computing power, whether by pull-down or push-out from the update source, will eventually start to fall too far behind the developing threats and vulnerabilities presented.  At that point, one or more governments may “force” this Stage 6.

There are already “some” people experimenting with themselves by embedding RFID chips, and the agriculture industry has lots of experience on their use with farm animals.  Anecdotal stories on the internet about additional experimentation by early-adopters with pets, children, and the elderly, are yet to be proven for the most part …. I think?!  A number of nations are reportedly also spending copious amounts of declared and undeclared moneys on brain-mapping, brainwave scanning, and methods to understand, predict, and control human brainwaves and human behavior without being detected.

Whatever the case, once the critical point of the implantation quotient is achieved or nearly-achieved, there may come a time when governments “mandate” that people embed or append the software through a chip implantation of some sort.  This will be resisted on a number of fronts and may cause unrest in several jurisdictions.  However, judging by the way some governments can tend to proceed with their plans despite the protests of millions, the effects on their citizens, and the horror of other nations, things may still get pretty ugly.

As we have already seen in the case of consumer products (from smokeables, through manufactured goods and automobiles, to even fresh food), not all dangers in end-use and the potential side-effects that could and should have been disclosed, were disclosed.  Let us therefore hope that these “implants” do not create a globe of rabid zombies under the remote control of whoever can hack the system best, or hostages to brain-frying hacktivists.

PC3S – Pure Collectivized Communications Culture System:

(vii) Then, once everyone who counts or wants to count is wired up (or at least, all who want to be able to eat & drink, fully & freely exercise inalienable rights, or buy & sell in a fully-tracked, value-stacked, government-backed, and supposedly hard-to-crack, pay-as-you-go system with monthly user fees and transaction levies (ePayment only, in a cashless society, with interest-bearing pay-day loans preferred so as to keep everyone happily hard at work for their own self-serving purposes) that by definition includes all but the “obvious terrorists”), we will have that Stage 7, in a Pure Collectivized Communications Culture System.  If software becomes embedded to get around hacking, then who is to say that a person’s brain will actually be able to remain free and clear of the hackers; or that interested parties with the access (such as corrupt insiders) will resist the temptation to hack someone’s brain for profit, or to create a “robot on demand”, with credible and provable amnesia?  A number of 20th and 21st Century books and movies may quickly come to mind.[6]

SUMMARY:

Of course, all of this is a work of fiction and can never happen in this modern world …. except of course, for those stages in these above 7, that have already taken place, or that are …. “something of a work in progress, by someone, somewhere, for some specific purpose, and at the behest and request of some sort of sponsor”!  It is said that being fore-warned is to be fore-armed, but nobody really remembers things they read on the internet, unless there is some sensual stimulant or celebrity endorsement, right?

************************************************************************



[1] See e.g. Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published on ogalaws.wordpress.com, January 17, 2013.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[2] See Adam Edelman/New York Daily News.  Cyberbunker hosting site said to be dropping virtual ‘nuclear bomb’ on Internet with massive, global denial of service attack.  Published Wednesday, March 27, 2013 on nydailynews.com.  Online: >http://www.nydailynews.com/news/national/internet-nuked-massive-ongoing-cyber-attack-experts-article-1.1300372<  It is “alleged” that a private dispute of some sort between Cyberbunker (a Dutch internet hosting business that will take all-comers, “except child porn and anything related to terrorism”), and The Spamhaus Project (a non-profit centred in London and Geneva, but with operating nodes in ten nations, that “works to help email providers filter out spam”), has led to the largest DDoS in history, with a data stream attack magnitude of 300 billion bits per second, when 50 billion bits would suffice to bring down the online service of many significant online businesses, including major banks.  The fact that most people have seen no significantly noticeable disruptions due to this “attack” just goes to show the added resilience built into the system since this kind of attack was first noticed, understood, and responded to by industry and regulators.  Personally, I saw some emails come through on device group “A”, but they were delayed on others – thankfully, nothing time-sensitive, and I was aware of them due to my own system of redundancies in having those multiple email access points and service providers.  Microsoft also just switched a “massive” few more users over to Outlook, so that may have also played a part in my own delayed email receipt.  In any case, investigations are ongoing into the source of the current and sustained attacks, but as with others, the true perpetrators may remain hidden.  See Infra, note 5.  See also The Spamhaus Project homepage.  Online: >http://www.spamhaus.org/organization/<; The Cyberbunker Data Centers homepage.  Online: >http://www.cyberbunker.com< (the Cyberbunker website was verified by this author as unreachable online, at the time this SaaS Visioning-out article posted).

[3] See e.g. Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right, at Note 17.  Posted March 11, 2013, on ogalaws.com.  Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/<

[4] See e.g. Mikael Ricknäs, IDG News Service.  AWS takes aim at security conscious enterprises with new appliance.  Published on itworld.com, March 27, 2013.  Online: >http://www.itworld.com/cloud-computing/349894/aws-takes-aim-security-conscious-enterprises-new-appliance?goback=.gde_1864210_member_226976359<  Amazon Web Services has introduced a standalone, secondary cloud-based system to manage cryptographic keys that will be used in the cloud, with limited AWS access through “strict” separation of administrative and operational duties between the vendor and the client, and segregation and limitation of access according to business need.  SOD best practices are thus clearly translated into the cloudsphere.

[5] See Gil David.  The Dark Side of the Internet.  Published on israeldefence.com, December 1, 2012.  Online: >http://www.israeldefense.com/?CategoryID=483&ArticleID=1756<  This article provides a fairly good overview of what we are all dealing with on a daily basis, with regard to the Deep Web.  I will post at a later date, regarding some of my thoughts on how this might spur and/or impact upon, that promised “Internet of Things” to come.

[6] I think I will also have to post at a later date on what might constitute “work”, when machines do so much of one type of work, and many of the other types are outsourced to someone, somewhere else.  As automation really took hold on a massive scale in the industrial west (Japan, Europe, North America, South Korea) in the 1960s and 1970s, much was said about the coming leisure society as machines did so much, that people would have more time on their hands to relax and actually enjoy life.  Now, the “massively unemployed, migrating mass populations” in almost all geographic zones and nations, mean something clearly went very wrong.  We are a few steps away from chaos; one that may well start in the European Union –or with one or more of its “pending former” members.  Should this happen and spread as political leaders continue making very bad calls, Anonymous, Environmentalists, Occupy, and the Anti-Globalization folks will look like child’s play, even when first combined and then multiplied.

What about hospital BYOD?

October 7, 2012

WOW!

I was just leafing through the Ottawa Citizen of Saturday, October 6, 2012, and I came across an article on rising BYOD at the Children’s Hospital of Eastern Ontario (CHEO).[1]

WHAT?

BYOD, literally means “bring your own device”, and refers to the growing practice of employers allowing employees to bring their own mobile devices into the workplace (smart phones, tablets, laptops), in order that they may access proprietary and work-related information on those platforms with which they are already quite comfortable.

WHY?

Some of the advantages of BYOD identified in that article, include: (i) cashflow savings (not having to buy and replace devices for employees on an employer’s own tab, whether with operating funds or debt); (ii) currency (allowing employees to transport and deploy what is likely the most cutting-edge technology); (iii) speed and efficiency (permitting staffers to quickly access “more timely and accurate information” almost anywhere, as hosted on proprietary servers or those of cloud service providers/vendors);[2] and (iv) good environmental stewardship (cutting down on the use of paper, and copying costs, through the increasing use of EHR, or electronic health records).[3]

WHOA!

Doubtless, CHEO is already very well advised on these and related matters.  However, in the race for similar BYOD gains by others,[4] let us try not to forget the clear potential for pains and strains, on which I have blogged at some length.[5]  There are 4 (“four”) main keys to creating and implementing a BYOD/Cybersecurity Policy to guard against these, and employers hoping to exploit the gains of BYOD are well advised to have legal counsel – preferably counsel who are also familiar with the laws outside Canada, due to the global nature of the internet and Cybercrime – assist them in devising an appropriate framework within which BYOD can thrive, responsibly.  These keys follow, in brief.

Systemic Security:

Stringent efforts must be made to secure access to the information accessible on or through these many mobile devices.  The employer’s I.T. staff (or specialized contractors) also need to remain busy and vigilant in ensuring that no malicious code is present on these devices, or is input into the system by means of these devices.  This, of course, will require copious amounts of training and retraining on countering social engineering techniques, safe browsing outside the workplace, and other device security measures.  Although an added inconvenience for the user, internal rules may mandate that browsers not remember passwords, requiring re-typing for each access or use.  In addition, and at the very least, BYOD mobile devices must themselves be protected with passwords and, where applicable, programmed to alert the owner as to their location, or to remotely “self-wipe” and restore themselves to factory defaults, if stolen or misplaced.

Active Management:

Spot checks and random audits must be used to ensure and maintain compliance with any mobile security policy designed for the “anywhere, any device, anytime” BYOD-enabled workspace; or, as more accurately put, the “BYOD-uw” (ubiquitous workplace).

Internal Controls:

Information access controls must also be strictly enforced, so that employees have access to only that information of which they have a business-specific need to know.  BYOD should not be a free license for fishing expeditions, or an invitation to forget medical ethics and use identifiable patient records in social media posts (medical blogs, “would you believe’s”, and juicy tidbits of malice post breakup/rejection); not to mention the truly inadvertent disclosures or keying slip-ups.  Data may also be protected against cut/paste or dragging and download, and covered by strict write and edit permissions.  This level of openness for use and potential abuse also makes the initial background checks and vulnerable sector screens that much more important.  Behavioural interviewing techniques and other means of heightened pre-employment due diligence have already become the norm, due to the increasing use (and abuse) of social media, and a generally heightened, global security awareness in both the public and private sectors.

Legal and Regulatory Compliance:

Compliance must always be at the forefront, as there will be a host of regulatory regimes that are business- or industry-specific (protecting Intellectual Property Rights/IPR in the technology sector), risk-specific (countering leaks and espionage in the government sector), and privacy-centred (PHIPA[6] in the Ontario healthcare sector).[7]  Privacy insurance is becoming increasingly popular, advisable, and even mandatory in certain cases, and several jurisdictions now have stringent notice and remediation laws in the case of a privacy breach.

WHITHER?

Forward, yes – but with caution, commonsense, and advice from legal and I.T. professionals.

Happy Thanksgiving!

***********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare and privacy, Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See, for example: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, large budgets, and multidisciplinary teams.  See, for example: http://www.simprime-ca.com



[1] Vito Pilieci.  CHEO prescribes BYOD: Just What the Doctor Ordered.  Ottawa Citizen.  Section F, Business & Technology, at F1, F2 (print version of Saturday, October 6, 2012).  Also available online: > http://www.ottawacitizen.com/business/CHEO+prescribes+BYOD/7353691/story.html<

[2] The use of cloud services should also be strongly considered and managed, as the storage of the personal information of Canadians on servers based within the United States, or its inadvertent passage through those servers, may lead to warrantless disclosures of said information to the arms and entities of a foreign nation without the consent or knowledge of the information subject, and in certain cases, the knowledge of a legally responsible information custodian.  See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on http://www.Ogalaws.wordpress.com, on December 28, 2011.  Online: >https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/<

[3] Supra note 1.

[4] Id.  The article also cites Citrix Systems, a CHEO vendor, as saying “more than 34 per cent of Canadian companies already have policies in place to allow employees to bring in personal devices.  Another 27 per cent of Canadian firms plan to roll out some form of BYOD initiative over the next 12 months”.

[5] See e.g. Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on http://www.Ogalaws.wordpress.com, December 9, 2011.  Online: >https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/<

[6] PHIPA (Personal Health Information Protection Act, S.O. 2004, CHAPTER 3).  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm<

[7] Also consider the potential applicability of MFIPPA and PIPEDA, whether in Ontario alone, or elsewhere in Canada and at the federal level, as well as outside Canada with regard to the latter, PIPEDA.  See MFIPPA (Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, CHAPTER M.56).  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90m56_e.htm<  See also PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5).  Online: >http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html<

Currently, there is a lot of chatter in military, civilian, political, and business circles on “Cybersecurity” and how best to exploit and secure the cyber-realm or “Cyberspace”.  I wrote in an earlier blog post on the big picture of Cybersecurity, and avoiding data disasters, in general.[1]

Unfortunately, however, while everyone may “think” they are talking about the same thing, I dare say that they are not.  It is, of course, important to know and understand what we are all talking about before we attempt to secure it with any hope of success.  So, then, what is Cyberspace, we ask?  The answer: almost anything, and nearly everything.  Let me explain: Cyberspace in its totality comprises 5 Domains, multiplied by 3 Bundles, to give 15 “e-Compartments”; and these e-Compartments should be the focal points of and for specific protective and exploitative techniques and technologies, as appropriate.  This is a different, flexible approach better attuned to the rapidly changing world of technology.  It would take an extremely momentous event, or series of events closely related in time and space, to change and re-align all e-Compartments at once, or to render the techniques and technologies used for exploitation and security in more than a handful of them all obsolete at one and the same time.  I will also discuss cyber-breach consequences, and make commonsense recommendations.

5 DOMAINS:

(a) The Internet (“Net”) is its own domain, and comprises all systems and services accessible through same, as well as being the catch-all category for everything “online”.

(b) A second domain is the telecommunications networks (“Telco”), which cover phone, fax, voicemail, voice over I.P., videoconferencing, webcasting, and so forth.  The Net and Telco are becoming increasingly intertwined and to a large extent, near indistinguishable.

(c) Third is that complex of computers, servers, and thin and thick clients (“I.T.”) that drive, serve, and access the above 2 (“two”) domains and the remaining 2 (“two”) domains.

(d) The fourth domain, is that of mobile devices (“Mobile”), or the plethora of “steadily richer clients” in smartphones, PDAs, Notebooks, Tablets, and so forth; along with all the portable drives with capacities ranging from a few megabytes to many terabytes (or even “quigaflops”, as I have also blogged, elsewhere).[2]

(e) The fifth domain of Cyberspace may well surprise some of you, but it shouldn’t.   It includes paper!   Yesterday, today, and tomorrow are not the first times that people will walk critical papers, performances, paintings and portraits, and other personal or positive assets including intellectual property out of monitored or even secure locations, by taking their pictures.  This is the world of “P2ED”, where those papers, performances, paintings and portraits, and other personal or positive assets (collectively being the “P”), can be converted into Electronic Documents (meaning “2ED”), and thereby, in essence: “made to move, to order.”  Modern rapid scanning technologies, the camera-capture tools on almost every mobile data device now available on the market, and the staggering storage capacity of portable drives as earlier stated, mean that almost anything can be relocated in time and space almost instantly and quite completely; often without the victim or “targeted subject” being the wiser.  When you add-in the abilities of three-dimensional printers working with multiple pictures from multiple angles, or simple panned video footage, that “P” can be very easily reproduced in and as an “infringing facsimile”, in any place, at any time, and very many times.

An Electronic Document I would therefore, and expansively, define as: 1 (“one”) or more items of data, which may include metadata, created or collected or compiled by electronic means from a paper source or sources, an electronic or other source or sources, or a combination of these, and that is:

(i) organized in the same or substantially the same way as the original source or that otherwise characterizes and represents or presents the data in a cognizable format; and

(ii) capable:

(1) of being provided or published or posted or displayed or distributed or otherwise transferred by or to, or retained or reviewed as appropriate, by its creator or compiler, or by any other party or parties possessing the appropriate access permissions and utilities, or by both of the creator or compiler and others; or

(2) of being received or retrieved or acquired or accessed or analyzed or processed or altered as appropriate, by its creator or compiler, or by any other party or parties possessing the appropriate access permissions and utilities, or by both of the creator or compiler and others;

in such a way that makes it capable of being stored and therefore used for subsequent reference; and
(iii) capable of being replicated as is or in an alternate format by its creator or compiler, or by any other party or parties with the appropriate access permissions and utilities, or by both of the creator or compiler and others.

3 BUNDLES:

The three bundles by which to multiply each of the five domains, are: Hardware (“HA”), Software (“SO”), and Services (“SE”).

15 E-COMPARTMENTS:

A full treatment of this multiplication into the 15 e-Compartments, would take a very long time; and so, I gladly leave it to the reader.  However, and as a much abbreviated series of examples:

(i) Securing one compartment of the hardware (HA) in any or many domains may include access barriers or credentials verification, whether with keys and passes, or by biometric or other technical means.

(ii) Exploiting one compartment of the software (SO) in any or many domains may include knowing and using the vulnerabilities found and from time to time exposed in certain types of programs, where updates and antiviral or other protections are lacking, and in people, by means of social engineering.

(iii) Services (SE), you can further divide into at least 6 (“six”) sub-elements to create “sub-compartments” after the multiplication, of: (a) internal; (b) contracted; and (c) outsourced accredited service personnel, and then the same 3, once again, for actual services performed.  To secure your internal personnel, you would of course, have conducted background checks, and engage in some sort of “lawful” ongoing and periodic monitoring.  Securing contracted services, would involve due diligence of the providers, perhaps additional checks and balances on the personnel to do the actual work, and then of course, there is insurance, appropriate contractual terms including warranties and indemnifications from the provider, and other steps as are reasonable, and sometimes seen as unreasonable by the other side.  When they protest, it can be reassuring to see that they are paying attention and not so desperate for your business as to accept any and all conditions without a word.  Similar steps can also be taken to secure outsourced services, with additional precautions where offshoring or a sensitive industry (such as healthcare, or involving personal information or an especially vulnerable and protected class of persons like children, the disabled, the mentally-challenged, or the elderly), is involved.

(iv) If one were to look at Radiofrequency Identification (RFID) and Near-field Communications (NFC) for example, it becomes obvious how one size does not fit all e-Compartments when trying to secure HA (smart phone passwords), SO (against hacking, tampering, and redirection of funds or data sent or received), and SE (challenge and handshake protocols, and perhaps using geolocation – to the extent lawful – to guard against someone’s account being accessed with the same credentials, and apparently from the same device, in two or more jurisdictions at the same time, as spoofed, or in less time than one could reasonably be expected to travel between them).  Each Domain must therefore have and maintain its own set of techniques and technologies to secure HA, SO, and SE in RFID and NFC, as and where applicable, inter alia.
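The geolocation check described in (iv) is what detection engineers usually call an “impossible travel” rule.  The following is an added example, not code from the original article, showing how such a rule can be run over authentication events once the source of each login has already been resolved to coordinates (the IP-to-location lookup itself, and its lawfulness in a given jurisdiction, are outside the example).  The log format, the account and device names, the speed threshold of 900 km/h, and the 50 km “same place” tolerance are all assumptions made for the illustration.

```python
"""Impossible-travel check over constructed authentication events.

Each event is: ISO-8601 UTC timestamp, account, device id, latitude,
longitude (space separated), as a geolocation step might emit from the
source address.  Two logins for the same account that would require
faster-than-airliner travel, or that occur at the same moment from
distant places, are reported; a shared device id on such a pair is
noted, since the device was then most likely spoofed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: roughly a commercial airliner
SAME_CITY_KM = 50.0              # assumed: below this, treat as no movement

# Constructed sample log (not real data): Toronto -> London in 90 minutes
# on one device, Toronto -> New York over a working day, and two logins
# at the same instant from Ottawa and Paris on different devices.
SAMPLE_LOG = """\
2011-12-05T09:00:00Z alice dev-a1 43.65 -79.38
2011-12-05T10:30:00Z alice dev-a1 51.51 -0.13
2011-12-05T09:05:00Z bob dev-b7 43.65 -79.38
2011-12-05T17:45:00Z bob dev-b7 40.71 -74.01
2011-12-05T11:00:00Z carol dev-c2 45.42 -75.69
2011-12-05T11:00:00Z carol dev-c9 48.86 2.35
"""


@dataclass(frozen=True)
class LoginEvent:
    account: str
    device_id: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_event(line):
    """Parse one constructed log line into a LoginEvent."""
    ts, account, device, lat, lon = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return LoginEvent(account, device, when, float(lat), float(lon))


def find_impossible_travel(events):
    """Return (account, earlier_event, later_event, reason) findings.

    Events are grouped per account and walked in time order; each login
    is compared only with the previous login of the same account.
    """
    by_account = {}
    for ev in sorted(events, key=lambda e: (e.account, e.when)):
        by_account.setdefault(ev.account, []).append(ev)
    findings = []
    for account, evs in by_account.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < SAME_CITY_KM:
                continue  # same place to within geolocation error
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours <= 0:
                reason = "simultaneous logins from distant locations"
            elif dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
                reason = f"{dist:.0f} km in {hours:.2f} h"
            else:
                continue
            if prev.device_id == cur.device_id:
                reason += " (same device id: likely spoofed)"
            findings.append((account, prev, cur, reason))
    return findings


def analyze(log_text):
    """Parse a block of log lines and run the impossible-travel check."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return find_impossible_travel(events)


if __name__ == "__main__":
    for account, prev, cur, reason in analyze(SAMPLE_LOG):
        print(f"{account}: {prev.when:%H:%M} -> {cur.when:%H:%M}: {reason}")
```

Only consecutive logins are compared, so a slow-moving account produces no noise, and the tolerance radius keeps ordinary geolocation jitter inside one city from being reported.  In production the thresholds would be tuned per organization and the finding would feed a step-up authentication or a review queue rather than an outright block.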

3 CONSEQUENCES OF CYBER-BREACH:

Remediation:  This can include the costs of any combination of cash settlements; credit monitoring; credentials replacement for the impacted parties or persons; and changes in the compromised (or absent or insufficient) policies, procedures, personnel, and platforms.

Reputation:  Reputational damage can be felt by its effects on clients, who may leave or reduce their business dealings; labor markets where it may become harder to get the best and brightest talent; media and social media circles, not just the late night talk shows, which may all combine to continue and compound a storm that would otherwise have passed-by and been forgotten more quickly; and of course, insurance deductibles paid and heavier premiums going forwards.  Depending on the specific facts of the situation, the insurer may or may not seek to decline coverage or reduce the available benefits under the applicable policy or policies for errors and omissions, general liability, privacy, and otherwise.  Additional economic impacts may also be felt by issuers in greater “activism” of their shareholders.  The share prices may take a hit, impacting upon debt covenants, debt to equity ratios, leverage ratios – with or without ensuing margin calls – solvency, and directors and officers liability insurance policies, as well.  This, again, could build upon itself in a negative direction if not properly and timely managed.

Regulatory:  The possibility of heavy fines and penalties is always there, whether before or after grueling regulatory investigations that sap time, and resources, and money.  An entity may also face ongoing monitoring and operational restrictions that may go as far as mandatory supervision or takeover.  Suits at law or in equity, or both, may also accrue at a very fierce pace.

4 KEY COMMONSENSE RECOMMENDATIONS:

Systemic Security:  Secure the systems, and those who use and maintain the systems.  This involves the personnel security, the access controls, and educating everyone in the organization on the benefits of compliance with policies, as it could impact upon their salaries and bonuses, the viability of the business, and their jobs.  Where there is a tie-in to their personal realities, stakeholders who see and appreciate potential downsides will be more likely to buy-in to those business practicalities.

Active Management:  Have an Active (and not reactive) Management.  It is never a good recommendation to wait until something bad happens, before thinking about what you will do and how you will react when something bad happens.  More and more jurisdictions are enacting breach notification laws, and so this luxury is no longer an option; even if your jurisdiction has been slow to follow-suit.  Business, today, is hardly so uni-locational as to allow you to be ignorant of global best practices, and still expect to compete and succeed against the competition.  Join and form reputable local industry groups; develop a relationship with a good Public Relations firm; find and retain inside and/or contract and/or outside legal counsel that can cover you on the 3 (“three”) prongs of litigation and e-Discovery, regulatory compliance in your industry, and your contracting and labor practices – in all jurisdictions where you operate; have a solid Social Media presence and policy; and adopt and prepare and plan for, an all-hazards disaster response.

Internal Controls:  Active Management must monitor and verify the Systemic Security through internal controls, inter alia.  Your people must be following these wonderful policies and procedures, otherwise you have just been wasting paper in employee handbooks and handouts, and storage space on your intranet or bulletin board system.  Is Social Media being used responsibly during work time, and regarding work but outside the office?  Are employees following your portable data policies and mobile device policies?  Are contractors being properly segregated from physical areas, online accounts, and specific data that they are not authorized to access?  Are those with authority acting within and not exceeding their access, alteration, and audit authorities?  These and other questions must be asked and answered.  Industry-specific internal controls should include, for any entity with developers writing software or an I.T. department, a policy on Open Source Software (OSS), as I will further explain, below.

Legal and Regulatory Compliance:  Compliance is also very important.  If and when something goes wrong, it always helps to show that you did or were doing the right things, in accordance with law.  The hammer generally tends to fall harder on those who were lax in their compliance, as the weight of culpability becomes significantly harder to avoid.  This is especially important for entities that do not have any in-house legal personnel, which could mean that there is nobody keeping a regular eye on practices and policies that may well slip or dip from time to time, in the ordinary course of business.  The value of regular legal audits becomes that much greater, for a periodic “compliance fine-tuning”.  One area that requires careful scrutiny, tracking, and audits, is Open Source Software (OSS), which is far from being the “free software” that so many may think it is.  Incorporating someone else’s Intellectual Property in company products, or inadvertently contributing the employer’s Intellectual Property to an outside product, through off-time or online collaboration projects, could have dire results.  Some open source licenses will then require that you post all the source code for free and further use by all and sundry; damming a revenue stream and giving away valuable I.P. rights.  Employees and contractors whose contracts state that all they create belongs to the employer, should be made aware of this “significant risk area”, and have some restrictions placed on what they can and cannot do in terms of OSS, collaboration, and their skills as co-mingled with employer property.  The penalties for I.P. infringement, whether of copyright, patent, trademark, or trade secrets, can be severe.

SUMMARY:

This different, flexible approach to Cyberspace and its 15 e-Compartments should serve as a roadmap, in guiding your conceptual approach to the issues in a logical, and step-by-step or compartment by compartment strategy.  As the fields of e-Commerce, Cyberspace, and Cybersecurity grow by leaps and bounds and expand into, above and beyond the “Clouds” – at least until we are all hardwired to be and remain online, at the same time, and all the time – the above basic typologies should suffice and remain the same; and the 5 Domains of Cyberspace, as set out and identified so far, should hold fast, again absent any “category-killer-app” as a caveat.

Happy (belated) Cyber-Monday; and Merry Christmas, 2011!

Author:

Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Ekundayo George, Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3).  Published on September 1, 2011.  Available at: https://ogalaws.wordpress.com/category/strategic-consulting/cybersecurity/

[2] Ekundayo George, “M”edia Effectiveness. (Blog Tab).  Available at https://ogalaws.wordpress.com/media-effectiveness/

Introduction.

Hurricane Irene of late August, 2011, has come and gone, devastating the Eastern seaboard of the United States of America – especially Vermont and the Carolinas, and also causing damage in Quebec and the Canadian Maritime Provinces (Eastern Canada).[1]  As Hurricane Irene came at the start of hurricane season and shortly after the 5.8 magnitude earthquake of Tuesday, August 23, 2011, centered some 40 miles to the Northwest of the City of Richmond, in the State of Virginia,[2] this is as good a time as any to discuss and promote a more comprehensive approach to our collective Cybersecurity.  I will cover the specific topic of portable data security in another post.

In addition, 2011 has witnessed successful Cyber-hacks on notable businesses, national governments, and government agencies and departments that were thought to be tech-savvy, very well protected, and up to date in their Cybersecurity practices.[3]  However, we should distinguish the “hacktivists”[4] from the “covert snoops”[5] and from the “news-related snoops”;[6] even though they may all look and sound and feel the same, to the hacked.  In essence, we must all realize and always remember that “Destabilizing Data Disaster” (D3) can actually touch anyone, anytime, and as a result of almost any cause or event.  Fortunately, destabilizing need not mean or equal debilitating, if adequate, reasoned, directed planning and preparation have been done; as do BIRDS for the BEES.

BEES & BIRDS.

BEES:

Destabilizing Data Disaster (D3), can be caused by 3 (“three”) main event groupings and 5 (“five”) specific elements, under a “BEES” typology.  These are: (i) Breach Entries; (ii) Environmental, or Economic, or Exported Strictures; and (iii) Engineering Social.

(i) Breach Entries, are intentional intrusions that may or may not be targeted at data retrieval.  The breach factor, refers to the intentional circumvention or disabling of security protocols and barriers to entry.  Examples include denial of service, defacing after gaining administrator privileges, and physical removal, alteration, or destruction of critical hardware, software, or information.  This category also covers the actions of disgruntled employees or contractors, whose actions exceed their authority, occur outside the law, or appear to be lawful and legitimate but are done with malicious intent.

(ii)(a) Environmental Stricture, is defined as a compromised functionality due to an environmental event, be it flooding (such as with a swollen river), loss of power due to some weather-related incident (such as with a snowstorm that takes-down power lines), or extreme heat that compromises a power substation or transformer to the point of failure, where there is no backup power, or there is insufficient backup power, on hand.

(ii)(b) Economic Stricture, is defined as a compromised functionality due to an economic event, whether or not foreseeable, such as a bank foreclosure on one’s own premises and assets for non-payment of debt; a dispute with a critical vendor that has a delayed or immediate operational impact; being the subject of a legal injunction; or, being the target of any government action of a regulatory or enforcement nature, including but not limited to investigation or nationalization, with a delayed or immediate data operational impact.

(ii)(c) Exported Stricture, is defined as the impact suffered by the subject entity, when any or all of the other 4 (“four”) BEES options here listed, befall a critical vendor, a critical customer, or a group of vendors or customers to the point of criticality, such that the stricture cascades in data impact and is exported one or more times along the chain.

(iii) Engineering Social, is defined as the tools and technologies that lure people into sharing or divulging critical access information, or otherwise personal or confidential information that can lead to access or identity theft, phishing, or data mining in the hands of a knowledgeable recipient with malicious intent.  The result can be a loss of secret, confidential, or otherwise proprietary information, which will certainly cause great embarrassment; which may bring legal action from aggrieved parties; and, which may ultimately need to be reported and publicly disclosed across multiple jurisdictions in accordance with then applicable data retention and protection laws.[7]

BIRDS.

As the BEES can occur and swarm in combination, the means to guard against them must be similarly flexible and comprehensive.  From my consultations with and work for corporations and executives in various jurisdictions, I have been able to use a variety of privacy impact assessments of events, reactions, advances in technique and technology, and adaptations, to devise a “BIRDS” Cybersecurity typology for dealing with the BEES.  Individual client circumstances will, however, vary, as the steps must be specifically tailored with additional, custom inputs.  In addition, a comprehensive Cybersecurity policy must be well-structured, well-entrenched, well-managed, and actively monitored with comprehensive follow-up, in order to have optimum results.  This general scheme, below, though, should get the appropriate Cybersecurity professionals, employees, and managers with budgetary authority, all on the right train of thought, and at the same time.

The 5 (“five”) below points must be taken and comprehensively assessed and addressed in the order that best fits the entity, in light of its then current position, its future plans, and other custom metrics and analyses beyond the scope of this basic introduction.  Presented here simply in the order that gives them their name, these points, are:

Point 1: “Backup and hardening” means it is vital to ensure that any data farm always has an adequate system for emergency power and management, and offsite data backup.  Remote operation and re-boot, as well as using cloud technologies, may be considered.

Point 2: “Imperatives of full compliance with law”, should be paramount for the entity concerned.  There may be legal and regulatory requirements specific to the industry (such as data retention and protection laws), there may be industry or professional standards or best practices that have the force of law (such as with self-regulatory professional and licensing bodies), or, there may be specific requirements related to investigations or legal proceedings (such as for search warrants and document production in Discovery), or in relation to specific corporate events (as with due diligence on a merger or acquisition).

Point 3: “Rights of verification and correction”, for the data gathered, data held, and data that must or may be disclosed, should be specifically assigned and well-known across the entity.  To the extent prescribed by law in the applicable jurisdiction, the persons on whom and on behalf of whom the data is held, may also have a right to verify and correct.

Point 4: “Data integrity”, as a mandate, makes it similarly vital to follow industry best practices to the extent that they exist, and ensure that all employees know them and are trained to stay up to date (which may give some protection against legal claims, and perhaps, a reduction in premiums from insurers).[8]  This point also involves having, using, and maintaining reliable systems and protocols for input management regarding the data, intrusion prevention and detection, incident management, and then following-up to push through the requisite improvements in policies and procedures from lessons learned.

Point 5: “Site and System access protocols”, should, likewise be paramount for the entity.  Passwords became pass keys, then combinations and security tokens,[9] and now the field is being populated by an ever-expanding array of biometric applications.  Here, again, it is important to know the local law of the applicable jurisdiction.  In Canada, for example, certain occupations and procedures can mandate a Certified Criminal Record Check.[10]  In all cases, it remains vitally important for an entity to control who has access to the data system and from where.  Staggered edit authorities and segregated levels of both physical area access and system and subsystem access, are and will ever remain, highly advisable.
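Point 5’s “staggered edit authorities and segregated levels” of subsystem access, and the Internal Controls question in the earlier post of whether those with authority are acting within their access, alteration, and audit authorities, both come down to the same mechanism.  The following is an added example, not the author’s or any product’s code, of a small authorization policy that keeps those three authorities separate per subsystem, refuses to let one person both alter a subsystem and audit it, ties a grant to where the request comes from, records every attempt that exceeds a grant so the “acting within authority” question can be answered from evidence, and revokes everything on departure.  The subsystem name “erp/inventory”, the principal names, and the source labels (“office-lan”, “vpn”, “public-wifi”) are constructed for the illustration.

```python
"""Segregated access, alteration and audit authorities per subsystem.

Added illustration of least privilege with separation of duties: each
principal holds explicit authorities per subsystem, a grant may be
limited to named request origins, audit is never combined with alter,
and every denied attempt is kept for review.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Authority(Enum):
    ACCESS = "access"   # read records
    ALTER = "alter"     # create, modify or delete records
    AUDIT = "audit"     # review grants and the denial log


@dataclass
class Grant:
    subsystem: str                 # constructed name, e.g. "erp/inventory"
    authorities: Set[Authority]
    sources: Optional[Set[str]]    # allowed request origins; None = anywhere


@dataclass
class AuthzPolicy:
    grants: Dict[str, List[Grant]] = field(default_factory=dict)
    # (principal, subsystem, action, source) for each attempt beyond authority
    denials: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def authorities_for(self, principal, subsystem, source=None):
        """Authorities held on a subsystem; source=None ignores origin limits."""
        held = set()
        for g in self.grants.get(principal, []):
            if g.subsystem != subsystem:
                continue
            if source is not None and g.sources is not None and source not in g.sources:
                continue
            held |= g.authorities
        return held

    def grant(self, principal, subsystem, authorities, sources=None):
        """Record a grant, refusing one that would let a single person both
        alter a subsystem and audit it (separation of duties)."""
        combined = self.authorities_for(principal, subsystem) | set(authorities)
        if {Authority.ALTER, Authority.AUDIT} <= combined:
            raise ValueError(f"{principal} would hold alter and audit on {subsystem}")
        self.grants.setdefault(principal, []).append(
            Grant(subsystem, set(authorities), set(sources) if sources else None))

    def revoke_all(self, principal):
        """Offboarding: drop every grant the principal holds; returns the count."""
        return len(self.grants.pop(principal, []))

    def check(self, principal, subsystem, action, source="unknown"):
        """True if the action is within authority from this source; otherwise
        the exceedance is logged and the action is denied."""
        if action in self.authorities_for(principal, subsystem, source):
            return True
        self.denials.append((principal, subsystem, action.value, source))
        return False


def demo_policy():
    """Constructed scenario: one inventory subsystem, three principals."""
    p = AuthzPolicy()
    p.grant("sysmgr-1", "erp/inventory", {Authority.ACCESS, Authority.ALTER},
            sources={"office-lan", "vpn"})
    p.grant("planner-2", "erp/inventory", {Authority.ACCESS})
    p.grant("auditor-3", "erp/inventory", {Authority.AUDIT, Authority.ACCESS})
    r = {
        "planner_reads": p.check("planner-2", "erp/inventory", Authority.ACCESS, "office-lan"),
        "planner_alters": p.check("planner-2", "erp/inventory", Authority.ALTER, "office-lan"),
        "sysmgr_alters_from_office": p.check("sysmgr-1", "erp/inventory", Authority.ALTER, "office-lan"),
        "sysmgr_alters_from_cafe": p.check("sysmgr-1", "erp/inventory", Authority.ALTER, "public-wifi"),
    }
    try:
        p.grant("auditor-3", "erp/inventory", {Authority.ALTER})
        r["auditor_gained_alter"] = True
    except ValueError:
        r["auditor_gained_alter"] = False
    r["grants_revoked_on_departure"] = p.revoke_all("sysmgr-1")
    r["sysmgr_after_departure"] = p.check("sysmgr-1", "erp/inventory", Authority.ACCESS, "vpn")
    r["denials"] = list(p.denials)
    return r


if __name__ == "__main__":
    for key, value in demo_policy().items():
        print(f"{key}: {value}")
```

The denial log is the part most often missing in practice: without it, an internal-controls review can only confirm what people were allowed to do, not whether anyone tried to go beyond it.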

Summary.

The writing is on the wall, and everyone, as data consumer, handler, and producer, should take personal data security and the collective Cybersecurity, very seriously; especially as we see that top corporations and governments with access to significant technical talent and financing, have been and continue to be, hacked on an alarmingly frequent basis.  The above, however, are some steps and “BIRDS” that any entity may take in hand, alone, or a group of entities or industry may take in hand together, as a “flock”, in order to guard against “Destabilizing Data Disaster” (D3), and to hold off and discourage those troubling swarms of “BEES” gathering, ominously, on the horizon – at least for a time.

Author:

Ekundayo George is a Lawyer and Strategic Consultant.  He is a published author in Environmental Law and Policy; licensed to practice law in multiple states of the United States of America, as well as Ontario, Canada; and has over a decade of solid legal experience in business law and counseling, diverse litigation, and regulatory practice.



[3] http://www.bbc.co.uk/news/technology-13686141 (“A Brief History of Hacking”).

[4] Id.

[5] http://www.upi.com/Top_News/World-News/2011/02/17/Canadian-government-computers-hacked/UPI-21551297945502/ (Government of Canada suffers major hack attack); http://www.bbc.co.uk/news/technology-13626104 (Top United States Government employees and private sector company executives suffer email hacks).

[6] http://www.bbc.co.uk/news/uk-14685622 (Public figures in the United Kingdom suffer from the intentional hacking of their voicemails).

[7] Many jurisdictions operate under highly complex webs of privacy and data retention laws and regulations covering such areas as: banking information, health information, law enforcement and national security, employment-related information, tax information, electoral rolls, and so forth.  It is important to know the laws of the jurisdiction or jurisdictions within which one operates, or more frequently nowadays – “is deemed to be operating”.  You should always consult competent local legal counsel for specific guidance that is pertinent to your situation, and the facts.

[8] Numerous industries in North America, Canada, and Europe, have specific industry groups – and lobbyists – that enable the meeting of stakeholders and governments on a regular basis to formulate best practices, establish limits on liability, and otherwise shape applicable legislation and regulations in a way that protects the consumer, provides a degree of legal certainty, and enables the industry to thrive by ensuring direct participants that a given level of risk-taking will not be unduly thwarted, and ensuring investors that their investments will be both protected and rewarded.

One example of a health and safety standard is the concept of ALARA (“As Low As Reasonably Achievable”), which received a detailed analysis at the United States Supreme Court, in the case of Silkwood v. Kerr-McGee, 464 U.S. 238 (1984), in reference to workplace radiation exposure in the nuclear energy field.  The concept has since been adopted across other industries using radioisotopes, such as the medical field (See, for example the Health Canada Guidelines on using diagnostic ultrasound): http://www.hc-sc.gc.ca/ewh-semt/pubs/radiation/01hecs-secs255/rec-eng.php

The concept is also used, as modified, in the field of health and safety in the United Kingdom, where it is termed “As Low as Reasonably Practicable” (ALARP) http://www.hse.gov.uk/risk/theory/alarp.htm, or “So Far as Is Reasonably Practicable” (SFAIRP).  The two are often used interchangeably http://www.hse.gov.uk/risk/theory/alarpglance.htm

Similarly, in a Report published on June 8, 2011, the Internet Policy Task Force of the United States Department of Commerce proposed best practices for the Internet, that, if followed, would reduce an entity’s Cybersecurity insurance premiums due.  That report is available at: http://www.nist.gov/itl/upload/Cybersecurity_GreenPaper_FinalVersion.pdf

Additional background on the thinking behind this initiative, can be found here http://www.darkreading.com/cloud-security/167901092/security/security-management/230500089/commerce-department-proposes-voluntary-security-best-practices-for-businesses.html

[9] Of note, is the embarrassing fact that a purveyor of security tokens used to protect banking and corporate network access, was recently hacked http://www.bbc.co.uk/news/technology-12784491 (“Hackers tackle secure ID tokens”).

[10] http://www.rcmp-grc.gc.ca/cr-cj/fing-empr2-eng.htm (Background information on the Certified Criminal Record Check procedure, from the Royal Canadian Mounted Police (RCMP)).
