
Verizon recently released its 2013 Data Breach Investigations Report, and the outlook for organizations trying to protect their intellectual property is dire.  Cyber-based corporate and industrial espionage has risen so dramatically in the last year that intelligence officials are asking boardrooms across the U.S. to be more vigilant against cyber-criminals who are motivated by financial gain to steal intellectual property and trade secrets.  Former U.S. intelligence chief John “Mike” McConnell stated that “unless urgent action is taken, the U.S. faces a ‘cyber’ equivalent of the World Trade Center attack.”

The Chinese and U.S. economies are so inextricably linked that China naturally is the main culprit for targeted theft of confidential business information and proprietary technologies.  However, many other state-sponsored and political “hacktivist” groups are actively stealing corporate digital assets.  The proliferation of employee-owned mobile devices in the workplace, along with antiquated network systems, has allowed cyber-criminals to access corporate databases at unprecedented levels.  Saudi Arabian oil producer Aramco was recently the victim of a massive cyber-attack in which 30,000 desktop PCs were wiped, in what one can only presume was designed to disrupt oil production.  Additionally, JP Morgan Chase, Wells Fargo, and Bank of America were victims of a sustained distributed denial of service (DDoS) attack that appears to have originated overseas.

What frustrates investigators most when a breach of corporate data occurs is the lack of internal and external controls within the organization.  While readily available technology allows organizations to address security issues, it is often a failure to properly train and educate employees that makes intellectual property so easy for cyber-criminals to obtain.  Technology alone will not prevent the theft of intellectual property.  Organizations must have a “tone at the top” mentality when it comes to awareness training and policy creation around cyber-security.

As reported in The Wall Street Journal today, Netflix, Inc., has filed documents with the Securities and Exchange Commission (“SEC”) stating its intent to disclose “material information” on its corporate Twitter feed, Facebook page, and blog, as well as the Facebook page of its CEO.  The Los Gatos-based company will continue to file traditional disclosures, regarding important company information, but the filing is a first for any publicly-traded company and will likely not be the last.

How quickly other organizations adopt Netflix’s example will depend upon an internal assessment of the risk of running afoul of decades-old rules that are designed to protect consumers and investors from fraudulent activities.  The SEC has signaled an unwillingness to update years of regulatory legislation in response to new technology, out of fear that doing so would create a slippery slope of deceptive or “puffed” disclosures and activities.  Frustrated by this unwillingness, many financial industry and Wall Street firms are seeking guidance on how to apply social-media disclosures to antiquated regulatory requirements.

An example of this frustration is whether a third party’s use of the “like” button on a financial services company’s Facebook page, or endorsing an advisor’s skills on LinkedIn, could be viewed as an improper testimonial as defined under applicable regulations.  Such an act could potentially subject the company, and/or the individual, to penalties and jail time.  Financial services firms seek relief from the regulatory bans that prohibit testimonials in advertisements, but the SEC considers them to be “inherently misleading,” and suggests that firms get pre-clearance before posting on social media sites.

Therefore, while the SEC seems to have acknowledged the presence of social media in our daily routines, it still remains skeptical on how it is going to be applied in our everyday world and will leave it up to the organizations to police themselves.  In this regard, a proper assessment of social-media use within an organization is an emerging talking point across most boardrooms in America.

On July 1, 2013, the Federal Trade Commission (“FTC”) will begin enforcement of new regulations pertaining to the Children’s Online Privacy Protection Act of 1998 (“COPPA”).  For two years, regulators had sought to update COPPA “with the times” by expanding the law beyond its original intent - to prevent web-based companies from obtaining personal information of children without their parents’ consent.  Tablet and smartphone devices have propelled the app industry into a multi-billion dollar market, but it is the mechanics of how the app industry makes its money that has regulators concerned.  The business model for most app development firms is to build a product that consumers can download for free on their mobile device; in exchange, the consumer allows data collected by software embedded in the app to be sent to a third-party data aggregator, who then returns the aggregated data to the developers for their discretionary use.

Software application firms are wary of the new rules because they fear regulatory fallout from developing a game, like Angry Birds, and having it classified as a “kid app” under the new COPPA rules.  Such a designation would subject the game designer to strict regulatory requirements or civil penalties.  The FTC has signaled that it will define what constitutes a “kids’ app” broadly, and suggests that all software firms know the law if they plan on building an app with a cartoon character in it.  Enter the lessons learned from Big Tobacco…

In the mid-1990s, Big Tobacco faced an onslaught of class action and regulatory (i.e. FTC) lawsuits that would end up fundamentally changing the way the industry advertises its products to the general public.  On or about September 12, 1997, the tobacco industry was informed that “Joe Camel in California is dead.”  The maker of the Joe Camel marketing campaign, R.J. Reynolds, repeatedly denied that it was targeting smoking to minors, and stated that the Joe Camel campaign was directed at “adults in their 20s who choose to smoke.”  However, R.J. Reynolds settled the numerous lawsuits by agreeing to a cash settlement payout and dropping the ads that depict Joe Camel.

Now one would logically ask how in the world kid apps and the targeting of smoking to minors belong in the same discussion.  The answer to that question lies in a minor’s ability to make an intelligible, informed decision.  For years Big Tobacco lawsuits addressed the health, safety and public welfare issues related to minors smoking, but it was not until Joe Camel was literally put on trial that the issue of a minor’s informed consent was raised.  How possible is it for a minor to distinguish between a simple cartoon character and the message that cartoon character is sending?

Similarly, app industry advocates suggest that in order to offer free software apps, data collection about the user, like time spent on the device, is needed to ensure the long-term ability to offer targeted advertising (which is where their money is made).  Additionally, app providers fear losing important third-party data aggregators, because the data aggregators don’t want to deal with the regulatory headache of COPPA.  Online privacy advocates, like their predecessor anti-smoking advocates, state that the lucrative children’s technology market needs basic fundamental safeguards in place to prevent minors from being preyed upon by Big Data advertisers.  Is it incredulous for app development firms to know when your child goes to sleep, eats, uses the bathroom, etc., based on their login/logout times?  Is there an expectation that a minor has the capacity to fully understand that their location may be accessed remotely via the mobile device they are walking around with?  In that sense, a seven-year-old boy or girl will log in to Angry Birds expecting to smash pigs and hippos, and not fully comprehend the impact of his or her actions.

Stagnation is the worst thing that could happen to any organization, and never being satisfied with the status quo is what sets successful organizations apart.  Application firms need to change the development process to make regulatory compliance a core part of their design programs – but is that necessarily a bad thing?  Big Tobacco companies have survived now for almost 15 years without Joe Camel by adapting the strict regulatory requirements into their advertising campaigns.  In this vein, software application firms are no different – at least the innovative ones.  The future of the software application industry depends upon its ability to develop a product that is adaptable to emerging trends.

Earlier this month, March 8, 2013, the Ninth Circuit U.S. Court of Appeals issued a ruling related to the warrantless forensic examination of electronic data on a laptop that was seized at the U.S.-Mexico border in Arizona (U.S. v. Cotterman, No. 09-10139).  The fallout from the U.S. v. Cotterman ruling is significant in that, going forward, law enforcement agencies, absent some “particularized” suspicion, will be barred from conducting an unfettered dragnet of electronic data stored on hardware devices brought into the U.S. by international travelers.  The 9th Circuit’s determination of a “reasonable suspicion” requirement is consistent with its other rulings involving the search and seizure of electronic data.

The Court opined that the “uniquely sensitive nature of data [stored] on electronic devices” gives rise to a significant expectation of privacy that renders an exhaustive exploratory search, or in Cotterman’s case a forensic search, more intrusive than a mere cursory scan, or quick look, through the electronic device.  The Court continues: “digital media nowadays contains volumes of intimate details of our lives.  It is simultaneously an office and personal diary.  This type of material implicates the 4th Amendment’s specific guarantees of the people’s right to be secure in their papers.”

In the “cloud,” an electronic device (i.e. laptop) is merely a conduit for accessing user data that, in earlier times, would be akin to sensitive “papers” found in the home – thus triggering 4th Amendment protections for the cloud data.  While the information stored in the “cloud” may not itself cross the U.S. border, it may appear as a “seamless part of the digital device when presented at the border.”  In making reference to cloud computing technology, the Court seems to not distinguish between the type of hardware being used to store electronic data.  Regardless of whether the device is mobile, like a laptop, or stationary, like a server, a warrant is needed, absent reasonable suspicion, to search the content of any electronic device.

The Cotterman conclusion is consistent with, and builds upon, other “electronic data” 4th Amendment cases brought before the 9th Circuit.   In U.S. v. Comprehensive Drug Testing (the “Balco” case), the Court was asked to determine the proper administration of a search warrant.  In the Balco case, the Court determined that special, independent third-parties must segregate and redact seizable data from non-seizable data when the Government wants to execute a search warrant of electronic databases.  Again, the Court is trying to prevent the Government from conducting an unfettered dragnet on persons who might not even be aware that information is being seized about them.

As for Mr. Cotterman’s narrative, the Court did conclude that the forensic examination of his laptop required a showing of reasonable suspicion, however the facts, viewed in totality of the circumstances, supported the Government’s assertion that the border agents had acted upon reasonable suspicion in conducting the initial search of Mr. Cotterman’s laptop and subsequent forensic examination.

The United States Telecom Association, whose member representatives include Internet service provider’s like CenturyLink, AT&T, and Verizon, appears to have blocked a Federal Communications Commission advisory panel’s recommendation on measures needed to deal with the nation’s cyber-security problem.  The lack of an agreement on Internet regulatory oversight highlights growing tension between the Obama administration’s directive, which orders federal agencies to develop a cyber-security framework for specific industries, and private sector industries, which view government oversight as stifling innovation and “not flexible.”

Advocates for regulatory oversight suggest that the federal government should develop a set of strict security standards that are developed in “concert” with the National Security Agency and other agencies.  However, Telco advocates say that a “checklist” of government standards would be “clunky,” create an additional layer of unnecessary bureaucracy, and potentially expose ISPs to liability for failing to prevent cyber-attacks (since a vast majority of malicious code travels over the fiber optic pipes owned by Telco’s). 

The irony behind the Telco industry lobbying against a checklist of standards for fear that their industry would become “clunky” and “bureaucratic” is lost on anyone who has never made a customer service call to Verizon, AT&T, et al., or taken a tour of a telecommunication co-location facility.  A response to the “bureaucratic” position requires little mention, simply because of its absurdity.  A co-location facility, which is the physical aberration of the Internet “clouds,” can best be described as a large, climate- and air-controlled office space with a seemingly endless series of interconnected wires, metallic racks stuffed with servers, switches, routers, processing units, “fan noise” and blinking yellow, blue, red, orange, and white lights that resembles Dr. Seuss’ Thinga-ma-jigger - it’s the definition of already being “clunky.”

In fairness to the regulatory oversight advocates, the government has been telling the private sector for years that self-regulation is a preferred option, but even self-regulation has its limitations.  Organizations cannot self-regulate, because they themselves have become, or are, too bureaucratic – and this is not limited only to the Telco industry.  If the Telco industry wants to have a straight-faced discussion on why a checklist of standards would not work, then they should look no further than the financial sector.

The financial industry has tried its own version of self-regulation in the form of the Payment Card Industry Data Security Standard, or as it is more commonly known, “PCI Compliance.”  Banks and credit card companies love to show regulators that they have their act together when it comes to the issue of cyber-security, because participating members must be in compliance with the set of standards articulated by the PCI governing body (which is exclusively made up of banks and credit card companies).  The problem with the PCI checklist is that, regardless of when a breach of data will occur (and it will),  the customer, not the credit card companies,  will still be liable for the loss in data.  There is no “risk transference” in the PCI standard, and therefore what’s the incentive for customers to be PCI compliant?

Consider the Heartland Payment Systems (HPS) data breach case - at the time, the HPS data breach was the world’s largest release of unauthorized data; HPS was PCI Compliant; HPS ended up with numerous pending class action lawsuits as a result of the data breach; the PCI governing body “revoked” their compliance AFTER the breach; and HPS is still in business today.  Result:  can a checklist of standards have any teeth if a company is “certified” compliant one day, and a cyber-incident occurs on another?

As the U.S. intelligence community prepares to militarize its cyber-units for warfare in a virtual world, the rest of us are left to wonder how we can protect our asset resources from a “virtual attack.”  Cyber-warfare and espionage have now supplanted terrorism as the greatest threat to our national infrastructure.  As a result of more mainstream media coverage, the daily digital assault on our government and private sector IT infrastructure has begun to show the level of vulnerability exploited by advanced persistent threats (“APTs”), and the economic impact to the U.S. economy is in the tens of billions of dollars.  Intelligence officials testified Tuesday that computer technology is evolving faster than security experts can respond, and if the anticipated budget cuts from the Sequestration are allowed to proceed, then the outlook for preventing a cyber-attack becomes more challenging.

The reality of our cyber-world today is a Dr. Seussian-like “thinga-ma-jigger” of patches and fixes that dissuades a direct attack, but allows the perpetrators’ resulting response to flank the targeted organization or individual.  The negatives of this existing mind-set are namely that it is (1) very costly to keep updated; (2) costly to consumers; and (3) other areas of the organization become underfunded.  Our existing IT infrastructure fails miserably at securing mission-critical data, because it is too rigid and static.  Because of this, a “Maginot Line” of useless fortifications and obstacles has been constructed by our military and technical leaders.


The Maginot Line is named after the French Minister of War, Andre Maginot (1877-1932), and was a line of concrete fortifications, tank obstacles, artillery casemates, machine gun posts, and other defenses, which France constructed along its borders with Germany and Italy, in light of its experience from World War I, and in the run-up to World War II. The Maginot Line was considered state of the art at its time, and was impervious to most forms of attacks, however, a weakness of it was its ability to be flanked, and the rest, as they say, is history.

In order to better prepare for a cyber-attack, the U.S. government and organizations should consider a paradigm shift in responding to threat vulnerabilities.  The shift should be from a defensive, or reactive, policy management structure of Dr. Seuss-like readiness, to a proactive comprehensive data governance framework that underscores our commitment to the preservation and protection of our mission-critical data, good will, intellectual property, trade secrets, and other proprietary information.  A proactive data governance policy framework is a realistic outcome that private organizations and individuals can work towards. 

From the outset, a data governance framework requires active C-level participation in order to create accountability and ownership to the various stakeholders, regulators, and the general public at large.  The message is one of commitment: that senior management is actively engaged in its daily management functions.  Moreover, in “leading by example,” senior management is in the best position to (1) articulate the importance of mission-critical data protection; (2) define the scope and objectives fundamental to the framework’s success; and (3) quantify the business value of the framework to the employees and business partners.  Upon successful implementation of such a framework, private organizations (for-profit and non-profit alike) will have created a compliance-based culture, centered on information protection, which will increase productivity and embolden consumer confidence.

Tomorrow I will be boarding a red-eye flight to Boston to speak at prestigious Harvard University on the topic of cyber-bullying.  The term cyber-bullying can be defined as using any form of electronic communications to harass, torture, threaten, or humiliate another person.  In an unrelated, but ironic, headline I read in this morning’s The New York Times, Harvard University officials are accused of secretly searching the e-mail accounts of 16 resident deans in response to leaked information about a student cheating scandal at the school.  Adjectives like “shocked and dismayed,” “bewildered,” “dishonorable” and “breach of trust” were used by faculty members to describe how they felt upon learning that e-mail accounts were secretly searched.

Generally, as a private institution, Harvard University may conduct searches of workplace computers and e-mail accounts without the consent or knowledge of the individuals whose accounts are the subject of the search.  However, Harvard faculty policy states that while the administration can search a Harvard faculty e-mail account as part of an internal investigation, it must notify the faculty member beforehand or soon after. In this case, the notification followed after about six months.  Is the notification of the search six months after-the-fact sufficient to be considered “soon” enough “after” the internal investigation?

In preparation for my presentation at Harvard on Wednesday, I cannot help but correlate the content of my discussion to whether the search of the computers, while legal, constituted a form of cyber-bullying by University officials.  A resident dean’s job function is to advise undergraduate students on a myriad of issues that may affect them while attending Harvard, but it comes with no job security.  The resident dean is in a purgatory of fiduciary obligations between the University, which pays their salary, and the undergraduate students, whom they are to serve.  When a conflict arises between the two “masters,” which one supersedes the other?  Does the University not have an obligation to protect its brand/image to other stakeholders?  Is this conduct to search the accounts, while legal, unethical?  Should the students be advised that the resident deans are not their fiduciary representative?  If so, what is the purpose of the resident dean?

The basis for the search is related to an alleged on-going scandal whereby approximately “70 students were forced to take a leave from Harvard for collaborating or plagiarizing on a take-home final exam in a government class last year.”  The leaked internal memo, sent to all the resident deans last fall, discussed how they should advise the students who stood accused of cheating.  To determine whether the officials’ conduct would be considered cyber-bullying, the fact-finder would need to examine the extent to which the lack of job security and understanding of fiduciary obligations put the resident deans in a position where they were feeling threatened or harassed.
