Analyzing The Law

So I am back in school AGAIN (I’m a life-long learner), augmenting my not so slow-paced job.

Let’s just say that at this point, I recognize that the more I know, the more I don’t know anything.

The class that I am taking now is Cyberlaw, and while I did take law in business school–many moons ago–that was more focused on contracts and business organizations.

This class looks interesting from the perspective of the legal and regulatory structure to deal with and fight cybercrime, -terrorism, and -war.

One interesting thing that I already learned was a technique for evaluating legal cases called IRAC, which stands for:

– Issues–the underlying legal matters that the case is addressing.

– Rules–what legal precedents can be applied.

– Analysis–whether those rules apply or not, in this case.

– Conclusion–rendering an opinion on the case.

This is a structured way to analyze any legal case.

Of course, before you do these, you have to look at the facts–so that is the very first section.

The problem with that is then you have F-IRAC and that can definitely be taken the wrong way. 😉

(Source Photo: Andy Blumenthal)

Amazing Internet Statistics 2012

So what happens in only 1 minute on the Internet–this cool magazine Ideas and Discoveries (October 2012) provides some amazing examples:

– Information Sharing–639,800 gigabytes of data are exchanged

– Information Generation–6 new Wikipedia articles are created

– Information Visualization–20,000,000 photos are looked at on Flickr

– eMail–204,000,000 emails are sent

– eCommerce–$83,000 of sales on Amazon

– Social Networking–320 new users on Twitter and 100 on LinkedIn (wonder how many for Facebook…)

– Cyber Crime–20 new victims of identity theft

And in the same month, Harvard Business Review reported on the growing significance to commerce with the Internet contributing to GDP (in 2010) as much as:

– 8.3% in the UK

– 7.3% in South Korea

– 5.5% in China

– 4.7% in the US

– 4.7% in Japan

– 4.1% in India

Moreover, HBR reported what people are willing to give up instead of the Internet for a year–and the numbers are pretty startling–check this out:

– 91% of UK would give up fast food

– 89% of Indonesians would give up smoking

– 86% of Japanese would give up chocolate

– 85% of Chinese would give up coffee

– 78% of Indonesians would give up their shower

– 60% of Japanese would give up exercise

– 56% of Chinese would give up their car

– 56% of Japanese would give up sex–go figure! 😉

While this is all sort of light, there is also a very serious dimension to this. For example, the Wall Street Journal today quotes Secretary of Defense Leon Panetta warning that with Iran’s digital assault on the U.S., the concerns of cyberwar are growing, with the SecDef going so far as to say “Is there a cyberwar going on? It depends on how you define war.”

Yes, the Internet is amazing for so many reasons and we can’t take it for granted–we need to be vigilant and defend the Internet (cyber) with the same zeal and commitment as the other domains of war–land, sea, and air–all are vital to national security and for the preservation of life, liberty, and the pursuit of happiness.

This is a lesson we need to learn quickly and decisively–before the old Star Wars is passe and cyberwar turns deadly.

Crashing The Internet–Are We Prepared?

Almost week after week, I read and hear about the dangers of cyber attacks and whether “the big one” is coming.

The big one is what some experts have called a pending “digital Pearl Harbor.”

Just last week, the Federal Times (13 June 2011) wrote that the “U.S. government computer networks are attacked about 1.8 billion times per month.”

The Center for New American Security (CNAS) states that deterring and preventing cyber attacks will require “stronger and more proactive leadership.”

Charles Dodd, a cyber security consultant in D.C. warns that “You’ve brought a stick to a gunfight, and you’re arrogant about your capabilities.”

So the question is–are we really paying attention to and being realistic about the probability and magnitude of the impact of the cyber threat out there?

Certainly, with so much critical infrastructure–from government, military, and private industry–dependent on the Internet, the effects of a concerted or prolonged cyber attack on our country would be devastating as documented most recently in The Lipman Report (October 2010) on “Threats to the Information Highway: Cyber Warfare, Cyber Terrorism, and Cyber Crime” as follows:

– “There is a great concern regarding the types of destructive attacks that are already occurring, but an even greater concern for the unknown that is yet to happen but is almost certainly even now in development. Cyberspace touches nearly every part of our daily lives.”

It is in this regard that I read with serious concern today in ID Magazine (August 2011) that the University of Minnesota has “demonstrated in a simulation how an attack with a large botnet (a network of remotely-controlled PCs) could shut down the Internet.”

And it took only 20 minutes to trigger the chain reaction in which “manipulated routers overloaded all other Internet routers worldwide…mak[ing] it impossible for Internet address to be found.”

Granted it would take around 250,000 computers to carry out such an attack, but with the billions of people online with computer devices of all sorts…that does not seem like an inordinate amount to press forward with for a coordinated attack.

So the Internet in theory can be crashed!

Just think for a moment about how that would impact you and what you do every day…would anything be the same? Could we even function normally anymore?

As we move more and more of our applications, data, and infrastructure online to the cloud, we need to consider what additional risks this brings to the individual, the organization, and the nation and how we can respond and recover should something happen to the Internet.

In the Federal government there are many agencies, commands, task forces, and groups working to secure the Internet, and at the same time, there are separate efforts to modernize and reform IT and reduce unnecessary expenditures, so what we need to do is better integrate the drive to the cloud with the urgency of securing our data, so that these efforts are strong and unified.

This is one of the things that I was trying to achieve when I created the CIO Support Services Framework in synthesizing the functions of IT Security with the other strategic CIO functions for Enterprise Architecture, IT Investment Management, Project Management, Customer Relationship Management, and Performance Management.

If the Internet can indeed be crashed, we had all better be prepared and make the right IT investment decisions now, so that we won’t be sorry later.

(All opinions are my own)

(Source Photo: Heritage and History.com)

Fixing The Information Flow

So check this out–H2Glow has an LED faucet light that is temperature sensitive and turns blue for cold water and red for hot.

When I saw this, I thought this would be a great metaphor for managing the information flow from our organizations–where we could quickly and simply see whether the information flowing was sharable and for public consumption (“blue”) or whether something was private and proprietary (“red”).

The Economist, 24 February 2011, in an article called “The Leaky Corporation” writes: “Digital information is easy not only to store, but also to leak. Companies must decide what they really need to keep secret, and how best to do so.”

Like a faucet that gushes water, our organizations are releasing information–some with intent (where we are in control) and much without (due to spillage and pilferage).

In the age of WikiLeaks, computer hackers, criminals, terrorists, and hostile nation states, as well as the insider threat, information is leaking out uncontrollably from our organizations and this puts our vital competitive information, national secrets, and personal privacy information at risk (i.e. health, financial, identity, and so on).

Of course, we want the proverbial blue light to go on and information to be shared appropriately for collaboration and transparency, but at the same time, we need to know that the light will turn red and the information will stop, when information is justifiably private and needs to be kept that way.

Being an open and progressive society doesn’t mean that there is only cold water and one color–blue. But rather, that we can discern the difference between cold and hot, blue and red, and turn the faucet on and off, accordingly.

Information is proliferating rapidly, and according to IDC, a market research firm, the “digital universe” is expected to “increase to 35 zettabytes by 2020.”–a zettabyte is 1 trillion gigabytes or the equivalent of 250 billion DVDs.

Therefore, the necessity of filtering all this digitally available information for inside use and outside consumption is going to become more and more critical.

According to The Economist article, we will need to employ the latest techniques and automation tools in:

– Enterprise Content Management–to “keep tabs on digital content, classify it, and define who has access to it.”

– Data Loss Prevention–using “software that sits at the edge of a firm’s network and inspects the outgoing data traffic.”

– Network Forensics–“keep an eye on everything in a corporate network and thus…detect a leaker.”

Of course, as the Cisco chief security officer says: “technology can’t solve the problem, just lower the probability of accidents.”

In the end, we need to make sure people understand the vulnerability and the dangers of sharing the “red” information.

We can focus our employees on protecting the most critical information elements of the organization by using a risk management approach, so that information with the high probability of a leak and with the greatest possible negative impact to the organization is filtered and protected the most.

The leaky faucet is a broken faucet and in this case we are all the plumbers.

Now We All Have Skin In The Game

It used to be that cybersecurity was something we talked about, but took for granted. Now, we’re seeing so many articles and warnings these days about cybersecurity. I think this is more than just hype. We are at a precipice, where cyberspace is essential to each and every one of us.

Here are some recent examples of major reviews in this area:

  • The White House released its 60-day Cyberspace Policy Review on May 29, conducted under the auspices of Melissa Hathaway, the Cybersecurity Chief at the National Security Council; and the report states: “Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century…the nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat.”
  • The Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th President wrote in a December 2008 report: “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration…It is a battle we are losing.”

Cyberspace is becoming a more dangerous place as the attacks against it are growing. Federal Computer Week, June 2009, summarized the threat this way:

“Nation states are stealing terabytes of sensitive military data, including some of the most advanced technology. Cybercrime groups are taking hundreds of millions of dollars from bank accounts and using some of that money to buy weapons that target U.S. soldiers. The attacks are gaining in sophistication and the U.S. defenses are not keeping up.”

Reviewing the possibilities as to why this is happening: Have we dropped our guard or diverted resources or knowhow away from cybersecurity in a tight budgetary environment and now have to course correct? Or, have our adversaries become more threatening and more dangerous to us?

I believe that the answer is neither. While our enemies continue to gain in sophistication, they have always been tenacious against us and our determination has never wavered to overcome those who would threaten our freedoms and nation. So what has happened?

In my view the shift has to do with our realization that technology and cyberspace have become more and more vital to us and underpin everything we do–so that we would be devastated by any serious disruption. As the Cyberspace Policy Review states definitively: “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S economy, civil infrastructure, public safety, and national security.”

We rely on cyberspace in every facet of our lives, and quite honestly, most would be lost without the connectivity, communications, commerce, productivity, and pleasure we derive from it each and every day.

The result is that we now have some serious “skin in the game”. We have something to lose–things that we deeply care about. Thus, we fear for our safety and survival should something bad happen. We think consciously or subconsciously how would we survive without the technology, Internet, and global communications that we have come to depend upon.

Let’s think for a second:

What if cyberspace was taken down or otherwise manipulated or controlled by hostile nation states, terrorists, or criminals?

Would there be a breakdown in our ability to communicate, share information, and learn? Would there be interruptions to daily life activities, disruptions to commerce, finance, medicine and so forth, concerns about physical safety or “accidents”, risks to critical infrastructure, and jeopardy to our ability to effectively protect ourselves and country?

The point here is not to scare, but to awaken to the new realities of cyberspace and technology dependence.

Safeguarding cyberspace isn’t a virtual reality game. Cyberspace has physical reality and implications for all of us if we don’t protect it. Cyberspace is a critical national asset, and we had better start treating it as such if we don’t want our fear to materialize.

Intrusion-Prevention Systems and Enterprise Architecture

Firewalls have traditionally been used to “wall off” the enterprise from computer attack, but now intrusion-prevention systems are augmenting the organization’s defenses.

The Wall Street Journal, 28 January 2008 reports that “intrusion prevention systems promise an even smarter defense” than firewalls.

Firewalls are intended to keep intruders out. However, because certain traffic, such as email, needs to get through, holes or open ports allow in traffic that can carry viruses or malware into the network.

Intrusion-prevention systems work differently—they don’t wall off the enterprise networks like firewalls, but rather like a metal detector, they filter or scan every piece of traffic entering the organization for suspicious activity, and reject any item that is identified as a threat.

According to Wikipedia, “Intrusion prevention systems (IPS)… [are] a considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done.”

Intrusion-prevention systems can be hardware that is physically attached to the network or software that is loaded onto individual computers.

Are intrusion-prevention systems really necessary?

Yes. “According to the Computer Security Institute 2007 Computer Crime and Security Survey, the average annual loss suffered by U.S. companies from computer crime more than doubled last year to $350,424 from $168,000 in 2006. And these reported losses tend to underestimate the number of attacks.”

A Gartner analyst recommends antivirus on PCs and an intrusion-prevention system on the network.

Are there any problems with intrusion-prevention systems?

One of the biggest issues is false positives, which if not adjusted for will block desired incoming traffic. One way to handle this is to use the intrusion-prevention system to “detect threats and flag them,” rather than simply block them altogether. Additionally, the organization can adjust the filters that they may not need. This is the tuning required to ensure performance in terms of network speed and an appropriate level of filtering.
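The firewall/IPS contrast and the detect-versus-block tuning described above, as an added example (not from the original post or any vendor's product). The signature names, byte patterns, open ports, and sample packets are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    dst_port: int
    payload: bytes

# Holes the firewall must leave open so that email and web traffic get through.
OPEN_PORTS = {25, 443}

# Constructed signatures; the second is deliberately too broad, so it
# produces the false positive the post warns about.
SIGNATURES = {
    "demo-malware-marker": b"X-DEMO-MALWARE",
    "overbroad-invoice": b"invoice",
}

def firewall(pkt):
    """Port-based decision: the payload is never examined."""
    return "allow" if pkt.dst_port in OPEN_PORTS else "block"

def ips(pkt, mode="block", disabled=frozenset()):
    """Content-based decision; mode='detect' flags a match instead of dropping it."""
    hits = [name for name, pattern in SIGNATURES.items()
            if name not in disabled and pattern in pkt.payload]
    if not hits:
        return "allow", hits
    return ("block" if mode == "block" else "flag"), hits

def inspect(pkt, mode="block", disabled=frozenset()):
    """Firewall first, then the IPS on whatever the firewall lets through."""
    if firewall(pkt) == "block":
        return "block", ["firewall"]
    return ips(pkt, mode, disabled)

# Constructed traffic: a mail carrying the marker, a legitimate mail, a closed port.
TRAFFIC = [
    Packet(25, b"Subject: hi\r\n\r\nX-DEMO-MALWARE attachment"),
    Packet(25, b"Subject: your invoice for March\r\n\r\nsee attached"),
    Packet(23, b"login:"),
]

if __name__ == "__main__":
    for pkt in TRAFFIC:
        print(pkt.dst_port, firewall(pkt), inspect(pkt),
              inspect(pkt, mode="detect"),
              inspect(pkt, disabled={"overbroad-invoice"}))
```

The second packet is legitimate mail: block mode drops it, detect mode only flags it for review, and disabling the over-broad signature lets it through while the marker signature still stops the first packet.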

If your organization is not using an intrusion-prevention system, this is something your enterprise architecture needs to plan for and implement ASAP.