Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

 The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as they apply to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications on various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement

 

Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability

 

Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013, which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

Beyond Google’s Looking Glass – The Internet of Things is Already Here

Perhaps triggered by the New York Times coverage of Google Glass, the FTC announced both a call for submissions and a workshop related to the Internet of Things and its implications for privacy, fair trade practice, and the security of both data and people. The FTC announcement highlights both the benefits and risks of device connectivity.

Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, healthcare providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.  The devices can provide important benefits to consumers:  they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable, pose privacy and security risks.

The issue is not new. The ITU released a 2005 study discussing the implications of the Internet of Things. The ITU described a near, technological future in which “industrial products and everyday objects will take on smart characteristics and capabilities. … Such developments will turn the merely static objects of today into newly dynamic things, embedding intelligence in our environment, and stimulating the creation of innovative products and entirely new services.”

I have previously described some of these concerns in an article, Mortgaging the Meme.[1]

In each of these situations, an automated and consumer-defined relationship will replace the pre-existing activities. In many situations, this will create efficiency and convenience for the consumer, but it will also reduce the opportunities for human interaction and subtly rewrite the engagement between customer and company. Those that understand this change will adjust their technologies to improve the service and increase the customer’s reliance on its systems. Companies that do not understand how this engagement will occur, risk alienating customers and losing markets quickly.

Beyond consumer interactions, other uses may arise. Ethical and privacy concerns regarding misuse tend to focus on government, business and organized crime. These include unwarranted surveillance, profiling, behavioral advertising and target pricing campaigns. As a result, as companies increasingly rely on these tools, they also bear a responsibility to do so in a socially positive manner that increases the public’s estimation of the company.

Timing for the FTC submissions and workshop is overdue. Reading the New York Times quote regarding app developers, there is a sense that, unlike technology giants such as Microsoft and Google, the developers are thinking more about the technology’s potential than its potential impact. One such example from the Times: “‘You don’t carry your laptop in the bathroom, but with Glass, you’re wearing it,’ said Chad Sahlhoff, a freelance software developer in San Francisco. ‘That’s a funny issue we haven’t dealt with as software developers.’”

Many fields will benefit from increased device connectivity. Just a few:

  • Public transportation systems designed around real-time usage and traffic patterns.
  • Prescription monitoring to help patients take the right medications at the correct time.
  • Fresher, healthier produce.
  • Protection of pets and children.
  • Social connectivity, with photo-tagging and group-meeting moving into the real world.
  • Interactive games played on a real-world landscape.

There are also law enforcement uses that must be carefully considered. After the Boston Marathon attack, for example, calls for public surveillance will undoubtedly increase, including calls for adding seismic devices and real-time echo-location. Gunshots, explosions, and even loud arguments could become self-reporting.

Common household products sometimes become deadly in large quantities. RFID technology could be used to monitor quantity concentration of potentially lethal materials and provide that data to the authorities.

The consumer use, public use, and law enforcement use must be thoughtfully reviewed to balance the benefits of the technology with the intrusions into privacy and the legacy of retrievable information that such technology creates.

FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. The workshop will be held on November 21st. These are the questions posed by the FTC thus far:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data?  For example, how can companies implement security patching for smart devices?  What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve healthcare decision making or to promote energy efficiency?
  • Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

While the FTC has asked some good questions, they are only the beginning. Please submit your thoughts and join the FTC conversation.


[1] Jon M. Garon, Mortgaging the Meme: Financing and Managing Disruptive Innovation, 10 NW. J. TECH. & INTELL. PROP. 441 (2012).

The Blackberry Effect

For the past four days, riots in Britain have shaken the country. Reports emphasize that the RIM Blackberry is the technology preferred for the spread of information regarding the attacks.

According to the NPR Marketplace Tech report, the Guardian originally was “monitoring chat about the riots on Blackberry’s BBM messaging service and posting newsworthy posts that it sees. But the paper now says it’s going to stop publishing messages that anticipate violence.”

The riots have created a number of legal challenges. RIM may be called on to retain the information being communicated on its servers. Some analysts are musing over RIM’s ability to voluntarily provide this data to governmental officials, but such voluntary action is not likely under E.U. privacy directives. Government compulsion is another matter. RIM may find itself obligated to provide the data.

But RIM is not alone. The controversial Google face recognition software — and similar technologies privately available — may be used to identify the rioters for later prosecution. Similar questions have arisen in Vancouver after the looting that followed Game Seven of the Stanley Cup Finals.

TechCrunch has reported on a recently launched Google Group, “London Riots Facial Recognition.” “The group’s goal is to use facial recognition technologies to identify the looters who appear in online photos.” Others are using Facebook tools to farm similar information.

The riots and the public response put notions of privacy to a new test. Some of these tools are owned by governmental agencies. Others, however, are part of the social media environment and are being used by private citizens. The riots represent senseless violence, and most of it appears divorced from any political action. Still, the notion that one’s public photographs can be used by fellow citizens to inform the police of criminal activity carries echoes of more insidious government enforcement.

Together, messaging data and facial recognition software may change the relationship between police and criminals. So long as this doesn’t change the relationship between the public and the state, that might be reasonable. But the difference may beg the question.