New York Times disclosure of cyber-attacks should pave the way for greater corporate engagement and a critical infrastructure executive order

Seal of the White House Office of Homeland Security, which was formed by executive order on October 8, 2001 (http://www.whitehouse.gov/news/releases/2001/10/20011008-2.html), and later grew into the United States Department of Homeland Security. (Photo credit: Wikipedia)

With the lead story in the New York Times focused on its own failure to defend itself against politically motivated Chinese computer hacking, there is renewed concern regarding the vulnerability of domestic computer systems, particularly those that are part of the critical national infrastructure. The Department of Homeland Security describes critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”

While the Communications Sector is one of the 18 sectors identified as part of the critical infrastructure, the focus there is on the telecommunications network rather than on the content carried over it. Nonetheless, the attack on the Times, which continued for over four months, raises serious questions regarding the ability of organizations to defend themselves effectively against a sustained, professional attack.

Among the facts that stood out was the failure of commercial antivirus software. According to the Times, “[o]ver the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.”

The nature of the exposure has also changed. Instead of attacks aimed at the firewall, the campaign is now conducted through phishing: bogus links or attachments in innocuous-looking emails that, once a user opens them, bypass the perimeter from the inside by installing “remote access tools,” or RATs.

Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”
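The practical lesson of the passage above is that once the phishing email is opened, the perimeter has already failed; what remains detectable is the RAT’s traffic back to the attackers’ web servers. The following is an added example, not code from the Times, Mandiant or Symantec, showing two egress-log heuristics a defender can run over web proxy records: a callback that fires on a timer produces outbound connections with unusually regular spacing, and bulk exfiltration produces an unusually large volume of bytes sent to one host. The log format (timestamp, client IP, destination host, bytes sent), the hostnames, and the sample lines are all constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
# Added example: beaconing and bulk-upload heuristics over constructed
# egress (web proxy) log lines. Not the Times' or Mandiant's code; the log
# format, hostnames, sample data and thresholds are assumptions for the example.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <client ip> <destination host> <bytes sent>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<bytes_out>\d+)$")

# Constructed sample: one host browsing normally, one 5-minute callback to
# c2.example.net with slight jitter, and a single 50 MiB upload to files.example.org.
SAMPLE_LOG = """\
2013-01-31T09:00:00 10.0.0.15 c2.example.net 412
2013-01-31T09:01:10 10.0.0.15 www.example.com 1320
2013-01-31T09:01:12 10.0.0.15 www.example.com 880
2013-01-31T09:02:30 10.0.0.22 www.example.com 640
2013-01-31T09:03:40 10.0.0.15 www.example.com 1510
2013-01-31T09:05:02 10.0.0.15 c2.example.net 415
2013-01-31T09:09:59 10.0.0.15 c2.example.net 409
2013-01-31T09:12:00 10.0.0.15 files.example.org 52428800
2013-01-31T09:15:01 10.0.0.15 c2.example.net 418
2013-01-31T09:17:05 10.0.0.15 www.example.com 990
2013-01-31T09:17:06 10.0.0.15 www.example.com 1210
2013-01-31T09:20:00 10.0.0.15 c2.example.net 411
2013-01-31T09:21:15 10.0.0.22 www.example.com 700
2013-01-31T09:24:58 10.0.0.15 c2.example.net 414
2013-01-31T09:28:30 10.0.0.15 www.example.com 1430
2013-01-31T09:30:01 10.0.0.15 c2.example.net 410
2013-01-31T09:33:00 10.0.0.22 www.example.com 655
"""


def parse(lines):
    """Parse log lines into (datetime, src, host, bytes_out) tuples; skip malformed lines."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        records.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                        m["src"], m["host"], int(m["bytes_out"])))
    return records


def _by_pair(records):
    """Group (timestamp, bytes_out) events by (client, destination host)."""
    groups = defaultdict(list)
    for ts, src, host, bytes_out in records:
        groups[(src, host)].append((ts, bytes_out))
    return groups


def find_beacons(records, min_hits=6, max_cv=0.2):
    """Flag (src, host) pairs contacted at near-regular intervals.

    A RAT checking in on a timer produces inter-request gaps with a small
    coefficient of variation (stdev / mean); human browsing does not.
    """
    flagged = []
    for (src, host), events in _by_pair(records).items():
        if len(events) < min_hits:
            continue
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.mean(gaps)
        if mean <= 0:  # identical timestamps; nothing periodic to measure
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            flagged.append({"src": src, "host": host, "hits": len(events),
                            "mean_interval": mean, "cv": cv})
    return sorted(flagged, key=lambda h: h["cv"])


def find_bulk_uploads(records, threshold=20 * 1024 * 1024):
    """Flag (src, host, total_bytes) where total bytes sent to one host exceed threshold."""
    totals = {pair: sum(b for _, b in ev) for pair, ev in _by_pair(records).items()}
    return sorted((src, host, total)
                  for (src, host), total in totals.items() if total > threshold)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    for b in find_beacons(recs):
        print(f"beacon  {b['src']} -> {b['host']}: {b['hits']} hits, "
              f"every ~{b['mean_interval']:.0f}s (cv={b['cv']:.3f})")
    for src, host, total in find_bulk_uploads(recs):
        print(f"upload  {src} -> {host}: {total} bytes")
```

On the constructed sample, only the 10.0.0.15 to c2.example.net pair is reported as a beacon (seven hits roughly 300 seconds apart) and only the 50 MiB transfer to files.example.org as a bulk upload; the irregular browsing to www.example.com is not flagged. Two caveats apply in practice: software updaters and monitoring agents also poll on timers, so an allow-list of known periodic destinations is needed to keep the alert volume down, and an attacker who randomizes the callback interval defeats the coefficient-of-variation test, which is why the byte-volume check and other signals are run alongside it rather than relying on any one heuristic.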

To meet threats to critical infrastructure, the Department of Homeland Security established the Office of Infrastructure Protection in 2002. It has its hands full.

This is a complex mission. Critical infrastructure ranges from the nation’s electric power, food and drinking water to its national monuments, telecommunications and transportation systems, chemical facilities, and much more. The vast majority of critical infrastructure in the United States is privately owned and operated; thus, public-private partnerships are essential to protect and boost the resilience of critical infrastructure and respond to events.

The attacks are real. The Washington Post has reported on overseas attacks that target utilities, including one that gained control of a Texas water utility.

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers. … From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities.

Congress flirted with new legislation to update the obligations of companies in the 18 sectors that provide our critical infrastructure, but it was ultimately unable to agree on legislative action. In its place, President Obama is expected to issue an executive order that will highlight the obligation of any organization within one of the sectors, upon receiving a governmental notice, to respond to a notice of imminent threat or to update its capacity to respond to a cyber-attack. A possible draft of the order is available here.

While business is reluctant to embrace these new obligations, the acknowledgment by the New York Times of the vulnerability companies face should change the dialogue about the executive order and the need to plan for cyber-defense rather than complain about its costs. After all, the cost of inaction will be much, much higher.

IP for Creative Upstarts papers available for conference on Nov. 9-10, 2012

Presented by Michigan State University College of Law

Intellectual Property, Information & Communications Law Program

Co-sponsored by

       NKU Chase College of Law, Law + Informatics Institute

Copyright Alliance

This conference considers how law and policy can nurture diverse creative industries—”Creative Upstarts”—in the U.S. and abroad. “Creative Upstarts” encompass a range of commercial enterprises from independent artists and producers in developed countries to emerging content industries such as Nigeria’s “Nollywood,” Jamaican dancehall, Brazilian tecnobrega music, and Chinese digital publishing. Their interests have been overlooked in recent debates on intellectual property and information policy. This conference seeks to remedy that gap. Read More


Contact Information

Professor Sean Pager

spager@law.msu.edu

Fourth Circuit Joins Ninth in Limiting CFAA – Setting Stage for More Action

In 1986, Congress amended its earlier attempt to combat computer crime with the Computer Fraud and Abuse Act of 1986. It was further expanded in 2001 under the USA Patriot Act. The CFAA serves as both a criminal and a civil statute: it carries strong criminal penalties for unauthorized entry into computer systems and provides an express private cause of action, enabling injured parties to sue intruders using the federal law as the basis for their claims.

The most controversial aspect of the CFAA has been the meaning of unauthorized access. Among the violations, Congress has made it a crime to “intentionally access[] a computer without authorization or exceed[] authorized access….” The statute provides some additional guidance. The term “exceeds authorized access” has its own definition: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). So it seems fairly clear that using one’s password to acquire documents one has no right to read is a violation of the statute.

But data theft is more nuanced than this. What about downloading documents when the person downloading has authority to use the material, but then uses that material in an unauthorized manner? Put another way, if an employee is fired and then takes the files she has had at home to her next employer, it is unlikely a CFAA claim can be made. Conversely, if she returns to work the day after being fired and downloads all the company documents, she has certainly violated the CFAA, since her termination ended her authorized access to the computer. But what about the situation in which one downloads the documents intending trade secret theft prior to being fired or quitting the company?

The Fourth Circuit faced this situation in a recent opinion, WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012).

The court explained the split of authority interpreting the statute:

In short, two schools of thought exist. The first, promulgated by the Seventh Circuit … holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. Thus, for example, the Seventh Circuit held [in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)] that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. It reasoned that his “breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

The second, articulated by the Ninth Circuit … interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. Thus, in [United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc)] the Ninth Circuit, sitting en banc, held that the defendant’s coconspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.

The Fourth Circuit opinion attempts to make sense of the language with a simple, plain language approach. “Congress has not clearly criminalized obtaining or altering information ‘in a manner’ that is not authorized,” the court explained. “Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter.”

This separates the Fourth Circuit from the Seventh Circuit and even distinguishes it somewhat from other courts. Employees who hack into their employers’ computer systems to steal data, or who use the username and password of other employees to gain greater access to computer systems, remain liable under the CFAA. But those who take electronic files home to work on them at night without express permission are beyond the scope of the CFAA. Similarly, disgruntled employees who steal electronic files while on the job may be violating their terms of employment, company policies, and state laws, but they are not violating the CFAA in the Fourth Circuit.

Because the interpretation of a federal criminal statute should not turn on the language of an employee handbook, this is the better result. Companies can still protect themselves by limiting access to sensitive information. Other laws address theft of trade secrets, and other torts provide remedies for breach of fiduciary duties. On the other hand, the distinction between the circuits need not be as stark as it appears. An employee who erases all company data before returning equipment has likely exceeded the authority to alter the data. That result is consistent with the outcome in WEC, and a court can still reach such misconduct under the cleaner interpretation of the Fourth Circuit.

While it remains to be seen whether the Fourth Circuit opinion invites Supreme Court review, it may be sufficiently well reasoned to invite other circuits to reconsider interpretations of the statute that go beyond the language Congress enacted.

LII Presents Ethics in Informatics Program on proposed changes to ABA guidelines and SEC Technology Guidance

Information and registration for our next event is now available.

Ethics in Informatics:

Changing Ethics Rules and New SEC Guidance Redefine the Competency of the Lawyer

featuring

Dean Dennis R. Honabach, Chair of the ABA’s Standing Committee on Professionalism

Professor Jon M. Garon, Director of the NKU Chase Law & Informatics Institute

Friday, May 4, 2012

Cincinnati, Ohio

The practice of law has largely gone digital in the past decade.  In response, the American Bar Association’s Commission on Ethics 20/20 is examining technology’s impact on the legal profession.  It has proposed a revision to the Model Rules of Professional Conduct that extends the duty of confidentiality to data privacy, security and reliability by making explicit an affirmative duty to prevent “the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.”  Not to be outdone, the Division of Corporation Finance of the Securities and Exchange Commission has taken steps of its own to require greater awareness, disclosure and reporting of issues relating to technological knowledge held by a company – including its lawyers.

This program provides attendees guidance on three key areas:

  • The existing and proposed ethical rules regarding technologically mediated client confidentiality;
  • The lawyer’s role in assisting clients meet their affirmative duties of disclosure; and
  • The lawyer’s duties regarding social media and cloud computing in the context of client communications, ex parte communications, and interactions with the judiciary in social media and cyberspace.
Date: Friday, May 4, 2012
Time: 7:30 a.m. to 9:35 a.m.
Continental Breakfast will be served from 7:30 a.m. to 8:00 a.m.
Location: Wood, Herron & Evans, Floor 36, 441 Vine Street, Cincinnati, OH 45202
Registration fee: $99.00 for general public and $89.00 for alumni
CLE credits: 1.5 Ethics CLE in Ohio & KY
For more information: www.lawandinformatics.org/breakfastseries
Online registration: Register online
Fax Registration: Download a fax registration form
Call in registration: (859) 572-7853 to reach Admin. Dir. Lindsey Jaeger

Dean Dennis R. Honabach is the co-author of D&O Liability Handbook and the Proxy Rules Handbook. He has published law review articles on topics ranging from managerial liability and Enron to toxic torts and legal education. Dean Honabach is the chair of the ABA’s Standing Committee on Professionalism, the co-chair of the Business Law Education Committee of the ABA’s Business Law Section and a member of the Misconduct and Irregularities Subcommittee of the LSAC.

Jon M. Garon is an attorney and professor of informatics, entertainment, intellectual property and business law. He has extensive practice experience in the areas of entertainment law (including film, music, theatre and publishing), data privacy and security, business planning, copyright, trademark, and software licensing.

“Ethics in Informatics” is the first presentation in the Law & Informatics Breakfast Series, which will address various topics on privacy, data security, social media and ethics. These programs will be hosted in downtown Cincinnati. We are very grateful to the law firms of Wood Herron & Evans LLP, Frost Brown Todd LLC, Baker & Hostetler LLP and Dinsmore & Shohl LLP for their support as hosts for this coming year’s program.


Two days until NKU Law Review Symposium on Law & Informatics

The Northern Kentucky Law Review will host the inaugural Law & Informatics Symposium on March 1-2, 2012, presented in association with the NKU Chase Law & Informatics Institute. Offering cutting-edge presentations and 10.5 hours of CLE, the symposium is sure to provide an important addition to the growing understanding of the intersection between law and information systems around the globe.

Limited seating is still available. See https://supportnku.nku.edu/ChaseLII for details.

Your registration fee includes the general and special sessions, breakfast and lunch, as well as all published materials.

This two-day conference will gather academics, lawyers, and industry leaders from throughout the United States, Europe, and Asia to focus on cutting-edge issues involving data privacy, cyber-security, international trade, and internet regulation.

The first day’s topics will include criminal justice and the media, antitrust, HIPAA/HITECH Act compliance, GLBA reporting, social media marketing, and international internet regulations. The second day will include international cyber-crime, cross-border transactions, international publicity, cyber currency, privacy legislation, and many related topics.

The Symposium is an opportunity for academics, practitioners, and students to exchange ideas and explore emerging issues in informatics law, disruptive innovation, and the increasingly interconnected information environment. The agenda is available online at http://chaseinformatics.org/symposium/.

Speakers:

  • P.J. Blount, National Center for Remote Sensing, Air, and Space Law, University of Mississippi School of Law
  • Galina Borisevich, Perm State University, Russian Federation
  • Eric Chaffee, University of Dayton School of Law
  • Natalya Chernyadyeva, Perm State University, Russian Federation
  • Jorge Contreras, American University Washington College of Law
  • Evelina Frolovich, Perm State University, Russian Federation
  • Vaibhav Garg, Indiana University School of Informatics and Computing
  • Anne Gilliland, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • David Harris, Harvard Law School Charles Hamilton Houston Institute for Race and Justice
  • Henry Judy, K&L Gates
  • Kalyan C. Kankanala, Brain League IP Services Ltd. (India)
  • Deborah Keeling, University of Louisville College of Justice Administration
  • Michael Losavio, University of Louisville College of Justice Administration
  • Rachel Lyon, Northern Kentucky University College of Informatics
  • Jasmine McNealy, Syracuse University S.I. Newhouse School of Public Communication
  • Mark McPhail, University of Wisconsin-Whitewater College of Arts and Communication
  • Svetlana Polyaskya, Perm State University, Russian Federation
  • David Satola, The World Bank
  • Susan Stephan, Kretsch & Gust PLLC
  • Lauren Solberg, Meharry Medical College
  • Judith Wiener, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • Peter Yu, Drake University School of Law

For details, registration, and additional restrictions please see http://chaseinformatics.org/symposium/ or call 859.572.7577.

General Pricing: $395  – Same Day Rush: $200

Alumni Pricing: $295   – Same Day Rush: $200

Academics & Students not affiliated with NKU: $50 – Same Day Rush: $10

Cybersecurity Act of 2012 Puts Focus on the Shadow Wars

On February 14, 2012, a 205-page comprehensive new Cybersecurity Act of 2012 was introduced in the Senate to address the growing concerns about cyber-warfare, cybersecurity, and cyber-terrorism. The bipartisan Cybersecurity Act of 2012 is co-sponsored by Senators Joe Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Cal.) to address the potential gaps in the critical U.S. infrastructure. As defined in the USA Patriot Act,

[T]he term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The proposed law expands on the USA Patriot Act and existing presidential directives to provide sector-by-sector assessment, standards and regulations to improve these assets. Presently, the DHS provides utterly circular guidance on the existing directives. Hopefully, the new proposal will at least increase the awareness within these sectors for comprehensive security.

The proposed legislation defines ‘‘cyber risk’’ as “any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.” The information infrastructure is the privately owned communications systems located in the U.S., presumably including everything from telephones and cable to Facebook and Google.

Howard Waltzman suggests that a critical infrastructure system or asset may be deemed “covered” only if damage or unauthorized access to the infrastructure could lead to:

  • The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
  • Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
  • Severe degradation of national security capabilities.

Ninety days following the passing of the legislation, a sector-by-sector review of the critical infrastructure will provide a prioritized list of the most at-risk systems.

There are significant exemptions in the law to protect private vendors (perhaps security software companies, search engine providers, and social media networks) so that particular products cannot be singled out. Similarly, there is a weak attempt to provide free speech protections to the system and to protect technologies based solely on their ability to be used in critical infrastructure.

The timing of the legislation is particularly interesting in light of the recent cyber attack in Israel by a Saudi Arabian hacker and retaliatory credit card hacking by an Israeli against the Saudi banks.  Attacks against Google and US defense contractors allegedly by Chinese sponsored hackers raised similar concerns.

Moreover, a stealth war with Iran appears to be heating up, including the assassinations of government scientists and public officials, increased sponsorship of terrorism targeting soft targets, and heightened war rhetoric.

As with SOPA and the PROTECT IP Act, the critical issue will be whether legislators focus on the primary risks rather than on political maneuvering to prove who is toughest on the perceived threat. The costs of upgrading critical infrastructure will likely be immense; the complexity will be monumental; and the challenges significant. Where our nation is at risk, these steps must be taken. But the process must include some caution and common sense so that it is moderated and proportional to the outstanding threats.

NKU Law & Informatics Symposium Tickets Now Available

Northern Kentucky Law Review – Law & Informatics Symposium

Presented in association with the NKU Chase Law & Informatics Institute

10.5 hours of CLE (anticipated)

Registration is now available for the Northern Kentucky Law Review – Law & Informatics Symposium presented in association with the NKU Chase Law & Informatics Institute. https://supportnku.nku.edu/ChaseLII

Your registration fee includes the general and special sessions, breakfast and lunch, as well as all published materials.

This two-day conference will gather academics, lawyers, and industry leaders from throughout the United States, Europe, and Asia to focus on cutting-edge issues involving data privacy, cyber-security, international trade, and internet regulation.

The first day’s topics will include criminal justice and the media, antitrust, HIPAA/HITECH Act compliance, GLBA reporting, social media marketing, and international internet regulations. The second day will include international cyber-crime, cross-border transactions, international publicity, cyber currency, privacy legislation, and many related topics.

The Symposium is an opportunity for academics, practitioners, and students to exchange ideas and explore emerging issues in informatics law, disruptive innovation, and the increasingly interconnected information environment. The agenda is available online at http://chaseinformatics.org/symposium/.

Speakers:

  • P.J. Blount, National Center for Remote Sensing, Air, and Space Law, University of Mississippi School of Law
  • Galina Borisevich, Perm State University, Russian Federation
  • Eric Chaffee, University of Dayton School of Law
  • Natalya Chernyadyeva, Perm State University, Russian Federation
  • Jorge Contreras, American University Washington College of Law
  • Edward Fore, Barry University Andreas School of Law
  • Evelina Frolovich, Perm State University, Russian Federation
  • Vaibhav Garg, Indiana University School of Informatics and Computing
  • Anne Gilliland, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • F. Enrique Guerra-Pujol, Barry University Andreas School of Law
  • David Harris, Harvard Law School Charles Hamilton Houston Institute for Race and Justice
  • Henry Judy, K&L Gates
  • Kalyan C. Kankanala, Brain League IP Services Ltd. (India)
  • Deborah Keeling, University of Louisville College of Justice Administration
  • Michael Losavio, University of Louisville College of Justice Administration
  • Rachel Lyon, Northern Kentucky University College of Informatics
  • Jasmine McNealy, Syracuse University S.I. Newhouse School of Public Communication
  • Mark McPhail, University of Wisconsin-Whitewater College of Arts and Communication
  • Svetlana Polyaskya, Perm State University, Russian Federation
  • David Satola, The World Bank
  • Susan Stephan, Kretsch & Gust PLLC
  • Lauren Solberg, Meharry Medical College
  • Judith Wiener, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • Peter Yu, Drake University School of Law

Advance registration is strongly encouraged. Seating is limited. Individuals registering on a walk-in basis will be limited to available seating. Registration will not be accepted once the event is sold out.

For details, registration, and additional restrictions please see http://chaseinformatics.org/symposium/ or call 859.572.7577.