26 June 2009

Digital Forensics: Right to Question CSI's...

The US Supreme Courts ruling in MELENDEZ-DIAZ v. MASSACHUSETTS will have significant impact on Digital Forensics expert practitioners. Legal cases utilizing the examination of computers and other digital assets containing relevant information will have more testimony by CSI analyst experts. The New York Times report by Adam Liptak says:

Crime laboratory reports may not be used against criminal defendants at trial unless the analysts responsible for creating them give testimony and subject themselves to cross-examination, the Supreme Court ruled Thursday in a 5-to-4 decision.

Noting that 500 employees of the Federal Bureau of Investigation laboratory in Quantico, Va., conduct more than a million scientific tests each year, Justice Kennedy wrote, “The court’s decision means that before any of those million tests reaches a jury, at least one of the laboratory’s analysts must board a plane, find his or her way to an unfamiliar courthouse and sit there waiting to read aloud notes made months ago.”

The outcome of the ruling for the prosecution is that forensic examiners and scientists will be more thoroughly scrutinized in the tests they perform. The process will require more effective documentation and the ability to play back for a jury exactly the process utilized to support any facts of evidence. This will not be difficult as Best Practices today are being utilized such as the video taping of the entire test and examination. Achieving a "Defensible Standard of Care" will however be even more of a priority for Operational Risk Management professionals.

The defendant will have the ability to cross-examine the analyst, whether it was making a determination on what the blood type was of the accused attacker or the date, time, and place that the defendant sent an e-mail from the office computer to a co-conspirator.

In the digital forensics environment, the ruling means that the subject matter experts will simply be spending more time in court and on the witness stand. This will impact the time it takes to conduct the trial yet the rights to examine the process, expertise and documented procedures for the evidence that has been introduced is an important issue.

From an Operational Risk Management point of view, this means that your eDiscovery and Digital Forensics certified examiners will be under the magnifying glass and subject to the questioning by counsel. We see an increased attention related in civil matters coming soon. Several states are asking that the outsourced entities associated with inspection of digital assets be licensed by the state itself, as a Private Investigator. This provision would subject the expert authority to also being legally certified in the knowledge of state laws pertaining to civil procedure, chain of custody and legal procedures on the handling of evidence.

The question remains on whether the Supreme Court Justice's were thinking beyond the test for the presence of a drug, as this case was focused on in MELENDEZ-DIAZ v. MASSACHUSETTS. The defense bar will be utilizing this ruling to go beyond the criminal courts to the civil trials where white collar cases are largely based upon the documents, e-mails and other digital evidence that has been retrieved using forensic procedures.

It will be interesting to see how this ruling impacts the professional licensing, certifications and documentation of examinations for the 21st century Digital Forensic "CSI".

16 June 2009

Proactive Risk Strategy: Transnational Asset Forfeiture...

Effective strategy execution and the application of intelligence to gain increased mission efficiency is the name of the game. The public / private convergence of people, processes, systems and the fusion of relevant international incidents data establishes the playing field. The threats to the very fabric of our economic and security well-being is directly tied to the rule of law, the safety of the environment and the ability for capital to be invested with prudent risk management mechanisms in place.

If any component of this fabric becomes frayed or torn, this vulnerability threatens the overall resiliency of this "Transnational Ecosystem". The homeostasis of the "Transnational Ecosystem" is dependent on the factors associated with it ability to gain new energy, (food, water, power, money) and to continually "Adapt" to it changing environment. The ability to adapt rapidly within this ecosystem will determine who the winners are and also the survivors. So what is a good example of this "Transnational Ecosystem" that we can apply to public / private convergence and Operational Risk Management?

Although pioneered in the USA, there now appears to be a global trend to use stand-alone civil proceedings as a means of recovering the proceeds of crime in the hope that they will be more effective than proceedings that are ancillary to and dependent on a criminal prosecution. Recent examples of jurisdictions that have introduced civil forfeiture legislation include Italy, South Africa, Ireland, the United Kingdom, Fiji, the Canadian Provinces of Ontario, Alberta, Manitoba, Saskatchewan and British Columbia, Australia and its individual States, and Antigua and Barbuda. In addition, the Commonwealth has produced model provisions to serve as a template for jurisdictions that wish to introduce such legislation.

This trend towards civil forfeiture has been prompted by the nature of organized crime. Organized crime heads use their resources to keep themselves distant from the crime that they are controlling and to mask the criminal origin of their assets. For this reason it has become extremely difficult to carry out successful criminal investigations leading to the prosecution and conviction of such individuals, with the result that finances derived from crime are often effectively out of the reach of the law and are available to be used to finance more crime. Such peaceful enjoyment of the proceeds of crime damages public confidence in the rule of law and provides harmful role models. This has led to a recognition that criminal confiscation regimes may be inadequate and ineffective in certain cases.


Traditionally, the use of OPS Risk strategies associated with civil asset forfeiture have their intersection with AML (Anti-Money Laundering) and Terrorist Financing. Moving money on a global basis utilizing the modern day "Hawala" or informal value transfer system requires smart people and sophisticated systems. Putting the person at the right place with the right evidence is the investigators "Holy Grail" yet there are other effective means for increasing that resiliency in the ecosystem.

The financial meltdown and economic crisis has impacted both the "Boy Scouts" and the "Wise Guys" on how to continue to prosper. The use of such tools such as Asset Forfeiture in combination with timely intelligence both Open Source and proprietary can provide the means for another effective Operational Risk strategy in a public / private consortium. The cooperation, coordination and collaboration of banking, hedge funds, broker dealers, insurance companies and private equity firms with federal and state task forces is a growing trend.

The mantra "Need to Know" is quickly being replaced with "A Responsibility to Provide" in the intelligence community and soon to be in the ranks of the financial private sector as it pertains to adapting to the transnational ecosystem. One good example of this momentum can be found in the rapidly growing education and awareness programs focused on this very subject:

Mission Statement

AssetForfeitureWatch.com is the indispensable source of news, information and training for law enforcement professionals and others working in the asset forfeiture field. At AssetForfeitureWatch.com, we understand that turning the proceeds of crime against criminals is one of the most powerful tools law enforcement agencies have for keeping communities safe, eliminating corruption, and crippling cross-border criminal enterprises. In offering training and education, an annual conference, live and Web seminars and an interactive community, AssetForfeitureWatch.com keeps its members on the leading edge of asset forfeiture strategy and practice.


The goal is to utilize the existing international legal framework to improve the resiliency of the "Transnational Ecosystem." Beyond the banking institutions are the governments and countries themselves who must make their decisions about their own business and commerce models. These havens across the globe will continue to exist because they don't have manufacturing capacity, IT outsourcing services or a port for trading and exporting raw materials. Therefore, they will continue to cater to the needs of suspect enterprises, non-state actors and even some rogue nations states.

So what is the lesson here? Reading between the lines. Assets in your portfolio, on your books, in the warehouse or even in your personal possession may soon be the property of a government entity near you.

11 June 2009

4GW: U.S. CyberSpace OPS Risk...

The Washington, DC beltway bandits are buzzing in anticipation of President Obama's selection for the next defender and policy maker for United States CyberSpace. We wonder what branch of the armed forces s/he will be associated with and to what degree they gain the agreement of the power base that CyberSpace is indeed a "Strategic National Asset", once and for all.

Meanwhile, OPS Risk Managers are dealing with transnational non-state actors (in some cases funded by nation states) that are robbing our private sector and government agencies blind. Stealing Personal Identifiable Information (PII), Corporate Intellectual Property, Defense R & D and classified State secrets. The next commander of U.S. CyberSpace has an even bigger job once the job starts; protecting and defending our country's vital Digital Infrastructure. This nexus of criminal, terrorist and irregular warfare is being waged on a 24/7 basis here in the homeland.

So how do you go about fighting this 4th Generation (4GW) war comprised of well organized, decentralized, clandestine subjects operating in the cyber shadows? This begins with creating an effective Information Sharing Environment (ISE), a fusion of who, what, when, how, where and maybe why. Defending the nation against the physical attacks of the likes of Al-Qaida or the virtual attacks from Yingcracker has some very interesting similarities.

If the next Secretary of U.S. CyberSpace is going to take the fight to those who wish to copy, delete, probe, scan, flood, bypass, steal, modify and spoof their way across our Digital Infrastructure, they could learn from this synopsis from Robert Haddick:

Does it take a network to beat a network?

On June 5 United States Joint Forces Command (USJFCOM) wraps up a week-long war game designed to test the Pentagon's vision of warfare in the future. The war game looks ahead to the year 2020 and examines how U.S. and allied military forces -- along with civilian government, non-government, and international institutions -- cope with a failing state, a globally networked terrorist organization, and a peer competitor. The results of the war game are supposed to influence the conclusions of this year's Quadrennial Defense Review, an in-depth review of the Pentagon's strategies.

Officials at USJFCOM won't discuss the results of the war game until at least July; many of the most interesting conclusions may remain classified. But the commander of USJFCOM, General James Mattis of the Marine Corps, described his vision of the future while delivering a speech at the Center for Strategic and International Studies.

Mattis discussed how today's adversaries have adapted to U.S. conventional military superiority by forming disaggregated networks of small irregular teams that hide among indigenous populations. United States military forces, by contrast, have only come under greater central control. According to Mattis, this shift is due to evolutions in intelligence-gathering and communications technologies. Call it the new iron law of military bureaucracies: when commanders gain the technical ability to micromanage, they will micromanage.

Mattis believes that in order to defeat modern decentralized networks, U.S. forces will have to become decentralized themselves. This will entail giving autonomy to and requiring initiative from the youngest junior leaders in the Army and Marine Corps. High-performance small infantry units, "a national imperative" according to Mattis, will need to operate independent from higher control, finding their own solutions to local problems as they implement broader policy guidance.


Whether the troops are fast roping out of helicopters or behind the flat screen detecting and analyzing the stealth cyber attack, the approach to defeating the adversaries is much the same. Infiltrating the "cells" and collecting valuable INTEL on the global enemy is what gives us the "Ground Truth." The commander for U.S. CyberSpace will soon be educated on the private sectors role in achieving this continuous and lofty goal of a creating more decentralized and clandestine citizen soldiers.


As the private sector battles the non-state actors for preservation and protection of valuable customer data, corporations are simultaneously being attacked by adversarial plaintiff lawyers.

U.S. insurer Aetna has been targeted in a lawsuit alleging it failed to protect personal information of employees and job applicants, documents indicate.

The lawsuit comes after Aetna, of Hartford, Conn., was struck by computer hackers to access a company Web site holding personal data for 450,000 current and former employees as well as job applicants, the Hartford Courant reported Wednesday.


The private sector would enjoy having our government involved in more proactive efforts to seek out and stop these criminal and terrorist entities that prey on organizations that remain vulnerable. The Operational Risks associated with litigation in the corporate enterprise are here to stay. If the public and private sector can once and for all coordinate, collaborate and "Share Information", we can disrupt, capture, prosecute and defeat our cyber adversaries.

02 June 2009

Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the context of business gets on the Board of Directors agenda after every tragedy. Whenever the magnitude of the business disruption involves loss of life, or major property damage the executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Let's think about a simple process from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items that have been sold to the customer.

In the context of university higher education, the process of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about your supply chain that provides the necessary resources, energy, infrastructure and people to make it all happen. Does this business issue seem like a trivial matter?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begins. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech University in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her opinions magnify the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news. Just like you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well be more significant as the analysis and the investigation continues.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what when? The litigation is ongoing and some still are seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it gets boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all hazards approach is talked about and is continuously aware of the threats to life and property along with the economic implications of any business disruption? If you have people and property in California the answer is yes. Earthquakes, brush fires and now even the lack of government resources are existing risk factors. If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch then your organization should have heightened situational awareness and crisis management mechanisms already in place. The whole State of Florida, North & South Carolina, Louisiana, Texas and others who know the aftermath of Hurricane Katrina are sensitized to the requirements for effective preparedness.

So what is the difference in an event such as the "Active Shooter" scenario on your campus or the catastrophe sent by "Mother Nature"? The answer is the accuracy in predicting the event itself. All the preparedness for either event starts with the mind set that it will happen. Only one can be prevented, preempted or neutralized before it can cause harm.

Sadly, the Report of the (Virginia Tech) Review Panel to the Governor, issued in August 2007, contained important inaccuracies, despite the panel’s best efforts to get to the truth. University officials, it now appears, may have been less than candid and forthright in their responses to the questions put to them by the panel.