24 March 2013

International Risk: Cyberwarfare Rules of Engagement...

When the financial private sector views the actions of government in terms of regulation and compliance, it is often considered another risk to its operations.  Why?  More rules and the need to report on oversight create new obstacles to other, more valuable revenue-producing activities.  CDOs are an example of a financial product that explains why the government regulation mechanism continues to exist.  Yet the implementation of internal controls, to thwart the embezzlement of funds or the theft of proprietary intellectual secrets, is something that is encouraged and welcomed in the banking community.  This paradox is something that continues to occur in the cyber risk management domain:
Systemic risk as a result of banks' cyber interconnectivity is becoming a key risk for financial institutions, delegates at OpRisk North America in New York heard this week. The transfer of data occurring through this interconnectivity can put many banks at risk in the event of certain types of cyberattack, warned Adrienne Haden, assistant director, operational risk and IT risk policy at the board of governors of the Federal Reserve System. "Some of the key areas of concern for risk management in terms of capital involve information security and cyber security," she told the conference.
The dawn of Internet banking spawned the Operational Risks associated with using public networks for our various banking transactions.  The oversight of cyber risk management in the financial institution is becoming more mature by the day.  Government is more effectively learning how to apply the right oversight to private sector institutions, through the use of International Standards such as ISO 27001 and NIST best practices to protect Critical Infrastructure.

In the last few months, the newest strategies for cyber risk management have been a robust topic of global conversation.  New reports on the origin of state-sponsored hacking and cyber crime data breach incidents have produced some new theories on how to address these international Operational Risks:
Deadly force against organized hackers could be justified under international law, according to a document released Thursday by a panel of legal and cyber warfare experts.  Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I.  Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press.
Even the most knowledgeable cyber experts are at odds over the topic of "Active Defense" and the use of asymmetric cyber force to retaliate against a so-called attack or denial of service.  A kinetic response is much more clear, based upon the source or attribution evidence of the attack.  In the cyber domain, the word "Attribute" has some very interesting ramifications.
Seoul, South Korea (CNN) -- The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim.
The Korea Communications Commission, a South Korean regulator, said that after "detailed analysis," the IP address that was thought to be from China was determined to be an internal IP address from one of the banks that was infected by the malicious code.  It said, though, that "the government has confirmed that the attack was from a foreign land."
The State-of-Play will remain the same, and for good reason.  The governments of the world do not take issue with each other performing reciprocal cyber espionage.  This practice is just a new version of intelligence collection and the next manifestation of Tinker Tailor Soldier Spy.  However, if there should be any visible or kinetic damage to infrastructure, then the Tallinn Manual will be a vital resource for all.  The question remains: what is a cyberattack?  Jim Lewis says:
“Cyberattack” is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions, China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn’t even a crime under international law, and it wouldn’t be in Washington’s interest to make it so.

16 March 2013

Legal Risk: Over-The-Horizon Digital Radar...

Operational Risk Management is a primary responsibility of an organization's General Counsel. Why?
"The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities."
So if you are a General Counsel or the Chief Legal Officer, your radar is consistently tuned to the "Over-The-Horizon" (OTH) risks that may impact your company, right?  The fact is that managing risk from the General Counsel's office may be significantly different from what managing risk means from the CIO's office.

Loss events associated with people's workplace behavior are many times treated differently than those events associated with a computer "intrusion" or a data breach that was also caused by human behavior.  The law is a battleground that continues to keep an entire industry busy with offensive and defensive activities and the transfer of risks from one party to another.

What is the legal risk difference between the diversion of company funds to pay bribes in a foreign country and the theft of company trade secrets?  You see, the laws associated with these loss events have different statutes, penalties and legal risk:
On December 17, 2012, Germany-based insurance and asset management company Allianz SE paid more than $12.4 million to settle with the SEC over violations of the books and records and internal control provisions of the FCPA. The activity in question concerned improper payments to government officials in Indonesia. Following common FCPA procedure, Allianz did not deny or admit the SEC’s inquiry. The company disgorged $5.3 million in profits, paid a penalty of $5.3 million, with $1.8 million in prejudgment interest. 
The SEC stated that it uncovered 295 insurance contracts on government projects that were obtained or kept by improper payments totaling $650,626. The payments were made by Allianz’s Indonesian subsidiary. 
The conduct occurred from 2001 to 2008, at which time Allianz was considered an “issuer” under the FCPA because of its activity on the New York Stock Exchange. Even though it was not listed on the exchange, the presence of its bonds and shares on the market made it an issuer and subjected it to the jurisdiction of the FCPA. The investigation was initiated internally using outside counsel after a whistleblower complaint in 2009.
On December 28, 2012, President Obama signed the Theft of Trade Secrets Clarification Act. S. 3642 (112th). The Clarification Act is a direct response to the Second Circuit’s decision in U.S. v. Aleynikov, 676 F.3d 71 (2nd Cir. 2012). (See details below.) In Aleynikov, the Second Circuit overturned a criminal conviction under the Economic Espionage Act 18 U.S.C. § 1831, et seq., after the court determined that the stolen source code was only used internally for a high-frequency trading system and was not “related to or included in a product that is produced for or placed in interstate or foreign commerce.” The Clarification Act expands Section 1832(a) to cover internal trade secrets “related to a product or service used in or intended for use in” commerce. In addition to the source code at issue in Aleynikov, this expansion could include internal processes of doing business or gathering information that may not qualify for traditional patent protection. More broadly, the quick reaction shows the importance that Congress attaches to this area of the law and puts individuals and companies on notice that increased indictments may occur down the line.
The ethics, compliance and legal components of Operational Risk Management come down to "Achieving a Defensible Standard of Care" in your organization.  The risk exposures that face your organization will also occur from a more immediate impact, due to a loss of reputation and potential loss of market value.  On all fronts, the stakes remain high.

The modern day legal enterprise is still reactive and slow to respond to the changing environment around it.  The daily battle with legal risk is slow, compared with other risk management fronts within the institution.  The speed of response and the focus on preventive, preemptive or proactive actions is what sets apart the mental states of all of your security risk professionals.  Some people have seconds or minutes to decide and act, others have the luxury of days, months and years.

Unfortunately, for most, the costs associated with legal risk are high, no matter who prevails in an incident or case. This fact alone is why the introduction of a new generation of automated tools and the memory of computer-based evidence is so important.  Decision Advantage.  The law and the law industry are quickly playing catch-up.  Practitioners from the technology and legal industries are now even more integrated, while the courts interpret the implications of their rulings on an accelerating mobile digital global society.

You and your team have a tremendous amount of new knowledge to gain, or your enterprise will be consumed by the volume of new Operational Risks unfolding before it.  How complex could this be?

The 1983 movie "WarGames" led to an anti-hacking law with felony penalties aimed at deterring intrusions into NORAD. Over time, it became broad and vague enough to ensnare the late Aaron Swartz.