New York Times disclosure of cyber-attacks should pave way for greater corporate engagement and a critical infrastructure executive order


Seal of the White House Office of Homeland Security, which was formed by executive order on October 8, 2001, and later grew into the United States Department of Homeland Security. (Photo credit: Wikipedia)

With the lead story in the New York Times focused on its own failure to defend from Chinese political computer hacking, there is a renewed concern regarding the vulnerability of domestic computer systems, particularly those that are part of the critical national infrastructure. Homeland Security describes critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”

While the Communications Sector is one of the 18 Sectors identified as part of the critical infrastructure, the focus is on the telecommunications network rather than the content itself. Nonetheless, the continuing attack which lasted over four months raises serious questions regarding the ability of organizations to effectively defend themselves against a serious professional attack.

Among the facts that stood out was the failure of commercial antivirus software. According to the Times, “[o]ver the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.”

The nature of the exposure has also changed. Instead of attacks targeted at firewalls, the campaign is now conducted through phishing: bogus links in innocuous emails that open the firewall to allow installation of “remote access tools,” or RATs.

Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

To meet this threat the Department of Homeland Security established the Office of Infrastructure Protection in 2002. It has its hands full.

This is a complex mission. Critical infrastructure ranges from the nation’s electric power, food and drinking water to its national monuments, telecommunications and transportation systems, chemical facilities, and much more. The vast majority of critical infrastructure in the United States is privately owned and operated; thus, public-private partnerships are essential to protect and boost the resilience of critical infrastructure and respond to events.

The attacks are real. The Washington Post has reported on overseas attacks which target utilities, including one which gained control of a Texas water utility.

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers. … From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities.

Congress flirted with new legislation to update the obligation of companies in the 18 sectors which provide our critical infrastructure but it was ultimately unable to agree on legislative action. In its place, President Obama is expected to issue an executive order which will highlight the obligation to respond to a notice of imminent threat or to update the capacity to respond to a cyber-attack by any organization within one of the sectors which receives a governmental notice.  A possible draft of the order is available here.

While business is reluctant to embrace these new obligations, the acknowledgment by the New York Times of the vulnerability companies face should change the dialogue about the executive order and the need to plan for cyber-defense rather than complain about its costs. After all, the cost of inaction will be much, much higher.

Health Information Omnibus Rule will empower the patient – finally

The U.S. Department of Health and Human Services (HHS) has updated the data privacy and security rules involving electronic health records by finalizing the omnibus rule regarding these increasing protections.

First enacted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and expanded under the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, these rules have created both incentives for health care providers to digitize health records and obligations to protect the data from loss or misuse.

In the 2013 omnibus rule, HHS has moved to increase the individual patient’s interest in the health data system by expanding the patient’s rights regarding their health records.

  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
  • Parents and guardians should find it easier to give permission to share proof of a child’s immunization with a school.
  • Patients must give permission before that individual’s health information is sold under an expanded number of conditions.

Digitization has swept most industries in the fifteen years since HIPAA was first enacted. Nonetheless, the cost of record conversion, concerns over privacy, and competitive issues that incentivize health organizations to avoid cooperation have slowed the transition to electronic health records. The incentives of the HITECH Act and the new rule should continue pushing to complete the conversion.

The HHS press release added this observation:

 “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Full implementation of the new rules will take 12-18 months, providing health care providers time to adjust their processes to meet the new obligations. The 563-page rule can be viewed here. HHS’s announcement of the rule is found here.

When to shred your Facebook page

Two recent cases (both analyzed quite thoughtfully in Eric Goldman’s blog) highlight the importance of anticipating the unintended audiences. These situations are not unique, but they provide stark reminders of why each person should be diligent about social media and its impact.

The first lesson provides a stark reminder that broad complaints lose their context online. As reported in the Matter of the Tenure Hearing of Jennifer O’Brien, State Operated School District of the City of Paterson, Passaic County, 2013 WL 132508 (Jan. 11, 2013), a2452-11, Ms. O’Brien was a tenured, certified elementary school teacher in the Paterson, NJ schools. O’Brien had been assigned as a technology coordinator at School No. 29. The next year she found herself at School No. 21, assigned to teach the first grade, with 23 students, “[a]lmost all [of whom] were six years old. All were either Latino or African-American.” The court reports the posts:

On March 28, 2011, O’Brien posted two statements on Facebook, an internet social-networking site. The first statement was, “I’m not a teacher — I’m a warden for future criminals!” The second statement was, “They had a scared straight program in school — why couldn’t [I] bring [first] graders?”

Perhaps Ms. O’Brien was frustrated at her reassignment; perhaps this was dark humor. It was insensitive, disparaging of these six year olds, and found to constitute conduct unbecoming a teacher. Her defense that six or seven of the students were disciplinary problems or had stolen from her seems a bit non-responsive. Posting to her friends, which numbered above 300, amounted to a broadcast and resulted in her termination. She never should have made such a post. But how does she rectify it? The answer to that leads to the second incident listed on the Goldman blog.

In Allied Concrete v. Lester, 2013 Va. LEXIS 8 (Jan. 10, 2013), Venkat Balasubramani writes of a dispute in which the survivor in a wrongful death action is told by his attorney’s paralegal to “clean up” his Facebook page because he didn’t “want any blow-ups of this stuff at trial.” The Facebook page was subject to discovery, at least in part because the plaintiff sent a Facebook message to an attorney for the defendant. Having failed to exclude the Facebook page, the lawyer was concerned that embarrassing pictures would negatively influence the jury and affect the damage award. He should have been worried that instructing the paralegal to advise the client to destroy documents could lead to sanctions and affect the trial. In this case the sanctions were levied at $542,000 and an additional $180,000 was ordered paid to cover costs of the defendants. (Admittedly, the plaintiff made matters worse by lying about the deletion and evading the discovery requests.)

While sanctions of this size should highlight the need to be cautious about what to post and when to remove the posts, matters involving federal investigations are even riskier. The Sarbanes-Oxley anti-shredding laws extend to any destruction of material related to an ongoing federal investigation. The law is extremely broad:

18 USC § 1519 – Destruction, alteration, or falsification of records in Federal investigations and bankruptcy

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

Although enacted as part of Sarbanes-Oxley, the law does not have any limitations regarding publicly traded companies, corporate fraud – or seemingly any limitations at all. If the eventual investigation includes a federal agency or inquiry, then the knowing destruction of a record constitutes a violation. And records aren’t pressed in vinyl or lacquer. Tweets, posts, photos, and video will all be covered under the statute. A quick collection of examples serves to illustrate the point:

Individuals prosecuted under Section 1519 include: an employee of a private community corrections center, for providing an inmate with a clean urine sample and falsely completing official paperwork regarding the sample, United States v. Jensen, 248 Fed. Appx. 849 (10th Cir. 2007); a woman who destroyed a CD containing child pornography that belonged to her boyfriend after learning that he was under investigation by the FBI, United States v. Wortman, 488 F.3d 752 (7th Cir. 2007); a Pennsylvania state senator, for destroying e-mails pertaining to matters under federal investigation, United States v. Fumo, 2007 U.S. Dist. LEXIS 79454 (E.D. Pa 2007); and an ophthalmologist, for falsifying and creating false medical records in order to defraud Medicare and Medicaid, United States v. Mermelstein, 487 F.Supp.2d 242 (E.D.N.Y. 2007). — Obstruction of Justice under Sarbanes-Oxley: A Broad Reach by Michael G. Considine and Caroline Bersak Hyde

As a result, removals of Facebook pages, Tumblr photographs or other online content could result in a 20-year federal prison sentence if the content is removed after the owner of the account becomes aware that a federal agency is taking an interest in a matter relating to the post. Since the crime is committed if the removal is done pursuant to an indictment, investigation, or “in relation to or contemplation of” such a matter, once a federal inquiry could be triggered, it is potentially too late to remove the content.

The obvious lesson is not to post harmful comments or embarrassing statements. The second best step is to remove harmful content to reduce ongoing embarrassment and damage while preserving the removed content for investigators. After all, nothing in the law requires a person to continue an ongoing harm; the duty is to disclose to investigators and that goal can be accomplished without continuing the public disclosure.

If the situation in Paterson had created interest in pursuing a federal civil rights claim on behalf of the first grade students, then suddenly the question of social media decorum easily escalates to a federal investigation. In such a case, the comments can only be removed if they are fully archived so that there is no spoliation of the evidence. If a teacher in Ms. O’Brien’s position tried to delete the Facebook account to make the situation go away, that teacher could be facing federal prison rather than merely a tenure hearing.

This raises not a lesson but a warning. The overbreadth of these statutes grants far too much prosecutorial discretion and the ability to layer multiple criminal sanctions on, one atop another. Trivial acts may suddenly result in prosecutions for decades of potential jail time. Strong laws require predictable outcomes and equal treatment. Selective enforcement of overly broad provisions achieves no social goals.

The final lesson is for employers to develop, enforce and train their staff members on the importance of both social media policies and document retention policies. Companies face challenges enforcing either policy, but when they come in conflict, employees and their supervisors can land in jail. Maybe the best time to shred that social media account is right this minute – unless, of course, there is any federal interest in investigating the content.

Remote Proctoring for the MOOC – an opening for the next wave in privacy excess

For those who herald such things, 2012 was the year of the MOOC – massive open online courses. Most MOOC courses are free, though some providers are attempting to monetize the offerings. The Chronicle of Higher Education reports that Coursera, the leading provider, has exceeded one million students while Udacity is nearing that mark.

The MOOC movement represents a highly disruptive innovation in education. Content is provided for free (or low cost) to the public on a massive scale. While some courses are little more than correspondence programs, others are highly interactive – with student projects, effective feedback, and measurable learning outcomes.

Successful educational institutions will still sell the academic degrees as well as the more intimate experiential learning opportunities. Other universities, struggling financially, tend to see MOOCs as threats to revenue while other critics raise concerns about rigor and engagement.

Ironically, the open access for the MOOC raises concerns about the reliability of the authentication of the test taker. If the certification is valuable, then perhaps one can hire a stand-in to take the course and pass the exam. According to the Washington Post, “security measures suggest that people sometimes cheat in MOOCs, even when there are no course credits or money at stake.”

To expand its business model and improve the reliability of MOOC participation, Coursera has launched a “pilot project to check the identities of its students and offer “verified certificates” of completion, for a fee. A key part of that validation process will involve what Coursera officials call “keystroke biometrics”—analyzing each user’s pattern and rhythm of typing to serve as a kind of fingerprint.”

Keystroke biometrics are recognized for distinguishing between automated computer responses and human responses, so they are quite useful for separating human users from computer bots. They are less commonly used as an identity credential.

The keystroke biometrics are just part of the Coursera approach. It will also use photographs of the student’s ID and of the student taken from the computer to be compared by hand.

The most common way for online courses to be verified is for the student to take the exam at a test center. Such facilities exist throughout the country and sometimes universities offer this service to each other as an accommodation for traveling students.

Using ineffective technologies will make a joke out of the credibility for MOOC certification. While the risk of being caught will deter some potential cheaters, it will incentivize others to work around the weak protections and harm the credibility of these programs.

Inevitably, the next step in student monitoring will be to remotely capture photos, video or audio of the students engaged while in the course. Products that remotely control onsite computers, such as Apple Remote Desktop, LanSchool, and Net Orbit, can be adapted to the student’s home computer. In 2010, for example, a Philadelphia high school was sued for spying on its students without any prior notification.

Perhaps the use of live biometric voice recognition would improve the reliability and avoid the risk that the system could capture data surreptitiously, but such steps should be taken with caution.

Until the MOOC certificate is part of a college transcript, there is no reason to worry about verification. Schools offering college credit for these courses should extend their academic standards and honor codes to the courses.

Any monitoring of online students should be done in a manner that requires the student to log into the system and complete verification steps. It should not allow the system to reach into the student’s computer or turn on monitoring devices – including keystroke monitors, microphones or cameras. Any system that allows the school to choose when to monitor the student is likely to become intrusive and to let the school glean inappropriate information.

There are many effective ways to verify the work of students – computer monitoring should not be one of them.

Netflix Wins Congressional Protection to go Social in US under New Law

An amendment to the 1988 Video Privacy Protection Act gives videotape services the ability to let their customers opt in to sharing of their video rental and viewing data. Under the new legislation, companies such as Netflix, Hulu, and Crackle will be able to let their users share what they have been watching through their social media services.

President Obama is expected to sign the bill into law this week.

Video companies will use the new law to encourage their users to post what they are watching to their friends and family – encouraging greater viewership on that platform. Netflix already provides this option on its European platform, but concerns over the reach of the Video Privacy Protection Act limited the company’s use of social media in the U.S.

Earlier this year, Hulu lost a claim in which it argued the Video Privacy Protection Act did not extend to online content suppliers. The California District Court hearing the case disagreed, stating “a plain reading of a statute that covers videotapes and “similar audio visual materials” is about the video content, not about how that content was delivered (e.g. via the Internet or a bricks-and-mortar store).” The decision to allow the class action against Hulu to proceed (and a settlement by Netflix in a similar situation) set the stage for legislative action.

The law was originally enacted in response to the disclosure of Supreme Court Nominee Robert Bork’s videotape records. The law extended similar protections for library records. (The American Library Association reports that 48 of the 50 states have such statutes.) In addition to the federal law, many states also have laws protecting rental and viewership records, so compliance at the state level may somewhat deter the roll-out of the automated “frictionless sharing” of viewership data.

At the heart of the privacy rules stands a constitutional assertion that free speech often starts with unmonitored access to information. The freedom to read divergent, controversial, or even antisocial and seditious materials is essential to develop an open, robust and unfettered political debate. To punish a person merely for accessing controversial content will ultimately stifle expression, creating a far greater evil than the content being discouraged.

Perhaps because this form of privacy is rooted in First Amendment protections, it was the one privacy rule in which U.S. residents had greater legal protections than their European counterparts.

The law provides consumers the ability to withdraw consent at any time. Nonetheless, expect to see a great many status updates about your acquaintances’ viewing habits by the end of the year. Opting out of those might not be as easy.