Commission report warns U.S. is losing the spy race for lack of R&D and STEM education

On Nov. 5, 2013, the National Commission for the Review of the Research and Development Programs of the United States Intelligence Community released an unclassified version of its assessment of U.S. intelligence R&D programs, finding that those programs are falling behind and are highly uncoordinated. [The report can be found here.]

The Commission that conducted the review was originally constituted alongside the 9/11 Commission (properly, the National Commission on Terrorist Attacks Upon the United States). In 2010, the Commission was reauthorized with a broader mandate to assess Intelligence Community readiness.

The New York Times described the report as “blistering … charging that the intelligence world’s research-and-development efforts are disorganized and unfocused.”

The Commission said the lack of investment, coordination, infrastructure and foresight is putting the nation at risk.

U.S. technological superiority is diminishing in important areas, and our adversaries’ investments in [Science and Technology]—along with their theft of our intellectual property, made possible in part by insufficient cyber protection and policies—are giving them new, asymmetric advantages. The United States faces increasing risk from threats against which the IC could have severely limited warning, deterrence, or agility to develop effective countermeasures.

The report is not primarily a report about intelligence collection. The Commission was not focused on the failures associated with the NSA's massive, and in some cases unconstitutional, spying campaign, nor was it tied to the Edward Snowden disclosures and the global embarrassment those disclosures triggered.

Instead, the report identifies the need to treat intelligence as a global issue that needs broad reforms, such as STEM education and immigration/workforce reform. It identifies a wide range of concerns about the lack of investment in intelligence and the failure to be prepared.

The report calls for much greater investment in data analytics, which will likely be the platform the NSA uses to justify its ongoing activities. Even a pro-intelligence report such as this, however, identifies the need for intelligent data analytics rather than the massive, undifferentiated and largely counterproductive collection highlighted by the NSA disclosures. Not surprisingly, the recommendations also demand better coordination, including “development of a new joint program plan between the Director of Science and Technology and the Deputy Director of National Intelligence for Intelligence Integration for Enhanced Integrated Intelligence, which it will use to track, prioritize, and coordinate Enhanced Integrated Intelligence R&D across the [intelligence community].”

“Exacerbating these challenges are U.S. policies that weaken the U.S. R&D talent base,” the report warned. “As scientific and technical knowledge and the resulting economic growth spread around the world, the competition for R&D talent is increasingly global.”

This is just one of many reports highlighting the continued disarray of the intelligence community, an apparatus struggling to keep up with cyber-threats while embarrassing the U.S. with political follies.

The report opens with a powerful juxtaposition of quotes that should help guide future discussions:

Failure to properly appraise the extent of scientific developments in enemy countries may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—Task Force Report on National Security Organization (the Eberstadt Report) (1948)

Failure to properly resource and use our own R&D to appraise, exploit, and counter the scientific and technical developments of our adversaries—including both state and non-state actors—may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—National Commission for the Review of the Research and Development Programs of the United States Intelligence Community (2013)


2013 NKU Security Symposium tomorrow, Friday, October 18, 2013

The NKU Chase Law + Informatics Institute, the Center for Applied Informatics, and our event sponsors look forward to the 2013 NKU Security Symposium tomorrow, Friday, October 18, 2013.

The program is free, but you must register. This is your last opportunity.

The Legal Issues in Privacy and Security (Legal Track) will be in Development B of the NKU METS Center in Erlanger, KY.

Legal Track Speakers:

  • John C. (Jack) Greiner, attorney, Graydon Head

  • Scot Ganow, attorney, Faruki Ireland & Cox P.L.L.

  • Jennifer Orr Mitchell, partner, Dinsmore & Shohl LLP

  • Michael G. Carr, JD, CISSP, CIPP, Chief Information Security Officer, University of Kentucky

Click here for the CLE Materials for the maximum of 4.0 general CLE credits approved by KY, OH & IN (new lawyer credits in IN).

  • Jon M. Garon, NKU Chase College of Law – Data Security: Breach Notification Law Issues [pdf]

  • Jennifer Orr Mitchell, Dinsmore & Shohl LLP – Attorneys and Other Contractors – HIPAA Business Associates in 2014 and Beyond [pdf]

For your convenience we have included directions below.

A detailed agenda can be found on the event website at http://cai.nku.edu/security2013/agenda.html

Directions to the NKU METS Center
From Downtown Cincinnati and Northern Kentucky:
I-71/75 South (from the South: I-71/75 North …) to I-275 West. Take the first exit (Exit No. 2 – Mineola Pike). Turn left onto Mineola Pike, crossing over I-275. Turn right at the second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park, past the hotels, to The METS Center. Parking is FREE in The METS Center’s large lot.

From Indiana:
I-74 to I-275 South into Kentucky. Stay on I-275, which curves east in Kentucky, for about 22 miles, all the way past the Greater Cincinnati Airport, until you reach Exit No. 2 – Mineola Pike. Turn right onto Mineola Pike, then turn right at the second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park, past the hotels, to The METS Center. Parking is FREE in The METS Center’s large lot.

Special thanks to the sponsors of the legal track: CincyIP and Frost Brown Todd.

W. Bruce Lunsford contribution to create Academy for Law, Business + Technology

With apologies for posting a press release as a blog post, the news that W. Bruce Lunsford has pledged $1 million to Chase, under the direction of the Law + Informatics Institute, for the creation of the W. Bruce Lunsford Academy for Law, Business + Technology is exciting enough for us to share.

HIGHLAND HEIGHTS, Ky. (May 15, 2013) — The Northern Kentucky University Chase College of Law has received a $1 million gift from W. Bruce Lunsford to establish and support the W. Bruce Lunsford Academy for Law, Business + Technology.

Lunsford, a 1974 graduate of Chase College of Law, is chairman and CEO of Lunsford Capital, LLC, a private investment company headquartered in Louisville, Ky.

The W. Bruce Lunsford Academy for Law, Business + Technology will be an honors immersion program operated by the NKU Chase Law + Informatics Institute. The focus of the program will be to develop “renaissance lawyers” for the Information Age. The Lunsford Academy will provide students with the technological, financial and professional skill sets essential to the modern practice of law.  Through the program’s technology-driven, skills-based curriculum, students will acquire the fundamental skills that will make them more productive for their clients, more attractive to employers and better prepared to practice law upon graduation.

For those interested in the details of the program, the most comprehensive vision is provided in my forthcoming article in the Connecticut Law Review. A working draft of the paper may be found here: Jon M. Garon, Legal Education in Disruption: The Headwinds and Tailwinds of Technology (Conn. L. Rev. forthcoming), at SSRN: http://ssrn.com/abstract=2040560.

In addition to taking the program’s required and elective law and informatics courses, Chase students participating in the Lunsford Academy will have the opportunity to participate in technology-focused semester-in-practice placements and study abroad programs; they will also be able to seek joint degrees.

Chase College of Law partners with the NKU College of Informatics to offer a Juris Doctor/Master of Business Informatics and Juris Doctor/Master of Health Informatics and with the NKU Haile/US Bank College of Business to offer a Juris Doctor/Master of Business Administration.

Professor Jon Garon, director of the Law + Informatics Institute, said the development of the Lunsford Academy is the next step in the evolution of legal education. “In addition to a solid foundation in legal doctrine, theory and practice, law students need business education, information technology and intellectual property knowledge, and law practice management experience,” he said. “These skills will enable students to compete in today’s highly networked, efficient and global business community. The generous donation by Bruce Lunsford enables Chase to meet this challenge and redefine the scope of legal education.”

In recognition of Lunsford’s gift, the academy will be named the W. Bruce Lunsford Academy for Law, Business + Technology, upon approval by the NKU Board of Regents.

“We are extremely honored and pleased that Bruce has made this significant investment in our Law + Informatics Institute,” said Dennis R. Honabach, dean of the College of Law. “The Lunsford Academy will provide our law students with invaluable opportunities to become uniquely prepared for the modern practice of law.”

Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

The focus of the conference is an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and of the industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as they apply to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications for various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of the Internet and social media as a threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement

 

Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability

 

Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013 which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

New York Times disclosure of cyber-attacks should pave way for greater corporate engagement and a critical infrastructure executive order

Seal of the White House Office of Homeland Security, which was formed by executive order on October 8, 2001 (http://www.whitehouse.gov/news/releases/2001/10/20011008-2.html) and later grew into the United States Department of Homeland Security. (Photo credit: Wikipedia)

With the lead story in the New York Times focused on its own failure to defend itself against politically motivated computer hacking from China, there is renewed concern about the vulnerability of domestic computer systems, particularly those that are part of the critical national infrastructure. The Department of Homeland Security describes critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”

While the Communications Sector is one of the 18 sectors identified as part of the critical infrastructure, the focus there is on the telecommunications network rather than on the content carried over it. Nonetheless, the continuing attack, which lasted over four months, raises serious questions about the ability of organizations to defend themselves effectively against a serious, professional attack.

Among the facts that stood out was the failure of commercial antivirus software. According to the Times, “[o]ver the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.” That result is less surprising than it sounds: signature-based products match malware that has already been seen in the wild, and tooling built for a single target has no signature to match.

The nature of the exposure has also changed. Instead of attacks aimed at the firewall, the campaign is now conducted through phishing: bogus links in innocuous-looking emails that induce a user already inside the perimeter to install “remote access tools,” or RATs, so the firewall is never breached from the outside at all.

Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”
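The “bogus link in an innocuous email” described above has a mechanical signature that mail gateways and security-awareness tooling can check: the visible text of a link names one site while the underlying href points somewhere else, or points straight at a bare IP address. The following is an added example written for this post, not code from the Times, Mandiant or Symantec; the sample mail body, the look-alike host name and the crude “last two labels” notion of a registrable domain are all constructed assumptions for illustration.

```python
"""Flag the "bogus link in an innocuous email" pattern: anchor text that names one host while
the href sends the reader somewhere else, or straight to a bare IP address."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token in visible link text, e.g. "www.nytimes.com" or "https://nku.edu/x".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Crude 'registrable domain': the last two labels. Assumed good enough for this example;
    production code should consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return [(visible text, href, [reasons])] for links worth blocking or warning on."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like are out of scope here
        host = target.hostname or ""
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("link target is a bare IP address")
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample mail body (not a real message): one honest link, one look-alike, one bare IP.
SAMPLE_MAIL = """
<p>Agenda: <a href="http://cai.nku.edu/security2013/agenda.html">event website</a></p>
<p>Your session expired. Sign in at
   <a href="http://nytimes-login.example.net/auth">https://www.nytimes.com/login</a>.</p>
<p><a href="http://203.0.113.7/update.exe">Install the security update</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_MAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the constructed body, the honest agenda link passes, the look-alike login link is flagged because its text names nytimes.com while the href resolves to example.net, and the download link is flagged for pointing at a bare address. The check says nothing about what the link delivers; it only catches the deception that gets the user to click, which is exactly the step Mr. Higgins describes.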

To meet this threat the Department of Homeland Security established the Office of Infrastructure Protection in 2002. It has its hands full.

This is a complex mission. Critical infrastructure ranges from the nation’s electric power, food and drinking water to its national monuments, telecommunications and transportation systems, chemical facilities, and much more. The vast majority of critical infrastructure in the United States is privately owned and operated; thus, public-private partnerships are essential to protect and boost the resilience of critical infrastructure and respond to events.

The attacks are real. The Washington Post has reported on overseas attacks that target utilities, including one that gained control of a Texas water utility.

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers. … From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities.

Congress flirted with new legislation to update the obligations of companies in the 18 sectors that provide our critical infrastructure, but it was ultimately unable to agree on legislative action. In its place, President Obama is expected to issue an executive order that will highlight the obligation of any organization within one of those sectors that receives a governmental notice to respond to a notice of imminent threat or to update its capacity to respond to a cyber-attack. A possible draft of the order is available here.

While business is reluctant to embrace these new obligations, the acknowledgment by the New York Times of the vulnerability companies face should change the dialogue about the executive order and the need to plan for cyber-defense rather than complain about its costs. After all, the cost of inaction will be much, much higher.

Remote Proctoring for the MOOC – an opening for the next wave in privacy excess

For those who herald such things, 2012 was the year of the MOOC, the massive open online course. Most MOOC courses are free, though some providers are attempting to monetize the offerings. The Chronicle of Higher Education reports that Coursera, the leading provider, has exceeded one million students while Udacity is nearing that mark.

The MOOC movement represents a highly disruptive innovation in education. Content is provided for free (or low cost) to the public on a massive scale. While some courses are little more than correspondence programs, others are highly interactive – with student projects, effective feedback, and measurable learning outcomes.

Successful educational institutions will still sell academic degrees as well as the more intimate experiential learning opportunities. Other universities, struggling financially, tend to see MOOCs as threats to revenue, while critics raise concerns about rigor and engagement.

Ironically, the open access of the MOOC raises concerns about the reliability of authenticating the test taker. If the certification is valuable, then perhaps one can hire a stand-in to take the course and pass the exam. According to the Washington Post, “security measures suggest that people sometimes cheat in MOOCs, even when there are no course credits or money at stake.”

To expand its business model and improve the reliability of MOOC participation, Coursera has launched a “pilot project to check the identities of its students and offer ‘verified certificates’ of completion, for a fee. A key part of that validation process will involve what Coursera officials call ‘keystroke biometrics’—analyzing each user’s pattern and rhythm of typing to serve as a kind of fingerprint.”

Keystroke biometrics are recognized for distinguishing automated computer responses from human ones, so they are quite useful for separating human users from bots. They are less commonly used as an identity credential: a typing rhythm varies with keyboard, fatigue and mood, and because it can be observed by any software running on the machine, it cannot be treated as a secret the way a password is.
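To make the preceding point concrete, here is an added example of how a keystroke-dynamics check is typically built and where its credential value runs out. It is illustrative code written for this post, not Coursera’s implementation, which has not been published; the enrolment phrase, the dwell/flight feature set, the scaled-Manhattan score, the acceptance threshold and all of the timing data are constructed assumptions.

```python
"""Keystroke dynamics: turn typing rhythm into a feature vector, match it against an
enrolled profile, and show that a captured rhythm replays just as well as the real one."""
from statistics import mean, pstdev

PHRASE = "coursera"  # assumed enrolment phrase; every sample must type exactly this


def features(events):
    """events: [(key, press_ms, release_ms), ...] for one typing of PHRASE, in order.
    Returns dwell times (how long each key is held) followed by flight times
    (gap from one key's release to the next key's press)."""
    if "".join(k for k, _, _ in events) != PHRASE:
        raise ValueError("sample must type exactly the enrolment phrase")
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Per-feature mean and standard deviation over several enrolment typings."""
    columns = list(zip(*(features(s) for s in samples)))
    mu = [mean(c) for c in columns]
    sigma = [max(pstdev(c), 1.0) for c in columns]  # floor so a constant feature cannot divide by ~0
    return mu, sigma


def score(profile, sample):
    """Scaled Manhattan distance from the profile; 0 means the profile's own mean rhythm."""
    mu, sigma = profile
    f = features(sample)
    return sum(abs(x - m) / s for x, m, s in zip(f, mu, sigma)) / len(f)


def verify(profile, sample, threshold=1.5):
    """Accept when the typing is within `threshold` scaled units of the profile (assumed cut-off)."""
    return score(profile, sample) <= threshold


def make_sample(dwell_ms, flight_ms, jitter):
    """Constructed typing of PHRASE: key i is held dwell_ms + jitter[i] ms and the gap before
    key i+1 is flight_ms + jitter[len(PHRASE) + i] ms. Returns the event list a client would log."""
    events, t = [], 0
    for i, key in enumerate(PHRASE):
        press = t
        release = press + dwell_ms + jitter[i]
        events.append((key, press, release))
        if i + 1 < len(PHRASE):
            t = release + flight_ms + jitter[len(PHRASE) + i]
    return events


N_FEATURES = 2 * len(PHRASE) - 1
OFFSETS = [-6, -2, 2, 6]


def jitter_pattern(sample_no):
    """Deterministic stand-in for natural variation (constructed data, not real keystroke logs)."""
    return [OFFSETS[(sample_no + j) % len(OFFSETS)] for j in range(N_FEATURES)]


# Enrolment: four typings by the legitimate student (about 90 ms holds, 120 ms gaps).
ENROLMENT = [make_sample(90, 120, jitter_pattern(i)) for i in range(4)]
PROFILE = enroll(ENROLMENT)

# A fresh typing by the same student, a typing by a slower stand-in, and a verbatim replay
# of the student's captured events submitted by someone else.
GENUINE = make_sample(90, 120, [3 if j % 2 == 0 else -3 for j in range(N_FEATURES)])
IMPOSTOR = make_sample(140, 220, jitter_pattern(1))
REPLAY = list(GENUINE)


def demo():
    """Accept/reject decision and score for each of the three submissions."""
    return {name: (verify(PROFILE, s), round(score(PROFILE, s), 3))
            for name, s in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("replay", REPLAY))}


if __name__ == "__main__":
    for name, (accepted, dist) in demo().items():
        print(f"{name:9s} accepted={accepted} score={dist}")
```

The genuine typing scores well inside the threshold and the slower stand-in is far outside it, which is the bot-versus-human and stranger-versus-student separation the technique is good at. The replay, however, is accepted with exactly the same score as the genuine sample: the verifier has no way to tell a live rhythm from a recorded one, which is why typing cadence cannot stand in for a credential that the student alone possesses.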

The keystroke biometrics are just part of the Coursera approach. It will also use photographs of the student’s ID and of the student taken from the computer to be compared by hand.

The most common way for online courses to be verified is for the student to take the exam at a test center. Such facilities exist throughout the country, and universities sometimes offer this service to each other as an accommodation for traveling students.

Using ineffective technologies will make a joke out of the credibility for MOOC certification. While the risk of being caught will deter some potential cheaters, it will incentivize others to work around the weak protections and harm the credibility of these programs.

Inevitably, the next step in student monitoring will be to remotely capture photos, video or audio of students while they are engaged in the course. Products that remotely control onsite computers, such as Apple Remote Desktop, LanSchool and Net Orbit, can be adapted to the student’s home computer. In 2010, for example, a suburban Philadelphia school district was sued for spying on its students through school-issued laptops without any prior notification.

Perhaps the use of live biometric voice recognition would improve the reliability and avoid the risk that the system could capture data surreptitiously, but such steps should be taken with caution.

Until the MOOC certificate is part of a college transcript, there is no reason to worry about verification. Schools offering college credit for these courses should extend their academic standards and honor codes to the courses.

Any monitoring of online students should be done in a manner that requires the student to log into the system and complete verification steps. It should not allow the system to reach into the student’s computer or turn on monitoring devices, including keystroke monitors, microphones or cameras. Any system that lets the school choose when to monitor the student is likely to become intrusive and to collect information the school has no business holding.

There are many effective ways to verify the work of students – computer monitoring should not be one of them.

Beyond debunking the Facebook Notice

In response to the widespread posting of copyright warnings on Facebook, David Pogue wrote a short blog post, “You Can Stop Spreading That Facebook Notice Now,” which correctly attempted to get people to stop repeating the useless post. His advice was correct, since the post doesn’t have any effect, but perhaps there is more to the hoax than his article suggests.

The post quoted by Mr. Pogue is presented as follows:

     In response to the new Facebook guidelines, I hereby declare that my copyright is attached to all of my personal details, illustrations, comics, paintings, crafts, professional photos and videos, etc. (as a result of the Berner Convention).

For commercial use of the above my written consent is needed at all times!

Facebook is now an open capital entity. All members are recommended to publish a notice like this, or if you prefer, you may copy and paste this version.

Snopes, the anti-misinformation site, has already debunked this hoax and cites two other variations, which add some privacy constraints as well:

The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law.

UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE.

Mr. Pogue explains why he considers the post a hoax, then cites a Facebook statement and Snopes for confirmation. He is absolutely right that the post is ineffective. He may not, however, be accurate in other regards.

For example, Facebook explained the falsity as follows: “There is a rumor circulating that Facebook is making a change related to ownership of users’ information or the content they post to the site. This is false. Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.”

First, the actual terms of the Facebook policy are a bit more nuanced: “For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”

  • The Facebook user owns the copyright in everything she uploads.
  • Facebook gets full use of that content.
  • If the user account is terminated, Facebook can still use the content so long as “your content has been shared with others, and they have not deleted it” – which means most content is never deleted.

So Facebook is completely correct that the posting does not affect the copyright in the posted content, but it fails to completely explain the consequences of the contract.

Second, this is a contract rather than a policy. This is important since contracts can be amended, but only according to their own terms. In the case of Facebook, this means that only Facebook can propose changes to the contract, not the user, and users agreed that “Your continued use of Facebook following changes to our terms constitutes your acceptance of our amended terms.” This means the posted language cannot operate as a contractual modification.

Still on contract law, there is the curious reference to the Uniform Commercial Code (UCC). Since the UCC applies to the sale of goods, it has no bearing on a social media user website. Moreover, UCC 1-103 merely recites the proposition that the statute does not eliminate additional common law protections such as “capacity to contract, principal and agent, estoppel, fraud, misrepresentation, duress, coercion, mistake, Bankruptcy, or other validating or invalidating cause[s]….” UCC 1-308 is a bit closer to the issue. If the contract had not already been formed, then reserving one’s rights means that the performance under the contract does not automatically mean the contract has been accepted.

The posting may not be a “hoax” so much as a failed attempt to react to the unequal bargaining power between a web site provider and an individual user. That it fails does not make it a joke. The frustration may be very real.

The privacy statements in the attempted reservation of rights similarly fail. Something posted publicly does not become private through a disclaimer. If one’s settings are entirely private and posts are limited to a select group of people, some limited privacy might survive. This statement will not help in that regard.

One final note about Mr. Pogue’s column. He chides the hoax author for describing the “Berner Convention.” Mr. Pogue reminds his readers that “you’re already protected by copyright law” – which is true, but ignores the contractual waivers that have limited its scope. He then goes on to say “there’s no such thing as the Berner Convention. There’s a Berne Convention, which covers literary works.”

I am hoping that Mr. Pogue – a journalist who makes his living as a writer and columnist focusing on law and technology – understands that literary works under U.S. and international law include the following under copyright law:

  1. literary works;
  2. musical works, including any accompanying words;
  3. dramatic works, including any accompanying music;
  4. pantomimes and choreographic works;
  5. pictorial, graphic, and sculptural works;
  6. motion pictures and other audiovisual works;
  7. sound recordings; and
  8. architectural works.

The Berne Convention coverage is slightly different than the U.S. law (quoted above) in this regard, but it certainly includes all the photographs, music files, videos, poems, and pictures that a person uploads. It is not limited to fictional works of book length or any other more limited definition of literary works.

Mr. Pogue did not say anything of the sort. But the tone and the inference suggest he thinks the reference to the Berner Convention was much more egregious than a typo in the title. And while this doesn’t affect his advice to stop using the clause on Facebook, it makes one wonder – at least a little bit.

So stop using the Facebook disclaimer. Don’t negotiate a contract after you have agreed to its terms. Don’t expect that Facebook’s acknowledgement of user copyrights will actually change the company’s use of the uploaded content. And finally, don’t expect most journalists to understand the difference between copyright, patent, and trademark – they’re just in the business of creating content after all.