Coming to a Government Contract Near You: Mandatory Information Safeguarding Requirements

Justin A. Chiarodo, Philip E. Beshara, and Heather L. Petrovich

The government recently finalized a sweeping amendment to the Federal Acquisition Regulation (“FAR”) that will impose basic information system safeguarding requirements on many federal acquisitions, marking the latest in the continuing government effort to regulate and enhance cybersecurity protections in the industry. The Final Rule, effective June 15, 2016, imposes fifteen basic safeguarding requirements for contractors with information systems containing information provided by, or generated for, the government under a federal contract.

Though many contractors likely maintain information security standards that meet or exceed the new rule, they should confirm their compliance status by assessing these requirements against their current cybersecurity compliance program (to help mitigate the risk of a breach of contract claim or more serious enforcement action). This should include confirming that the requirement is flowed down to subcontractors where appropriate.

The new Rule (available here) broadly applies to all federal contractors and subcontractors with information systems that process, store, or transmit “federal contract information” (i.e., information provided by, or generated for, the government under a federal contract). These safeguarding requirements will be imposed on most acquisitions (including acquisitions below the simplified acquisition threshold and commercial item procurements). The only exception is the acquisition of commercial-off-the-shelf (“COTS”) items. Contractors and subcontractors must also flow down the requirements to all subcontracts where the subcontractor may have federal contract information residing in—or transiting through—its information systems.

While the Rule imposes 15 new requirements, they are characterized as “basic” security controls. Indeed, many companies will already be familiar with these standards, as most, if not all, are employed as standard best practices. Several are drawn directly from the National Institute of Standards and Technology (“NIST”) guidelines applicable to federal agencies. Importantly, the Rule does not impact the considerably higher safeguarding standards governing contractors dealing with Controlled Unclassified Information (“CUI”) or classified information.

Compliance with these safeguards may not only shield a contractor from liability in the event of an inadvertent release of information, but as the government indicated in its commenting on the Rule, the failure of a contractor to maintain the required safeguards may constitute a breach of a contract. Nonetheless, the security controls set forth in the Rule represent standard industry best practices and should be implemented by any prudent contractor regardless of the presence of covered information. To this end, any company doing business with the federal government should look to these guidelines as representative of the types of essential practices it should employ.

The Final Rule will be implemented through FAR Subpart 4.19 and a new contract clause (FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”). The 15 requirements are set forth below:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Unforeseen Consequences of Hacking: When Someone Wants To Use Your Cybercrime Misfortune Against You In A Litigation

Michelle Gitlitz Courtney and D. Morgan Barry

Companies that are hacked face a range of repercussions, such as notifying clients and customers that the privacy of their information has been compromised and implementing a new security system. In July 2015, it was highly publicized that the extramarital affair dating website Ashley Madison was hacked and the names of thousands of cheating men and women were disclosed to the public. While hacks often lead to the filing of class action complaints concerning inadequate cybersecurity measures, here, the plaintiffs’ counsel took an unprecedented position: they sought to use the content of press articles that cited to the leaked documents (including privileged documents) in the multidistrict class action lawsuit.[1]

The class action plaintiffs in the Ashley Madison litigation attempted to use the hacked documents to support their claims that Avid Dating Life (“Avid Dating”), the owner of the extramarital affair website, failed to properly secure users’ confidential information and committed fraud by maintaining fake female profiles on the website AshleyMadison.com.

Upon notice of Plaintiffs’ intention to use the documents, Avid Dating sought a restraining order to prevent Plaintiffs’ use of the documents that were disclosed as a result of the hack. Avid Dating asserted that the use of stolen documents in a litigation is against federal case law, state case law, the Rules of Professional Conduct, and ethics opinions. Supporting Avid Dating were the Amici Does, former users of the adultery website.

In response, Plaintiffs argued that they should be able to use news and media articles discussing the hacked documents (including privileged documents) in their class action complaint because Plaintiffs had no involvement in the hack, the documents were widely disseminated on the internet and in the media, Plaintiffs did not intend to use the stolen documents themselves, but instead use media reports that referenced the stolen documents, and the documents demonstrated Avid Dating’s own wrongful acts.

In a thoughtful, ten-page decision on April 29, 2016, Judge Ross of the Eastern District of Missouri ruled that Plaintiffs were not permitted to use the stolen documents or media reports referencing the documents.[2] Judge Ross did not consider Plaintiffs’ innocence in the hack or the fact that the documents were already referenced in news publications to be influential in his decision. Because the documents were stolen and use of stolen documents compromises judicial integrity, Plaintiffs were not permitted to use the documents—end of story.

Judge Ross acknowledged the ethical dilemma in protecting from disclosure privileged hacked documents that showed wrongdoing on the part of Avid Dating: “[h]owever distasteful it may be that some of the e-mail communications between Avid and its counsel may show wrongful or inappropriate conduct, the Court cannot and will not allow Plaintiffs to take advantage of the work of hackers to access documents outside the context of formal discovery.”[3]

[1] In re Ashley Madison Customer Data Sec. Breach Litig., No. 4:15-md-02669 (E.D. Mo. Dec. 9, 2015).

[2] Id. pg. 8.

[3] Id.

Data Breach Negligence Claims Not Recognized in Pennsylvania

By Steven L. Caponi and Elizabeth A. Sloan

In an important and well-reasoned 12-page decision, Judge Wettick of the Court of Common Pleas of Allegheny County refused to create a common law duty to protect and secure confidential information. The decision was issued in the matter of Dittman v. UPMC, which was filed on behalf of over 62,000 plaintiffs. Although not binding state-wide, Judge Wettick’s decision represents an important step in the development of privacy law in Pennsylvania.

The complaint was filed against the University of Pittsburgh Medical Center (“UPMC”) after names, birthdates, social security numbers, confidential tax information, addresses, salaries, and bank account information pertaining to current and former employees was stolen from UPMC’s computer systems. The plaintiffs alleged that UPMC had a common law “duty to protect the private, highly sensitive, confidential and personal financial information, and the tax documents of plaintiffs and the members of the proposed class.” The complaint claimed that UPMC violated this duty when it failed to “exercise reasonable care to protect and secure the information.”

Advocating for more than simple recognition of a general duty, the Dittman plaintiffs sought court imposition of very specific and onerous duties on UPMC. Given the nature of the employee/employer relationship, the plaintiffs argued that UPMC’s duties included the obligation to design, maintain, and test “its security systems to ensure that [] the members of the proposed Classes personal and financial information … was adequately secured and protected.” It was further argued that “UPMC [] had a duty to implement processes that would detect a breach of its security systems in a timely manner.” Lastly, the plaintiffs argued that UPMC should be liable for its failure to meet industry standards in the face of a risk that was reasonably foreseeable.

Judge Wettick’s decision is important not only for its ultimate holding, finding no common law cause of action for data breaches, but also for the three lines of thought relied upon to support his conclusion. Specifically, Judge Wettick found: (1) Pennsylvania’s economic loss doctrine precludes a negligence cause of action for economic loss stemming from a data breach; (2) public policy considerations militated against the creation of an affirmative duty of care in connection with data breach cases; and (3) the Pennsylvania General Assembly’s prior actions evidenced an intent not to impose such a duty.

With regard to the economic loss doctrine, the court noted that the UPMC employees sustained only economic losses resulting from the improper actions of third-party bad actors. With this finding in hand, the court turned to the economic loss doctrine and affirmed that “no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage.” Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840, 841 (Pa. 2009). Seeking to overcome the economic loss doctrine, the Dittman plaintiffs invoked Pennsylvania Supreme Court case law, including Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa. 2012), to suggest the court should impose a common law duty of care on those who maintain the confidential data of third parties. The court rejected this argument as an improper effort to undermine the economic loss doctrine.

The court went on, however, to consider the factors articulated in Seebold and concluded “the controlling factors are the consequences of imposing a duty upon the actor and the overall public interest in the proposed solution.” Recognizing the magnitude of the problem, the court noted that “data breaches are widespread … frequently occur because of sophisticated criminal activity of third persons … [and] [t]here is not a safe harbor for entities storing confidential information.” Judge Wettick further noted that the imposition of a new duty was unnecessary because entities who store confidential information already have a strong incentive to protect the data and avoid the disastrous operational consequences resulting from a breach.

Addressing the public policy component of Seebold, the court adopted a very practical approach.  Judge Wettick determined that the creation of a new duty would expose Pennsylvania courts to the “filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons”—a burden the courts are not equipped to handle. He further recognized that there is an absence of guidance as to what actions constitute reasonable care, and allowing juries to determine what constitutes reasonable care is not a “viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation.” Lastly, the court took notice of the fact that creation of a new cause of action would require companies to expend substantial resources defending lawsuits even though the entities “were victims of the same criminal activity as the plaintiffs.”

The court concluded its analysis into the propriety of creating a common law duty by noting that the Pennsylvania General Assembly extensively considered the issues surrounding data breaches when enacting the Breach of Personal Information Notification Act (the “Act”). 73 P.S. § 2301, et seq. (effective June 20, 2006). Notably, the Act did not establish a duty of care or a private cause of action. Rather, the Act created only a notification obligation in the event of a breach.  Had the General Assembly wished to impose a new duty, it had the opportunity to do so.  Exercising judicial restraint, Judge Wettick concluded “[i]t is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.”

While Judge Wettick’s decision will surely not be the last word on liability stemming from data breach cases in Pennsylvania, it is highly instructive, well-reasoned, and likely to be followed by other Pennsylvania courts. A copy of the Judge Wettick’s decision can be obtained here.

And The Survey Says . . . GCs Need More Cybersecurity And Social Media Training

By Jeffrey Rosenthal

Becoming better versed in issues surrounding cybersecurity and social media risk would greatly benefit general counsel at publicly traded companies, according to a recent survey of executive leadership.

In May 2015, a survey of 5,000 directors, board chairs and CEOs of publicly traded companies—sponsored by executive search firm BakerGilmore, and NYSE Governance Services—was released.  The survey was conducted in February and March of 2015.

Among the questions asked was which areas executives felt their general counsel would most benefit from gaining additional expertise in, so as to add value to their company. The overwhelming favorite: cybersecurity risk, chosen by 67 percent of the executives surveyed. The next closest answer was social media risk (39 percent), followed by crisis management (30 percent).

In fact, only 5 percent of respondents assessed their general counsel’s grasp of the issues surrounding cybersecurity as “excellent”; 44 percent characterized it as “good”; and 47 percent as only “fair.”  Likewise, only 7 percent rated their general counsel’s working knowledge of social media risk as “excellent.”

“Not surprisingly, as the corporate world continues to grapple with fallout in the modern cyber era, directors believe general counsel would most benefit from additional education in cybersecurity and social media, areas in which many directors are admittedly lacking in expertise,” wrote the survey’s authors.

But there was also positive news for in-house lawyers:  General counsel are “much more likely” to be considered key members of the management team nowadays, as compared to a decade ago.  “Overall, general counsel are being lauded for their strategic contributions as well as pragmatic ones, making them increasingly valued members of the executive team,” the survey concluded.

A copy of the survey, entitled “GCs’ Adding Value to the C-Suite,” is available here.

Old Dog New Tricks

By Steven L. Caponi and Kate B. Belmont


The maritime community is sitting on the precipice of disaster. While regarded as one of the oldest and most well respected industries on the planet, the maritime community as a whole has failed to protect itself against the growing threat of cybercriminals. Methods of daily business transactions have failed to evolve and the reliance on out-dated technology with little to no cybersecurity protection has left many sections of the maritime community vulnerable to cyber-attack. The bunker fuel industry, in particular, has been recently faced with growing and continual threats, due to its outmoded business practices and its failure to employ the most efficient and reliable forms of cybersecurity protection.

As technology has evolved, dependence on technology has also increased. While technological advances may make work easier or faster, it has also created new threats and vulnerabilities for industries that rely too heavily on it, without employing the proper protections. Unfortunately, the bunker fuel industry is a prime example of a community that relies on shared technology and communication information, but has failed to implement the appropriate cybersecurity protections. As a result, the bunker fuel industry is a current target for today’s cybercriminals.

Like money, bunker fuel is a highly valuable and fungible commodity. It is estimated that, by 2020, worldwide sales of bunker fuel will reach 500 million tonnes per year. Using an average price of approximately $750 per metric tonne (mt) of MDO suggests there will be nearly $500 billion in annual bunker fuel sales. Without a doubt, the bunker industry is a critical component of the maritime community and the global economy. That said, industries that are slow to change take significant and daily risks when methods of doing business fail to evolve to meet the growing threat posed by more sophisticated criminals. In common military/security parlance, this makes the bunker fuel industry a ‘soft target’ for cyber criminals.

In the bunker fuel industry, thousands of daily quotations, sales and payment transactions take place electronically. The principal means of communication for these transactions is email. This has been, and continues to be, the Achilles heel for the bunker fuel industry. The bunker fuel industry has been the victim of many recent cyber-attacks, due to its reliance on unsecured email communications for its daily business transactions. The common practice in the industry involves traders receiving emails from buyers requesting quotes. The trader responds to these requests and after a series of email communications with a potential buyer, the transaction is often consummated and confirmed through these same email communications. Eventually, the bunkers are loaded and a new series of emails are exchanged to facilitate payment.

It is at this stage where the cybercrime is usually committed. After the physical supplier provides bunkers to the customer’s vessel, the trader receives an emailed invoice which appears to be from the physical supplier. As this is common practice in the industry, the invoice is submitted for processing and the wire transfer is quickly made. Unfortunately, the invoice is fraudulent, the wire transfer information is fraudulent, and payment is made to the cybercriminal’s account. When the legitimate invoice does arrive from the supplier with the real wire information, in many cases the trader is forced to pay twice. This is just one example of how the bunkering community is so easily susceptible to cyber-attacks.

While a convenient method for transacting business, emails can represent a significant vulnerability that will be readily exploited by cybercriminals. The fundamental flaw with e-mail transactions is the unavoidable reality that each communication travels over multiple unsecured networks and passes through numerous computer systems, all of which are unknown to the email sender and recipient. This presents cybercriminals with the opportunity to intercept communications, dissect how a particular business manages its transactions and allows them to send e-mails impersonating legitimate individuals or businesses. Too frequently, businesses ignore these risks by falling victim to a false sense of security caused by three erroneous assumptions: (i) that cybercrime requires a high level of sophistication; (ii) that a successful attack is a time consuming endeavour; and (iii) that they are not big enough to be worth the criminals’ effort.

Make no mistake, cybercriminals are smart, determined and have a good understanding of how to use a computer. But they are far from the image of a highly sophisticated group of computer geniuses sitting in a dimly lit room using banks of cutting edge computers to sift through lines of source code. Rather, most cybercriminals are members of an organised crime group who have concluded they can steal more money using a mouse than a gun. Geographically, these groups operate out of Africa, Russia, South East Asia and various countries in Eastern Europe. They prefer locations that are economically challenged, and where local politicians and law enforcement can be compromised. Contrary to popular belief, they are not highly educated because they buy rather than develop the software used to facilitate their crimes.

The second and third assumptions are perhaps the most easily exposed. Cybercrime is not solely focused on large targets, because such targets necessitate time consuming effort requiring weeks of preplanning. In fact, cybercrime is the complete opposite – it is a crime of opportunity. This is reflected in the cybercriminals’ use of phishing emails. Phishing involves the use of what otherwise appears to be legitimate email messages or websites that trick users into downloading malicious software or handing over their personal information under false pretences. For example, by unknowingly downloading malware, a user provides the criminals with the ability to access their computer, read their files and send messages from their email account. Or, an employee may receive an email allegedly from the IT department stating that it is performing routine security upgrades and asking that the user confirm their user name and password in order not to be locked out of the system.

Many reading this article may question the utility of using such an approach and believe reasonable people would not fall victim to a phishing attack. The figures tell a different story. Over 156 million phishing emails are sent every day. They are randomly generated using very basic software programs and transmitted 24/7 across the globe. Around 16 million of these e-mails make it past company security systems and 8 million are opened and read. This results in over 80,000 people, every day, clicking on the corrupted link, unknowingly downloading malware and providing user identification and log-on credentials. As a result, after an evening of sending millions of emails, cybercriminals have 80,000 new victims to choose from.

By now, many in the maritime community are aware of the cyber-attack that cost World Fuel Services (WFS) an estimated $18 million. The scam exposed the numerous flaws in the way most bunker fuel is sold. Impersonating the United States Defense Logistics Agency, cyber criminals used fake credentials to send an email seeking to participate in a tender for a large amount of fuel. WFS received the offer to participate in the tender, took the email at face value and purchased 17,000 mt of marine gas oil from Monjasa that was then delivered to a tanker known as the Ocean Pearl while it was off the Ivory Coast. Upon submission of the invoice, the government agency responded that it had no record of the fuel tender.

There are several facts about the bunker fuel industry that we know to be absolutely true: (i) the industry involves hundreds of billions of dollars in annual transactions; (ii) the transactions are consummated almost exclusively through electronic communications; (iii) there are minimal security protocols used to validate these transactions; (iv) cyber criminals pursue crimes of opportunity that present low risk; and (v) every organisation will at some point be compromised by malware or a phishing scam. This begs the question, what should be done to combat this threat? Fortunately for the bunker industry, there are several common sense steps that will dramatically reduce the potential for falling victim to a cybercrime.

The first and most obvious step is to retain professionals who can help harden your company against a cyber-attack. Both cybersecurity lawyers and consultants can provide assistance in developing systems and protocols to protect your company from cybercriminals and the potential liability that results from a cyber-attack. Being a hardened target means adopting the policies and procedures that will make your company less susceptible to an attack. Present cybercriminals with a choice between expending resources trying to overcome your defences or moving on to a more vulnerable victim. More often than not, they will choose the path of least resistance.

Unfortunately, there is not one simple solution for becoming a hardened target, because each business operates differently with a different clientele. But there are things nearly all companies can do to become more secure and hardened. For example, do not rely solely on email communications to consummate large purchases or transactions. In addition to email, require a second channel of communication with the buyer, such as a phone call, fax or form of identification/authorisation not readily accessible to cybercriminals. There are other options such as utilising a secure web portal for bunker fuel transactions. Whatever path is taken, it is wise to remember that the more sophisticated and varied your procedures for consummating a transaction, the more work required by the criminals. The more work required by the criminals, the more likely they will select a different target.
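The second-channel rule above (never release a wire on the strength of an email alone; confirm changed or large payments against details the company already holds) can be enforced as a simple payment gate. The following Python script is an added example for this post, not code from the article, Petrospot or any bunker trader. It assumes a constructed vendor master (fictitious supplier domain, IBAN, callback number and a made-up 100,000 USD threshold) collected at supplier onboarding, and it treats the double-payment scenario described earlier as the case to catch: an invoice from a lookalike domain carrying a different beneficiary account.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional

# Constructed vendor master: bank details and callback numbers recorded when
# each supplier was onboarded. Nothing here ever comes from an inbound email.
# Domain, IBAN and phone number are fictitious placeholders.
VENDOR_MASTER = {
    "supplier-example.test": {
        "name": "Example Physical Supplier",
        "iban": "DK5000400440116243",
        "callback_phone": "+45-00-000-000",
    },
}

# Constructed policy threshold (assumption): payments at or above this value
# always need a second channel, even when nothing looks wrong.
LARGE_PAYMENT_USD = 100_000


@dataclass
class Invoice:
    sender_email: str
    invoice_number: str
    amount_usd: float
    beneficiary_iban: str


@dataclass
class Decision:
    status: str                          # "release" or "hold"
    reasons: list = field(default_factory=list)
    callback_phone: Optional[str] = None  # vetted number from the master, if any


def nearest_known_domain(domain, master):
    """Return (best_match, similarity) of a sender domain against vetted domains."""
    best, score = None, 0.0
    for known in master:
        s = SequenceMatcher(None, domain, known).ratio()
        if s > score:
            best, score = known, s
    return best, score


def vet_invoice(inv, master=VENDOR_MASTER, large=LARGE_PAYMENT_USD):
    """Gate an emailed invoice: release only when the sender domain is a vetted
    supplier, the beneficiary account matches the vendor master and the amount
    is under the threshold; otherwise hold pending an out-of-band callback."""
    domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    d = Decision(status="release")
    record = master.get(domain)

    if record is None:
        near, score = nearest_known_domain(domain, master)
        if near and score >= 0.8:  # one-character lookalike domains land here
            d.reasons.append(f"sender domain {domain!r} resembles vetted domain {near!r} but differs")
            record = master[near]  # the callback goes to the real supplier, never to the email
        else:
            d.reasons.append(f"sender domain {domain!r} is not a vetted supplier")
    if record is not None and inv.beneficiary_iban.replace(" ", "") != record["iban"]:
        d.reasons.append("beneficiary account differs from vendor master")
    if inv.amount_usd >= large:
        d.reasons.append(f"amount {inv.amount_usd:,.0f} USD meets second-channel threshold")

    if d.reasons:
        d.status = "hold"
        d.callback_phone = record["callback_phone"] if record else None
    return d


def confirm_by_callback(decision, phone_dialled, supplier_confirmed):
    """Second channel: release a held payment only if the call went to the vetted
    number from the vendor master (not a number quoted in the email) and the
    supplier confirmed the invoice and account details."""
    if decision.status != "hold":
        return decision
    if decision.callback_phone is None:
        return Decision("hold", decision.reasons + ["no vetted callback number; verify supplier by other means"])
    if phone_dialled == decision.callback_phone and supplier_confirmed:
        return Decision("release", ["confirmed via vetted callback"], decision.callback_phone)
    return Decision("hold", decision.reasons + ["callback not made to vetted number or not confirmed"],
                    decision.callback_phone)


if __name__ == "__main__":
    # Constructed sample: lookalike domain plus a changed account, the pattern
    # behind the double-payment scenario described in the article.
    suspicious = Invoice("accounts@supplier-examp1e.test", "INV-1001", 40_000, "DE89370400440532013000")
    held = vet_invoice(suspicious)
    print(held.status, held.reasons)
    print(confirm_by_callback(held, "+1-555-0100", True).status)      # number from the email: still held
    print(confirm_by_callback(held, "+45-00-000-000", True).status)   # vetted number: released
```

The design point is that the callback number is taken from the vendor master, so a fraudulent invoice that quotes its own "verification" phone number cannot satisfy the gate; the lookalike check is a deliberately simple ratio test and a production system would add domain-age and authentication (SPF/DKIM) signals on top of it.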

To avoid the continued targeting by cybercriminals and the tremendous financial implications that result therefrom, the bunker fuel industry must evolve to meet the threats posed by reliance on unsecured shared technology and communication information, and work with cybersecurity professionals to develop or strengthen its cybersecurity practices. To date, the bunker fuel industry has failed to even moderately protect itself from cyber-attacks but must now act to arm itself or suffer continued disastrous financial implications.

“Old dog new tricks” appeared in Petrospot’s December 2014/January 2015 edition of Bunkerspot. To read the article, please click here. Reprinted with permission from Petrospot.

Maritime Cybersecurity: A Growing Threat Goes Unanswered

By Steven L. Caponi and Kate B. Belmont

The maritime industry may be one of the oldest in the world, but in-depth reports issued by the United States Government Accountability Office (“GAO”) and the European Network and Information Security Agency (“ENISA”) confirm that our industry is as susceptible to cybersecurity risks as the most cutting-edge technology firms in Silicon Valley. With the ability to commandeer a ship, shut down a port or terminal, disclose highly confidential pricing documents, or alter manifests or container numbers, even a minor cyber attack can result in millions of dollars of lost business and third-party liability. Unfortunately, cybersecurity on board merchant vessels and at major ports is 10 to 20 years behind the curve compared with office-based computer systems and competing industries throughout the world. Like other industries critical to the global economy, such as the financial services sector and energy, it is time for the maritime industry to adopt a proactive response to the growing cybersecurity threat.

Economic and Security Perspectives

Although not yet treated as a significant business risk, cybersecurity has for some time been viewed as a considerable threat by the governmental agencies responsible for both national and international maritime security. In late 2011, ENISA issued a sobering report focused on the cybersecurity risks facing the maritime industry, and provided recommendations for how the maritime industry should respond. Unfortunately, the most recent report issued by the GAO in June of this year confirms that the threat has grown more significant, but that the maritime industry has failed to make cybersecurity a priority. Copies of both the ENISA and GAO reports can be obtained by visiting Blank Rome’s cybersecurity blog, Cybersecuritylawwatch.com.

ENISA was prompted, in part, to issue its 2011 report because the maritime sector is universally viewed as critical to the security and prosperity of European society. ENISA noted that in 2010, 52 percent of the goods trafficked throughout Europe were carried by maritime transport, compared to only 45 percent a decade earlier. The ENISA report further noted that, throughout Europe, approximately “90% of EU external trade and more than 43% of the internal trade take place via maritime routes.” The industries and services belonging to the maritime sector are responsible for approximately three to five percent of EU Gross Domestic Product. This vast amount of trade flows into and out of the numerous ports located in 22 EU member states.

From both an economic and security perspective, the ability to disrupt the flow of maritime goods in Europe or the United States would have a tremendous negative impact on the respective local economies, and would also be felt worldwide. According to ENISA, “The three major European seaports (i.e., Rotterdam, Hamburg, and Antwerp) accounted in 2010 for 8% of overall world traffic volume, representing over 27.52 million TEUs.” Additionally, these ports “carried in 2009 17.2% of the international exports and 18% of the imports.” For its part, the GAO noted that, as an essential element of America’s critical infrastructure, the maritime industry “operates approximately 360 commercial sea ports that handle more than $1.3 trillion in cargo annually.” The Long Beach port alone services 2,000 vessels per year, carrying over 6.7 million TEUs, which accounts for one in five containers moving through all U.S. ports. Long Beach ranks among the top 21 busiest ports internationally, with significant connections to Asia, Australia, and Indonesia.

Given the interconnectivity of the maritime industry and paramount need to keep ports moving with speed and efficiency, a cyber attack on just one of the major EU or U.S. ports would send a significant negative ripple throughout the entire industry. With the ability to impact so many nations and peoples at once, the maritime industry presents a fruitful target for both private and political actors. Threats of cyber attacks can range from rival companies, to those wishing to advance a political or environmental agenda, to nation states advancing a national agenda, to terrorist organizations, and even cyber attacks from pirates or freelance hackers.

What Would a Cyber Attack Look Like?

Both the GAO and ENISA agree that the soft underbelly of the maritime industry is its reliance on Information and Communication Technology (“ICT”) in order to optimize its operations. As was clearly noted by ENISA, ICT is increasingly used by all levels of the maritime industry “to enable essential maritime operations, from navigation to propulsion, from freight management to traffic control communications, etc.” Examples of these technologies include terminal operating systems, industrial control systems, business operating systems, and access control and monitoring systems. ICT systems supporting maritime operations, from port operations management to ship communication, are commonly highly complex and utilize a variety of ICT technologies.

Further complicating cyber defense efforts, ICT systems used by ships, ports, and other facilities are frequently controlled remotely from locations both inside and outside of the U.S. Presenting an even higher level of concern, some ports have adopted the use of automated ground vehicles and cranes to facilitate the movement of containers.

Consistent with the threat facing other critical infrastructure sectors, cyber threats to the maritime industry come from a wide array of sources. As noted by the GAO, these include:

“Advanced persistent threats—where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives—pose increasing risk. Threat sources include corrupt employees, criminal groups, hackers, and terrorists.”

While the source of the threat may vary, there is no doubt that the desire and willingness to act against the maritime industry is real. Major shipping companies have already begun to suspect that they have been victims of deliberate hacking attacks. Between 2011 and 2013, organized criminals breached the IT system of the port of Antwerp and used that access to facilitate the smuggling of heroin and cocaine.

Government and Industry Response

Numerous governmental agencies in both the EU and U.S. are starting to respond to the cyber threats facing the maritime industry. They have not yet, however, promulgated concrete guiding plans and policies. Instead, the governmental agencies have assumed the role of loudly sounding a clarion call to action and taken a supporting role for industry participants.

Responsibility to actively defend against the risks of a cyber attack and be in a position to effectively respond to an incident rests squarely on the shoulders of individual ship owners, shipping companies, port operators, and others involved in the maritime industry. The failure to assume this responsibility will undoubtedly lead to serious and potentially devastating consequences, including government fines, direct losses, third-party liability, lost customers, and reputational damage that cannot be repaired.

Mitigating the Threat

Companies looking to learn more about the steps they can take to meet the evolving cyber threat head-on should consult with cybersecurity professionals and the available literature. Widely available resources include the Framework for Improving Critical Infrastructure Cybersecurity, issued by the National Institute of Standards and Technology (“NIST”), and the National Infrastructure Protection Plan (“NIPP”), developed by the Department of Homeland Security pursuant to the Homeland Security Act of 2002 and Homeland Security Presidential Directive 7 (“HSPD-7”). These documents, along with numerous others, can assist companies in developing a risk management framework to address cyber threats and in using proven risk management principles to prioritize protection activities within and across sectors.

California Passes New Law Protecting Consumers From Data Breaches

By Jeffrey Rosenthal

In response to high-profile intrusions at Target Corp., Neiman Marcus, Home Depot, Inc. and a host of other retailers, California recently passed new legislation implementing small but significant changes to its privacy laws.

On September 30, 2014, Governor Jerry Brown signed Assembly Bill 1710, authored by Assembly Members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont).  AB 1710 enhances consumer protections by strengthening the requirements businesses must adhere to in the event of a breach.

“Recent breaches emphasized the need for stronger consumer protections and awareness.  The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Dickinson, Chair of the Assembly Banking and Finance Committee.  “AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information.”

Specifically, AB 1710:

  • Requires the source of the breach to offer identity theft prevention and mitigation services at no cost to the affected person for no less than 12 months if a Social Security number or driver’s license number is breached;
  • Prohibits the sale of social security numbers, except when part of a legitimate business transaction; and
  • Provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information.

Earlier versions of AB 1710 placed limits on the amount of payment information a retailer could store in its system; it also mandated more stringent encryption standards.  But a coalition of business groups opposed the bill—claiming the data management rules were “onerous and unneeded,” and that it would be ineffective for protecting customer data.  Although these provisions were ultimately removed, Dickinson told news outlets he intends to pick up the notification issue during the next legislative session.  He will also pursue future legislation to tighten encryption standards in California.

Not surprisingly, such legislation follows closely on the heels of a report released by California Attorney General Kamala Harris in February of 2014.  Titled Cybersecurity in the Golden State, the report details how in 2012 more than 2.5 million California residents were victimized by data breaches—more than half of whom would have been protected had companies implemented stricter encryption procedures when transmitting personal data.

In light of AB 1710, retailers and consumer-facing businesses that “maintain” personal information (even if they do not own or license such data) should familiarize themselves with the parameters of the new law to ensure their data security procedures satisfy the law’s “reasonable security” requirement.

A copy of AB 1710 is available here.  The Attorney General report is available here.

Verizon’s Data Breach Report Reveals The Nine Most Pressing Corporate Security Threats

By Jeffrey Rosenthal

As April comes to a close, it’s time once again for Verizon Enterprise Solutions’ Data Breach Investigations Report to remind us just how important data security is to the corporate world.

Released Wednesday, the report, now in its tenth year, concluded that hackers and cybercriminals have gotten faster at breaching corporate defenses than companies have at detecting attacks—meaning many attacks were already complete before victims could even respond.

Verizon, which received contributions from 50 organizations worldwide, recorded nearly 63,500 “security incidents”—i.e., any attempt to attack a corporate computer system, successful or not—as well as 1,300 confirmed data breaches.  According to Verizon, nine out of ten security incidents in 2013 fell within nine basic categories, as discussed below:

1. Point-Of-Sale Intrusions.

Despite the widespread publicity of the recent Target Corp. breach (in which hackers gained access to the credit card numbers of around 40 million customers), the occurrence of point-of-sale intrusions has actually been trending downward over the last several years, Verizon claims.  But retailers and hotel companies in particular still need to be concerned about this kind of intrusion, as even a single attack can be devastating.

2. Web App Attacks.

Described as the “proverbial punching bag of the Internet,” web application attacks are by far the most common type of breach.  They are accomplished through phishing techniques, malware installation, and correctly guessing security questions; Verizon insists that better protection for Internet-facing applications starts with stronger passwords and two-factor authentication.

3. Insider And Privilege Misuse.

Common examples of insider misuse include employees using forbidden devices/services to send intellectual property to personal accounts, or sending messages while posing as another employee to get that person fired.  Verizon observed that while many of the people committing these crimes are payment chain personnel and end users, C-suite managers were more to blame in prior years.

4. Physical Theft And Loss.

Corporate assets (phones, laptops etc.) are stolen from offices more often than from homes or vehicles.  The primary cause is simple carelessness.  To counter, Verizon suggests companies back up data, encrypt devices and encourage employees to closely guard devices.

5. Miscellaneous Errors.

Sending an email with sensitive information to the wrong recipient is the most common example of unintentional data disclosure.  Other examples include accidentally posting non-public information to a company’s web server, or mailing documents to the wrong physical address.  While some human error is unavoidable, Verizon says data loss prevention software and tighter processes around postings can reduce occurrences.
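The “data loss prevention software” Verizon mentions is, at its core, a content check on the outbound path. The block below is an added example, not code from the Verizon report or from this article, of the minimum such a check does: scan a message for payment card numbers and U.S. Social Security numbers, use the Luhn check so that look-alike digit runs such as order or invoice numbers are not flagged, and choose an action based on whether any recipient is outside the organization’s own mail domain. The internal domain, the recipients and the message bodies are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"  # assumed internal mail domain for this example

# 13 to 19 digits, optionally separated by spaces or hyphens, as people actually type card numbers
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# U.S. SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    kind: str    # "pan" or "ssn"
    masked: str  # all but the last four digits replaced, so the log itself is not a leak


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every issued card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Digit strings that look like card numbers and pass Luhn, separators stripped."""
    pans = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_message(recipients: List[str], body: str) -> Dict:
    """Classify one outbound message; block when sensitive data is headed outside the organization."""
    findings = [Finding("pan", mask(p)) for p in find_pans(body)]
    findings += [Finding("ssn", mask(s.replace("-", ""))) for s in SSN_RE.findall(body)]
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if findings and external:
        action = "block"          # sensitive content plus an outside recipient: hold it and alert
    elif findings:
        action = "allow_and_log"  # stays internal: deliver, but keep an audit record
    else:
        action = "allow"
    return {"action": action, "external": external, "findings": findings}


# Constructed sample traffic: a mistaken send, a Luhn-failing look-alike, and an internal HR note.
SAMPLE_MESSAGES = [
    (["partner@other-company.test"], "Card on file: 4111 1111 1111 1111, please charge the deposit."),
    (["partner@other-company.test"], "Re order 4111 1111 1111 1112, tracking number to follow."),
    (["hr@example.com"], "New hire SSN for payroll: 123-45-6789"),
]


def demo() -> List[str]:
    """Actions for the constructed samples, in order."""
    return [scan_message(rcpts, body)["action"] for rcpts, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (rcpts, body), action in zip(SAMPLE_MESSAGES, demo()):
        print(action, rcpts, body[:40])
```

A production gateway would add attachment parsing and a quarantine queue, but the decision logic stays this shape: detect with a validator that rejects near-misses, then gate on the trust boundary the message is about to cross.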

6. Crimeware.

Crimeware covers malware incidents that do not fall under the espionage or point-of-sale patterns.  Most crimeware arrives when users download malicious files.  But it can also arrive via “drive-by infections,” whereby malware is delivered when a user unknowingly clicks a deceptive pop-up window.  Corporations’ best defense against crimeware is to keep browsers and software fully up to date.

7. Payment Card Skimmers.

This type of attack is mainly directed at ATMs and gas pumps.  Because it requires a skimming device to be physically added to a machine, it’s considered a relatively crude manner of intrusion.  According to Verizon, the most recent development is that, rather than retrieve the skimming device itself, criminals can remotely collect data via wireless means, like Bluetooth.  Although modern ATMs are mostly tamper-resistant, this is still a concern in certain parts of the world.

8. Denial-Of-Service.

Commonly referred to as DDoS attacks, these threats include attacks aimed at compromising the availability of networks and systems in order to shut down corporate, consumer-facing websites.  Primarily directed at the financial, retail and public sectors, potential motives include extortion, protest, or simple amusement.

9. Cyber-Espionage.

Unauthorized network/system access associated with state-affiliated actors tripled from last year.  Espionage also had the widest variety of “threat actions”—meaning once intruders gain access, they are engaging in multiple types of illegal activities.  About 21% of reported incidents originated from Eastern Europe.

While, at first glance, the increasing volume of cyber attacks may seem disheartening, there is a silver-lining here.  Because most attacks tend to follow one of the above nine patterns, companies stand a better chance of resisting intrusions if they take steps to combat the type of attack most common to their industry.  Recognizing your company’s greatest vulnerability and prioritizing the most likely type of cyber attack can mean the difference between preventing the intrusion altogether, or becoming the next Target.

Once again: a little knowledge can be a powerful tool when defending against mounting cyber attacks.

A copy of Verizon’s complete 2014 Data Breach Investigations Report is available here, with the Executive Summary available here.

Heartbleed Adds to Corporate Cybersecurity Heartache

In the wake of several massive point of sale consumer data breaches over the holiday season, companies must now face Heartbleed, a bug that potentially affects 50% of the entire Internet. Blank Rome attorneys, Grant Palmer and Michael Iannucci, have written an article that addresses the Heartbleed bug and suggests a plan of action for companies dealing with cyber threats and data breaches.

You can find the article here.

Target Data Breach Suit By Banks Extends To Security Vendor

By Jeffrey Rosenthal

December 18, 2013, was a dark day for Target Corp.  Publicly outed as the victim of the largest retail data breach in history, Target’s CEO Gregg Steinhafel took pains to assure consumers “they will not be held financially responsible for any credit or debit card fraud.”

But according to a March 10, 2014, putative class action in the District of Minnesota, Case No. 0:14-cv-00643, by Umpqua Bank, Steinhafel’s statement “omits” the fact that “it is the nation’s financial institutions—and not Target—ensuring that this is the case.”  According to Umpqua’s complaint, financial institutions are the ones incurring the real costs associated with protecting customer accounts.  This includes providing notice to consumers, reissuing payment cards and refunding fraudulent charges.  The cost of card replacement alone is estimated to ultimately rest around $200 million.

Since then, two more banks, Trustmark National Bank and Green Bank, N.A., have launched a similar class action against the retail giant in the Northern District of Illinois, Case No. 1:14-cv-02069, for its failure to maintain adequate data security protocols—despite suffering two nearly identical breaches in the years preceding this one.   While largely similar, the Trustmark suit, filed March 24, 2014, departs from the aforementioned Umpqua suit in that it also seeks to hold security company Trustwave Holdings, Inc. liable as well.

“Trustwave failed to live up to its promises, or to meet industry standards,” the Trustmark complaint alleged.  It goes on to claim the vendor’s failure to timely discover and/or report the breach to Target (or the public) further drove up costs.  “The damage done to the banks and other class members is monumental,” the suit asserts.  The alleged cost to banks/retailers could eventually exceed $18 billion.

In a striking turn of events, Trustwave publicly denied having done any cyberthreat mitigation work for Target on March 29, 2014.  This denial came one day after the New York-based Trustmark National Bank filed a notice of voluntary dismissal without prejudice in the proposed class action.  The notice did state, however, that Texas-based Green Bank, N.A. would nevertheless continue with the suit.

When a company suffers a data breach—and especially one as large as Target’s—it is eminently clear that an entire gamut of persons/entities may ultimately be affected.  While the details of the Trustmark action appear largely unsettled, the fact that information security vendors are now being included in class actions is indicative of the expanding legal fallout associated with such data breaches.

The Umpqua Bank and Trustmark National Bank complaint(s):

Impact Of Data Disaster

disaster-recovery-infographic

Source: SingleHop

By Jeffrey Rosenthal

SingleHop, a leading global provider of hosted IT infrastructure and Cloud computing, created a cybersecurity infographic on what can happen to a business that experiences data loss.  Of note, SingleHop reports that 93% of businesses that lose their data center for ten (10) days go bankrupt within one year; 43% of businesses that experience a disaster never reopen; and only 6% of those without a disaster recovery plan survive long-term.  What makes such findings particularly troubling is the connection between data loss and an inability to continue operations—which reinforces just how vital it is for companies of all sizes to take appropriate measures to protect their data.  Indeed, nothing short of a company’s continued existence may be on the line when a data loss occurs.

Click here to view the infographic.

For more information on SingleHop, please visit: http://www.singlehop.com/cloud-hosting/

Can Commercial Airliners be Hijacked by a Cyber Attack?

By Steven Caponi

Historically, the causes of airplanes being lost have been limited to operator error, massive mechanical failure, weather, and terrorist acts. Technological advances, however, now require that we add to the list the potential for a cyber attack. This is not rank speculation, a conspiracy theory, or cyber hysteria. Rather, the potential for disabling a commercial aircraft using a cyber attack, while remote, is a fact well understood by both the Federal Aviation Administration (“FAA”) and the aviation industry. As the operation of planes—like everything else in society from cars to blenders—becomes more dependent on software and interconnectivity, the concept of a cyber attack on a commercial airplane should not be dismissed out of hand.

Why consider a cyber attack? 

Start with the guidance offered by aviation and military defense experts. Last year, the North Atlantic Treaty Organization (“NATO”), the military organization whose essential purpose is to safeguard the freedom and security of most Western countries, held a meeting in Istanbul with senior executives from five international defense contractors to consider “[w]hat will be the biggest threats in the next 10 years?” Participants included aviation heavyweights Jeff Kohler, V.P. of International Business Development for Boeing, Steve Williams, President of Continental Europe for Lockheed Martin, and David Perry, Corporate V.P. for Northrop Grumman. This illustrious group concluded that, in light of the computerization of important systems and the trend toward interconnectivity, the most significant threat was the potential for cyber attacks—in particular, attacks involving military/commercial/passenger aircraft.

Addressing the very topic of this article, Mr. Kohler acknowledged his company is “very concerned” about threats to software systems operating modern aircraft and the need for cyber protection. He then made two observations that, in light of current events, come across as ominous:

From our commercial aircraft side we’re very concerned about it. As commercial aeroplanes become more and more digital and electronic, we have actually started to put cyber protection into the software of our aeroplanes.

If they enter an airport environment, they are starting to exchange information and so we have to be able to protect the aircraft’s software itself, so there’s a lot of issues coming down the road just on cyber alone.

Driving home the point, Martin Hill, V.P. of Defence, EU, and NATO affairs for electronic systems company Thales, added: “Every single item that we have depends on cyber” and “[a]ll of our critical infrastructure is controlled by some sort of network. This has to be the area where we’re going to face problems and where we’ve got to spend a fortune.”

Mr. Kohler’s concerns are not surprising when one considers that in 2012, two Cambridge researchers announced they had discovered a “back door” in a computer chip used in military systems and some newer passenger aircraft, which could allow the chip to be taken over via the Internet. A subsequent report by U.S. authorities found that networks in the cabins of the affected aircraft, designed to give passengers Internet access, could be used to reach the aircraft’s control, navigation, and communication systems. For its part, Boeing indicated this security concern had been addressed before the official report was issued. In 2011, the threat of cyber terrorism was also the focus of the International Air Transport Association (“IATA”), which directed airlines to “remain on their guard” because cyber attacks pose “especially serious challenges for airlines that will be taking delivery of the new generation of aircraft.”

In addition to the observations discussed at the NATO Review in Istanbul and IATA guidance, on November 18, 2013, the FAA issued a “special condition” pertaining to  Boeing Model 777-200, -300, and -300ER series airplanes. The FAA action addressed modifications that enabled connections between systems accessible by passengers (in-flight entertainment networks) to previously isolated data networks/systems that perform the functions required for the safe operation of the airplane. The FAA noted that the modifications:

… may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance.

The potential to use in-flight entertainment systems to reach previously isolated core systems was troubling because the airplanes at issue have fly-by-wire controls, software-configurable avionics, and fiber-optic avionics networks.

To address the vulnerabilities caused by the in-flight entertainment systems, the FAA required Boeing to ensure that:

… the design provides isolation from, or airplane electronic system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.

and

… appropriate procedures [be established] to enable the operator to ensure that continued airworthiness of the aircraft is maintained, including all post STC modifications that may have an impact on the approved electronic system security safeguards.

Note that these requirements apply only to the Boeing Model 777-200, -300, and -300ER series airplanes.
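The isolation the FAA demands is a segmentation property, and the failure mode worth auditing for is rarely a rule that openly permits passenger traffic into avionics; it is a chain of individually reasonable rules that together do. The block below is an added example, not code from the FAA, Boeing or this article. It models permitted flows between the three domains of the ARINC 811 aircraft network model (the domain names are an assumption; the special condition names none), uses a rule set constructed for the example, and checks reachability transitively rather than rule by rule.

```python
from collections import deque
from typing import Dict, List, Optional

# Domain names follow the ARINC 811 model (an assumption; the FAA text names no domains).
PIESD = "PIESD"  # Passenger Information and Entertainment Services: IFE, cabin Wi-Fi
AISD = "AISD"    # Airline Information Services: crew and maintenance applications
ACD = "ACD"      # Aircraft Control Domain: avionics required for safe flight

# Constructed rule set for illustration. Each entry is one permitted flow; anything not
# listed is denied. Note that no single rule lets passenger traffic into the control domain.
RULES = [
    {"name": "acd-health-out",   "src": ACD,   "dst": AISD,  "note": "engine/health data to airline apps"},
    {"name": "aisd-flight-info", "src": AISD,  "dst": PIESD, "note": "moving-map data to the IFE"},
    {"name": "pax-crew-portal",  "src": PIESD, "dst": AISD,  "note": "cabin portal reaches a crew app server"},
    {"name": "aisd-maint-load",  "src": AISD,  "dst": ACD,   "note": "maintenance software loads to avionics"},
]


def direct_violations(rules: List[dict], untrusted=(PIESD,), protected=(ACD,)) -> List[str]:
    """The naive check: rules whose source is untrusted and whose destination is protected."""
    return [r["name"] for r in rules if r["src"] in untrusted and r["dst"] in protected]


def find_path(rules: List[dict], src: str, dst: str) -> Optional[List[str]]:
    """Breadth-first search over permitted flows; returns the rule names forming a path, or None."""
    graph: Dict[str, List[dict]] = {}
    for r in rules:
        graph.setdefault(r["src"], []).append(r)
    queue = deque([(src, [])])
    seen = {src}
    while queue:
        node, path = queue.popleft()
        if node == dst:
            return path
        for r in graph.get(node, []):
            if r["dst"] not in seen:
                seen.add(r["dst"])
                queue.append((r["dst"], path + [r["name"]]))
    return None


def audit(rules: List[dict], untrusted=(PIESD,), protected=(ACD,)) -> List[dict]:
    """Every untrusted->protected path the rule set permits, directly or through other domains."""
    violations = []
    for u in untrusted:
        for p in protected:
            path = find_path(rules, u, p)
            if path is not None:
                violations.append({"from": u, "to": p, "via": path})
    return violations


def without_rule(rules: List[dict], name: str) -> List[dict]:
    """Candidate remediation: the same rule set with one flow removed."""
    return [r for r in rules if r["name"] != name]


if __name__ == "__main__":
    print("direct:", direct_violations(RULES))   # [] : the naive check is satisfied
    print("transitive:", audit(RULES))           # passenger -> crew portal -> avionics
    print("fixed:", audit(without_rule(RULES, "pax-crew-portal")))
```

The direct check passes while the transitive one fails, which is why a review of an aircraft (or any segmented) network has to reason about paths, not rules. Either of the two hops can be cut; removing the passenger-to-crew flow is the cleaner fix because it also removes the foothold from which the maintenance path would be abused.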

Unfortunately, as evidenced by the NATO Review and FAA action, when considering the cause of future plane crashes, cyber attacks will now be listed right alongside weather, mechanical failures, and human error. This means that the manufacturers and regulatory bodies responsible for the safety of air transportation must seriously focus on the potential for a cyber-hijacking and take all possible steps to prevent such a tragedy.

Dell Releases Significant Report on International Security Trends and Attitudes

By Steven Caponi

Last month, the computer giant Dell released a report entitled “Protecting the Organization Against the Unknown: A New Generation of Threats.” The report, which is well worth a few minutes to read, was authored by the independent technology market research firm Vanson Bourne. Dell commissioned the report to examine how organizations are preventing security breaches as well as the degree to which IT security will be a priority over the next twelve months. The report analyzes the impact security breaches have had on various organizations and how organizations are protecting themselves from potential vulnerabilities associated with the adoption of BYOD, cloud, and increased Internet usage.

What makes this report particularly interesting is the breadth of survey participants, both numerically and geographically. The report reflects the results of 1,440 IT decision-makers from private sector organizations with 500 or more employees, as well as from public organizations with 500 or more end users. The interviewees were located in ten countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, India, Austria, and China. The survey topics included: IT Security in Organizations; Current Policies and Strategies; Responding to Security Threats; and Understanding the Threat.

Highlights from the report include:

  • Enterprises are spending an average of 17 percent of their IT budget on IT security. This focus on security is set to increase in the near future, as 86 percent of IT decision-makers surveyed report that their organizations will be prioritizing security over the next twelve months.
  • During the past year, security breaches cost respondent organizations an average of almost $1 million each.
  • Unsurprisingly, organizations are more likely to prioritize and commit resources to prevent breaches after they become a victim.
  • Appreciating the nature of the threat, 64 percent of the respondents were resigned to the fact that it is not a matter of if they will be breached, but when.
  • While 91 percent of those surveyed were hosting in the cloud and 93 percent adopted BYOD policies, only 46 percent implemented cloud security and 44 percent adopted policies for BYOD security.
  • 53 percent of survey participants see the government as an important partner in helping achieve operational security.

Click here for a copy of the full report.

The EC-Council Website Hacked; Hacker Posts Snowden’s Passport

By Elizabeth Sloan

EC-Council has been hacked, and its hacker isn’t keeping silent.  The hacker claims to have obtained copies of passports of law enforcement and military officials who signed up for the organization’s courses, a release that could affect up to 80,000 individuals.

EC-Council is a company that provides IT and security training and certification programs.  The organization has been controversial in that it provides courses and certifications for “ethical hacking.”   Notably, the US Department of Defense recognizes the EC-Council “Certified Ethical Hacker” certification as one of the approved credentials for its Computer Network Defense Service Providers.  The organization claims to have trained between 60,000 and 80,000 individuals, including members of organizations ranging from the FBI to IBM to the United Nations.

The hacker calls himself “Eugene Belford” – a throwback to the movie “Hackers”.  This past weekend, he defaced the EC’s website with documentation that Edward Snowden was trained by this company, posting Snowden’s passport on the website.   The hacker claims to also have all the passports and other personal information of those individuals certified by the EC, including law enforcement and military.

The hacker later posted on the defaced page the following:

“Defaced again? Yep, good job reusing your passwords morons jack67834#
owned by certified unethical software security professional
Obligatory link: http://attrition.org/errata/charlatan/ec-council/

-Eugene Belford

P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials”

The EC’s website is still currently unavailable, and the EC has yet to comment on the cyberattack.

NIST Releases Final Framework For Improving Critical Infrastructure Cybersecurity

By Steven Caponi

The White House released today the long-awaited voluntary guidelines intended to encourage companies operating in critical infrastructure sectors to adopt policies to better protect themselves from cyber attacks.  The standards were developed through a collaborative process involving the National Institute of Standards and Technology (“NIST”) and critical infrastructure companies such as those involved with energy, transportation, communication, and banking.

The guidelines are formally known as the “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”).  In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary, risk-based Cybersecurity Framework—i.e., a set of standards, guidelines, and practices to help organizations manage cyber risks. The resulting Framework announced today is intended to carry-out the objectives of the Executive Order by providing a common language to address and manage cyber risk in a cost-effective way without placing additional regulatory requirements on businesses.  The ultimate goal is to provide companies overseeing the nation’s crucial infrastructure with a blueprint for identifying potential threats, protecting themselves from cyber attacks, and quickly recovering if an attack occurs.

In a statement, Obama warned that cyber threats “pose one of the greatest national security dangers that the United States faces,” echoing the recent judgment of major U.S. intelligence agencies.  “While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said. “America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable Internet.”

The Framework does not mandate specific security controls, but is instead intended to provide guidance for detecting and responding to attacks, mitigating the fallout from cyber incidents, and managing overall cyber risk.  A key objective of the Framework is to provide a common language and mechanism for organizations to:

  • Describe their current cybersecurity postures
  • Describe their target states for cybersecurity
  • Identify/prioritize opportunities for improved risk management
  • Assess progress toward a target state
  • Foster communication among internal and external stakeholders

Department of Homeland Security (“DHS”) chief Jeh Johnson also announced on Wednesday that the DHS was starting a program to help companies implement the Framework.  The government is not, however, providing any tax breaks or other incentives to encourage adoption of the Framework.  The White House is instead going to rely on companies having a sense of self-preservation, as well as a strong desire to avoid being victimized by a cyber attack and having to manage the lawsuits that will surely follow.

For a more comprehensive discussion of the NIST Framework and its anticipated impact on companies that are both inside and outside of critical infrastructure sectors, please read this recent article.