Cyber and Risk Disclosure on The Last Day Of The Year

Season's greetings, dear readers. On the last day of 2017, please enjoy some thoughts on cyber and risk.

As cyber, risk and information security is such a varied and diverse landscape of experience, it is so important to listen, so as to encourage a candid exchange of ideas.

That being said, one observation, that I have observed at least twice, I feel is not evidenced by existing data: "Cyber risk disclosures always take place in hindsight".

First, let's see if we can agree that risk as a general concept is exposure to vulnerability, harm or loss.  There is a moment, then, when exposure to a vulnerability goes from being a possibility to an actuality. Thus, when disclosing an event that has become an actuality ("yes, we have been exposed to this risk"), indeed, hindsight is involved. When disclosing an event of which there is a possibility of exposure to a risk, is that hindsight? Does it depend on how possible?  This could be a relevant distinction with regard to the issue of  how to approach materiality, i.e. the several hundred million dollar question: Was the risk material?

Second, let's talk about forseeability, a favorite concept of tort professors (and tortfeasors) everywhere. Let's use a simple definition: "the idea that a reasonable person could reasonably anticipate the result or the results, as predictable."

Alas, now that foreseeability has entered our last-day-of-the-year conversation, it's time to mention something else heard a few times: "We as attorneys went to school to practice law, and not to become experts on cybersecurity." My response to this is that yes, that is true; most of us intended to study law, and were not necessarily focused on any other particular area outside of law, BUT, the market will address this position, and by that I mean, of course, the clients will look for and find attorneys with a more expansive view. 

So now let's put risk and foreseeability together: 
Surfing the internet involves risk, when software runs, there is a risk it will be/has been exploited. Thus, every moment online involves risk. Every IOT device involves risk. Flash involves a GREAT DEAL of risk. When engaged in or using the previously mentioned activities or products, it's foreseeable that some types of harm will occur, and there is an entire ecosystem of services and products in existence to address some of these risks.

There are some attorneys who have indicated that the risk involved in the packaging on your clients' product being punctured is commensurate with cyber risk, which one can take to mean some attorneys believe cyber risk only involves the risk of the client's end product or service being contaminated. But cyber is more than a supply chain issue.  It is a pervasive and persistent hazard that will not be adequately addressed if it is conceived as a supply chain issue only.

Now is a good time to go back to the statement: "Cyber risk disclosures always take place in hindsight". If you think about how what we are discussing here is more than a supply chain risk, that it is an issue that involves a pervasive and persistent hazard,  it may help some law practitioners to move beyond that statement, and we need to move beyond that idea or there will be more blackouts, more out-of-order hospitals,  and losses generally.

But it doesn't have to be that way... okay, back to listening. 

See you next year.

MCC

Closing Out The Year

Hello readers. I wanted to take a moment to address the issue of "Closing out the Year." I don't mean this in the business sense, I mean this in the personal sense.
In order to give some context about my frame of mind as I draft this, please allow me to share that I am lounging, in fuzzy pajamas, sipping coffee, and that is pretty much all I plan to do today. In DC today, Carpenter is on the docket; elsewhere in the world, trials are being delayed, slaves are being sold, provocateurs are provoking, and all of that is worthy of the attention it is receiving, and perhaps even more, but I will be content if I can publish this blog post today.

So what does that mean, to close out the year? You may recall from a previous blog post the notion of "taking some time to contemplate, aiming for an improved perspective, while observing the cycle of life." I try to do this at least once a year. The last twelve months have forced my hand a bit on the issue of personal reckonings, so it is even more important to take this time to scan the horizon and look at the big picture. Be wary of tunnel vision.

One helpful item with respect to closing out the year is to reiterate one's tautologies, if one has any. You can go ahead and make a list of these if you think it will help.

Two: Consider what has changed, and how it affects your plans for the coming year. It's good to set some time to specifically consider which of your life's conditions has changed in the last 365 or so days, almost as if it was an administrative task.

Three: Consider the people in your life. There are some things we can control, and there are some over which we have no control. Many wise people have observed that an important process in life is to learn to tell the difference between the two. I would add that once this is done, take a look at the parties with whom you find yourself surrounded and consider whether they continue to merit a place in your life. Who can you help? Who must you learn to forget?

Four: Consider your surroundings. Do you like where you find yourself? I seriously love New York, as you may already know, however, relocating can be a great thing, for example, for one's career. Spending the months that are typically cold in New York City, in a milder place such as Las Vegas, or France or something along those lines is what seems to have worked best for me. It can be a lot of work to maintain a residence you don't see that often, so remember that the goal is comfort, not exhaustion. Whatever your preference, as you consider 1-3 above, (especially three) consider such within the context of four. If you have had to make hard decisions in life I'm sure you already know that you can think someone is groovy, but if they do not share your ideas about surroundings, it is best to not over-invest in that relationship, because you are not going in the same direction.

Five: Execution. What will you do in the next 365 days to make this vision of your life and who you are, into a reality? What can you refrain from doing?

My best wishes to you as you close out the year,
Martha

Let Us Give Thanks 🦃

It's been a while since one of these blog posts addressed a favorite American pastime, cooking. As a way of saying "Thank You" to everyone who shares their cooking tips online, and as a way of getting ready for Thanksgiving, please read on for information on a technique that has the potential to make chicken or meatballs fluffier.

Half dollar sized chicken meatballs can work well as an appetizer. Lamb meatballs as well as pork and red meat meatballs also can work well in this size. Yum. Paired with a dipping sauce that is complementary to the entree, sharing these tiny savory treats is a great way to get guests relaxed and mingling around the dining room.

To prepare, assemble the meatball ingredients, including breadcrumbs, to your liking. The more breadcrumbs, the less dense the meatballs will be when they are cooked, and less dense is good for an appetizer. (Notwithstanding edamame, which makes a great appetizer; there are probably lots of other great dense appetizers...)  Now take some olive oil and warm it in a sauce pan. Once the oil is warm, add the warmed oil to the reserved breadcrumbs. The bread crumbs will immediately absorb the warm oil. Then add the bread crumbs to the meat mixture, or if you are reading this aghast at the use of ground meat, please feel free to try this with ground chick peas and share your results. You can preheat the oven around the time you start apportioning the meat mixture.

Chicken Meatballs Appetizer:

Ground chicken meat, 1 lb.
salt, thyme and rosemary to taste
1/4 cup milk
2 eggs beaten
1/2 cup olive oil
3/4 cup bread crumbs

Mix all ingredients, except for the breadcrumbs and the olive oil, together. The breadcrumbs should be in a separate ceramic or other heat-safe bowl somewhere. Warm the olive oil over low to medium heat in a saucepan. When the viscosity of the oil begins to change, the oil is warm enough. Take it off the heat and pour the oil over the breadcrumbs; use a fork to combine well. Let breadcrumbs sit for about a minute and then add to the ground meat mixture; combine well. Use an ice cream scoop or other spoon to apportion the meat mixture and roll into spheres that are about the diameter of a half-dollar.
Place in an oven-safe tray that is large enough to fit all of the meatballs without them touching and bake for about seventeen minutes at 450 degrees.

The dipping sauce: Remember earlier in the blog post where it states this recipe is best used for appetizers? Well think about what your main entree is going to be. If it involves roasting or sautéeing anything, make a simple roux and add some of the pan drippings from the roast, or from the sautée to the roux to create a complimentary dipping sauce for the appetizer. If you're fresh out of ideas, or if you are attending a pot luck and have no idea what the main course will be, try one of these ideas for a dipping sauce. 

Thank you for reading and Happy Thanksgiving. 🦃 

Notes From CLE with Preet Bharara & Co. in September

At CUNY law for continuing legal ed:

The first speaker is former political candidate and professor of law, Zephyr Teachout. Arguing for some type of strict liability standard in corruption matters, she observes that we are unaware when we are influenced. 

Is there something inherent in policing that leads to corruption? This question was posed by the panelist from Sidley Austin. Later he references Caperton.

There is an interesting comment, within the context of public corruption, about the existence of an anonymous website for self-reporting ( http://ipaidabribe.com/ ). The anonymity of it raised an eyebrow from me, especially as was thinking recently about ■■, and a pseudonymous Twitter account. Had been thinking about how I personally was surprised that ■■ was being pseudonymous online (if it is, in fact ■■■) because it seemed like an abdication of leadership to me. Those of us who have the authority and the education and the skill set need to consider the value of coming forward and setting an example of what is appropriate and legal and what is not, especially for the benefit of those who are not so sure. However if ■■ and I disagree then, clearly, reasonable minds may differ on this issue. 

Nevertheless, what can reliably be determined about a data set that is self-reported and can't be verified/authenticated?  Am briefly reminded about that legal case regarding anonymous Yelp comments, it could be anyone- thus intent may be at issue. 

(Note: the above paragraph takes on a renewed level of significance after last week's #MeToo tsunami, so here is a link to "A cryptographic solution to securely aggregate allegations could make it easier to come forward" h/t Legal Hackers ) 

It is marvelous to be in a classroom again, and to catch up with the dean and my constitutional law professor.

Now we are having a break and Preet Bharara should be here soon... We shall see what will happen.. ( I think he has arrived because some of the panelists excitedly headed backstage)...

Preet! So far 7 people have silently gotten up with posters to protest something, something about the Bronx, the protestors seem to see him as a proxy for law enforcement generally. 

Will be thinking about tonight for some time...

Sent from my iPad

(Somewhat redacted to shield those who may prefer to stay anonymous  -MCC) 

September 2017

A couple of weeks ago, I decided I needed a break from my everyday life. Normally, for me, when I feel like this, I get on a plane and explore some new far-away place. But for the past year, since around October of 2016, my own health had been a bit spotty, and I had taken a break from extensive travel. I will hopefully be well enough to go back to my usual ways around January 2018, and am really looking forward to that, but in the meantime, I recently took a staycation.

My friend Gary died this week (I drafted this Saturday), on September 13th.

We first met around 1995 at college. He was the immediate past executive editor of a campus newspaper where I eventually became business manager. His role at the paper meant that my initial sense of him was that he was the boss. Some of those college adventures were experiences that inspired part of a novel I once wrote (novel, not memoir- it is a novel written in memoir style). As our respective lives unfolded, we stayed in touch, and when he got married, his wife and I connected, which cemented our ongoing friendship--22 years of friendship at the time of his passing.

Gary touched many lives, in various ways. Right now I am trying to distill what I learned from him, as I consider my own life during this staycation:

Gary’s immeasurable kindness was subtle; he shared friendship and support, all the while being unobtrusive and non-invasive. He enjoyed making pies and sharing recipes, peppering dinner conversations with vocal impressions from literature and Monty Python jokes. He had strong opinions on what kind of beer should go with chili, sometimes commenting with such conviction, like it was the most important thing *ever*-- which I found calming.

Sometimes we debated ICANN policy, or traded perspectives on data retention. Mostly we talked about cats.

I can’t believe he’s gone.

It’s relevant for me that he passed near Rosh Hashanah. I took my staycation to conclude around then, a symbolic decision about taking some time to contemplate, aiming for an improved perspective, while observing the cycle of life.

I will take his example of prudent, quiet support into the next year, and beyond.

Thank you, Gary.

-MCC

Eclipse Watchers at WTC

Canada 150: 1867-2017

-MCC

In Memoriam

Dr. Harbottle, who made significant contributions to the art and science of authentication, passed away last November, on the Friday before the presidential election. I learned of his passing last night. Dr. Harbottle was one of my mentors, and over the years he gave me (and many others I presume) quite a lot to think about.
Here is a link to his obituary: http://www.legacy.com/obituaries/newsday/obituary.aspx?pid=182396556

 Thank you, Dr. Harbottle -MCC

High Emotion Words

This week #phishing was in the headlines again as we learned over one million Gmail users had received a fraudulent Google docs sharing request: https://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/ .

While #InfoSec professionals generally agree that employee training is one way to raise awareness of this type of attack, there is still a lot of room to learn with regard to phishing education best practices, with one EU based study asserting: “There is a lack of empirical data on the consequences of using deception in organizational phishing studies.”(https://ethicalencountershci.files.wordpress.com/2016/03/chi2016_workshop_ethicalphishing_cameraready_final.pdf )

We know that email users are sometimes tempted by the lure of easy money, as in the now ubiquitous “I’m a prince & I won the lottery!” type scams. Others may have their cognitive judgment impaired by the use of emotionally loaded words. Here is a link to a list of words that are considered to be emotionally persuasive: http://www.thepersuasionrevolution.com/380-high-emotion-persuasive-words/

Some legal professionals focus on bringing or defending suits for pecuniary losses associated with, for example, identity theft that sometimes follows from a data breach, or on complying with data protection regulations generally. There is implicit in these types of legal actions some type of culpability on the part of the hacked entity (“failure to exercise reasonable care in protecting… information”).

However, phishers often use well-known brand names without authorization. The perpetrator of the latest news grabbing phishing attack is unlikely to have a licensing agreement with the brand they are purporting to be. Phishing attacks, thus may also, at least tangentially, be diminishing the value of said brands with no fault at all attributable to the damaged brand.

What do you think is the best way to address a method of redress for the copyright and trademark holders who are harmed when the value of a global brand is affected by a criminal phishing spree?