What’s all this talk about digital transformation?

Digital transformation: Some organizations see it as a scary idea, wreaking revolutionary, unsettling changes. Others are curious — just what does this buzzword mean and what are we transforming into? Regardless of your viewpoint, your enterprise seriously needs to understand and chart its course to becoming a digital ninja. Like it or not, your success depends on how quickly your organization captures, absorbs and uses digital information. Read moretwitter_digitaltransformation.png

 

North Korean WannaCry Ignites Government-Industry Collective Defense

 

North-korea-wannacry-hacking-attack-805227

In a Monday Wall Street Journal op-ed Thomas P. Bossert, Trump’s homeland security adviser, declared “[t]he [WannaCry] attack was widespread and cost billions, and North Korea is directly responsible.” The findings are based on evidence says Bossert, and he is backed up by UK and Microsoft.

A Washington Post Bossert quote ratchets up the call for closer government-industry cyberdefenses. “[S]ome say that defending cyberspace is impossible and that hackers are inevitable. I disagree. . . . Government and industry must work together, now more than ever, if we are serious.”

Today, US and UK officials suggested it was highly likely the Lazarus Group was backed by the North Korean government. Facebook deleted accounts associated with Lazarus last week “to make it harder for them to conduct their activities,” reports The Guardian,  Facebook announced it acted with Microsoft “and other members of the security community” to disrupt the group’s activities.

A few hours ago Axious reports that the Department of Homeland Security (DHS) plans on intervening in U.S. company cybersecurity issues when necessary.

“The Department of Homeland Security is now calling on all companies to commit to U.S. collective defense, per Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at DHS. But Bossert wouldn’t go so far as to say that an attack on a U.S. company constitutes an attack on the country.

DHS plans to move beyond offering voluntary assistance on cybersecurity issues and instead plans on intervening directly when necessary, per Manfra.”

Watch for much closer public-private actions to combat state-actor cyberattacks. 

Public Sector Brings New Cybersecurity Tech to Market

Hacker image
Here’s follow-up on a recent blog on emerging public and private sector roles in protecting against state-actor corporate cyberattacks.

Did you hear about the Department of Homeland Security Science and Technology Directorate’s commercialization of another Transition to Practice program technology?

The new industrial control systems cybersecurity solution — called SerialTap — passively taps serial-line communication data for use with enterprise cybersecurity incident and event management systems to improve situational awareness during an event. SerialTap integrates with legacy IT enterprise security solutions and industrial control systems used by critical infrastructure sectors.

The SerialTap announcement came during Critical Infrastructure Security and Resilience Month, which aimed at building awareness of the importance of critical infrastructure, and reaffirming “the nationwide commitment to keep our critical infrastructure and our communities safe and secure.”

Good to see the public sector sharing new technology to improve cybersecurity incident response.

#writmarketing

Whose Job is it to Protect Corporate Data Stores from State Actor Cyberattacks?

6-cybersecurity-730x260

It’s hard not to notice, that constant breach of data under corporate care has become our new normal. Headlines seem almost redundant — another data breach revealed, some very tardy.  In this barrage of breach announcements, we hear more about state-actors originating cyberattacks on corporate data stores. So, whose job is it to protect against foreign state attacks on corporate data stores?

“As we all have witnessed: no company, individual or even government agency is immune from these [cyber] threats.” So said Marisa Mayer, former Yahoo CEO, during her November Senate testimony on the Yahoo breach. Despite years of heading off may cyberintrusions and leveraging white hackers to test their defenses, Mayer says Yahoo still does not know exactly how “Russian agents intruded on our systems and stole our users’ data.”

Last year, North Korean hackers almost succeeded in stealing $1 billion from the New York Federal Reserve, after hacking into the Bangladesh Central Bank. The misspelling of “foundation” as “fandation” is the only thing that stopped the heist.  Let’s not forget,  Pyongyang Sony Pictures hack to stop release of an unflattering movie.

In 2011, North Korea’s leader Kim Jong-un started investing beyond cyberattack prowess for warfare, with a new focus on training hackers for theft, harassment and political-score settling. Researchers believe that 1/5th of Pyonyang cyberattacks originate from their hackers stationed in India, while other attacks are routed through Malaysia, Nepal, New Zealand and other countries.

“Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised,” said Senator Nelson during the Yahoo hearing. The Senate committee chairman, added that the patchwork of state regulations on breach notifications must be replaced with a federal law.

On another front, the SEC plans to update its cybersecurity guidance for publicly traded companies, after the Equifax fiasco. Equifax discovered the attack in July but waited until September to inform shareholders. During that window, Equifax executives sold company stock. A company investigation exonerated them. A senior SEC regulator wants  faster cyber intrusion notices to investors, and revision of post-breach insider trading policies.

Is federal cyber-regulation of the private sector the answer?

In a Friday the 13th London speech, DOJ’s Rod Rosenstein said law enforcement’s  goal is to disrupt and deter future attacks, and punish cybercriminals. The Deputy Attorney General observed that “foreign criminals regularly break into systems to steal ideas that make our nation strong and competitive in the global marketplace.” Rosenstein recommends corporations immediately tell law enforcement when they discover a breach, in part so the company can gain access to sophisticated government tools.

What is law enforcement doing to head off these attacks before they happen?
Is Homeland Security doing enough to help corporations protect data from cyberattacks?

Ransomware attacks sure got corporate security folks’ attention this summer. WannaCry and NotPetya wreaked havoc on companies from FedEx to Merck.

SC Magazine places heaps of blame on the National Security Agency (NSA) for the  these  attacks. The NSA originally discovered the Microsoft security vulnerabilities, didn’t tell anyone and let their own hacking tools for the flaws get stolen by cybercriminals.

If the NSA can be hacked, how can corporations fend off nation-state and sophisticated hackers?

Then there’s the ultimate economic cyberattack —  where a nation-state aims to shut down the power supply or scramble bank records with a cyberattack. The NotPetya  attack gripped Ukraine’s power grid this summer. Ukraine claims Russia was behind this cyberwarfare.

Wired reports that the NotPetya October follow-on, “Black Rabbit attack” — locked hundreds of machines and hampered critical infrastructure in Russia, Ukraine, Germany and Turkey — may raise doubts about Russian involvement in NotPetya. Though one of the cybersecurity firms commenting on the situation is under F.B.I. investigation for links to  Russian intelligence.

Is this a spy novel or what?

These massive destructive attacks on critical infrastructure and data manipulation worry the head of the US National Security Agency (NSA), Admiral Michael Rogers. Let’s remember that a vast swath of US critical infrastructure is run by the private sector.

How will we protect corporate data stores from nation-state and rogue cyberwarfare, let alone run-of-the-mill profit-seeking hackers?

Isn’t the private sector’s job commerce and innovation? Yet in the digital economy, corporations must also be extremely sophisticated data security companies. After all, they leverage our personal data for profit, right?

The European Union’s  GDPR is about to usher in massive corporate liability for data privacy.  Though “cybersecurity,” a major data breach threat, is not mentioned in the regulation.

Does the government need to take a wider role in combating state-actor cyber attacks on corporate data? What new public-private models are needed to protect corporate data stores? Whose job is it to protect against state-actor cyberattacks on the private sector?

Food for thought.

 

Breaking News – Supreme Court to Rule on Microsoft EU Emails

A significant battle between Microsoft and law enforcement has made its way to the US Supreme Court. The DC Court of Appeals struck down lower courts’ decisions that Microsoft must give US law enforcement client emails  stored in Ireland in a drug trafficking case. The  upcoming Supreme Court ruling on this case will have far-reaching impact in our digital economy where data crisscrosses the global internet, coming to rest on a server in a particular country.

global internet

How far do US laws extend to data stored in foreign countries?

If Microsoft is forced to hand over the emails from their Ireland data center, how will EU data protection authorities react?  Especially, given that the General Data Protection Regulations, an overhaul of EU data privacy laws, massive financial penalties for non-compliance take effect in May 2018.

If Microsoft does not have to hand over the emails, will criminals hide their communications and data overseas so US law enforcement cannot access it?

Be sure to follow this case and watch for the Supreme Court ruling.

How are Law Firms using Artificial Intelligence Today?

Starwars DroidThis year at ILTACon 2017 my radar was searching for an update on what is really happening with legal AI in law firms. Are law firms getting beyond the hype and using AI? What specific use cases are catching on? How does AI impact lawyers and staff? Here’s what I found out.

The Nitty Gritty On AI For Matter Budgeting And AFAs

Law firms have learned that AI tools are very good at finding key issues in billing narratives to support AFAs and budgeting, for one. This law firm use case was highlighted again and again in ITLA sessions.

read the rest of my blog in ABA Law Technology Today.

 

Data Protection is Everybody’s Job

Data protection is everybody’s job today. With the perfect storm of  a doubling of data every two years, juicy dark web profits for stolen personal info and crushing data breach business impacts, organizations simply have to build data protection values into the company’s culture.  Read this blog for practical tips on how to do this in your organization.

 

Groundbreaking Cybersecurity Regulation Kicks in Today for New York Financial Institutions

It’s the first of it’s kind, but  surely not the last. The groundbreaking New York Department of Financial Services cybersecurity regulation takes effect today, August 28, 2017.  All financial services organizations operating in New York must be in compliance, along with their law firms and accountants. This regulation is likely the forerunner of more state cybersecurity regulations, especially after the summer of WannaCry and Not Petya. Learn more about the regulation in  a blog I wrote, published by the information governance leader Iron Mountain.

Information Governance Refresh Checklist

Summer time can be the perfect time to refresh your information governance road map. Goaded by the explosive growth of digital content, devices and cloud storage, smart organizations are morphing traditional records management towards a more holistic information governance (IG) road map, accounting for digital information, security, compliance and information assets life cycles. The latest go-to road map for navigating this jagged journey — the Cohasset Associates and ARMA International Information Governance Benchmarking Survey — is once again available for fresh insights and best practices. In the ninth biennial web-based survey, nearly 1,000 industry professionals added their perspective.

Read full article here. 

Foreign Corrupt Practices Act “Pilot Program” Still Alive and Kicking

In April 2016, the Department of Justice (DOJ) launched the foreign corrupt practices act (FCPA) Pilot Program. The program puts into effect several policies introduced in the famous “Yates Memo,” outlining guidance on voluntary self-disclosure of FCPA transgressions, investigation cooperation, individual accountability and even how cooperation  can result in non-prosecution. Despite expected regulatory rollbacks and ironically, the highly public firing of the Yates Memo author Acting US Attorney General Sally Yates, the Trump administration shows no signs of let up in FCPA enforcement or the Pilot Program.

Last month, Acting Assistant Attorney General Kenneth A. Blanco announced that the DOJ will evaluate the Pilot Program for extension and any revisions when it expires in April 2017. In the meantime, Blanco advises that the program remains in full force and effect.  Here’s an article to learn more about how the Pilot Program works.