Discussion posts for Richard Bocchinfuso.
First off, my apologies for my late post this week. I spent this week in France with a customer, a large U.S.-based manufacturing company that eight months ago acquired a France-based manufacturing company in the same market to grow their business in Europe. As a U.S.-based company operating from the U.S., there were many challenges that they faced. Information technology is often an area that organizations immediately look to post-acquisition to drive synergies and efficiencies, but when a U.S.-based company enters the European market this can be significantly more complex. The reason I mention this is that the legislation and cyber law differences between the U.S. and the E.U. can make this complex and pretty challenging. GDPR (E.U. General Data Protection Regulation) (Palmer, 2018) is an example of one regulation that the E.U. imposed to protect data privacy. There are plenty of other regulations like PCI, HIPAA, SOX, etc. that all need to be considered in the context of GDPR; this is a real challenge for many organizations.
A side note on why I was late this week, and maybe some travel advice for anyone flying from the New York area (EWR) to Paris (ORY). As a million-mile flyer on United, I more often than not fly United, although I dislike the airline immensely; I was a loyal Continental flyer for a very long time and it’s hard to give up airline status when you travel 100K+ miles a year. My typical process week after week is to work while I travel. Well, this trip I flew La Compagnie, a small French boutique airline with two 757s in their fleet flying between Newark (EWR) <-> Paris and Newark (EWR) <-> London. The flights are all business class at a price below United economy fares, seating only 74 passengers, with good service; the only downside (for me at least) is no WiFi. Anyway, sorry for the tangent, but I just wanted to give some background.
In this week’s Legislation lecture, Ronda R. Henning states that “Legislation, the legal foundations of cyberlaw, lag technology.” (Henning, n.d.) She goes on to say that most legislators are technologically illiterate, that most cyberlaw is derived from legacy mediums (e.g., print), and that this legacy legislation has been applied to cyberlaw. Henning also discusses the topics of authenticity, maintaining chain of custody, and being able to demonstrate through metadata that digital assets have not been tampered with. In the past, we have discussed hashing as a method of creating a digital signature; hashes like MD5, SHA-256, etc. can create a digital signature of a file which can be used to validate data integrity and authenticity. (Simon, 2013)
I think a telling and interesting aspect of cyberlaw and “Legal Obligations” is the relative measure of obligations, meaning that things like “best effort” and “industry standard” are defined by relative measures of what others are doing within a given industry or discipline. What this means is that there are frameworks for governing how we maintain and audit our security posture, but what we need to do is far more fluid.
Looking at the IBFS (Intergalactic Banking and Financial Services) case study, while fictitious, we can see requirements and challenges which are likely common across the finance and banking industry, which is steeped in legacy and highly regulated. We can see the need to balance cost and capability, to increase agility and elasticity via partnerships and outsourcing, and to do this while being compliant with regulations which govern the banking and finance industry. As we look at the emergence of game-changing technologies such as blockchain and cryptocurrencies, applying legacy legislation becomes more difficult. While the copyright example moved from print media to video content to digital assets, not perfectly but fairly easily, applying legacy financial regulations to technologies like blockchain and cryptocurrencies will not be as easy. It will be interesting to see how regulatory bodies adapt; the idea of legislators being technology illiterate will probably need to change.
Cyberlaw is very complex; we can to some degree understand aspects of cyberlaw such as copyright and regulations, but when we add things like the Patriot Act and the NSA to the mix things get really complex. (Diamond, 2015)
We have discussed security frameworks like NIST, ISO 27001, SABSA and SSAE-16, and I have looked at all these frameworks, which are primarily process-driven frameworks. We learned this week that protecting an organization is about best effort, best practices, and industry standards; I use the Center for Internet Security (CIS) as my guide for industry standards and best practices. CIS provides best practices, benchmarks, and toolsets, and they do this all in the context of the platform you are securing: Windows, Linux, hypervisor, etc.
CIS Center for Internet Security. (n.d.). Retrieved September 11, 2018, from https://www.cisecurity.org/
Diamond, J. (2015, May 23). Patriot Act debate: Everything you need to know – CNNPolitics. Retrieved September 11, 2018, from https://www.cnn.com/2015/05/22/politics/patriot-act-debate-explainer-nsa/index.html
Henning, R. R. (n.d.). Legislation. Retrieved September 11, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU01VjEvRGF0YS9tb2R1bGUueG1s Florida Institute of Technology
Palmer, D. (2018, May 23). What is GDPR? Everything you need to know about the new general data protection regulations. Retrieved September 11, 2018, from https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/
Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton: CRC Press.
Simon. (2013, May 29). Verifying File Authenticity via Hashing. Retrieved September 11, 2018, from https://www.anotherwindowsblog.com/2013/05/verifying-file-authenticity-via-hashing.html
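The post above mentions hashing a file to validate its integrity and demonstrating chain of custody. The following Python example, added here and not part of the original post or any cited source, shows what that looks like in practice: a baseline manifest of SHA-256 digests is taken at collection time, the manifest is then sealed with an HMAC under a custodian key so that the manifest itself cannot be quietly rewritten, and a later verification pass reports each file as ok, modified, missing, or unexpected. The file names, contents, and custody key are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample "evidence" files (names and contents invented for this example);
# they stand in for files read from disk.
EVIDENCE = {
    "export.csv": b"id,amount\n1,100\n2,250\n",
    "notes.txt": b"Collected from file server share, 2018-09-11\n",
}

# Constructed custody key. A real key is held by the custodian, never stored beside the evidence.
CUSTODY_KEY = b"example-custody-key-not-for-real-use"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data, fed to the hash in chunks the way a large file would be."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), 65536):
        h.update(data[i:i + 65536])
    return h.hexdigest()


def build_manifest(files: dict, algorithm: str = "sha256") -> dict:
    """Record one digest per file; this is the baseline taken at collection time."""
    return {
        "algorithm": algorithm,
        "files": {name: digest(data, algorithm) for name, data in sorted(files.items())},
    }


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form of the manifest.

    A bare hash list only detects change; anyone who can alter a file could also
    recompute an unprotected manifest. The seal ties the manifest to the custodian's key.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_sealed(manifest: dict, seal: str, key: bytes) -> bool:
    """Constant-time check that the manifest still matches its seal."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_files(manifest: dict, files: dict) -> dict:
    """Compare current contents with the manifest.

    Returns {name: 'ok' | 'modified' | 'missing' | 'unexpected'}.
    """
    algorithm = manifest["algorithm"]
    report = {}
    for name, expected in manifest["files"].items():
        if name not in files:
            report[name] = "missing"
            continue
        actual = digest(files[name], algorithm)
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in files:
        if name not in manifest["files"]:
            report[name] = "unexpected"
    return report


def demo() -> dict:
    """Baseline at collection, then verify after a simulated one-byte alteration."""
    manifest = build_manifest(EVIDENCE)
    seal = seal_manifest(manifest, CUSTODY_KEY)
    later = dict(EVIDENCE)
    later["export.csv"] = b"id,amount\n1,100\n2,251\n"  # constructed tamper: 250 -> 251
    return {
        "manifest_intact": manifest_is_sealed(manifest, seal, CUSTODY_KEY),
        "files": verify_files(manifest, later),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the verification report: the sealed manifest is intact, notes.txt is ok, and export.csv is flagged as modified by the single changed byte. The same two checks (seal first, then per-file digests) are what a custodian would repeat at every hand-off.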
Yacine, a very interesting and thought-provoking post. I may be a bit of a conspiracy theorist, but I think operating under the premise that Ronda R. Henning touches on this week, in regards to wiretapping or eavesdropping and how living in the digital world alters information intercept. I found it really interesting that Ronda R. Henning pointed out Skype of wireless or VoIP. She points out CDRs (call detail records), what the industry refers to as metadata. I think of metadata as the data that matters; if I have the metadata, I likely have a path to all the data. While the Patriot Act has been reeled in (at least publicly) by the Freedom of Information Act, we still see the government looking to take control of communication mediums, most recently the movement to nationalize the 5G network. These are complex issues; the nationalization of anything scares me a little, but on the other hand, I think it would be naive not to consider the complexity of maintaining order in a wireless world where information moves free and frictionless over the airwaves. On the other hand, if it’s on the airwaves it can be intercepted by anyone who can decode it. I am reminded of a scene from the movie Heat.
We should pay attention to the fact that the FBI broke the encryption on the iPhone. They politely asked Apple to assist; when Apple said no, they figured out how to crack it. The best way to operate is to assume someone is always watching.
ACLU v. FBI – FOIA Case for Records Relating to Patriot Act Section 215. (2014, October 6). Retrieved September 16, 2018, from https://www.aclu.org/cases/aclu-v-fbi-foia-case-records-relating-patriot-act-section-215
Henning, R. R. (n.d.). Legal Obligations. Retrieved September 16, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU01VjEvRGF0YS9tb2R1bGUueG1s
Miller, D. (2017, October 03). FBI allowed to keep details of iPhone hacking secret. Retrieved September 16, 2018, from http://www.abc.net.au/news/2017-10-02/fbi-to-keep-details-of-san-bernardino-iphone-hacking-secret/9007400
Vazquez, M., Berlinger, J., & Klein, B. (2018, January 30). FCC chief opposes Trump administration 5G network plan. Retrieved September 16, 2018, from https://www.cnn.com/2018/01/28/politics/trump-nationalize-5g/index.html
Wendy, good post. Is the purpose of legislation and law to “set expectations of proper behavior”, or to set rules which can be used to police behavior?
I agree that legislation and laws have typically been created to manage social behavior and protect the citizens of a community (local, state, federal, etc.), but with the world becoming increasingly flat we see that legislation in one country (e.g., GDPR in the EU) can have an impact on organizations which are multinational; in the digital era and the connected world this includes just about everyone. GDPR is the reason we are being asked to accept or decline cookies on just about every site we visit on the internet. (Irwin, 2018)
The Cyber Deterrence and Response Act of 2018 (H.R.5576, 2018) (Blinde, 2018) aims to create a registrar of hackers, pulling them out of the shadows and punishing them, but what percentage of hackers are known vs. what percentage are anonymous? This can be really tricky. This is an interesting move by the government; it sounds good on paper, but it seems that it will be difficult to police. We know that nation-states have cyber warfare divisions, the U.S. included; we know that they are in the shadows gathering cyber intelligence and acting on it, but I am wondering if this can be attacked overtly, with something like sanctions. (Richards, 2018)
Blinde, L. (2018, July 02). Bill to fight state-sponsored cyber threats passes out of House foreign affairs committee. Retrieved September 16, 2018, from https://intelligencecommunitynews.com/bill-to-fight-state-sponsored-cyber-threats-passes-out-of-house-foreign-affairs-committee/
Irwin, L. (2018, August 16). How the GDPR affects cookie policies. Retrieved September 16, 2018, from https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies
Richards, P. (2018, April 19). Nation state attacks – the cyber cold war gets down to business. Retrieved September 16, 2018, from https://www.csoonline.com/article/3268976/cyberwarfare/nation-state-attacks-the-cyber-cold-war-gets-down-to-business.html