Speaker Biography: MacDonnell Ulsch Director of Technology Risk Management in Boston and the firm’s chief privacy specialist


Speaker Biography: MacDonnell Ulsch

  • Director of Technology Risk Management in Boston and the firm’s chief privacy specialist.

  • Distinguished Fellow of the Ponemon Institute.

  • Served on the U.S. Secrecy Commission under U.S. Senators Helms and Moynihan.

  • Advised counterintelligence staff of a Presidential Administration.

  • Worked with U.S. Senator Sam Nunn on information security policy.

  • Met with King Hussein of Jordan on Middle Eastern security and political policy.

  • Advised “Da Vinci Code” author Dan Brown on U.S. national security for the novel “Digital Fortress.”

  • Interviewed Judge Leon Jaworski of the Warren Commission on the assassination of President Kennedy.

  • Served 13 years on the Board of the National Security Institute, working with U.S. intelligence agencies.

  • Founded information security research program at Dataquest/Dun & Bradstreet and was Chief Analyst at D&B.

  • Former Director of Global Risk at PricewaterhouseCoopers, LLP.

  • Former Sr. Director of Regulatory Compliance at Gartner, Inc.

  • Former Lecturer at Boston University.

  • Currently writing “Threat! Managing Risk in a Hostile World,” to be published by the IIA Research Foundation.

What’s On Your Horizon?

  • Sabotage

  • Emerging State Statutes

  • Emerging Federal legislation

  • International legislation

  • Asymmetric Threats

  • Technology Proliferation

  • Integrated Security

  • Financial Loss

  • Reputation Loss

  • Valuation Loss

  • U.N. Public Policy

  • Executive Responsibility for Data Crimes

A Matter of Coincidence?

DuPont and Chemist Gary Min

  • Former Chinese national.

  • Former DuPont chemist stole secrets worth $400MM.

  • Recently pleaded guilty to corporate espionage.

  • In the crosshairs: KEVLAR, TEFLON, NOMEX, LUCITE and other products protected under trade secret.

  • May have intended to sell secrets to government of China or to Chinese companies.

  • An employee for 10 years.

  • Had developed significant products. He had access to a high-security electronic database at DuPont.

  • This enabled him, but it was also his downfall.

Tripping the Wire

  • His biggest mistake was raising his profile with security:

    • Over a short period of time he downloaded 22,000 abstracts and documents from the secure DuPont database.
    • Sessions of 15-20 hours at a time.
    • This level of activity represented 15 times more use than the next highest user at DuPont.
    • Federal authorities were contacted at this time.
  • Min left DuPont and went to work for Victrex PLC, transferring 180 documents to his Victrex computer.

  • Min was in China when a DuPont investigator found documents at Min’s home and in an apartment he had rented. Other documents were found on his home PC.
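The tripwire in the Min case was volume relative to peers (15 times the next highest user) and marathon sessions. The following is an added example of that kind of check run over constructed document-repository access logs; it is not DuPont's system or any code from the original presentation, and the log format, user names, document ids and thresholds are all assumptions made for illustration.

```python
"""Volume and session-length anomaly check over constructed access logs.

Added example, not code from the original presentation or from DuPont.
Log format, user names, document ids and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _make_sample_log():
    """Build constructed log lines: a few normal users plus one bulk downloader."""
    lines = []
    base = datetime(2006, 8, 1, 9, 0, 0)
    doc = 1000
    # Normal users: a handful of downloads each, spread over the working day.
    for user, n in (("alice", 4), ("bob", 3), ("carol", 4)):
        for i in range(n):
            ts = base + timedelta(hours=2 * i)
            lines.append(f"{ts.isoformat()},{user},download,DOC-{doc:04d}")
            doc += 1
    # Bulk user: 64 downloads, one every 15 minutes, in a single 15.75-hour session.
    for i in range(64):
        ts = base + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()},dave,download,DOC-{doc:04d}")
        doc += 1
    return "\n".join(lines)


# Constructed sample input: "timestamp,user,action,document_id" per line.
SAMPLE_LOG = _make_sample_log()


def parse_log(text):
    """Parse log lines into (timestamp, user, action, doc) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, action, doc = parts
        try:
            events.append((datetime.fromisoformat(ts), user, action, doc))
        except ValueError:
            continue
    return events


def download_counts(events):
    """Number of download actions per user."""
    counts = defaultdict(int)
    for _, user, action, _ in events:
        if action == "download":
            counts[user] += 1
    return dict(counts)


def volume_outliers(counts, ratio=15.0):
    """Users whose download count is at least `ratio` times the next-highest user's."""
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) < 2:
        return []
    top_user, top = ranked[0]
    runner_up = ranked[1][1]
    return [top_user] if runner_up > 0 and top >= ratio * runner_up else []


def longest_session_hours(events, max_gap=timedelta(minutes=30)):
    """Longest run of each user's events with no gap larger than max_gap, in hours."""
    per_user = defaultdict(list)
    for ts, user, _, _ in events:
        per_user[user].append(ts)
    result = {}
    for user, stamps in per_user.items():
        stamps.sort()
        longest = timedelta(0)
        start = prev = stamps[0]
        for ts in stamps[1:]:
            if ts - prev > max_gap:
                longest = max(longest, prev - start)
                start = ts
            prev = ts
        longest = max(longest, prev - start)
        result[user] = longest.total_seconds() / 3600
    return result


def flag_users(text, ratio=15.0, max_session_hours=12.0):
    """Return {user: [reasons]} for users tripping either indicator."""
    events = parse_log(text)
    flags = {}
    for user in volume_outliers(download_counts(events), ratio):
        flags.setdefault(user, []).append("download volume >= %gx next-highest user" % ratio)
    for user, hours in longest_session_hours(events).items():
        if hours >= max_session_hours:
            flags.setdefault(user, []).append("continuous session of %.2f hours" % hours)
    return flags


if __name__ == "__main__":
    for user, reasons in flag_users(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

The peer-ratio check only ever flags the single top user, which mirrors the figure quoted on the slide; in practice a defender would also keep a per-user baseline so that a second heavy downloader is not hidden behind the first.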

The NYNEX Case

  • Certain elements of this case were tried in federal court and were reported in the Wall Street Journal.

  • Other aspects of this case have never been made public.

  • I am making certain elements of the case public today.

  • The case will be discussed more extensively in THREAT! Managing Risk in a Hostile World, to be published by the Institute of Internal Auditors Research Foundation.

  • No individuals will be mentioned by name.

  • Principal companies will be named.

  • Several companies will not be named. Such disclosure would enable the identification of the individuals involved.

Industrial Espionage Case History II


  • NYNEX exited the information products and services business at a loss estimated to be in the hundreds of millions of dollars.

  • NYNEX discharged senior executives over the incidents.

  • A number of Co. X executives were terminated.

    • A senior executive was restricted from serving on any public board for several years.
    • His employment was terminated.
    • He was fined but avoided imprisonment.
    • He was recently honored for his industry contributions.
    • He is currently the CEO of a privately held, successful company.

Aftermath …

  • The rogue consultant was granted full federal and state immunity from prosecution:

    • He was not fined and faced no prison term.
    • He runs a very successful research and consulting firm.
    • He is financially secure.
  • Another senior executive formed a company afterwards and then sold it, making about $100MM.

    • He was never charged in the case.

The Rise of Social Networks

Blogging: A Growing Risk

  • Rapid growth: 34.5MM to over 100MM blogs worldwide.

  • Rapid growth: the blog audience is now 20 percent the size of the total newspaper-reading audience.

  • 9 percent of computer users have created blogs.

  • Blogging from laptops and Internet-enabled PDAs.

  • In an organization of 100,000 employees:

    • 25 percent, or 25,000 employees, blog.
    • Blogging an average of twice per week is 50,000 messages a week or 2.4MM annually.
    • Many blog from work.
    • Others blog from mobile platforms.
  • Organized crime is believed to be behind, or to influence, a number of gambling and pornography blogs.

Here’s the Problem With Blogs

Blogs …

  • Case History:

    • Company was being hacked weekly, resulting in expensive downtime.
    • Targeted by unidentified foreign hackers.
    • A key IT employee perceived blogging as a neutral threat factor.
    • He needed help in defending the enterprise more effectively.
    • Internal solutions were not solving the problem.
    • Company’s proprietary data was at risk.
    • Blogging made it worse.
  • Prediction:

Complexity of Identity Theft

  • ID Theft Drivers

Find the SSN

Organized Crime Growing

  • Organized crime is involved in trade secret theft, economic espionage, terrorist financing, narcotics trafficking, pornography, ID theft … and technology.

  • Russia has emerged as a major international influence in organized crime. Many countries participate in organized crime. Russia is but one example.

  • Compare organized crime in the US and Russia (American Russian Law Institute):

    • US:
    • Russia:
      • 5,000 – 8,000 groups
      • 100,000 active members

Russian Organized Crime & IP Theft

  • The theft of intellectual property by organized crime is escalating in the following states, in particular:

    • New York
    • California
    • Pennsylvania
    • Massachusetts
  • According to a report from Michigan State University School of Criminal Justice:

    • Russian activity is accelerating as a result of the dismantling of the Soviet Union.
    • Federal authorities are currently investigating and infiltrating these criminal enterprises.
    • “The threat from … economic crimes (such as the theft of intellectual property, industrial espionage … and computer-related crime) is increasingly recognized as a matter of national security.”
  • Use of IT and communications professions by organized crime is growing.

Linkage to Child Pornography

  • The majority of seized child pornographic images and videos are produced in:

    • The former Soviet states.
    • Southeast Asia (including Japan).
    • South America (increasingly).
  • Commercial pay-per-view technology and Internet payment systems that provide anonymity are in growing demand.

Case History: A Boston Police Officer

  • Police in Boston

    • Several rogues involved with local crime gangs, offering protection of
      • Drug transactions
      • Prostitution
    • Target owners of luxury automobiles
      • Use police access to databases to obtain personal identity information.
      • Use personal identity data to acquire credit information about the target individual. This is accomplished through an employee at a local bank.
      • Credit information is sold to East Coast identity thieves, who in this case are undercover FBI agents.

Employee Crime

  • A financial institution network used for XXX-rated web sites

  • A corporate data center used by rogue employees operating their own profitable business

  • A man buys a SSN online, commits ID theft

    • But then he engages in cyberstalking the woman to whom the SSN was assigned.
    • This turns into physical stalking, as many cases do.
    • He ended up assaulting and killing her.
    • What if the SSN came from your data base?
    • What are the moral and ethical implications?
    • What is the reputational impact?
    • What is the financial liability?
    • What if the security controls were sub-standard?

An Attack Trend?

  • The first instance of information warfare occurred during the Kosovo war: web site defacements of U.S. Department of Defense and U.S. corporate entities, including IBM.

  • An interesting DDoS attack on Estonia

    • Bots or Zombies used in attack
    • Parliament disrupted
    • Nation’s largest bank severely disrupted
    • Traced attacks to inside the Kremlin
    • Significant because of KGB linkage to organized crime
    • Zombies linked to organized crime
    • Three weeks to block the attacks
  • Many attackers make precise attacks: they don’t want to disable the Internet because of its usefulness to them.

Mobile/Wireless: A Risk Force Multiplier

  • Mobile technology contributes to the dimension of risk:

    • Greater distribution of target information.
    • Less institutional monitoring.
    • Fewer employee observations about risky behavior.
    • Less attention to security policies and procedures.
    • Greater likelihood of losing a mobile device.
    • Greater likelihood of mobile device theft.
    • Greater likelihood of a breach.

Mobile Device Theft

  • More than two million a year reported stolen worldwide.

  • 1,600 a day reported stolen in the U.S.

  • A laptop is stolen every 53 seconds.

  • Chances of a laptop being stolen are one in ten.

  • 97% are never recovered.

  • Most common crime after identity theft.

  • Contains the most sensitive data, including social security numbers, as well as intellectual property, and trade secrets.

  • Six of one hundred government and defense workers in the United Kingdom are said to have lost or had stolen a laptop computer.

  • Many stolen laptops have passwords written on paper and taped to the underside of the laptop.

  • What is on your laptops?

  • What policies are in place to prevent mobile device theft?

The Mobility of Logical Information

  • Electronic information seldom resides in one place.

  • Information structures are designed for redundancy.

  • User behavior then reinforces that redundancy.

  • Where data exists, and where it is at risk:

    • Desktop computer
    • Laptops
    • Handhelds
    • Cell phones
    • Flash drives
    • Portable backup drives
    • Data centers: domestic and foreign
    • Email servers

Legislative Uncertainty

12 C.F.R. 30 Will Influence Legislation

  • Interagency Guidelines Establishing Standards for Safeguarding Customer Information

U.S. Federal

  • 110th Congress, 2007, Sen. Leahy:

    • Personal Data Privacy and Security Act of 2007
      • Requires data brokers to disclose information held on individuals
      • Requires companies that have databases with personal information on more than 10,000 U.S. residents to implement data privacy and security programs
      • Increases criminal penalties
      • A crime to conceal a security breach
      • Requires government to establish rules protecting data privacy

U.S. Federal

  • 110th Congress, 2007:

    • Data Accountability and Trust Act
      • Authorizes the U.S. FTC to write data privacy requirements for businesses
      • Mandatory vulnerability assessments
      • Policies for obsolete data disposal: feasibility study for standard processes
        • Includes paper records
      • Data breach would result in FTC audit of security practices
      • Administrative, technical, and physical security controls
      • Identify reasonably foreseeable vulnerabilities
      • Enhancing punishment for ID theft

U.S. Federal

  • 109th Congress: Specter-Leahy Personal Data Privacy And Security Act of 2005, S. 1789

    • Increased penalties for electronic ID theft
    • Section 102: Adding fraud as a predicate offense for RICO (Racketeer Influenced and Corrupt Organizations), recognizing organized crime
    • Section 103: Making it a crime to conceal ID theft
    • Give individuals access to, and the opportunity to correct, personal information held by data brokers
    • Require entities with personal data to establish internal policies that protect data
    • Require that entities notify consumers of a breach, as well as law enforcement
    • Prohibits companies from requiring consumers to disclose Social Security Numbers
    • Authorizes $100M over four years to help state law enforcement fight misuse of personal information

U.S. Federal

  • Data Security Act of 2006

    • National data protection and breach notification standard
    • Impacts financial institutions, retailers, and government agencies
    • Requires timely investigation of security breaches
    • The law expands the reach of current laws, both state and federal, that require only financial institutions to protect personal information
    • Modeled after the Gramm-Leach-Bliley Act of 1999
    • Failure to comply:
      • Levy fines
      • Impose corrective measures
      • “Even bar individuals from working in their respective industries”
  • H.R. 1263: Consumer Privacy Protection Act of 2005

    • … (2) Policy … shall be … approved by the senior management officials

U.S. Federal

  • H.R. 620: Security Measures Feasibility Act [addresses driver’s license and ID cards, assesses cost to states for security]

    • Establishment of State motor vehicle databases that contain all fields of licenses. [A report to Congress states that] any recommendations … that the Comptroller General considers necessary to better protect the security of driver’s licenses and identity cards issued by states
    • This could have significant legislative impact and, eventually, commercial impact

States & Privacy

  • Many entities make the mistake of mapping privacy policy to SB-1386 alone

State Legislation is Proliferating, Changing

  • California:
    • Established the precedent, SB-1386
    • SB-1386 Safe Harbor:
      • Businesses may forgo consumer notification if the information contained in the breached database is encrypted
      • SB-1297 and paper
  • Arkansas:
  • Indiana:
    • Addresses government agencies only
  • Montana:
    • Broadens the range of personal identifiers
  • North Dakota:
    • Similar to SB-1386 but includes DOB and mother’s maiden name
  • Washington:
    • Similar to SB-1386
  • Georgia:
    • Applies only to data brokers such as ChoicePoint
  • New Jersey:
    • Identity Theft Prevention Act requires destruction of unneeded customer data
    • Limits use of Social Security numbers sent by the U.S.P.S.
    • Consumer notification
  • Louisiana:
  • Illinois:
    • Personal Information Protection Act
    • Does not require state government notification
  • New York:
    • Information Security Breach and Notification Act
    • $150,000 fines
    • Disclosure timeframes vague
  • Wisconsin:
    • Includes DNA profile. Requires notification for unauthorized access, even paper access. Also in North Carolina.

Notification Triggers Variable

  • California: no threshold triggers. All California residents must be notified

  • In some states, notification required only when there is reasonable likelihood that the information at risk will result in harm

  • In California, businesses are required to notify only those affected by the breach. In other states, only consumer reporting agencies must be notified

  • In New York and North Carolina, businesses hit with a security breach must notify the Attorney General’s office.

  • In New Jersey, the State Police must be notified

  • The trend is toward legislation that protects the consumer

  • Multiple complex state laws encourage more federal legislation in order to reduce regulatory and trans-state conflict and jurisdiction

International: Section 304 of H.R. 1263

  • Harmonization of the International Privacy Laws, Regulations, and Agreements

    • “... the Secretary of Commerce shall provide notice of the provision of the Act to other nations, individually, or as members of international organizations or unions that have enacted … information privacy laws, regulations, or agreements, and shall seek recognition of this Act by such nations…. The Secretary shall seek the harmonization of this Act with information privacy laws … to the extent such harmonization is necessary for the advancement of transnational commerce, including electronic commerce.”

International: Fortress India

  • Fortress India is an initiative backed by the National Association of Service and Software Companies (Nasscom) in response to U.S. legislation and interest in protecting U.S. information overseas

    • Background investigations are difficult in a nation hampered by a lack of online databases and high attrition rates
    • Fortress India, as an element of Nasscom, wants to change this security and privacy dynamic
    • At ICICI OneSource, a call center, employees swipe ID cards to enter the center and empty their pockets of cell phones, PDAs, pens and notebooks; calls are monitored and recorded, and data is guarded


  • MacDonnell Ulsch

  • One Liberty Square

  • Boston, Massachusetts 02109

  • (617) 428-7705

  • Don.Ulsch@JeffersonWells.com
