26 June 2009

Digital Forensics: Right to Question CSI's...

The US Supreme Court's ruling in MELENDEZ-DIAZ v. MASSACHUSETTS will have a significant impact on Digital Forensics expert practitioners. Legal cases that rely on the examination of computers and other digital assets containing relevant information will now require more testimony from the CSI analysts and experts who performed that examination. The New York Times report by Adam Liptak says:

Crime laboratory reports may not be used against criminal defendants at trial unless the analysts responsible for creating them give testimony and subject themselves to cross-examination, the Supreme Court ruled Thursday in a 5-to-4 decision.

Noting that 500 employees of the Federal Bureau of Investigation laboratory in Quantico, Va., conduct more than a million scientific tests each year, Justice Kennedy wrote, “The court’s decision means that before any of those million tests reaches a jury, at least one of the laboratory’s analysts must board a plane, find his or her way to an unfamiliar courthouse and sit there waiting to read aloud notes made months ago.”

The outcome of the ruling for the prosecution is that forensic examiners and scientists will be more thoroughly scrutinized on the tests they perform. The process will require more effective documentation and the ability to play back for a jury exactly the procedure used to support any fact in evidence. This should not be difficult, since best practices such as video taping the entire test and examination are already in use today. Achieving a "Defensible Standard of Care" will, however, become even more of a priority for Operational Risk Management professionals.

The defendant will have the ability to cross-examine the analyst, whether the analyst's determination was the blood type of the accused attacker or the date, time, and place from which the defendant sent an e-mail on the office computer to a co-conspirator.

In the digital forensics environment, the ruling simply means that the subject matter experts will be spending more time in court and on the witness stand. This will lengthen the time it takes to conduct a trial, yet the right to examine the process, the expertise and the documented procedures behind the evidence that has been introduced is an important issue.

From an Operational Risk Management point of view, this means that your eDiscovery and Digital Forensics certified examiners will be under the magnifying glass and subject to questioning by counsel. We expect increased attention to this in civil matters soon. Several states are asking that the outsourced entities that inspect digital assets be licensed by the state itself, as Private Investigators. This provision would also require the expert authority to be legally certified in the state laws pertaining to civil procedure, chain of custody and the legal procedures for handling evidence.

The question remains whether the Supreme Court Justices were thinking beyond the test for the presence of a drug, which was the focus of MELENDEZ-DIAZ v. MASSACHUSETTS. The defense bar will use this ruling to reach beyond the criminal courts into civil trials, where white collar cases are largely based upon the documents, e-mails and other digital evidence that has been retrieved using forensic procedures.

It will be interesting to see how this ruling impacts the professional licensing, certifications and documentation of examinations for the 21st century Digital Forensic "CSI".

11 June 2009

4GW: U.S. CyberSpace OPS Risk...

The Washington, DC beltway bandits are buzzing in anticipation of President Obama's selection for the next defender and policy maker for United States CyberSpace. We wonder which branch of the armed forces s/he will be associated with, and to what degree s/he will win the power base's agreement, once and for all, that CyberSpace is indeed a "Strategic National Asset".

Meanwhile, OPS Risk Managers are dealing with transnational non-state actors (in some cases funded by nation states) that are robbing our private sector and government agencies blind, stealing Personally Identifiable Information (PII), corporate intellectual property, defense R & D and classified State secrets. The next commander of U.S. CyberSpace has an even bigger job once the job starts: protecting and defending our country's vital Digital Infrastructure. This nexus of criminal, terrorist and irregular warfare is being waged on a 24/7 basis here in the homeland.

So how do you go about fighting this 4th Generation (4GW) war waged by well organized, decentralized, clandestine subjects operating in the cyber shadows? It begins with creating an effective Information Sharing Environment (ISE), a fusion of who, what, when, how, where and maybe why. Defending the nation against physical attacks from the likes of Al-Qaida and against virtual attacks from Yingcracker has some very interesting similarities.

If the next Secretary of U.S. CyberSpace is going to take the fight to those who wish to copy, delete, probe, scan, flood, bypass, steal, modify and spoof their way across our Digital Infrastructure, s/he could learn from this synopsis by Robert Haddick:

Does it take a network to beat a network?

On June 5 United States Joint Forces Command (USJFCOM) wraps up a week-long war game designed to test the Pentagon's vision of warfare in the future. The war game looks ahead to the year 2020 and examines how U.S. and allied military forces -- along with civilian government, non-government, and international institutions -- cope with a failing state, a globally networked terrorist organization, and a peer competitor. The results of the war game are supposed to influence the conclusions of this year's Quadrennial Defense Review, an in-depth review of the Pentagon's strategies.

Officials at USJFCOM won't discuss the results of the war game until at least July; many of the most interesting conclusions may remain classified. But the commander of USJFCOM, General James Mattis of the Marine Corps, described his vision of the future while delivering a speech at the Center for Strategic and International Studies.

Mattis discussed how today's adversaries have adapted to U.S. conventional military superiority by forming disaggregated networks of small irregular teams that hide among indigenous populations. United States military forces, by contrast, have only come under greater central control. According to Mattis, this shift is due to evolutions in intelligence-gathering and communications technologies. Call it the new iron law of military bureaucracies: when commanders gain the technical ability to micromanage, they will micromanage.

Mattis believes that in order to defeat modern decentralized networks, U.S. forces will have to become decentralized themselves. This will entail giving autonomy to and requiring initiative from the youngest junior leaders in the Army and Marine Corps. High-performance small infantry units, "a national imperative" according to Mattis, will need to operate independent from higher control, finding their own solutions to local problems as they implement broader policy guidance.


Whether the troops are fast roping out of helicopters or sitting behind a flat screen detecting and analyzing a stealthy cyber attack, the approach to defeating the adversary is much the same. Infiltrating the "cells" and collecting valuable INTEL on the global enemy is what gives us the "Ground Truth." The commander for U.S. CyberSpace will soon be educated on the private sector's role in achieving this continuous and lofty goal of creating more decentralized and clandestine citizen soldiers.


As the private sector battles non-state actors to preserve and protect valuable customer data, corporations are simultaneously being attacked by adversarial plaintiffs' lawyers.

U.S. insurer Aetna has been targeted in a lawsuit alleging it failed to protect personal information of employees and job applicants, documents indicate.

The lawsuit comes after Aetna, of Hartford, Conn., was struck by computer hackers to access a company Web site holding personal data for 450,000 current and former employees as well as job applicants, the Hartford Courant reported Wednesday.


The private sector would welcome more proactive government efforts to seek out and stop the criminal and terrorist entities that prey on organizations that remain vulnerable. The Operational Risks associated with litigation in the corporate enterprise are here to stay. If the public and private sectors can once and for all coordinate, collaborate and "Share Information", we can disrupt, capture, prosecute and defeat our cyber adversaries.

02 June 2009

Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the business context gets onto the Board of Directors' agenda after every tragedy. Whenever the magnitude of a business disruption involves loss of life or major property damage, executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have ever tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Let's think about a simple process from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items that have been sold to the customer.

In the context of higher education, consider the processes of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process, or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about the supply chain that provides the necessary resources, energy, infrastructure and people to make it all happen. Does this business issue still seem like a trivial matter?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their own version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begin. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech University in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her observations magnify the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news, just as you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well prove more significant as the analysis and the investigation continue.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what, and when? The litigation is ongoing and some are still seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it is boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all-hazards approach is discussed, where people are continuously aware of the threats to life and property and of the economic implications of any business disruption? If you have people and property in California, the answer is yes. Earthquakes, brush fires and now even the lack of government resources are existing risk factors. If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch, then your organization should already have heightened situational awareness and crisis management mechanisms in place. The whole State of Florida, North & South Carolina, Louisiana, Texas and the others who know the aftermath of Hurricane Katrina are sensitized to the requirements for effective preparedness.

So what is the difference between an event such as the "Active Shooter" scenario on your campus and a catastrophe sent by "Mother Nature"? The answer is the accuracy with which the event itself can be predicted. Preparedness for either event starts with the mindset that it will happen. Only one of the two can be prevented, preempted or neutralized before it causes harm.

Sadly, the Report of the (Virginia Tech) Review Panel to the Governor, issued in August 2007, contained important inaccuracies, despite the panel’s best efforts to get to the truth. University officials, it now appears, may have been less than candid and forthright in their responses to the questions put to them by the panel.