http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/ By Ashley Deeks LAWFARE May 31, 2015 This past week, the NATO Cooperative Cyber Defense Center of Excellence put on its annual Cyber Conflict conference in Tallinn, Estonia. The conference boasted a number of experienced cyber-hands, including Adm. Mike Rogers, DefCon founder Jeff Moss, and law of armed conflict expert Mike Schmitt. One of the most interesting sessions, which included a presentation by Mike, focused on aspects of the Tallinn Manual versions 1.0 and 2.0. Version 1.0, produced by an independent group of experts, came out in 2013. It proffered what the experts saw as current black letter law on jus ad bellum and jus in bello rules relevant to cyber operations. The Manual includes both crisp articulations of the rules and more extensive commentary setting out the legal basis for the rule and any differences that arose among the experts. Version 2.0 picks up where Version 1.0 left off, and will set forth the experts’ views on what international law applies to cyber activity that falls below the level of armed conflict or the use of force. Mike previewed some of the topics that 2.0’s group of experts will discuss, including customary rules related to sovereignty. As Mike notes, sovereignty is not simply a factor restricting a state’s activities in other states’ territory. It also is the basis for states to regulate and exercise jurisdiction within their territory over people, hardware, and cyber operations. One challenge for the experts will be to achieve consensus on what types of activities by one state violate another state’s sovereignty: what level of damage, intrusion, or alteration of data suffices? Other norms up for discussion relate to due diligence obligations by states to stop actions that produce adverse consequences for other states, and the applicability of state responsibility (including counter-measures and the use of “necessity” arguments).
Tallinn 2.0 has the potential to be even more influential than Tallinn 1.0, because it systematically will address activities that are far more prevalent in the cyber realm than uses of force or armed attacks. Bill Boothby, a former Deputy Director of Legal Services for the UK Royal Air Force, then provided a retrospective look at Tallinn 1.0. Mike Schmitt had asked Bill to review all of the literature that offered reviews or critiques of Tallinn 1.0, to assess whether to consider certain modest amendments to the Manual’s commentary (though not to its black letter rules) or to take up certain issues that Tallinn 1.0 did not cover. Bill assessed that there has been huge interest in the Manual since it came out, but that the Manual reflected “all reasonable positions” on the issues it took up and that there were only a few amendments worth pondering. In particular, Bill wondered whether the definition of what constitutes a “cyber attack” might need to expand to include “major disruptions” that nevertheless do not produce physical harm to the affected state. He also asked whether the jus in bello rule on precautions was ill-suited to cyber, given that states utterly have failed to segregate their military cyber infrastructure from civilian cyber infrastructure. […]
Please accept with no obligation, implied or implicit, my best wishes for an environmentally conscious, socially responsible, low-stress, non-addictive, gender-neutral celebration of the winter or in some locations summer solstice holiday, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practices of your choice, with respect for the religious/secular persuasion and/or traditions of others, or their choice not to practice religious or secular traditions at all. I also wish you a fiscally successful, personally fulfilling and medically uncomplicated recognition of the onset of the generally accepted calendar year 2015, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make America great. Not to imply that America is necessarily greater than any other country nor the only America in the Western Hemisphere. Also, this wish is made without regard to the race, creed, color, age, physical ability, religious faith or sexual preference of the wishee.
http://www.healthcareitnews.com/news/stolen-laptops-mean-2m-mega-fines By Mike Miliard Managing Editor Healthcare IT News April 23, 2014 Serving notice that “covered entities and business associates must understand that mobile device security is their obligation,” the HHS Office for Civil Rights has settled with two organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen. That’s a big number. And that’s because it’s meant to drive home the point that unencrypted laptops and mobile devices pose significant risks to the security of patient information, said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: Encryption is your best defense against these incidents,” she said. The biggest of the two settlements was levied against Concentra Health Services, after OCR opened an investigation following a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. […]
http://www.computerworld.com/s/article/9247309/Bank_abandons_place_in_class_action_suit_against_Target_Trustwave By Jeremy Kirk IDG News Service March 31, 2014 One of the two banks suing Target and security vendor Trustwave over responsibility for one of the largest data breaches in history has pulled out of the lawsuit. Trustmark National Bank, of New York, filed a notice of dismissal of its claims on Friday in U.S. District Court for the Northern District of Illinois. It had joined Green Bank of Houston in the class-action suit, which claims Target and Trustwave failed to stop the theft of 40 million payment card details and 70 million other personal records. The suit may have wrongly named Trustwave as one of Target’s IT security contractors. After the suit was filed on March 24, Trustwave said it would not comment on pending litigation and customarily does not identify its customers. Many agreements with IT vendors and customers are confidential. But on Saturday, Trustwave’s Chairman and CEO Robert J. McCullen added more clarity by writing a letter on its website saying Target did not outsource its data security or IT obligations to the company. […]
http://healthitsecurity.com/2013/09/10/are-hipaa-business-associates-aware-of-their-obligations/ By Patrick Ouellette Health IT Security September 10, 2013 The Sept. 23 HIPAA Omnibus Rule deadline is closing in, but Coalfire’s “The Final Omnibus Rule
http://www.bankinfosecurity.com/fdic-improve-vendor-management-a-6053 By Tracy Kitten Bank Info Security September 9, 2013 Federal regulators are urging banking institutions to pay more attention to vendor management in light of recent breaches, such as one that compromised core processor Fidelity National Information Services, better known as FIS. During a recent Community Bankers Advisory Committee meeting in Washington, D.C., examiners from the Federal Deposit Insurance Corp. stressed the obligations banks and credit unions have to ensure that the vendors they use maintain adequate levels of security. Regulators regularly examine certain vendors to ensure that sensitive information is sufficiently protected through the use of encryption and other technologies. The vendors include those that have contracts with banks for core banking services or that provide services covered under the Bank Service Act. The institutions that use those companies’ products and services should request reports on those examinations and follow up to ensure security mandates are being met, regulators say. Due diligence is the responsibility of the institution, not the examiner. […]
http://www.infosecnews.org/to-be-a-board-member/ Posted in its entirety as Pastebin pages sometimes disappear… http://pastebin.com/VJtribPU BY: A GUEST ON AUG 21ST, 2013

The information security industry is rife with initiatives and organizations, one more formal than the other, that would benefit from able and competent boards. From the Security B-Sides organization, OWASP, ISSA and the Cloud Security Alliance to ISC2, over the years it has become clear that building and maintaining a competent and agile board proves to be a relative challenge. While each organization is different, the issues they face are similar. This post does not address the specific concerns of a single organization but rather tries to frame the need for dedicated and competent board members against the backdrop of an industry and community that continues to struggle with their own identity. It should provide guidance to both people with board ambitions and those looking to support them. Anybody identifying themselves with an organization and its membership should ask themselves at least the following questions.

Why me?
——-

The first answer to this question could be ‘Why not?’ but the answer lies in the fact that it is a flawed question to begin with. The real answer should be ‘Who cares? This is not about YOU.’ A large following and a well-known name will obviously make it significantly easier to obtain a board seat, but it is just as important to note that very few organizations provide board seats as a ‘badge of honor’. The position comes with both a decent dose of responsibility and the requirement to put in hours. If your first reason to aim for this position is that it will look good on your resume, then you’re not only in for a surprise, you’re also about to hugely disappoint yourself and the people that rely on your engagement to make things happen.

‘Servant Leadership’ is a term that is overused these days. The essentials of the concept are very relevant for the aspiring board member though. It only starts when a community or membership provides you the opportunity to serve. Within that mandate is your obligation to serve your constituency with only the common interest on your agenda. Where you may expect the additional ‘badge’ to propel your career to soaring heights, you will rather find yourself spending numerous cycles on complex problems with no inkling of personal reward in return. Instead your reward lies in the value and benefits you create for your constituency. […]