Wednesday, October 24, 2012

Did the SC Supreme Court legalize industrial espionage on the cloud?

As reported in Ars Technica, the South Carolina (SC) Supreme Court ruled that gaining access to someone else's web-based email account did not violate the federal Stored Communications Act. In the case, Jennings v. Jennings, the husband (M. Lee Jennings) was suing Holly Broome, the daughter-in-law of his ex-wife (Gail M. Jennings) from a previous marriage, for unauthorized access to his personal email account. Holly had guessed the correct answers to the account's secret questions and gained access to his email (a reminder that "secret question" answers are often known to, or easily guessed by, family members and acquaintances, which makes them a weak form of authentication). She had been asked by her mother-in-law to look at M. Lee Jennings's email because he had admitted to Gail that he was having an affair and had exchanged email correspondence with the other woman. Holly printed the emails and provided them to Gail and her legal team, who used them against M. Lee Jennings during the divorce trial.

The Supreme Court found that the hacking was not in violation of the Stored Communications Act (SCA) because email left on a cloud provider's server does not meet the "definition of "electronic storage" within the SCA [which] requires that it must be both temporary and intermediate storage incident to transmission of the communication and storage for the purposes of backup protection". It should be noted, as pointed out by William Shapiro on this episode of This Week in Enterprise Tech (it's the first segment, so you don't have to listen to the whole episode), that this judgment is binding only in South Carolina.

Wow. In these few short sentences, the SC Supreme Court has, as far as the SCA is concerned, allowed unauthorized access to anything that is stored in the cloud. The caveat is that the ruling addresses only the SCA claim; it does not hold that other statutes, such as the federal Computer Fraud and Abuse Act or trade secret law, permit such access. In the last few posts on the UWCISA blog, I have commented on industrial espionage and Microsoft's move of Office to the cloud. In my entry on the cloud I noted that the cloud pretty much gives access to law enforcement:
"In terms of privacy, the way the privacy rules work is that if the provider tells you in the ToS that they will hand over things to law enforcement then they are covered from a privacy compliance perspective. (See the Privacy Commissioner's handling of the complaints against CIBC). Furthermore, as noted in this article both American and Canadian law enforcement and other agencies can access what you put on Office 365 and they don't need to tell you about it. "

In my entry on industrial espionage, I noted that, in addition to the risks highlighted by US government officials on using Chinese hardware manufacturers, "it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese."

Furthermore, I have been immersed in the last few weeks in Kevin Mitnick's (wiki, his site) Ghost in the Wires, which details how he hacked into Motorola, Sun, and other major companies. Once you read his story, you will quickly realize how this ruling by the SC Supreme Court makes it open season on any corporation that uses the cloud as a means to outsource processing. If an average person like Holly Broome can access confidential email, imagine what a determined hacker like Mitnick could do! For example, if you use Google Docs or Microsoft's cloud-based Office 365, then a competitor can gain access without violating the SCA and use that information. Will this judgment spur hackers to relocate to South Carolina and access all types of confidential information stored in the cloud? Of course they still can't take patented or copyrighted information, but what about companies whose information is not patented, trademarked, or otherwise protected by other laws (e.g. privacy legislation, laws against theft of credit card data, etc.)?

It's interesting how vulnerable the cloud, and technology in general, is to the inability of law makers and judges to see into the future. Common sense would dictate that a person who buys or uses a service and keeps it secret via a password expects that information to be confidential to them. But I am not a lawyer, just an accountant in tech. That being said, it is unlikely that Google, Microsoft, Amazon, and the other tech giants will take this ruling lying down. One can expect that they will use their dollars and influence to reassure customers that their services are safe from "legal industrial espionage".

Tuesday, October 9, 2012

Huawei & ZTE: Corporate spies or victims of non-tariff trade barrier

This episode of the TWIT network's Tech News Today had an interesting discussion regarding the recent allegations that Huawei and ZTE were spying on US companies that purchase and use their equipment. As the hosts of the tech news show pointed out, Congress does not have any evidence that the firms were involved in such activity, but was rather concerned with the relationship of the two companies with the Chinese government. Another interesting point they raised was that Cisco would benefit from such a ban. And according to this article, Cisco has paid $640,000 in lobbying on "measures to enhance and strengthen cyber security". As one analyst quoted by Bloomberg put it, "This is going to allow Cisco and Juniper to compete more fairly". However, Huawei too has been lobbying the US government, to the tune of $820,000. Many have cited Chinese hackers as a threat; for example, it is suspected that Nortel was targeted over a ten-year period by such hackers. However, it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese.

Big Data: Some resources

For the CAs and CISAs looking for the Coles Notes version of what's going on in the world of big data, check out the following podcast by David Linthicum and company, some of the most knowledgeable people on cloud computing. Chris Daly (who works with Dave) provides a good nine-item list based on this article. Chris did us all a big favour by breaking down the slideshow into a nice list of nine points. I will let you click on the link to see what they are, but I thought it was interesting to comment on the first two:

  • "Define the business drivers". It's pretty amazing how this single premise is one of the most critical concepts in business-technology, and one that requires constant attention! Ironically, I just finished answering a question from a fellow accounting professional who is taking a course on IT controls to emphasize this point. What I explained to him was that the fundamental concept here is that technology changes are driven by the business. In other words, IT strategy or investments must be driven by the overall value drivers of the business. The reason you would not change a system simply because of technological improvements is that those technologies may have no actual "Return on Investment" (ROI) for the business. In other words, companies should not adopt technology for the sake of technology. 
  • "Discover the data and its location". Wow! Those IT auditors who run computer-assisted audit techniques (CAATs) can really appreciate how these six words can represent a mountain of work! When I teach the computer-assisted audit techniques course at the University of Waterloo, I always make a point of warning my students of the practical limits of running CAATs: getting the data can be the hardest aspect of the whole process. For those of you not familiar with CAATs, they are basically automated tests that auditors run using "generalized audit software" on data that is used to support items in the financial audit. You can also use these techniques to identify security issues or fraud; see CaseWare's IDEA. (Full disclosure: CaseWare is both a sponsor of the Center that supports this blog and of the course I teach at UW). For example, these tools help perform a full analysis of a set of data, e.g. identify all the negative amounts in an inventory file, or link files together using a unique identifier to compare the data in one file (e.g. credit limits) to the data in another file (e.g. total amounts owing by the customer). Before trusting either result, reconcile the extract's record count and control totals to the source ledger, since an incomplete extract silently hides exceptions. Also, check out the Wikipedia entry; it's pretty good. 
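The two CAAT tests described above, as an added example written in plain Python rather than in generalized audit software (it is not code from the post, from CaseWare, or from IDEA): an exception test for negative amounts in an inventory file, and a join of accounts receivable balances to the customer master on a unique customer ID to flag balances over the credit limit. The CSV files, column names and customer IDs are constructed sample data embedded in the script so that it runs offline; the same functions would run over real extracts loaded with `csv.DictReader`. A control-total function is included because the record count and balance total of the extract should be reconciled to the ledger before the exception reports are relied on.

```python
"""Two classic CAAT tests over constructed sample data (added example).

1. Exception test: inventory records with a negative quantity or unit cost.
2. Join/compare test: match AR balances to the customer master on cust_id and
   flag balances over the credit limit, plus AR rows whose cust_id has no
   master record (orphans, often a sign of a data or access-control problem).
3. Control totals: record count and sum of balances, to reconcile the extract
   to the general ledger before trusting tests 1 and 2.
"""
import csv
import io
from decimal import Decimal

# Constructed sample files (hypothetical data, embedded so the script runs offline).
INVENTORY_CSV = """item_id,description,qty_on_hand,unit_cost
1001,Widget A,120,2.50
1002,Widget B,-15,4.00
1003,Gadget C,40,-1.25
1004,Gadget D,0,9.99
"""

CUSTOMER_MASTER_CSV = """cust_id,name,credit_limit
C001,Acme Ltd,10000.00
C002,Beta Corp,2500.00
C003,Gamma Inc,50000.00
"""

RECEIVABLES_CSV = """cust_id,balance_owing
C001,9800.00
C002,3100.50
C003,12000.00
C009,700.00
"""


def read_csv(text):
    """Parse CSV text into a list of dicts keyed by header (one dict per row)."""
    return list(csv.DictReader(io.StringIO(text)))


def negative_inventory(rows):
    """Return (item_id, field, value) for every negative quantity or unit cost.

    Decimal is used rather than float so that amounts compare exactly."""
    hits = []
    for r in rows:
        for field in ("qty_on_hand", "unit_cost"):
            if Decimal(r[field]) < 0:
                hits.append((r["item_id"], field, r[field]))
    return hits


def over_credit_limit(master_rows, ar_rows):
    """Join AR to the customer master on cust_id (the unique identifier).

    Returns (over_limit, orphans):
      over_limit: (cust_id, balance, limit) where balance > credit limit
      orphans:    cust_ids present in AR but absent from the master file
    """
    limits = {r["cust_id"]: Decimal(r["credit_limit"]) for r in master_rows}
    over, orphans = [], []
    for r in ar_rows:
        cid = r["cust_id"]
        bal = Decimal(r["balance_owing"])
        if cid not in limits:
            orphans.append(cid)
        elif bal > limits[cid]:
            over.append((cid, bal, limits[cid]))
    return over, orphans


def control_totals(ar_rows):
    """Record count and total balance of the AR extract, for reconciliation."""
    total = Decimal("0")
    for r in ar_rows:
        total += Decimal(r["balance_owing"])
    return len(ar_rows), total


def run_tests():
    """Run all three procedures and return their results in one dict."""
    inv = read_csv(INVENTORY_CSV)
    master = read_csv(CUSTOMER_MASTER_CSV)
    ar = read_csv(RECEIVABLES_CSV)
    over, orphans = over_credit_limit(master, ar)
    return {
        "control_totals": control_totals(ar),
        "negative_inventory": negative_inventory(inv),
        "over_limit": over,
        "orphans": orphans,
    }


if __name__ == "__main__":
    for name, result in run_tests().items():
        print(name, result)
```

On the sample data the script reports item 1002 (negative quantity) and 1003 (negative cost), customer C002 as over its limit, and C009 as an orphan balance; the control totals (4 records, 25600.50) are what you would tie back to the ledger.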
For other sources, check out the massive (and free) report from McKinsey on Big Data, which they have even made available to run in the Kindle app on your Android or iOS device. Also, check out this CAMagazine article on the topic. This HBR blog post provides a look at the overall issues, including privacy problems. 

If you have any other resources, especially from an IT Auditor (i.e. security, data integrity, etc), perspective, please do share.