Monthly Archives: December 2015

25 CISOs Identify the Biggest Security Challenges as They Enter 2016

As the year winds to a close, CISOs across industries assess the past year and plan for the security challenges they will face as they head into 2016.

Security Current heard from several key CISOs about what they think will be the most important issues in cybersecurity in 2016.

Read their insights here:

Joe Adornetto
Quest Diagnostics CISO
In 2015, three of the five largest data breaches were in healthcare. This latest evolution in the threat landscape places our industry in the crosshairs and as a healthcare provider we need to be prepared for an incident.

The ability to detect and manage an incident becomes a fundamental process as we focus on cybersecurity, particularly in areas of APT detection, communications, remedy & response, and threat intelligence.

Roota Almeida
Delta Dental of New Jersey Head of Information Security
The health care industry will continue to be a prime target for cyber criminals. No other single type of record contains so much Personally Identifiable Information (PII) that is often linked to financial and insurance information and can be used for various attacks. “Get ready for Medical Identity Fraud!”

Additionally, breaches in the past couple of years have wreaked havoc on many brands and reputations. Due to this, the board and the C-suite will have an appetite for offloading the risk to insurance providers. Cyber insurance will gain velocity and popularity in the coming year.

Bret Arsenault
Microsoft Corporation CISO

In the world of cybersecurity, each year brings new threats against our networks and devices, but also new opportunities and innovations to protect against malicious actors.

As we look ahead to 2016 and protecting against the next generation of cyberattacks, it will be critical for businesses and organizations to focus on improving their existing safeguards, rather than focusing only on the types of attacks themselves. Interestingly enough, the most effective preventative actions aren’t necessarily cost-prohibitive – like robust monitoring systems, proper employee training, and a strong identity lifecycle process.

Keeping a pulse on internal security measures is just as important as protecting from external threats. While the external threats keep evolving, we all need to be diligent about building a pervasive security culture, in which employees have the necessary awareness to practice smart cyber hygiene and to make safer online decisions.

Devon Bryan
ADP Vice President Global Technical Services (CISO)
With 2015 being appropriately dubbed as ‘the year of the mega breach’ and with the increasing sophistication and stealth with which miscreants have been launching their attacks, the predictions for 2016 are quite ominous.

Despite the increased penetration of EMV (Europay, MasterCard and Visa), I’m not anticipating significant declines in retailer financial crimes in 2016. I’d expect that in 2016 the overly hyped market predictions regarding cyber insurance adoptions would actually start materializing. I’d expect more dramatic transformation in the bloated end-point protection space with AV actually being replaced. I’d expect to see an explosion in the ransomware space and specifically DD4BC variants. I’d also expect to see dramatic developments in uber mobile malware. Based on the current tensions in global privacy I’d expect some significant developments in US – EU Privacy relations.

Paul Calatayud
Surescripts CISO
In 2015, data breaches became a new reality for all industries and sectors of the economy. Cybercriminals no longer focused on retail but crossed into healthcare and the monetization of that data. Looking forward to 2016, organizations are preparing themselves and focusing on achieving operational excellence.

No longer do companies feel immune to information security threats. Instead organizations should assume a breach could happen and prepare for the worst. As part of improving their operations, companies are working to reduce breach detection times drastically from the average 229 days, according to the 2014 Mandiant Threat Report.

In addition, healthcare companies are taking a page out of the ecommerce playbook and proactively looking for weaknesses beyond the front end and customer facing systems in order to make sure all digital doors are closed to threats.

James Carpenter
Texas Scottish Rite Hospital for Children CISO
In 2015, CISOs have been experiencing increasing pressure to not become delays for execution of business processes due to security policy. CISOs are business problem solution providers as much as they are protectors. Furthermore, the CISO of 2015 has been expected to be a business leader, IT leader, finance leader, and an excellent people influencer and navigator. This has helped the CISO of 2015 establish a workable security program that may even have included changing the applications the business has been using or the technologies used by the workforce.

Key takeaways:

  • CISO influence elevated across several business domains
  • CISO is a designer or co-designer of business solutions
  • No Delay – All elements of security programs are under scrutiny to ensure as much automation and reliability are in place

In 2016, increased investment in cloud / webscale / hyper convergence technologies will quicken the pace and reliability of IT deployments which will correspondingly force similar improvements in security to keep up. CISOs will need to begin or increase their adoption of cloud security software such as DRAAS and cloud authentication to keep up.

Cloud services such as Office 360, Azure, Amazon AWS, should be piloted in a controlled way to begin engaging the future if this hasn’t happened already. More than ever, users are expecting an organization’s applications to mimic the characteristics of apps on their phones – always work, always fast, easy to use. The CISO of 2016 will be a leader engaging these technologies and methods to bring the benefits realization of cloud into reality for their organization.

2016 Forecast:

  • Bigger Internet pipes with high reliability/failover
  • Rapid increase in cloud technology adoption
  • Limited staff increases – new staff valuable skillset will be strong in Devops/Cloud concepts
  • SkunkWorks – Expanded partnerships with non-IT business units to explore new technologies together with a shared expectation that sometimes things won’t work.

David Cass
IBM Cloud & SaaS Operational Services CISO

The year 2015 was one of escalating breaches for banking, healthcare, government, media and telecommunications. No industry sector was spared, and these attacks demonstrated their destructive capabilities. Nation-state activity increased to an all-time high, paving the road for the cybersecurity pact with China. From a technology point of view, social, mobile, big data and cloud transitioned from buzz words to the new normal.

In 2016, I expect cyberthreats will continue to increase. Whether or not the cybersecurity pact leads to a framework of new international norms remains to be seen. Cloud continues to mature and will see adoption by large companies that only a year or two ago would have never considered it as an option.

In 2016, cloud will be about leveraging new capabilities rather than just a cost savings. Analytics and cognitive capabilities will see rapid growth as organizations look at their big data for new insights.

IoT will continue to grow as new devices are introduced regularly, and IOT device makers will be challenged by the amount of data being collected and how to properly safeguard that information. Additionally, privacy laws will continue to evolve, challenging organizations on their appropriate use of data.

Daniel Conroy
Synchrony Financial CISO
The year 2015 started with learnings from data breaches seen over the previous 18 months. The learnings included the importance of something as simple as a strong password to the implementation of layered security infrastructure and periodic penetration testing. The biggest takeaway from 2015 is that companies need to be in position to detect attacks before they occur and stop the adversary before successful exploitation of vulnerability.

At the same time, while it is important to invest in technologies and processes to prevent attacks, the reality is that nobody can prevent all attacks. But companies must take significant steps to minimize the impact, respond, and recover from attacks as quickly and effectively as possible.

The information security industry is seeing trends of cyber criminals spending weeks to months doing reconnaissance before attacking organizations. The industry continues to witness increased reliance on third party providers and increased malware and ransomware attacks against firms. As mobile commerce and the number of connected devices continue to grow, there will be an increase in planned organized attacks and hacking-as-a-service offerings.

While deploying technologies for faster and better detection of destructive malware and APT attacks will be a primary focus in 2016, companies must invest in establishing a forward-looking risk mitigation program and integrated threat intelligence and analysis capabilities which are necessary for a strong cyber defense.

Gary Coverdale
County of Napa CISO
The year 2015 found an abundance of both internal and external breaches. Externally we’ve seen more and more Ransomware/Cryptolocker hacks, hacks into environments such as content applications that are missing updates and patches, and other incidents that take advantage of unpatched software and hardware. These are ‘low hang’ fruits that a proper cyber hygiene process can and will minimize.

Simple things like inventorying your technology assets; properly configuring those devices including switches, appliances, servers and computing systems (by incorporating very strong admin and user passwords, encryption of devices, and dual factor authentication); Controlling your assets in properly managing accounts and limiting user and admin privileges; an aggressive patch process; and repeating this process.

You must have proper and recoverable backups (especially important while being hit by Ransomware)! Bringing cyber hygiene into your incoming E-mail and Internet activity is important and a fairly low hanging fruit to minimize breaches. Additionally, become more aggressive with your user community cyber awareness program as 2015 was filled with Internal breaches or breaches that were successful from phishing attacks toward your organization!

The year 2015 was one of fairly unsophisticated breaches into systems and data but 2016 will be more sophisticated with substantially morphing malware that will get through undetected or by unintended ‘collaboration’ with your internal staff. Be prepared, take advantage of quick wins by properly deploying aggressive cyber hygiene and start hardening your systems by taking advantage of ‘smart’ partnering with the appropriate vendors that have the right and cost effective solutions meeting your security, privacy, and compliance initiatives.

Grace Crickette
San Francisco State University Special Administrator, CFO Division
In 2015, we were focused on how to elevate our current “State of IT Security” and communicate the right information to Leadership and the Board. We focused on aggregating and evaluating information on the health of our governance and current state of progress around securing our data and our systems. Then synthesizing the information down to actionable information so that Leadership could better prioritize allocation of resources. We formed a diverse team from various disciplines to develop a repeatable process.

In 2016, the focus will still be on continuous assessment, evaluation, and communication of our current state. We need to continue to expand our team to include even more people from a variety of departments across our organization.

We have found that engaging non-technical managers to help deal with implementation of a security risk assessment on an ongoing basis provides the relationships that we need to be able to improve rapidly. Example: If you want to understand what data you have and why and what you should retain then you need to have a continuous process and continuous engagement with ownership at many levels.

Having those owners as part of your regular risk assessment security team and meeting routinely, providing education…providing lunch…making friends…. it works!

Darren Death
ASRC Federal CISO
There is a lot of discussion and marketing around advanced cyber security tools and threat intelligence services these days. Many organizations are jumping to implement these tools/service offerings and have not made the initial investment to ensure that they have a strong Cyber Security foundation.

I believe that there will be a shift in 2016 focusing on the need to perform basic Cyber Hygiene practices. Many of the new frameworks and reporting requirements that are coming from the government and the private sector will force the organization to take a deeper look at their environment.

The idea of basic Cyber Hygiene may seem over simplistic; however, it is often times overlooked in favor of flashy tools or is not part of an IT organization’s culture. Often times an adversary does not need to implement highly advanced attacks because an organization has not performed their due diligence and has made the attacker’s job very easy.

Organizations will need to focus on understanding what their IT assets are and where they are located; ensure that the assets are securely configured; continuously validate that the configuration stays secured and that the environment stays patched; understand the risk profile of the environment; and have a risk reporting mechanism that is business/mission focused and connected to executive management. While the above list is not an exhaustive list associated with Cyber Hygiene it will go a long way to lowering an organization’s risk profile.

Todd Fitzgerald
Grant Thornton International Global Director Information Security (CISO)
In 2015 there was a clear shift from prevention to ensuring that adequate incident response capabilities would quickly discover and react to the breach. Cyber insurance was also garnering much discussion as a way to mitigate the risk, while the premiums and exclusions increased as insurance companies re-evaluated the risk/reward of the policies.

As companies looked for ways to demonstrate compliance, frameworks such as the NIST Cybersecurity Framework, ISO27001 Certification, Cloud Security Alliance Controls Compliance, HITRUST, SOC2 attestations and so forth were evaluated. Company boards became increasingly interested from a risk perspective.

Gene Fredriksen
PSCU CISO
Intelligence today has been productized, and as such is not conducive to widespread dissemination of consistent information. There can be weeks of lag time between sources passing alerts and advisories to its subscribers. Unfortunately, the result of this today is an inconsistent level of protection across the Internet, leaving gaps, which can be exploited and subsequently leveraged by criminals.

PSCU continued the expansion of our Security Analytics system in 2015, enabling us to correlate disparate log and system feeds, turning them into actionable alerts. From an operational perspective, driving down the false positive rate allows users to have a higher confidence level in the alerts being generated, and it yields better use of critical resources and faster response to true security issues.

The system has also simplified compliance reporting, allowing us to quickly produce customized reports as required. This continued investment in resources to combat cyber security threats has improved our people, process and technology systems targeted at protecting the information entrusted to us by our credit union owners.

Looking ahead to 2016 and beyond, the best hope for a consistent intelligence feed is the government, particularly DHS. However, the hurdles with getting private industry cleared to accept sensitive threat information have slowed the pace of rolling anything out to the masses. While there is pending legislation and programs targeted at opening up access to those information sources, the sheer size of the problem makes rapid progress unlikely.

I believe that the conversation on risk management will continue into 2016 and beyond at the highest levels of the organization, as many organizations are still inherently accepting too much risk. To support this risk objective, the conversation will shift to understanding “where does the key data lie,” and the appropriate preventative and detective controls will be architected to protect these ‘crown jewels.’

Security resources are scarce and expensive and thus need to be focused on the highest value assets. Finally, companies will be pursuing more partnering with outside resources for a piece of the security operation to obtain the technologies and skills sets needed.

David Hahn
Hearst Corporation CISO
The Security Industry is starting to focus beyond just data leakage or loss.  The data breaches will continue to happen but the concerns of disruption and inability for businesses to operate grows.  We have seen this with the SONY attack, and other disruption attacks worldwide.

Brian Kelly
Quinnipiac University CISO
Looking back at 2015, I would say it was the year that redefined APT. It went from the long-standing definition of Advanced Persistent Threat to Annoying Phishing Tactics. While InfoSec pundits continue to warn of zero days and skilled adversaries with arsenals of offensive cyber weapons, the most dangerous and effective tactic remains phishing emails.

The FBI’s report of over $740 million in losses from “Business Email Compromise” supports my thinking. Additionally, the Anthem breach that compromised 80 million members’ personal data began with a phishing email that compromised a database administrator’s credentials that were used in the heist.

Looking forward to 2016, I see an uptick in cyber liability Insurance policies being issued. This is a growth area that has the potential to impact our collective cyber security posture in a positive way. There are many pre-breach resources packaged in the policies including Information Security Awareness Training materials, vulnerability assessment tools and policies along with the more widely known post-breach services of incident response, forensics services, credit monitoring and notification support.

I wonder if this increased interest in and purchasing of these policies will raise the bar similarly to the impact that Ralph Nader’s book “Unsafe at any speed” had on the automotive industry 50 years ago.

Marty Leidner
The Rockefeller University CISO
For the information security community as a whole 2015 showed us a substantial increase in the number of attacks and also obviously in the sophistication and targeting of those attacks. This despite the increased spending of resources in attempting to protect our valuable data and enterprises. These factors together make the challenges we face in the coming year 2016 quite considerable.

That said, I think we have to look ahead at 2016 for actionable implementable solutions that both end-users and system administrators can use and live with. These solutions must also have demonstrable benefits that can be explained to upper-level executives. This is no easy challenge.

It requires, I believe, at the very least, a more intelligent targeted response to only the most highly vetted and credible alerts, in other words ignore the noise and focus in on the problems. I wish the information security community and solution vendors best of luck in attempting to meet this challenge. I am sure it would be an interesting year.

Brian Lozada
Abacus CISO
In 2015 the lack of information sharing between government and the private sector is an area that has been highlighted. The importance of collaborative and working partnerships between the homeland security enterprise and the high-tech private sector industries needs to become a priority to foster working together collaboratively to counter the threats of the ever-changing terrorist landscape in the cyber arena.

The private sector has expertise and can add value to help identify, remediate, and mitigate the cyber threats that are currently facing our nation. The homeland security enterprise has intelligence about cyber threats that if shared could arm more companies and organizations with information that will allow them to better protect themselves. Without these partnerships, cyber terrorists and cyber criminals will continue to have the advantage.

If cyber terrorists and cyber criminals take advantage of the lack of communication between the private sector and the homeland security community and tailor an attack, it could cripple our nation’s response efforts. The impact would be significant. This could be avoided with proper information and resource sharing and partnerships between the private sector and the homeland security community.

Michael Mangold
Tractor Supply Company Director of Information Security
In 2015, we saw many companies react to the uptick in data breaches across several business verticals as there was increased focus on information security.  Executive leadership has made information security a key focus to help secure critical assets, protect customer information and maintain shareholder confidence.  Companies began initiatives to improve incident response capabilities and take a more collaborative approach to information sharing with external partners to expand threat intelligence capabilities.

As we move into 2016, you will see incident response continue to be a primary focus as companies look to accelerate detection and response capabilities.  Third party providers will be closely scrutinized to ensure they have the right controls to protect company data.  Security resources will be at a premium, as the demand will continue to outpace the supply.  Managed security services will be leveraged to help address this shortfall and provide companies a cost effective, scalable model.

Vickie Miller
FICO CISO
If 2015 was the year of Threat Intelligence and Information Sharing, expect to see a growing gap between what product marketers are describing and what CISOs are ultimately finding useful and buying. Artificial Intelligence may become the new buzzword, but most security programs will still need to invest in areas that offer protection from opportunistic attacks (better processes, management and people).

Farhaad Nero
Bank of Tokyo-Mitsubishi Vice President of Enterprise Security
The year 2015 was pivotal in terms of realizing the impact that third party service providers have on an organization’s security posture. Heading into 2016, I would recommend that security executives — CISOs — within the organization do a deep dive on the security tools, protocols and practices used by their third party providers.

Your security is only as good as those who have access to your infrastructure. And, speaking from firsthand experience, the regulators also are increasingly focusing on this – and for good reason. Raise and extend the security bar.

Pritesh Parekh
Zuora CISO
In 2015, healthcare and the government were the top targets; IoT threats grew to become a major concern; and targeted malware increased in the retail and financial sectors. Security teams everywhere battled weak authentication and vulnerable security patches. On the bright side, Microsoft’s data trustee model tried to dispel European mistrust and cloud computing itself allowed security startups to quickly integrate their products and provide services for consumers.

The year 2016 is likely to be a record-breaking year for data breaches with the financial and retail sectors as the top targets. Cyber Insurance and ID theft monitoring companies will probably thrive in this environment.

And due to the increasing number of data breaches with healthcare organizations, HIPAA compliance enforcement may be revamped and become more stringent. On the global stage, Safe Harbor 2.0 may not address EU privacy concerns and may unfortunately become just another checklist item for most organizations.

Vanessa Pegueros
DocuSign CISO
The key takeaway for 2015 would be that Boards and C-Suite executives are broadly recognizing that security is a critical element of any business and must be taken seriously. The very public dismissal of executives at Target and other companies that experienced breaches put security and risk at the top of every executive’s mind – and this is good. Unfortunately, the continued volume of breaches that occurred made consumers numb and feeling helpless relative to their own ability to protect themselves and their personal data.

In 2016, I see four key trends dominating:

  1. Breaches will continue and cybercriminals will be looking at both new and old technology as vectors
  2. Boards and the C-Suite will spend increasingly more time, resources, and energy trying to solve the security problem. They will address this in a few ways:
    • The CISO role will be elevated in the organization – The old model of having the CISO report to the CIO will come under increased scrutiny and more and more organizations will transition to Board level visibility of security and risk topics.
    • Boards will ramp up their efforts to bring more risk and security expertise into their Boardroom.
    • Budgets for security technologies will continue to grow.
    • Cyber Insurance will gain momentum.
  3. Money will continue to pour into the security start up space:
    • This will congest the security space even more and create a bigger divide between decision makers and security vendors as decision makers increasingly grow confused over providers and their solutions.
    • This will create an opportunity for incumbent vendors and analyst firms to bring order to the chaos and help their customers get through the turbulent time.
    • M&A activity will begin to increase in the security space toward the end of the year.
  4. Consumers will begin to organize, setting the stage for future legal action against companies who have compromised personal data in a breach

So in summary, 2016 will bring more breaches, more attention from the top levels and more money being spent to solve the problems as consumers become increasingly less tolerant of their data being exposed in breaches.

Wayne Proctor
SVP, CISO FLEETCOR Technologies
The most important focus for cyber security in 2015 has been improving incident response capability. The wave of recent major data breaches makes it clear that if your company is targeted by hackers, you will be breached. This reality required a move from focusing on prevention strategies to becoming experts at incident response.

Companies not only need to have solid incident response plans but also need to gain deep visibility into what is happening inside their IT environment, as you can’t respond to something you don’t know about. Enhancing security visibility will be the primary driver for security spend in 2016. Primary solutions to help enhance visibility include: advanced threat identification, next generation SIEM, threat feeds and data analytics.

Joel Rosenblatt
Columbia University Director, Computer & Network Security

Looking back at 2015, the root cause of the major break-ins often started out as compromised accounts. The mechanisms for these compromises are varied, some highly targeted attacks requiring much research and planning, and some simple phishing schemes based on the principle of “if you throw enough mud against a wall, some of it will stick.”

My crystal ball is a little cloudy (pun intended), but in my humble opinion, the only way that we are going to stay a little ahead of the bad guys in 2016 is by getting very serious about the elimination of passwords as the final arbiter of identity. Multifactor authentication, while not perfect, is probably the best technology around at this point to make that happen.

The other tech that I see as becoming a major player in security in the near future is whitelisting. Depending on anti-virus to protect your systems is a sure way to allow the key loggers and root kits of tomorrow onto your computers, allowing for the collection of credentials, which is where I started (grin).

Anthony Scarola
CISO TowneBank
This year (2015) brought more successful email social engineering/phishing attacks, especially at SMEs, due to increased sophistication and difficulty in detection by filtering solutions and employees. This led to increased advanced malware, also difficult to detect by existing, signature-based solutions.

The number of connected devices increased, which added additional stress to overworked and understaffed IT for managing increased vulnerabilities. And, although financial institution cybersecurity regulation has increased, it has also matured; more FIs are doing better at communicating cyber risk to the board, leading to better protection of key organizational assets.

Next year (2016) will bring advancements in evolving technologies, including the coalesced use of data analytics, machine-to-machine communication of indicators of compromise, and artificial intelligence through deep learning, to more quickly prevent, detect, and respond to attacks. Regulation will continue increasing and evolving, and institutions will reengineer networks, enhancing security controls with advanced tools, focusing on the inner layers and key organizational assets.

Organizations will continue migrating to the cloud for compliance, cost savings and lower risk; however, this will also decrease agility and control. Sadly, many SMEs, some large enterprises, and a few cloud providers will see breaches of confidential information leading to identity, intellectual property, and/or financial theft, as the battle between good and evil rages on.

David Sheidlower
BBDO CISO
In 2015, consumers’ awareness of their Personal Intellectual Property (PIP) in the cloud began to accelerate and with it came the commoditization of consumer security schemes. This was most notable in the area of out of band authentication becoming widely available. This will continue to accelerate.

In 2016, I believe that consumers will begin to want to be able to view the logs of the access to their PIP in the cloud so they can personally monitor it for unauthorized access.

Terrence Weekes
DJO Global CISO
In 2015 CISOs were drowned with “next generation” technology. Venture capital investments in cybersecurity technology companies have saturated the market with niche solutions and services that have yet to be broadly recognized as “must-have” tools within enterprise security programs.

Understandably, IT vendors and solution providers are aggressively competing for cybersecurity market share. However, their approach with customers fails to consider the reality that the majority of publicized data breaches do not result from highly-sophisticated advanced attacks. Rather many of these data breaches result from basic security program deficiencies (poor vulnerability management, lack of system hardening, weak authentication, excessive elevated access, etc.) and lack of skilled staff resources to identify and respond to incidents earlier in the attack lifecycle.

While some CISOs operate world-class security programs, many are still struggling with achieving/maintaining regulatory compliance and aligning their program to business goals. The year 2016 will likely yield greater awareness of cybersecurity risks within executive and board ranks, and that awareness should drive CISOs to develop more appropriately-funded security programs that are threat-aware and business-focused.

5 CYBERSECURITY PREDICTIONS FOR 2016

I’m sure that there will be a ton of opinions around the new year’s biggest cyber threats. 2015 was a year that many won’t forget due to the impact of many huge breaches such as the embarrassing Ashley Madison breach or the Office of Personnel Management (OPM)’s breach (even I recently received a letter saying that my Social Security Number and other personal information was taken as part of an intrusion). One thing is for sure – cybersecurity is more important than ever since attacks are inevitable. With that being said – below is a recent list that highlights the top 5 predictions. Do you agree?

___________________________________________________

The past year brought a staggering number of high-profile data breaches and other cyberattacks. As usual, most hackers waged attacks for financial gain. But 2015 also saw a handful of others beginning to take action for moral reasons, targeting companies they believed were doing wrong.

In the coming year, security experts expect there to be other new types of hacks that diverge from the standard blueprint. Below, find out the surprising (and scary) developments they’re betting on.

1. Destructive attacks worsen.

Not only will cybercriminals have a greater variety of motives, they will also increase their range of targets, Patrick Peterson, founder and CEO of security firm Agari, tells Inc. “Businesses and government entities that have never seen themselves in the crosshairs will move into the scope for these diversifying attackers,” Peterson warns. Nontraditional targets such as power plants and consumer sites and applications are among those that could become victims.

2. Social engineering gets personal.

Social engineering, the act of tricking someone to reveal desired information either in person or through electronic communication, is not new. But criminals will continue to use it in creative and effective ways, taking advantage of the fact that humans are the weakest link in any company’s security. “They will pick one company, then one unsuspecting individual within that company to prey on,” Peterson says. “Using information on that person, gleaned through the sites they’ve visited or data the hacker has purchased, the bad actors will convince the good ones to unknowingly betray themselves, and ultimately the organizations for which they work.”

3. Attacks through apps.

If you’ve ever read privacy policies for mobile apps, you know that some apps access your email, contacts, and text messages. Hackers have already targeted massively popular apps like Snapchat, but these new attacks will go further–the personal information will serve as the basis for a larger scheme. “An attack entry point via an app on a mobile device may well be able to access a whole company network,” Margee Abrams, director of IT security services for Neustar, tells Inc. “In 2016, we will see many more companies recognizing this threat and applying for a professional vulnerability assessment that identifies potential security holes in networks, wireless networks, and applications.”

4. Internet of things hacks increase.

As more types of equipment connect to the internet, expect a host of new attacks to originate through them. The so-called internet of things “will become central to ‘land and expand’ attacks in which hackers will take advantage of vulnerabilities in connected consumer devices to get a foothold within the corporate networks and hardware to which they connect,” says Derek Manky, global security strategist for cybersecurity firm Fortinet.

5. Laws on infrastructure security.

There have already been hacks that caused physical damage in the offline world, but experts are warning that 2016 might bring an attack on critical infrastructure. The result, they predict, will be new laws to shore up the electrical grid, nuclear power plants, and other large energy facilities. “This year we will see governments making compliance mandatory across all critical infrastructure industries–with real consequences for non-compliance,” says Yo Delmar, vice president of MetricStream, a governance, risk, and compliance firm.

BadWinmail Microsoft Outlook Bug Can Give Attackers Control Over PCs

Please read from Microsoft (https://technet.microsoft.com/library/security/ms15-131)

Users are vulnerable just by reading or previewing an email

Just by looking at an email message in Outlook, attackers can now take control over your PC. The good news is that Microsoft has patched the issue, but unless you updated Outlook after December 8, you’re still vulnerable to this issue.

Security researcher Haifei Li discovered this peculiar Outlook bug, which he named BadWinmail. According to a technical report he put together after the vulnerability’s discovery, the attack is extremely easy to carry out and does not require any complex interaction from the end user.

The only condition is that the user views or previews the email in which the attacker has embedded a malicious Flash file.

Flash strikes again!

At the vulnerability’s root is Windows OLE, or Object Linking and Embedding. This technology allows various types of data objects to be embedded inside Office documents.

Outlook emails are considered Office documents, and Flash objects are supported via OLE. Unfortunately, Flash is also one of the most maligned software packages around, and comes with numerous, well-documented security issues that allow a full compromise of affected devices.

When a user opens an Outlook email or previews the email in one of the Outlook panels, the OLE mechanism will automatically read the embedded Flash object and try to execute it, to provide a preview.

Since most Flash exploits only need to be executed to work, and because there’s a flaw in the Outlook security sandboxing system, an attacker can easily embed malicious Flash objects inside emails and have other malicious code executed via older (Flash) vulnerabilities.

BadWinmail + APT = ♥

The indirect effect of a BadWinmail attack is that it will allow attackers to install more damaging malware like spyware or backdoors. “It’s also a wormable issue rarely seen on Windows platform nowadays,” said Mr. Li.

This type of damage and reach is very appealing to APT groups or cyber-espionage agencies that generally focus on smaller, individual targets.

In one specific scenario, BadWinmail attacks can be executed when the Outlook client is opened. These are the cases when the malicious email carrying the BadWinmail attack is also the latest received email. Most Outlook clients, when opened, are configured to show a preview of the last received email.

Microsoft fixed the BadWinmail-related issues on December 9 via the Microsoft Security Bulletin MS15-131 (CVE-2015-6172).

Spear-Phishing Website Hosts Outlook Web App Phishing Page

A Russian website designed for spear-phishing activities has been compromised to host a phishing page seeking to capture the log-in details for Outlook Web App.

The web page looks real, has high chances of success

Security researchers who observed the campaign discovered that it was targeted at recipients within universities and relied on a very realistic-looking fraudulent page that could fool unsuspecting students, faculty, or staff at the targeted educational institution into leaking their Outlook Web Access credentials to the attacker.

One difference that can be observed between the fake log-in page and the real thing is that the fraudulent one adds a field for providing the email address, whereas a legitimate log-in session requires only the username and the password to access the account.

It is important to note that this log-in information is in many cases the same for accessing other accounts. Proofpoint says that even if only one user falls victim to the scam, the attacker could obtain valuable information and possibly access to other resources; these could help them move laterally in the network and reach financial information or research data.

The security company did not mention the bait included in the spear-phishing email, but considering the quality of the fraudulent page, there is a high chance that it showed considerable social engineering skill.

Users should always check the URL of a log-in page before entering the sensitive information, especially when the link comes via email, from an untrusted source.
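The two tells described above (an unexpected URL and an extra email field) can be checked mechanically. The following is an added example, not code from the article or from Proofpoint; the host name `mail.example.edu`, the expected field names and both sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumptions for this example (not taken from the article):
EXPECTED_HOST = "mail.example.edu"          # hypothetical legitimate OWA host
EXPECTED_FIELDS = {"username", "password"}  # visible fields a real log-in asks for
NON_VISIBLE = {"hidden", "submit", "button", "image", "reset"}


class LoginFormParser(HTMLParser):
    """Collects every <form> with its action and its user-visible inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "fields": [], "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind in NON_VISIBLE:
                return
            if kind == "password":
                self._current["has_password"] = True
            self._current["fields"].append((a.get("name") or "(unnamed)").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_page(page_url, html):
    """Return a list of reasons the page does not look like the real log-in."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("page is not served over HTTPS")
    if (page.hostname or "") != EXPECTED_HOST:
        findings.append(f"page host {page.hostname!r} is not {EXPECTED_HOST!r}")

    parser = LoginFormParser()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue  # only forms that collect a password are of interest
        # Resolve relative actions against the page URL before comparing hosts.
        target = urlsplit(urljoin(page_url, form["action"]))
        if (target.hostname or "") != EXPECTED_HOST:
            findings.append(f"form posts credentials to {target.hostname!r}")
        extra = sorted(set(form["fields"]) - EXPECTED_FIELDS)
        if extra:
            findings.append("unexpected input field(s): " + ", ".join(extra))
    return findings


# Constructed sample pages (not captured from the campaign).
LEGIT_URL = "https://mail.example.edu/owa/auth/logon.aspx"
LEGIT_HTML = """
<form action="/owa/auth.owa" method="post">
  <input type="hidden" name="destination" value="https://mail.example.edu/owa/">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>"""

FAKE_URL = "http://portal.example.net/owa/index.html"
FAKE_HTML = """
<form action="login.php" method="post">
  <input type="text" name="email">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>"""

if __name__ == "__main__":
    for url, html in ((LEGIT_URL, LEGIT_HTML), (FAKE_URL, FAKE_HTML)):
        print(url, "->", check_login_page(url, html) or "no findings")
```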

Drone Registration Rules Are Announced by F.A.A.

A vendor showing off the Micro Drone at this year's International Consumer Electronic show in Las Vegas

WASHINGTON — The Federal Aviation Administration on Monday announced new rules that will require nearly all owners of remote-controlled recreational drones to register the machines in a national database, an attempt by the agency to address safety fears.

Federal officials have rushed to issue new rules on drones before the holidays, when an estimated 700,000 new drones are expected to be bought. Drone owners will be required to submit their names, home addresses and email addresses to the F.A.A., disclosures meant to encourage users to be more responsible, officials said.

“Unmanned aircraft enthusiasts are aviators, and with that title comes a great deal of responsibility,” Anthony Foxx, the secretary of the Transportation Department, said in a conference call. “Registration gives us an opportunity to work with these users to operate their unmanned aircraft safely.”

The federal rules are the first of their kind for users of recreational drones, also known as unmanned aircraft systems. The prices for the machines have fallen sharply in recent years, making them popular tools for aerial photography and videography, among other uses.

The government is taking more steps to address safety concerns and regulate the aerial vehicles.

In recent months, though, drones have been flown more frequently over parks, sports stadiums and backyards, and lawmakers and the public have grown more vocal about the need for new regulations.

The agency’s effort is limited by practical realities. A drone that collides with an aircraft would be destroyed, including the registration markings required by the new rules. And drone users who plan to use the machines for nefarious purposes may avoid registering at all.

“In practice, the F.A.A. doesn’t have the resources to police all illegal activity,” said Lisa Ellman, a partner at the Hogan Lovells law firm in Washington. “But the broader hope is that it will create a culture of accountability, and people will willingly participate.”

The F.A.A.’s registration rules, outlined in a 211-page document, generally follow recommendations submitted by a task force last month. The group included drone makers, aviation experts and hobbyist groups.

The rule applies to owners of drones weighing between half a pound and 55 pounds, and only American citizens will be allowed to register. The F.A.A. said it would introduce the website for registration, faa.gov/uas/registration, on Dec. 21; registering will be free for the first 30 days. After that period, the fee for each individual drone user will be $5 for a three-year certificate of registration.

As expected, the F.A.A. laid out its rules for requiring almost everyone with a recreational drone to register the machine with the government.

Anyone who owned a drone before Dec. 21 will be required to register a machine by Feb. 19, 2016. People who get a drone after Dec. 21, which includes anyone who receives a drone over Christmas, will be required to register before their first flight. There will be an option for owners to register by mail or in person, and the rules apply only to people over the age of 13, though children are permitted to fly under a parent’s registration.

The users are then required to put their registration numbers on any drone they own and have their registration card on them when they take a drone out for a flight.

Many questions remain on how the rules will be enforced and how consumers will be informed, though the F.A.A. said it would promote the new rules online and work with retailers and hobby groups to inform the public.

“I’m sure retailers and others are scrambling right now,” Ms. Ellman said.

Drone manufacturers and hobby groups have warned that the $5 for registration in the United States will harm their businesses and discourage new users. But the F.A.A. said it was necessary to charge a fee to cover the costs of running the database.

A camera drone in Manhattan. Lawmakers and the public have grown more vocal about the need for new regulations

Critics of the registration said the minimum weight of half a pound — the equivalent of two sticks of butter — would include too many small toy drones that are most popular with children and are generally harmless.

Failure to comply with the rules could result in criminal penalties of up to three years’ imprisonment, or $27,000 in fines. The F.A.A. said it would work with local law enforcement to enforce its rules. The agency already has guidelines that restrict drones from being flown above 400 feet, at night and within five miles of an airport.

Experts said they doubted the agency would impose heavy penalties on first-time hobbyists.

“In reality, they aren’t going to go after the uninformed innocent new user,” said Michael E. Sievers, a lawyer at the Hunton & Williams firm.

Regulators in Europe are also trying to figure out how best to guarantee the safe operation of remotely piloted aircraft.

But unlike in the United States, where Congress and the F.A.A. have the power to regulate the types of vehicles that are allowed to fly and where, the reach of Brussels has been limited.

The European Parliament passed a resolution in October calling on the European Commission to draft European-wide guidelines that address not only safety, but also the privacy concerns raised by the use of drones that are able to collect and store photo or video images. The resolution also called for drones to be equipped with unique identity chips and for user registration requirements.

Cybersecurity Information Sharing: What You Need to Know

The Latest

We are in “the red zone” for the Senate’s Cybersecurity Information Sharing Act (CISA), one of the first significant cybersecurity bills, currently in conference with a House version. So what does this mean for U.S. companies?

Under CISA, companies would receive liability protection for

  • Monitoring information systems (including their own and those of their customers when given permission), and
  • Voluntarily sharing cyber threat information with other companies and the government.

However, major concerns still plague the process, and some of the biggest names in technology (think Apple, Microsoft, LinkedIn, Facebook, Google, and others) vehemently oppose the bill. We outline some of the pros and cons here and what the bill means for U.S. businesses:

The Pros

  • Better Baseline: New liability protections under CISA will likely raise the bar for security practices. Defining liability implies setting a baseline, and enterprise due care will expand in response. Liability protections also enable companies to set up their own network defenses to repel attackers.
  • Real-Time Data: The quality of threat information and enterprise response could improve significantly. Companies that share and receive real-time threat information would be better informed about the threat environment, and could take action quickly.

The Cons

  • Privacy, the Casualty (Again): Industry groups and privacy advocates fear the law would skirt multiple privacy concerns. As companies share threat information with each other and with government, there is a high likelihood that on occasion, personal data would accidentally be included. CISA’s liability protection would cover companies that run into this type of situation, putting customer privacy at risk. So far there has been little thought paid to the consequences of a slip-up.
  • Government Duplication: Others fear heavy government involvement in developing plans for cyber incidents that affect critical networks. In general, heavy government centralization of information sharing is seen as unnecessary and too sweeping, when companies like Facebook are already building their own information sharing capabilities like Threat Exchange.

Despite the cons, we are still nearing the final stages of a significant cybersecurity bill. So what can we do moving forward?

The Takeaways

We discuss a few takeaways here for how to take action, but as CISA evolves, so will the implications for U.S. businesses. Here are the actions we think will stay constant:

  • Develop a company position on handling information sharing, stating whether real-time information sharing or data sanitization and privacy is the highest priority. Small and medium businesses in particular should take a hard look at participating if they don’t have the infrastructure to support privacy best practices and stringent data security.
  • Invest in educating network defenders. Sharing and receiving threat information and erecting network defenses requires ongoing education, strong network design and security practices, and organizational oversight.
  • Update and streamline identity and access management, and ensure granular access controls for those interacting with information sharing portals.

As security guru Bruce Schneier has stated, we’re still squarely in the “response era” of cybersecurity. We’ve evolved from learning about the threat landscape, we’ve seen government and industry collaborate to build the NIST Cybersecurity Framework, and now the national dialogue is focused on breach response and information sharing. The conversation about CISA reinforces that, but will have to make privacy a core component for us to evolve further.

The Realities of Shadow IT

Every business wants to maximize profits and efficiency. Naturally, employees sometimes feel that the best way to do that is to bypass the IT department and use their own software or services.

Shadow IT refers to technology not supported by a company’s central IT department, and as personal devices become more sophisticated and as more employees turn to the cloud for new systems, shadow IT becomes easier to implement.

Of course, there is nothing inherently wrong with shadow IT. Many view it as an inescapable reality of any company that uses technology and data storage. In fact, IT departments are often aware of shadow IT within the company and make use of it themselves.

However, the reality is that shadow IT introduces security risks because it is not introduced to the same security measures as company-sanctioned technology. Cloud-based file sharing services are common forms of shadow IT, and many workers are unaware that such IT can be dangerous.

In this day and age, it would be so easy to use a simple service like DropBox to store corporate data. But something like this could result in a major security breach.

The advantages of some cloud services are that your data always remains secure and nimble. Some cloud services build a secure network between the cloud, your carrier, and all Peak cloud nodes with a 100% SLA guarantee to keep out “noisy neighbors.” Plus, in the ever-changing business environment where new technologies are constantly affecting your business, some cloud services provide you with whatever you need in the way of technology and security to help you focus on your core business.

With a Hybrid model, services can provide management and access to both enterprise private cloud and connected Shadow IT platforms. For example, organizations can continue to allow business units to leverage AWS public cloud based environments where speed-to-market and flexibility is critical. Corporate IT can then provide business units with similar levels of flexibility to deploy applications that contain customer sensitive data in a highly secure private cloud environment.

Regardless of how you store your data, having an honest assessment of your company’s shadow IT usage could go a long way towards increasing productivity and protecting your data.

The Danger of Fake Patches

We talk a lot about threats to data security on this blog, and personal experience has probably acquainted you with everything from Trojan Horses to phishing.

Here’s a particularly sneaky threat that’s becoming more and more common:
Fake patches.

Part of what makes them a problem is that, unlike those spam e-mails from people and companies you don’t know, fake patches can look like perfectly reasonable notices from software services or programs you’d expect to receive patches from, like Adobe or Google Chrome. The fake updates display the company logo, so they seem real enough. In fact, just last year, a hacker sent out a fake version of Java Update 11 that contained malware.

How well-equipped you are depends, not surprisingly, on the security measures you have in place. Keeping the auto-update feature on is good practice, provided your software is designed to identify incoming patches and make sure they’re genuine. Even then, it’s possible for malware to use a fraudulent certificate to get around an auto-update program.

There are a number of things you can do to minimize risk. Cutting down on Shadow IT and foreign software on corporate machines makes it harder for hackers to send fake patches. A robust antimalware service is another step.

But at the end of the day, just being smart and cautious goes a long way. Fake patches often look suspicious in the same way spam e-mails look suspicious. They might have misspellings or they just don’t look like a software update you’re accustomed to seeing. They might even ask you to pay for the software they’re asking you to download.

Little things like avoiding pop-ups and scanning and cleaning your computer help, too. And, as always, talk with the IT department and back up your files. Communication and stored, safe files will ensure a small problem doesn’t become a big one.

IG: OPM still vulnerable to cyber attacks

Despite some improvement, the Office of Personnel Management continues to lag in cybersecurity, according to the most recent info security audit from the agency’s internal watchdog. Failure to move on key vulnerabilities leaves OPM potentially open to another devastating attack, according to the fiscal 2015 audit from OPM’s Office of the Inspector General.

Despite an increased focus on IT security at OPM after a breach exposed the personal information of over 20 million current, former and prospective federal employees, the agency “continues to struggle to meet many…requirements” under the Federal Information Security Modernization Act, the report stated.

One key weakness: CIO Donna Seymour in April issued an extension on OPM system authorizations that had expired. A continued moratorium on authorizations “will result in the IT security controls of OPM’s systems being neglected,” the report said. “Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack.”

As many as 23 major OPM IT systems are operating without a valid authorization, according to the OIG. The agency agreed with the OIG’s recommendation that all active OPM systems have a valid authorization, but the OIG does not appear convinced of OPM’s intent to follow through on it.

“The [Office of the CIO] could not have made a ‘risk-based’ decision to extend the authorizations of these systems because it has not done any assessment to determine what risks actually exist within these systems,” the report said.

On the positive side of the ledger, OPM closed one recommendation to expand its network monitoring program to include the Continuous Diagnostics and Mitigation Program offered by the Department of Homeland Security on Sept. 30 of this year.

On Nov. 6, OPM’s tech team expanded its data collection to record “more meaningful data” on network events, while reducing the proportion of extraneous information, closing an OIG recommendation from 2014.

Changes made to information security governance this fall at OPM satisfied a long-standing weakness cited by OIG. At OIG’s urging, the agency implemented, “a centralized information security governance structure where all information security practitioners, including designated security officers, report to the [chief information security officer].”

Still, key weaknesses remain, according to the report. OPM does not have a thorough inventory of its servers, databases, and network devices, which “drastically diminishes” the effectiveness of the agency’s security tools, the report stated. In an age of telework, the OIG also found that OPM has not configured its virtual private network servers to automatically log out of remote sessions.

An ambitious project to revamp OPM’s IT infrastructure by migrating applications to a new “Shell” environment has impacted OPM’s FISMA reporting metrics. The audit compared OPM’s inventory of major IT systems with an inventory done in preparation for the Shell migration.

“There are significant discrepancies between the two lists, and our primary concern is that there are still unidentified systems residing on OPM’s network, and that existing applications are not appropriately classified as major or minor,” the report said. OPM has estimated that the first two phases of the Shell project will cost $93 million, and the agency has struggled to come up with the money for the project.

In comments on a draft of the OIG report, the CIO office said it was “proud” to report that it had closed 77 percent of recommendations made by OIG FISMA audits from fiscals 2007 to 2014. The OIG was less impressed with that number.

“The vast majority of those recommendations were closed many years ago, and are no longer relevant to the current cybersecurity threats that the agency faces,” the OIG report stated. “A more relevant statistic is that OPM has closed only 43 percent” of recommendations in fiscal 2013 and 2014 FISMA audits, it added.

Judge David Campbell: Predictive coding rarely proposed, rarely used

This is the second part of an interview with US District Court Judge David Campbell, the former chair of the advisory committee responsible for drafting newly promulgated amendments to the Federal Rules of Civil Procedure. In part one, Judge Campbell addressed the prospective impact of the rule changes, and what their emphasis on proportionality and cooperation may mean in practice. He also outlined the evolution of the federal spoliation sanction rule, 37(e), which has been the focus of much debate and handwringing.

Here he discusses what other measures must accompany the rule changes to bring a substantive reduction in litigation costs, speed case resolutions, and reopen the federal court system to those it has priced out. We also ask him to share his experience with predictive coding and how it is — or is not — being used in his courtroom.

Logikcull: In the commentary to Rule 37, the committee noted that “The court should be sensitive to the party’s sophistication with regard to litigation in evaluating preservation efforts; some litigants, particularly individual litigants, may be less familiar with preservation obligations than others who have considerable experience in litigation.” Has anybody challenged that language as potentially giving a free-pass to litigants who are “willfully ignorant” — or maybe just lazy — when it comes to their preservation obligations?

Hon. David Campbell: I have not heard those challenges. It may well be that some folks have that concern. I will tell you, from my perspective, a very important background for this rule change is that the reality is that ESI is now in the possession of everybody. The personal injury plaintiff who walks into the lawyer’s office on crutches after the car accident has ESI that’s relevant to the injury, whether it’s their Facebook page, or the text they sent to their girlfriend after the accident, or communications with their doctors, or emails they might have sent. And that’s a very different world than we lived in 20 years ago. The reason for the comment you just read from the committee note is that if that person turns out to have not stopped Facebook’s deletion of posts — and I don’t know how Facebook deletes posts, but just use that as a hypothetical — a court can take into account their lack of sophistication in deciding later what Rule 37(e) measures should be imposed.

And I think that’s right. I don’t think we should hold them to the same standard as an entity that has an IT department. A number of the most prominent cases on the loss of ESI — I believe this is correct — deal with the plaintiff’s loss of ESI.

We had an expert tell us in one of these (rules committee) hearings that by 2018 — maybe he said 2020 — there will be 26 billion devices on the internet, which is, you know, four for every person on Earth. And the truth is, I believe, five years from now, 10 years from now, the amount of information that each person has in the cloud will be equivalent to the kinds of records that used to be found in the filing cabinets of entire businesses. So ESI, in my view, isn’t just a problem for the big entities. It’s a litigation issue for everyone, and this rule (Rule 37(e)) tries to take that into account.

“Five years from now, the amount of information that each person has in the cloud will be equivalent to the kinds of records that used to be found in the filing cabinets of entire businesses. So ESI, in my view, isn’t just a problem for the big entities. It’s an issue for everyone.”

Logikcull: Well, to that point, data growth is accelerating at an incredible rate. Is there any fear that whatever cost-lowering impact these changes will ultimately have will be negated by the fact that, not only is there going to be exponentially more data, but also that the technology available to handle that data does not appear to be getting much cheaper? Do you have that concern? I imagine you do.

Judge Campbell: I do. I think any judge or any lawyer involved in litigation should. We are hoping that these rule changes help through Rule 37(e) in bringing some level of uniformity of how you deal with the loss of information. We hope Rule 37(e) will reduce the amount of side litigation that occurs over loss of ESI and sanctions. The proportionality change and the case management changes, as well, are intended to get judges involved earlier in cases and work with the parties in figuring out how we get cases resolved efficiently given many factors, one of which is ESI which has to be dealt with in the case.

I don’t pretend to believe we’ve solved the problem. I think you’re right – we don’t really foresee the extent of the problem and it’s something that the courts are going to have to adapt to. But our intent is to at least make some progress on dealing with ESI through these amendments.

“I don’t pretend to believe we’ve solved the problem. We don’t really foresee the extent of the problem.”

Logikcull: Judge, what’s your sense of how well technology — and I’m now talking about the legal provider side, or e-discovery vendor side — has developed and been adopted by practitioners to counter these rising data volumes? I’m particularly interested in knowing your thoughts on, if you’ve even seen it, the utility of predictive coding… The field has put a ton of faith into that process and others, and into technology in general — and it seems to me, anyway, that the results have been somewhat underwhelming. Do you have an opinion on that?

Campbell: I’ve got some thoughts. I don’t know if they’re mature enough to call them an opinion [laughing]… I think it’s a reality that, going forward, we’re going to have to find technological solutions to this growth of ESI. The reality is that the old model of having lawyers or paralegals review every document that’s produced is not going to work. It just can’t work in a world where you’re dealing with millions of documents. We either incur enormous expenses continuing that model; or we surrender and produce everything — which I don’t think lawyers are going to do; or we need to find a technological way to winnow down the ESI to a manageable size.

So my view is, whether it can accurately be said that, today, technology is solving the problem, ultimately it’s going to have to solve the problem, because I don’t think the court system and lawyers are going to be able to continue dealing with it the way we dealt with paper evidence.

I will also say that I’m finding in my cases that predictive coding or technology-assisted review is rarely proposed by the parties and rarely used. I think that will change over time. I’ve seen more of it over the last few years. But it is still used in a very small percentage of the cases. And I am surprised at the number of big document cases where the parties do not use it, even when I suggest it. They instead prefer keyword searches.

I think part of that is the need to educate the bar through sophisticated litigators as to what the technology can do, and it is my hope that the predictions will prove true that it really can do this more quickly and more accurately than people.

But I’m not seeing it used widely in my cases, and, you know, Phoenix is the fourth or fifth biggest city in the United States. So I think we have our share of complex cases, and yet it is still a rare commodity in my cases.

Logikcull: You mentioned the emphasis in the rule changes on making judges more proactive case managers. Judge [Paul] Grimm [of the federal District Court in Maryland], among others, has been pretty vocal about the idea that judges do not traditionally view themselves as case managers, but as dispute resolutionists. What’s your assessment of how well the judiciary will be able to take a more proactive role in facilitating some of these e-discovery issues?

Campbell: I have no illusion that simply re-writing the rules is going to transform judges from passive to active case managers. It clearly won’t. And as you know, the idea of active case management has been in the Federal Rules since 1983, when Rule 16 was revised to create an active role for judges. So we have been of the view that these rule changes need to be accompanied by a very significant education effort to encourage judges, in particular, to be more active case managers. Many are. But Judge Grimm is right that many still are not.

There are a number of steps we’ve taken. Members of the committee have written articles. We’ve created videos that are now on the Federal Judicial Center website that have been sent to every federal judge in the country explaining the rule changes. The committee has written letters to every chief district judge and every chief circuit judge in the country asking that they include the new rule amendments in district and circuit conferences next year to educate judges and lawyers about them. We’ve compiled materials that are available for judges on the FJC website — articles, PowerPoints and other things. And the Federal Judicial Center, which is the entity that trains judges, is intending to do more active training of judges. We’re hoping that that push, along with the rule changes, will bring about a behavior change on the part of us judges. Whether or not it works, we’ll have to see over time. But I’m hoping, at least with many judges, it will produce more active case management.

Logikcull: To stay on this theme of education, but now turning to educating the bar and practitioners… I get the sense, just as an outside observer, that there is an education gap. You have some small percentage of highly knowledgeable people who are technically competent who typically, though certainly not always, come from the largest law firms and largest corporations. And then you have some large remnant that tends to not understand this stuff at all. You’re at the federal court level. Is that what you’re seeing? Or are you seeing a general rising of education?

Campbell: Well, I certainly see lawyers who understand the rules and are dealing with ESI better than others do. But I don’t think I would say that you find all of the best prepared lawyers in the large law firms or large corporations. I see many lawyers who are sole practitioners or who are in small firms or government attorneys who are right on top of ESI and the rules.

But there’s no doubt that many are not. I think that is changing. I alluded to it a moment ago, I’m seeing more and more — although it’s still a fairly small percentage — thinking about things like technology-assisted review. And I’m definitely seeing more who are dealing with ESI up front and talking about it at the Rule 26(f) conference. I’m hoping that the publicity that occurs in connection with these rules amendments — and there is a fair amount of publicity going on through various bar groups — will educate lawyers about these ESI issues in a way that they haven’t been before. As I said earlier, we have to deal with ESI in the federal courts. I think everybody involved is becoming more and more aware of it — and we’ll see lawyers become more sophisticated over time.

“I’m seeing more and more (lawyers) — although it’s still a fairly small percentage — thinking about things like technology-assisted review.”

Logikcull: Some practitioners see the expense associated with e-discovery as an access to justice problem. Judge John Facciola has gone so far as to say that e-discovery is contributing to making the federal court system a “playground for the rich.” Is that a sentiment that you share?

Campbell: I don’t think I would call it a “playground for the rich,” but I absolutely agree that too many people cannot afford to litigate in federal court. I do think the cost of federal litigation makes it unavailable to the average citizen. And I see many of them who are representing themselves struggling to handle a case because they can’t get a lawyer to take it because it doesn’t have enough money at stake. I think that’s a problem.

That’s one of the problems we talked about at the 2010 conference that I mentioned. Part of our intent in putting the proportionality idea into the new rules and trying to get judges to actively manage cases more efficiently from the beginning, and we hope cutting down the side litigation over the loss of ESI, is to rein in the cost of discovery. There are other things that the Civil Rules Committee and other Judicial Conference committees are looking at to try to make civil litigation less expensive.

But in my view, it absolutely is a problem, and one that we need to work hard as a federal judiciary to solve.