Month: January 2019

On January 30, the United States Patent and Copyright Office (PTO) announced that on January 28, President Donald J. Trump had signed the documents to ratify the Marrakesh Treaty to Facilitate Access to Published Works for Persons Who Are Blind, Visually Impaired, or Otherwise Print Disabled.  The Marrakech Treaty, which was adopted in 2013, is largely modeled on existing United States law.  With 48 other countries as Members of the Marrakech Treaty Assembly, it now constitutes part of the body of international copyright law that the World Intellectual Property Organization (WIPO) administers.

The USPTO explained that the Treaty

is intended to reduce the global shortage of print materials in accessible formats for the many millions of persons who are blind, visually impaired, or have other print disabilities (such as physical limitations that prevent holding a book).

The treaty ensures, with appropriate safeguards for publishers, that copyright restrictions will not impede the creation and distribution of copies of published works in special formats accessible to these individuals. It also fosters the cross-border exchange of such copies internationally, allowing eligible U.S. citizens to obtain currently unavailable access to books published abroad.

Once the United States formally deposits the ratification documents that President Trump signed with the WIPO, 90 days later the Treaty will  enter into force for the United States.  That means, as the USPTO put it, that “U.S. nationals will be entitled to the benefits it provides in all of” the 48 other Treaty members.

Note: Legal and corporate compliance officers responsible for intellectual property issues in U.S. companies should take note of the United States’ ratification as a positive development to expand accessibility of published works for the blind and visually impaired.  They should track the date of deposit for the ratification instruments, to determine when the Treaty will enter into force for their and other U.S. companies.

On January 4, Baltimore Mayor Catherine Pugh announced that she selected New Orleans Police Superintendent Michael S. Harrison as her choice for Commissioner-designate of the Baltimore Police Department.  What makes this announcement of interest to ethics and compliance experts is the innovative approach to policing ethics that Harrison, who served in the New Orleans Police Department (NOPD) for 27 years and led it since 2014, implemented in the NOPD and plans to implement in Baltimore.

The approach, as developed in New Orleans, is known as Ethical Policing Is Courageous (EPIC).  At its most basic level, EPIC seeks to counteract the “bystander effect” – a common behavior in which individuals in a group setting who witness an unethical or illegal act remain silent when they see that no one else in the group is speaking or acting to address the improper act  —  with “active bystandership.”  In general terms, an active bystander, according to the MIT Active Bystander Program, “assesses a situation to determine what kind of help, if any might be appropriate” and “evaluates options and chooses a strategy for responding.”

As the Washington Post reported last week, EPIC beings with “a training program for officers that emphasized ‘active bystandership and peer intervention’” and creates an expectation

that officers should step in when a colleague is misbehaving — assaulting a citizen, lying on a report, planting evidence — and stop the bad acts before they happen or else report them. “When they see misconduct potentially about to happen,” [New Orleans] Deputy Superintendent Paul Noel said, the goal is “to step in and say, ‘I got this. Back off.’” The idea is that once one bystander steps in, others often follow suit, and the peer pressure keeps the bad act from occurring.

“Active bystandership is contagious,” Noel said. “It’s hard to resist an outspoken co-worker who is intent on doing the right thing.”

New Orleans police are starting to build up anecdotes of EPIC in action. In one instance, officials said, officers had handcuffed a man after fighting, and a sheriff’s deputy from another department walked up and kicked the man in the face. “We don’t roll like that anymore,” one of the officers told the deputy, and then they arrested him. “Previously, everybody would have looked the other way,” Noel said.

At a recent Fourth of July festival, a handcuffed man spit blood and saliva in an officer’s face. “The officer was about to respond,” Noel said. “Then he thought about the EPIC program and walked away.” Trainers in the program use spitting in role-playing as a way of persuading officers not to respond with force that can ultimately harm the officer as well as the spitter.

Four elements of the EPIC program that the Post article identified appear to have enhanced its acceptance within the NOPD:

• Source Credibility: The NOPD, as the Post described it, “sought out officers who were respected among the rank-and-file, whose support for EPIC would carry weight on the street, and recruited them to teach the program during in-service training. And the department pitched the program to union leaders as a way for officers to avoid disciplinary problems by not getting reported in the first place.”
• “Tone from the Top”: The EPIC program began by training the top NOPD commanders first, including Harrison.
• Individual Public Commitment to Program: NOPD officers “now wear an EPIC pin on their lapels, declaring their commitment to acting ethically and reporting any misbehavior they see.”
• Positive Reinforcement of Ethical Behavior: “Body-camera footage of incidents where officers have intervened to stop bad actions is used in training sessions, and officers who successfully intervene are honored, Harrison said.”

Although NOPD commanders acknowledged that the success of EPIC is difficult to measure, citizen complaints about the NOPD have reportedly decreased substantially, from 850 in 2016 to 734 in both 2017 and 2018, and citizen satisfaction with the police has increased.

Note: The challenges that Harrison will face in implementing EPIC within the Baltimore Police Department are likely to be formidable.  As a Baltimore Sun article recently noted,

Baltimore is the most murderous big city in the United States. The police department has been exposed as a hot bed of corruption, where a recent federal investigation brought down a unit of detectives who stole and resold drugs on the street, among other crimes. The city’s consent decree was put in place in 2017 after U.S. Justice Department investigators determined Baltimore police had engaged for years in unconstitutional and discriminatory policing.

The Baltimore Police Department operates with a half-billion dollar annual budget, but still manages to spend millions of dollars each month on overtime. Recruitment has been dismal, officer morale is poor, and crimes routinely go unsolved.

On the other hand, Harrison faced very similar challenges in improving a department that, like Baltimore’s, has had a reputation for brutality and corruption and has been under a consent decree. The fact that other cities, such as Honolulu, Albuquerque, Baton Rouge, and St. Paul (MN) are adopting the EPIC approach suggests that EPIC is an approach suitable for policing in every city and state.

For that matter, corporate ethics and compliance officers should look more closely at the EPIC approach and consider incorporating elements of the EPIC program into their own compliance programs.  A generic “speak up” corporate policy, or ethics hotline with state-of-the-art technology, will accomplish little if executive and employees at all levels are skeptical that C-level executives truly welcome and reward ethically-based actions.   On the other hand, if employees see that those same C-level executives not only attend ethics training but speak out within the company to foster an active bystander culture, and prominently recognize and reward employees whose actions demonstrate active bystandership, the more likely that the company’s ethics program will improve its credibility and effectiveness over time.

On January 25, Le Parisien published an interview with Guillaume Poupard, the Director of the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) (National Cybersecurity Agency).  Last week, at the International Forum on Cybersecurity (FIC) in Lille, France, Poupard raised the possibility of a “cyber-Pearl Harbor.”

In the interview, Poupard explained his concerns about that prospect:

We fear and wish to avoid a succession of massive surprise attacks. All the technical elements are available, it remains only to have the will and to light the first fuse. There are two threats: theft of intelligence and sabotage. We have seen that many countries have developed capabilities to sabotage computer systems. All that is missing is the trigger. With the geopolitical context degrading, some countries may one day be tempted to attack us with cyberattacks. (All translations informal)

With regard to the April 2015 cyberattack against TV5Monde, which has since been ascribed to a group of Russian hackers, Poupard characterized it as sabotage, adding,

and there was an explicit message. [Note: The hackers called themselves the Cyber-Caliphate and made threats against France, only a few months against the Charlie Hebdo terrorist attack.]  We have since detected attacks from state, private, or terrorist actors who are not yet aiming to destroy but to insert themselves into and especially to study the computer systems of three of our critical sectors: energy, telecommunications, and transportation. For example, it is necessary to anticipate terrorist attempts that in 10 years would involve a plane whose system was hacked.

When asked whether French companies are prepared for large-scale cyberattacks, Poupard tactfully replied:

The awareness is heterogeneous, to remain politically correct.  There are sectors like the banking sector, where security is part of their DNA. But there are other areas such as heavy industry, that used to protect themselves with simple fences and is surprised to have attacks on their digital tools connected to the Internet. But leaders talk to each other and are more aware of the risks.

Poupard also explained that ANSSI

only does defense, not intelligence or attacks.  We have considerable resources, even if I always ask for more like any good director.  We have around 600 people who are high-level experts. The new laws have allowed us to work with vital operators, whether they are ministries or transport companies or in energy, to mandate strengthening their cybersecurity.  We have the ability to detect attacks in ministries, and tomorrow we may have the possibility to detect them directly upstream from the [Internet] hosts and telecom operators.  But we cannot be the sole security of France, which is why we certify and qualify private companies to cover everyone.

When asked how we can know who is responsible for an attack, Poupard called the attribution of an attack to a particular person or entity

a very complicated extreme sport.  In France, we are more cautious than our allies before pointing the finger. This is because we have more fear of repercussions or we have less information. There is always a doubt about responsibility. Attributing an attack is good for preventing an attack.  Instead, we have the feeling that with some actors, large states that I will not name, it is more efficient to have a frank discussion in a private and secret context.

Note: Poupard’s remarks should be of interest to information-security officers in general, and certainly to those in companies and government agencies with operations and interests in France.  Although his basic message is already well-recognized in cybersecurity circles, his statements provide some indication of the approach that ANSSI is taking to improving cybersecurity.

With regard to his reference to “cyber-Pearl Harbor,” that metaphor has been in vogue for some time – albeit sometimes as a straw man for commentators to dismiss as hyperbole.  It is worth remembering, however, that the real Pearl Harbor did not involve the full global range of U.S. military might, but rather the targeting of a specific regional concentration of naval power that at that time represented a perceived significant threat to Japanese military interests in the Pacific.

A cyber-Pearl Harbor, in other words, need not leave an entire society in smoldering ruins to have vital military or geopolitical value for the attackers, or the state actor for whom they are working.  Nor need it be a single, limited-duration attack.  Poupard’s use of the phrase “a succession of massive surprise attacks” may suggest where his greatest concern lies in anticipating and preventing future cyberattacks.

On January 27, the Washington Post published an interview between Lally Weymouth of the Post and Brazilian President Jair Bolsonaro during his visit to Davos for the World Economic Forum.  While the interview ranged widely to touch on various topics such as the need for pension reform in Brazil and his admiration for U.S. President Donald Trump, certain views on the following topics are especially noteworthy:

• Corruption: When Weymouth asked what his government would do to fight corruption, Bolsonaro replied, “Minister of Justice Sérgio Moro has available all the [tools] to follow the money trail. Corrupt people will no longer enjoy an easy life in Brazil.” When Weymouth then asked about Bolsonaro’s son, newly elected Brazilian Senator Flávio Bolsonaro, who reportedly hired multiple people with close ties to gang members, Bolsonaro responded, after pointedly stating, “This is not a government or a federal administrative matter – or your business”:
  • “To a large extent, his family name, Bolsonaro, is the reason why he has so much visibility. What has been said about him so far is the result of political accusations from people who want to criticize my administration. My son has always worked with the Rio de Janeiro state military service and has granted more than 300 different decorations and honorable titles to members of the military who [fought] in combat. Two of those are now being charged with wrongdoing. Of course, the person who granted the decoration cannot be blamed.”
  • Bolsonaro ended this response with the enigmatic comment: “Should any evidence become available against my son, he will be punished like anyone else and serve his penalty.”
• Venezuela: When asked about his view of the Maduro regime in Venezuela and whether he thought regime change was a good idea, Bolsonaro said that “[w]e” have always been against the Maduro regime, and that the current regime “must be changed.”  When asked how he saw that happening, he replied, “You [the United States], of course, must remove Maduro from power.  He happens to have 70,000 Cubans on his side, so it will not be easy to remove him from office.”  Bolsonaro also indicated that he opposed the use of Brazilian troops for that purpose, saying, “We will not embark Brazil on a military intervention.”  He added that although Brazil had “welcomed and accommodated refugees” from Venezuela, “[w]e have pretty much reached our limit and have clearly signaled to the Maduro dictatorship that Brazil does wish to see change in the current regime of Venezuela.”
• Democracy: When Weymouth asked about his commitment to democracy — noting his past expression of admiration for the Brazilian military dictatorship that ruled Brazil from 1964 to 1985, Bolsonaro said, “The military saved Brazil from a potential dictatorship in 1964.”  In response to a followup question about his commitment to democracy in Brazil, Bolsonaro said, “We will shore up democracy at any cost. . . . I represent freedom and democracy.  Our armed forces guarantee what I am stating to you. . . . The armed forces are the guarantor of democracy.”

Bolsonaro also acknowledged that it was “a possibility” that he might serve only one term as President because of the unpopular things he will need to do, but indicated that “[t]he jury is still out” on whether he would not run again.

Note: In contrast to his first few days in office – when a number of his initial public statements on issues such as a possible tax increase, placement of a U.S. military base in Brazil, and abolition of a land-reform program were quickly contradicted by other Brazilian authorities – Bolsonaro gave responses to the Post interview that apparently raised no official hackles and appeared generally consistent with his basic positions during his Presidential campaign.

Bolsonaro’s answers about his son Flávio, however, will not quiet suspicions about possible corruption in the family that is at odds with his public commitment to combating corruption, and to his and his son’s campaigning on anti-corruption platforms.  The recent report that a Brazilian Supreme Court Justice ordered a Rio de Janeiro state court to temporarily suspend an investigation into suspicious payments by Flávio to his former driver can only intensify those suspicions.

In an article published in Social Science Computer Review, four researchers conducted an analysis that found a significant relationship between people with lower self-control and higher rates of victimization via malware infection.  The study was based on an online questionnaire on victimization, routine activities, and self-control among other issues, with responses by more than 5,000 individuals in a nationally representative sample of people from the Netherlands.  The study measured low self-control by 12 items of dysfunctional impulsivity from a standardized impulsivity inventory that “assesses self-reported difficulty with the regulation of behavioral impulses” (e.g., “I often say and do things without considering the consequences”).

Based on the responses, the researchers found that “respondents with a lower self-control have a significantly higher average score on malware victimization,” and “were more likely to experience more symptoms of infection.” They also found that this relationship “was significant and remained in the presence of routine activity measures,” and that malware victimization “is a consequence of differences in individual routine activities which are individually shaped by individuals’ levels of self-control.”  In contrast, they also found that “respondents who often check for viruses score significantly lower on malware victimization,” and that respondents’ use of a secured wireless connection “is associated with lower probabilities of infection.”

Note: This study should be of interest to corporate-compliance and information-security officers, as they review their intracorporate training courses and online reminders to employees and customers about malware risks.  Such training and reminders are often framed in general, “one-size-fits-all” terms, to reach the broadest possible audience.   But as the lead author of the study, Professor Thomas Holt of Michigan State University, has noted, “it is also essential to address the psychological side of messaging to those with low self-control and impulsive behaviors.”

To that end, information-security programs should consider expanding their training content and cybersecurity reminders to include more targeted messages for those with lower self-control.  The messaging can be framed in nonjudgmental terms, but should call out the consequences of impulsivity – perhaps “Take your time before clicking on emails or attachments from senders you don’t recognize.  People who click without thinking are more likely to trigger malware that can take over their computers or steal their personal data.”

Over the longer term, Professor Holt indicated that he “hopes to help break the silos between computer and social sciences to think holistically about fighting cybercrime.”  “If we can identify risk factors,” he said, “we can work in tandem with technical fields to develop strategies that then reduce the risk factors for infection.”  The study itself acknowledges that “[f]uture research is needed assessing the extent to which populations recognize and experience infections across devices and the risk patterns associated with infections by mobile and personal computing devices.”  Such research deserves support from academia, government, and the corporate sector.