Author: Jonathan J. Rusch

On January 4, Baltimore Mayor Catherine Pugh announced that she selected New Orleans Police Superintendent Michael S. Harrison as her choice for Commissioner-designate of the Baltimore Police Department.  What makes this announcement of interest to ethics and compliance experts is the innovative approach to policing ethics that Harrison, who served in the New Orleans Police Department (NOPD) for 27 years and led it since 2014, implemented in the NOPD and plans to implement in Baltimore.

The approach, as developed in New Orleans, is known as Ethical Policing Is Courageous (EPIC).  At its most basic level, EPIC seeks to counteract the “bystander effect” – a common behavior in which individuals in a group setting who witness an unethical or illegal act remain silent when they see that no one else in the group is speaking or acting to address the improper act  —  with “active bystandership.”  In general terms, an active bystander, according to the MIT Active Bystander Program, “assesses a situation to determine what kind of help, if any might be appropriate” and “evaluates options and chooses a strategy for responding.”

As the Washington Post reported last week, EPIC beings with “a training program for officers that emphasized ‘active bystandership and peer intervention’” and creates an expectation

that officers should step in when a colleague is misbehaving — assaulting a citizen, lying on a report, planting evidence — and stop the bad acts before they happen or else report them. “When they see misconduct potentially about to happen,” [New Orleans] Deputy Superintendent Paul Noel said, the goal is “to step in and say, ‘I got this. Back off.’” The idea is that once one bystander steps in, others often follow suit, and the peer pressure keeps the bad act from occurring.

“Active bystandership is contagious,” Noel said. “It’s hard to resist an outspoken co-worker who is intent on doing the right thing.”

New Orleans police are starting to build up anecdotes of EPIC in action. In one instance, officials said, officers had handcuffed a man after fighting, and a sheriff’s deputy from another department walked up and kicked the man in the face. “We don’t roll like that anymore,” one of the officers told the deputy, and then they arrested him. “Previously, everybody would have looked the other way,” Noel said.

At a recent Fourth of July festival, a handcuffed man spit blood and saliva in an officer’s face. “The officer was about to respond,” Noel said. “Then he thought about the EPIC program and walked away.” Trainers in the program use spitting in role-playing as a way of persuading officers not to respond with force that can ultimately harm the officer as well as the spitter.

Four elements of the EPIC program that the Post article identified appear to have enhanced its acceptance within the NOPD:

• Source Credibility: The NOPD, as the Post described it, “sought out officers who were respected among the rank-and-file, whose support for EPIC would carry weight on the street, and recruited them to teach the program during in-service training. And the department pitched the program to union leaders as a way for officers to avoid disciplinary problems by not getting reported in the first place.”
• “Tone from the Top”: The EPIC program began by training the top NOPD commanders first, including Harrison.
• Individual Public Commitment to Program: NOPD officers “now wear an EPIC pin on their lapels, declaring their commitment to acting ethically and reporting any misbehavior they see.”
• Positive Reinforcement of Ethical Behavior: “Body-camera footage of incidents where officers have intervened to stop bad actions is used in training sessions, and officers who successfully intervene are honored, Harrison said.”

Although NOPD commanders acknowledged that the success of EPIC is difficult to measure, citizen complaints about the NOPD have reportedly decreased substantially, from 850 in 2016 to 734 in both 2017 and 2018, and citizen satisfaction with the police has increased.

Note: The challenges that Harrison will face in implementing EPIC within the Baltimore Police Department are likely to be formidable.  As a Baltimore Sun article recently noted,

Baltimore is the most murderous big city in the United States. The police department has been exposed as a hot bed of corruption, where a recent federal investigation brought down a unit of detectives who stole and resold drugs on the street, among other crimes. The city’s consent decree was put in place in 2017 after U.S. Justice Department investigators determined Baltimore police had engaged for years in unconstitutional and discriminatory policing.

The Baltimore Police Department operates with a half-billion dollar annual budget, but still manages to spend millions of dollars each month on overtime. Recruitment has been dismal, officer morale is poor, and crimes routinely go unsolved.

On the other hand, Harrison faced very similar challenges in improving a department that, like Baltimore’s, has had a reputation for brutality and corruption and has been under a consent decree. The fact that other cities, such as Honolulu, Albuquerque, Baton Rouge, and St. Paul (MN) are adopting the EPIC approach suggests that EPIC is an approach suitable for policing in every city and state.

For that matter, corporate ethics and compliance officers should look more closely at the EPIC approach and consider incorporating elements of the EPIC program into their own compliance programs.  A generic “speak up” corporate policy, or ethics hotline with state-of-the-art technology, will accomplish little if executive and employees at all levels are skeptical that C-level executives truly welcome and reward ethically-based actions.   On the other hand, if employees see that those same C-level executives not only attend ethics training but speak out within the company to foster an active bystander culture, and prominently recognize and reward employees whose actions demonstrate active bystandership, the more likely that the company’s ethics program will improve its credibility and effectiveness over time.

On January 25, Le Parisien published an interview with Guillaume Poupard, the Director of the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) (National Cybersecurity Agency).  Last week, at the International Forum on Cybersecurity (FIC) in Lille, France, Poupard raised the possibility of a “cyber-Pearl Harbor.”

In the interview, Poupard explained his concerns about that prospect:

We fear and wish to avoid a succession of massive surprise attacks. All the technical elements are available, it remains only to have the will and to light the first fuse. There are two threats: theft of intelligence and sabotage. We have seen that many countries have developed capabilities to sabotage computer systems. All that is missing is the trigger. With the geopolitical context degrading, some countries may one day be tempted to attack us with cyberattacks. (All translations informal)

With regard to the April 2015 cyberattack against TV5Monde, which has since been ascribed to a group of Russian hackers, Poupard characterized it as sabotage, adding,

and there was an explicit message. [Note: The hackers called themselves the Cyber-Caliphate and made threats against France, only a few months against the Charlie Hebdo terrorist attack.]  We have since detected attacks from state, private, or terrorist actors who are not yet aiming to destroy but to insert themselves into and especially to study the computer systems of three of our critical sectors: energy, telecommunications, and transportation. For example, it is necessary to anticipate terrorist attempts that in 10 years would involve a plane whose system was hacked.

When asked whether French companies are prepared for large-scale cyberattacks, Poupard tactfully replied:

The awareness is heterogeneous, to remain politically correct.  There are sectors like the banking sector, where security is part of their DNA. But there are other areas such as heavy industry, that used to protect themselves with simple fences and is surprised to have attacks on their digital tools connected to the Internet. But leaders talk to each other and are more aware of the risks.

Poupard also explained that ANSSI

only does defense, not intelligence or attacks.  We have considerable resources, even if I always ask for more like any good director.  We have around 600 people who are high-level experts. The new laws have allowed us to work with vital operators, whether they are ministries or transport companies or in energy, to mandate strengthening their cybersecurity.  We have the ability to detect attacks in ministries, and tomorrow we may have the possibility to detect them directly upstream from the [Internet] hosts and telecom operators.  But we cannot be the sole security of France, which is why we certify and qualify private companies to cover everyone.

When asked how we can know who is responsible for an attack, Poupard called the attribution of an attack to a particular person or entity

a very complicated extreme sport.  In France, we are more cautious than our allies before pointing the finger. This is because we have more fear of repercussions or we have less information. There is always a doubt about responsibility. Attributing an attack is good for preventing an attack.  Instead, we have the feeling that with some actors, large states that I will not name, it is more efficient to have a frank discussion in a private and secret context.

Note: Poupard’s remarks should be of interest to information-security officers in general, and certainly to those in companies and government agencies with operations and interests in France.  Although his basic message is already well-recognized in cybersecurity circles, his statements provide some indication of the approach that ANSSI is taking to improving cybersecurity.

With regard to his reference to “cyber-Pearl Harbor,” that metaphor has been in vogue for some time – albeit sometimes as a straw man for commentators to dismiss as hyperbole.  It is worth remembering, however, that the real Pearl Harbor did not involve the full global range of U.S. military might, but rather the targeting of a specific regional concentration of naval power that at that time represented a perceived significant threat to Japanese military interests in the Pacific.

A cyber-Pearl Harbor, in other words, need not leave an entire society in smoldering ruins to have vital military or geopolitical value for the attackers, or the state actor for whom they are working.  Nor need it be a single, limited-duration attack.  Poupard’s use of the phrase “a succession of massive surprise attacks” may suggest where his greatest concern lies in anticipating and preventing future cyberattacks.

On January 27, the Washington Post published an interview between Lally Weymouth of the Post and Brazilian President Jair Bolsonaro during his visit to Davos for the World Economic Forum.  While the interview ranged widely to touch on various topics such as the need for pension reform in Brazil and his admiration for U.S. President Donald Trump, certain views on the following topics are especially noteworthy:

• Corruption: When Weymouth asked what his government would do to fight corruption, Bolsonaro replied, “Minister of Justice Sérgio Moro has available all the [tools] to follow the money trail. Corrupt people will no longer enjoy an easy life in Brazil.” When Weymouth then asked about Bolsonaro’s son, newly elected Brazilian Senator Flávio Bolsonaro, who reportedly hired multiple people with close ties to gang members, Bolsonaro responded, after pointedly stating, “This is not a government or a federal administrative matter – or your business”:
  • “To a large extent, his family name, Bolsonaro, is the reason why he has so much visibility. What has been said about him so far is the result of political accusations from people who want to criticize my administration. My son has always worked with the Rio de Janeiro state military service and has granted more than 300 different decorations and honorable titles to members of the military who [fought] in combat. Two of those are now being charged with wrongdoing. Of course, the person who granted the decoration cannot be blamed.”
  • Bolsonaro ended this response with the enigmatic comment: “Should any evidence become available against my son, he will be punished like anyone else and serve his penalty.”
• Venezuela: When asked about his view of the Maduro regime in Venezuela and whether he thought regime change was a good idea, Bolsonaro said that “[w]e” have always been against the Maduro regime, and that the current regime “must be changed.”  When asked how he saw that happening, he replied, “You [the United States], of course, must remove Maduro from power.  He happens to have 70,000 Cubans on his side, so it will not be easy to remove him from office.”  Bolsonaro also indicated that he opposed the use of Brazilian troops for that purpose, saying, “We will not embark Brazil on a military intervention.”  He added that although Brazil had “welcomed and accommodated refugees” from Venezuela, “[w]e have pretty much reached our limit and have clearly signaled to the Maduro dictatorship that Brazil does wish to see change in the current regime of Venezuela.”
• Democracy: When Weymouth asked about his commitment to democracy — noting his past expression of admiration for the Brazilian military dictatorship that ruled Brazil from 1964 to 1985, Bolsonaro said, “The military saved Brazil from a potential dictatorship in 1964.”  In response to a followup question about his commitment to democracy in Brazil, Bolsonaro said, “We will shore up democracy at any cost. . . . I represent freedom and democracy.  Our armed forces guarantee what I am stating to you. . . . The armed forces are the guarantor of democracy.”

Bolsonaro also acknowledged that it was “a possibility” that he might serve only one term as President because of the unpopular things he will need to do, but indicated that “[t]he jury is still out” on whether he would not run again.

Note: In contrast to his first few days in office – when a number of his initial public statements on issues such as a possible tax increase, placement of a U.S. military base in Brazil, and abolition of a land-reform program were quickly contradicted by other Brazilian authorities – Bolsonaro gave responses to the Post interview that apparently raised no official hackles and appeared generally consistent with his basic positions during his Presidential campaign.

Bolsonaro’s answers about his son Flávio, however, will not quiet suspicions about possible corruption in the family that is at odds with his public commitment to combating corruption, and to his and his son’s campaigning on anti-corruption platforms.  The recent report that a Brazilian Supreme Court Justice ordered a Rio de Janeiro state court to temporarily suspend an investigation into suspicious payments by Flávio to his former driver can only intensify those suspicions.

In an article published in Social Science Computer Review, four researchers conducted an analysis that found a significant relationship between people with lower self-control and higher rates of victimization via malware infection.  The study was based on an online questionnaire on victimization, routine activities, and self-control among other issues, with responses by more than 5,000 individuals in a nationally representative sample of people from the Netherlands.  The study measured low self-control by 12 items of dysfunctional impulsivity from a standardized impulsivity inventory that “assesses self-reported difficulty with the regulation of behavioral impulses” (e.g., “I often say and do things without considering the consequences”).

Based on the responses, the researchers found that “respondents with a lower self-control have a significantly higher average score on malware victimization,” and “were more likely to experience more symptoms of infection.” They also found that this relationship “was significant and remained in the presence of routine activity measures,” and that malware victimization “is a consequence of differences in individual routine activities which are individually shaped by individuals’ levels of self-control.”  In contrast, they also found that “respondents who often check for viruses score significantly lower on malware victimization,” and that respondents’ use of a secured wireless connection “is associated with lower probabilities of infection.”

Note: This study should be of interest to corporate-compliance and information-security officers, as they review their intracorporate training courses and online reminders to employees and customers about malware risks.  Such training and reminders are often framed in general, “one-size-fits-all” terms, to reach the broadest possible audience.   But as the lead author of the study, Professor Thomas Holt of Michigan State University, has noted, “it is also essential to address the psychological side of messaging to those with low self-control and impulsive behaviors.”

To that end, information-security programs should consider expanding their training content and cybersecurity reminders to include more targeted messages for those with lower self-control.  The messaging can be framed in nonjudgmental terms, but should call out the consequences of impulsivity – perhaps “Take your time before clicking on emails or attachments from senders you don’t recognize.  People who click without thinking are more likely to trigger malware that can take over their computers or steal their personal data.”

Over the longer term, Professor Holt indicated that he “hopes to help break the silos between computer and social sciences to think holistically about fighting cybercrime.”  “If we can identify risk factors,” he said, “we can work in tandem with technical fields to develop strategies that then reduce the risk factors for infection.”  The study itself acknowledges that “[f]uture research is needed assessing the extent to which populations recognize and experience infections across devices and the risk patterns associated with infections by mobile and personal computing devices.”  Such research deserves support from academia, government, and the corporate sector.

On January 17, the Associated Press reported that the European Union Agency for Law Enforcement Cooperation (Europol) “has identified links between match-fixing gambling syndicates being unraveled in Spain and Belgium that are thought to have paid off dozens of players and corrupted lower-level tennis tournaments on a massive scale.”  Moreover, Pedro Felicio, the head of Europol’s Economic and Property Crime Unit, said that there are “strong indications” that the match-fixers were also involved in volleyball, beach volleyball, and basketball.

Europol and other European Union (EU) member states’ police forces have made these connections as the result of multiple operations they conducted in 2018 against match-fixing rings.  In a June 2018 law enforcement operation, police made 129 arrests in Spain and France and broke up a match-fixing ring that, according to Europol, had “close contact with many tennis, beach volleyball, basketball, and ice hockey players,” and bribed about 20 players to fix match outcomes on which the group then bet.

In another June 2018 law enforcement operation, against match-fixing in Belgium, police disrupted an apparently more extensive operation that authorities believe “to have paid at least 115 low-ranked players in more than half a dozen countries to fix games, sets and matches in exchange for payments of 500 to 3,000 euros ($570 to $3,400).”  That operation, according to the Belgian Federal Public Prosecutor’s Office, involved 21 house searches in 12 Belgian cities and towns, detention of 13 individuals for questioning, and coordinated operations in Germany, France, Bulgaria, Slovakia, the Netherlands, and the United States.  To date, investigators reportedly “have questioned players in Belgium, the Netherlands, Germany, Slovakia, and Bulgaria and are looking to question others, including both players and managers, in the United States, Chile and Egypt.”

In addition, Europol recently reported that the Spanish Guardia Civil (Civil Guard), with Europol’s support, arrested 83 individuals – 28 of them professional tennis players, one of whom reportedly participated in the 2018 US Open – in an operation that dismantled an organized crime group involved in fixing professional tennis matches.  In that operation, police conducted 11 house searches in Spain in which they seized €167 000 in cash, a shotgun, and more than 50 electronic devices, credit cards, five luxury vehicles, and documents related to the case, and obtained freezes of 42 bank accounts and the balances therein.

One common element in each of these operations was the identification of Armenian nationals as key operators of the match-fixing rings.  With regard to the operation in Spain, Europol stated that the Armenian ring members not only used an unnamed professional tennis player as the link between the gang and the rest of the criminal group, but after bribing the players “attended the matches to ensure that the tennis players complied with what was previously agreed, and gave orders to other members of the group to go ahead with the bets placed at national and international level[s].”

A second common element is the existence of evidence connecting ostensibly different match-fixing rings.  Felicio stated that “cross-checks of suspects’ names, their contacts, company details, places and people they frequented and phone records” pointed to links between the groups.

Multiple countries’ police forces and Europol are continuing to cooperate in these disruption and intelligence-sharing operations.  Just last week, Belgian investigators reportedly traveled to France for police questioning of four low-ranked French tennis players, who had been detained because of suspicions that they had been paid to fix matches by an Armenian national who allegedly ran the Belgium-based match-fixing operation.

Note: Match-fixing in professional tennis remains a blot on the sport that is difficult to eradicate.  In its 2018 Report, the Tennis Integrity Unit, professional tennis’s global anti-corruption body, reported that during 2018 it had taken action against players and chair umpires for match-fixing, ranging from suspension to lifetime bans.  While there are welcome indications that professional tennis is dedicated to enhancing its anti-corruption regime, private-sector efforts that necessarily focus on participants in professional tennis will have little effect on professional criminals who can reap substantial profits from match-fixing.

Furthermore, as this blog recently noted, criminal organizations are conducting match-fixing on a multinational scale in sports beyond tennis and football (soccer).  The spread of match-fixing across multiple professional sports and multiple countries make it imperative that law enforcement agencies in Europe and other countries, especially the United States, closely collaborate on two fronts: (1) intelligence-sharing, including further exploration of linkages between match-fixing operations and Armenian organized crime groups; and (2) law enforcement efforts to target the match-fixing rings’ leaders for criminal prosecution and forfeiture of their criminal proceeds.