CYSE 425W – Cybersecurity from an Economic Perspective

In your opinion, what are the benefits of looking at cybersecurity from an economics perspective?

There are multiple benefits to cybersecurity from an economic perspective. In my eyes, the biggest benefit is the amount of money in damages that is saved when considering cybersecurity as part of a business model. Having cybersecurity be a key part of where to allocate resources and implement necessary controls can help large businesses not be hit with significant dents in their funds and allow smaller businesses to continue existing. Another economic benefit can come from cyber insurance or connecting with a third party that manages cybersecurity for companies. With cyber insurance, companies can be mostly covered when they inevitably get hit with a cyber-attack, saving them a large amount of money in repairs and lost time. A third party can also be a cost-effective choice if that party’s price is less than a company’s costs to both purchase necessary equipment and implement it for the same level of cybersecurity protection. Having third parties work on a company’s cybersecurity may also help them maintain proper compliance with the regulations that are associated with their field of practice. In summary, applying an economic lens to cybersecurity can show value in its ability to save money or reduce the loss of finances significantly for companies at all levels.

CYSE 425W – Common Organization Cybersecurity Mistakes

Please read the KPMG report in the link: https://assets.kpmg/content/dam/kpmg/pdf/2014/05/cyber-security-not-just-technology.pdf

Which of the five mistakes, do you think, is more common in an organization/business of your choice? Which of the three options would be more challenging in taking action (risk assessment, changing organizational culture or determining budget)?

Of the five cybersecurity mistakes that exist within many industries, the most prominent within critical infrastructure industries is the perception that hiring the best professionals to defend against cybercrime is the only required measure. While hiring skilled professionals can be beneficial for multiple reasons, it should not be the only action due to the amount of other changes that need to occur. Specifically, for organizations handling electricity, water, or fuel, the main issue is that cybersecurity wasn’t a part of the model and now needs to be implemented on a legacy foundation. There’s also the issue of applying cybersecurity behavior to employees, as well as vendors, to ensure multi-layered protection.

Out of the options of risk assessment, changing organizational culture, and determining budget, I believe that changing organizational culture would be the most challenging for taking action. With risk assessment or determining a budget for cybersecurity measures, while both require looking at multiple different aspects of a business to make those changes, people changing is one of the most difficult for cybersecurity measures. This is due to the hierarchy of any business often lacking any knowledge when it comes to security practices outside of basic measures. Employees are likely to stick to practices like writing passwords on notes, leaving devices open when they need to do something else, and clicking on links or emails without considering the potential danger. Upper management struggles with cybersecurity by seeing it as an additional cost to a business with no returns that only eats up resources, as well as maintaining the same behavior as regular employees. So, this kind of change would require people to significantly change how they work, which can cause more frustration to cybersecurity measures despite the benefits.

CRJS 406 – CFAA Analysis

We are now studying the Computer Fraud and Abuse Act (CFAA) in which you will learn that Section 1030(a)(2) makes it a federal crime to “[access] a computer without authorization or [exceed] authorized access, and thereby [obtain] information from any protected computer.” In Van Buren v. United States, 593 U.S. ___ (2021), the U.S. Supreme Court considered the reach of the statute (the CFAA) as it applies to a Georgia police officer in his personal use of a department database.

Read about the case (either through its full decision here:  19-783 Van Buren v. United States (06/03/2021) (supremecourt.gov)), or at least through these summaries:  (1) Van Buren v. United States – Ballotpedia and (2) Van Buren v. United States | Oyez.

Then do the following: In your post, explain whether you agree with the U.S. Supreme Court’s majority in its holding on whether Sergeant Van Buren violated the CFAA. Support your position by referencing the majority and/or dissenting opinions, as well as any other material you deem relevant, and also provide practical support for your decision. I want proof that you have read the facts and opinions (majority and dissenting) carefully. I want some detail in your response.

Be sure to have a good handle on the majority’s holding and reasoning, as well as why some dissenters disagreed with the majority.

When considering both the court’s majority and dissenting opinions, I am more inclined to agree with the Court majority holding that Van Buren did not violate the CFAA. My reasoning for this is the arguments of textual definitions and the restrictions that those definitions put in place for the inherent broadness of the Act.

Referencing the full decision, “exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” From that definition, Van Buren made the argument that the “so” in “entitled so to obtain” refers to information unobtainable from an already accessible computer compared to the government’s perspective of specific circumstances. I agree with this argued definition from the original due to the technicality of Van Buren’s access. Because he had the authorization and credentials to obtain the information, there was not a violation of the CFAA but only of the department’s policy due to accessing said information for an unlawful purpose.

Furthermore, the government’s proposed definition of “exceeds authorized access” was also faulty due to seeing the clause as circumstantial compared to a gates-up-or-down inquiry. My issue with the government’s definition is that a circumstantial approach to policy would make every instance of exceeding authorized access a violation of the CFAA, whether it would be examples of looking at personal emails or searching for something on the internet that is not related to the business that owns the devices.

However, there were points on the dissenting side that I consider strong against the majority’s position but still imperfect. These include the focus on the word “entitled” and the consideration of property law concerning the Act. According to the dissent, “A person is entitled to do something only if he has a “right” to do it.” This led to the conclusion that because Van Buren had no law enforcement “right” to use the computer the way he did, he violated the CFAA. While a good point in connecting Van Buren’s training to the CFAA, the problem lies in the word itself. Entitlement, in this case, is about the ability to do something, not why it is used to do something.

Lastly, the point of property law does hold some weight but has a flaw. Both the majority and the dissent agree that the statute is meant to defend property, but the dissent relates the information in a computer to property, as well as claims that a crime like trespassing is comparable to that of Van Buren’s case. While there is an initial connection with the access, the flaw exists with the nature of the crimes, that being physical access compared to digital access. With trespassing, the crime is about exceeding physical access to enter an area that is clearly stated not to be entered or the person in question has had no permission to enter. Whereas, if someone is allowed to be somewhere but goes into an area they are not allowed to be in, they are not trespassing, but they are violating rules. Conversely, a database doesn’t care what person is looking at it for any particular reason; the thing that does matter is whether or not someone has the credentials to access it at all, which Van Buren did.

Overall, the dissenting opinion’s perspective on the conclusion does hold some value in criticizing the meaning of entitlement and the connection of property law to the Act being significant counterpoints, but the majority’s opinion of the definition “exceeds authorized access” and the perspective of both statutes being a gates-up-or-down approach creates necessary boundaries which prove Van Buren’s crime came from his reasoning compared to his access, and therefore, did not violate the CFAA.

Van Buren v. United States, 593 U.S. ___ (2021). https://supreme.justia.com/cases/federal/us/593/19-783/case.pdf

CRJS 406 – WikiLeaks and Julian Assange

In this course we consider the value of both gathering and protecting information, as well as sharing it with others (aka disseminate when done so deliberately). In the digital world, the relative ease with which we may access information and vast troves of data raise significant questions that impact the individual and society, and even our national security. Freedom, trustworthiness of sources and methods, national security concerns and privacy interests also come into play. Issues arise that may demand an intricate balancing of sometimes competing interests. With these and other considerations in mind, watch the video below (yes, it’s dated, but the issues survive) and answer the following related questions in an informed manner. It will help to review module 5 too and other credible and relevant sources. Cite any outside sources – and outside sources are recommended!

Question 1: What are some important reasons to a) support or b) oppose Julian Assange’s position in defending the work and mission of Wikileaks?

Question 2: In your opinion, is Assange a hero, a criminal or both, or neither? Why?

https://www.youtube.com/watch?v=HNOnvp5t7Do

Question 1: What are some important reasons to a) support or b) oppose Julian Assange’s position in defending the work and mission of Wikileaks? 

Referencing the TED talk, there are significant reasons to support Julian Assange’s position. First, WikiLeaks intends to uncover information that pertains to crimes that are being kept secret, not just information in general. An example of this was the Baghdad video, which showed U.S. soldiers shooting at innocent Baghdad civilians and U.S. reporters, some laughing about it as they did so, and utilizing excessive force. As mentioned by Assange, the purpose was about “changing the perception of the people paying for it all,” not for the civilians who already experienced the conflict daily.

Secondly, WikiLeaks whistleblowing is a valuable tool that can force positive change within governments and companies, due to the public being given a more holistic understanding of things that are occurring behind the scenes and forcing sectors to face their problems. Some examples like the Kroll report, the Albanian well blowouts, and the WikiLeaks report on Iceland’s financial crisis show this in different forms. Whether it be the public making more informed choices, companies contacting WikiLeaks about problems they are involved in, or new legislation being put in place for more freedom of the press, these kinds of changes are beneficial by mitigating crimes and outputting information that can make a difference.

Third, while it only works to an extent, I would argue that citizens of any nation have a right to know about crime-related information that is tied to their way of life or perception of the sectors they exist within so they can make informed choices. This can include information within politics, conflicts between nations, the companies people buy products from, and the sectors people work in. For WikiLeaks to be a platform that can provide that extra context, that is worth its continuation.

Question 2: In your opinion, is Assange a hero, a criminal or both, or neither? Why?

Personally, I see Assange as a hero for the information that WikiLeaks has uncovered. To me, it shows that accountability and transparency are things that will be held no matter how powerful an entity, and that positive change can come from that. Furthermore, with how freedom of the press has always remained a critical tool for people to remain informed on different issues in the world, the effort of WikiLeaks and by extension Assange, is inspiring as a source of information that focuses on criminal activity intentionally hidden from the public. WikiLeaks as a platform and other similar platforms have paved the way for being another method of holding guilty entities responsible for their actions, and for this I see Assange as a hero for the dedication he has had to that mission.

IT 201 – Achieving Operational Excellence and Customer Intimacy: Enterprise Applications

You will discuss companies and organizations achieving operational excellence and customer intimacy using Enterprise Resource Planning (ERP) systems. Give examples of a company or organization using Enterprise Resource Planning (ERP) systems to achieve operational excellence and customer intimacy.

A prime example of a company that uses ERP systems successfully is Amazon. Amazon utilizes the ERP system SAP to improve efficiency in operations and automation. SAP’s capabilities in tracking assets such as accounting and sales allow Amazon to have better accuracy, improving its financial trajectory. By monitoring sales and customer data, Amazon can also better fine-tune the customer’s experience, leading to more sales in the future.

The automation from Amazon’s ERP system supports managing tasks, inventory, orders, and Amazon’s increasing size to ensure continual growth. As orders for products are placed, the ERP system automatically routes and categorizes them according to priority level, and automatic messages are sent out to customers. Furthermore, when inventory of items becomes low, the ERP system also routes messages to vendors to resupply them, along with maintaining the information of all items. These sets of tasks are managed by the ERP system to maintain operations and cut out manual input. Through the use of bi-directional data, this allows ERP systems to provide a bridge to different systems, allowing for better efficiency. ERP systems also provide better service the more that a business scales, as the overall output becomes faster and higher quality. This use of ERP systems has allowed Amazon to be a significant power in the field of e-commerce.

https://changemanagementinsight.com/successful-erp-implementation-examples/

https://www.versaclouderp.com/blog/automating-amazon-and-e-commerce-with-erp-to-boost-roi-and-outperform-competitors/#:~:text=As%20soon%20as%20products%20are,is%20inefficient%20and%20error%2Dprone

IT 201 – Securing Information Systems

Discuss how companies and organizations are securing their information systems. What tools are they using? What is the cost of securing information systems? What is the cost of not securing information systems? What are the most effective techniques of securing information systems?  What are the least effective techniques of securing information systems?

Discuss how companies and organizations are securing their information systems.

Due to the vast number of vulnerabilities from company to company, investment into proper security tools for information systems is now necessary to ensure protected operations and data.

What tools are they using?

These investments lead to implementing tools such as digital firewalls, intrusion detection and prevention systems (IDS/IPS), backups, and authentication controls. Firewalls can be digital or physical but are always meant to filter traffic to prevent unauthorized access. IDS/IPS are controls for finding and/or blocking malware before it enters the system. Backups help store older and current information so that in the event a breach does occur, it is easier to recover the damage. Authentication controls like two-factor and multi-factor authentication can be simple implementations that, while tedious, can prevent many easy intrusions into an information system.

What is the cost of securing information systems?

Now, while implementing security tools can be beneficial for any organization, there is still a substantial cost to implement and maintain them. The cost of securing information systems can change based on the size of the organization but with outsourced cybersecurity services, it can range from $2,000-$3,500 a month. When using in-house resources, a good IT budget is around 10% for cybersecurity for a good range of flexibility.

What is the cost of not securing information systems?

Despite the significant cost that cybersecurity can have on a business, there’s an even greater price when there are no controls and a breach occurs. Damages have continued to increase over the years due to many organizations still having poor security posture. The average cost of a data breach can be upwards of 4.45 million dollars, which can be a sizeable dent for large businesses, or the end for medium or small businesses.

What are the most effective techniques of securing information systems? 

This then calls for the most effective techniques to be utilized when securing information systems due to the much larger cost of there being no protection. Some effective techniques take the form of encryption, proper employee security training, strong passwords, and investing in a virtual private network (VPN). Encryption can secure data by making it unreadable for many people, and security training can be effective by educating people, which is the biggest factor for breaches. Stronger passwords also prevent easy access along with VPNs creating a safe tunnel for information to travel through.

What are the least effective techniques of securing information systems?

In contrast, the least effective techniques for securing information systems may include security controls, but ones that cannot do enough to protect an organization. Organizations also may have no controls at all. Ineffective techniques include easy password conditions, single-factor authentication, and no redundancy with the backend of an information system. Having easy password conditions makes insider threats or brute-force attacks much more common. Single-factor authentication can take the form of passwords or a single credential that, if compromised, leaves the information system susceptible to attacks. Redundancy is about adding more layers to a system to better protect it, and a lack of redundancy can create a single point of failure that still leaves the system vulnerable.

With that said, there is ample reason for organizations to invest in effective security controls to protect their information systems due to how lower-quality tools can still leave systems susceptible, and a complete lack of tools can cost them millions of dollars if a data breach were to occur.

https://www.vc3.com/blog/managed-cyber-security-services-cost

https://tealtech.com/blog/cost-of-cybersecurity-for-small-business/#:~:text=Cyber%20Security%20Services%20Prices,to%20%24200%20for%20each%20user

https://ico.org.uk/for-organisations/advice-for-small-organisations/whats-new/blogs/11-practical-ways-to-keep-your-it-systems-safe-and-secure/

https://www.compuquip.com/blog/least-effective-it-security-measures#:~:text=Knowledge%20Factors%20(Something%20You%20Know,attackers%20out%20of%20your%20network

IT 201 – IT Infrastructure

Pick a topic related to or aspect of IT Infrastructure and describe that topic in detail.

A necessary element of IT infrastructure is operating systems. Operating systems (OS) are software that is the basis for managing applications, software, and digital systems within IT infrastructure. An OS is meant to ensure that everything is connected and functional because, without an OS, all applications on a single computer would need to be managed separately, meaning that the IT infrastructure falls apart. Furthermore, operating systems utilize different interfaces, such as an application program interface (API), graphic user interface (GUI), and command-line interface (CLI), not only for applications and people to interact with what’s needed but also for necessary changes and updates to be consistently made.

With operating systems being management-focused, they are utilized in IT infrastructure by managing things like computer resources, multiple programs, and security. Computer resources take the form of CPU, bandwidth, and memory, and an OS is meant to properly allocate these resources and much more at all times based on current priority. Software programs such as browsers, management systems, and collaboration platforms also need to be managed by an OS to not only function but also to be a bridge for anyone who needs to utilize it at any given time. Finally, while operating systems need to manage a significant amount of data, they also are needed to enforce security controls across an IT infrastructure. Controls like firewalls, authentication, encryption, and permission are managed by an OS to keep itself safe, as well as the larger IT infrastructure.

IT 201 – Achieving Competitive Advantage with Information Systems

Give an example of a company or individual using information systems to achieve a competitive advantage.

A prominent company that uses information systems in multiple ways to gain a competitive advantage is Google. Its primary use has been in its popular search engine and the utilization of machine learning algorithms. Using these algorithms, they gain a better understanding of all of the consumers that search using Google and can better tailor information to them, generating more profit. Another recent example is the implementation of their new AI, Gemini, which can further specify the information desired from any search and provide bullet points and links. Information systems also span their office-related tools such as Gmail, Calendar, and Google Workspace that emphasize managing information and providing notifications. These multiple applications show how Google utilizes information systems to gain an advantage, due to their daily utility and ability to give precise details.

CYSE 526 – U.S. Strategic Culture

Do you think there is a change in U.S. Strategic culture within the last few years? Why?

https://archive.ph/2n7sK

Within the past few years, I would argue that there has been substantial change within U.S. strategic culture due to two significant factors. The first would be the adoption of cyberspace and, by extension, cyber operations in other countries, and that adoption causing U.S. strategic culture to change around it. Due to countries like China, Russia, Iran, North Korea, and several other countries having differing strategies for how they want to utilize cyberspace, the U.S. has needed to not only ensure that those actions do not cause greater problems but also that U.S. civilians are protected from it as well. This has then led to the strategic culture having heavy investment into both offensive and defensive cyber operations to protect people, but also to have retaliations not only for current attacks but significantly more powerful ones if they were to emerge.

The second factor as to why the strategic culture has changed is due to the evolution of offensive cybersecurity technology and the mass popularity of social media sites as avenues for possible misinformation. Cyberspace’s flexibility with almost anyone to interact with each other has led to malicious actors taking the opportunity to manipulate others to get information by committing cybercrimes. With the rampant number of phishing attacks and spoofing, strategic culture has been changed to crack down on this now global issue despite the difficulty of attribution compared to more traditional attacks. Social media platforms have also given way to misinformation and disinformation campaigns influencing public opinion, like the 2016 U.S. election. These platforms also create new difficulties for strategic culture by having information up in the air for credibility and individual people having more responsibility to cross-reference information. These changes from other countries and the evolution of cyberspace have caused significant changes within U.S. strategic culture by investing in both offensive and defensive cyber operations to protect against future threats from other countries and to mitigate the apparent disinformation that spreads on social media sites and the cybercrime that happens in multiple critical sectors and industries.

CYSE 526 – Cyberspace as a Domain of Operations

Do you think it is right to see cyberspace as a domain of operations like land, sea, air and space? In your opinion what are the consequences of accepting cyberspace as a domain of operations?

https://ccdcoe.org/uploads/2018/10/Art-02-The-Cyber-Deterrence-Problem.pdf

I feel that there is valid reasoning to consider cyberspace as a domain of operations like all others. A significant factor for this is how cyberspace has already been utilized for both countries and actors attacking and defending against each other. Countries like the United States, Russia, China, North Korea, Iran, and many others have offensive, defensive, or both types of cyber operations as a part of their military strategy and have had it integrated for years. Furthermore, cyberspace offers a special utility with the connection to modern military technologies, the ability to monitor others, the capability for sending out attacks rapidly, building up cyber defenses, as well as enhancing the other military domains’ strategies with the evolution of technology. Whether it was for inciting harm, mitigating harm, gathering information, or being used for espionage, it has already been shown that cyberspace can be and has been used as a domain of operations and, therefore, should be considered as one just like land, sea, air, and space.

However, a consequence of cyberspace being accepted as a domain of operations means that there needs to be more effort into establishing the rules associated with the domain’s operations. It can no longer be a topic that is almost up in the air due to the difficulty of intertwining cyberspace and law. The addition of a legal framework can help, but there will need to be more time given to addressing how to utilize cyberspace as a domain of operations. Another consequence of cyberspace is managing accessibility. With the domain being available for anyone with the technology to cause significant damage to a country, there is a need to work toward mitigating cyber-attacks from non-state actors as much as possible for safety, as well as deterring people from doing so in the future. This also includes countries defending themselves from each other from attacks such as espionage, attacks on critical infrastructure, malware that affects a large number of citizens, and escalation into greater attacks from the other domains. While it makes sense to accept cyberspace as a domain of operations due to its current utility in military strategy, consequences such as legal boundaries and the harmful side of accessibility should also be considered as a part of that choice.