Investigative & Security Professionals for Legislative Action

Security Related Topics

  • 17 Nov 2016 10:56 AM | Anonymous member (Administrator)

    Prioritizing Internet of Things (IoT) Security

    While the benefits of IoT are undeniable, the reality is that security is not keeping up with the pace of innovation. As we increasingly integrate network connections into our nation’s critical infrastructure, important processes that once were performed manually (and thus enjoyed a measure of immunity against malicious cyber activity) are now vulnerable to cyber threats. Our increasing national dependence on network-connected technologies has grown faster than the means to secure it.

    The IoT ecosystem introduces risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations, slowdown of internet functionality through large-scale distributed denial-of-service attacks, and potential disruptions to critical infrastructure.

    Last year, in a cyber attack that temporarily disabled the power grid in parts of Ukraine, the world saw the critical consequences that can result from failures in connected systems. Because our nation is now dependent on properly functioning networks to drive so many life-sustaining activities, IoT security is now a matter of homeland security.

    Overview of Strategic Principles

    Many of the vulnerabilities in IoT could be mitigated through recognized security best practices, but too many products today do not incorporate even basic security measures. There are many contributing factors to this security shortfall. One is that it can be unclear who is responsible for security decisions in a world in which one company may design a device, another supplies component software, another operates the network in which the device is embedded, and another deploys the device. This challenge is magnified by a lack of comprehensive, widely-adopted international norms and standards for IoT security. Other contributing factors include a lack of incentives for developers to adequately secure products, since they do not necessarily bear the costs of failing to do so, and uneven awareness of how to evaluate the security features of competing options.

    Below is a link to a 17-page November 15, 2016 report by the U.S. Department of Homeland Security entitled "Strategic Principles for Securing the Internet of Things (IoT)." It sets forth ways to organize strategies to address IoT security challenges.


  • 02 Mar 2016 10:54 AM | Anonymous member (Administrator)

    The item below was furnished to ISPLA from a regulatory agency having jurisdiction over the financial services industry. It outlines various pretexts used against banks and others to obtain personally identifiable information (PII) of their customers. - Bruce Hulme, ISPLA Director of Government Affairs

    American Banker: To Case the Joint, Press 1: Crooks Refocus on Bank Call Centers - By Penny Crosman - March 1, 2016

    The often-overlooked call center is getting more attention, as banks realize that stronger security on online and mobile channels has driven cybercriminals to focus their energies on conning phone reps.

    They're tricking these eager-to-please call center agents into coughing up customer information or letting them reset passwords on other people's accounts.

    "Fraudsters will always use the weakest plank in the door," said Gary McAlum, chief security officer at USAA. "If you're using strong authentication security but someone can call into a call center and social-engineer through the call center representative to reset their account, then that's the weak point in the network. It has to be an end-to-end holistic approach."

    This problem made news when Apple Pay came out in September 2014. There was an immediate rash of call center fraud, as cybercriminals realized they could set up accounts using stolen credit card data. The problem has steadily grown since then.

    Last year, one in every 2,900 calls coming into large banks' call centers was fraudulent, according to Pindrop Security. This year, the number is closer to one in every 2,000 calls. Among regional banks, it's more like one in 700. Pindrop's software analyzes incoming calls for signs of fraud and scores them for risk. For instance, if a call is coming from Nigeria and the same caller number has called the contact center for different accounts, it will probably end up with a high risk score. (Pindrop was one of American Banker's Tech Companies to Watch in 2013 and it recently received $75 million from Google Capital. Its customers include eight of the top 15 U.S. banks.) The company will release this year's fraud report in April but gave American Banker a few numbers in advance.

    The average fraud exposure caused by these hackers — that is, the average amount they could potentially steal after successfully logging in by gaming the call center — was $7.6 million per bank in a 2014-15 study. More recently, in a study that covered the 12 months through February, it was $11 million per bank, according to Pindrop.

    So the attackers have been able to expand the pools of money that they can reach by over 45%.

    "When we're working with customers, we're finding about 30% to 80% of all fraud has a phone component," said Vijay Balasubramaniyan, Pindrop's CEO and chief technology officer.

    Bankers are generally tight-lipped about sharing what technology they're using to better secure their call centers.

    "The more information you provide to the fraudsters, the better [equipped] they are to perpetrate their fraud," said Brett Beranek, director of product strategy for voice biometrics at Nuance Communications. His company's technology analyzes incoming calls for fraud, detecting mismatches between the caller and previous recordings tied to the same account. It can also spot people calling about multiple accounts and fraudsters whose voices are on a blacklist. "The more information is disseminated, the less effective fraud groups can be at stopping the fraudsters."

    Canada's Tangerine Bank recently invested in secure chat software to allow call center agents to have encrypted, archived chat sessions with authenticated customers, according to the bank's chief information officer, Charaka Kithulegoda.

    Patience and PII

    One reason call centers are facing a rise in fraud attempts is the prevalence of personally identifiable information, McAlum observed.

    Fraudsters painstakingly gather information about account holders on the Web and use it to manipulate customer service agents who are trained to be helpful, not to block crime. The fraudster might say, "I don't remember my own password, let me call you right back." Then he'll go out to social media sites and figure it out. 

    "One call center agent completely buckled and started reading out every single account transaction on [a customer's] account for the last month," Balasubramaniyan said. "Though [the fraudster] didn't manage to get a wire at that point, now that he had all his transactions, he called back in, and when the next call center agent said, 'How do I trust you?' he started rattling off these transactions. The call center agent said, 'OK, it must be you,' and let him through."

    Balasubramaniyan's all-time favorite call was from a fraudster who, when asked, "What's your mother's maiden name?" replied, "My dad married thrice, so can I take three guesses?"

    "It doesn't even make sense — so what, your dad married thrice?" Balasubramaniyan said.

    The call center agent allowed him to take three guesses, the last of which was "Smith," which is one of the most popular names in the world and happened to be right. After that call, he wired $97,000 out of the bank. 

    Beranek said by closely monitoring what goes on in the call centers, banks can learn how fraudsters operate.

    "Often a fraudster will call in several times and progressively increase the complexity of their calls," he said. "So for call No. 1, they would ask for a benign piece of information that would be very easy to socially engineer the contact center agent to provide. By call five or seven, they have amassed enough information that they could completely take over the account, go online and perform a wire transfer."

    Fraudsters often need several attempts to break into accounts, because as they search the Web for information on account holders, sometimes the data they get is correct, sometimes it isn't.

    IVR Reconnaissance

    In addition to live agents being fooled by fraudsters, there's an uptick in the gaming of automated interactive voice response systems, or IVRs. Cybercriminals can robo-call IVRs continuously to guess a PIN number. (If it's four digits, there are 10,000 possible combinations.)

    In 2014, only 47% of calls to banks went through IVR systems. This year, more than 60% of calls will, according to Pindrop, as banks are cutting back on live agent calls. (It behooves Pindrop to point all this out, as it's getting ready to release an IVR security system that will act similarly to its call center software.)

    There isn't always fraud happening within the IVR itself, Balasubramaniyan said. "What the IVR is great in is reconnaissance, which is finding out about an account without talking to a call center agent," he said. It's also good for trying different combinations of account numbers, PINs and card verification values (those three-digit codes on the backs of payment cards) without coming up on any radar.

    "If you're able to detect that activity, you can forewarn banks on average 30 days before account takeover even starts happening," Balasubramaniyan said. "It's almost like 'Minority Report,' " the science fiction movie about a clairvoyant police force.

    In addition to security software, of course, part of the answer is to make call center agents more aware of social engineering and help them look for signs of foul play. One of our cybersecurity predictions for 2016 was that banks and other companies would address the problem of fraudsters' easily being able to reset passwords.

    The hard part is taking a tougher stance on such helpful call center duties, without turning away legitimate customers.
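    One way to turn the fraud signals the article describes (one caller number asking about many different accounts, and repeated wrong PINs against the IVR) into a call-log risk score that flags a caller before account takeover. This is an added, constructed example, not Pindrop's product or any bank's actual rules; the call records, field names, thresholds and weights are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class CallRecord:
    ts: datetime
    caller: str             # caller number (ANI); constructed values
    account: str            # account the caller asked about
    channel: str            # "ivr" or "agent"
    pin_ok: Optional[bool]  # None when no PIN was attempted on the call


def _t(minutes):
    """Constructed timestamps relative to a fixed base, for the sample log."""
    return datetime(2016, 3, 1, 9, 0) + timedelta(minutes=minutes)


# Constructed sample log (not real call data). One caller number touches
# three different accounts and fails the IVR PIN five times; the other is
# an ordinary customer checking a single account.
SAMPLE_LOG = [
    CallRecord(_t(0),  "+1-555-0100", "ACCT-1001", "ivr",   False),
    CallRecord(_t(2),  "+1-555-0100", "ACCT-1001", "ivr",   False),
    CallRecord(_t(4),  "+1-555-0100", "ACCT-1001", "ivr",   False),
    CallRecord(_t(6),  "+1-555-0100", "ACCT-1001", "ivr",   False),
    CallRecord(_t(8),  "+1-555-0100", "ACCT-1001", "ivr",   False),
    CallRecord(_t(30), "+1-555-0100", "ACCT-2002", "ivr",   True),
    CallRecord(_t(45), "+1-555-0100", "ACCT-3003", "agent", None),
    CallRecord(_t(10), "+1-555-0200", "ACCT-4004", "ivr",   True),
    CallRecord(_t(12), "+1-555-0200", "ACCT-4004", "agent", None),
]


def score_callers(records, window=timedelta(hours=24),
                  account_threshold=3, pin_fail_threshold=5):
    """Group records per caller number inside a window ending at the latest
    record and return {caller: (score, [reasons])}. Scoring is additive:
    many distinct accounts from one number and repeated IVR PIN failures
    each add to the score. Weights and thresholds are illustrative."""
    if not records:
        return {}
    latest = max(r.ts for r in records)
    cutoff = latest - window
    per_caller = defaultdict(list)
    for r in records:
        if r.ts >= cutoff:
            per_caller[r.caller].append(r)

    result = {}
    for caller, calls in per_caller.items():
        score = 0
        reasons = []
        accounts = {c.account for c in calls}
        if len(accounts) >= account_threshold:
            score += 50
            reasons.append(f"{len(accounts)} distinct accounts from one caller number")
        pin_failures = sum(1 for c in calls if c.channel == "ivr" and c.pin_ok is False)
        if pin_failures >= pin_fail_threshold:
            score += 40
            reasons.append(f"{pin_failures} IVR PIN failures (possible PIN guessing)")
        # A successful IVR PIN after failures from the same number suggests a guess landed.
        if pin_failures and any(c.channel == "ivr" and c.pin_ok for c in calls):
            score += 10
            reasons.append("IVR PIN success following failures")
        result[caller] = (min(score, 100), reasons)
    return result


def flagged_callers(records, threshold=50):
    """Caller numbers whose score meets the review threshold, sorted."""
    return sorted(c for c, (s, _) in score_callers(records).items() if s >= threshold)


if __name__ == "__main__":
    for caller, (score, reasons) in score_callers(SAMPLE_LOG).items():
        print(caller, score, reasons)
```

    In practice the same aggregation would also be run per account (failures from many numbers against one account), which this block leaves out for brevity.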


  • 07 Jan 2016 12:07 PM | Anonymous member (Administrator)

    The item on encryption below may be of interest to our European INTELLENET members. It concerns a Dutch government document on encryption and is quite informative on the subject of "backdoor" access by government. However, it is quite lengthy. - Bruce Hulme, ISPLA Director of Government Affairs


    Full translation of Dutch Government document by Matthijs R. Koot. Posted on 2016-01-05, 2016-01-06.

    TL;DR: on January 4th 2016, the Dutch government stated that it will, at this time, not take restrictive legal measures considering the development, availability and use of encryption within the Netherlands. Some things to keep in mind:

    • they explicitly state ‘at this time’ — the possibility remains that their position changes in the future;
    • current Dutch law provides some forms of compelled decryption: first, two provisions in intelligence law regarding targeted hacking and targeted interception (note: the law does not forbid the use of this power against a target, but for obvious reasons — e.g. maintaining operational secrecy — it seems likely it will typically only be used against third parties, for instance a provider, a roommate, etc.), and second, one provision in the code of criminal procedure (criminal law) regarding access to a secured computer (the law forbids the use of this power against a suspect because of nemo tenetur, i.e., the right to not self-incriminate);
    • in July 2015, the Dutch government proposed compelled decryption for untargeted (bulk) interception in a draft intelligence bill (intelligence law). The draft bill is currently being revised and is expected to be submitted to the House of Representatives by the end of Q1/2016. AFAIK it is expected that the final bill, that will be debated in the House of Representatives, will still include the new decryption provision. The status of the bill can be viewed here;
    • in December 2015, the Dutch government stated they cancelled the decryption provision in the final version of a cybercrime bill (more) (part of criminal law). The stated reason for cancelling: incompatibility with nemo tenetur. Why they initially introduced it — notably following a rather critical study by professor Bert-Jaap Koops — yet now cancelled it, is not clear (to me).

    On January 4th 2016, the Dutch government released a statement on encryption. It is covered by El Reg. Here is a full, unofficial translation of that statement (~1600 words; hyperlinks were added by the above translator):

    Government position on encryption

    We hereby submit the government position on encryption. This fulfills promises made during the General Meeting of the Telecom Council of June 10th 2015 (Parliamentary Papers 2014-2015, 21501-33, nr. 552) and the General Meeting of the JHA Council of October 7th 2015.


    Encryption is increasingly easy to obtain and use, and increasingly common in regular data communication. The government, the private sector and citizens increasingly use encryption to protect the confidentiality and integrity of communication and stored data. That is important for public trust in digital products and services, and for the Dutch economy, in the light of the rapidly developing digital society. At the same time, encryption obstructs access to information necessary for prosecution services and intelligence & security services when malicious persons (such as criminals and terrorists) use it. The recent attacks in Paris, where the terrorists possibly used encrypted communications, lead to the justified question of what is needed to provide these services with proper insight into attack planning, and to maintain that insight.

    The duality described in the previous paragraph was also heard in the public debate in the past months about the dilemmas of the use of encryption. The House [of Representatives; i.e., the lower house] has also discussed this. During the General Meeting of the Telecom Council it was asked what the government intends to do regarding the promotion of strong encryption. Besides that, the House requested the government to establish a position on encryption.

    Next, the importance of encryption for the system and information security of the government and the private sector, and for the constitutional protection of privacy and confidential communication, will be discussed. The importance of prosecution of serious criminal offenses and the protection of national security will be laid down. Finally, after weighing of the interests, a conclusion is drawn.

    The Dutch situation cannot be discussed without taking into account the international context. Software for strong encryption is increasingly available world-wide, and is already integrated in products or services. Considering the broad availability and use of advanced encryption techniques, and the cross-border nature of data traffic, options to act at a national level are limited.

    Importance of encryption for the government, private sector and citizens

    Cryptography plays a key role in technical security in the digital domain. Many cyber security measures in organizations depend strongly on the use of encryption. Secure storage of passwords, the protection of laptops against loss or theft, and the secure storage of backups are more difficult without the use of encryption. The protection of data transferred via the internet, for instance during internet banking, is only possible through the use of encryption. Due to the connectedness of systems and the global branches and various paths that communication can travel, the risk of interception, breach, access or manipulation of information and communication is always present.

    The government increasingly communicates with citizens via digital means, and provides services where confidential data is exchanged, such as the use of DigiD [a national authentication system that Dutch citizens can use to log in to the IRS, the cadastre, their municipality, etc.] or declaring taxes. As stated in the coalition agreement of 2012, citizens and companies should be able to carry out their interactions with the government entirely digitally by 2017. The government has the responsibility to ensure that confidential data is protected against access by third parties: encryption is indispensable for this. The protection of communication within the government also depends on encryption, such as the security of the exchange of diplomatic messages, and military communication.

    For companies, encryption is essential to store and transfer business information securely. The ability to use encryption strengthens the international competitiveness of the Netherlands, and promotes an attractive climate for businesses and innovation, including startups, data centers and cloud computing. Trust in secure communication and storage of data is essential for the (future) growing potential of the Dutch economy, that mainly resides in the digital economy.

    Encryption supports the protection of privacy and the confidentiality of citizens’ communications, because it provides them with a means to protect the confidentiality and integrity of personal data and communications. This is also important for exercising the right to free speech. It enables citizens, but also persons who hold an important democratic profession, such as journalists, to communicate confidentially.

    Encryption thus enables everyone to ensure the confidentiality and integrity of communication, and defend against, for instance, espionage and cyber crime. Fundamental rights and freedoms, as well as security interests and economic interests, benefit from this.

    Encryption, prosecution services and intelligence & security services

    The investigatory powers and means available to the services must be equipped for the present and future digital reality. Effective, lawful access to data promotes the security of the digital and physical world. Encryption used by malicious persons hinders access to data by the prosecution services and intelligence & security services. The services experience these barriers for instance when they investigate the distribution and storage of child pornography, while supporting military missions abroad, while countering cyber attacks, and when they want to gain and maintain insight into terrorists who are planning attacks. Criminals, terrorists and opponents in armed conflicts are often aware that they can attract attention of the services, and also possess advanced encryption methods that are difficult to circumvent or break. The use of such methods requires little technical knowledge, because encryption is often an integral part of the internet services that they too can use. That complicates, delays, or makes it impossible to gain (timely) insight into communication for the purpose of protecting national security and the purpose of prosecuting criminal offenses. Furthermore, court hearings and the providing of evidence in court for a conviction can be severely hindered.

    The right to privacy and confidentiality of citizens’ communication

    As mentioned before, the use of encryption supports citizens in ensuring privacy and confidentiality of their communication. Said lawful access to data and communication by prosecution services and intelligence & security services constitutes a breach of the confidentiality of citizens’ communication.

    Confidentiality of communication involves the constitutional protection for privacy and the right to protection of correspondence [letters, snail mail], telephone communication and telegraph communication (hereafter: ‘confidentiality of communications’). These constitutional rights are laid down in, respectively, Article 10 and Article 13 of the Dutch constitution. Besides that, these fundamental rights are laid down in Article 8 ECHR and Article 7 and Article 8 of the Charter of Fundamental Rights of the EU (insofar EU law is affected).

    The protection of constitutional rights applies to the digital world. Said constitutional regulations and international regulations provide the framework to counter unlawful breaches. Said rights are not absolute, meaning that limitations can be established insofar they meet the requirements set by the Dutch constitution and the ECHR (and insofar European Union law is affected, the EU Charter). A limitation is permissible when it serves a legitimate purpose, is established by law, and the limitation is foreseeable and cognizable [=transparent]. Furthermore, the limitation must be necessary in a democratic society. Finally, the infringement must be proportional, which means that the government’s purpose of the infringement must be proportional in relation to the infringement on the right to privacy and/or the right to confidentiality of communications.

    These requirements provide the framework for weighing the interests involved in encryption, such as the right to privacy and the right to confidentiality of communications, public and national security, and the prevention of criminal offenses. This framework, insofar it involves the special powers of the intelligence & security services, is also laid down in the Intelligence & Security Act of 2002 (‘Wiv2002’, Article 18 and Article 31). The obligations [for third parties] to cooperate with decryption laid down in the Wiv2002 (Article 24, third paragraph, and Article 25, seventh paragraph) and in the Code of Criminal Procedure (‘WvSv’, Article 126m, sixth member) can be invoked if the related special powers are exercised after such weighing.

    Discussion and conclusion

    Nowadays it is increasingly less often possible to break encryption. Furthermore, it is increasingly less often possible to demand unencrypted data from service providers. Increasingly often, modern uses of encryption mean that data is processed by the service providers only in encrypted form. Considering the importance of investigation and prosecution, and the interests involved with national security, these developments necessitate the search for new solutions.

    Currently, there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption. For instance by introducing a technical doorway [=backdoor, exceptional access] in an encryption product that would enable prosecution services to access encrypted files, digital systems can become vulnerable to criminals, terrorists and foreign intelligence services. This would have undesirable consequences for the security of communicated and stored information, and the integrity of IT systems, which are increasingly important to the functioning of society.

    In carrying out their legal tasks, prosecution services and intelligence & security services are partially relying on cooperation from providers of IT products and services. Given this dependence, consultation is necessary with providers regarding effective data provisioning in case of the use of their services by malicious persons, while taking into account everyone’s role and responsibilities, as well as the legal frameworks.

    Given this discussion, we draw the following conclusion:

    The government has the duty to protect the security of the Netherlands and to prosecute criminal offenses. The government emphasizes the necessity of lawful access to data and communication. Furthermore, governments, companies and citizens benefit from maximum security of digital systems. The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.

    Therefore, the government believes that at this time it is not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands. The Netherlands will propagate this conclusion, and the arguments that underlie it, internationally [recall: the Netherlands chairs the EU in the first half of 2016 and focuses on, among others, the digital domain]. Regarding the promotion of strong encryption, the Minister of Economic Affairs will follow up on the intent of the amendment (Parliamentary Papers 2015-2016, 34300 XIII, nr.10) on the budget of the Ministry of Economic Affairs [=grant EUR 500k to OpenSSL].

    (signed by the Minister of Security & Justice and the Minister of Economic Affairs)

    Further reading:

    • 2016-01-06: Wired is reporting on David Chaum’s plan to end the crypto war: PrivaTegrity, a backdoor scheme that requires cooperation between nine server administrators from nine countries. Chaum reportedly developed it “as a side project for the last two years along with a team of academic partners at Purdue, Radboud University in the Netherlands, Birmingham University and other schools”. Recall this sentence in the above translation of the Dutch gov’t statement on encryption: “Currently, there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption”. It is unclear (to me) whether the authors of the Dutch gov’t statement were aware of Chaum’s idea at the time they wrote that sentence. For details on Chaum et al.’s “cMix” scheme, see cMix: Anonymization by High-Performance Scalable Mixing (.pdf, 2016).

  • 25 Nov 2015 7:26 PM | Anonymous member (Administrator)

    Crowd Management Safety Guidelines for Retailers

    Crowd related injuries can occur during special sales and promotional events. In 2008, a worker died at the opening of a "Black Friday" sale on Long Island in New York.

    Under the Occupational Safety and Health Act of 1970, employers are responsible for providing their workers with safe and healthy workplaces. The Occupational Safety and Health Administration (OSHA) encourages employers to adopt effective safety and health management systems to identify and eliminate work-related hazards, including those caused by large crowds at retail sales events.

    OSHA has prepared these guidelines to help employers and store owners avoid injuries during the holiday shopping season, or other events where large crowds may gather. Crowd management planning should begin in advance of events that are likely to draw large crowds, and crowd management, pre-event setup, and emergency situation management should be part of event planning. OSHA recommends that employers planning a large shopping event adopt a plan that includes the following elements.

    In 2008, a 34-year-old retail worker was trampled to death when Black Friday shoppers in Long Island literally busted through the doors of a Walmart store to claim their holiday bargains. Since then, OSHA has issued "Crowd Management Safety Guidelines for Retailers."


    1. It’s wrong – perhaps illegal – to expect that shoppers will be able to control themselves enough to avoid destroying whatever stands between them and the best bargains.
    2. When counting your blessings this Thanksgiving, don’t forget to include the increased availability of online shopping, where the risk of getting trampled by Long Island shoppers at 5 a.m. is minimal.


    • Where large crowds are expected, hire additional staff as needed and have trained security or crowd management personnel or police officers on site.

    • Create a detailed staffing plan that designates a location for each worker. Based on the size of the crowd expected, determine the number of workers that are needed in various locations to ensure the safety of the event (e.g., near the door entrances and throughout the store).

    • Ensure that workers are properly trained to manage the event.

    • Contact local fire and police agencies to determine if the event site meets all public safety requirements, and ensure that all permits and licenses are obtained and that local emergency services, including the local police, fire department and hospital, are aware of the event.

    • Designate a worker to contact local emergency responders if necessary.

    • Designate a store manager to make key decisions as needed during the event.

    • Provide legible and visible signs that describe entrance and exit locations, store opening times, and other important information such as the location of major sale items and restrooms.

    • Prepare an emergency plan that addresses potential dangers facing workers, including overcrowding, crowd crushing, being struck by the crowd, violent acts and fire. Share the emergency plan with all local public safety agencies.

    • Train workers in crowd management procedures and the emergency plan. Provide them with an opportunity to practice the special event plan. Include local public safety agencies if appropriate.

    Pre-Event Setup:

    • Set up barricades or rope lines for crowd management well in advance of customers arriving at the store.

    • Make sure that barricades are set up so that the customers' line does not start right at the entrance to the store. This will allow for orderly crowd management entry and make it possible to divide crowds into small groups for the purpose of controlling entrance.

    • Ensure that barricade lines have an adequate number of breaks and turns at regular intervals to reduce the risk of customers pushing from the rear and possibly crushing others, including workers.

    • Designate workers to explain approach and entrance procedures to the arriving public, and direct them to lines or entrances.

    • Make sure that outside personnel have radios or some other way to communicate with personnel inside the store and emergency responders.

    • Consider using mechanisms such as numbered wristbands or tickets to provide the earlier arriving customers with first access to sale items.

    • Consider using an Internet lottery for "hot" items.

    • Locate sale items in different parts of the store to prevent overcrowding in one place.

    • Locate shopping carts and other potential obstacles or projectiles inside the store and away from the entrance, not in the parking lot.

    • If appropriate, provide public amenities including toilets, washbasins, water and shelter.

    • Communicate updated information to customers waiting in line. Have signs and distribute pamphlets showing the location of entrances and exits, store opening times and location of special sales items within the store.

    • Shortly before opening, remind waiting crowds of the entrance process (i.e., limiting entry to small groups, redemption of numbered tickets, etc.).

    During the Sales Event:

    • Provide a separate store entrance for staff. Provide door monitors there to prevent crowd entry.

    • Make sure that all employees and crowd control personnel are aware that the doors are about to open.

    • Staff entrances with uniformed guards, police or other authorized personnel.

    • Use a public address system or bullhorns to manage the entering crowd and to communicate information or problems.

    • Position security or crowd managers to the sides of the entering (or exiting) public, not in the center of their path.

    • Provide crowd and entry management measures at all entrances, including the ones not being used. If possible, use more than one entrance.

    • When the store reaches maximum occupancy, do not allow additional customers to enter until the occupancy level drops.

    • Provide a safe entrance for people with disabilities.

    Emergency Situations:

    §  Do not restrict egress, and do not block or lock exit doors.

    §  Know in advance who to call for emergency medical response.

    §  Keep first-aid kits and Automated External Defibrillators (AEDs) available, and have personnel trained in using AEDs and CPR onsite.

    §  Instruct employees, in the event of an emergency, to follow instructions from authorized first responders, regardless of company rules.

    This is one in a series of informational fact sheets highlighting OSHA programs, policies or standards. It does not impose any new compliance requirements. For a comprehensive list of compliance requirements of OSHA standards or regulations, refer to Title 29 of the Code of Federal Regulations.

    Have a Safe and Happy Thanksgiving Day too!

    Bruce H. Hulme, CFE, BAI - ISPLA Director of Government Affairs

  • 19 Oct 2015 5:41 PM | Anonymous member (Administrator)

    New York State Rifle & Pistol Ass’n, Inc., et al. v. Cuomo, et al.

    Connecticut Citizens’ Defense League, et al. v. Malloy, et al.

    14-36-cv (L); 14-319-cv

    Laws in New York and Connecticut prohibiting certain semiautomatic assault weapons and large-capacity ammunition magazines do not violate the Second Amendment, the U.S. Court of Appeals for the Second Circuit ruled. Upholding laws passed in the wake of the 2012 murder of 20 students and six adults at the Sandy Hook Elementary School in Newtown, Connecticut, the Second Circuit said the measures do not violate the Second Amendment's guarantee of "the right of the people to keep and bear arms."

    In the first case, the court upheld, with one exception, Western District Judge William Skretny's grant of summary judgment to New York. The circuit held only that one provision of New York's law regulating load limits on guns did not survive scrutiny.

    In the second case, the circuit upheld summary judgment for Connecticut granted by U.S. District Judge Alfred Covello of the District of Connecticut except on one provision: the state's prohibition of the non-semiautomatic Remington 7615 "unconstitutionally infringes upon the Second Amendment right," Judge Jose Cabranes wrote for the court.

    Cabranes said the court was adopting a two-step analytical framework for challenges under the Second Amendment in light of the U.S. Supreme Court's decision in District of Columbia v. Heller, 554 U.S. 570 (2008) and the case law as it has developed since Heller.

    Heller struck down the District of Columbia's ban on handgun possession as it affirmed the individual right to possess and carry weapons in "common use" and "for lawful purposes like self-defense."


    Investigative and Security Professionals should consider reviewing the 57-page opinion of the U.S. Court of Appeals for the Second Circuit in the New York and Connecticut appeals. What follows is merely an ISPLA summary of a few key points.

    Before the Second Circuit Court were two appeals challenging gun-control legislation enacted by the New York and Connecticut legislatures in the wake of the 2012 mass murders at Sandy Hook Elementary School in Newtown, Connecticut. The New York and Connecticut laws at issue prohibit the possession of certain semiautomatic “assault weapons” and large-capacity magazines. Following the entry of summary judgment in favor of defendants on the central claims in both the Western District of New York (William M. Skretny, Chief Judge) and the District of Connecticut (Alfred V. Covello, Judge), plaintiffs in both suits pressed two arguments on appeal. First, they challenged the constitutionality of the statutes under the Second Amendment; and second, they challenged certain provisions of the statutes as unconstitutionally vague. Defendants in the New York action also cross-appeal the District Court’s invalidation of New York’s separate seven-round load limit and voiding of two statutory provisions as facially unconstitutionally vague.


    To summarize, we hold as follows:

    (1) The core prohibitions by New York and Connecticut of assault weapons and large-capacity magazines do not violate the Second Amendment.

             (a) We assume that the majority of the prohibited conduct falls within the scope of Second Amendment protections. The statutes are appropriately evaluated under the constitutional standard of “intermediate scrutiny”—that is, whether they are “substantially related to the achievement of an important governmental interest.”

             (b) Because the prohibitions are substantially related to the important governmental interests of public safety and crime reduction, they pass constitutional muster.

    We therefore AFFIRM the relevant portions of the judgments of the Western District of New York and the District of Connecticut insofar as they upheld the constitutionality of state prohibitions on semiautomatic assault weapons and large-capacity magazines.

    (2) We hold that the specific prohibition on the non-semiautomatic Remington 7615 falls within the scope of Second Amendment protection and subsequently fails intermediate scrutiny.

    Accordingly, we REVERSE that limited portion of the judgment of the District of Connecticut. In doing so, we emphasize the limited nature of our holding with respect to the Remington 7615, in that it merely reflects the presumption required by the Supreme Court in District of Columbia v. Heller that the Second Amendment extends to all bearable arms, and that the State, by failing to present any argument at all regarding this weapon or others like it, has failed to rebut that presumption. We do not foreclose the possibility that States could in the future present evidence to support such a prohibition.

    (3) New York’s seven-round load limit does not survive intermediate scrutiny in the absence of requisite record evidence and a substantial relationship between the statutory provision and important state safety interests.

    We therefore AFFIRM the judgment of the Western District of New York insofar as it held this provision unconstitutional.

    The following concerns the Seven-Round Load Limit, a controversial measure that passed in New York during the "Dead of Night" within weeks after the shooting.

    "Though the key provisions of both statutes pass constitutional muster on this record, another aspect of New York’s SAFE Act does not: the seven-round load limit, which makes it 'unlawful for a person to knowingly possess an ammunition feeding device where such device contains more than seven rounds of ammunition.'

    "As noted above, the seven-round load limit was a second-best solution. New York determined that only magazines containing seven rounds or fewer can be safely possessed, but it also recognized that seven-round magazines are difficult to obtain commercially. Its compromise was to permit gun owners to use ten-round magazines if they were loaded with seven or fewer rounds. On the record before us, we cannot conclude that New York has presented sufficient evidence that a seven-round load limit would best protect public safety. Here we are considering not a capacity restriction, but rather a load limit. Nothing in the SAFE Act will outlaw or reduce the number of ten-round magazines in circulation. It will not decrease their availability or in any way frustrate the access of those who intend to use ten-round magazines.

    "To be sure, the mere possibility of criminal disregard of the laws does not foreclose an attempt by the state to enact firearm regulations. But on intermediate scrutiny review, the state cannot 'get away with shoddy data or reasoning.' To survive intermediate scrutiny, the defendants must show 'reasonable inferences based on substantial evidence' that the statutes are substantially related to the governmental interest. With respect to the load limit provision alone, New York has failed to do so."

    A link to the full opinion is at:

    Bruce Hulme, CFE, BAI

    ISPLA Director of Government Affairs

  • 15 Sep 2015 7:18 PM | Anonymous member (Administrator)

    UNLICENSED FLORIDA PI ARRESTED FOR COMPUTER CRIME: claims to be searching for transfer of funds from charitable organization to Jihadist groups

    Manhattan U.S. Attorney Announces Charges Against Florida "Private Investigator" For Attempting To Gain Unauthorized Access To The Computer Network Of A Global Charitable Organization

    Preet Bharara, the United States Attorney for the Southern District of New York and Robert J. Sica, the Special Agent in Charge of the New York Office of the United States Secret Service, announced on September 14 the filing of a criminal complaint against TIMOTHY SEDLAK for attempting to gain unauthorized access to the computer network of a global charitable organization based in New York, NY (the “Organization”).  Sedlak was arrested in Ocoee, Florida on the evening of September 11, 2015 and was presented September 14 in federal court before U.S. Magistrate Judge Gregory J. Kelly in Orlando, FL.

    Sedlak, 42, of Ocoee, Florida, was charged with one count of attempted unauthorized access to a computer, which carries a maximum sentence of five years.  The maximum potential sentence in this case is prescribed by Congress and is provided for informational purposes only. According to the complaint, an unidentified global charity headquartered in New York experienced some 390,000 attempts to gain unauthorized access to its computer network from June to July 2015.

    The attempted intrusions, which disrupted employees' ability to access email and conduct business, were made by computers associated with two internet protocol addresses subscribed to by Sedlak at his home in Florida.

    On LinkedIn, Sedlak holds himself out as an investigator with Surveillance Associates, LLC, a Florida company registered in his name. However, the complaint indicates that he did not have a license to work as a private investigator in Florida.

    The Complaint filed in Manhattan federal court also revealed the following:

    Computers associated with two particular internet protocol addresses made nearly four hundred thousand attempts to gain unauthorized access to the Organization’s computer network.  As a result, numerous Organization employees experienced difficulty accessing their Organization email accounts, and were disrupted in their ability to conduct regular business functions.  Both of the IP Addresses were subscribed to Sedlak at his residence in Florida.

    In particular, between June 22, 2015 and July 8, 2015, from one of the IP Addresses, there were approximately 195,000 attempts to log into approximately twenty email accounts of the Organization.  Between July 8, 2015 and July 10, 2015, from the other IP Address, there were an additional approximately 195,000 attempts to log into approximately six email accounts of the Organization.  Sedlak had never been employed by the Organization, and was not authorized to access any email accounts of the Organization.

    On September 11, 2015, US Secret Service agents executed a search warrant at the Sedlak Residence, from which they seized, among other things, (i) approximately 30 computers connected to the same internal network, which enabled each computer to communicate with the others (the “Sedlak Computers”); (ii) notes pertaining to the Organization, an executive of the Organization (“Individual-1”) and an individual who has been publicly affiliated with the Organization (“Individual-2”), including e-mail addresses, registrant information for certain website domain names, and certain IP address information associated with the Organization, Individual-1 and/or Individual-2; and (iii) lists of e-mail addresses and e-mail servers, many of which included the word “jihad.”  The Sedlak Computers contained, among other things, a list of certain Organization employees’ email account usernames, and a “brute force” password-cracking tool.  Such a tool is designed to launch a relentless barrage of potential passwords at an email account in an attempt to guess the account’s password.

    That same date Secret Service agents interviewed Sedlak, who claimed to be using the computers to conduct “research” into charitable organizations in the course of his work as a private investigator.  He claimed to be trying to determine if the organizations were unintentionally financing jihadist groups by sending funds to charitable organizations in the Middle East, which are then seized by jihadist groups.  When questioned about notes pertaining to Individual-1 and Individual-2 found at the Sedlak residence, he claimed that he came across such information in his “research” into the financing of jihadist groups and that he hoped to sell the information he found.

    The investigation remains ongoing. This case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  AUSA Kristy J. Greenberg is in charge of the prosecution. (U.S. v. Sedlak, U.S. District Court, SDNY - No. 15-mj-3265)

    Bruce Hulme, ISPLA Director of Government Affairs

    Your Resource to the Profession, to Government, and to the Media

    Educate to Legislate:
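The complaint summarized above describes the trace a brute-force tool leaves in a mail server's logs: roughly 195,000 failed logins over sixteen days against about twenty accounts from one address, then another 195,000 over two days against about six accounts from a second address, with the side effect that legitimate staff were disrupted. The Python below is an added example written for this page, not code from the DOJ release or the ISPLA post: it runs a sliding-window failed-login detector over constructed log lines. The log format, the field names, the IP addresses and the threshold of 20 failures in ten minutes are all assumptions for illustration.

```python
"""Sliding-window brute-force login detection over constructed auth-log lines.

Added example for this page; not part of the DOJ release or the ISPLA post.
Assumed log format (not a real product's format):
    <ISO-8601 UTC timestamp> <auth-ok|auth-fail> user=<account> src=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<result>auth-ok|auth-fail)"
    r"\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None for malformed lines so they are skipped, not miscounted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m["result"] == "auth-ok", "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, window=timedelta(minutes=10), threshold=20):
    """Return one alert per source IP whose failures reach `threshold` inside any `window`.

    Each alert carries the distinct accounts hit (a single-account dictionary attack
    and a many-account spray look different here) and any success from the same
    source after the burst began, which is the case to escalate first.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)    # src -> failure timestamps, in time order
    accounts = defaultdict(set)     # src -> accounts targeted
    successes = defaultdict(list)   # src -> (timestamp, account) of successful logins
    for e in events:
        if e["ok"]:
            successes[e["src"]].append((e["ts"], e["user"]))
        else:
            failures[e["src"]].append(e["ts"])
            accounts[e["src"]].add(e["user"])

    alerts = []
    for src, times in failures.items():
        start, peak, first_hit = 0, 0, None
        for i, t in enumerate(times):
            # Advance the window's left edge until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            count = i - start + 1
            peak = max(peak, count)
            if count >= threshold and first_hit is None:
                first_hit = t
        if first_hit is not None:
            alerts.append({
                "src": src,
                "total_failures": len(times),
                "peak_in_window": peak,
                "accounts": sorted(accounts[src]),
                "success_after_burst": [s for s in successes[src] if s[0] >= first_hit],
            })
    return alerts


def sample_log():
    """Constructed sample data: 60 failures in three minutes from 203.0.113.7
    against three accounts, followed by one success; a benign user at
    198.51.100.2 with two typos hours apart; and one malformed line."""
    base = datetime(2015, 6, 22, 3, 0, 0)
    targets = ["alice", "bob", "carol"]
    lines = [
        f"{base + timedelta(seconds=3 * i):%Y-%m-%dT%H:%M:%SZ} auth-fail user={targets[i % 3]} src=203.0.113.7"
        for i in range(60)
    ]
    lines.append(f"{base + timedelta(seconds=200):%Y-%m-%dT%H:%M:%SZ} auth-ok user=bob src=203.0.113.7")
    for i, result in enumerate(["auth-fail", "auth-fail", "auth-ok"]):
        lines.append(f"{base + timedelta(hours=4 * i):%Y-%m-%dT%H:%M:%SZ} {result} user=dave src=198.51.100.2")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(sample_log()):
        print(alert)
```

The illustrative threshold is deliberately low; the rates in the complaint (195,000 attempts over sixteen days, then 195,000 over two days) average well above 20 per ten minutes, so either address would trip it within the first window. Keying on the source address is the right first cut for this case, where two subscriber IPs carried everything, but it misses a spray spread across many addresses with one attempt each; a second counter keyed on the target account, or on the number of distinct accounts per source, covers that. The disruption to employees' email access described in the complaint is what a lockout policy looks like from the inside when a tool like this runs against it, which is one reason to alert on the burst rather than wait for the lockouts.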


  • 04 Sep 2015 2:32 PM | Anonymous member (Administrator)

    Department of Justice Policy Guidance: Use of Cell-Site Simulator Technology

    Cell-site simulator technology provides valuable assistance in support of important public safety objectives. Whether deployed as part of a fugitive apprehension effort, a complex narcotics investigation, or to locate or rescue a kidnapped child, cell-site simulators fulfill critical operational needs.

    As with any law enforcement capability, the Department must use cell-site simulators in a manner that is consistent with the requirements and protections of the Constitution, including the Fourth Amendment, and applicable statutory authorities, including the Pen Register Statute. Moreover, any information resulting from the use of cell-site simulators must be handled in a way that is consistent with the array of applicable statutes, regulations, and policies that guide law enforcement in how it may and may not collect, retain, and disclose data.

    As technology evolves, the Department must continue to assess its tools to ensure that practice and applicable policies reflect the Department’s law enforcement and national security missions, as well as the Department’s commitments to accord appropriate respect for individuals’ privacy and civil liberties. This policy provides additional guidance and establishes common principles for the use of cell-site simulators across the Department.[1] The Department’s individual law enforcement components may issue additional specific guidance consistent with this policy.

    [1] This policy applies to the use of cell-site simulator technology inside the United States in furtherance of criminal investigations. When acting pursuant to the Foreign Intelligence Surveillance Act, Department of Justice components will make a probable-cause based showing and appropriate disclosures to the court in a manner that is consistent with the guidance set forth in this policy.


    Background

    Cell-site simulators, on occasion, have been the subject of misperception and confusion. To avoid any confusion here, this section provides information about the use of the equipment and defines the capabilities that are the subject of this policy.

    Basic Uses

    Law enforcement agents can use cell-site simulators to help locate cellular devices whose unique identifiers are already known to law enforcement, or to determine the unique identifiers of an unknown device by collecting limited signaling information from devices in the simulator user’s vicinity. This technology is one tool among many traditional law enforcement techniques, and is deployed only in the fraction of cases in which the capability is best suited to achieve specific public safety objectives.

    How They Function

    Cell-site simulators, as governed by this policy, function by transmitting as a cell tower. In response to the signals emitted by the simulator, cellular devices in the proximity of the device identify the simulator as the most attractive cell tower in the area and thus transmit signals to the simulator that identify the device in the same way that they would with a networked tower.

    A cell-site simulator receives and uses an industry standard unique identifying number assigned by a device manufacturer or cellular network provider. When used to locate a known cellular device, a cell-site simulator initially receives the unique identifying number from multiple devices in the vicinity of the simulator. Once the cell-site simulator identifies the specific cellular device for which it is looking, it will obtain the signaling information relating only to that particular phone. When used to identify an unknown device, the cell-site simulator obtains signaling information from non-target devices in the target’s vicinity for the limited purpose of distinguishing the target device.

    What They Do and Do Not Obtain

    By transmitting as a cell tower, cell-site simulators acquire the identifying information from cellular devices. This identifying information is limited, however. Cell-site simulators provide only the relative signal strength and general direction of a subject cellular telephone; they do not function as a GPS locator, as they do not obtain or download any location information from the device or its applications. Moreover, cell-site simulators used by the Department must be configured as pen registers, and may not be used to collect the contents of any communication, in accordance with 18 U.S.C. § 3127(3). This includes any data contained on the phone itself: the simulator does not remotely capture emails, texts, contact lists, images or any other data from the phone. In addition, Department cell-site simulators do not provide subscriber account information (for example, an account holder’s name, address, or telephone number).


    This policy guidance is intended only to improve the internal management of the Department of Justice. It is not intended to and does not create any right, benefit, trust, or responsibility, whether substantive or procedural, enforceable at law or equity by a party against the United States, its departments, agencies, instrumentalities, entities, officers, employees, or agents, or any person, nor does it create any right of review in an administrative, judicial, or any other proceeding.

    Management Controls and Accountability

    Cell-site simulators require training and practice to operate correctly. To that end, the following management controls and approval processes will help ensure that only knowledgeable and accountable personnel will use the technology.

    1. Department personnel must be trained and supervised appropriately. Cell-site simulators may be operated only by trained personnel who have been authorized by their agency to use the technology and whose training has been administered by a qualified agency component or expert.

    2. Within 30 days, agencies shall designate an executive-level point of contact at each division or district office responsible for the implementation of this policy, and for promoting compliance with its provisions, within his or her jurisdiction.

    3. Prior to deployment of the technology, use of a cell-site simulator by the agency must be approved by an appropriate individual who has attained the grade of a first-level supervisor. Any emergency use of a cell-site simulator must be approved by an appropriate second-level supervisor. Any use of a cell-site simulator on an aircraft must be approved either by the executive-level point of contact for the jurisdiction, as described in paragraph 2 of this section, or by a branch or unit chief at the agency’s headquarters.

    Each agency shall identify training protocols. These protocols must include training on privacy and civil liberties developed in consultation with the Department’s Chief Privacy and Civil Liberties Officer.


    Legal Process and Court Orders

    The use of cell-site simulators is permitted only as authorized by law and policy. While the Department has, in the past, appropriately obtained authorization to use a cell-site simulator by seeking an order pursuant to the Pen Register Statute, as a matter of policy, law enforcement agencies must now obtain a search warrant supported by probable cause and issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure (or the applicable state equivalent), except as provided below.

    As a practical matter, because prosecutors will need to seek authority pursuant to Rule 41 and the Pen Register Statute, prosecutors should, depending on the rules in their jurisdiction, either (1) obtain a warrant that contains all information required to be included in a pen register order pursuant to 18 U.S.C. § 3123 (or the state equivalent), or (2) seek a warrant and a pen register order concurrently. The search warrant affidavit also must reflect the information noted in the immediately following section of this policy (“Applications for Use of Cell-Site Simulators”).

    There are two circumstances in which this policy does not require a warrant prior to the use of a cell-site simulator.

    1. Exigent Circumstances under the Fourth Amendment

    Exigent circumstances can vitiate a Fourth Amendment warrant requirement, but cell-site simulators still require court approval in order to be lawfully deployed. An exigency that excuses the need to obtain a warrant may arise when the needs of law enforcement are so compelling that they render a warrantless search objectively reasonable. When an officer has the requisite probable cause, a variety of types of exigent circumstances may justify dispensing with a warrant. These include the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice.

    In this circumstance, the use of a cell-site simulator still must comply with the Pen Register Statute, 18 U.S.C. § 3121, et seq., which ordinarily requires judicial authorization before use of the cell-site simulator, based on the government’s certification that the information sought is relevant to an ongoing criminal investigation. In addition, in the subset of exigent situations where circumstances necessitate emergency pen register authority pursuant to 18 U.S.C. § 3125 (or the state equivalent), the emergency must be among those listed in Section 3125: immediate danger of death or serious bodily injury to any person; conspiratorial activities characteristic of organized crime; an immediate threat to a national security interest; or an ongoing attack on a protected computer (as defined in 18 U.S.C. § 1030) that constitutes a crime punishable by a term of imprisonment greater than one year. In addition, the operator must obtain the requisite internal approval to use a pen register before using a cell-site simulator. In order to comply with the terms of this policy and with 18 U.S.C. § 3125,[3] the operator must contact the duty AUSA in the local U.S. Attorney’s Office, who will then call the DOJ Command Center to reach a supervisory attorney in the Electronic Surveillance Unit (ESU) of the Office of Enforcement Operations.[4] Assuming the parameters of the statute are met, the ESU attorney will contact a DAAG in the Criminal Division[5] and provide a short briefing. If the DAAG approves, the ESU attorney will relay the verbal authorization to the AUSA, who must also apply for a court order within 48 hours as required by 18 U.S.C. § 3125. Under the provisions of the Pen Register Statute, use under emergency pen-trap authority must end when the information sought is obtained, an application for an order is denied, or 48 hours has passed, whichever comes first.

    [3] Knowing use of a pen register under emergency authorization without applying for a court order within 48 hours is a criminal violation of the Pen Register Statute, pursuant to 18 U.S.C. § 3125(c).

    [4] In non-federal cases, the operator must contact the prosecutor and any other applicable points of contact for the state or local jurisdiction.

    [5] In requests for emergency pen authority, and for relief under the exceptional circumstances provision, the Criminal Division DAAG will consult as appropriate with a National Security Division DAAG on matters within the National Security Division’s purview.

    2. Exceptional Circumstances Where the Law Does Not Require a Warrant

    There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

    In this circumstance, the use of a cell-site simulator still must comply with the Pen Register Statute, 18 U.S.C. § 3121, et seq., which ordinarily requires judicial authorization before use of the cell-site simulator, based on the government’s certification that the information sought is relevant to an ongoing criminal investigation. In addition, if circumstances necessitate emergency pen register authority, compliance with the provisions outlined in 18 U.S.C. § 3125 is required (see provisions in section 1 directly above).


    Applications for Use of Cell-Site Simulators

    When making any application to a court, the Department’s lawyers and law enforcement officers must, as always, disclose appropriately and accurately the underlying purpose and activities for which an order or authorization is sought. Law enforcement agents must consult with prosecutors[6] in advance of using a cell-site simulator, and applications for the use of a cell-site simulator must include sufficient information to ensure that the courts are aware that the technology may be used.[7]

    [6] While this provision typically will implicate notification to Assistant United States Attorneys, it also extends to state and local prosecutors, where such personnel are engaged in operations involving cell-site simulators.

    [7] Courts in certain jurisdictions may require additional technical information regarding the cell-site simulator’s operation (e.g., tradecraft, capabilities, limitations or specifications). Sample applications containing such technical information are available from the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division. To ensure courts receive appropriate and accurate information regarding the technical information described above, prior to filing an application that deviates from the sample filings, agents or prosecutors must contact CCIPS, which will coordinate with appropriate Department components.

    1. Regardless of the legal authority relied upon, at the time of making an application for use of a cell-site simulator, the application or supporting affidavit should describe in general terms the technique to be employed. The description should indicate that investigators plan to send signals to the cellular phone that will cause it, and non-target phones on the same provider network in close physical proximity, to emit unique identifiers, which will be obtained by the technology, and that investigators will use the information collected to determine information pertaining to the physical location of the target cellular device or to determine the currently unknown identifiers of the target device. If investigators will use the equipment to determine unique identifiers at multiple locations and/or multiple times at the same location, the application should indicate this also.

    2. An application or supporting affidavit should inform the court that the target cellular device (e.g., cell phone) and other cellular devices in the area might experience a temporary disruption of service from the service provider. The application may also note, if accurate, that any potential service disruption to non-target devices would be temporary and all operations will be conducted to ensure the minimal amount of interference to non-target devices.

    3. An application for the use of a cell-site simulator should inform the court about how law enforcement intends to address deletion of data not associated with the target phone. The application should also indicate that law enforcement will make no affirmative investigative use of any non-target data absent further order of the court, except to identify and distinguish the target device from other devices.


    Data Collection and Disposal

    The Department is committed to ensuring that law enforcement practices concerning the collection or retention[8] of data are lawful, and appropriately respect the important privacy interests of individuals. As part of this commitment, the Department’s law enforcement agencies operate in accordance with rules, policies, and laws that control the collection, retention, dissemination, and disposition of records that contain personal identifying information. As with data collected in the course of any investigation, these authorities apply to information collected through the use of a cell-site simulator. Consistent with applicable existing laws and requirements, including any duty to preserve exculpatory evidence,[9] the Department’s use of cell-site simulators shall include the following practices:

    [8] In the context of this policy, the terms “collection” and “retention” are used to address only the unique technical process of identifying dialing, routing, addressing, or signaling information, as described by 18 U.S.C. § 3127(3), emitted by cellular devices. “Collection” means the process by which unique identifier signals are obtained; “retention” refers to the period during which the dialing, routing, addressing, or signaling information is utilized to locate or identify a target device, continuing until the point at which such information is deleted.

    [9] It is not likely, given the limited type of data cell-site simulators collect (as discussed above), that exculpatory evidence would be obtained by a cell-site simulator in the course of criminal law enforcement investigations. As in other circumstances, however, to the extent investigators know or have reason to believe that information is exculpatory or impeaching they have a duty to memorialize that information.

    1. When the equipment is used to locate a known cellular device, all data must be deleted as soon as that device is located, and no less than once daily.

    2. When the equipment is used to identify an unknown cellular device, all data must be deleted as soon as the target cellular device is identified, and in any event no less than once every 30 days.

    3. Prior to deploying equipment for another mission, the operator must verify that the equipment has been cleared of any previous operational data.

    Agencies shall implement an auditing program to ensure that the data is deleted in the manner described above.


    State and Local Partners

    The Department often works closely with its State and Local law enforcement partners and provides technological assistance under a variety of circumstances. This policy applies to all instances in which Department components use cell-site simulators in support of other Federal agencies and/or State and Local law enforcement agencies.


    Training and Coordination

    Accountability is an essential element in maintaining the integrity of our Federal law enforcement agencies. Each law enforcement agency shall provide this policy, and training as appropriate, to all relevant employees. Periodic review of this policy and training shall be the responsibility of each agency with respect to the way the equipment is being used (e.g., significant advances in technological capabilities, the kind of data collected, or the manner in which it is collected). We expect that agents will familiarize themselves with this policy and comply with all agency orders concerning the use of this technology.

    Each division or district office shall report to its agency headquarters annual records reflecting the total number of times a cell-site simulator is deployed in the jurisdiction; the number of deployments at the request of other agencies, including State or Local law enforcement; and the number of times the technology is deployed in emergency circumstances.

    Similarly, it is vital that all appropriate Department attorneys familiarize themselves with the contents of this policy, so that their court filings and disclosures are appropriate and consistent. Model materials will be provided to all United States Attorneys’ Offices and litigating components, each of which shall conduct training for their attorneys.

    * * *

    Cell-site simulator technology significantly enhances the Department’s efforts to achieve its public safety and law enforcement objectives. As with other capabilities, the Department must always use the technology in a manner that is consistent with the Constitution and all other legal authorities. This policy provides additional common principles designed to ensure that the Department continues to deploy cell-site simulators in an effective, appropriate, and consistent way.

  • 14 Apr 2015 10:43 AM | Anonymous member (Administrator)





    v. CASE NO: 8:14-cr-379-T-36TGW




    This matter comes before the Court upon the Defendant’s Motion for an Evidentiary Hearing on Admission of Polygraph Evidence (Doc. 67). An evidentiary hearing was held on this matter on December 23, 2014. In the motion, Defendant sought a hearing on the admissibility of the polygraph evidence and a ruling on the admissibility of said evidence. Accordingly, the Court will construe Defendant’s Motion for an Evidentiary Hearing on Admission of Polygraph Evidence (Doc. 67) as a motion to determine the admissibility of the polygraph evidence under Federal Rule of Evidence 702. The Court, having considered the motion and being fully advised in the premises, will grant the Motion and permit the polygraph evidence to be admitted at trial.

    I. Background

    Defendant Angulo-Mosquera, a 53-year-old deckhand and cook, was indicted on September 4, 2014 in the Middle District of Florida on charges related to the seizure of 1,700 kilograms of cocaine concealed on board a freighter known as the "Hope II" in August 2014.

    Defendant Angulo-Mosquera is a Colombian national with no known criminal record in any country. He has never before been in the United States. Defendant Angulo-Mosquera denies any knowledge of the drugs found concealed on the Hope II and any involvement of any kind in the illegal drug trade.

    After several lengthy interviews by counsel with the assistance of a court-certified interpreter (also from Colombia), Defendant Angulo-Mosquera agreed to submit to a polygraph examination administered by James Orr, a former special agent for the FBI with extensive experience in administering polygraph examinations on behalf of the United States government. According to Mr. Orr, the examination results indicated that there was no deception on the following relevant questions:

    1. Did you know those drugs were on that ship before the Coast Guard boarded the ship? Answer: No.

    2. Did you know those drugs were on the Hope II before the Coast Guard boarded that ship? Answer: No.

    3. Did you know those drugs were on that ship before the Coast Guard found them in August? Answer: No.

    Doc. 67 at p. 2; Doc. 67-1 at p. 4. Mr. Angulo-Mosquera answered “No” to all three questions. Raskin Dec. ¶ 38.

    Defendant Angulo-Mosquera plans to testify in his own defense at trial and requests that the results of the polygraph examination be admitted into evidence to corroborate his testimony. The Government objects, arguing that polygraph examinations are just “one step above” junk science and are “not suitable for juror consumption.” TR at 46:15-24, 49:16-17. The results of the polygraph examination, if admitted at trial, would be presented through expert witness testimony. Thus, on December 23, 2014, the Court held an evidentiary hearing to determine the admissibility of the polygraph evidence and expert testimony regarding same, under Federal Rule of Evidence 702 (“Rule 702”) and Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).

    At the hearing, Defendant Angulo-Mosquera presented the testimony of Dr. David C. Raskin, who for 44 years has conducted laboratory and field research on polygraph techniques for the detection of deception, taught university courses about polygraph techniques, trained government and law enforcement polygraph examiners, and published extensively on polygraph techniques, regarding the reliability of polygraph examinations in general and the examination in this case specifically.

    II. Standard of Review

    The Eleventh Circuit has held that polygraph evidence may be admitted to impeach or corroborate witness testimony at trial. See United States v. Piccinonna, 885 F.2d 1529, 1535 (11th Cir. 1989) (en banc); United States v. Gilliard, 133 F.3d 809, 811-12 (11th Cir. 1998).

    In Piccinonna, the [Eleventh Circuit] fashioned a novel approach to the admissibility of polygraph evidence. The decision to change the legal landscape was based on the Court's view that advances in the science of polygraph have greatly increased the reliability of the tests and consequently reduced many of the prejudicial effects. The Eleventh Circuit outlined two situations where polygraph evidence may be admitted. Id. at 1536. The first instance is stipulated polygraph evidence. The second instance, the one most relevant for the purposes of the instant case, is polygraph evidence used to impeach or corroborate the testimony of a witness at trial.

    The Court stated that polygraph evidence may be used to impeach or corroborate, subject to three preliminary requirements. First, the party planning to use the evidence must provide sufficient notice to the opposing party. Second, the opposing party must be given a reasonable opportunity to have its own expert administer a polygraph examination which is materially similar to the previously taken examination. Third, the admissibility of evidence is subject to the relevant provisions of the Federal Rules of Evidence, specifically, Fed. R. Evid. 608 and 702.

    United States v. Crumby, 895 F. Supp. 1354, 1357 (D. Ariz. 1995). See also United States v. Henderson, 409 F.3d 1293, 1301-1302 (11th Cir. 2005). District courts have discretion regarding whether to admit polygraph evidence in a particular case. See id. Both the Eleventh Circuit and the U.S. Supreme Court have held that “reasonable judges can disagree over the reliability of polygraph methodology.” Id. at 1303. Thus, it is incumbent on district courts to review the evidence presented and determine admissibility under Rule 702.

    Rule 702 compels district courts to perform a “gatekeeping” function, an exacting analysis of the foundations of expert opinions to ensure they meet the standards for admissibility under the rule. United States v. Frazier, 387 F.3d 1244, 1260 (11th Cir. 2004) (citations and quotations omitted). This requirement is to ensure the reliability and relevancy of expert testimony. Kumho Tire Co., Ltd. v. Carmichael, 526 U.S. 137, 152 (1999).

    Thus, in determining the admissibility of expert testimony under Rule 702, courts must engage in a rigorous three-part inquiry, determining whether:

    (1) the expert is qualified to testify competently regarding the matters he intends to address; (2) the methodology by which the expert reaches his conclusions is sufficiently reliable as determined by the sort of inquiry mandated in Daubert; and (3) the testimony assists the trier of fact, through the application of scientific, technical, or specialized expertise, to understand the evidence or to determine a fact in issue.

    Frazier, 387 F.3d at 1260 (citations omitted). “While there is inevitably some overlap among the basic requirements – qualification, reliability, and helpfulness – they remain distinct concepts and the courts must take care not to conflate them.” Id. It is the proponent of expert testimony who bears “the burden to show that his expert is qualified to testify competently regarding the matters he intended to address; the methodology by which the expert reached his conclusions is sufficiently reliable; and the testimony assists the trier of fact.” Id. (citations and internal quotations omitted).

    The Supreme Court has stated that, in order for a trial judge to determine whether the expert is proposing to testify to scientific knowledge that will assist the trier of fact to understand or determine a fact in issue, this entails “a preliminary assessment of whether the reasoning or methodology underlying the testimony is scientifically valid and of whether that reasoning or methodology properly can be applied to the facts in issue.” Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579, 592-93 (1993). Some factors that bear on this inquiry are:

    1) whether the expert’s theories, methods or techniques can be or have been tested;

    2) whether the technique, method, or theory has been subject to peer review and publications;

    3) whether the known or potential rate of error of the technique when applied is acceptable; and

    4) whether the technique, method, or theory has been generally accepted in the scientific community.


    Daubert, 509 U.S. at 593-94. The Supreme Court was clear, however, that this was not a definitive or exhaustive list and was intended to be applied in a flexible manner. Id.; see also United Fire & Casualty Co. v. Whirlpool Corp., 704 F.3d 1338, 1341 (11th Cir. 2013). The focus is on the scientific validity and the evidentiary relevance and reliability of the principles and methodology underlying a proposed submission. Daubert, 509 U.S. at 594-95.

    III. Discussion

    There is no argument here that the Government lacked sufficient notice or a reasonable opportunity to have its own polygraph expert administer a test covering substantially the same questions. Thus, this Court must determine whether the Federal Rules of Evidence allow admission of this evidence at trial. See Henderson, 409 F.3d at 1301-1302. Dr. Raskin’s testimony supported all of the Daubert factors, and no evidence was presented by the United States to challenge or contradict that testimony.

    A. The expert’s theories, methods or techniques can be and have been tested.


    First, Dr. Raskin testified that there are dozens of scientific studies with regard to polygraph examinations. TR at 5:22 – 6:1; Raskin Dec. ¶¶ 12-16. In his Declaration, Dr. Raskin describes laboratory research studies and field studies that have been used to test the accuracy of polygraph examinations. Raskin Dec. ¶ 11. These studies and publications indicate that a properly performed polygraph examination has a 90% accuracy rate. TR at 6:16-20. The studies also show that the risk of a person who is lying passing the test (false negative) is less likely than a person who is telling the truth failing the test (false positive). TR at 9:15-23. An extensive study by the Department of Defense supports the accuracy and reliability of polygraph exams. TR at 11:3 - 12:6; Raskin p. 29. Accordingly, Defendant has shown that polygraphy can be and has been scientifically tested.

    B. The technique has been subject to peer review and publications.


    Polygraphs have also been the subject of numerous peer-reviewed publications. TR at 6:6-20; Raskin Dec. ¶¶ 12-16, and 21. Dr. Raskin cited numerous articles written and published in peer reviewed journals such as the Journal of Applied Psychology, the Journal of General Psychology, and the Journal of Police Science Administration. See Raskin Dec. at p. 6-10. Thus, the Court finds that polygraphy has been subjected to sufficient peer review and publication. See also Crumby, 895 F. Supp. at 1359.

    C. The known or potential rate of error of the technique when applied is acceptable.


    As previously discussed, the error rates are less than 10% based on the studies cited by Dr. Raskin. This error rate is certainly acceptable under Daubert. See id. at 1360 (citing John A. Podlesny and David C. Raskin, Effectiveness of Techniques and Physiological Measures in the Detection of Deception, Vol. 15 No. 4 Psychophysiology (1978); David C. Raskin, et al., Recent Laboratory and Field Research on Polygraph Techniques in J.C. Yuille (ed.), Credibility Assessment (1989); David C. Raskin, et al., A Study of the Validity of Polygraph Examinations in Criminal Investigation, Final Report to the National Institute of Justice).

    D. The technique has been generally accepted in the scientific community.

    Dr. Raskin testified that several “carefully constructed surveys” indicate that there is a high degree of acceptance for polygraph examinations within the scientific community. TR at 7:15 – 8:1. Moreover, all major federal law enforcement agencies use polygraphs in their investigative process and Dr. Raskin has been involved in training federal agents to conduct polygraph examinations. TR at 6:24 – 7:5, 10:1 – 11:2. Thus, the Defendant has shown that polygraphy is generally accepted in the relevant scientific community.

    E. The testimony will be helpful to the jury.

    The primary evidence in Defendant’s case will be his own testimony. The results of the polygraph examination and the expert testimony regarding that examination could help the jury make a credibility determination regarding that testimony. Accordingly, the evidence will be helpful to the jury.

    The Government expressed concern that jurors would be overly persuaded by the results of the polygraph. However, Dr. Raskin testified that studies have shown that jurors consider polygraph examination results as they would any other piece of evidence, they do not give it any extra weight and are often cautious with such evidence. TR at 8:2-15; Raskin Dec. ¶¶ 22-25. Dr. Raskin’s testimony on this issue was not challenged. Furthermore, juries are regularly presented with complex, conflicting, and persuasive evidence and trusted to weigh all evidence presented appropriately before reaching a verdict. The Court will not presume that the jury is incapable of evaluating evidence appropriately without some evidence to support that claim.

    F. The Government did not present any evidence to contradict or call into question Dr. Raskin’s testimony.

    The Government did not present any evidence or testimony at the hearing to contradict Dr. Raskin’s testimony. Instead, the government relied solely on the cross-examination of Dr. Raskin, which it aimed at calling into question the results of the polygraph examination conducted in this case. The Government attempted to show that the Defendant’s responses to the relevant questions were in fact untrue because the Defendant had previously been subject to arrest on another ship that was also carrying illegal drugs. The Government’s questioning was unconvincing, as that prior event had no relevance to the polygraph examination conducted here. It was clear that the questions asked in this particular polygraph examination were aimed at this most recent incident, and that this context was explained to the Defendant prior to the test being administered. Additionally, the Government presented no evidence of the prior incident which appears to have been an arrest only, with no conviction. There is no evidence before the Court that the Defendant had knowledge of illegal substances on the prior ship and, in fact, no evidence that such illegal substances were present.

    The Government placed significant emphasis on the holding in United States v. Scheffer, 523 U.S. 303 (1998). The Scheffer case involved a constitutional challenge to an executive order that prohibited the admission of polygraph evidence in the proceedings of courts martial. The Supreme Court held that the executive order did not violate the constitution. This holding, however, is irrelevant to the instant inquiry. Nothing in the Scheffer order has any effect on the admissibility of polygraph evidence in civilian courts. The Supreme Court did not categorically reject the admissibility of polygraph evidence but, instead, held that military defendants did not have a constitutionally protected right to admit such evidence in military courts.

    The Government then suggested that this Court should use other courts’ criticisms of polygraph evidence to discredit Dr. Raskin’s testimony. However, as noted by the Defendant, this Court does not know what kind of evidence was before the courts in those other cases. TR at 58:1-18. Here, the only evidence presented supports the admissibility of the polygraph examination under Rule 702 and Daubert. Furthermore, the case law does not uniformly support exclusion. See, e.g., United States v. Padilla, 908 F. Supp. 923 (S.D. Fla. 1995) (holding that as long as defendant only attempted to introduce evidence of her polygraph examination to corroborate or impeach a witness' testimony at trial, the polygraph was admissible. The polygraph was relevant, and its probative value was not substantially outweighed by its prejudicial effect. The test was conducted with sufficient scientific rigor to conclude that it may assist the trier of fact in determining whether defendant's confession was, in fact, induced through impermissible coercion.).

    With regard to the test administered in this case, Dr. Raskin testified that the polygraph examination conducted here by Mr. Orr was of high quality, using a “Utah Probable Lie Comparison Question Test.” TR at 15:5-25; Raskin Dec. ¶ 37. Dr. Raskin found the results reported by Mr. Orr to be correctly reported. TR at 15:25 – 16:2. Mr. Orr’s qualifications, which have not been challenged, are extensive and were primarily bestowed by the United States Government. See Doc. 67-2 at p. 3-6. Mr. Orr was an agent with the Federal Bureau of Investigation (“FBI”) where he was trained to administer polygraph examinations and then did so, on behalf of the Government, for over a decade. Id. at p. 3. In 1999 Mr. Orr graduated from the Department of Defense Polygraph Institute in Alabama. Id. In 2005 Mr. Orr transferred to Florida so that he could lead the local polygraph division for the FBI. Id. Mr. Orr held that position until his retirement in 2011, at which time he began his own business conducting polygraph examinations and providing expert testimony. Id. Mr. Orr is also an instructor at the Academy of Polygraph Science in Fort Myers, Florida. Id.

    Thus, the Court finds the polygraph evidence to be admissible at trial to either impeach or corroborate witness testimony. Further specifics regarding the admission of the polygraph evidence will be determined at the time of trial. Accordingly, it is hereby

    ORDERED that Defendant’s Motion for an Evidentiary Hearing on Admission of Polygraph Evidence (Doc. 67), construed as a motion to determine the admissibility of the polygraph evidence under Federal Rule of Evidence 702, is GRANTED. The Defendant may present the polygraph evidence, through expert testimony, to corroborate or impeach witness testimony at the trial in this matter.


    DONE AND ORDERED in Tampa, Florida on April 9, 2015.

    (Signed) Charlene Edwards Honeywell

                 United States District Judge

    Copies to:

    Counsel of Record and Unrepresented Parties, if any

  • 16 Feb 2015 2:46 PM | Anonymous member (Administrator)

    Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems - February 15, 2015

    Today the White House issued a Presidential Memorandum to promote economic competitiveness and innovation while safeguarding privacy, civil rights, and civil liberties in the domestic use of Unmanned Aircraft Systems (UAS).

    This Presidential Memorandum builds on efforts already underway to integrate UAS into the national airspace system (NAS). In December 2013, the Federal Aviation Administration authorized the testing of UAS at six sites around the country as part of its efforts to safely integrate UAS into the NAS, as required by the Federal Aviation Administration Modernization and Reform Act of 2012.

    UAS are a potentially transformative technology in diverse fields such as agriculture, law enforcement, coastal security, military training, search and rescue, first responder medical support, critical infrastructure inspection, and many others.

    The Administration is committed to promoting the responsible use of this technology, strengthening privacy safeguards and ensuring full protection of civil liberties.

    The Presidential Memorandum released today ensures that the Federal Government’s use of UAS takes into account these important concerns and in service of them, promotes better accountability and transparent use of this technology, including through the following:

    First, the Presidential Memorandum requires Federal agencies to ensure that their policies and procedures are consistent with limitations set forth in the Presidential Memorandum on the collection and use, retention, and dissemination, of information collected through UAS in the NAS.

    Second, the Presidential Memorandum requires agencies to ensure that policies are in place to prohibit the collection, use, retention, or dissemination of data in any manner that would violate the First Amendment or in any manner that would discriminate against persons based upon their ethnicity, race, gender, national origin, religion, sexual orientation, or gender identity, in violation of law.

    Third, the Presidential Memorandum includes requirements to ensure effective oversight.

    Fourth, the Presidential Memorandum includes provisions to promote transparency, including a requirement that agencies publish information within one year describing how to access their publicly available policies and procedures implementing the Presidential Memorandum.

    Fifth, recognizing that technologies evolve over time, the Presidential Memorandum requires agencies to examine their UAS policies and procedures prior to the deployment of new UAS technology, and at least every three years, to ensure that protections and policies keep pace with developments.

    Consistent with these objectives, the Presidential Memorandum additionally requires the Department of Commerce, through the National Telecommunications and Information Administration, and in consultation with other interested agencies, to initiate a multi-stakeholder engagement process within 90 days to develop a framework for privacy, accountability, and transparency issues concerning the commercial and private use of UAS in the NAS.

  • 16 Feb 2015 2:37 PM | Anonymous member (Administrator)

    White House Summit on Cybersecurity and Consumer Protection-February 13, 2015

    As a nation, the United States has become highly digitally dependent.  Our economy, national security, educational systems, and social lives have all become deeply reliant on cyberspace.  Our use of digital networks provides a platform for innovation and prosperity and a means to improve general welfare around the country and around the globe, driving unparalleled growth. But this dependency also creates risks that threaten national security, private enterprises and individual rights. It is a threat not just here in the United States, but one that everyone, everywhere who is connected to cyberspace faces.

    On February 13, the President is convening leaders from throughout the country who have a stake in bolstering cybersecurity – from industry, tech companies, and consumer and privacy advocates to law enforcement, educators, and students.  Participants will discuss opportunities to spur collaboration and develop partnerships in the cybersecurity and consumer financial worlds to share best practices, promote stronger adherence to security standards, improve cyber threat information sharing, and encourage the adoption of more secure payment technologies. 

    This Summit comes at a crucial point.  The President has been committed to strengthening our Nation’s cybersecurity since the beginning of his Administration and we have made significant progress.  Yet, cyber threats to individuals, businesses, critical infrastructure and national security have grown more diffuse, acute, and destructive. Despite improvements in network defense, cyber threats are evolving faster than the defenses that counter them. Malicious actors ranging from sophisticated nation states to common criminals to hacktivists take advantage of the anonymity, reach, and broad range of effects that cyberspace offers. Because of the interconnected nature of the Internet, no one is isolated from these threats. We are at an inflection point, both domestically and internationally, and now is the time to raise the call for greater collective action.

    Public and Private Commitments

    Cybersecurity is a shared responsibility. The Federal government has the responsibility to protect and defend the country, and we do this by taking a whole-of-government approach to countering cyber threats. This means leveraging homeland security, intelligence, law enforcement, and military authorities and capabilities, which respectively provide for domestic preparedness, criminal deterrence and investigation, and our national defense. Yet much of our nation’s critical infrastructure and a diverse array of other potential targets are not owned by the Federal government. The Federal government cannot, nor would Americans want it to, provide cybersecurity for every private network. Therefore, the private sector plays a crucial role in our overall national network defense. To that end, both the Federal government and the private sector are announcing key commitments today.

    The Cybersecurity Framework

    In 2013, the President signed an Executive Order on Critical Infrastructure Cybersecurity which resulted in the development of the Cybersecurity Framework, released on February 12, 2014.  In taking a risk management approach, the Framework recognizes that no organization can or will spend unlimited amounts on cybersecurity.  Instead, it enables a business to make decisions about how to prioritize and optimize its cybersecurity investments. The Framework also offers a flexible benchmarking tool for a wide range of organizations. For organizations that don’t know where to start, the Framework provides a roadmap. For organizations that are already sophisticated, the Framework offers a yardstick to measure against – and to use in communicating with partners and suppliers. Finally, the Framework creates a common vocabulary that can be used to effectively communicate about cyber risk management. The Framework is emerging as an important tool for technologists to communicate with organizational leaders on managing cyber risks. We have been encouraged by industry use of the Framework, and we will continue to promote its broad uptake both within the government and across the private sector.  Today, the following corporations are announcing a commitment to using the Framework.

    • Intel is releasing a paper on its use of the Framework and requiring all of its vendors to use the Framework by contract.
    • Apple is incorporating the Framework as part of the broader security protocols across its corporate networks.
    • Bank of America will announce that it is using the Framework and will also require it of its vendors.
    • U.S. Bank and Pacific Gas & Electric are announcing that they are committed to using the Framework.
    • AIG is starting to incorporate the NIST framework into how it underwrites cyber insurance for large, medium-sized, and small businesses and will use the framework to help customers identify gaps in their approach to cybersecurity.
    • QVC is announcing that it is using the Cybersecurity Framework in its risk management.
    • Walgreens is announcing its support for the Cybersecurity Framework and that it uses it as one of its tools for identifying and measuring risk.
    • Kaiser Permanente is committing to use the Framework.

    Information Sharing

    Today the President is also signing an Executive Order to encourage and promote the sharing of cybersecurity threat information within the private sector and between the private sector and Federal government. Rapid information sharing is an essential element of effective cybersecurity because it ensures that U.S. companies work together to respond to threats, rather than operating alone. This Executive Order lays out a framework for expanded information sharing designed to help companies work together with the federal government to quickly identify and protect against cyber threats.  From removing barriers, to helping to improve the delivery of timely and relevant intelligence to the private sector, to advocating for needed legislation, the President is committed to improving information sharing and collaboration with the private sector. 

    The following organizations will also be making commitments today:        

    • The Cyber Threat Alliance (including Palo Alto Networks, Symantec, Intel Security, and Fortinet) will announce that its new cyber threat sharing partnership is starting to build best practices and standards consistent with the new information sharing Executive Order.
    • The Entertainment Software Association is announcing the creation of a new information sharing and analysis organization that will be built consistent with the new information sharing Executive Order.
    • Crowdstrike is announcing that it will form an information sharing and analysis organization.
    • Box is announcing that it will participate in the standards-development process for ISAOs, and that it will explore ways to use the Box platform to enhance collaboration among ISAOs.
    • FireEye is launching its “Information Sharing Framework,” which allows FireEye customers to receive threat intelligence in near-real-time, and provides anonymized threat indicators 

    Secure Payment Technologies

    In October 2014, the President signed an Executive Order to advance consumer financial protection and launched the Buy Secure Initiative.  Today, the following organizations will announce new commitments to promote more secure payment technologies.

    • Visa is committing to tokenization (substituting credit card numbers with randomly generated tokens for each transaction) by the end of the first quarter of 2015.
    • MasterCard will invest more than $20 million in new cybersecurity tools, including the deployment of Safety Net, a new security solution that will reduce the risk of large-scale cyber attacks. 
    • Apple, Visa, MasterCard, Comerica Bank and U.S. Bank are committed to working together to make Apple Pay, a tokenized, encrypted service, available for users of federal payment cards, including DirectExpress and GSA SmartPay cards.
    • Square is working with the Small Business Administration to roll out an education program aimed at convincing small businesses to adopt more secure payment technologies.
    • The Financial Services Roundtable and the Retail Industry Leaders Association, on behalf of a partnership of 19 associations, are jointly announcing today the release of two papers to enhance collaboration in the development of technology standards and principles for the development of next generation technologies that minimize the value of payments information if it is stolen or lost.  
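    The tokenization commitment above rests on one mechanism: the card number (PAN) is replaced by a random value that carries no information about the card, and only a tightly controlled vault can map it back. The following is an added illustration of that mechanism, not Visa's or any network's implementation; the `TokenVault` class, its method names, the `tok_` prefix and the sample card number are assumptions made for this example. Issuing a fresh token on every call reflects the "for each transaction" wording, so two payments with the same card cannot be correlated by anyone holding only tokens.

```python
"""Added example of per-transaction payment tokenization (not Visa's code).

The vault is the only component that ever sees a PAN. Everything downstream
(merchant databases, logs, receipts) handles tokens or a masked form. All
names here are assumptions for illustration.
"""
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check, so malformed input is rejected before it reaches the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for receipts: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps random tokens back to card numbers.

    Tokens are 128 bits of CSPRNG output with no structure derived from the
    PAN, so a stolen token table on its own reveals nothing about the cards.
    A new token is issued on every tokenize() call (assumed per-transaction
    policy), so tokens cannot be replayed or linked across transactions.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}   # token -> PAN, vault-only data

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._by_token:   # collision is astronomically rare
                break
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault (or the processor behind it) may call this."""
        return self._by_token.get(token)

    def revoke(self, token: str) -> bool:
        """Drop the mapping once the transaction settles; returns True if found."""
        return self._by_token.pop(token, None) is not None


# Constructed sample: a syntactically valid test card number, not a real card.
SAMPLE_PAN = "4111111111111111"


def demo() -> dict:
    """Runs one charge twice and reports the properties a reviewer would check."""
    vault = TokenVault()
    first = vault.tokenize(SAMPLE_PAN)
    second = vault.tokenize(SAMPLE_PAN)
    return {
        "distinct_per_transaction": first != second,
        "vault_resolves": vault.detokenize(first) == SAMPLE_PAN,
        "receipt_shows": mask_pan(SAMPLE_PAN),
        "revoked": vault.revoke(first) and vault.detokenize(first) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is where the mapping lives: a merchant that stores only tokens has nothing to lose in a breach of its own systems, which is what the announcement means by minimizing the value of stolen payment data. A format-preserving or deterministic token (same card, same token) would make analytics easier but would let an attacker link transactions, which is why this example issues a fresh random token each time.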

    Multi-Factor Authentication

    In order to replace the password as our primary means of security online, we must have new technologies that combine greater security and convenience.  This technology moves beyond usernames and passwords to employ multiple security steps to better ensure a person is who they say they are. 

    Through the National Strategy for Trusted Identities in Cyberspace, the US Government has invested more than $50 million over the past four years to advance this market in partnership with the research and development community and technology firms.  

    The following companies are announcing new initiatives to advance multi-factor authentication:

    • Intel is releasing a new authentication technology that will not rely on a password, but will instead employ other technologies, such as biometrics.
    • American Express is announcing rollout of new multi-factor authentication technologies for their consumers.
    • MasterCard, in partnership with First Tech Credit Union, will announce that they will implement a new pilot later this year that will allow consumers to authenticate and verify their transactions using a combination of unique biometrics such as facial and voice recognition. 
    • In September of last year, CloudFlare enabled more than a million of its customers' Web sites to support Universal SSL--for free.  Now, they are taking another step to secure the Web by enabling every CloudFlare customer to support DNSSEC, the open standard for cryptographically signing DNS records so that resolvers can verify a domain's answers are authentic and unmodified, by the end of the year. 
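The section above describes multi-factor authentication as employing multiple independent steps rather than a password alone. As an added illustration, not code from any company named here (whose announcements concern biometrics), the following checks a password and a time-based one-time code (RFC 6238 TOTP, the common second factor in authenticator apps) and succeeds only when both pass. The user record, salt and password are constructed for the example; the TOTP secret and expected codes are the RFC 6238 SHA-1 test vectors.

```python
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, period: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, now // period, digits)


def verify_totp(secret: bytes, code: str, now: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or its immediate neighbours (clock drift)."""
    step = now // period
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, step + delta, digits)
        # constant-time comparison; keep looping so timing does not reveal which step matched
        ok = hmac.compare_digest(candidate, code) or ok
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for password storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record; a real system stores these in a database and the
# TOTP secret is provisioned to the user's authenticator once at enrollment.
_SALT = b"constructed-salt-value"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
    }
}


def login(username: str, password: str, code: str, now: int) -> bool:
    """Two-factor login: both the password and the one-time code must verify."""
    user = USERS.get(username)
    if user is None:
        # Burn the same work as a real check so absent users are not distinguishable by timing.
        hash_password(password, _SALT)
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    # Evaluate both before deciding so the response time does not reveal which factor failed.
    return pw_ok and otp_ok
```

A stolen password alone fails `login`, and so does a one-time code replayed outside the drift window, which is the property the section is after: compromise of a single factor does not grant access.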

    Credit Score Transparency – A number of leaders in the financial services industry will be making credit scores more readily available to all Americans, improving consumers’ awareness of credit health, and providing them a tool to identify major shifts in their credit score – a key first sign of identity theft.

    • In partnership with FICO, Nationstar will join the growing list of firms making credit scores available for free to their customers by the end of the year.

    Call for Legislative Action

    The government and private sector have made significant commitments to advance cybersecurity and consumer protection.   While we applaud Congress for successfully passing several pieces of important cybersecurity legislation last year, we still need Congress to pass key cybersecurity legislation.  To support that call for action, last month the President sent our updated cybersecurity legislative proposal to Congress. 

    Enabling Cybersecurity Information Sharing: The Administration’s updated proposal promotes better cybersecurity information sharing between the private sector and government and enhances collaboration and information sharing amongst the private sector.  Specifically, the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs), by providing targeted liability protection for companies that share information.

    The legislation also encourages the formation of private-sector led Information Sharing and Analysis Organizations.  The Administration’s proposal safeguards Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared to qualify for liability protection.  The proposal further requires the Department of Homeland Security and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government’s sharing of cyber threat indicators.  Finally, the Administration intends this proposal to complement and not to limit existing effective relationships between government and the private sector.  These existing relationships between law enforcement and other federal agencies are critical to the cybersecurity mission.

    Modernizing Law Enforcement Authorities to Combat Cyber Crime: Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime.  The Administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets, criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, expand federal law enforcement authority to deter the sale of spyware used to stalk or commit identity theft, and give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.  It also reaffirms important components of the Administration’s 2011 cyber legislative proposals to update the Racketeer Influenced and Corrupt Organizations Act (RICO), a key law used to prosecute organized crime, so that it applies to cybercrimes, clarifies penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes.  Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.

    National Data Breach Reporting: State laws have helped consumers protect themselves against identity theft while also encouraging business to improve cybersecurity.  These laws require businesses that have suffered an intrusion to notify consumers if consumers’ personal information has been compromised.  The Administration’s updated proposal helps businesses and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and by putting in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.

    Moving Forward

    The Cybersecurity Summit marks a milestone in our Nation’s efforts to strengthen its cyber defenses.  It provides an opportunity to discuss what we have accomplished to date and to highlight immediate commitments that the Federal government and the private sector are making to improve the security of cyberspace.   However, in cybersecurity, we can never rest on past achievements.  Therefore, even as we and the private sector make good on these commitments, we need to keep moving forward.   We will continue to focus on strengthening the defenses of our critical infrastructure and government networks, improving our ability to disrupt, respond to, recover from, and mitigate malicious cyber activity, enhance our international cooperation, and shape the future of cyberspace to be inherently more secure.  And we look forward to doing this in close collaboration with our private sector partners.
