US President Calls for Federal 30-day Breach Notice

Today the US moved closer to a federal consumer data breach notification requirement (healthcare has had a federal requirement since 2009 — see Eisenhower v Riverside for why healthcare is different from consumer).

PC World says a presentation to the Federal Trade Commission sets the stage for a Personal Data Notification & Protection Act (PDNPA).

U.S. President Barack Obama is expected to call Monday for new federal legislation requiring hacked private companies to report quickly the compromise of consumer data.

Every state in America has had a different approach to breach deadlines, typically led by California (starting in 2003 with SB1386 consumer breach notification), and more recently led by healthcare. This seems like an approach that has given the Feds time to reflect on what is working before they propose a single standard.

In 2008 California moved to a more aggressive 5-day notification requirement for healthcare breaches after a crackdown on UCLA executive management missteps in the infamous Farah Fawcett breaches (under Gov Schwarzenegger).

California this month (AB1755, effective January 2015, approved by the Governor September 2014) relaxed its healthcare breach rules from 5 to 15 days after reviewing 5 years of pushback on interpretations and fines.

For example, in April 2010, the CDPH issued a notice assessing the maximum $250,000 penalty against a hospital for failure to timely report a breach incident involving the theft of a laptop on January 11, 2010. The hospital had reported the incident to the CDPH on February 19, 2010, and notified affected patients on February 26, 2010. According to the CDPH, the hospital had “confirmed” the breach on February 1, 2010, when it completed its forensic analysis of the information on the laptop, and was therefore required to report the incident to affected patients and the CDPH no later than February 8, 2010—five (5) business days after “detecting” the breach. Thus, by reporting the incident on February 19, 2010, the hospital had failed to report the incident for eleven (11) days following the five (5) business day deadline. However, the hospital disputed the $250,000 penalty and later executed a settlement agreement with the CDPH under which it agreed to pay a total of $1,100 for failure to timely report the incident to the CDPH and affected patients. Although neither the CDPH nor the hospital commented on the settlement agreement, the CDPH reportedly acknowledged that the original $250,000 penalty was an error discovered during the appeal process, and that the correct calculation of the penalty amount should have been $100 per day multiplied by the number of days the hospital failed to report the incident to the CDPH for a total of $1,100.

It is obvious that too long a timeline hurts consumers. Too short a timeline has been shown to force mistakes, with covered entities rushing to conclusions and then sinking time into recovering unjust fines and repairing their reputation.

Another risk with too-short timelines (and a complaint you will hear from investigation companies) is that early notification undermines quiet investigations (e.g. criminals will erase their tracks). This is a valid criticism; however, it does not clearly outweigh the benefits of early notification to victims.

First, a law-enforcement delay caveat is meant to address this concern. AB1755 allows a report to be submitted 15 days after the end of a law-enforcement imposed delay period, similar to caveats found in prior requirements to assist important investigations.
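To make the deadline arithmetic concrete (the CDPH five-business-day calculation above, the 15-day AB1755 clock that restarts after a law-enforcement delay, and the other deadlines this post mentions), here is an added Python example. It is not code from the original post or from any regulator; the rule table and sample dates are constructed from the figures in the text, and the rule labels are descriptive names, not statutory citations.

```python
from datetime import datetime, timedelta

# Constructed rule table, using only the deadlines mentioned in the post.
# "business_days" counts Mon-Fri only; "hours" is a wall-clock deadline.
RULES = {
    "CA healthcare, 2008 rule":   {"days": 5, "business_days": True},
    "CA healthcare, AB1755":      {"days": 15},
    "Proposed federal PDNPA":     {"days": 30},
    "Singapore":                  {"hours": 48},
}


def add_business_days(start, n):
    """Advance `start` by n business days (weekends skipped; holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 .. Friday=4
            n -= 1
    return d


def notification_deadline(detected, rule, le_delay_end=None):
    """Return the date by which notice is due under `rule`.

    `detected` is when the entity confirmed the breach. If law enforcement
    imposed a delay, `le_delay_end` is when that delay ended, and the clock
    starts there instead (the AB1755 caveat described in the post).
    """
    clock_start = le_delay_end if le_delay_end else detected
    if "hours" in rule:
        return clock_start + timedelta(hours=rule["hours"])
    if rule.get("business_days"):
        return add_business_days(clock_start, rule["days"])
    return clock_start + timedelta(days=rule["days"])


def late_penalty(deadline, reported, per_day):
    """Penalty at `per_day` for each calendar day the report ran past the deadline."""
    days_late = max((reported - deadline).days, 0)
    return days_late, days_late * per_day


def cdph_example():
    """Reproduce the CDPH figures quoted in the post: confirmed Feb 1 2010,
    reported Feb 19 2010, five business days to notify, $100 per day late."""
    confirmed = datetime(2010, 2, 1)
    reported = datetime(2010, 2, 19)
    due = notification_deadline(confirmed, RULES["CA healthcare, 2008 rule"])
    days_late, penalty = late_penalty(due, reported, per_day=100)
    return due, days_late, penalty


if __name__ == "__main__":
    due, days_late, penalty = cdph_example()
    print(f"CDPH example: due {due.date()}, {days_late} days late, ${penalty}")
    detected = datetime(2010, 2, 1, 9, 0)
    for name, rule in RULES.items():
        print(f"{name:28s} -> {notification_deadline(detected, rule)}")
    # Same breach, but law enforcement held notification until March 1.
    held = notification_deadline(detected, RULES["CA healthcare, AB1755"],
                                 le_delay_end=datetime(2010, 3, 1))
    print(f"AB1755 after LE delay        -> {held}")
```

Running it reproduces the CDPH numbers (due February 8, eleven days late, $1,100) and shows how the same confirmation date lands on very different due dates across the rules, which is the practical problem the post describes for anyone tracking more than one jurisdiction.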

Second, we have not seen huge improvements in attribution/accuracy after extended investigation time, mostly because politics start to settle in. I am reminded of when Walmart in 2009 admitted to a 2005 breach. Apparently they used the time to prove they did not have to report credit card theft.

Third, consider the value relative to the objective of protecting data from breach. Take the 30-day Mandiant 2012 report for the South Carolina Department of Revenue. It ultimately was unable to figure out who attacked (although it still hinted at China), and it is doubtful any more time would have resolved that question. The AP has reported Mandiant charged $500K or higher, and it also is doubtful many will find such high costs justified. Compare that investigation rate with the cost of improving victim protection:

Last month, officials said the Department of Revenue completed installing the new multi-password system, which cost about $12,000, and began the process of encrypting all sensitive data, a process that could take 90 days.

I submit to you that a reasonably short and focused investigation time saves money and protects consumers early. Delay for private investigation brings little benefit to those impacted. Fundamentally, who attacked tends to be less important than how a breach happened, and determining how takes a lot less time to investigate. As an investigator I always want to get to the who, yet I recognize this is not in the best interest of those suffering. So we see diminishing value in waiting and increased value in notification. Best to apply fast pressure, and 30 days seems reasonable enough to allow investigations to reach conclusive and beneficial results.

Internationally Singapore has the shortest deadline I know of with just 48-hours. If anyone thinks keeping track of all the US state requirements has been confusing, working globally gets really interesting.

Update, Jan 13:

Brian Krebs blogs his concerns about the announcement:

Leaving aside the weighty question of federal preemption, I’d like to see a discussion here and elsewhere about a requirement which mandates that companies disclose how they got breached. Naturally, we wouldn’t expect companies to disclose publicly the specific technologies they’re using in a public breach document. Additionally, forensics firms called in to investigate aren’t always able to precisely pinpoint the cause or source of the breach.

First, federal preemption of state laws sounds worse than it probably is. Covered entities of course want more local control at first, to weigh in heavily on politicians and set the rule. Yet look at how AB1755 in California unfolded. The medical lobby tried to get the notification moved from 5 days to 60 days and ended up on 15. A Federal 30 day rule, even where preemptive, isn’t completely out of the blue.

Second, disclosure of “how” a breach happened is a separate issue. The payment industry is the most advanced in this area of regulation; they have a council that releases detailed methods privately in bulletins. The FBI also has private methods to notify entities of what to change. Even so, generic bulletins are often sufficient to be actionable. That is why I mentioned the South Carolina report earlier. Here you can see useful details are public despite their applicability:

Mandiant Breach Report on SCDR

Obama also today is expected to make a case in front of the NCCIC for better collaboration between private and government sectors (Press Release). This will be the forum for this separate issue. It reminds me of the 1980s debate about control of the Internet led by Rep Glickman and decided by President Reagan. The outcome was a new NIST and the awful CFAA. Let’s see if we can do better this time.

Letters From the Whitehouse:

The (Secret) History of the Banana Split

Executive summary: The popular dessert called “banana split” is a by-product or modern representation of America’s imperialist expansion and corporate-led brutal subjugation of freedoms in foreign nations during the early 1900s.

Inexpensive exotic treat drugstore ad
Long form: If there is a quintessential American dessert it is the banana split.

But why?

Although we can go way back to credit Persians and Arabs with invention of ice-cream (nice try China) the idea of putting lots of scoops of the stuff on top of a split banana “vessel” covered in sweet fruits and syrups… surely that over-extravagance derives from American culture.

After reading many food history pages and mulling their facts a bit I realized something important was out of place.

There had to be more to this story than just Americans having abundance and desire (all their fixings smashed together) and one day someone putting everything into one dessert.

Again why exactly in America? And perhaps more importantly, when?

I found myself digging around for history details and eventually ended up with this kind of official explanation.

In 1904 in Latrobe, the first documented Banana Split was created by apprentice pharmacist David Strickler — sold here at the former Tassell Pharmacy. Bananas became widely available to Americans in the late 1800s. Strickler capitalized on this by cutting them lengthwise and serving them with ice cream. He is also credited with designing a boat-shaped glass dish for his treat. Served worldwide, the banana split has become a prevalent American dessert.

The phrase that catches my eye, almost lost among the other boring details, is that someone with an ingredient “widely available…capitalized”; capitalism appears to be the key to unlock this history.

And did someone say boat?

Immigration and Trade

Starting with the ice cream, attribution goes first to Italian immigrants who brought spumoni to America around the 1870s.

This three flavor ice-cream often was in colors of their home country’s flag (cherry, pistachio, and either chocolate or vanilla ice creams…red, green, and, sometimes, white). Once in America this Italian tradition of a three flavor treat was taken and adapted to local tastes: chocolate, strawberry and vanilla. Ice-cream became far more common and widely available by the 1880s so experimentation was inevitable as competition boomed. It obviously was a very popular food by the 1904 St. Louis World’s Fair, which famously popularized eating out of Italian waffle “cones”.

In parallel, new trade developments emerged. Before the 1880s there were few bananas found in America. America bought around $250K of bananas in 1871. Only thirty years later the imports had jumped an amazing 2,460% to $6.4m and were in danger of becoming too common on their own.

Bananas being both easily sourced and yet still exotic made them ideal for experiments with ice-cream. The dramatic change in trade and availability was the result of a corporate conglomerate formed in 1899 called the United Fruit Company. I’ll explain more about them in a bit.

At this point what we’re talking about is just Persian/Arab ice-cream modified and brought by Italian immigrants to America, then modified and dropped onto a newly available North American (Central, if you must) banana of capitalism, on a boat-shaped dish to represent far-away origins.

Serving up these fixings as the novel banana split makes a lot of sense when you put yourself in the shoes of someone working in a soda/pharmacy business of 1904 trying to increase business by offering some kind of novel or trendy treat.

Bananas and Pineapples Were an Exotic New Thing to Americans

Imagine you’re in a drug-store and supposed to be offering something “special” to draw in customers. People could go to any drugstore, what can you dazzle them with?

You pull out this newly available banana fruit, add the three most-popular flavors (not completely unfamiliar, but a lot all at one time) and then dump all the sauces you’ve got on top. You now charge double the price of any other dessert. Would you add pineapple on top? Of course!

The pineapple had just arrived fresh off the boat in a new promotion by the Dole corporation:

In 1899 James Dole arrived in Hawaii with $1000 in his pocket, a Harvard degree in business and horticulture and a love of farming. He began by growing pineapples. After harvesting the world’s sweetest, juiciest pineapples, he started shipping them back to mainland USA.

I have mentioned before on this blog how the US annexed Hawaii by sending in the Marines. Food historians rarely bother to talk about this side of the equation, so indulge me for a moment. Interesting timing of the pineapple, no? I sense a need for a story about the Dole family to be told.

The Dole Family

The arrival of James Dole to Hawaii in 1899, and a resulting sudden widespread availability of pineapples in drugstores for banana splits, is a dark chapter in American politics.

James was following the lead of his cousin Sanford Ballard Dole, who had been born in Hawaii in 1844 to Protestant missionaries and nursed by native Hawaiians after his mother died at childbirth. Sanford was open about his hatred of the local government and had vowed to remove and replace them with American immigrants, people who would help his newly-arrived cousin James viciously protect their accumulation of family wealth.

James Dole pictured grabbing a pineapple: “I swear I just was examining this large juicy warm fruit for quality”

1890 American Protectionism and Hawaiian Independence

To understand the shift Dole precipitated and participated in, back up from 1899 to the US Republican Congress in 1890 approving the McKinley Tariff. This raised the cost of imports to America 40-50%, striking fear into Americans trying to profit in Hawaii by exporting goods. Although that Tariff left an exception for sugar it still explicitly removed Hawaii’s “favored status” and rewarded domestic production.

Within two years after the Tariff sugar exports from Hawaii had dropped a massive 40% and threw the economy into shock. Plantations run by white American businessmen quickly cooked up ideas to reinstate profits; their favored plan was to remove Hawaii’s independence and deny sovereignty to its people.

At the same time these businessmen were cooking up plans to violently end Hawaiian independence, Queen Lili`uokalani ascended to the throne and indicated she would reduce foreign interference on the country by drafting a new constitution.

These two sides were on a collision course for disaster in 1892 despite the US government shifting dramatically towards Democratic control (leading straight to the 1894 repeal of the McKinley Tariff). The real damage of the Republican platform was Dole could falsely use his own party’s position as a shameless excuse to call himself a victim needing intervention. As Hawaii’s new ruler hinted more national control was needed the foreign businessmen in Hawaii begged America for annexation to violently cement their profitability and remove self-rule.

It was in this context that in early 1893 a loyalist policeman accidentally noticed large amounts of ammunition being delivered to businessmen planning a coup, so he was shot and killed. The pretext of armed “uprising” was used to force the Queen to abdicate power to a government inserted by the sugar barons, led by Sanford Dole. US Marines stormed the island to ensure protecting the interests of elitist foreign businessmen exporting sugar to America, despite only recently operating under a government that wanted a reduction of imports. Sanford’s pro-annexation government, ushered in by shrewd political games and US military might, now was firmly in place as he had vowed.

The Hawaiian nation’s fate seemed sealed already, yet it remained uncertain through the “Panic of 1893” and the depression of the 1890s. By 1896 a newly elected US President (Republican McKinley) openly opposed on principle any imperialism and annexation. He even spoke of support for the Queen of Hawaii. However, congressional (Republican) pressure mounted in opposition to him, and through 1897 the President seemed less likely to fight the annexation lobby.

Finally, as war with Spain unfolded in 1898, Hawaii was labeled as strategically important and definitively lost its independence due to the American military. Ironically, it would seem, as the US went to war with Spain on the premise of ending increasingly brutal suppression of the Cuban independence movement since 1895.

Few Americans I speak with realize that their government basically sent military forces to annex Hawaii based on protection of profits by American missionaries and plantation owners delivering sugar to the US, and then sealed the annexation as convenient for war (even though annexation officially completed after Dewey had defeated the Spanish in Manila Bay and war was ending).

The infamous Blount (arguably a partial voice in these matters, yet also more impartial than the pro-annexation Morgan who has been used improperly to criticize Blount) documented evidence like this:

Total Control Over Fruit Sources

Ok, segue complete, remember how President Sanford’s cousin James arrived in Hawaii in 1899 ready to start shipments of cheap pineapples? His arrival and success was a function of that annexation of the independent state; creation of a pro-American puppet government lured James to facilitate business and military interests.

This is why drugstores in 1904 suddenly found ready access to pineapple to dump on their bananas with ice cream. And speaking of bananas, their story is quite similar. The United Fruit Company I mentioned at the start quickly was able to establish US control over plantations in many countries:

Exports of the UFC “Great White Fleet”

  • Colombia
  • Costa Rica
  • Cuba
  • Jamaica
  • Nicaragua
  • Panama
  • Santo Domingo
  • Guatemala

Nearly half of Guatemala fell under control of the US conglomerate corporation, apparently, and yet no taxes had to be paid; telephone communications as well as railways, ports and ships all were owned by United Fruit Company. The massive level of US control initially was portrayed as an investment and benefit to locals, although hindsight has revealed another explanation.

“As for repressive regimes, they were United Fruit’s best friends, with coups d’état among its specialties,” Chapman writes. “United Fruit had possibly launched more exercises in ‘regime change’ on the banana’s behalf than had even been carried out in the name of oil.” […] “Guatemala was chosen as the site for the company’s earliest development activities,” a former United Fruit executive once explained, “because at the time we entered Central America, Guatemala’s government was the region’s weakest, most corrupt and most pliable.”

Thus the term “banana republic” was born to describe those countries under the thumb of “Great White” businessmen.

The “Great White” map of UFC power over foreign countries

And while saying “banana republic” was meant by white businessmen intentionally to be pejorative and negative, it gladly was adopted in the 1980s by a couple Americans. Their business model was to travel the world and blatantly “observe” clothing designs in other countries to resell as a “discovery” to their customers back home. Success at appropriation of ideas led to the big brand stores selling inexpensive clothes that most people know today, found in most malls. The irony of saying “banana republic” surely has been lost on everyone, just like “banana split” isn’t thought of as a horrible reminder of injustices.

Popularity of “banana republic” labels and branding, let alone a dessert, just proves how little anyone remembers or cares about the cruel history behind these products and terms.

Nonetheless, you know now the secret behind widespread availability of inexpensive ingredients that made this famous and iconic American dessert possible and popular.

Linguistics as a Tool for Cyber Attack Attribution

Update August 2020: Latest research can be found in a new blog post called Cultural Spectrum of Trust.


My mother and I from 2006 to 2010 presented a linguistic analysis of the Advanced Fee Fraud (419 Scam).

One of the key findings we revealed (also explained in other blog posts and our 2006 paper) is that intelligence does not prevent someone from being vulnerable to simple linguistic attacks. In other words, highly successful and intelligent analysts have a predictable blind-spot that leads them to mistakes in attribution.

The title of the talk was usually “There’s No Patch for Social Engineering” because I focused on helping users avoid being lured into phishing scams and fraud. We had very little press attention and in retrospect instead of raising awareness in talks and papers alone (peer review model) we perhaps should have open-sourced a linguistic engine for detecting fraud. I suppose it depends on how we measure impact.

Despite lack of journalist interest, we received a lot of positive feedback from attendees: investigators, researchers and analysts. That felt like success. After presenting at the High-Tech Crimes Investigation Association (HTCIA) for example I had several ex-law enforcement and intelligence officers thank me profusely for explaining in detail and with data how intelligence can actually make someone more prone to misattribution, to fall victim to bias-laced attacks. They suggested we go inside agencies to train staff behind closed doors.

In other words, since long before the Sony breach news started breaking I have tried to raise the importance of linguistic analysis for attribution, as I tweeted here.

I’m told my sense of humor doesn’t translate well under the constraints of Twitter.

Recently the significance of our work has taken a new turn; a spike in interest on my blog post from 2012 is happening right now, coupled with news about linguistics being used to analyze Sony attack attribution. Ironically the news is by a “journalist” at the NYT who blocked me on Twitter.

I’m told by friends she blocked me after I used a Modified Tweet (MT) to parody her headline.

Allegedly she didn’t find my play on words amusing, but a block seems kind of extreme for that MT if you ask me.

And then at the start of the Sony breach story breaking on December 8, I tweeted a slide from our 2010 presentation.

Also recently I tweeted

good analysis causes anti-herding behavior: “separates social biases introduced by prior ratings from true value”

Tweets unfortunately are disjointed and get far less audience than my blog posts so perhaps it is time to return to this topic here instead? I thus am posting the full presentation again:

Download: RSAC_SF_2010_HT1-106_Ottenheimer.pdf

Look forward to discussing this topic further, as it definitely needs more attention in the information security community. Kudos to Jeffrey Carr for pursuing the topic and invitation to participate in crowds that have been rushing into the Sony breach analysis fray with linguistics.

Updated to add: Perhaps it also would be appropriate here to mention my mother’s book called The Anthropology of Language: An Introduction to Linguistic Anthropology.

Ottenheimer’s authoritative yet approachable introduction to the field’s methodology, skills, techniques, tools, and applications emphasizes the kinds of questions that anthropologists ask about language and the kinds of questions that intrigue students. The text brings together the key areas of linguistic anthropology, addressing issues of power, race, gender, and class throughout. Further stressing the everyday relevance of the text material, Ottenheimer includes “In the Field” vignettes that draw you in to the chapter material via stories culled from her own and others’ experiences, as well as “Doing Linguistic Anthropology” and “Cross-Language Miscommunication” features that describe real-life applications of text concepts.

Big Data Security in 1918: How Far Off Is That German Gun?

Recently I wrote here about the ill-fated American operation “IGLOOWHITE” from the Vietnam War that cost billions of dollars to try and use information gathering from many small sensors to locate enemies.

It’s in fact an old pursuit as you can see from this news image of the Japanese Emperor inspecting his big 1936 investment in anti-aircraft data collection technology.

Even earlier, Popular Science this month in 1918 published a story called “How Far Off Is That German Gun? How sixty-three German guns were located by sound waves alone in a single day.”

How Far Off Is That German Gun? How 63 German guns were located by sound waves alone in a single day, Popular Science monthly, December 1918, page 39

Somewhere in-between the Vietnam War and WWI narratives, we should expect the Defense Department to soon start exhibiting how they are using the latest location technology (artificial intelligence) to hit enemy targets.

The velocity of information between a sensor picking signs of enemy movement and the counter-attack machinery…is the stuff of constant research probably as old as war itself.

Popular Mechanics for its share also ran a cover story with acoustic locator devices, such as a pre-radar contraption that was highlighted as the future way to find airplanes.

The cover style looks to be from the 1940s although I have only found the image so far, not the exact text.

That odd-looking floral arrangement meant for war was known as a Perrin acoustic locator (named for French Nobel prizewinner Jean-Baptiste Perrin) and it used four large clusters of 36 small hexagonal horns (six groups of six).

Such a complicated setup might have seemed like an improvement to some. Here are German soldiers in 1917 using a single personal field acoustic and sight locator to enhance the “flash bang” of enemy artillery, just for comparison.

Source: “Weird War One” by Peter Taylor, published by Imperial War Museum

Obviously use of many small sensors gave way to the common big dish design we see everywhere today. Igloo White perhaps could be seen as a Perrin data locator of its day?

They are a perfect example of how simply multiplying/increasing the number of small sensors into a single processing unit is not necessarily the right approach versus designing a very large sensor fit for purpose.


Update September 2020: “AI-Accelerated Attack: Army Destroys Enemy Tank Targets in Seconds”

…”need for speed” in the context of the well known Processing, Exploitation and Dissemination (PED) process which gathers information, distills and organizes it before sending carefully determined data to decision makers. The entire process, long underway for processing things like drone video feeds for years, has now been condensed into a matter of seconds, in part due to AI platforms like FIRESTORM. Advanced algorithms can, for instance, autonomously sort through and observe hours of live video feeds, identify moments of potential significance to human controllers and properly send or transmit the often time-sensitive information.

“In the early days we were doing PED away from the front lines, now it’s happening at the tactical edge. Now we need writers to change the algorithms,” Flynn explained.

“Three years ago it was books and think tanks talking about AI. We did it today,” said Army Secretary Ryan McCarthy.

Three years ago? Not sure why he uses that time frame. FIRESTORM promises to be an interesting new twist on IGLOOWHITE from around 50 years ago, and we would be wise to heed the “fire, ready, aim” severe mistakes made.