CHHS Partners With Cyberwire on “Caveat,” A New Cyber Law and Policy Podcast

For the past several years, CHHS has collaborated with the CyberWire podcast as an academic research partner. The CyberWire daily podcast is hosted by the Maryland-based CyberWire news service, which delivers real-time cybersecurity news updates to a global audience. CHHS Public Policy & External Affairs Program Director Ben Yelin has been a frequent guest on the daily podcast, discussing news items related to cybersecurity law and policy. CHHS Cybersecurity Program Director Markus Rauschecker has contributed as a guest as well.

As public interest in cybersecurity law and policy has intensified, CHHS and the CyberWire have partnered on a new podcast, Caveat. Yelin co-hosts the podcast with CyberWire daily podcast host Dave Bittner. The podcast’s first episode was released on October 23rd, 2019. Episodes will be released every Wednesday.

The CyberWire issued a press release announcing the new podcast:

This latest addition to the CyberWire’s popular lineup of programs is hosted by Dave Bittner and Ben Yelin, the Program Director for Public Policy and External Affairs at the University of Maryland’s Center for Health and Homeland Security. Each week, Dave and Ben break down important current legal cases, policy battles, and regulatory matters along with the news headlines that matter most. It’s not just a podcast for lawyers and policymakers; security professionals, businesses, and anyone concerned about privacy and security in the digital age will find the discussions accessible, relevant, and thought provoking.

“Laws and policies haven’t kept pace as people’s personal and business lives have become increasingly and inextricably enmeshed in the rapidly evolving technologies that connect our world, drive commerce, and have become central tools of government and law enforcement,” said Peter Kilpe, the CyberWire’s Executive Editor. “With the addition of ‘Caveat’ to our lineup, we’re excited to have a more in-depth forum to discuss these critically important matters and make them accessible to a wider audience.”

CHHS is always interested in collaborating with public and private sector partners to share its subject-matter expertise, and discuss issues relevant to our work. We are particularly pleased that Caveat gives us an opportunity to reach a larger global audience through a 21st Century media platform.

Hurricane Dorian and Cybersecurity

By CHHS Extern Alexander Batton

On August 28th, 2019, a tropical storm strengthened into Hurricane Dorian off the coast of St. Thomas. The storm eventually elevated to a category 5 and tore through the northern Caribbean islands with 200 mph winds and 25-foot floodwaters. Destroying much of the land in its path, Hurricane Dorian left at least 50 people dead, with hundreds of people still missing. The United States experienced the worst destruction in Cape Hatteras, North Carolina. There, towns and islands were flooded, leaving people waiting for help in their attics.

Altogether, the storm is said to have left up to $8.5 billion in damage and therefore will require donations to cover the costs of reconstruction. In anticipation of the charitable efforts, the Department of Justice released a statement warning individuals to be vigilant with their money and to avoid cyber scammers who target Hurricane Dorian disaster victims. The agency says “[u]sers should exercise caution in handling any email with a hurricane related subject line, attachment, or hyperlink. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.”

The National Center for Disaster Fraud explains these links often collect login information, infect machines with malware, and swindle victims for money. Similarly, the FCC issued warnings about fraudsters looking to sell fake flood insurance and disaster relief charity scams.

In recent efforts to solicit funds in the wake of Hurricane Dorian, people have been posing as news anchors or even seemingly legitimate charities. One ABC Action News Meteorologist, Denis Philips, made a statement on his official Facebook page that someone had been posing as him online to trick members of social media sites into sending money through digital apps. The fake accounts claim that all funds would be directed to a Bahamas Hurricane Relief Site. Furthermore, FEMA warns of other scams that include fraudulent house inspections, building contractors, and fake state aid.

Unfortunately, these fraudulent efforts come as no surprise. During Hurricane Katrina, the FBI discovered nearly 4,600 websites advertising relief to victims, most of which were suspected to be fraudulent. To address similar scams after Hurricane Katrina, the Justice Department established the National Center for Disaster Fraud. Currently, the FTC advises everyone to report discovered scams to ftc.gov/complaint.

If you would like to donate to a relief fund, there are many verification tools available, including Charity Navigator, Charity Watch, GuideStar, and the Better Business Bureau’s Wise Giving Alliance. Art Taylor of the Wise Giving Alliance adds, “[d]onors should watch out for newly-created organizations that emerge that are inexperienced in addressing disasters or may be seeking to deceive donors at a vulnerable time.” In the aftermath of Hurricane Dorian, people are more vulnerable than ever to cyber scams and phishing attacks. Internet users need to be careful of their online activity and take the appropriate steps to avoid an attack.

Prof. Greenberger Speaks with CSPAN’s Washington Journal On Disaster Response Efforts

CHHS Founder and Director Michael Greenberger spoke with CSPAN’s Washington Journal on the disaster response efforts to Hurricane Dorian.

Check out the full segment here. 

CDC Issues a Warning for Vape Users

On August 30, 2019, the Centers for Disease Control and Prevention (CDC) issued an official Health Advisory for users of e-cigarette products. Patients from several states have experienced respiratory symptoms such as cough, shortness of breath, or chest pain. The symptoms appeared in e-cigarette users a few days to several weeks after the use of the e-cigarette. In a couple of states, many of the patients reported a recent inhalation of cannabinoid products (no single substance or e-cigarette product has yet consistently been associated with illness). The CDC has issued recommendations for clinicians, public health officials, and for the public, urging the latter to refrain from purchasing any products “off the street”, or from modifying the product as supplied by manufacturers in any way. The CDC also recommends that “…[r]egardless of the ongoing investigation, e-cigarette products should not be used by youth, young adults, pregnant women, as well as adults who do not currently use tobacco products.”

Since June, at least 215 cases in over 25 states have been reported. Many of these individuals have been hospitalized. The first death related to e-cigarettes was reported on Friday, August 23, 2019. As e-cigarette usage becomes more popular, we need to ensure that we are monitoring the situation and are bringing awareness to as many public health officials as possible. Clinicians and Public Health Officials must ensure that they are generally aware of how e-cigarettes work, and the dangers that they may pose. At a time when our nation is already struggling with a response to the rise of fentanyl-related opioid overdoses, we cannot afford to let another public health crisis swell out of control.

Maryland Gov. Larry Hogan joins coalition focused on flooding, sea level rise

The Republican governor says Maryland is particularly vulnerable to flooding, because it has 7,000 miles (11,265 kilometers) of shoreline. Maryland’s Ellicott City has suffered two major floods less than two years apart. Maryland’s capital city of Annapolis experiences tidal flooding at least 40 days out of the year. The coalition is a nonpartisan group of cities, elected officials, military leaders, businesses and civic groups. It is focusing on national solutions to address higher seas, stronger storms and more frequent flooding.

https://www.baltimoresun.com/politics/bs-md-pol-governor-larry-hogan-sea-level-rise-20190827-7y6tj5idxjhptdmbj7n2sffkpe-story.html

CHHS Assists Howard County Department of Fire and Rescue Services Line of Duty Death Investigation

Last week, the Howard County Department of Fire and Rescue Services (HCDFRS) released an Internal Safety Review Board report regarding the Line of Duty Death of Lieutenant Nathan Flynn. CHHS is honored to have worked closely with the Internal Safety Review Board throughout its eleven-month investigation, providing project management and writing support. Senior Law & Policy Analyst Maggie Davis worked closely with the ISRB throughout the writing and revision process, providing on-site project management support, and was assisted by former Senior Law & Policy Analyst Jonathan Lim and Research Assistant Kyle Clevenger. Additionally, Public Safety Technology & Communications Director Christopher Webster was part of the Peer Review committee during the revision process. The report provided both analysis of the factors contributing to Lieutenant Flynn’s untimely death as well as a safety review of the entire department. CHHS commends the ISRB for their professionalism and exemplary work ethic throughout the difficult process.

An Update on the Measles Outbreak in Maryland

Hassan Sheikh is a Law & Policy Analyst for CHHS, and works full-time assisting the Baltimore City Department of Public Health. 

Measles can present in a patient anywhere between 10 and 14 days after initial exposure to the virus. Symptoms can include fever, dry cough, runny nose, sore throat, inflamed eyes, or a skin rash. Although cases have become rare due to vaccination efforts (with the United States averaging about 60 cases of measles a year from 2000 to 2010), the CDC has reported 555 individual cases of measles between January 1st and April 11, 2019, in over 20 different states.

Measles outbreaks, defined as 3 or more cases, are currently ongoing in New York State (Rockland County), New York City, Washington, New Jersey, California (Butte County), and Michigan. The majority of individuals who developed measles were unvaccinated.

Measles is highly contagious, and can be found in the air after an infected patient coughs or sneezes. The virus can remain contagious on surfaces for up to 2 hours; an individual can spread measles from 4 days before to 4 days after the signature rash develops. Any person who is in close contact with someone who has measles should be notified of the exposure, determine if they are susceptible to getting the disease, and receive treatment if necessary. A vaccination given within 72 hours of measles exposure may provide some protection from developing measles in some cases.

Measles can be prevented with a measles vaccine. Two doses of the vaccine are recommended for children, starting at 12 to 15 months of age. In Maryland, all school children in Kindergarten through Grade 12 must be vaccinated. Women should not get the vaccine if they are pregnant, or plan to get pregnant within 4 weeks after getting the vaccine. For more information regarding the vaccine, please click here.

If you suspect you may be in contact with someone who has developed measles, please contact your doctor or local health department immediately to be tested. The Baltimore Sun reports that anyone who has visited the following locations at these times may have been exposed:

  • 4000 Old Court Rd in Pikesville on Sunday, April 14 from 10:30 a.m. to 1:30 p.m.
  • Market Maven (1630 Reisterstown Road, Pikesville) on Sunday, April 14 from 11:45 a.m. to 2:30 p.m.
  • Seven Mile Market (201 Reisterstown Road, Pikesville) on Sunday, April 14 from 12:45 p.m. to 3:15 p.m.

There have been two clinics in Baltimore wherein the measles vaccine was administered without cost to concerned individuals. There is no current word on whether there will be another clinic. Additional information regarding measles, including instructions on what to do if you think you may have been exposed, can be found here.

Sign-Up to Volunteer for Prince George’s County Emergency Preparedness Exercise on July 19th, 2019

On July 19th, 2019, the Prince George’s County Emergency Preparedness Program and Partners will facilitate a Full Scale Exercise to practice mass medication dispensing capabilities. We are currently seeking volunteers to serve as clients to walk through a point of dispensing (POD) at Largo High School. Volunteers will be needed from 9:00 am until 12:00 pm. Please sign up below:

Securing a Final Four

By CHHS Extern Alec Prechtel

The NCAA Men’s Basketball Tournament concluded Monday night, in host city Minneapolis, with a thrilling overtime victory by the University of Virginia. Lost in the bright lights and confetti of Virginia’s victory, however, were the immense security measures taken by the city of Minneapolis and event partners to ensure that the Final Four went off without a hitch. While events of this magnitude can bring tremendous publicity and economic windfall to the host cities, there is an incredible number of security measures that need to be taken to prepare for a party of this size.

The Final Four drew a massive number of people to downtown Minneapolis. 72,711 fans attended Saturday’s Final Four games alone, which notably does not include those without tickets who came downtown to participate in the festivities. For a city of only 422,000 people, a remarkable amount of coordination and planning is required to handle this influx in population. Security planning for a Final Four often spans longer than a year and across many state and private entities. Thirty different law enforcement agencies worked together to ensure the safety of the event. This year, law enforcement emphasized having a large presence of uniformed officers to make attendees feel safe.

Security for an event of this magnitude can be expensive too, with an estimated cost of $1.3 million for the Final Four security enhancements. Minneapolis is no stranger to hosting large events, as the city recently hosted Super Bowl LII. However, there are fewer federal resources made available for hosting the Final Four. In order to help fill this gap, planners relied on a large number of volunteers, security cameras, and partnerships with private security firms. Law enforcement also relied on coordination with local bars and restaurants, and on attendees themselves, who were encouraged to speak up if they noticed anything suspicious.

Changes were made this year to attempt to provide a more fan-friendly atmosphere for the Final Four as compared to the Super Bowl. The National Guard presence, as well as some of the other increased security measures needed to host a Super Bowl, made some notice the distinct “military feel” during the Super Bowl festivities. An event like the Final Four typically receives a Level III SEAR (Special Events Assessment Rating), which is a lower level rating than a Super Bowl, but a step up from a regular season professional sporting event. Still, the FBI had an estimated fifty to sixty local special agents, analysts, and support staff responsible for the Final Four.

While the level of security may have been lower than a Super Bowl, authorities still made sure to have a robust law enforcement presence and to make public safety a top priority. Fortunately, this preparation allowed the Final Four to go on without any major public safety issues. The weekend was considered to be a large success, with Minneapolis receiving a lot of praise for the event.

NSA Considers Allowing Controversial Phone Surveillance Program Exposed by Snowden to Expire

by CHHS Extern Jiah Park

In 2013, Edward Snowden, a former Central Intelligence Agency (CIA) employee and former employee of Booz Allen Hamilton, a National Security Agency (NSA) contractor, leaked information regarding the United States (U.S.) government’s surveillance practices, which were used on both its own citizens and foreign individuals. Through different programs, the NSA collected both content and metadata of private communications. Notable programs include PRISM, governed by Section 702 of the Foreign Intelligence Surveillance Act (FISA), and the telephone records program, conducted pursuant to Section 215 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act.

Under PRISM, the government can obtain a FISA order from a Foreign Intelligence Surveillance Court (FISC), requiring an Internet services provider to disclose the contents of communications of a foreign individual. However, FISA orders are not search warrants under the Fourth Amendment, which require probable cause, and do not require a showing of probable cause that the target of the surveillance committed a crime. In fact, there is no requirement that the government have a reasonable suspicion that the target is involved with terrorist activities. Rather, the government must establish only that “a significant purpose of the acquisition is to obtain foreign intelligence information.”

Although PRISM “has not been as controversial [] in the U.S., because it does not target Americans, . . . some content from Americans’ communication gets caught in the dragnet.” The program collects private communications of Americans “incidentally” when Americans communicate with foreign targets. Furthermore, according to Section 702 of FISA, FISA orders may be authorized to “target[ ] persons reasonably believed to be located outside the United States.”

Despite outcry from privacy advocates, PRISM, which was set to expire, was renewed in January 2018.

Another controversial surveillance method is the phone records program, in which the NSA collects metadata in bulk from telecommunications companies. Metadata includes information such as when you made the call, whom you called, the duration of the call, and all the same information if you received a call.

Although seemingly less invasive than disclosing the contents of a call, metadata can be just as useful to the government, if not more so. While “content generally requires labor-intensive human analysis to become meaningful to the intelligence agencies,” metadata can be analyzed by a computer, “easily provid[ing] a complete [profile] of all your personal associations and interests,” says Shayana Kadidal from the Center for Constitutional Rights. This profile can be so detailed that it can be more informative than the content of the communication itself. Additionally, this metadata is collected in bulk, meaning that, in the program’s original form, which was authorized by the USA PATRIOT Act, phone companies had to disclose all logs they collected about all customers. However, in 2015, Congress passed the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection, and Online Monitoring (FREEDOM) Act, which renewed many portions of the USA PATRIOT Act that were set to expire, but with limits concerning bulk collection, due to backlash from the Snowden leaks. Under the FREEDOM Act, phone companies no longer have to automatically provide the government with all of their records. Instead, phone companies retain their records, and the NSA may request access to the records from a FISC under a “reasonable articulable suspicion” standard.

The Freedom Act has decreased the number of records collected, but the NSA still collects hundreds of millions of records per year—151 million call records in 2016 related to 42 terrorism suspects, and 534 million call records in 2017 related to 40 suspects.

Although PRISM is still in effect, portions of the USA PATRIOT Act that authorize metadata collection are set to expire in December 2019, and the NSA is considering allowing its expiration because the program lacks operational value, according to people familiar with the matter.

Furthermore, technical issues may have resulted in the unauthorized collection of information, forcing officials to “purge hundreds of millions of call and text logs [from the agency’s database that] it got from phone companies . . . .”

According to a podcast segment with Luke Murray, a national-security adviser for Republican congressional leadership, the program has not been used in six months and the NSA may not seek renewal of the portions of the USA PATRIOT Act that authorize it. Lack of use of the program and lack of interest in preventing its expiration seriously undermine the NSA’s previous claims that metadata collection is vital to national security.

However, deliberations are still in the early and informal stages, and earnest debate is not expected to begin until the fall. Furthermore, any final decision about whether to end the program would be made by the White House. Nevertheless, there are a multitude of reasons that support nonrenewal.

In 2014, the Privacy and Civil Liberties Oversight Board (PCLOB) released a report regarding the phone records program. In its report, the PCLOB recommended that the government end the program, in part due to the fact that the program has not contributed in a demonstrable way to the effort to safeguard the nation from terrorism. Out of fifty-four counterterrorism events in the summer of 2013, only twelve incidents involved the use of the 215 program. The PCLOB found that the program primarily provides value to the NSA in two ways, both of which relate to information already known by law enforcement. Furthermore, the PCLOB could not identify “a single instance involving a threat to the United States in which the telephone records program made a concrete difference in the outcome of a counterterrorism investigation.”

In any case, in instances in which phone records may be necessary to an investigation, there are alternative methods by which the government may gain access to the records, such as court orders, subpoenas, and national security letters (“NSL”), authorized by the Electronic Communications Privacy Act (“ECPA”). In addition, technological changes and advancements have also made the program less useful since its introduction, such as the major shift from landline to cellular technology.

Finally, the program has serious implications for people’s privacy and civil liberties. As mentioned above, metadata has the ability to “reveal intimate details about a person’s life, particularly when aggregated with other information and subjected to sophisticated computer analysis.” Permitting the government to collect such data “fundamentally shifts the balance of power between the state and its citizens.”