Dear ERAI Members and Colleagues,

Retired General Keith Alexander, who served as Director of the National Security Agency and Commander of the United States Cyber Command, referred to cyber crime as the "greatest transfer of wealth in human history". The anonymity provided by cyberspace and the sheer number of connected people and devices ensure that cyber crime will remain an area of growth for criminal networks and of risk for individuals, businesses and governments.

Since 2004, October has been identified as National Cyber Security Awareness Month. This annual campaign, initiated by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS), aims to raise awareness and increase the resiliency of our nation, its citizens and businesses. It seems an appropriate time to highlight the critical role each of us plays in protecting information and networks from cyber threats and managing risk throughout the electronics supply chain.

This quarter's issue will highlight the U.S. Government's attempts to standardize cyber security protocols throughout their supply chain; how vetting your suppliers is not just a best-practice, but is now a cyber security requirement for defense contractors; and a case study of the challenges faced by organizations trying to protect themselves using cyber crime insurance.

Additionally, in this issue of INSIGHT, we’re tackling DFARS updates, changes to widely-used industry standards and updates on criminal convictions.

We hope you enjoy this issue of INSIGHT. Feel free to share your thoughts, comments and suggestions with me at anne@erai.com.

Anne-Liese Heinichen

Supply Chain Security: Are Suppliers Effectively Managing Their Information System Risk?

By: Stan Stahl, Ph.D.

As part of its strategy to reduce private sector supply-chain risk, the U.S. National Counterintelligence and Security Center (NCSC) recently announced a new assistance program. As initially rolled out, the program will provide classified supply chain threat intelligence to critical U.S. telecommunications, energy and financial businesses.

Accompanying the announcement, the Center released Know the Risk. Raise Your Shield. The video by Bill Evanina, Director of the NCSC, provides a short overview of supply chain risk: what it is and key steps for managing it.

The Center’s announcement offers a good opportunity to take a high level look at supply chain risk, particularly the risk to the supply chain caused by risk to the information system.

Take Stuxnet, for example. Less than 1 Megabyte in size, Stuxnet infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant, and is reported to have considerably slowed down Iranian work on a nuclear weapon. Stuxnet’s payload was programmed to speed spinning centrifuges so fast they would break apart while sending control information back to the human operators that speeds were normal.

And how did Stuxnet find its way into Iran’s uranium-enrichment plant? The plant’s IT network supposedly was air-gapped, not connected to any other IT network, which made it impossible to compromise from the Internet. It was humans who introduced Stuxnet into the network, probably by plugging Stuxnet-infected USB drives into their computers, and probably without realizing that there was anything malicious about those drives. And were it not for an error in the Stuxnet code that allowed it to ‘escape’ beyond its intended target, Stuxnet might still be causing havoc to the Iranian centrifuges.

Stuxnet illustrates how a breach of information systems can have devastating consequences on the supply chain. Once an adversary successfully gets access to a device on the network, it’s only a matter of time until the adversary takes control of a critical device used to control the manufacture of an electronic component. With this control, the adversary can change the run-time manufacturing program to any of his choosing. The adversary could, for example, program the component to perform like VW’s diesel engines, giving different results under test than when off the test-bed. The device would go on to be embedded in its subsystem with no indication that its performance had been altered, making it, in effect, a counterfeit part.

In the Center’s video, Evanina properly points out that the foundation of managing supply chain risk is the due diligence with which suppliers are managed. As examples, he suggests that questions like the following be asked of suppliers:
  1. Who are their strategic partners and subcontractors?
  2. Are they associated with organizations that are competitive or adversarial with the United States?
  3. How do they manage their own supply chain risks?
  4. Who are they purchasing parts and services from?
These are the kinds of questions that need to be asked to help ensure that a supplier isn’t purposefully introducing counterfeit parts into the supply chain.

To gain confidence that a supplier isn’t unknowingly introducing counterfeit parts into the supply chain, these questions need to be augmented with questions about the supplier’s information security management practices.
  1. How does the supplier manage information security? Who is the Information Security Manager? To whom does she/he report? What subject matter expertise is she/he supported with? How do Executive Management and the Board provide information security governance?
  2. How does the supplier ‘codify’ information security management? Are formal risk-driven information security policies and standards used to manage information security? What frameworks are used to ensure adequacy of policies and standards? Do policies and standards cover all five functional elements in the NIST Cybersecurity Framework?
  3. How does the supplier identify, document and control sensitive information?
  4. How are personnel trained and educated? How is leadership evolving the culture to be more information-sensitive?
  5. How does the supplier ensure its suppliers and other vendors are properly managing information security?
  6. How does the supplier manage the security of its IT infrastructure? How is it secured? What standards are in place to configure devices? How are end-point devices protected? What vulnerability and patch management program is in place? How else is security maintained? What tools are in place to detect a breach? How is access controlled? What about remote access and administrative access? How is input/output secured? How is encryption managed? What standards are in place for secure software development? How is security of IT vendors and cloud services vetted? And, perhaps, most importantly, how do they manage security of the web of devices that control the shop floor?
  7. How prepared for disruption is the supplier? Are effective Incident Response and Business Continuity Plans in place?
And while you’re asking these questions of your suppliers, ask them also of yourself. How effectively are you managing the security of your own information systems? After all, you too could be targeted by an attacker.

The NCSC’s new assistance program is a consequence of the increasing risk that cyber threats pose to the integrity of our supply chain. As the threat increases, we all have to redouble our efforts to protect the supply chain — including paying due diligence to how effectively our suppliers are managing information systems risk.

About Dr. Stan Stahl:

Dr. Stan Stahl is President of Citadel Information Group, an information security management services firm delivering Information Peace of Mind ® to business and the not-for-profit community. Stan is also President of Secure The Village, a non-profit providing executives the knowledge and relationships they need to meet today’s cyber crime, cyber privacy and information security challenges.

Stan serves on the California Cybersecurity Task Force; the Board of Advisors of CyberCalifornia; the Industry Advisory Board of the Information Technology Program at the Viterbi School of Engineering at USC; the Advisory Board of UCLA Extension’s Emergency Management & Homeland Security and Enterprise Risk Management Programs; and the Board of Directors of the Content Delivery & Security Association.

A pioneer in the field of information security, Stan began his career securing teleconferencing at the White House, databases inside Cheyenne Mountain and the communications network controlling our nuclear weapons arsenal. Stan received his Ph.D. degree from The University of Michigan. A frequent speaker on cyber security, Stan is regularly quoted in the media on cybercrime, cyber privacy and information security.

Citadel Information Group: https://citadel-information.com/
Secure the Village: https://securethevillage.org/

To contact Stan:
Stan on LinkedIn: http://www.linkedin.com/pub/stan-stahl-phd/0/455/105
Stan on Twitter: @stanstahl

US Enhances Cyber Security Requirements for Government Contractors

By Anne-Liese Heinichen, ERAI

In 2015, the US Government faced its largest breach of data when the Office of Personnel Management (OPM) was hacked resulting in the release of up to 21.5 million stolen records and the subsequent resignation of Katherine Archuleta, the director of the Personnel Agency. Hackers have since targeted the FBI, DHS, IRS and NASA where a group named “Anonsec” alleges to have obtained personal information from 2,400 employees, 2,100 flight logs and claims they attempted to crash an Air Force Global Hawk drone into the Pacific Ocean. In 2012, Keith Alexander, the director of the NSA and commander of the U.S. Cyber Command, estimated that U.S. companies lose approximately $114 billion annually due to cyber crime; a figure which escalates to $338 billion when considering the costs of down time faced by corporations due to cyber crime1. These attempts and intrusions illustrate how foreign governments, defense and intelligence services, rival corporations, criminal organizations and terrorist groups can have a profound effect on government agencies and private organizations.

The U.S. Government’s response began in 2010 with Executive Order 13556, Controlled Unclassified Information. This order recognized the inconsistencies and inefficiencies in safeguarding controlled unclassified information (CUI) across government departments and agencies, and established that the CUI Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program2. On February 12, 2013, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework of standards and best practices for protecting CUI.

In addition to standardizing protections across federal entities, the US Government recognized the need for requirements for information relating to supply chain risk under Section 806 of the National Defense Authorization Act for Fiscal Year 2011. In November of 2013, the Department of Defense (DoD) published DFARS amendments to safeguard unclassified information within contractor systems and required reporting to the DoD of cyber intrusion events affecting unclassified information residing on contractor systems.

Further requirements were outlined in DFARS § 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, on November 18, 2013 (revised August 2015 and subsequently December 2015), which direct contractors to flow-down cyber defense requirements to their subcontractors and their recognizable supply chain. The DFARS clauses require contractors to provide adequate security systems per NIST Special Publication 800-171 by December 31, 2017 or alternate but equally effective measures; analyze and report cyber incidents to the DoD; preserve and protect media of affected systems; provide cyber incident damage assessment information; and, “include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve a covered contractor information system, including subcontracts for commercial items, without alteration, except to identify the parties; and (2) When this clause is included in a subcontract, require subcontractors to rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil and the prime Contractor.”3

NARA, along with the NIST, developed NIST Special Publication 800-171 to specifically address the protection of CUI in non-federal, contractor systems in June of 2015. More recently, on August 16, 2016, draft revisions to SP 800-171 were released. Consisting of 109 basic and derived security requirements in 14 families, the intent of 800-171 is to provide a standardized set of requirements for the protection of CUI and to enable contractors to comply using systems and practices that are already in place. While contractors must adhere to the requirements, implementation details are not specified in the document. Additionally, contractors must notify the DoD within 30 days of any requirements not met at the time that a contract is awarded. As previously stated, defense contractors have until December 31, 2017 to comply with SP 800-171 requirements.

It should be noted that there is currently no certification, accreditation system or auditing body to ensure companies are meeting SP 800-171 requirements, so there may be companies who claim to adhere to the requirements but may not have adequate measures in place to comply with those requirements. Additionally, with an estimated 10,000 contractors in the defense supply chain, it is the responsibility of the prime contractors to ensure flow-down requirements are being met throughout their supply base, which may include smaller organizations with budgetary restrictions for whom the security restrictions may be cost-prohibitive.

In 2017, NARA’s intent is to sponsor a single FAR clause that will apply the requirements contained in SP 800-171 and the federal CUI regulation to contractors to further promote standardization for organizations attempting to meet the current range of contract clauses.4

1. Rogin, Josh. "NSA Chief: Cybercrime Constitutes the ‘Greatest Transfer of Wealth in History’." Foreign Policy. 9 July 2012. http://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-wealth-in-history.

2. Draft NIST Special Publication 800-171, Revision 1, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. http://csrc.nist.gov/publications/drafts/800-171r1/sp800_171r1_draft_markup.pdf

3. DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

4. Draft NIST Special Publication 800-171, Revision 1, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. http://csrc.nist.gov/publications/drafts/800-171r1/sp800_171r1_draft_markup.pdf

NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Fourteen families consisting of 109 security requirements are outlined to protect the confidentiality of controlled unclassified information (CUI):

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

NIST SP800-171 in the News

BNA INSIGHTS: NIST Proposes Requirements for System Security Plans

NIST Issues Revisions to Special Publication 800-171

A Federal Response to Cyber/Physical Threats

Protecting the Defense Industrial Base from Cyber-Attack

At Long Last: The Final Rule on Safeguarding of Contractor Information Systems

Cyber Crime Victim Sues Insurance Provider for Denying $480,000.00 Claim

Kristal Snider, ERAI

AFGlobal Corporation, a Texas-based AS9100 certified manufacturer servicing the aerospace market, is battling its insurance company in a Texas district court to get back $480,000.00 lost to a cyber scam dubbed “Business Email Compromise” by the Federal Bureau of Investigation (FBI).

On May 21, 2014 the Director of Accounting at AFGlobal received an email appearing to originate directly from the company’s CEO instructing payment totaling $480,000.00 be wired immediately to the Agricultural Bank of China (aka AgBank). The employee was advised the transaction was a sensitive “confidential financial operation” relating to an “acquisition” and should “take priority over other tasks.” The e-mail also indicated the employee would receive a phone call from an attorney by the name of Steven Shapiro with KPMG (an organization specializing in audit, tax and advisory services in 155 countries). The call was received, additional instructions were provided and the funds were subsequently released.

On May 27, 2014, “Mr. Shapiro” advised the employee the first payment had been received and requested an additional payment totaling $18 million be wired. The employee became suspicious and alerted his immediate supervisor and the officers of the company at which time it was discovered the company had been the target of an elaborate scheme. A claim was filed with AFGlobal’s insurance provider after attempts to recall the $480,000.00 wire were unsuccessful. The cyber crooks had emptied and closed the bank account shortly after the funds were deposited. The claim was denied by Federal Insurance Company, a division of Chubb Group, on the basis that email fraud does not meet the definition of “computer fraud” covered by AFGlobal’s policy.

The insurance company has argued that the fraudulent email did not directly cause the company's loss; rather, it was the employee’s actions that caused the loss. The insurer also claimed that the email was not an intrusive attack because it did not cause any loss or changes to the company's computer system and, although fraudulent, the email could have been received by anyone within the company.

A copy of the denial of coverage letter issued by Federal Insurance Company to AF Global Corporation is provided at the end of this article.

AFGlobal has filed a lawsuit against Federal Insurance and is seeking damages and attorney fees, claiming breach of contract and “bad faith insurance practices.” This case is before the U.S. District Court for the Southern District of Texas and is scheduled to be called to trial on or about June 26, 2017.

Questions to Ask a Prospective Cyber Insurance Provider

According to an article published by Broadsuite Media Group, if you are thinking about or have invested in Cyber Insurance here are the top ten questions you should ask your provider1:
  1. What types of incidents are covered?
  2. Are there any types of incidents that are specifically excluded from coverage?
  3. What regions/territories are you covered in and any final considerations?
  4. What is the timeframe in which you must report a breach in order to benefit from your policy?
  5. After reporting a cyber-attack, how quickly does the provider respond?
  6. Is the provider knowledgeable about your industry?
  7. What is the cost?
  8. If a breach occurs, how does that affect your premium?
  9. How flexible is the provider in terms of modifying coverage to meet evolving threats?
  10. Does the provider require you to comply with any specific compliance or audit obligations?
We are learning there are subtle nuances and specific limitations that could leave policy holders holding the bag after becoming a cybercrime statistic. Review your policy with your legal counsel to ensure you have conducted a thorough risk assessment.

1. 10 Questions to Ask a Prospective Cyber Insurance Provider - http://converge.xyz/10-questions-to-ask-a-prospective-cyber-insurance-provider/

Cyber Crime, Your Bank Accounts, and Your Insurance

Kristal Snider, ERAI

Nearly half of all business owners carry some form of cyber insurance but small businesses lag behind, largely because they don’t see themselves as vulnerable to an attack when, in fact, they are viewed by cybercriminals as the lowest hanging fruit. Rightfully so considering a startling 47% of small to midsize companies have not made cybersecurity a priority.

While government agencies, financial institutions, and the healthcare sector are becoming increasingly regulated, smaller, unregulated companies have emerged as an “ideal target” and a potential backdoor entrance to larger companies. According to a report released by BakerHostetler, 37% of the cyber breaches they investigated were directly related to employee negligence despite evidence that employee training can reduce the risk of a cyber related incident by 45 to 70 percent.

According to Howard Miller, Director of the Tech Secure® Division of LBW Insurance, the global cyber threat landscape can be broken down into two key areas:

1.) The cybercriminal is stealing from you. This is typically done by opening a malicious attachment, link, or website resulting in harmful code infecting your network. Banking credentials or banking Trojan software can then be used to steal money out of your account or fraudulent or altered instructions directed at the bank, purporting to be from you, result in funds being fraudulently transferred.

2.) You unwittingly transfer money to the cybercriminal. This type of cybercrime has been dubbed Business Email Compromise (BEC), CEO fraud or social engineering. According to the FBI, these sophisticated scams, targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments, are increasing exponentially. This deception causes the business to transfer money to the cybercriminal under various tricks of confidence. In other words, the victim is sending money to what they believe to be a legitimate entity, but then find out that it’s a criminal purporting to be a legitimate entity or individual.

Don’t Become a Cybercrime Statistic

A recent example of a business giving money to cybercriminals was reported by ERAI on September 16, 2016. A buyer located in the Czech Republic placed numerous purchase orders with a supplier in Hong Kong for goods totaling $43,152.72. Despite the fact payment was not received by the supplier within 10 days of delivery as agreed, alarm bells were not set off because the two organizations had enjoyed a successful business relationship since 2014 and both had been engaged in the purchase and sale of electronic components since the mid-90s. Unbeknownst to either party, the cybercriminals were intercepting and reviewing email communications while patiently waiting for just the right time to intervene.

The buyer never noticed when the last two characters of the supplier’s email changed from “hk” to “tk” and did not question instructions for payments to be made to two new bank accounts. It wasn’t until the supplier began requesting payment for the now delinquent invoices that the fraud was exposed. The buyer had paid all of the invoices, within the agreed upon payment terms, to bank accounts belonging to cybercriminals that have since been closed. The thieves were long gone.

The buyer argues they paid for the goods and they should not be forced to pay for them a second time and feels strongly the supplier should be held responsible since they continued to ship product despite not receiving payment as agreed.

The supplier, out the goods and the money, argues the buyer should have called to verify the change in wire instructions before sending funds to a third party account that did not even bear their company’s name.
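The domain swap in the case above (a supplier address ending in “hk” replaced by one ending in “tk”) is exactly the kind of change a mail-handling check can catch before a payment is released. The script below is an added example, not code from ERAI or any party in the case: it compares the sender domain of each incoming message against a constructed allow-list of known supplier domains and flags any domain that is a near-miss (edit distance of two or less) rather than an exact match. The domain names and message headers in it are invented for the example.

```python
"""Flag sender addresses whose domain is a near-miss of a known supplier domain.

Added example for lookalike-domain detection in Business Email Compromise (BEC).
All domains and messages below are constructed for illustration.
"""

# Constructed allow-list: domains of suppliers the buyer has an established
# relationship with. In practice this would be maintained alongside the
# vendor master file, together with each supplier's bank details.
KNOWN_SUPPLIER_DOMAINS = frozenset({"example-components.hk", "parts-example.com"})

# Constructed inbox sample: (subject, From header). The second message
# mirrors the case in the article: same mailbox name, top-level domain
# changed from .hk to .tk, and a request to use new bank details.
SAMPLE_MESSAGES = [
    ("RE: PO 4471 invoice", "Sales <sales@example-components.hk>"),
    ("RE: PO 4471 updated bank details", "Sales <sales@example-components.tk>"),
    ("Monthly newsletter", "Marketing <news@unrelated-vendor.net>"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings.

    One substitution ('h' -> 't') separates the genuine and fraudulent domains
    in the case above, so a distance of 1 is the signature of a TLD swap.
    """
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header such as 'Name <user@host>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str,
                    known: frozenset = KNOWN_SUPPLIER_DOMAINS,
                    max_distance: int = 2) -> dict:
    """Return 'known' for an exact match, 'lookalike' for a near-miss of a
    known supplier domain, and 'unknown' for anything else."""
    domain = sender_domain(from_header)
    if domain in known:
        return {"domain": domain, "verdict": "known", "closest": domain, "distance": 0}
    closest = min(known, key=lambda k: levenshtein(domain, k))
    dist = levenshtein(domain, closest)
    verdict = "lookalike" if dist <= max_distance else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": dist}


def flag_lookalikes(messages=SAMPLE_MESSAGES) -> list:
    """Scan (subject, From) pairs and return only the lookalike hits,
    each annotated with the subject so a reviewer can see what was asked."""
    hits = []
    for subject, from_header in messages:
        result = classify_sender(from_header)
        if result["verdict"] == "lookalike":
            hits.append({"subject": subject, **result})
    return hits


if __name__ == "__main__":
    for hit in flag_lookalikes():
        print(f"HOLD: '{hit['subject']}' from {hit['domain']} "
              f"looks like known supplier {hit['closest']} (distance {hit['distance']})")
```

A hit from this check is a reason to hold the payment and verify by a phone call to a number already on file, never to a number in the suspicious email. The check is one layer only: it does not catch a genuine supplier mailbox that has itself been compromised, which is why a change to wire instructions should always be confirmed out of band regardless of which domain the request came from.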

I’ve asked James Melendres (JM), Partner and Co-Chair of the Cybersecurity, Data Protection, and Privacy practice of Snell & Wilmer, Howard Miller (HM), Director of the Tech Secure® Division of LBW Insurance and Petra Stuhmeier Griffith (PG), SVP Director of Product Development for Grandpoint Bank, to weigh in on a few of the more commonly asked questions posed by victims of these types of scams and to offer recommendations and solutions business owners can deploy to reduce these risks.

KS: James, both the buyer and the supplier were victimized, so who is right, who is wrong and who is ultimately liable? Is the Buyer obligated to pay the supplier even though they already wired payment in full to the cyber thieves?

JM: That’s a good question and not one that is easy to answer. Unless it has been specifically spelled out in contract terms, purchase orders, or invoices, liability for losses resulting from BEC fraud will likely only be determined through protracted litigation. These cases typically involve arguments about the applicability of broader contractual clauses and theories of tort liability. Because this is such a new risk, there is very little case law litigants and judges can draw upon, which causes uncertainty and unpredictability for both suppliers and buyers who find themselves victimized by sophisticated cybercriminals.

KS: Is determining liability contingent upon whose email server was compromised or is responsibility going to rest primarily with the sender of the funds?

JM: Again, and unfortunately, there is no straightforward answer. There is likely liability on the part of both the buyer and the supplier. The party whose email server was compromised may be liable to the extent that it did not implement cybersecurity best practices, such as regular network penetration testing, multi-factor authentication and verification, limitations on administrative access, and network segmentation, especially if it is determined that these failures resulted in the network intrusion that allowed the cybercriminal to modify the email address. Liability based on this type of poor cyber hygiene will be heightened if the contract required these practices. On the other hand, the sender of funds may also face liability for failing to confirm the change in wire instructions. The fact that the cybercriminal’s attack may generate a civil lawsuit between two victims only adds insult to injury.

KS: In the case cited above, the buyer is in the Czech Republic, the supplier is in Hong Kong and the cybercriminal’s bank account was in Malaysia creating a multi-jurisdictional quagmire. What legal remedies do American business owners have if they find themselves victims of this scam knowing the other parties will most likely be outside of the U.S.?

JM: As long as there is a jurisdictional nexus to the United States, American business owners will always be able to file a lawsuit against the cybercriminal. However, the reality is that serving process on a foreign hacker, much less enforcing a judgement, is extremely difficult as a practical matter. On the criminal justice side, although the Department of Justice and Federal Bureau of Investigation regularly investigate and charge cybercriminals located overseas, extraditing those individuals to the United States remains a significant challenge and can take years to accomplish.

KS: Are there any terms or conditions organizations should include in their purchase order or invoice that would help reinforce the responsibility of one party over the other in the event of a loss such as this?

JM: Certainly. As I’ve alluded to in my previous answers, a lack of clearly defined contractual terms will likely result in litigation between the buyer and supplier following a BEC attack. By contrast, if parties agree to terms about cybersecurity standards as well as standard business terms, like verifying any change in wire instruction, liability will be more clearly defined in the aftermath of this type of crime. Companies can further reduce their risk of falling subject to a BEC attack by updating their information security policies and instituting regular employee training that highlights these types of risks.

KS: What about the bank? Does the financial institution have any liability or responsibility?

JM: In general, the answer is no, although every case is different and should be analyzed by legal counsel. In the circumstance described above, the bank simply executed a wire transfer order that the buyer voluntarily provided, so it is unlikely to be held liable.

PG: Always check with legal counsel and your financial institution regarding this subject. But for Business Email Compromise fraud cases, the financial institution is typically not liable.

In the US, wire transfers are governed by Uniform Commercial Code. Banks typically have agreements with customers to implement security procedures to protect against fraud, such as wire passwords, dual control and secondary authentication/verification. As long as the bank can prove that its security procedures are commercially reasonable in providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure, the liability will fall on the customer.

With Business Email Compromise, the customer believes it is sending the payment to a legitimate entity and initiates and approves the payment transfer. Even if the bank were to flag the payment and call the client to confirm that they wanted to submit the payment, the client would likely confirm the payment because they don’t suspect that there’s anything wrong. In most cases, the bank has held up its end of the agreement and is not liable.

Some people believe that the FDIC insurance may be liable or cover some of these losses, but FDIC insurance only protects accounts if your insured banking institution fails. FDIC deposit insurance also does not protect accounts from fraud or theft online (or otherwise).

KS: Given this information and assuming the financial institution has the proper security measures in place, it sounds like businesses should prepare to take responsibility for their own losses.

PG: That’s the exact point. For Business Email Compromise, it is the failure of the business customer’s security and not the bank’s security. Banks are heavily regulated and have really beefed up their security infrastructure in recent years due to regulatory pressures. Small to medium sized companies are much easier targets than banks, so cyber criminals are now targeting these businesses instead of the banks directly.

KS: Howard, now that we know the bank is likely not liable for the loss, who is ultimately responsible for filing an insurance claim?

HM: Coverage for loss due to deception is focused on an act committed by a person falsely purporting to be a vendor, client, or employee of the business customer which results in the transfer, payment, or delivery of money and not other property such as inventory. There is no obligation to file a claim but companies with appropriate insurance could have a financial backstop where many others would have to incur the total loss.

KS: So let’s assume a U.S. supplier ships product to an international customer and that the customer wires payment(s) to a cybercriminal instead of the supplier. The customer has no cyber insurance and they are not willing or are not financially able to pay for the goods a second time. The supplier is out the money they are owed and their inventory. Is there an insurance solution that would protect a supplier in this situation?

HM: A safe answer would be no but there is an area outside of this article for accounts receivable insurance.

KS: From an insurance claims standpoint, what’s the proper protocol for responding to this type of loss?

HM: From an insurance claims standpoint, these are the guidelines I recommend:
  1. Notify the financial institution. They have relationships with law enforcement that can assist in getting funds back if possible.
  2. Notify your insurance provider as there may be time reporting requirements.
  3. If the loss involves a violation of law, you must notify local law enforcement authorities and file an Internet Crime Complaint (see www.ic3.gov for more details).
  4. Keep all pertinent documents and records which can verify the amount of any loss. Cooperate in the investigation and settlement of any claim.
KS: I wrote another article for this edition of INSIGHT titled, “Cyber Crime Victim Sues Insurance Provider for Denying $480,000.00 Claim” where I talked about a Texas manufacturer by the name of AFGlobal that is suing its cyber insurance provider for refusing to cover a BEC claim similar to the one I just shared. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but the insurer is arguing that email fraud does not meet the definition of “computer fraud” covered by AFGlobal’s policy. Isn’t the whole point of cyber insurance to protect against this type of fraudulent activity?

HM: Cyber liability policies are good insurance policies but deserve a separate article. They are focused on confidential data or network operations affected by a virus, hack or denial of service attack and can be very limited in their coverage for the monetary losses described here. Under a standard commercial crime insurance policy, this type of loss may not be covered as theft, even though the result is the same: loss of money due to a cybercriminal. Insurance is a puzzle and it’s about putting together the right pieces. There is a difference between buying an insurance policy and knowing what’s not covered. I find that when I act as a consultant for my clients it also allows me to customize their insurance based on risk analysis.

Why AFGlobal’s policy did not respond goes back to my comments about the business transferring money to the criminal voluntarily. In the latter part of 2014, the insurance industry responded to this risk. This year, between the FBI Phoenix division’s April 2016 report on BEC and its June report, the number of worldwide victims increased by about 25% and exposed damages were up about 34%, from $2.3 billion to $3.1 billion. An individual physical bank robbery usually nets under $10,000. An average business email compromise can be around $130,000. Many criminals are overseas, insulated from direct physical threat, which makes it difficult for US law enforcement to prosecute them. It was clear to me that as losses continue to increase, neither the financial institutions nor the customers can shoulder the entire cost of cybercrime.

KS: I expect more businesses like AFGlobal are going to find out the hard way about the gaps that exist in their cyber insurance policies that could leave them completely exposed to scams like BEC. If these types of scenarios aren’t covered in a cyber security policy, what can business owners do to protect themselves?

HM: In early 2015 I started working in partnership with Grandpoint Bank to develop a group insurance product for business banking customers to provide affordable and targeted protection against cybercrime. The bank had started seeing its customers fall victim to Business Email Compromise scams and, while they were able to recover most of the losses, they wanted to provide their customers a way to protect themselves from these kinds of losses. The idea was to fill the gap that most insureds may not realize even exists in their current insurance program. The result was an insurance policy that can enhance a company’s existing insurance or fill the gap. It’s offered at a price point that most businesses can justify while protecting one of their most valuable assets, their bank accounts. It is designed to cover fraudulent transfers as well as cyber deception.

The Client Cyber Crime Insurance policy is available exclusively to business clients of Grandpoint Bank and its divisions, Bank of Tucson, Regents Bank and The Biltmore Bank of Arizona, through Grandpoint Insurance Services, in partnership with LBW Insurance & Financial Services, Inc.

KS: Petra, why offer this program to your customers?

PG: Educating and alerting our clients, and the broader business community, about established and emerging cybercrime trends is a commitment we’re passionate about. We’ve been working for over a year to create a more powerful solution to help clients protect their financial assets against attacks by cyber criminals. The policy focuses on the kinds of coverage that directly address the key fraud risks that businesses face – losses to their bank accounts through cybercrime. Cybercrime is a major concern for businesses, especially since they are typically liable if cyber criminals steal funds from their business accounts. They often don’t have the appropriate insurance in place and are finding it more difficult to protect themselves in this ever-evolving, increasingly sophisticated cybercrime environment.

KS: What does the coverage cost?

PG: Any business that has a deposit account at Grandpoint Bank or its divisions is automatically eligible to enroll in the policy and select from a range of coverages with premiums that start at $30 per month.

KS: Thank you James, Howard and Petra for taking the time to share your insight and expertise. For more information about the Client Cyber Crime Insurance coverage being offered by Grandpoint Bank you can visit their website: www.grandpointinsurance.com or call (661-702-6039) or email Howard Miller (HowardM@lbwinsurance.com).

What You Can Do Today

You can protect your business against unnecessary financial losses by following these risk management best practices:
  • Encrypt sensitive data at rest, in transit and on mobile devices.
  • Provide employees responsible for wire transfers with anti-fraud training, including the detection of social engineering, phishing, spear phishing, or other confidence tricks.
  • Use e-mail authentication to ensure that e-mail received has originated from an authorized system (e.g. SPF, Sender Policy Framework; DKIM, DomainKeys Identified Mail). Bear in mind that these checks only prove a message really came from the domain it claims to come from; they do not help when the criminal registers a lookalike domain or sends from a vendor’s compromised mailbox, which is why the verification steps below are still needed.
  • Verify transfer requests and account detail changes using a method other than the initial contact method before acting on a transfer (e.g. the initial request is received by e-mail and verification is done by telephone, using a number already on file rather than one supplied in the e-mail).
  • Verify incoming checks by confirming that the check has actually cleared, not merely that the funds show as available, before performing services or transferring any of the funds.
  • Change your passwords regularly and use a different password for each banking and e-mail account.
  • Implement dual control for your bank accounts so that you always have a different person initiating a wire than the person approving a wire.
  • Set up alerts in your online banking profile to notify you when payments are made.
  • Always call to verify when payment instructions change or you are setting up a new vendor or client.

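
As an added illustration of the e-mail authentication and out-of-band verification items above (this is example code written for this article, not something from the original page or from Grandpoint, LBW or ERAI), the following Python script screens an inbound payment-instruction e-mail before anyone acts on it. It reads the SPF, DKIM and DMARC verdicts that the receiving mail server records in the Authentication-Results header, checks whether the sending domain matches the vendor’s domain of record, checks whether Reply-To has been redirected to another domain, and looks for wording that asks to change bank details. Anything that trips a check is routed for a telephone call-back to a known number before any transfer. The two sample messages, the vendor domain acme-supply.com, the lookalike domain acme-supply.co and the phrase list are all constructed for the example.

```python
"""Screen an inbound payment-instruction e-mail before anyone acts on it.

Added example for this article. The vendor domain, sample messages and phrase list
are constructed; the Authentication-Results header format is the real RFC 8601 one.
"""
from __future__ import annotations

import email
import email.utils
import re
from email import policy

# Wording that typically accompanies a request to redirect payment (assumed, not exhaustive).
PAYMENT_CHANGE_PHRASES = (
    "new bank", "updated bank", "change of bank", "new account",
    "wire instructions", "updated remittance", "new remittance",
)


def parse_auth_results(header_value: str) -> dict[str, str]:
    """Pull the spf=, dkim= and dmarc= verdicts out of an Authentication-Results header.

    Methods the receiving server did not evaluate are reported as 'none'.
    """
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*([A-Za-z]+)", header_value, re.I):
        results[method.lower()] = verdict.lower()
    return results


def address_domain(header_value: str) -> str:
    """Lower-cased domain part of 'Display Name <user@domain>' (empty if absent)."""
    _name, address = email.utils.parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def assess_payment_request(raw_message: bytes, vendor_domain: str) -> dict:
    """Decide whether a message must be verified by telephone before any transfer.

    Returns the authentication verdicts, whether the text asks to change payment
    details, the list of red flags, and the final call-back decision.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_domain = address_domain(msg.get("From", ""))
    reply_domain = address_domain(msg.get("Reply-To", "")) or from_domain
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    reasons: list[str] = []
    if auth["spf"] != "pass" or auth["dkim"] != "pass":
        reasons.append(f"e-mail authentication incomplete (spf={auth['spf']}, dkim={auth['dkim']}, dmarc={auth['dmarc']})")
    if from_domain != vendor_domain.lower():
        reasons.append(f"sender domain {from_domain!r} does not match vendor of record {vendor_domain!r}")
    if reply_domain != from_domain:
        reasons.append(f"Reply-To redirects replies to {reply_domain!r}")
    asks_for_change = any(phrase in body for phrase in PAYMENT_CHANGE_PHRASES)

    return {
        "auth": auth,
        "requests_payment_change": asks_for_change,
        "reasons": reasons,
        # Any change to payment details is verified by phone regardless of how
        # clean the message looks; anything else is verified if a check tripped.
        "requires_callback": asks_for_change or bool(reasons),
    }


# Constructed sample 1: a BEC attempt from a lookalike domain the criminal controls.
BEC_SAMPLE = b"""\
From: Acme Supply Accounts <accounts@acme-supply.co>
Reply-To: accounts@acme-supply.co
To: ap@example.com
Subject: Updated remittance details for invoice 1187
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supply.co; dkim=none; dmarc=none
Content-Type: text/plain; charset="utf-8"

Hello, please note our new bank account for all future payments.
Wire instructions are attached. Kindly confirm once updated.
"""

# Constructed sample 2: an ordinary invoice from the real vendor domain.
LEGIT_SAMPLE = b"""\
From: Acme Supply Accounts <accounts@acme-supply.com>
To: ap@example.com
Subject: Invoice 1187
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supply.com; dkim=pass header.d=acme-supply.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Attached is invoice 1187, due in 30 days. Our banking details have not changed.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess_payment_request(sample, "acme-supply.com"))
```

Note that SPF can legitimately pass on the lookalike message: the criminal controls acme-supply.co and has published its own DNS records, so authentication only proves the mail really came from acme-supply.co, not that acme-supply.co is your vendor. That is why the domain-of-record comparison and the call-back to a number already on file remain mandatory even when every authentication verdict is a pass.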
About the Experts

James Melendres, Snell & Wilmer—Partner, Co-chair of Privacy, Data Protection, and Cybersecurity Practice

James Melendres is co-chair of the Cybersecurity, Data Protection, and Privacy practice and co-chair of the White Collar Defense and Investigations practice. He focuses on cybersecurity incident preparation and emergency response, related regulatory compliance and civil litigation as well as white collar criminal defense and government investigations. Prior to joining Snell & Wilmer, James served in the leadership offices at the Department of Justice as Counsel to the Assistant Attorney General where he oversaw legal and policy issues regarding sensitive cyber matters. He also led some of the Justice Department's most high-profile and complex matters, including the prosecution of former Central Intelligence Agency Director David Petraeus for mishandling classified information and making false statements to the Federal Bureau of Investigation.

Howard Miller, CRM, CIC, LBW Insurance and Financial Services — Vice President, Director of LBW’s Tech Secure® Division

Howard Miller brings over 20 years’ experience in property and casualty insurance. He specializes in insurance and risk solutions arising out of cyber security, cyber crime, intellectual property, and technology products and services. He is a founding member and leadership council member of the non-profit Secure the Village. In 2016 he was the first licensed agent to provide a cyber-crime insurance program for financial institution customers. He frequently delivers custom presentations on technology insurance and risk management topics for industry groups and executives.

Petra Griffith, Director of Product Development for Grandpoint Bank

Petra Griffith is the director of product development at Grandpoint Bank where she manages new product and business initiatives. Prior to joining Grandpoint, Petra was a senior product manager with Yahoo, where she led monetization products for Yahoo's media experience division. Previously, she helped start two start-ups in the Bay Area, iPrint.com and ZuluSports.com, and launched new products within larger fitness and media companies, including 24 Hour Fitness, BSkyB and Time, Inc.

Petra earned her undergraduate degree in International Politics and Economics, and German Cultural Studies from Middlebury College in Vermont, and an M.B.A. from the London Business School. You can follow Petra on Twitter (@petragriffith) and find her on LinkedIn at www.linkedin.com/in/petragriffith.


Cyber Threats in Everyday Life

By: Damir Akhoundov

Everyone is on the lookout for computer viruses and other malware these days. They can make your computer slow or unresponsive, send spam from your e-mail client and compromise sensitive information. Most people believe they are aware of the inconvenience and annoyance these malicious surprises can cause, but what many individuals and business owners do not realize is that there is an emerging threat that can swiftly put your entire company’s (and your customers’!) data completely out of your reach. Google defines it as:

ran·som·ware: a type of malicious software designed to block access to a computer system until a sum of money is paid.

There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC. They can target any PC user, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.

Ransomware usually either prevents you from accessing your operating system or encrypts files so you can’t use them. It will demand that you pay money (a “ransom”) to get access to your PC or files back. Some variants have also been seen to demand that you complete surveys. There is no guarantee that paying the ransom or doing what the ransomware tells you will restore access to your PC or files. This makes it a very serious threat for a business.

Lockscreen Ransomware

Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It requires you to pay a monetary fee (a “ransom”) to get access to your PC again.

Encryption Ransomware

Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files.

Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:
  • Visiting unsafe, suspicious, or fake websites.
  • Opening emails and email attachments from people you don’t know or that you weren’t expecting.
  • Clicking on malicious or bad links in emails, Facebook, Twitter, and other social media posts, or instant messenger chats, like Skype.
It can be very difficult or impossible to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.

The number of enterprise victims being targeted by ransomware is increasing. Often the attackers specifically research and target a victim, using the same techniques as spear-phishing or whaling (targeted phishing of senior staff) to gain access to the network. Sensitive files are encrypted and large sums of money are demanded to restore them. Generally, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption, which is why documents, spreadsheets, databases and network shares are typically hit while the operating system itself is left running. With properly implemented encryption it is practically impossible to recover the files without the original encryption key, which only the attackers hold.

How to protect your business from Ransomware attack
  1. Use reputable antivirus software and a firewall, and keep both up to date. Security software that is months out of date will miss current ransomware families.
  2. Back up your data on a regular basis. Back up your files to an external hard drive, a cloud or online backup provider, or both. Keep at least one copy that is disconnected or otherwise not writable from your computer: encryption ransomware also encrypts attached drives and mapped network shares it can reach, so an always-connected backup drive can be lost along with the originals. Establish a routine for your backups so the latest data is saved, and test a restore periodically so you know the backups are usable. If you are infected and your files are properly backed up, you can wipe the computer, reinstall your software and restore your files.
  3. Enable popup blocker features. Popups are often used to trick you into installing software or code, so disable popups in your Internet browser. If a popup does appear anyway, do not click anything inside it, including what looks like a close button: buttons that appear harmless may be programmed to install ransomware or other malicious code. Close the browser tab or window instead.
  4. Exercise caution when clicking on links. Don’t click on links inside unexpected emails and websites, and avoid suspicious websites. If your PC does come under attack, use another computer to research details about the type of attack. Be aware that websites purporting to help are often fake sites that may even advertise fake antivirus software or decryption programs.
  5. Disconnect from the network. If you receive a ransomware note, disconnect the machine from the Internet and from the local network (unplug the cable, turn off Wi-Fi) to stop the malware from reaching network shares and other machines and from sending your data to the criminals. If you have backed up your data, you can reinstall your software and restore your files on a clean machine.
  6. Alert authorities. Ransomware is a serious form of extortion. Contact your network administrator or IT director, who can then contact any relevant authorities.
Don’t be tempted to give in and pay the ransom. The consensus among the network security community is that paying the ransom would be a mistake because perpetrators will usually further extort their victim and most likely not release your information. Taking precautions to protect your information and maintaining vigilance are the best solutions to avoid becoming a victim in the first place.
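
The following Python script is an added example for the encryption-ransomware scenario described above; it is not code from the original article. It shows one way an administrator can detect that files on a file server or backup share have already been encrypted, using two signals: a document file whose normal extension has been followed by an unknown suffix (many encryption ransomware families rename what they encrypt), and a file in a plaintext format (.txt, .csv, .sql and similar) whose contents have near-maximal Shannon entropy, which readable text never has. The extension lists, the 7.9 bits-per-byte threshold and the sample files it creates in a temporary directory are assumptions made for the example; tune them to your environment.

```python
"""Spot files that look like they have already been encrypted by ransomware.

Added example: entropy and renamed-extension heuristics over a directory tree.
All thresholds and extension lists below are assumptions for the example.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Document extensions ransomware typically targets (assumed, illustrative subset).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".csv",
                       ".sql", ".jpg", ".png"}
# Plaintext formats whose genuine content is never close to 8 bits per byte.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".sql", ".xml", ".json", ".log", ".html"}
# Formats that are legitimately high-entropy or commonly chained after another suffix.
KNOWN_BINARY_EXTENSIONS = {".zip", ".gz", ".7z", ".tar", ".jpg", ".png", ".mp4", ".gpg", ".bak"}
ENTROPY_THRESHOLD = 7.9   # bits per byte; assumed cut-off
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> list[str]:
    """Return the reasons a file looks ransomware-encrypted; an empty list means clean."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]

    # Rule 1: a document extension followed by a suffix we do not recognise,
    # e.g. report.docx.locked, is the signature of ransomware that renames files.
    if len(suffixes) >= 2:
        original, appended = suffixes[-2], suffixes[-1]
        if original in DOCUMENT_EXTENSIONS and appended not in DOCUMENT_EXTENSIONS | KNOWN_BINARY_EXTENSIONS:
            reasons.append(f"document extension {original} followed by unknown suffix {appended}")

    # Rule 2: a plaintext format whose bytes look random. Encrypted output has
    # entropy very close to 8 bits/byte; English text is around 4 to 5.
    if suffixes and suffixes[-1] in PLAINTEXT_EXTENSIONS:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        entropy = shannon_entropy(head)
        if entropy > ENTROPY_THRESHOLD:
            reasons.append(f"entropy {entropy:.2f} bits/byte too high for a plaintext format")
    return reasons


def scan_tree(root: Path) -> dict[Path, list[str]]:
    """Walk root and return {path: reasons} for every file that trips a rule."""
    findings: dict[Path, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = classify_file(path)
            if reasons:
                findings[path] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two healthy files and two that mimic ransomware output."""
    (root / "notes.txt").write_bytes(b"Quarterly supplier review notes.\n" * 200)
    (root / "photo.jpg").write_bytes(os.urandom(SAMPLE_BYTES))      # binary, but expected for a jpg
    (root / "ledger.csv").write_bytes(os.urandom(SAMPLE_BYTES))     # plaintext format, random bytes
    (root / "report.docx.locked").write_bytes(os.urandom(4096))     # renamed by the malware


def demo() -> dict[str, list[str]]:
    """Create the sample tree in a temporary directory, scan it and return findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {path.name: reasons for path, reasons in scan_tree(root).items()}


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(f"{name}: {'; '.join(reasons)}")
```

Compressed and already-encrypted formats (.zip, .jpg, .gpg) are high-entropy by nature, so the entropy rule is deliberately applied only to plaintext formats; running it against everything would bury real findings in false positives. Run the scan as a scheduled job against file shares and backup targets, and treat a positive result as the moment to isolate the source machine and check that the most recent backup predates the damage.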

DFARS – The Continuing Journey

By: Bob Bodemuller, Lockheed Martin Missiles and Fire Control (MFC)

Since the original passage of Section 818 in the 2012 NDAA we have all been on the counterfeit mitigation/avoidance roller coaster. First the law was passed and we awaited the first DFARS. Finally, the first DFARS case was open for public comment and industry provided a large amount of feedback and suggestions regarding how the DFARS could affect industry. Next we waited with anticipation to see what the result would be.

Finally, in May 2014, DFARS 252.246-7007 was published and became effective. I think all of us were surprised at some of the content because in a few areas it was much different than the public comment version.

We have now had experience with the draft, comment and release cycle for a few DFARS clauses and have learned not to be surprised anymore when the final release is much different than the public comment version. That is certainly the case with the early August 2016 revisions of DFARS 252.246-7007 and the release of a new DFARS 252.246-7008. So let us look at the history of DFARS Case 2014-D005 and examine the requirements that we must comply with as a result.

DFARS Case 2014-D005 titled “Further Implementation” was posted for public comment on September 21, 2015. The intent was to address paragraph (c)(3) of section 818 of the 2012 NDAA as modified by section 817 of the 2015 NDAA which said, “contractors shall acquire electronic parts from trusted suppliers in order to further address the avoidance of counterfeit parts.” This case also removed embedded software and firmware from the definition of electronic part and provided clarification of traceability expectations. The final rule was released on August 2, 2016 in the Federal Register and was effective upon publication.

The DFARS case resulted in the revision of the original May 2014 version of DFARS 252.246-7007 along with the issuance of a new DFARS, 252.246-7008. One of the revisions of the -7007 DFARS was to rewrite criteria 4 and 5 for source selection and traceability and refer the criteria directly to the new DFARS 252.246-7008 titled “Sources of Electronic Parts”. In effect, if the 252.246-7007 DFARS is in your contract, then the -7008 is also.

Additional revisions were new definitions of electronic parts sources. Deleted was any reference to “distribution”, authorized or independent. They were replaced by authorized supplier and contractor-approved supplier while implementing a tiered approach for electronic part sources in DFARS -7008. The tiered approach now has three categories of sources shown below.

  • Category 1: Electronic parts that are in production or currently available in stock.

  • Category 2: Electronic parts that are not in production and not currently available in stock from a category 1 supplier.

  • Category 3:
    • Sources other than a category 1 or 2 as defined above.
    • Electronic parts from a subcontractor (other than the original manufacturer) that refuses to accept flow down of DFARS 252.246-7008.
    • Suppliers that cannot confirm that an electronic part is new or not previously used and that it has not been comingled in supplier new production or stock with used, refurbished, reclaimed, or returned parts.

Category 1 suppliers include the original manufacturer, their authorized suppliers or suppliers who obtain parts exclusively from the original manufacturers of the parts or their authorized dealers. It should be noted that the DFARS specifically states that even if a part is not in production but is available from an authorized supplier, it MUST be procured from a category 1 supplier. Likewise, if it is in production but not available in stock, it must be procured from a category 1 supplier regardless of cost or schedule.

Category 2 suppliers are suppliers that have been identified by the contractor as “contractor-approved”. For this category of supplier the contractor must use established counterfeit prevention industry standards and processes, be responsible for part authenticity and the selection is subject to review, audit and approval (“approval” is from the 2016 NDAA revision, see DFARS case 2016-D010 now finishing the public comment period) by the contracting officer.

Category 3 suppliers are everyone else, i.e., any supplier that does not fall into the first two categories, plus a subcontractor, at any level, who refuses to accept the flow down of DFARS 252.246-7008. This additionally includes if a supplier cannot confirm that an electronic part is new or not previously used AND that it has not been comingled in supplier new production or stock with used, refurbished, reclaimed OR returned parts.

The DFARS also discusses procuring parts from government sources. It imposes the same contractor requirements on government sources that it does on contractor sources. For example, even if a part is procured from a supplier on the QSLD (Qualified Suppliers List of Distributors) or QML (Qualified Manufacturers List), contractors and subcontractors are still required to comply with the supplier selection (and traceability) requirements discussed above.

One of the intents of the DFARS was to clarify traceability requirements. Many in industry believe that the DFARS fell short in this area and, in fact, raised new questions and concerns. The May 2014 version of the -7007 text required traceability, “back to the original manufacturer”. It was interpreted by many that this was the original manufacturer of the electrical component so was interpreted as meaning back to the OCM. The August 2016 revision provided a new definition of the “original manufacturer” which now includes, “the original component manufacturer, the original equipment manufacturer or the contract manufacturer”.

The traceability debate now centers on the fact that the -7008 DFARS does not need to be flowed down to the “original manufacturer” plus the requirement is only for traceability to the OEM. Many contractors are by definition an OEM (a company that manufactures products that it has designed from purchased components and sells those products under the company’s brand name). The question that has been raised is does traceability stop at the OEM? It is believed this is not the intent of the DFARS.

In the government response to the public comments contained in the Federal Register publication, the government goes to great lengths to recognize that traceability comes with a cost. There are some inferences in the discussion that the traceability the government is looking for consists of “as-built” traceability. However, that is contradicted by the DFARS requirement which states, “have risk-based processes (taking into consideration the consequences of failure of an electronic part) that enable tracking of electronic parts from the original manufacturer to product acceptance by the Government…”. At the same time, the following statement was also made in the government’s recognition that traceability comes with a cost:

“While DoD acknowledges the burden associated with this requirement and that establishing such traceability does not guarantee the authenticity of all parts, nevertheless DoD considers the costs associated with this burden to be justified in comparison to the harm that can result from introduction of counterfeit parts into the DoD supply chain.”

Lastly, the DFARS is very specific that this clause also applies to the procurement of commercial items and commercial electronic parts. Medical equipment procured by DoD was specifically used as an example. DoD commented that even if commercial items are regulated by other parts of the government, any DoD procurement containing electronic parts must comply with this clause.

As we continue through the DFARS “understanding” process, it could be argued that once again we may be seeing some unintended consequences. How the current version is reviewed and audited for compliance will help us understand what the intent is. However, it looks like there will be more controversy to come.

About Bob

Bob Bodemuller currently works at Lockheed Missiles & Fire Control (MFC) in Grand Prairie, Texas in supply chain quality where he is the subject matter expert (SME) in counterfeit part avoidance and risk mitigation and a Distinguished Member of the MFC Quality and Mission Success Technical Excellence Staff. Bob has over 40 years’ experience in the Engineering and Mission Assurance area in Space, Aviation and Defense industries. Experiences include over twenty years focused on Supply Chain Quality working extensively in supplier quality with both suppliers and receiving inspection operations.

Bob joined the SAE G-19 committees in mid-2000 where he participated with the development and release of AS5553 Rev. A and B and has worked on the AS6081 standard committee since its inception. He is a member of the SAE G-21 committee, which developed the AS6174 standard for counterfeit mitigation for materials. He now serves as the Chairman of the Counterfeit Avoidance Accreditation Committee, an industry managed third party certification administered by PRI, which has developed an industry managed certification scheme for AS5553A.

Bob has worked with industry as a member of the AIA Counterfeit Avoidance Working Group on counterfeit issues in the legislative area and has provided input during the public comment periods to DoD on the newly drafted DFARS.

Bob has presented at several conferences on the counterfeit standards. He has a mechanical engineering degree from Purdue University and a Masters of Management degree from University of Phoenix.

What’s Being Said About the New DFARS Clauses

Cross Your Heart and Hope to Die – New DFARS Clauses Target Counterfeit Electronic Parts

DoD issues final rule addressing allowability of costs related to counterfeit electronic parts

DOD Final Rule Addresses Source Requirements and Cost Recovery for Use of Counterfeit Electronic Parts

DoD’s New Rule Helps Contractors from Buying Counterfeit Parts

Latest DoD Counterfeit Parts Rule Narrows the Supply Chain for Contractors

US DoD finalises anti-counterfeit electronic measures

The 12 Counterfeit Detection and Avoidance System Criteria Under DFARS 252.246-7007
  1. Training personnel.
  2. Inspection and testing of electronic parts.
  3. Processes to abolish counterfeit parts proliferation.
  4. Risk-based processes that enable tracking of electronic parts from the original manufacturer to product acceptance by the Government, whether supplied as discrete electronic parts or contained in assemblies.
  5. Use of suppliers in accordance with 252.246-7008, Sources of Electronic Parts (described above).
  6. Reporting and quarantining of counterfeit electronic parts and suspect counterfeit electronic parts.
  7. Methodologies to identify and rapidly determine if a suspect counterfeit part is, in fact, counterfeit.
  8. Design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts.
  9. Flow down of these requirements to all subcontractors that supply electronic parts or assemblies containing electronic parts, or perform authentication testing.
  10. Process for staying abreast of current counterfeiting information and trends.
  11. Process for screening Government-Industry Data Exchange Program (GIDEP) reports and other credible sources of counterfeiting information to avoid the purchase or use of counterfeit electronic parts.
  12. Control of obsolete electronic parts.

SAE International Publishes Revision B of AS5553 and ARP6328

By Anne-Liese Heinichen, ERAI

On September 12, 2016, SAE International published Revision B of Aerospace Standard AS5553 Counterfeit Electrical, Electronic, and Electromechanical (EEE) Parts; Avoidance, Detection, Mitigation, and Disposition along with ARP6328 Guideline for Development of Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition Systems.

The first obvious difference between Revision A and B is the reduction of the standard from 43 to 8 pages. SAE AS5553 Revision A, published on January 21, 2013, contained eight appendices. While the appendices were intended to provide guidance and best practices, industry feedback revealed that their inclusion was causing confusion during implementation and the certification process. To better clarify the requirements outlined in AS5553, the G-19 CI Committee decided to move the content of the appendices into a new aerospace recommended practice document, ARP6328, as a complementary document to AS5553 Revision B. As was the case with the appendices in Revision A, the content in ARP6328 should not be considered required unless invoked by a customer as part of a contractual requirement. ARP6328 is designed to provide guidelines for implementing a counterfeit mitigation program per the requirements of AS5553.

Another large influence on Revision B was the publication of U.S. Department of Defense, Defense Federal Acquisition Regulation Supplement: Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D055), Part 252.246-7007 on May 6, 2014. This amendment defined new requirements for Cost Accounting Standards-covered contractors to establish and maintain a counterfeit detection and avoidance system and to flow down the requirements to lower tiers. These DFARS requirements would be applicable to many organizations that are purchasers and integrators of EEE parts, part of the target audience of AS5553.

Along with the release of the ARP and alignment to DFARS requirements, other changes in revision B include:

  • Removal of the term “fraudulent” throughout the standard, as the term was more applicable to an act performed by an individual or organization rather than a description of the parts themselves.
  • Revision of the term electronic parts to EEE parts to include electrical, electronic and electromechanical parts.
  • The Purpose and Application sections of the Scope were merged to provide clarification that the intent of the document is that it be used as a supplement to the requirements of a high level quality standard (e.g. ISO 9001, AS9120) and not as a stand-alone document.
  • Documents not specifically referenced in AS5553 were removed from the Applicable Documents section.
  • Several terms and definitions were either removed since they were not used in the standard or revised. One noteworthy change was made to the definition of counterfeit part to include a previously used part which is knowingly misrepresented as new. Accordingly, the definition of fraudulent part was removed from Revision B as previously mentioned. Additionally, a new term, authorized source, was defined relative to the purchasing process and includes suppliers who exclusively obtain parts from an OCM. On a side note, SAE International is developing AIR6273 which is intended to serve as a standardization document with regard to terms and definitions used throughout various counterfeit-related SAE standards. Once AIR6273 is published, it is the intent that the G-19 and G-21 Committees will refer to the terms and definitions contained therein by default.
  • Within the Purchasing Process requirements, Revision B states that the Counterfeit EEE Parts Control Plan must also address identification, detection, and avoidance of suspect counterfeit parts (in addition to mitigation, disposition and reporting from Revision A). To align with DFARS 252.246-7007 requirements, the Control Plan must also be updated as counterfeiting trends evolve and allow for the use of avoidance techniques from industry standards.
  • With regard to Personnel Training and for alignment with the DFARS 252.246-7007 requirements, the requirement that training must be updated was added.
  • In the Purchasing Process section, an emphasis was placed on sourcing parts from “authorized sources”. Requirements were added to “document and retain objective evidence” that the supplier is an authorized source and to assess and screen suppliers that are not authorized sources taking into consideration industry and government sources (e.g. ERAI). In addition, new requirements were defined for an organization’s risk assessment and risk mitigation plan per DFARS 252.246-7007 requirements.
  • Within the Purchasing Information section, the requirement to obtain traceability from the OCM to the source of supply that includes all of the “supply chain intermediaries” was removed, as many times this is not feasible.
  • The Failure Analysis section in Revision A was removed as this is already addressed in Verification of Purchased Parts.
  • The Material Control section was rewritten and absorbed some elements of Revision A’s Purchasing Information and Verification of Purchased/Returned Part(s) sections, including: traceability must be maintained to the source during the procurement and receiving process; to control counterfeit parts, an organization may now disposition the parts when legal requirements allow (e.g. scrapping the parts, including packaging material, to prevent reuse); inventory affected by a counterfeit part(s) must be addressed; and a documented process for verifying returned material is required to assure its authenticity.
  • Lastly, an Auditing section was added to require periodic internal auditing to ensure the organization’s compliance with its counterfeit control plan.
To Purchase:

AS5553B - Counterfeit Electrical, Electronic, and Electromechanical (EEE) Parts; Avoidance, Detection, Mitigation, and Disposition

ARP6328 - Guideline for Development of Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition Systems

Latest AS9100 standard brings counterfeit part control to aerospace manufacturing

By: Christopher Paris, VP Operations, Oxebridge Quality Resources International LLC

The aerospace standards AS9100, AS9110 and AS9120 aim to establish minimum baselines for quality management systems for manufacturers, repair stations and stockist distributors, respectively. Companies are then audited against those standards in order to achieve “certification” by an accredited third party registrar; this certification can open access to contracts available from government agencies, OEMs and aerospace primes.

Prior editions of AS9110 and AS9120 included language about counterfeit part control, but the AS9100 standard – the most well-known of the three – did not. With the latest update to revision D, however, AS9100 brings manufacturers into the fold. Specifically, the standard’s clause 8.1.4 now requires:

The organization shall plan, implement, and control processes, appropriate to the organization and the product, for the prevention of counterfeit or suspect counterfeit part use and their inclusion in product(s) delivered to the customer.

The change is unlikely to affect some electronic assembly manufacturers who would have been operating with such awareness even prior to AS9100’s discovery of it. The vast majority of AS9100 users, however, are going to find themselves struggling with a generically-worded clause that invokes a critically important concept, forcing users to interpret it as best they can for their particular organization. History tells us that when standards are poorly worded, implementation and subsequent auditing rarely go well.

The best approach for all user organizations is to tailor their QMS so that it matches what they do, rather than a literal blow-by-blow mimicking of the AS9100 standard. This results in flexible, organic quality systems that eventually drive the greatest levels of compliance and improvement; however, this requires one to take the AS9100 standard and hammer it into shape around the company’s QMS, through interpretation, rather than shaping the QMS to fit the standard. The trick here is to do this as much as possible without pushing the interpretation so far that the organization no longer complies with AS9100.

As always, different companies will face different challenges based on their particular products and the materials they use. Manufacturing companies that use electronic components or assemblies should implement a counterfeit part control program that aligns with industry best practices and, to the extent that they apply, the AS5553 and AS6081 standards. Because those standards already exist, there is a mature and robust support infrastructure in place to assist companies in understanding and implementing them. It will be important, of course, to implement only the aspects of those standards that apply to the organization.

For aircraft or spacecraft contract manufacturers who typically don’t use electronic components, things get trickier. AS9100D provides no separate rules for electronics versus raw materials such as metals or plastics, and a literal reading of the clause makes no distinction either: they all need to be controlled. Machine shops struggle with this, since it’s rare that anyone receives “counterfeit” steel bar stock or aluminum extrusions, but if we view the clause as another means of ensuring raw material conformity, it becomes easier to understand. This means ensuring raw materials are suitable through heat lot traceability and material test reports, and by using only established, vetted and evaluated suppliers. “Grandfathering” established providers of such material (especially large, established suppliers) is a perfectly acceptable first step.

Additional assurance may require getting additional documentation to know where your suppliers are buying their materials from, but in many cases the documentation they already provide might be sufficient; e.g., batch records, certificates of analysis, etc. AS9100 already had stricter traceability requirements than the more generic ISO 9001 standard for manufacturers, so aerospace manufacturers may find little to worry about.

One side note: more and more aerospace contracts also invoke conflict-free mineral sourcing, and while that’s not included in AS9100, if you are already assessing conflict-free sources, this helps in meeting the new AS9100 requirements on counterfeit product, too.

It may not simply apply to raw materials, but also consumables and hardware kit components; however, if normal controls are implemented which aim to ensure the products are exactly what they claim they are – say, through receiving inspection and review of the accompanying certifications or documentation – you’ve done much of the work required to ensure they are not counterfeit.

AS9100D adopts the “risk-based thinking” approach of the latest revision of ISO 9001, and while controversial, this nevertheless gives AS9100 companies an additional tool to invoke when deciding how much oversight to apply to the various types of materials. It would be worthwhile for companies to do a simple risk assessment of all the types of materials they utilize, compared against historical evidence of counterfeiting and the risk to final products, to determine which materials will receive counterfeit controls and which might only be managed through typical inspection and testing methods. For example, the world doesn’t have a history of counterfeit shipping labels or packing peanuts, so you might not want to invest a lot of time and effort on assuring those; meanwhile, you will definitely want to put your efforts into the assurance of electronic components and, to a lesser degree, raw materials.

In all cases, if there is any suspicion about the origin of raw materials, the company should work to obtain enough documentation or evidence to alleviate that suspicion. It’s not one size fits all, and the rules for electronic counterfeit part control won’t work for raw materials or kit components. You must tailor the approach.

About Christopher:

Christopher Paris is founder of Oxebridge Quality Resources International LLC, http://www.oxebridge.com, a provider of AS9100 training and consulting. His clients include SpaceX, Northrop Grumman, NASA and more than 200 small to medium subtier suppliers. He is a vocal advocate for the rights of standards users, and is the author of the upcoming book Surviving ISO 9001: What Went So Terribly Wrong with the World’s Foremost Quality Management Standard, and How to Implement It Anyway.

U.S. Government Adds Russian Electronics Companies to the Entity List in Accordance with Russian Sanctions

By Anne-Liese Heinichen, ERAI

On September 7, 2016, the Department of Commerce, Bureau of Industry and Security (BIS) added eighty-one (81) entities to the Entity List. These entities were, “determined by the U.S. Government to be acting contrary to the national security or foreign policy interests of the United States. BIS is taking this action to ensure the efficacy of existing sanctions on the Russian Federation (Russia) for violating international law and fueling the conflict in eastern Ukraine.”1

A number of these entities have been identified as organizations involved in the manufacture and/or trade of electronic components and electronic equipment in connection to the Russian defense industry.

Among the entities located in Russia, Hong Kong and India are:
  • Joint Stock Company Angstrem
  • Joint Stock Company Angstrem-T
  • Joint Stock Company Foreign Economic Association (FEA) Radioexport
  • Joint Stock Company Perm Scientific Industrial Instrument-Making Company (PNPPK)
  • Joint Stock Company Mikron
  • Joint Stock Company Research and Production Company Micran
  • NPC Granat
  • Technopole Company
  • Technopole Ltd.
  • Giovan Ltd.

These restrictions impose strict controls on exports, re-exports and the sale of materials and technology through additional licensing requirements. According to 15 CFR 744.11 (License requirements that apply to entities acting contrary to the national security or foreign policy interests of the United States), BIS may make additions to the Entity List for, “entities for which there is reasonable cause to believe, based on specific and articulable facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities may be added to the Entity List.”2

The addition of these Russian organizations further expands sanctions first imposed in 2014 by the U.S. Government in response to the Russian Government’s role in the conflict in eastern Ukraine and its annexation of Crimea. On March 6, 2014, President Obama invoked the International Emergency Economic Powers Act and ordered sanctions, including asset freezes and travel bans for individuals. Subsequent sanctions in April and July barred business transactions with certain Russian officials, energy firms and banks, and restricted the export of arms and related materials and of dual-use technology intended for military use.

While BIS may remove an organization from the Entity List or modify the license exceptions and license application review policies at its discretion, organizations are advised to contact an export control specialist prior to entering into a transaction with a company or individual named on the Entity List.
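The practical step implied by that advice is to screen every counterparty name against the list before a transaction is entered into, and the main difficulty is that the same legal entity is written many ways (“JSC”, “AO” and “Joint Stock Company” for the same Russian form, “Ltd.” against “Company”). The Python below is an added example written for this article, not BIS or ERAI tooling; the noise-token set, the normalization rules, the helper names normalize_name and screen, and the counterparty names in main() are assumptions chosen for illustration. Only the ten entity names quoted above are loaded; a production screen runs against the full Consolidated Screening List with addresses and known aliases.

```python
"""Screen a counterparty name against Entity List names before a transaction.

Added example for this article; it is not BIS or ERAI tooling. The noise-token
set, the normalisation rules and the constructed counterparty names in main()
are assumptions. Only the entity names quoted in the article are loaded; a
production screen runs against the full Consolidated Screening List with
addresses and known aliases, and every hit goes to an export control specialist.
"""
import re

# Entity names exactly as quoted in the article (BIS addition of September 7, 2016).
ENTITY_LIST = [
    "Joint Stock Company Angstrem",
    "Joint Stock Company Angstrem-T",
    "Joint Stock Company Foreign Economic Association (FEA) Radioexport",
    "Joint Stock Company Perm Scientific Industrial Instrument-Making Company (PNPPK)",
    "Joint Stock Company Mikron",
    "Joint Stock Company Research and Production Company Micran",
    "NPC Granat",
    "Technopole Company",
    "Technopole Ltd.",
    "Giovan Ltd.",
]

# Legal-form and connector words that carry no identifying information
# (assumed set; extend it for the jurisdictions you trade with).
NOISE_TOKENS = {
    "joint", "stock", "company", "co", "jsc", "ao", "oao", "zao", "ooo", "pao",
    "ltd", "limited", "llc", "inc", "corp", "corporation", "gmbh",
    "and", "of", "the",
}


def normalize_name(name):
    """Lower-case, drop punctuation and noise tokens; hyphens are kept so that
    'Angstrem-T' stays distinct from 'Angstrem'."""
    cleaned = re.sub(r"[^\w\s-]", " ", name.lower())
    return " ".join(t for t in cleaned.split() if t not in NOISE_TOKENS)


def screen(counterparty, entity_list=ENTITY_LIST):
    """Return a review queue of (strength, listed_name) pairs; [] means no hit.

    'exact'    - the identifying tokens are the same set
    'possible' - every identifying token of the shorter name occurs in the longer
    """
    cand_tokens = set(normalize_name(counterparty).split())
    if not cand_tokens:  # the name consisted only of legal-form words
        return []
    hits = []
    for listed in entity_list:
        core_tokens = set(normalize_name(listed).split())
        if cand_tokens == core_tokens:
            hits.append(("exact", listed))
        else:
            small, big = sorted((cand_tokens, core_tokens), key=len)
            if small and small <= big:
                hits.append(("possible", listed))
    return hits


if __name__ == "__main__":
    # Constructed counterparty names, not taken from any real transaction.
    for name in ("AO Angstrem", "Technopole LLC", "Granat", "PNPPK",
                 "Micron Technology, Inc.", "Joint Stock Company"):
        print(f"{name!r}: {screen(name)}")
```

Three design choices matter here. Stripping legal-form tokens is what lets “AO Angstrem” hit “Joint Stock Company Angstrem”, and keeping hyphens is what stops it from also hitting Angstrem-T, a separately listed entity. Token-set comparison rather than substring search keeps “Micron Technology” clear of “Micran” and “Mikron”, which a sounds-like match would confuse. And the function returns a queue of hits with a strength, not a yes/no: “Technopole LLC” legitimately matches two entries, and a “possible” hit such as “Granat” against “NPC Granat” is a reason to involve the export control specialist before shipping, not a decision the code makes on its own.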
1Russian Sanctions: Addition of Certain Entities to the Entity List, 15 CFR Part 744.

2"15 CFR 744.11 - License Requirements That Apply to Entities Acting Contrary to the National Security or Foreign Policy Interests of the United States." LII / Legal Information Institute.

Criminal Sentencings and Prosecutions Continue

Alexander Brazhnikov Jr., who pleaded guilty to conspiracy to commit money laundering, conspiracy to smuggle goods and conspiracy to violate the IEEPA, was sentenced on June 30, 2016 to 70 months’ imprisonment, 3 years supervised release, alcohol/drug treatment and forfeiture of monies. A joint investigation started in 2012 discovered that Brazhnikov, with the help of his father, funneled funds totaling $65 million from Russia to offshore bank accounts and eventually into U.S. bank accounts controlled by Brazhnikov and his companies: ABN Universal Inc; Zond-R, Inc; Telecom Multipliers; and Electronics Consulting, Inc. He then purchased large quantities of electronic components which he repackaged, falsified the true value of the exported items and concealed the destination of the parts in shipping documents, all of which were intended for use by the Russian Government and FSB in violation of the IEEPA.

In December 2015, Daofu Zhang, Jiang Guanghou “Ben” Yan and Xianfeng Zuo, operating as HK Potential Electronics in Shenzhen, China, were arrested on federal charges of selling counterfeit semiconductors for U.S. Navy use, asking an undercover agent to steal authentic semiconductors from a U.S. Navy base, and offering to provide counterfeit substitutes so that the theft would not be easily noticed. The three defendants are being tried separately and have all entered guilty pleas. Daofu Zhang was sentenced on July 13, 2016 to 15 months’ imprisonment and forfeiture of $63,000.00 for conspiracy to traffic in counterfeit goods. According to the Federal Bureau of Prisons’ inmate locator, Zhang is currently incarcerated in Pennsylvania and is scheduled to be released on January 10, 2017. Xianfeng Zuo is scheduled for sentencing on November 4, 2016; Jiang “Ben” Yan is scheduled for sentencing on December 20, 2016.

Sentencing was held on July 21, 2016 for Alexander Fishenko, the former president of Arc Electronics Inc. Fishenko pleaded guilty to all charges against him in September 2015, including acting as an agent of the Russian government without prior notification to the Attorney General and illegally exporting microelectronics to Russia. While various counts were dismissed upon a motion by the Government, Fishenko was sentenced to a total term of 120 months’ (10 years’) imprisonment, 3 years supervised release, a special assessment totaling $1,900.00, mandatory drug abuse treatment and forfeiture of various bank accounts and real estate properties. Fishenko is currently remanded in custody in Oklahoma.

On August 16, 2016, Pavel Flider pleaded guilty to counts 1 and 2 for smuggling of goods. Flider and his company, Trident International Corporation, LLC, knowingly sent shipments containing false export information to promote unlawful activity in violation of Title 18, United States Code, Section 554. The shipments were sent to freight forwarders in Finland and Estonia for subsequent transport to Russia. Sentencing is scheduled for February 16, 2017.

Meanwhile, on August 19, 2016 in Florida, sentencing was held for Wenxia “Wency” Man for conspiracy to commit offenses against the United States through the export of defense articles without a license. Man was remanded into custody to a federal detention center in Miami to serve a 50-month sentence. Upon release from prison, Man will be on supervised release for two years. Man had attempted to purchase and ship military drones and jet fighter engines to China through her company, AFM Microelectronics.

Major Criminal Complaints Filed by US Prosecutors Relevant to Electronics Industry

Name (Last, First) | Company Name(s) | Court | Complaint Date (mm/dd/yy) | Offense(s) | Guilty Plea? | Sentence Date (mm/dd/yy) | Sentence
Wu, Zhen Zhou (Alex) | Chitron Electronics | MA | 12/4/08 | Munitions export violation; Commerce control export violation; Conspiracy to violate Munitions List & Commerce Control List; Conspiracy to file materially false shippers export declarations | No | 1/26/11 | 84 months imprisonment; $15,000.00 fine
McCloskey, Stephanie | VisionTech Components | DC | 9/14/10 | Conspiracy and aiding and abetting | Yes | 10/28/11 | 38 months imprisonment; 3 years supervised release; Restitution of $166,141.23 paid through forfeiture
Aljaff, Mustafa | MVP Micro | DC | 8/21/09 | Conspiracy to defraud United States; Trafficking in counterfeit goods | Yes | 2/28/12 | 30 months imprisonment; Restitution $177,862.22 joint w/Felahy
Felahy, Neil | MVP Micro | DC | 8/21/09 | Conspiracy; Trafficking in counterfeit goods | Yes | 3/16/12 | 20 months imprisonment; Restitution $184,612.57 joint w/Aljaff
Hashemi, Mohammad | Excellent PetroAlloy | South CA | 8/14/12 | Conspiracy to export to embargoed country (Iran) | Yes | 12/16/13 | 27 months imprisonment
Yang, Hao | MS Technologies Inc. | MD | 6/12/13 | Conspiracy to traffic in counterfeit goods and counterfeit military goods | No | 4/23/14 | 21 months imprisonment, deportation; Forfeiture $59,000.00 cash and items valued at $280,720.00
Frediani, Steven | InstoComp | South FL | 2/26/13 | Conspiracy to commit aircraft parts fraud; Aircraft parts fraud | Yes | 4/28/14 | 18 months imprisonment; 12 months home detention with electronic monitoring; 1400 hours community service; Restitution $229,494.24 joint w/Nichols
Nichols, Glenn | InstoComp | South FL | 2/26/13 | Conspiracy to commit aircraft parts fraud | Yes | 5/13/14 | 15 months imprisonment; Restitution $229,494.24 joint w/Frediani
Picone, Peter | Epic International; Tytronix | CT | 6/25/13 | Conspiracy to traffic in counterfeit military goods | Yes | 10/8/15 | 37 months imprisonment; Restitution $325,088.00
Krantz, Jeffrey | Harry Krantz | CT | 7/28/15 | Wire fraud | Yes | 12/10/15 | 3 years probation; $100,000.00 fine; $402,500 restitution joint w/Warga
Warga, Jeffrey | Bay Components | CT | 12/10/14 | Conspiracy to commit wire fraud | Yes | 1/22/16 | 3 years probation; $402,500 restitution joint w/Krantz
Wren, Shannon | VisionTech Components | DC | 9/14/10 | Conspiracy; Trafficking in counterfeit goods; Mail fraud | No | | Died May 2011
Flider, Pavel Semenovich | Trident International; Flider Electronics | North CA | 3/5/15 | Smuggling goods; Conspiracy to commit money laundering; Money laundering | Yes | Sched. 2/16/17 |
Brazhnikov Jr., Alexander | ABN Universal; Telecom Multipliers; Electronics Consulting, Inc. | NJ | 6/26/14 | Conspiracy to commit money laundering; Conspiracy to smuggle goods out of US; Conspiracy to violate IEEPA | Yes | 6/30/16 | 70 months imprisonment; 3 years supervised release; Forfeiture of seized assets; Mandatory drug/alcohol abuse treatment
Zhang, Daofu | HK Potential Electronics | CT | 12/10/15 | Conspiracy to traffic in counterfeit goods | Yes | 7/13/16 | 15 months imprisonment; Forfeiture of $63,000.00
Fishenko, Alexander | Arc Electronics | East NY | 9/28/12 | Acting as an agent without notifying Attorney General; Conspiring to export microelectronics to Russia; Illegally exporting microelectronics to Russia; Money laundering conspiracy; Obstruction of justice | Yes | 7/21/16 | 120 months imprisonment; 3 years supervised release; $1,900.00 special assessment; Forfeiture of money and real estate assets; Mandatory drug/alcohol abuse treatment
Man, Wenxia (Wency) | AFM Microelectronics | South FL | 8/21/14 | Violation of Arms Export Control Act | No | 8/19/16 | 50 months imprisonment; 2 years supervised release
Zuo, Xianfeng | HK Potential Electronics | CT | 12/10/15 | Conspiracy to traffic in counterfeit goods | Yes | Sched. |
Yan, Jiang (Ben) | HK Potential Electronics | CT | 12/10/15 | Conspiracy to traffic in counterfeit goods; Attempt to violate IEEPA | Yes | Sched. |
Skiscim, Paul | Aerospace Fasteners | East NY | 2/24/16 | Fraud involving aircraft or space vehicles; Wire fraud; False claims | | | Forfeiture of monies and real estate properties

ERAI New Features

High Risk and Suspect Counterfeit Parts Database Enhancements

At ERAI, we are constantly evolving and finding ways to better serve our Members. We have expanded the data that is presented to you in our High Risk and Suspect Counterfeit Parts Database. Along with the standard report categories and nonconformance description, Members can now see the components’ type and a new section cross referencing alerts issued for similar parts.

For each part report in the database, ERAI has collected the component type (e.g. analog IC, memory IC, microprocessor); however, it was previously not displayed in the part report. The component type field now appears in the part report directly under the manufacturer’s brand name.

Below the date reported field, you will now see a section of three cross references:
  1. Number of alerts for this part number:  Displays the total number of reports for this exact part number contained in the ERAI High Risk and Suspect Counterfeit Parts Database. In the example report above, this part has been reported six (6) times to ERAI.
  2. Number of alerts for this manufacturer brand:  This shows the total number of reports contained in the ERAI High Risk and Suspect Counterfeit Parts Database for the same manufacturer’s brand. In other words, in the example, there are 192 other parts bearing this manufacturer’s brand that were reported to ERAI.
  3. Number of alerts for this component type:  This field displays the number of reported part alerts in ERAI’s database for parts of the same component type. In this case, there are 1496 reported parts that are categorized as memory ICs.
Clicking on any of the cross references will display a list of the parts included in that statistic. For example, clicking on the count next to Number of alerts for this Manufacturer Brand will display the other parts contained in ERAI’s High Risk and Suspect Counterfeit Parts Database that carry the same manufacturer brand as this reported part.

We hope these cross references will enable our Members to make more informed decisions during their counterfeit mitigation processes.

White Paper Reviews

Security as a Service – Incorporating NIST 800-171 Requirements into the Defense Supply Chain

Why you should read it: EXOSTAR and Robert Metzger’s White Paper outlines the new NIST SP 800-171 requirements for commercial companies to protect “Covered Defense Information” (CDI).

ERAI Insight: Along with the recent DFARS regulations for the detection and avoidance of counterfeit electronic parts, additional regulations have been established that require protection of Controlled Unclassified Information (CUI) as well as CDI. These regulations are imposed on DoD contractors and must be flowed down into subcontracts, affecting up to 10,000 contractors in the supply chain. While full compliance is not required until December 31, 2017, every contractor subject to this DFARS clause is required to provide “adequate security” for CDI immediately and must report “cyber incidents” within 72 hours of discovery. While most top-tier defense contractors already have systems in place, the 109 security safeguards outlined in NIST SP 800-171 will pose a large-scale problem for many small and mid-size companies to whom these flow-down requirements will apply. Also at issue is that the DFARS clause does not require third-party assessments or monitoring, no accreditation system is currently in place, and the use of cloud services is not effectively covered as a method of securing CDI.

