From: "C.H.J. Hartgerink" <[log in to unmask]>
Date: Wed, 17 May 2017 01:43:37 -0400

Ransomware occurs on the end-user's equipment; incorporating that into
an agreement implies that the publisher would be responsible for the
end-user's computer, which doesn't make sense. One scenario is that
one could incorporate something into a license that publishers will
maximize security of the platform for the end-user, which would be
more versatile if a range of cyber-attacks occur. But this would be
accompanied with liability, and I am unsure whether that commitment
will go through negotiations.

Something that can be addressed in licenses fairly easily, and is a
larger threat I think, is that of publisher websites not using HTTPS.
It allows for someone in the network to hijack the content being
served really easily. For example, ScienceDirect isn't HTTPS by
default and if someone in a hospital network would hijack that domain
and replace all mentions of a drug (e.g., "norepinephrine" with
"glucose"; this is simple to do for any cyber-attacker) it could
affect treatment decisions. There are many scenario's I can imagine
that would be detrimental to society and science.

I recommend to include a clause for any agreement that the publisher
commits to serving their content and platform only in HTTPS. This is
super easy to do with tools like CertBot, so insufficient funds are
for most publishers not a problem.

Cheers,
Chris



-------- Original Message --------
From: "Maher, Stephen" <[log in to unmask]>
Date: Tue, 16 May 2017 19:22:53 +0000

Random questions about ransomware:

Is ransomware and other malware a concern to publishers in relation to
making its content accessible online to its customers?

Can/should we call for specific language in our licenses with
publishers that addresses the threat of ransomware?

(e.g. in the event a publisher's contents are blocked due to ransomware)

Thank you,

Stephen


Stephen Maher, MSIS | Assistant Director
NYU Health Sciences Library
212.263.8935
[log in to unmask]