20 August 2016

Strategic Foresight: Risk Leadership into the Future...

When you really start to think long and deep on the discipline of the agile startup community,  you keep coming back to a single word.  Improvise.  The more you analyze what it takes to get an idea from "Zero to One" to a Minimum Viable Product (MVP), the more you need Operational Risk Management (ORM).  At the same time, this thought might question the notion of previous planning or preparedness:
im·pro·vise [im-pruh-vahyz] Show IPA verb, im·pro·vised, im·pro·vis·ing.
verb (used with object) 
1.  to compose and perform or deliver without previous preparation; extemporize: to improvise an acceptance speech.
2.  to compose, play, recite, or sing (verse, music, etc.) on the spur of the moment.
3.  to make, provide, or arrange from whatever materials are readily available.

Yet what the true startup and ORM professional understands is the origin of the word:

1820–30; French improviser, or its source, Italian improvisare (later improvvisare ), verbal derivative of improviso improvised; Latini mprōvīsus, equivalent to im- im-2 + prōvīsus past participle of prōvidēre to see before hand, prepare, provide for (a future circumstance). See proviso
And so this brings us to the importance today of utilizing the power of "Strategic Foresight."
Strategic foresight is a fairly recent attempt to differentiate "futurology" from "futures studies". It arises from the premise that:
  • The future is not predictable;
  • The future is not predetermined; and
Future outcomes can be influenced by our choices in the present. [1]  Strategic foresight may be used as part of the corporate foresight in large companies.[2] It is also used within various levels of Government and Not for Profit organizations. Many concepts and tools are also suited to 'personal futures' thinking.
The "Asymmetric Attributes" of enterprise risk and "Big Picture Security" today is making predictability a major task going forward.  So what do improvising and strategic foresight have to do with startups and Operational Risk Management?  Everything.  Let's go back in the "Time Machine" for a minute:
The 2010 eruption of Eyjafjallajökull were volcanic events at Eyjafjallajökull in Iceland which, although relatively small for volcanic eruptions, caused enormous disruption to air travel across western and northern Europe over an initial period of six days in April 2010. Additional localised disruption continued into May 2010. The eruption was declared officially over in October 2010, when snow on the glacier did not melt. From 14–20 April, ash covered large areas of northern Europe when the volcano erupted. About 20 countries closed their airspace (a condition known as ATC Zero) and it affected more than 100,000 travellers.
"As the crisis ran its course it went on to paralyze or seriously limit air traffic in 23 countries around the EU and its periphery bringing 300 airports to a standstill and cancelling 100,000 flights, representing three-quarters of all European traffic. Ten million individuals were affected and had to cancel their trips or find alternative travel arrangements at serious economic cost for the passengers, carriers, and insurers involved."
So what?  So the future state of a High Risk X Low Frequency event is unlikely to get the attention it requires.  The 1-in-100 year probability of an event occurrence, has been so integrated with insurance industry underwriting group think, it often falls on deaf ears.  Resources and attention are increasingly directed towards potential crisis events, that are considered High Risk X High Frequency.

Could the EU have imagined the impact of volcanic ash from an erupting volcano in Iceland?  Most certainly.  Did the EU have the strategic foresight to know what to do when and if this happened?  The point is that sometimes improvising and the success of improvisation is a result of having devoted resources and time towards the planning and behavioral prediction of future outcomes.  Influenced by our choices in the present.  The impact to the organization, enterprise, nation state or individual is going to be a factor of how much is devoted to strategic foresight initiatives.

It is also imperative that we discern the risk of natural incidents caused by mother nature, to human threat actors. We must continue to evaluate the characteristics of other threat vectors related to our daily Operational Risk spectrum.  Using only the imagination of low-tech, less sophisticated and tried-and-true methods, our human adversary has a "Modus Operandi" with a continued low-risk of failure.  That low tech lower risk of failure, is still one of our greatest vulnerabilities:
The Joint Improvised Explosive Device Defeat Organization (JIEDDO, pronounced like "ji-dough") is a jointly operated organization of the U.S. Department of Defense established to reduce or eliminate the effects of all forms of improvised explosive devices used against U.S. and coalition forces.[4]
  • Formed February 14, 2006
  • Headquarters The Pentagon
  • Employees 435 government civilians and military personnel; ~1,900 contract personnel
  • Annual budget $1.6 billion for fiscal year 2013 [1]
JIEDDO is making a difference and the metrics prove that our Operational Risk Management professionals here, need to continue the course.  Not just for what has happened overseas on foreign soil, but for the surging wave on our own U.S. Homeland:  Boston, MA is one recent and relevant example.

Be Vigilant America!  Use Strategic Foresight to imagine such interdependent, unpredictable scenarios.  These growing interdependencies, are becoming ever more so prevalent:

• Rapid global economic growth
• Industrial development of non-OECD nations
• Interlinked global supply chains
• Increased worldwide awareness
• Increased media reach and individual power

These five interdependencies will be the catalyst of our future High Risk X Low Frequency incidents.
The future success ratio of agile startups and the ability for new innovation to pivot effectively, will be determined by an Operational Risk Management maturity factor. 

13 August 2016

CityNext: Trust in a New Age Public Sector...

What if you had the opportunity to establish and design a new city in the United States?  Where would you decide to put it and how would you do it differently than it has ever been done before?

This would be a Public Sector project worth doing differently than we ever have imagined.  After all, how much have we learned by 2016 about critical infrastructure, including electrical grids, solar energy, water resources and waste management?  What about the latest inventions with 5G wireless and how broadband information systems have evolved to satisfy our insatiable appetites for data, entertainment and knowledge working professionals?

How would you design the transportation systems and how would you put the economic and governance factors of the new city into place?  The Urban Planning and CityNext initiatives today are trying to apply many new ideas and thinking to established cities, not just starting from a clean slate if you will.  There might be many discussions on what U.S. State was most suited for the city,  what the size in population and square miles that would encompass housing, commercial development and the social support systems to include health care, public safety and public works.

There are several global livability indexes that exist today and ranking cities by criteria on being the most livable.  Each may put cities such as Melbourne or Zurich,  Boulder or Santa Barbara, Rochester or Bellevue at the top.  This depends on the geographic scope and other criteria to rank cities by all of these particular index factors.

Realizing that there are also so many subjective reasons for wanting to live in an environment near the ocean or the mountains, let us just focus for a minute on all the factors that make the city operate effectively and produce positive economic and governance outcomes for its citizens.  Now how would you design this ideal ecosystem for the future?

If we could do it in such a way that you could replicate the model and the support systems then is it possible that you could put a new city in the middle of some U.S. state and have it flourish over the next 2 decades and beyond?  What factors would we focus on when it comes to how people make a living and sustain their families with a decent standard of living?

All of these considerations and questions are similar whenever you are talking about putting tens, hundreds or thousands of humans together to live, work and play together.  The anthropologists, economists, architects, scientists and doctors would all have their thoughts on what to avoid and how to do it correctly.

So what?  What does any of this have to do with Operational Risk Management (ORM)?

The truth is, that the design of the ideal city, the ideal business, the ideal product or the ideal operations plan, can't evolve and survive without Operational Risk Management:
Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. These risks are further defined as follows:

* Process risk – breakdown in established processes, failure to follow processes or inadequate process mapping within business lines.

* People risk – management failure, organizational structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors.

* Systems risk – disruption and outright system failures in both internal and outsourced operations.

* External event risk – natural disasters, terrorism, and vandalism.

The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities.
It really does not matter whether it is a single household, an enterprise business or the ideal city.  How much you focus on the "TrustDecisions" that are made each moment of every day, will determine the outcomes of your vision?

Now consider this:
Every transaction creating wealth first requires an affirmative decision to trust.

Building trust creates new wealth. Sustaining trust creates recurring wealth.

Achieving trust superior to your competition achieves market dominance.

Leadership rises (or falls) based on trust (or the absence of trust).

Take a moment and think about each of these with respect to what you do in your business or in your job. How does the organization acquire wealth? Where does new wealth originate? How are customers retained? What provokes them to keep coming back and paying for your goods or services? Why does the leader in your market succeed? If you are not the market leader, why not? How is the loyalty of your team maintained?  Source:  "Achieving Digital Trust" - Jeffrey Ritter
 "Trust is achieved by making decisions that produce favorable outcomes."  These words and more from Jeffrey Ritter should give us pause, as we advance or society and we design new cities.

The truth is, the "Public Sector" needs to create more trusted environments, more trusted transportation, more trusted water supplies, more trusted communications, more trusted safety and security.  The public sector needs systems that use trusted data to fuel all of this and provides continuous Confidentiality, Integrity and Assurance for all of its citizens.

If the public sector can attain these levels of performance, the vast spectrum of knowledge workers will flourish and data driven business models of the future will thrive and they will have new levels of trust.  Trust in their choice on where to live, to work, to raise a family and:
We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

07 August 2016

IT Transformation: Change Agent Journey into the Unknown...

The era of cloud computing is upon us and business innovation is rapidly adopting a new Information Technology strategy.  Planning for the business to be more adaptive, requires that the IT organization become more embedded with the functional leaders who are tasked with guiding the people, process and technology of the enterprise into the future.

Operational Risk Management (ORM) is about building an effective framework for business transformation executives at the CxO level to effectively coordinate and collaborate with the IT leadership.  Together, business and IT executives shall provide the organization and its customers with a seamless and almost undetectable transformation.

True "IT Transformation" has a trajectory to an unknown destination that is constantly adapting and becoming more agile.  It is a non-linear project plan, that is evolving towards a "Future State" where people and culture must change with it.  As a result, true "IT Transformation" requires experts in managing Operational Risks that encompass far more than just new cloud infrastructure for compute, storage, database and networking.

A culture transformation from an "As is" to a "Future State" is a professional services initiative that senior leaders are co-designing.  It is recognized that the vision of the future is still unknown as the business adapts to its environment and marketplace.  If you were an organization that had made the decision to move the business into international locations, how would you do that effectively?

An "IT Transformation" initiative to a new international marketplace requires far more time and resources.  The change mindset and culture shift for the employees will be imperative in order for the IT mechanisms to perform effectively and successfully.  How will this shift in business strategy impact the coding, architecture, inventory and customer service processes in the enterprise?
Let us be clear.  Transformation is different.  It is not "Developmental Change".  It is not "Transitional Change".  It requires a mindset, culture and systems change that operates in the unknown and where peoples emotions and behaviors are exaggerated.  It can't follow a linear project plan and that is why some organizations never attempt true transformation.
So what?  The decision for true "IT Transformation" requires a journey into the unknown yes, just as any explorer. This however also requires a mindset shift to that of the explorer, to prepare for the unknown and to plan for the contingencies to survive the trip.  Whether the journey is weeks or months does not matter.  There is always an opportunity to prepare before the launch.

 Consider these ORM categories as you begin the preparation for your true "IT Transformation":
  • Governance of Accounting (International pricing/regulatory compliance)
  • Access and Security Controls (Data privacy or legal considerations)
  • Asset Management
  • Application Risk (Availability, Disaster Recovery and backup)
  • Incident Triage and Continuous Monitoring
  • Configuration Change Management
  • Release and Deployment Management
 Now consider this:

Who will you embark on the journey with?  Who are the people in your organization that are ready, in condition and have the time to devote to your exploration journey?  What is each person currently working on and what is their particular "Powerbase" in the enterprise?

Now, who is the partner outside the organization that you will utilize as your "Change Agent"?  That change agent who is currently external to your company and enterprise is a vital choice.  How will the firm or company you choose to assist you in your transformation work with you side-by-side to endure the hardships, the emotions and the outcomes of the work ahead?

As your change agent team embarks on your "IT Transformation" journey, remember that the unknown is the reason that you were chosen.  You were chosen because your experience and skill sets add overall strength and resilience to the entire team.  The resilience of the team requires that you endure the journey until the objectives for innovation have been achieved.

Achieving the future state of your journey, puts you in a place you never imagined, because you have never been there before.  Yet the experience of getting there and the knowledge gained during the preparation, the team interaction and the accomplishments along the way, have made you a better person.  A trusted team member.

An "IT Transformation" professional...

30 July 2016

POTUS 45: The Future of Information Warfare...

The spectrum of asymmetric warfare being waged across the globe has been accelerating for over a decade.  The physical realm, has now migrated to an environment of "zeros and ones" traveling at the speed of light.  Operational Risk Management (ORM) remains a significant factor for Senior Leadership in government and the private sector.

Information collection, deception, attribution and mutual response is consuming our airwaves and IP addresses, like a digital Tsunami.  Wikileaks vs. Edward Snowden, is a battle for digital privacy branding and a communications platform for the evidence of the truth.

The average world citizen is now reading content and consuming video by the petabyte, to satisfy their particular knowledge appetite.  The personal or nation state requirements of the continuous search for the truth, or perseverating on a single target to achieve a mission, is now the state of play.

As the United States pursues the election of its 45th President, the digital trust of our electoral systems and historical decision process are currently at stake.  Data provenance is at the center of legal and national security policy discussions.  "Trust Decisions" are ever more in our minds and simultaneously at the center of our democratic way of life.
Gawker publishing opposition research.  APT29 malware?  Guccifer2 account by a lone individual? Any similar attributes between the U.S. DNC malware servers and the German Bundestag malware servers?
The speed and sophistication of nation state plots or non-state actors, will continue to feed the novels for people such as John le Carre and yet to be written movie screenplays.  Yet what is now over the horizon for humanity and our future, lies in the innovation and current capability of Artificial Intelligence (AI):
Rob McHenry: Public-funded research has always pushed the state-of-the-art in advanced autonomy, which then drives commercial AI. I think many people would be surprised by the advanced capabilities that autonomous systems for defense are already demonstrating – capabilities that many might guess wouldn’t be achievable for many years.

For example, DARPA and the Navy are testing at sea today an autonomous ship that is designed to go “toe-to-toe” against a human adversary in the wild during complex unconstrained military operations. The ACTUV (Anti-submarine warfare Continuous Trail Unmanned Vessel) program has delivered an unmanned ship that can not only comply with the complex Rules of the Road in the open ocean, but simultaneously track and harass a manned submarine, keeping a step ahead of a highly trained human submarine captain. This is an example of AI that can understand humans, in both competitive and supportive roles.
As the U.S. Navy and others pursue the asymmetric battlefield across the oceans, we can only hope the human factor remains the man-in-the-middle.  Artificial Intelligence may very well be good at searching, collecting and manipulating data, yet it is still the human behind the intent.

In essence, humans remain the architects of the design, coding and the implementation of the programs, weapons and capabilities.  Where is the trail of evidence leading and where is the response?

Achieving digital trust and the future integrity of our global "TrustDecisions" will remain a tremendous challenge for our governments and the private sectors,  that establish our critical infrastructure.

You can be certain that the response will be calculated and the attribution will be thorough, even as new classified information is involved in the analysis.

23 July 2016

ECPA: Reality of Homegrown Violent Extremism...

In the United States, Operational Risk Management Executives in the private sector are consistently balancing the legal requirements for public safety and their customers right to privacy. The Internet Service Provider (ISP) General Counsel's duty to facilitate the rule of law within the private sector organization, has been on a collision course with protecting the homeland for over a decade since 9/11.

One of the critical tools for Homeland Security Intelligence (HSI) is the "Electronic Communications Privacy Act (ECPA) and for good reason. The law provides the tools for law enforcement and national security intelligence analysts while simultaneously protecting the privacy interests of all Americans. In a 2011 statement before the Committee on Judiciary, United States Senate, Associate Deputy Attorney General - James A. Baker outlines the basis for ECPA:
"ECPA has never been more important than it is now. Because many criminals, terrorists and spies use telephones or the Internet, electronic evidence obtained pursuant to ECPA is now critical in prosecuting cases involving terrorism, espionage, violent crime, drug trafficking, kidnappings, computer hacking, sexual exploitation of children, organized crime, gangs, and white collar offenses. In addition, because of the inherent overlap between criminal and national security investigations, ECPA’s standards affect critical national security investigations and cyber security programs."
The criminal elements and their organized syndicates are leveraging modern day technologies and capabilities of the private sector. The legal first responders for our 21st century homeland threats don't always wear a badge and drive a Crown Vic on patrol around our city streets. Many spend their hours on patrol in cyberspace or analyzing terabytes of data online with sophisticated software to determine the what, who, why and how of the current threat stream.

The US government has a fiduciary and legal duty to protect the privacy and civil liberties of all US citizens. Parallel to this task is the rapidly changing use of communications and other mobile technologies to facilitate and support the activities and operations of individuals and networks of people, who exploit the design, configuration or implementation of our countries homeland defense architecture.

Whether this architecture includes the utilization of 72 Fusion Centers or the methods for collecting "Suspicious Activity Reports" (SARS) from those first responders, the fact remains that the pursuit of national security threats is a lofty task. This is happening today, on the ground and in the digital domain. Therefore, the speed that these individuals can legally obtain the data they require to make informed decisions is at stake and so we must eliminate any new impediments put before them. From Mr. Bakers statement on "Government Perspectives on Protecting Privacy in the Digital Age" he explains further:
Addressing information associated with email is increasingly important to criminal investigations as diverse as identity theft, child pornography, and organized crime and drug organizations, as well as national security investigations. Moreover, email, instant messaging, and social networking are now more common than telephone calls, and it makes sense to examine whether there is a reasoned basis for distinguishing between the processes used to obtain addressing information associated with wire and electronic communications. In addition, it is important to recognize that addressing information is an essential building block used early in criminal and national security investigations to help establish probable cause for further investigative techniques. Congress could consider whether this is an appropriate area for clarifying legislation.
Any changes to the ECPA laws should be considered carefully with not only the government but the private sector. The combination shall work together to find the correct balance between national security requirements and the privacy of the customers of mobile communications, e-mail, and social networking entities. The time that it takes our first responders to rule-in or rule-out a person of interest in an ongoing investigation can mean the difference between a failed or successful attack on the homeland. The private sector shall determine the prudent cost to the government for providing the legally obtained information of non-telephone records such as a name, address and other metadata. By the way, has anyone noticed that the criminals, terrorists, spies and other malicious actors have decided to use Telegram, or WhatsApp instead of their mobile telephone?

Homeland Security Intelligence (HSI) first responders will be the first to tell you that the crime syndicates and non-state actors have gone underground and have stopped using the tools that leave the data more easily accessible by law enforcement. Now, they are creating and operating their own private and secure infrastructures within the confines of private sector companies. These clandestine groups have organized hierarchy and specialized skills and therefore, the US government must continue to step up the pace, legally.

What does this all mean? It means that there will be a lower chance of under cover law enforcement officers becoming members of the these organized crime syndicates that in many cases are the genesis for homegrown violent extremism (HVE).

Homegrown extremists can be individuals who become violently radicalized, perhaps after exposure to jihadi videos, sermons and training manuals available on the Internet, security officials say. Such plotters are harder for counterterrorism officials to spot because they have few links with known terrorist operatives and often don’t travel overseas for training.

Another implication is that there is a higher chance that private sector researchers will understand the new trade craft of HVE actors, long before law enforcement and national security intelligence analysts. This is because the standard approach to the "Seven Signs of Terrorism" have been focused on the physical infrastructure. Organizations in the private sector have been researching, tracking and profiling since the late 1990's on the methods and modus operandi of the digital extremists who have plagued our banks and other financial institutions with cyber crime.

The time is now for these two distinct disciplines and professionals to converge. The public as eyes and ears combined with the legal tools to extract the timely information from technology providers is part one. Part two is the integration of intelligence analytic training with the curriculum of the police and fire academies for new recruits. Providing these first responders with the methods, tools and capabilities to be more effective collectors on the street level, will provide the fusion centers with a more robust set of relevant information streams. Here is an example from a graduate certificate class in criminal intelligence analysis from AMU:

The graduate certificate in Intelligence Analysis provides you with a fundamental understanding of the issues, problems, and threats faced by the intelligence community. This online graduate program helps you develop a comprehensive knowledge of how intelligence agencies in the U.S. assess and counter international threats in order to guard U.S. global interests and protect U.S. national security from adversaries. Knowledge from this certificate program is applicable to many career fields within the military, security companies, government contractors, or federal agencies.

We have a choice to provide our first responders with the correct training and OPS Risk education for today's Homeland Security Intelligence (HSI) mission. Our national policy makers have a choice to assist them in getting the information they need to do their jobs quickly, efficiently and while protecting civil liberties. The choices that we make fifteen years after 9/11, will define the landscape for homegrown extremism and the legal framework for ensuring the safety and security of all Americans for years to come.

16 July 2016

Utility of Attack: Target Selection and Execution...

The threat spectrum for Operational Risk Management (ORM) professionals is wide and they are constantly evaluating opportunities to learn.  Recent data breaches, terrorist attacks and the strategies utilized by adversaries online and on the ground, has surfaced another key lesson learned:
u·til·i·ty n. (pl. -ties) 1 the state of being useful, profitable, or beneficial (in game theory or economics) a measure of that which is sought to be maximized in any situation involving a choice.  The New Oxford American Dictionary
Here are two data breach examples:
  1. On May 30, 2016, Omni Hotels discovered they were the victim of malware attacks on their network affecting specific point of sale systems on-site at some Omni properties. The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date. They have no indication that reservation or Select Guest membership systems were affected.  50,000 records are impacted.
  2. Prior to May 2016, identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year. Atlanta-based Equifax’s W-2 Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people.  According to a letter Kroger sent to employees dated May 5 2016, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.
Here are two terrorist attack examples:

In two major domestic terrorism events in the United States this past year, "Utility" was a major factor and should not be discounted, in analyzing motivations and "modus operandi" of homegrown violent extremists.  In San Bernardino, CA the adversaries were planning a major attack and had already stockpiled explosives and ammunition.  In Dallas (Mesquite), TX the adversary was planning a major attack and had already stockpiled a cache of explosives as well.

In both of these cases, the adversaries had accumulated and trained to use explosives in an attack.  Then they came upon a choice.  A utility.
  1. In San Bernardino, an incident with government co-workers motivated the employee attacker to deviate from the intended plans and to capitalize on the "Utility" of a workplace holiday gathering at the county facilities.
  2. In Dallas, a peaceful protest march that would attract a significant government presence of police officers, motivated the attacker to deviate from future plans and to capitalize on the "Utility" of a public gathering.
Dr. Erroll Southers is correct:
While the impetus for attack is rooted in beliefs, a terrorist’s selection of how and where to attack is based on a consideration of utility. This is the estimate of an attack’s consequences with respect to the intended target’s value as a domestic or international interest and the political impact the attack will have on the intended audience. Utility is a primary consideration for extremists during preparation for an attack, weighing desired results against the investment in activities to plan, rehearse and execute an operation. Always mindful of the aftermath, utility weighs heavily in the decision-making process of target selection, possible attack paths, methodologies and execution.  Southers, Erroll (2014-09-25). Homegrown Violent Extremism (pp. 9-10).
In both cases, the adversaries accelerated their plans.  They abandoned their use of explosives and a future planned event, to act on their emotions and motivations of the moment.  Domestic Terrorism in the United States will continue at a rapid pace without a more serious focus, on Homegrown Violent Extremism.

Whether it be online with the trust of your data systems or offline with the safety and security of your citizens, employees and facilities, beware of the changing opportunities for your adversaries, to launch their attack...
Utility, leveraged by your adversaries, is a consideration that must be continuously evaluated and analyzed in your particular threat environment. 

09 July 2016

Domestic Terrorism: Tears for Those in Blue...

The sniper ambush on those sworn officers to protect us in Dallas, Texas USA on July 7, 2016, is yet another portrait of tragedy and sorrow in our Homeland.  Whether you are an American safe today in your home after another graveyard shift or at high risk on the front lines in the shadows of a foreign country, it does not matter.  This particular domestic event targeting our protectors, and so soon after Orlando, FL, should be a another wake up call to area code (202).

Operational Risk Management (ORM) professionals across the U.S. are unified once again, in our vigilance and our mission.  Domestic Terrorism in our world, will continue to be manifested as long as people can read, listen and be influenced by other people.  Here or abroad.  The methods used for this indoctrination, whether delivered in small groups sitting in a circle over a cup of coffee or tea, or increasingly over the Internet does not matter.  The process is the same.

The "Cues and Clues to Teach" have been detailed before in this blog.  Domestic Terrorism in the United States has been moving along a spectrum of incidents at a pace that seems to be accelerating.  Lone individuals or groups who plan, train and act in order to bring their own psychological justice to reality, is one of our greatest challenges:
The statutory definition of domestic terrorism in the United States has changed many times over the years; also, it can be argued that acts of domestic terrorism have been occurring since long before any legal definition was set forth.

Under current United States law, set forth in the USA PATRIOT Act, acts of domestic terrorism are those which: "(A) involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State; (B) appear to be intended— (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and (C) occur primarily within the territorial jurisdiction of the United States."[2] 
The pace and the origins of domestic terrorism in the United States are vast and metastasizing.

In order to begin or enhance your journey into understanding the root causes of this growing threat in America you should start with Eric Hoffers book: The True Believer: Thoughts on the Nature of Mass Movements.  And once you are finished with it, turn to Erroll Southers Homegrown Violent Extremism.

Developing your awareness is the beginning of any journey to solving problems and developing more effective and comprehensive preventative solutions.  Building knowledge about how people can transform from a individual working in a war zone or sequestered from society, to the front pages of the Washington Post, is a worthy goal for any Operational Risk professional.  As a human resources professional at Company or Agency USA or the retail employee in the ammunition section of Dicks Sporting Goods, you also have a role to play.

Vigilant "Employees and Citizens" must be continuously trained to be aware of the warning signals that typically occur before a threat and violent act becomes operational.  Based on the O'Toole study, these are some of the 23 "Red Flags" that employers should be monitoring and keeping their Corporate Threat Assessment Teams on high alert for:
  • Low tolerance for frustration
  • Poor coping skills
  • Failed relationships
  • Signs of depression
  • Exaggerated sense of entitlement
  • Attitude of superiority
  • Inappropriate humor
  • Seeks to manipulate others
  • Lack of trust/paranoia
  • Access to weapons
  • Abuse of drugs and alcohol
What did you know?  When did you know it?  What have you done about it?  They will judge you on the threat assessments utilization of insider threat intelligence combined with the evidence of your overt training of employees in the workplace.  What grade would you give your organization today for these fundamentals?
Godspeed to all of those on their journey now, to better comprehend this event and to all the grieving family members across our Homeland...

03 July 2016

4th of July: Flying the Stars & Stripes of Freedom...

The United States of America celebrates 240 years tomorrow.  The Stars and Stripes of our flag will be flying high.  How far we have come and yet we still envision that we have so far to go.

Celebrating the 4th of July in the United States means different things to different people.  It all depends on your tenure here and how you have contributed to defending the freedoms we all share. And for those who have made the trip to our borders or overseas to defend our country, we give special thanks.

Nine years ago we saluted Spencer S. on Memorial Day, as he prepared to make his way to being deployed to Iraq.  An Airborne Medic and now home safe in Chicago, we are thinking about him and all those other families who have sent their sons and daughters, husbands and wives, brothers and sisters, or fathers and mothers into harms way to defend our freedom.  We are humbled by your courage and thank you for your selfless contributions to keep us more safe and secure back home.

The Patriots of the U.S. are vast and found everywhere, serving the country in uniform by military or law enforcement, in suits and ties or dresses among the halls of government agencies found in small towns and famous suburbs like Langley.  These millions of shadow patriots and citizen soldiers are working to defend the truth of the Declaration of Independence and our Constitution each day.

At the same time, they are all Operational Risk Managers, mitigating the daily risks to life, property and our vital economic assets.  Mike Stanley of the American Legion captures the essence of the early days of our country:
The United States of America began as thirteen different English colonies established along the eastern seaboard during the 17th and early 18th centuries. Gradually many of the colonists began to think of themselves more as Americans and less as Englishmen, a feeling that was spurred on by the decision of the British Parliament in the 1760s to tax the colonies for the expenses associated with keeping them in the British Empire. Since the colonists had no elected representatives in the British Parliament, they felt that these new taxes were “taxation without representation” and therefore, illegal.
From this point, the situation escalated quickly as Patriot groups formed to discuss the possibilities, and by the early 1770s, the Patriots had their own Provincial Congresses in each of the thirteen colonies, effectively replacing the representatives of the British government. In 1775, the Second Continental Congress was established, the Continental Army was organized, and fighting broke out when the British responded by sending combat troops to the colonies.
Finally, on July 4, 1776, the Declaration of Independence was signed, establishing the United States of America. The fierce determination of the Patriots to prevail, plus the important military and political support of the French, the Spanish and; the Dutch, insured an American victory, and in 1783, the signing of the Treaty of Paris ended the American War of Independence and guaranteed the sovereignty of the United States of America.
Conflicts in the 21st century will be fought for many of the same reasons, and with a revolution of robots.  In P.W. Singer's book, "Wired for War" he prepares us for the next 100 years:
What happens when science fiction becomes battlefield reality?
An amazing revolution is taking place on the battlefield, starting to change not just how wars are fought, but also the politics, economics, laws, and ethics that surround war itself. This upheaval is already afoot -- remote-controlled drones take out terrorists in Afghanistan, while the number of unmanned systems on the ground in Iraq has gone from zero to 12,000 over the last five years. But it is only the start. Military officers quietly acknowledge that new prototypes will soon make human fighter pilots obsolete, while the Pentagon researches tiny robots the size of flies to carry out reconnaissance work now handled by elite Special Forces troops.
Wired for War takes the reader on a journey to meet all the various players in this strange new world of war: odd-ball roboticists working in latter-day “skunk works” in the midst of suburbia; military pilots flying combat mission from their office cubicles outside Las Vegas; the Iraqi insurgents who are their targets; journalists trying to figure out just how to cover robots at war; and human rights activists wrestling with what is right and wrong in a world where our wars are increasingly being handed over to machines.
Maybe someday, Spencer will be able to stay hundreds or thousands of miles out of harms way to defend our countries freedoms, because they won't need medics on the battlefield anymore.
...and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor. 

26 June 2016

Resilience 3.0: Next Generation Operational Risks...

Operational Risks are being exacerbated due to the tension and competition, for people to be noticed and heard, within a vast ocean of zeros and ones, all invisible to the human eye.  Trusted systems on the Internet, once thought to be impervious to the asymmetric threats of "Transnational Organized Crime" (TOC), Hacktivists, and even nation states are now ever so more in peril.  The next generation has four main fronts:
  • Sovereignty
  • Piracy and Intellectual Property
  • Privacy
  • Security
The global conflict being waged 24/7/365 on the Internet continues and in the next decade the Yottabytes of data will continue to be ingested, analyzed, digested and excreted at the speed of business and social commentary.  The United Nations has been gearing up for years with the UN Global Pulse Project concerning the future of the Internet:

"Global Pulse functions as a network of innovation labs where research on Big Data for Development is conceived and coordinated. Global Pulse partners with experts from UN agencies, governments, academia, and the private sector to research, develop, and mainstream approaches for applying real-time digital data to 21st century development challenges. "

As Michael Joseph Gross illustrates in his Vanity Fair article "World War 3.0"; Battle lines have been drawn between repressive regimes and Western democracies, corporations and customers, hackers and law enforcement:
"The War for the Internet was inevitable—a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers and scientists who knew one another off­-line, the Internet was established on a bedrock of trust: trust that people were who they said they were, and trust that information would be handled according to existing social and legal norms. That foundation of trust crumbled as the Internet expanded."
The resilience of an organization has for hundreds and thousands of years relied upon sufficient resources:  Food, water, energy, capital, trade, defense.  Communications was long ago recognized as a game changer for achieving a greater degree of resilience and historically made the difference in World Wars and other significant planetary conflicts.

Today it is no different as the Arab Spring has seen another anniversary and people leverage the use of silicon based devices in concert with wireless mesh networks on the borders of failing nation states.

Humanitarian operations are evolving to go far beyond the establishment of the standard platforms for responding to natural disasters and other atrocities of mankind.  The ability for people to develop and run their own businesses, creates a sustainability factor that can not be underestimated.  Whether that occurs, first has to do with knowledge and resources but when you add communications to the mix the advantages of survival increase exponentially.

The Internet and wireless technologies combined with the rapid adoption of IoTs, iPhones and iPads has created another key resource that organizations must manage and plan for in the vast spectrum of Operational Risk Management (ORM).  As the governments of the world debate the Sovereignty of Internet assets and the rebels of the world order more wireless enabled devices for communications; the requirements for prudent risk management endure.

Whether you are a private sector company or the leader of an organization simply trying to communicate the truth to the rest of the world, managing Operational Risks effectively will be a continuous factor of your resilience.

The ranks of those organizing themselves on the Internet continues for every instance of what people are thinking, saying and doing in the name of communications to enable their resilience:
"Aside from wealth or arcane knowledge, the only other guarantor of security will be isolation.  Some people will pioneer new ways of life that minimize their involvement online.  Still others will opt out altogether—to find or create a little corner of the planet where the Internet does not reach.  Depending on how things go, that little corner could become a very crowded place.  And you’d be surprised at how many of the best informed people about the Internet have already started preparing for the trip."

18 June 2016

4GW: Strategic Risk Vs. Tactical Insurgencies...

Fourth Generation Warfare (4GW) is upon us in the E-Ring, The West Wing and the PGP Keyring. Information Assets and the knowledge that is the key to wealth is not a physical debate any longer. Thomas X. Hammes articulates this in his book, The Sling and The Stone:
Fourth-generation warfare (4GW) uses all available networks -- political, economic, social, and military -- to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit. It is an evolved form of insurgency. Still rooted in the fundamental precept that superior political will, when properly employed, can defeat greater economic and military power, 4GW makes use of society's networks to carry on its fight. Unlike previous generations of warfare, it does not attempt to win by defeating the enemy's military forces. Instead, via the networks, it directly attacks the minds of enemy decision makers to destroy the enemy's political will. Fourth-generation wars are lengthy -- measured in decades rather than months or years.
The Mission
The global business landscape has known for all to long the power of marketing. Knowledge is not a fixed asset in a fixed physical location. Intellectual property, patent applications and new formulas can be reduced to zeros and ones and sent to anyone in the world almost instantaneously. Encrypted data flows through the veins of the Internet and has changed the playing field for governments and for your organization.

While nations states and growing adversaries wage their respective political and economic battles, the private sector and the Fortune 500 are in another and parallel conflict to keep their Intellectual Property and Information-Based Assets safe and secure from a growing threat spectrum.

Modern digital insurgents and other 4GW opponents are part of a virtual network that has no specific location found in longitude latitude or geocode. The money center bank or transnational pharmaceutical company is all to familiar with the hijacking of trade secrets or personal identities, held for ransom or sold to the highest bidder.

The Take Away
Yet this is not about technology and it is even more apparent that it is not about the Internet. It is about how people are able to operate in a wide variety of countries, cultures and operating environments. These human networks are the most powerful forces to governments and to marketers.

Whether it's a brand being endorsed by a superstar rocker like Paul McCartney or a book being recommended by Oprah Winfrey this 4GW strategy is exactly what this sharing of human knowledge and intelligence is all about. And let's not forget the power of Aljazeera and The New York Times.

The risk of operating your enterprise across the planet requires a "4GW" mentality and toolkit to help ensure your success. What is your organization doing to retool and retrofit your work force to compete on an operational level with more educated people and superior human capital?

11 June 2016

Breakpoint and Beyond: The Naivety of Change...

The discontinuity of our society, our governments, our weather and the digital innovations of this modern generation creates simultaneous paths of challenge.  One of crisis and another of opportunity.

Yet without a thorough analysis and comprehension of the discontinuous change before us, how can you manage the Operational Risks that occur, at any point in time?  What path will you choose...
World English Dictionary

— n , pl -ties
1. lack of rational connection or cohesion
2. a break or interruption
3. maths
a. the property of being discontinuous
b. the point or the value of the variable at which a curve or function becomes discontinuous
4. geology
a. See also Mohorovičić discontinuity a zone within the earth where a sudden change in physical properties, such as the velocity of earthquake waves, occurs. Such a zone marks the boundary between the different layers of the earth, as between the core and mantle
b. a surface separating rocks that are not continuous with each other

"Discontinuity of Change" is a subject well understood by the average person walking the streets of Anacostia near the U.S. Navy Yard in Washington, DC, San Bernardino, CA or Orlando, FL.

Perhaps those walking down Saeb Salaam in the heart of Beruit, Lebanon as refugees  also can comprehend, as they become vulnerable to arrest, detention and deportation.   Learning about change itself and the underlying systemic nature of the phases of change, can provide people in the middle of crisis or opportunity, with new found context.

In 1992, this blogger had the fortune to spend a significant amount of time with the authors of
Breakpoint and Beyond: Mastering the Future Today.  Dr. George Land and Dr. Beth Jarman wrote an extraordinary book and created an organization to teach what was inside it's covers.  To help us all make better sense of change and to discover our own ability, for innovation and creativity:
In our over four decades of research and work across many cultures, we have found that practically all humans have a vast capacity for imaginative, creative thinking. Although this ability has been dampened by social forces, it can be reawakened. We have also found that people have the capacity to put judgments and fears aside and work truly creatively and collaboratively in diverse and even divisive groups.
The path of crisis or opportunity is not a choice in what direction, it is a better understanding of change itself.  The systemic nature of the three phases of change and the ability to know where you are in the growth curve of the system, is the core.  Yet to innovate and to leap beyond a breakpoint to master the future, requires finding your own creativity once again.

The creativity that we are all born with, begins to dissolve at an early age.  Once we reach our teens and early adulthood, our cultural systems have stripped innovation from our potential known capabilities as a child.  As we grow older, our aspirations to be creative is subjected to influence by our parents, friends, teachers or by the 1 or 2%, in our particular ecosystem.  Is "Out-of-the-Box" thinking a good thing where you live or work?  Does your environment encourage divergence or convergence?

You see, the "Discontinuity" in society creates breakpoints.  The "Arab Spring" and the forming digital systems social revolution before us, creates new crisis and simultaneous opportunities.  Both are challenges for people, business, governments and global economies to analyze and rationalize.

Will you innovate?

If you are a policy maker in your organization, what are you doing to innovate?  Do you have new solutions for the changing operational risks encountered, as your employees travel the globe and make decisions for the enterprise? If you are the main policy bodies within your government, what have you done lately to find new creativity to address the potential opportunity before you?

In either case, the speed of change and the ability to rapidly innovate, will certainly decide your future.  Did you make it beyond the bifurcation and breakpoint?  Here is a great scientific example:
The miniaturization of electronic devices has been the principal driving force behind the semiconductor industry, and has brought about major improvements in computational power and energy efficiency. Although advances with silicon-based electronics continue to be made, alternative technologies are being explored. Digital circuits based on transistors fabricated from carbon nanotubes (CNTs) have the potential to outperform silicon by improving the energy–delay product, a metric of energy efficiency, by more than an order of magnitude. Hence, CNTs are an exciting complement to existing semiconductor technologies12.
Mastering the future today, is about better understanding the discontinuity of change around you. Managing "Operational Risk" is simple.  Continuously grow or die.

06 June 2016

Data Provenance: The Truth of Information...

Our ability to make trust decisions that we know are sound and effective, begins with the provenance of data.  When you trust the source of information that is being communicated, it makes all the difference in your final decision to trust.  Operational Risk Management (ORM) is quickly evolving to a next generation of truth.

What publications do you read?  Who wrote the article?  What is the authors reputation?  Is it a book on Amazon or a newsletter delivered via e-mail?  These are all questions you ask yourself as you absorb the content and process the information being conveyed and the evidence available to you.

What important truth do very few people agree with you on?

Most people think that traditional Risk Management is a sound process.  Risk Management Frameworks in a digital environment do not work and are soon to be extinct.  The truth is, human beings are incapable of effectively managing the "Zeros and Ones" with a simple "Likelihood vs. Impact" matrix.  The complexity and speed of change is just too great.

Why?  The answer is, that very few people really can even understand the fundamental engineering of the digital inventions we are operating or encountering each day.  How can you expect them to judge whether a digital asset is more likely or not, to encounter a serious integrity threat?  How can you really expect them to judge the origin value of the digital asset to themselves or others?

However, once you have closely studied and researched around a hypothesis long enough, some clarity and new truths are capable of being discovered.  This is when new discoveries are made and the opportunity for mankind to advance or decline takes place.  That is why humans have built other kinds of digital machines, to assist them in making these trust decisions to manage risk.

You see, when the dark side actions of the Internet started to become more of a reality (probe, scan, flood, authenticate, bypass, spoof, read, copy, steal, modify, delete) to most people using it, we invented new safeguard computing machines.  Some were called "Intrusion Detection Systems" (IDS) and others were called "Firewalls".  This was just the beginning.

Soon after the dawn of the 21st century, we began hearing the names of new digital software machines to battle viruses that were described using terms such as "Deep-Packet-Inspection" and digital forensics.

Now in 2016, we have Microsoft and Facebook engineering their own fiber-optic cable network to cross the ocean to deliver data at 160 terabits.  Why?
Facebook and Microsoft are laying a massive cable across the middle of the Atlantic.

Dubbed MAREA—Spanish for “tide”—this giant underwater cable will stretch from Virginia to Bilbao, Spain, shuttling digital data across 6,600 kilometers of ocean. Providing up to 160 terabits per second of bandwidth—about 16 million times the bandwidth of your home Internet connection—it will allow the two tech titans to more efficiently move enormous amounts of information between the many computer data centers and network hubs that underpin their popular online services.
 The decision to trust begins with the control end-to-end of the system.  How many hand-offs were there for the courier to carry the message from point A to point B along the path?  Who was in control of the path along the journey?  What assurance do you have that the message was not altered in it's content during the transit.  Now you are starting to get the big picture.

If your name is HP, or Cisco and many others in the telecom industry, your competition is not the normal hardware infrastructure companies anymore.  Soon corporate enterprises will be seeking specialized networks on a case-by-case basis, that are not controlled by Verizon, AT&T or BT.  It goes far beyond control of equipment and physical assets.

The "TrustDecisions" that you and your organizations encounter in the next decade may very well rely on a whole new set of rules.  The integrity of information will rely on a whole new set of networks and a whole new level of truth, on the provenance of data.

28 May 2016

Memorial Day 2016: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2016, we reflect on this remembrance.

In order to put it all in context, we looked back 36 months to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was also one of the 22 that day in early May, that could not defeat the legacy of demons he fought each night, as he fell deep asleep.

On Memorial Day 2016, we again honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have sacrificed and defended our freedoms for 239 years. Simultaneously, we do the same for the people behind the "Stars" on a wall in Langley, Va for those officers who have done the same.

Together we are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same, in that we share the mission that gets each one of us out of bed each day.  Our countries "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
So this weekend as we walk among the headstones, reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continues...

21 May 2016

Social Engineering: CxO Leadership for BEC...

In the context of cyber security, many practitioner experts are already familiar with the "Business E-Mail Compromise" (BEC).  Operational Risk Management (ORM) professionals know this:
"Amateurs attack machines, Professionals attack people"

The BEC is a global scam with subjects and victims in many countries. The IC3 has received BEC complaint data from victims in every U.S. state and 45 countries. From 10/01/20131 to 12/01/2014, the following statistics are reported: 

  • Total U.S. victims: 1198
  • Total U.S. dollar loss: $179,755,367.08
  • Total non-U.S. victims: 928
  • Total non-U.S. dollar loss: $35,217,136.22
  • Combined victims: 2126
  • Combined dollar loss: $214,972,503.30
The FBI assesses with high confidence the number of victims and the total dollar loss will continue to increase.
What executives at most organization understand, is that they are a potential target for all kinds of threats from inside and outside the company.  Fortune 500 companies already have sophisticated internal accounting controls and "Personal Protection Specialists" who are doing advance work, for travel that the CxO takes across town or overseas.  Yet what about the Small-to-Medium Enterprise with just tens of millions of dollars in annual revenues?  Are they prepared as they could be for the BEC?

It does not take much for the financial controls and the accounts payable process to break down for companies and organizations, that have not prepared for this continuous threat, by your own insiders (employers, partners, suppliers) cooperation.  The numbers tell the whole story.  Countless times each year, companies are convinced to act upon a simple e-mail crafted by clever "Social Engineering" experts, to transfer money out of their corporate banking accounts.

So what are you doing to prepare, educate and deter this continuous wave of "Social Engineering" attacking your employees and key stakeholders?  How many computers and iPhones in your business or organization receive e-mail on a daily basis?  Each one of these is a threat vector, along with each one of your employees who is the human factor behind the device.

What is amazing today, is that a cyber threat like this, that has been talked about for over a year, is still growing.  Perhaps it is a leadership problem.  Perhaps it is a public safety announcement campaign problem.  In either case, you have to realize, there are some very specific remedies that can be exercised by your organization to deter, detect and defend yourself from "Business E-mail Compromise" (BEC).

Executives and senior staff are busy.  They are running the business and rarely have time for that two hour or half day training session.  This is your largest vulnerability to begin with at your organization.  An apathetic CEO or senior staff is the perfect target for any transnational organized crime (TOC) syndicate on the other side of the globe.

As a CxO, when was the last time you had a campaign within the organization to address these threats?  Weeks, Months, Years?  Why haven't you incorporated a continuous program to keep your employees and staff up to date?  If you have 1247 employees, then you have 1247 vulnerabilities walking around in your enterprise.

When you look at the line item in the Information Technology budget this year for hardware, software, maintenance and cloud computing, look a little further.  Where is the line item for the education program and the tactical awareness, to keep your people on the leading edge of deterring the social engineering wave of attacks in your organization?
There has been a lot of news in 2016 about a particular species of phish, the so-called Business Email Compromise (BEC). In this scenario, the attacker poses as an executive of a company, asking someone--usually a subordinate employee--to perform a wire transfer or similar action. When the employee complies and completes the transfer, the company realizes--too late--that it has just given a large payment to a criminal. An investment company in Troy, Michigan, recently lost $495,000 from a BEC phish, so this is not a small matter.

It even hit close to my (professional) home: DomainTools’ CFO recently received a spear phish purporting to come from our CEO, asking her to make a wire transfer of funds. The sending email address was a clever look-alike of “domaintools.com,” using some substituted characters. Fortunately our CFO is very savvy and knew right away that her boss wouldn’t actually make such a request in that way. But it underscores how common this kind of BEC phish is -- and how easy it is for criminals to spoof legitimate emails.
This is just a small example, of the continuous trend across the small-to-medium enterprise landscape.  You have the control and the ability to make a difference in your enterprise.  The time and the services exist for you to keep your organization more safe and secure than it is today.  When will you decide it is your "Duty of Care" to protect corporate assets and to start using some of the tools to make "Business E-mail Compromise" (BEC) extinct?

15 May 2016

Know Your Customer: ISP Future Horizon...

The American public is changing their behavior as a result of the privacy and security failures across the private sector business policy landscape.  As the latest NTIA survey data reveals again, online commerce is being impacted and government agencies are now trying to further communicate there is a growing problem:

Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities
May 13, 2016 by Rafi Goldberg, Policy Analyst, Office of Policy Analysis and Development

Every day, billions of people around the world use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues. Users send and store personal medical data, business communications, and even intimate conversations over this global network. But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.

NTIA’s analysis of recent data shows that Americans are increasingly concerned about online security and privacy at a time when data breaches, cybersecurity incidents, and controversies over the privacy of online services have become more prominent. These concerns are prompting some Americans to limit their online activity, according to data collected for NTIA [1] in July 2015 by the U.S. Census Bureau. This survey included several privacy and security questions, which were asked of more than 41,000 households that reported having at least one Internet user.

Perhaps the most direct threat to maintaining consumer trust is negative personal experience. Nineteen percent of Internet-using households—representing nearly 19 million households—reported that they had been affected by an online security breach, identity theft, or similar malicious activity during the 12 months prior to the July 2015 survey. Security breaches appear to be more common among the most intensive Internet-using households.

This survey is indeed only one facet of a much larger topic and pervasive problem.  Digital Trust is the output of making affirmative "Trust Decisions" with computing devices. Whether they are machine-to-machine, person-to-machine, or machine-to-person requires several technology engineering elements and business rules, that are understood and agreed upon.  The question is by whom?

Consumers who are using the Internet for communications and commerce and are the victims of Identity theft, stolen funds or other fraudulent schemes, are just the first wave of targets for transnational organized crime (TOC).  We have known this since the invention of virus scanners and bug bounty programs, in the early days of the 21st century.

Yet fifteen plus years later, the government is doing a study on the consumers feelings about privacy and security.  As a business or a consumer, we understand that the speed of commerce and technology is always far ahead of the regulations and the laws.  When enough people or businesses seem to be harmed, then the momentum begins for policy shifts and new laws are sometimes enacted after thousands of pages of semantic negotiation.

The answers and the outcomes we seek will come.  However, they will not first be solved by politicians and lawyers.  They will be mostly solved by our brilliant mathematicians, software engineers and data scientists.  At this point in time, we are getting so much closer to achieving digital trust through new innovations and inventions.  Just look at IBM Watson.

It is now time for business and commerce to begin the process of finding the truth.  Why do we continue to allow the levels of known bad actors to operate inside and within our networks?  It's a numbers game and it is because the criminals also employ the smartest social engineers and data scientists.

Digital Trust in the next fifteen years will mean something different than it does today.  We will have found the formula along the journey, the new equations and the rules agreed upon by all to make online and digital commerce more safe and secure.  So what will we do today and tomorrow, until the engineers and scientists save the day?

At this point in time, it is simply called "Know-Your-Customer"(KYC).  If this was utilized more effectively across critical infrastructure sectors beyond finance in our digital economy, then we would be making some progress.  Where are we talking about next? 

The FTC and FCC are well on their path to defining those critical elements of improving the trust that consumers have using their digital tools with ICT and on service providers web sites.  Yet even to this day, you still can find the criminals using and leveraging our own Internet Service Providers (ISP) to launch their attacks and perpetuate their fraudulent schemes.  How will this ever be deterred?  Could a version of KYC work with the ISP's?

Even with a global banking system in place you have pockets of greed and deceit.  Rogue nations or territories that have become the go-to-locations for the transnational organized crime syndicates to flourish.  Yet we can do much better, than we are today.

Just ask any "BlackHat" hacker from Eastern Europe who they prefer to do business with.  Query the experts that exist on the dark side and you will find the ISPs they prefer to do business with.  One day the regulators will realize this is where the business of e-crime has an opportunity for change and additional reform.  It will be more than just opening an account to gain access to the Internet.  It will be about scaling up our systems to a future horizon with new rules and robust real-time behavioral predictive analytics.  In the mean time:
May 11, 2016 
In testimony before Congress today, the Federal Trade Commission outlined its work over the past 40 years to protect consumers’ privacy at a hearing convened to examine privacy rules proposed by the Federal Communications Commission.

Chairwoman Edith Ramirez and Commissioner Maureen Ohlhausen testified on behalf of the Commission. The testimony before the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law provided background on FTC law enforcement efforts, policy work and consumer and business education programs related to protecting consumers’ privacy.

The testimony highlighted the FTC’s extensive history of privacy-related work. The testimony noted that the agency has brought more than 500 privacy-related enforcement cases in its history against online and offline companies of varying sizes, including companies across the internet ecosystem. In addition, the testimony highlighted a number of recent cases of note.

The testimony also provided information on the FTC’s policy work in the privacy area, going back to its first internet privacy workshop in 1996. The testimony noted that recent policy work has been based on principles featured in the FTC’s 2012 privacy report, and also highlighted workshops and reports related to the Internet of Things, big data, and other issues, including cross-device tracking.

The testimony also described the FTC’s extensive consumer and business education efforts related to privacy, including the FTC’s Start With Security campaign for businesses, and the newly-updated IdentityTheft.gov.

07 May 2016

The Third Offset: Seeking the Speed of Trustworthiness...

The U.S. national security "Insider Threat Score" is on it's way as a result of the aftermath of the Office of Personnel Management (OPM) hack.  The National Background Investigation Bureau (NBIB) is now standing up operations within the Pentagon umbrella.  Operational Risk Management (ORM) professionals are tracking this closely for good reason.  Social media activities such as this one, could one day be a factor in that score.

Simultaneously, the NIST Special Publication 800-160 2nd Draft has been released.  This document entitled:  Systems Security Engineering "Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems" addresses a key component in the national security mosaic.

So if the goal of creating the "Insider Threat Score" is to help automate and maintain the process for better understanding trustworthiness, then the NIST publication should be at the center of the table at the National Background Investigation Bureau.  Why?  Definitions in Appendix B of the SP 800-160 Second Draft:

Trustworthiness: An attribute associated with an entity that reflects confidence that the entity will meet its requirements.

Note: Trustworthiness, from the security perspective, reflects confidence that an entity will meet its security requirements while subjected to disruptions, human errors, and purposeful attacks that may occur in the environments of operation.

Trust: A belief that an entity will behave in a predictable manner in specified circumstances.

The degree to which the user of a system component depends upon the trustworthiness of another component.

Note 1: The entity may be a person, process, object, or any combination thereof and can be of any size from a single hardware component or software module, to a piece of equipment identified by make and model, to a site or location, to an organization, to a nation-state.

Note 2: Trust, from the security perspective, is the belief that a security- relevant entity will behave in a predictable manner while enforcing security policy. Trust is also the degree to which a user or a component depends on the trustworthiness of another component (e.g., component A trusts component B, or component B is trusted by component A).

Note 3: Trust is typically expressed as a range (e.g., levels or degrees) that reflects the measure of trustworthiness associated with the entity.
The future of the automation of the clearance process, continuous monitoring of "Insider Threat Scores" and the trustworthy secure systems software engineering for accomplishing this remains mission critical.  The "Cleared Community" of private sector "Defense Industrial Base" (DIB) contractors will also be impacted by the convergence of both.

So who are the personnel who could be impacted by these two converging initiatives:
  • Individuals with systems engineering, architecture, design, development, and integration responsibilities; 
  • Individuals with software engineering, architecture, design, development, integration, and software maintenance responsibilities; 
  • Individuals with security governance, risk management, and oversight responsibilities;
  • Individuals with independent security verification, validation, testing, evaluation, auditing, assessment, inspection, and monitoring responsibilities;
  • Individuals with system security administration, operations, maintenance, sustainment, logistics, and support responsibilities;
  • Individuals with acquisition, budgeting, and project management responsibilities;
  • Providers of technology products, systems, or services; and
  • Academic institutions offering systems security engineering and related programs.
As the government moves towards more trustworthy secure computing systems the private sector will be there to assist.  Yet the future of our trusted environments will depend on how often we perform and how well we perform without error.

Software is continuously changing and the fear of changing it too often, has been one of our greatest downfalls.  That fear of change has created our largest exposures to continued exploits and attacks, by our most sophisticated adversaries.  Remember, Edward Snowden worked for a private sector contractor.

There are a few trustworthy organizations that have realized this fact and are now on an accelerating path for reaching a higher level of trust.  With their software systems and their people.  However, they did this with a leap of faith and the understanding that the speed to reach more trusted computing environments, was absolutely vital.

Look around the Nations Capital beltway and you will find a few examples of the ideal innovation architecture strategy that will propel us into that next level of trustworthiness.  An affirmative decision to trust is now before us and the time we take to make that trust decision is our greatest challenge.  Will it be hours, minutes, seconds or nanoseconds?  Marcel Lettre, undersecretary of Defense for Intelligence has this perspective:
"The intelligence community’s role in what Pentagon planners call “the third offset”—the search for continuing technological advantage over enemies—will feature robotics, artificial intelligence, machine learning and miniaturization. They will be applied in the areas of “pressing for global coverage capabilities, anti-access/area denial, counterterrorism and counter-proliferation, cybersecurity and countering insider threats,” Lettre said.

He said Defense is reaching out to obtain the expertise of its industrial partners, including Silicon Valley, while workforce planners are focused on “bringing in another generation skilled at innovating in the technology sector.”