23 February 2010

NIS: Homeland Security & Economic Espionage...

The National Intelligence Strategy (NIS) of the United States was published in August of 2009.

The tone at the top of your enterprise will go a long way if you ever end up in litigation associated with the Economic Espionage Act of 1996 or even the Foreign Corrupt Practices Act. As a CxO with the ultimate responsibility for the resilience of your organization, pay attention. The internal threats to your global 500 company and the Operational Risks associated with the following Mission Objectives are the focus of this posting:

  • MO4: Integrate Counterintelligence
  • MO5: Enhance Cybersecurity

The U.S. NIS spells out these two mission objectives and for good reason. One may be obvious and we have all heard it before. 80+% of the nations critical infrastructure is owned and operated by the private sector. The reason why the Energy, Financial, and other heavy R & D sectors are being subjected to more attacks by insiders is because these assets are the most valuable in the eyes of the enemy.

The other reason that these two areas are called out in the National Intelligence Strategy is because these are the country's greatest vulnerabilities. So what can a private sector Board of Directors be doing these days to address the two mission objectives that have the greatest nexus with being vigilant and creating the correct "Tone at the Top":

  • Implement Human Factors Analysis and Risk Assessments on employees, partners, suppliers and 3rd parties.
  • Revitalize, Energize and Capitalize on redesigned policy governance, integrity management and a sound legal framework.
  • Create an aggressive corporate executive intelligence and anti-fraud program that is integrated into a robust risk management ecosystem.
  • Develop wellsprings of knowledge that engages people in a dialogue focused on intellectual property, valuable corporate assets and their nexus with national security.

The preparation for enterprise disasters has been going on in the Operational Risk environment for years. Even in the most sophisticated companies, these efforts have included the implementation of IT related disaster recovery programs and plans (DRP) as mandated by rules and laws regarding Business Continuity and Continuity of Operations. When and how often these are exercised is another matter.

The crisis management plan is sitting on the shelf next to the DRP or even might be another tab in the same three ring binder. And who knows, perhaps some Director of BCP has even convinced senior management on the use of an EOC portal. This are all fundamentals, baseline and items for every organization to have soon after establishing themselves in business.

What is still being left out, not considered a priority are the two items highlighted above from the United States National Intelligence Strategy, MO4 and MO5. These two items are an Operational Risk Management priority by the Board of Directors in each global 500 company. Why?

USAO/Southern District New York, 11 Feb 10: Mr. Aleynikov was indicted today on charges related to his theft of proprietary computer code concerning a high-frequency trading platform from his former employer, Goldman Sachs. Aleynikov was previously arrested and is expected to be arraigned in Manhattan federal court at a later date.

Beginning at approximately 5:20 p.m. on June 5, 2009 –Aleynikov s last day working at Goldman Sachs — Aleynikov , from his desk at Goldman Sachs, transferred substantial portions of Goldman Sachs’s proprietary computer code for its trading platform to an outside computer server in Germany. Aleynikov encrypted the files and transferred them over the Internet without informing Goldman Sachs. After transferring the files, Aleynikov deleted the program he used to encrypt the files and deleted his computer’s “bash history,” which records the most recent commands executed on his computer.

In addition, throughout his employment at Goldman Sachs, Aleynikov transferred thousands of computer code files related to the firm’s proprietary trading program from the firm’s computers to his home computers, without the knowledge or authorization of Goldman Sachs. Aleynikov did this by e-mailing the code files from his Goldman Sachs e-mail account to his personal e-mail account, and storing versions of the code files on his home computers, laptop computer, a flash drive, and other storage devices.


The theft of trade secrets, economic espionage and the movement of data that may have business oriented implications may also have national security impacts. Whether it's going to a competitor or into the hands of foreign entities is not the priority issue. Let's be very specific on this point.

If the vital secret, intellectual property or other data is copied, then how do you know if it's missing from your organization? Sensitive, classified or otherwise proprietary information that is copied and then sold or given to competitors, adversaries of our enemies requires a whole new mind set and a whole new approach to deter, detect, defend and document this behavior in the enterprise.

Aleynikov, 40, is charged with one count of theft of trade secrets, one count of transportation of stolen property in foreign commerce, and one count of unauthorized computer access. If convicted on these charges, Aleynikov faces a maximum sentence of 25 years in prison.

The case associated with competitive intelligence where intellectual property is being transferred to another U.S. company may be just as harmful to the economic fabric of our country. What is more alarming and perhaps the final questions on Operational Risk Management is this:

  1. What do we know?
  2. When did we know it?
  3. What are we going to do about it?

The Board of Directors will be asking these after the crisis is unfolding. The law enforcement investigators will be asking these soon after the immediate incident. The final and perhaps the most painful of all the people who will asking these questions are the lawyers during your deposition and in the court room. Those questions and more will be asked from the front lines of the Goldman Sachs trading pit battlefield to the highly polished tables inside the corporate Board Room.

Revisit the Mission Objectives (MO) in your organization that pertain to MO4 and MO5. It may mean the difference to your corporate shareholders, or to all the citizens of the United States of America.

15 February 2010

Risk Appetite: Board of Directors Engage...

New management and faces around the Bank of America Board room are taking a new approach to Operational Risk Management. Compliance and other Operational Risk functions are being separated. Most importantly and perhaps a lesson for those institutions that are on the ropes, B of A is pushing the risk management debate from the Board Room to the associates on the front lines.

A Message from Brian Moynihan

Protect Our Company

To my Bank of America teammates:

Bank of America is in the business of taking risk and our goal is to make every good loan and transaction we can within our company’s overall risk appetite. Yet our recent performance demonstrates the need for enhancements. Our management, board and regulators have determined that our risk management practices must improve.

So we have updated our risk framework — or how we manage risk at Bank of America — with the following:

Risk Appetite - The senior team will recommend, and the Board of Directors will approve, an annual risk appetite that establishes how much we are willing to take as a company.


Debate - We’re requiring all associates to openly debate risk related issues…and we’re escalating issues and taking action based on those debates.


Roles - We’ve clarified risk management roles and responsibilities, and all associates will fall into one of three groups, each with specific accountabilities: Line of Business associates, Governance and Control associates (those in Global Risk and our other support groups) or Corporate Audit associates.


Governance - We strengthened the way we oversee risk with new committees at the board and management levels.


Operational Risk - We separated compliance and operational risk functions to have more targeted and focused attention on both.
For those of you who work in a line of business, your job is to serve the clients’ financial needs and to protect the company. You may take only those risk that are within our company’s overall risk appetite as established by the Board of Directors. Senior management will determine the risk appetite for your line of business and will communicate that to you. You will be assessed on your risk-taking results.


Managing risk within the confines of the corporate enterprise goes beyond the awareness building of risk appetite with front line associates. It requires getting the Board of Directors spending more time on the front lines and embedded in the business lines to better understand the operational risks that exist in that particular business. As an example, it would seem that in a rush to reduce expenses, call center operations are being moved offshore to India. Offshoring in itself brings to bear a whole new set of risk issues, especially when you are talking about "Call Center Operations."

Interacting with customers on the telephone subjects the caller and the service provider to the exchange of Personally Identifiable Information (PII). Utilizing new technologies to validate the geographic location of callers is available and the use of more sophisticated means for verifying the caller is who they say they are is being implemented with other technologies. Yet what about the people working in the call centers themselves. Whenever you have an outsourced provider in another country taking calls from US consumers and exchanging PII there are several other operational risks on the table.

Fraud associated with call centers is on the rise and is being facilitated by transnational criminal organizations. There are two primary types of fraud scenarios being perpetuated with call centers:

  • The use of phishing e-mails provides credentials for a criminal fraudster to log-in to your online banking account. However, because of certain online controls and security measures, the fraudster may need to make contact with call center for something as easy as a password reset to further their scheme.
  • In another use of a form of phishing e-mail, a consumer is asked to phone a fake 800 number that is routed to a fraudulent call center operation, where the banking customer is then asked for PII, mothers maiden name or other security credentials under the guise of an account problem or other account related issue.


Bank of America and other call center operations have integrated analytics with call centers that are specific to only the online banking inquiries. In addition, these integrated call centers should be utilizing the depth of data that exists for consumers from public records, credit and real estate records. Integrating the use of "Visual Analytics" and intelligence-led investigations can provide the institution with the insight and decision advantage to stem the growth of call center fraud across a myriad of industries beyond banking. RSA FraudAction Research Lab has this to say on the subject at hand:

Since the beginning of the year, RSA has uncovered several one-stop-shop call centers in the fraud underground that provide fraudsters with all the tools they need to commit fraud over the phone. These “tools” include:

  • “Professional callers”: fluent in numerous languages, both male and female
  • Caller-ID spoofing
  • Service availability during American and Western European business hours.
These comprehensive criminal services, to which we will refer as “fraudster call centers,” have proliferated in the underground economy over the past year.


As the likes of B of A and other organizations rely on the human factor on the other end of the telephone the operational risk factors increase dramatically. What would be an interesting question to the Board of Directors is this: When was the last time you visited your call center in "XYZ Country" and sat on the line with one of their offshore operators listening to consumer calls from the United States? This could be an eye opening exercise in better understanding Operational Risk Management on the front lines.

08 February 2010

Adaptive CxO: Utilizing a Decision Advantage...

How fast can you and your organization adapt? 5 minutes. 5 hours. Or 5 days. An adaptive enterprise that is capable of rapidly adapting to a continuously changing "Operational Risk Ecosystem" within minutes or hours, will have the highest likelihood to survive. Days could mean the end of the relationship with customers, employees and your vital supply chain. Corporate obituaries are all too common soon after a significant business disruption. Whether physical, cyber or both the adaptive enterprise is not only resilient but also possesses the most sought after business risk asset, an effective "Decision Advantage."

This past weekend, the Wasington, DC region has been crippled and brought to it's knees by "Mother Nature". Not an earthquake, nor tornado or even fires or floods (yet) but a tremendous amount of frozen precipitation.

Parts of the eastern United States remain largely paralysed for a third day after some of the heaviest snowfalls in decades.

Transport links in Washington DC and nearby states have been severely disrupted and hundreds of thousands of people are still without power.

Federal government offices and most schools are shut after the authorities advised people to stay indoors.

Weather forecasts are warning of fresh blizzards due on Tuesday.

The storm has disrupted transport from West Virginia to southern New Jersey.

Some parts of Washington experienced up to 32in (81cm) of snow, one of the heaviest snowfalls in decades.


The ability for a metro area, enterprise or even household to adapt and recover will be directly in correlation with the amount of practice, training and prediction excellence. Time and resources utilized by many to anticipate, drill, enhance skills and tweak the intelligence feeds will make all the difference in the outcomes. Many will survive and some will perish. It's in most cases directly proportional to the investment in the preparedness for all threats and all hazards. This is the core of the true Operational Risk professional.

And while your financial institution, defense industrial base firm or telecom or energy company was being tested in the "Continuity of Operations" plans this past few days in the National Capital Region (NCR), as the CxO for your enterprise, what grade would you give yourself in terms of business resilience?

On the Digital battlefield the corporate enterprise is getting a much better understanding of the economics of a data breach:

PGP and the Ponemon Institute have just announced results of the fifth annual U.S. Cost of a Data Breach Study. The overarching conclusion is that breaches are getting more expensive.

Data breaches cost U.S. companies $204 per compromised customer Relevant Products/Services record in 2009. That compares to $202 in 2008. Despite an overall drop in the number of reported breaches -- the Identity Theft Resource Center reports 498 in 2009 vs 657 in 2008 -- the average total per-incident cost in 2009 was $6.75 million. In 2008, that number was $6.65 million.

"In the five years we have conducted this study, we have continued to see an increase in the cost to businesses for suffering a data Relevant Products/Services breach," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach."


The Cyber Economics of losing laptops, internal data exfiltration and the effectiveness of industrial espionage make the "Brain" of any enterprise vulnerable to the loss of vital information and trade secrets. One of the the latest spy cases is now at the sentencing stage:


An elderly Chinese-born engineer convicted of economic espionage for hoarding sensitive documents that included space shuttle details faces sentencing Monday, and prosecutors are seeking a 20-year term.

A judge found Dongfan "Greg" Chung, 74, guilty in July of six federal counts of economic espionage and other charges for keeping 300,000 pages of sensitive papers in his home. The documents also included information about the fueling system for a booster rocket.

Despite Chung's age, prosecutors have requested a 20-year sentence, in part to send a message to other would-be spies.

Assistant U.S. Attorney Greg Staples noted in sentencing papers that Chung amassed a personal wealth of more than $3 million while betraying his adopted country.

"The (People's Republic of China) is bent on stealing sensitive information from the United States and shows no sign of relenting," Staples wrote. "Only strong sentences offer any hope of dissuading others from helping the PRC get that technology."


In a continuously evolving "Operational Risk Ecosystem" the corporate executive making decisions must be able to command a "DecisionAdvantage." Utilizing the latest technologies, networks and resilient designs for critical cyber infrastructure and combining this with the correct software is only the beginning. Again, you must ask the question. How long does it take your enterprise to adapt?

Whether the executive makes the phone call to keep employees working from previously designated remote sites; sends the "All Hands" text message to be on the look out (BOLO) for foreign nationals with US visas taking home work on sensitive projects or enabling the corporate networks to withstand the latest DDOS attack does not matter. What ultimately will be a CxO's best opportunity to survive or perish will be the "DecisionAdvantage."

05 February 2010

Legal Risk: Early Case Assessment...

After a few days at LegalTech New York this week, it's now confirmed that a very small percentage of small to medium enterprises (SME) are truly ready for the Operational Risk of litigation. How can a General Counsel achieve a defensible standard of care in this vast sea of software, technology and vendors that are trying to address the modern day business problem called "Electronic Stored Information?" (ESI)

Yet the likes of Bank of America and the Attorney General of New York are well aware of the importance of the "Meet-and-Confer" process as the allegations of fraud look for the "Digital Smoking Gun". Let the metadata wars begin:

Legal action has begun against Bank of America and its former bosses, accusing them of duping investors and taxpayers during the takeover of Merrill Lynch.

The defendants are accused of intentionally withholding details of huge losses Merrill was suffering.

New York state officials have filed the action against the bank, former chief executive Kenneth Lewis and former chief financial officer Joseph Price.


Principle 12 to the Sedona Principles states: Absent party agreement or court order specifying the form or forms of production, production should be made in the form or forms in which the information is ordinarily maintained or in a reasonably usable form, taking into account the need to produce reasonably accessible metadata that will enable the receiving party to have the same ability to access, search, and display the information as the producing party where appropriate or necessary in light of the nature of the information and the needs of the case. Sedona Principles 2d Principle 12

The issues faced by legal counsel at large Fortune 50 organizations are no different with the Small to Medium Enterprise when it comes to the "Meet-and-Confer." Making the decisions on what is relevant and the scope of eDiscovery is increasingly about the economics of litigation. Law firms are trying to reduce their costs and impact of billable hours with their clients and General Counsels are making sure that internal IT records management tasks are a top priority.

What many vendors are advocating in process and tools at LegalTech is the idea of Early Case Assessment (ECA). In other words, the Plaintiff is going to have to show their hand early and without slight of hand. These interviews with the Hon. James Holderman explains:

Editor: Doesn't that pretty much move in the direction of requiring the plaintiff to provide specific facts about the basis for the complaint? How can the discoverable "ESI" to be preserved and produced be determined unless the plaintiff comes forward with the specific facts on which its case is based?

Holderman: It cannot be done, and that is why the plaintiff needs to cooperate by divulging that information at the outset. Hiding the ball is a concept from the last century that can't be a part of present-day litigation. This is reflected in the Supreme Court's decisions in Iqbal and Twombly . Discovery is expensive and let's get the information out early. What is the benefit of bare-bones pleadings when the expense of e-discovery is so great? If the plaintiff has information then let's see whether the plaintiff has a sufficient basis for going forward to withstand a motion for summary judgment.


Where is the information you seek? In more places than you may realize as the investigation, forensics collection and rules of evidence are engaged. The risk of sanctions is real. The analysis of custodians Blackberry e-mails, BBM's and just plain text messages will be overwhelming as the Attorney General builds the case for fraud. The US Treasury, Federal Reserve and other government agencies will also be producing Terabytes of data for inquiry.

Regardless of the General Counsel's approaches at Bank of America or Merrill, the key risk items that they should have been addressing long before this trial with outside counsel are some of the following topics, again from LegalTech:

  • Cloud-based email and records management provides a new approach for cost-effectively managing law firm content
  • Securely archive information assets and maintain compliance with all regulatory standards, including the FRCP
  • Meaning Based Computing to enable automatic categorization of ESI for the application of retention policies
  • Sophisticated retention policies that enable non-critical data to be purged appropriately
  • The ability to easily and transparently retrieve archived data, prepare the data for potential future legal holds or preservation, and to rapidly respond to a litigation and investigation pertaining to the firm
  • How has legal changed the way we think about back-up?
  • What does "inaccessible" mean in discovery?
  • How can you implement a reasonable, defensible information management strategy that reduces risk?
As a law firm you always have to look at the fine print. B of A's procedures with outside counsel are available for review online:

These Procedures shall constitute the written engagement, or contract, of the firm for any matter for which it is engaged on behalf of Bank of America, and shall govern the terms of the engagement. These Procedures are applicable to all law firms and attorneys providing legal services to Bank of America. Law firms retained by Bank of America should ensure that a copy of these Procedures is provided to all attorneys, paralegals, administrative, clerical or other assistants assigned to a particular matter before work begins on any matter.