23 July 2016

ECPA: Reality of Homegrown Violent Extremism...

In the United States, Operational Risk Management executives in the private sector are constantly balancing the legal requirements for public safety against their customers' right to privacy. The Internet Service Provider (ISP) General Counsel's duty to facilitate the rule of law within the private sector organization has been on a collision course with protecting the homeland for more than a decade since 9/11.

One of the critical tools for Homeland Security Intelligence (HSI) is the Electronic Communications Privacy Act (ECPA), and for good reason. The law provides tools for law enforcement and national security intelligence analysts while simultaneously protecting the privacy interests of all Americans. In a 2011 statement before the Committee on the Judiciary, United States Senate, Associate Deputy Attorney General James A. Baker outlined the basis for ECPA:
"ECPA has never been more important than it is now. Because many criminals, terrorists and spies use telephones or the Internet, electronic evidence obtained pursuant to ECPA is now critical in prosecuting cases involving terrorism, espionage, violent crime, drug trafficking, kidnappings, computer hacking, sexual exploitation of children, organized crime, gangs, and white collar offenses. In addition, because of the inherent overlap between criminal and national security investigations, ECPA’s standards affect critical national security investigations and cyber security programs."
The criminal elements and their organized syndicates are leveraging the modern-day technologies and capabilities of the private sector. The legal first responders for our 21st century homeland threats don't always wear a badge and drive a Crown Vic on patrol around our city streets. Many spend their hours on patrol in cyberspace, or analyzing terabytes of data online with sophisticated software to determine the what, who, why and how of the current threat stream.

The US government has a fiduciary and legal duty to protect the privacy and civil liberties of all US citizens. Parallel to this task is the rapidly changing use of communications and other mobile technologies to facilitate and support the activities and operations of individuals and networks of people who exploit the design, configuration or implementation of our country's homeland defense architecture.

Whether this architecture includes the utilization of 72 Fusion Centers or the methods for collecting "Suspicious Activity Reports" (SARs) from those first responders, the fact remains that the pursuit of national security threats is a lofty task. It is happening today, on the ground and in the digital domain. Therefore, the speed at which these individuals can legally obtain the data they require to make informed decisions is at stake, and we must eliminate any new impediments put before them. In his statement on "Government Perspectives on Protecting Privacy in the Digital Age," Mr. Baker explains further:
Addressing information associated with email is increasingly important to criminal investigations as diverse as identity theft, child pornography, and organized crime and drug organizations, as well as national security investigations. Moreover, email, instant messaging, and social networking are now more common than telephone calls, and it makes sense to examine whether there is a reasoned basis for distinguishing between the processes used to obtain addressing information associated with wire and electronic communications. In addition, it is important to recognize that addressing information is an essential building block used early in criminal and national security investigations to help establish probable cause for further investigative techniques. Congress could consider whether this is an appropriate area for clarifying legislation.
Any changes to the ECPA laws should be considered carefully, not only by the government but by the private sector. The two must work together to find the correct balance between national security requirements and the privacy of the customers of mobile communications, e-mail, and social networking entities. The time that it takes our first responders to rule in or rule out a person of interest in an ongoing investigation can mean the difference between a failed and a successful attack on the homeland. The private sector must also determine the prudent cost to the government for providing legally obtained non-telephone records such as a name, address and other metadata. By the way, has anyone noticed that the criminals, terrorists, spies and other malicious actors have decided to use Telegram or WhatsApp instead of their mobile telephone?

Homeland Security Intelligence (HSI) first responders will be the first to tell you that the crime syndicates and non-state actors have gone underground and have stopped using the tools that leave their data more easily accessible to law enforcement. Now they are creating and operating their own private and secure infrastructures within the confines of private sector companies. These clandestine groups have an organized hierarchy and specialized skills, and therefore the US government must continue to step up the pace, legally.

What does this all mean? It means there will be a lower chance of undercover law enforcement officers becoming members of these organized crime syndicates, which in many cases are the genesis for homegrown violent extremism (HVE).

Homegrown extremists can be individuals who become violently radicalized, perhaps after exposure to jihadi videos, sermons and training manuals available on the Internet, security officials say. Such plotters are harder for counterterrorism officials to spot because they have few links with known terrorist operatives and often don’t travel overseas for training.


Another implication is that there is a higher chance that private sector researchers will understand the new tradecraft of HVE actors long before law enforcement and national security intelligence analysts do. This is because the standard approach to the "Seven Signs of Terrorism" has been focused on physical infrastructure. Organizations in the private sector have, since the late 1990s, been researching, tracking and profiling the methods and modus operandi of the digital extremists who have plagued our banks and other financial institutions with cyber crime.

The time is now for these two distinct disciplines and professions to converge. The public as eyes and ears, combined with the legal tools to extract timely information from technology providers, is part one. Part two is the integration of intelligence analytic training into the curriculum of the police and fire academies for new recruits. Providing these first responders with the methods, tools and capabilities to be more effective collectors at the street level will provide the fusion centers with a more robust set of relevant information streams. Here is an example from a graduate certificate class in criminal intelligence analysis from AMU:

The graduate certificate in Intelligence Analysis provides you with a fundamental understanding of the issues, problems, and threats faced by the intelligence community. This online graduate program helps you develop a comprehensive knowledge of how intelligence agencies in the U.S. assess and counter international threats in order to guard U.S. global interests and protect U.S. national security from adversaries. Knowledge from this certificate program is applicable to many career fields within the military, security companies, government contractors, or federal agencies.

We have a choice to provide our first responders with the correct training and OPS Risk education for today's Homeland Security Intelligence (HSI) mission. Our national policy makers have a choice to assist them in getting the information they need to do their jobs quickly and efficiently, while protecting civil liberties. The choices that we make fifteen years after 9/11 will define the landscape for homegrown extremism and the legal framework for ensuring the safety and security of all Americans for years to come.

16 July 2016

Utility of Attack: Target Selection and Execution...

The threat spectrum for Operational Risk Management (ORM) professionals is wide, and they are constantly evaluating opportunities to learn.  Recent data breaches, terrorist attacks and the strategies utilized by adversaries online and on the ground have surfaced another key lesson learned:
u·til·i·ty n. (pl. -ties) 1 the state of being useful, profitable, or beneficial; (in game theory or economics) a measure of that which is sought to be maximized in any situation involving a choice.  (The New Oxford American Dictionary)
Here are two data breach examples:
  1. On May 30, 2016, Omni Hotels discovered they were the victim of malware attacks on their network affecting specific point-of-sale systems on-site at some Omni properties. The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date. They have no indication that reservation or Select Guest membership systems were affected.  50,000 records are impacted.
  2. Prior to May 2016, identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees. The nation's largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year. Atlanta-based Equifax's W-2 Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people.  According to a letter Kroger sent to employees dated May 5, 2016, thieves were able to access W-2 data merely by entering at Equifax's portal the employee's default PIN code, which was nothing more than the last four digits of the employee's Social Security number and their four-digit birth year.
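The W-2 Express breach above turns on one design decision: a "secret" derived from two values that are easy to learn. The following audit helper, added here as an illustration and not code from Equifax, Kroger or this blog, flags accounts whose PIN still equals the derived default (last four SSN digits followed by the four-digit birth year) and contrasts the attacker's guessing effort with that of a randomly issued PIN. The employee records, the SHA-256 PIN storage format and the `year_range` figure are constructed assumptions.

```python
"""Audit for derived default PINs of the form <SSN last 4><birth year>."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Employee:
    """Constructed record; pin_hash is hex SHA-256 of the current PIN (assumed storage)."""
    name: str
    ssn_last4: str
    birth_year: str
    pin_hash: str


def derived_default_pin(ssn_last4: str, birth_year: str) -> str:
    """The default scheme described in the Kroger letter: last four SSN digits + birth year."""
    return f"{ssn_last4}{birth_year}"


def pin_hash(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


def still_on_default(emp: Employee) -> bool:
    """True when the stored PIN hash matches the predictable default for this employee."""
    expected = pin_hash(derived_default_pin(emp.ssn_last4, emp.birth_year))
    return hmac.compare_digest(emp.pin_hash, expected)


def guess_space(known_ssn_last4: bool, known_birth_year: bool, year_range: int = 60) -> int:
    """Candidate PINs an attacker must try given what is already known about the victim.

    Both parts unknown: 10**4 * year_range; only the birth year known: 10**4;
    both known (common after any prior identity-data breach): a single guess.
    year_range is an assumed span of plausible working-age birth years.
    """
    candidates = 1
    if not known_ssn_last4:
        candidates *= 10_000
    if not known_birth_year:
        candidates *= year_range
    return candidates


def issue_random_pin(length: int = 8) -> str:
    """Corrected issuance: a PIN drawn from a CSPRNG, unrelated to any personal data."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def audit(employees: list[Employee]) -> list[str]:
    """Names of accounts that must be forced through a PIN reset."""
    return [e.name for e in employees if still_on_default(e)]


# Constructed sample roster: two accounts never changed their default PIN.
SAMPLE = [
    Employee("A. Example", "1234", "1980", pin_hash("12341980")),
    Employee("B. Example", "5678", "1975", pin_hash("91048822")),
    Employee("C. Example", "2468", "1992", pin_hash("24681992")),
]

if __name__ == "__main__":
    print("reset required:", audit(SAMPLE))
    print("guesses, nothing known:", guess_space(False, False))
    print("guesses, both known:", guess_space(True, True))
    print("random 8-digit PIN space:", 10 ** len(issue_random_pin()))
```

The point for a risk reviewer is the last two numbers: once the SSN suffix and birth year are known from any earlier leak, the derived default offers zero secrecy, whereas a randomly issued PIN of the same length still costs on the order of ten million guesses against a rate-limited portal.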
Here are two terrorist attack examples:

In two major domestic terrorism events in the United States this past year, "Utility" was a major factor and should not be discounted in analyzing the motivations and "modus operandi" of homegrown violent extremists.  In San Bernardino, CA the adversaries were planning a major attack and had already stockpiled explosives and ammunition.  In Dallas (Mesquite), TX the adversary was planning a major attack and had already stockpiled a cache of explosives as well.

In both of these cases, the adversaries had accumulated and trained to use explosives in an attack.  Then they came upon a choice.  A utility.
  1. In San Bernardino, an incident with government co-workers motivated the employee attacker to deviate from the intended plans and to capitalize on the "Utility" of a workplace holiday gathering at the county facilities.
  2. In Dallas, a peaceful protest march that would attract a significant government presence of police officers, motivated the attacker to deviate from future plans and to capitalize on the "Utility" of a public gathering.
Dr. Erroll Southers is correct:
While the impetus for attack is rooted in beliefs, a terrorist’s selection of how and where to attack is based on a consideration of utility. This is the estimate of an attack’s consequences with respect to the intended target’s value as a domestic or international interest and the political impact the attack will have on the intended audience. Utility is a primary consideration for extremists during preparation for an attack, weighing desired results against the investment in activities to plan, rehearse and execute an operation. Always mindful of the aftermath, utility weighs heavily in the decision-making process of target selection, possible attack paths, methodologies and execution.  Southers, Erroll (2014-09-25). Homegrown Violent Extremism (pp. 9-10).
In both cases, the adversaries accelerated their plans.  They abandoned their use of explosives and a future planned event to act on their emotions and motivations of the moment.  Domestic Terrorism in the United States will continue at a rapid pace without a more serious focus on Homegrown Violent Extremism.

Whether it be online with the trust of your data systems or offline with the safety and security of your citizens, employees and facilities, beware of the changing opportunities for your adversaries to launch their attack...
Utility, leveraged by your adversaries, is a consideration that must be continuously evaluated and analyzed in your particular threat environment.

09 July 2016

Domestic Terrorism: Tears for Those in Blue...

The sniper ambush on the officers sworn to protect us in Dallas, Texas USA on July 7, 2016, is yet another portrait of tragedy and sorrow in our Homeland.  Whether you are an American safe today in your home after another graveyard shift or at high risk on the front lines in the shadows of a foreign country, it does not matter.  This particular domestic event targeting our protectors, and so soon after Orlando, FL, should be another wake-up call to area code (202).

Operational Risk Management (ORM) professionals across the U.S. are unified once again in our vigilance and our mission.  Domestic Terrorism in our world will continue to be manifested as long as people can read, listen and be influenced by other people.  Here or abroad.  The methods used for this indoctrination, whether delivered in small groups sitting in a circle over a cup of coffee or tea, or increasingly over the Internet, do not matter.  The process is the same.

The "Cues and Clues to Teach" have been detailed before in this blog.  Domestic Terrorism in the United States has been moving along a spectrum of incidents at a pace that seems to be accelerating.  Lone individuals or groups who plan, train and act in order to bring their own psychological justice to reality are one of our greatest challenges:
The statutory definition of domestic terrorism in the United States has changed many times over the years; also, it can be argued that acts of domestic terrorism have been occurring since long before any legal definition was set forth.

Under current United States law, set forth in the USA PATRIOT Act, acts of domestic terrorism are those which: "(A) involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State; (B) appear to be intended— (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and (C) occur primarily within the territorial jurisdiction of the United States."[2] 
The pace and the origins of domestic terrorism in the United States are vast and metastasizing.

In order to begin or enhance your journey into understanding the root causes of this growing threat in America, you should start with Eric Hoffer's book: The True Believer: Thoughts on the Nature of Mass Movements.  And once you are finished with it, turn to Erroll Southers' Homegrown Violent Extremism.

Developing your awareness is the beginning of any journey to solving problems and developing more effective and comprehensive preventative solutions.  Building knowledge about how people can transform from an individual working in a war zone or sequestered from society to the front pages of the Washington Post is a worthy goal for any Operational Risk professional.  As a human resources professional at Company or Agency USA, or the retail employee in the ammunition section of Dick's Sporting Goods, you also have a role to play.

Vigilant "Employees and Citizens" must be continuously trained to be aware of the warning signals that typically occur before a threat and violent act becomes operational.  Based on the O'Toole study, these are some of the 23 "Red Flags" that employers should be monitoring and keeping their Corporate Threat Assessment Teams on high alert for:
  • Low tolerance for frustration
  • Poor coping skills
  • Failed relationships
  • Signs of depression
  • Exaggerated sense of entitlement
  • Attitude of superiority
  • Inappropriate humor
  • Seeks to manipulate others
  • Lack of trust/paranoia
  • Access to weapons
  • Abuse of drugs and alcohol
What did you know?  When did you know it?  What have you done about it?  They will judge you on your threat assessment's utilization of insider threat intelligence, combined with the evidence of your overt training of employees in the workplace.  What grade would you give your organization today for these fundamentals?
Godspeed to all of those on their journey now, to better comprehend this event and to all the grieving family members across our Homeland...

03 July 2016

4th of July: Flying the Stars & Stripes of Freedom...

The United States of America celebrates 240 years tomorrow.  The Stars and Stripes of our flag will be flying high.  How far we have come and yet we still envision that we have so far to go.

Celebrating the 4th of July in the United States means different things to different people.  It all depends on your tenure here and how you have contributed to defending the freedoms we all share. And for those who have made the trip to our borders or overseas to defend our country, we give special thanks.

Nine years ago we saluted Spencer S. on Memorial Day, as he prepared to make his way to being deployed to Iraq.  An Airborne Medic and now home safe in Chicago, we are thinking about him and all those other families who have sent their sons and daughters, husbands and wives, brothers and sisters, or fathers and mothers into harm's way to defend our freedom.  We are humbled by your courage and thank you for your selfless contributions to keep us safer and more secure back home.

The Patriots of the U.S. are vast and found everywhere, serving the country in uniform by military or law enforcement, in suits and ties or dresses among the halls of government agencies found in small towns and famous suburbs like Langley.  These millions of shadow patriots and citizen soldiers are working to defend the truth of the Declaration of Independence and our Constitution each day.

At the same time, they are all Operational Risk Managers, mitigating the daily risks to life, property and our vital economic assets.  Mike Stanley of the American Legion captures the essence of the early days of our country:
The United States of America began as thirteen different English colonies established along the eastern seaboard during the 17th and early 18th centuries. Gradually many of the colonists began to think of themselves more as Americans and less as Englishmen, a feeling that was spurred on by the decision of the British Parliament in the 1760s to tax the colonies for the expenses associated with keeping them in the British Empire. Since the colonists had no elected representatives in the British Parliament, they felt that these new taxes were “taxation without representation” and therefore, illegal.
From this point, the situation escalated quickly as Patriot groups formed to discuss the possibilities, and by the early 1770s, the Patriots had their own Provincial Congresses in each of the thirteen colonies, effectively replacing the representatives of the British government. In 1775, the Second Continental Congress was established, the Continental Army was organized, and fighting broke out when the British responded by sending combat troops to the colonies.
Finally, on July 4, 1776, the Declaration of Independence was signed, establishing the United States of America. The fierce determination of the Patriots to prevail, plus the important military and political support of the French, the Spanish and the Dutch, ensured an American victory, and in 1783, the signing of the Treaty of Paris ended the American War of Independence and guaranteed the sovereignty of the United States of America.
Conflicts in the 21st century will be fought for many of the same reasons, and with a revolution of robots.  In P.W. Singer's book, "Wired for War," he prepares us for the next 100 years:
What happens when science fiction becomes battlefield reality?
An amazing revolution is taking place on the battlefield, starting to change not just how wars are fought, but also the politics, economics, laws, and ethics that surround war itself. This upheaval is already afoot -- remote-controlled drones take out terrorists in Afghanistan, while the number of unmanned systems on the ground in Iraq has gone from zero to 12,000 over the last five years. But it is only the start. Military officers quietly acknowledge that new prototypes will soon make human fighter pilots obsolete, while the Pentagon researches tiny robots the size of flies to carry out reconnaissance work now handled by elite Special Forces troops.
Wired for War takes the reader on a journey to meet all the various players in this strange new world of war: odd-ball roboticists working in latter-day "skunk works" in the midst of suburbia; military pilots flying combat missions from their office cubicles outside Las Vegas; the Iraqi insurgents who are their targets; journalists trying to figure out just how to cover robots at war; and human rights activists wrestling with what is right and wrong in a world where our wars are increasingly being handed over to machines.
Maybe someday, Spencer will be able to stay hundreds or thousands of miles out of harm's way to defend our country's freedoms, because they won't need medics on the battlefield anymore.
...and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor. 

26 June 2016

Resilience 3.0: Next Generation Operational Risks...

Operational Risks are being exacerbated by the tension and competition for people to be noticed and heard within a vast ocean of zeros and ones, all invisible to the human eye.  Trusted systems on the Internet, once thought to be impervious to the asymmetric threats of "Transnational Organized Crime" (TOC), Hacktivists, and even nation states, are now in ever greater peril.  The next generation has four main fronts:
  • Sovereignty
  • Piracy and Intellectual Property
  • Privacy
  • Security
The global conflict being waged 24/7/365 on the Internet continues, and in the next decade yottabytes of data will continue to be ingested, analyzed, digested and excreted at the speed of business and social commentary.  The United Nations has been gearing up for years with the UN Global Pulse Project concerning the future of the Internet:

"Global Pulse functions as a network of innovation labs where research on Big Data for Development is conceived and coordinated. Global Pulse partners with experts from UN agencies, governments, academia, and the private sector to research, develop, and mainstream approaches for applying real-time digital data to 21st century development challenges."

As Michael Joseph Gross illustrates in his Vanity Fair article "World War 3.0," battle lines have been drawn between repressive regimes and Western democracies, corporations and customers, hackers and law enforcement:
"The War for the Internet was inevitable—a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers and scientists who knew one another off-line, the Internet was established on a bedrock of trust: trust that people were who they said they were, and trust that information would be handled according to existing social and legal norms. That foundation of trust crumbled as the Internet expanded."
The resilience of an organization has for hundreds, even thousands, of years relied upon sufficient resources:  food, water, energy, capital, trade, defense.  Communications was long ago recognized as a game changer for achieving a greater degree of resilience, and it has historically made the difference in World Wars and other significant planetary conflicts.

Today it is no different, as the Arab Spring has seen another anniversary and people leverage the use of silicon-based devices in concert with wireless mesh networks on the borders of failing nation states.

Humanitarian operations are evolving to go far beyond the establishment of the standard platforms for responding to natural disasters and other atrocities of mankind.  The ability for people to develop and run their own businesses creates a sustainability factor that cannot be overstated.  Whether that occurs has first to do with knowledge and resources, but when you add communications to the mix, the advantages for survival increase exponentially.

The Internet and wireless technologies, combined with the rapid adoption of IoT devices, iPhones and iPads, have created another key resource that organizations must manage and plan for in the vast spectrum of Operational Risk Management (ORM).  As the governments of the world debate the sovereignty of Internet assets and the rebels of the world order more wireless-enabled devices for communications, the requirements for prudent risk management endure.

Whether you are a private sector company or the leader of an organization simply trying to communicate the truth to the rest of the world, managing Operational Risks effectively will be a continuous factor of your resilience.

The ranks of those organizing themselves on the Internet continue to grow, in every instance of what people are thinking, saying and doing in the name of communications to enable their resilience:
"Aside from wealth or arcane knowledge, the only other guarantor of security will be isolation.  Some people will pioneer new ways of life that minimize their involvement online.  Still others will opt out altogether—to find or create a little corner of the planet where the Internet does not reach.  Depending on how things go, that little corner could become a very crowded place.  And you’d be surprised at how many of the best informed people about the Internet have already started preparing for the trip."

18 June 2016

4GW: Strategic Risk Vs. Tactical Insurgencies...

Fourth Generation Warfare (4GW) is upon us in the E-Ring, the West Wing and the PGP keyring. Information assets, and the knowledge that is the key to wealth, are no longer a physical debate. Thomas X. Hammes articulates this in his book, The Sling and The Stone:
Fourth-generation warfare (4GW) uses all available networks -- political, economic, social, and military -- to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit. It is an evolved form of insurgency. Still rooted in the fundamental precept that superior political will, when properly employed, can defeat greater economic and military power, 4GW makes use of society's networks to carry on its fight. Unlike previous generations of warfare, it does not attempt to win by defeating the enemy's military forces. Instead, via the networks, it directly attacks the minds of enemy decision makers to destroy the enemy's political will. Fourth-generation wars are lengthy -- measured in decades rather than months or years.
The Mission
The global business landscape has known for all too long the power of marketing. Knowledge is not a fixed asset in a fixed physical location. Intellectual property, patent applications and new formulas can be reduced to zeros and ones and sent to anyone in the world almost instantaneously. Encrypted data flows through the veins of the Internet and has changed the playing field for governments and for your organization.

While nation states and growing adversaries wage their respective political and economic battles, the private sector and the Fortune 500 are in another, parallel conflict to keep their Intellectual Property and Information-Based Assets safe and secure from a growing threat spectrum.

Modern digital insurgents and other 4GW opponents are part of a virtual network that has no specific location found in longitude, latitude or geocode. The money center bank or transnational pharmaceutical company is all too familiar with the hijacking of trade secrets or personal identities, held for ransom or sold to the highest bidder.

The Take Away
Yet this is not about technology, and it is even more apparent that it is not about the Internet. It is about how people are able to operate in a wide variety of countries, cultures and operating environments. These human networks are the most powerful forces available to governments and to marketers.

Whether it's a brand being endorsed by a superstar rocker like Paul McCartney or a book being recommended by Oprah Winfrey, this 4GW strategy is exactly what this sharing of human knowledge and intelligence is all about. And let's not forget the power of Al Jazeera and The New York Times.

The risk of operating your enterprise across the planet requires a "4GW" mentality and toolkit to help ensure your success. What is your organization doing to retool and retrofit your work force to compete on an operational level with more educated people and superior human capital?

11 June 2016

Breakpoint and Beyond: The Naivety of Change...

The discontinuity of our society, our governments, our weather and the digital innovations of this modern generation creates simultaneous paths of challenge.  One of crisis and another of opportunity.

Yet without a thorough analysis and comprehension of the discontinuous change before us, how can you manage the Operational Risks that occur at any point in time?  What path will you choose...
World English Dictionary
discontinuity

— n , pl -ties
1. lack of rational connection or cohesion
2. a break or interruption
3. maths
a. the property of being discontinuous
b. the point or the value of the variable at which a curve or function becomes discontinuous
4. geology
a. a zone within the earth where a sudden change in physical properties, such as the velocity of earthquake waves, occurs. Such a zone marks the boundary between the different layers of the earth, as between the core and mantle (see also Mohorovičić discontinuity)
b. a surface separating rocks that are not continuous with each other

"Discontinuity of Change" is a subject well understood by the average person walking the streets of Anacostia near the U.S. Navy Yard in Washington, DC, San Bernardino, CA or Orlando, FL.

Perhaps those walking down Saeb Salaam in the heart of Beirut, Lebanon as refugees also can comprehend, as they become vulnerable to arrest, detention and deportation.  Learning about change itself, and the underlying systemic nature of the phases of change, can provide people in the middle of crisis or opportunity with newfound context.

In 1992, this blogger had the fortune to spend a significant amount of time with the authors of Breakpoint and Beyond: Mastering the Future Today.  Dr. George Land and Dr. Beth Jarman wrote an extraordinary book and created an organization to teach what was inside its covers: to help us all make better sense of change and to discover our own ability for innovation and creativity:
In our over four decades of research and work across many cultures, we have found that practically all humans have a vast capacity for imaginative, creative thinking. Although this ability has been dampened by social forces, it can be reawakened. We have also found that people have the capacity to put judgments and fears aside and work truly creatively and collaboratively in diverse and even divisive groups.
The path of crisis or opportunity is not a choice of direction; it is a better understanding of change itself.  The systemic nature of the three phases of change, and the ability to know where you are in the growth curve of the system, are the core.  Yet to innovate and to leap beyond a breakpoint to master the future requires finding your own creativity once again.

The creativity that we are all born with begins to dissolve at an early age.  By the time we reach our teens and early adulthood, our cultural systems have stripped innovation from the potential capabilities we had as a child.  As we grow older, our aspirations to be creative are subjected to influence by our parents, friends, teachers, or by the 1 or 2% in our particular ecosystem.  Is "Out-of-the-Box" thinking a good thing where you live or work?  Does your environment encourage divergence or convergence?

You see, the "Discontinuity" in society creates breakpoints.  The "Arab Spring" and the emerging social revolution in digital systems before us create new crises and simultaneous opportunities.  Both are challenges for people, business, governments and global economies to analyze and rationalize.

Will you innovate?

If you are a policy maker in your organization, what are you doing to innovate?  Do you have new solutions for the changing operational risks encountered as your employees travel the globe and make decisions for the enterprise?  If you are part of the main policy bodies within your government, what have you done lately to find new creativity to address the potential opportunity before you?

In either case, the speed of change and the ability to rapidly innovate, will certainly decide your future.  Did you make it beyond the bifurcation and breakpoint?  Here is a great scientific example:
The miniaturization of electronic devices has been the principal driving force behind the semiconductor industry, and has brought about major improvements in computational power and energy efficiency. Although advances with silicon-based electronics continue to be made, alternative technologies are being explored. Digital circuits based on transistors fabricated from carbon nanotubes (CNTs) have the potential to outperform silicon by improving the energy–delay product, a metric of energy efficiency, by more than an order of magnitude. Hence, CNTs are an exciting complement to existing semiconductor technologies.
Mastering the future today is about better understanding the discontinuity of change around you.  Managing "Operational Risk" is simple.  Continuously grow or die.

06 June 2016

Data Provenance: The Truth of Information...

Our ability to make trust decisions that we know are sound and effective, begins with the provenance of data.  When you trust the source of information that is being communicated, it makes all the difference in your final decision to trust.  Operational Risk Management (ORM) is quickly evolving to a next generation of truth.

What publications do you read?  Who wrote the article?  What is the author's reputation?  Is it a book on Amazon or a newsletter delivered via e-mail?  These are all questions you ask yourself as you absorb the content and process the information being conveyed and the evidence available to you.

What important truth do very few people agree with you on?

Most people think that traditional Risk Management is a sound process.  Risk Management Frameworks in a digital environment do not work and are soon to be extinct.  The truth is, human beings are incapable of effectively managing the "Zeros and Ones" with a simple "Likelihood vs. Impact" matrix.  The complexity and speed of change is just too great.

Why?  The answer is, that very few people really can even understand the fundamental engineering of the digital inventions we are operating or encountering each day.  How can you expect them to judge whether a digital asset is more likely or not, to encounter a serious integrity threat?  How can you really expect them to judge the origin value of the digital asset to themselves or others?

However, once you have closely studied and researched a hypothesis long enough, some clarity and new truths can be discovered.  This is when new discoveries are made and the opportunity for mankind to advance or decline takes place.  That is why humans have built other kinds of digital machines, to assist them in making these trust decisions to manage risk.

You see, when the dark side actions of the Internet started to become more of a reality (probe, scan, flood, authenticate, bypass, spoof, read, copy, steal, modify, delete) to most people using it, we invented new safeguard computing machines.  Some were called "Intrusion Detection Systems" (IDS) and others were called "Firewalls".  This was just the beginning.

Soon after the dawn of the 21st century, we began hearing the names of new digital software machines to battle viruses that were described using terms such as "Deep-Packet-Inspection" and digital forensics.

Now in 2016, we have Microsoft and Facebook engineering their own fiber-optic cable network across the ocean to deliver data at 160 terabits per second.  Why?
Facebook and Microsoft are laying a massive cable across the middle of the Atlantic.

Dubbed MAREA—Spanish for “tide”—this giant underwater cable will stretch from Virginia to Bilbao, Spain, shuttling digital data across 6,600 kilometers of ocean. Providing up to 160 terabits per second of bandwidth—about 16 million times the bandwidth of your home Internet connection—it will allow the two tech titans to more efficiently move enormous amounts of information between the many computer data centers and network hubs that underpin their popular online services.
The decision to trust begins with end-to-end control of the system.  How many hand-offs were there for the courier to carry the message from point A to point B along the path?  Who was in control of the path along the journey?  What assurance do you have that the content of the message was not altered during transit?  Now you are starting to get the big picture.

If your name is HP, Cisco or one of many others in the telecom industry, your competition is no longer the usual hardware infrastructure companies.  Soon corporate enterprises will be seeking specialized networks on a case-by-case basis that are not controlled by Verizon, AT&T or BT.  It goes far beyond control of equipment and physical assets.

The "TrustDecisions" that you and your organizations encounter in the next decade may very well rely on a whole new set of rules.  The integrity of information will rely on a whole new set of networks and a whole new level of truth, on the provenance of data.

28 May 2016

Memorial Day 2016: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2016, we reflect on this remembrance.

In order to put it all in context, we looked back 36 months to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was also one of the 22 that day in early May, that could not defeat the legacy of demons he fought each night, as he fell deep asleep.

On Memorial Day 2016, we again honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have sacrificed and defended our freedoms for 239 years. Simultaneously, we do the same for the people behind the "Stars" on a wall in Langley, Va for those officers who have done the same.

Together we are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same, in that we share the mission that gets each one of us out of bed each day.  Our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
So this weekend as we walk among the headstones, reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continues...

21 May 2016

Social Engineering: CxO Leadership for BEC...

In the context of cyber security, many practitioner experts are already familiar with the "Business E-Mail Compromise" (BEC).  Operational Risk Management (ORM) professionals know this:
"Amateurs attack machines, Professionals attack people"

The BEC is a global scam with subjects and victims in many countries. The IC3 has received BEC complaint data from victims in every U.S. state and 45 countries. From 10/01/2013 to 12/01/2014, the following statistics are reported:

  • Total U.S. victims: 1198
  • Total U.S. dollar loss: $179,755,367.08
  • Total non-U.S. victims: 928
  • Total non-U.S. dollar loss: $35,217,136.22
  • Combined victims: 2126
  • Combined dollar loss: $214,972,503.30
The FBI assesses with high confidence the number of victims and the total dollar loss will continue to increase.
What executives at most organizations understand is that they are a potential target for all kinds of threats from inside and outside the company.  Fortune 500 companies already have sophisticated internal accounting controls and "Personal Protection Specialists" who do advance work for the travel the CxO takes across town or overseas.  Yet what about the Small-to-Medium Enterprise with just tens of millions of dollars in annual revenues?  Are they as prepared as they could be for the BEC?

It does not take much for the financial controls and the accounts payable process to break down at companies and organizations that have not prepared for this continuous threat, which succeeds with the unwitting cooperation of your own insiders (employees, partners, suppliers).  The numbers tell the whole story.  Countless times each year, companies are convinced to act upon a simple e-mail, crafted by clever "Social Engineering" experts, to transfer money out of their corporate banking accounts.

So what are you doing to prepare, educate and deter this continuous wave of "Social Engineering" attacking your employees and key stakeholders?  How many computers and iPhones in your business or organization receive e-mail on a daily basis?  Each one of these is a threat vector, along with each one of your employees who is the human factor behind the device.

What is amazing today, is that a cyber threat like this, that has been talked about for over a year, is still growing.  Perhaps it is a leadership problem.  Perhaps it is a public safety announcement campaign problem.  In either case, you have to realize, there are some very specific remedies that can be exercised by your organization to deter, detect and defend yourself from "Business E-mail Compromise" (BEC).

Executives and senior staff are busy.  They are running the business and rarely have time for that two hour or half day training session.  This is your largest vulnerability to begin with at your organization.  An apathetic CEO or senior staff is the perfect target for any transnational organized crime (TOC) syndicate on the other side of the globe.

As a CxO, when was the last time you had a campaign within the organization to address these threats?  Weeks, Months, Years?  Why haven't you incorporated a continuous program to keep your employees and staff up to date?  If you have 1247 employees, then you have 1247 vulnerabilities walking around in your enterprise.

When you look at the line item in the Information Technology budget this year for hardware, software, maintenance and cloud computing, look a little further.  Where is the line item for the education program and the tactical awareness, to keep your people on the leading edge of deterring the social engineering wave of attacks in your organization?
There has been a lot of news in 2016 about a particular species of phish, the so-called Business Email Compromise (BEC). In this scenario, the attacker poses as an executive of a company, asking someone--usually a subordinate employee--to perform a wire transfer or similar action. When the employee complies and completes the transfer, the company realizes--too late--that it has just given a large payment to a criminal. An investment company in Troy, Michigan, recently lost $495,000 from a BEC phish, so this is not a small matter.

It even hit close to my (professional) home: DomainTools’ CFO recently received a spear phish purporting to come from our CEO, asking her to make a wire transfer of funds. The sending email address was a clever look-alike of “domaintools.com,” using some substituted characters. Fortunately our CFO is very savvy and knew right away that her boss wouldn’t actually make such a request in that way. But it underscores how common this kind of BEC phish is -- and how easy it is for criminals to spoof legitimate emails.
This is just a small example of the continuous trend across the small-to-medium enterprise landscape.  You have the control and the ability to make a difference in your enterprise.  The time and the services exist for you to keep your organization safer and more secure than it is today.  When will you decide it is your "Duty of Care" to protect corporate assets and to start using some of the tools to make "Business E-mail Compromise" (BEC) extinct?
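One of the "specific remedies" for detecting a BEC message before anyone acts on it is to check the sender domain against the organization's own domain the way the savvy CFO in the DomainTools example did by eye: look for substituted characters. The Python below is an added illustration written for this page; it is not code from the blog, from DomainTools or from any product. It assumes a genuine domain of example.com and uses constructed headers. The check folds a domain to its visual skeleton (digits and letter pairs that imitate other letters, Cyrillic homoglyphs, accents), then compares it with the trusted domain allowing one edit or one transposition, and also flags domains that merely embed the real one.

```python
"""Look-alike sender-domain check for BEC triage (added illustration).

Assumptions, not taken from the original post: the organisation's genuine
domain is example.com, and every header below is constructed for this demo.
"""
import unicodedata
from email.utils import parseaddr

# Substitutions commonly used to imitate a domain, mapped to the ASCII letter
# they resemble. Applying the map to both the trusted domain and the sender
# domain gives look-alikes the same "skeleton".
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р с х
    "\u0131": "i",                                 # dotless i
}


def skeleton(label: str) -> str:
    """Reduce a domain string to the visual skeleton a reader would see."""
    text = unicodedata.normalize("NFKC", label).lower()
    # Multi-character pairs first, so "rn" collapses to "m" before the
    # single-character rules run.
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        text = text.replace(src, CONFUSABLES[src])
    # Drop combining marks so accented letters fold to their base letter.
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so a transposition typo such as exmaple/example costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header; the display name is ignored
    because it is the easiest part for a sender to forge."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted_domains) -> str:
    """'trusted' for the organisation's own domain or a subdomain of it,
    'lookalike' when the sender domain merely resembles or embeds it,
    'external' otherwise."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if osa_distance(skeleton(domain), skeleton(trusted)) <= 1:
            return "lookalike"
        if trusted in domain:            # e.g. example.com.secure-login.net
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "CEO <ceo@example.com>",
        "CEO <ceo@exarnple.com>",          # rn -> m
        "ceo@examp1e.com",                 # digit one for l
        "ceo@exmaple.com",                 # transposed letters
        "ceo@example.co",                  # dropped letter
        "ceo@example.com.secure-login.net",
        "partner@supplier.net",
    ]
    for header in samples:
        print(f"{classify_sender(header, ['example.com']):9s} {header}")
```

A "lookalike" verdict is a reason to hold the message for a second channel of confirmation (a phone call to the executive on a known number), not proof of fraud; a genuine mailing from a similar-sounding third party will also trip it. The check is deliberately only about the sender domain: a message that passes it can still be a compromised real mailbox, which is why the payment-approval process itself, not the mail filter, remains the control of record.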

15 May 2016

Know Your Customer: ISP Future Horizon...

The American public is changing their behavior as a result of the privacy and security failures across the private sector business policy landscape.  As the latest NTIA survey data reveals again, online commerce is being impacted and government agencies are now trying to further communicate there is a growing problem:

Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities
May 13, 2016 by Rafi Goldberg, Policy Analyst, Office of Policy Analysis and Development

Every day, billions of people around the world use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues. Users send and store personal medical data, business communications, and even intimate conversations over this global network. But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.

NTIA’s analysis of recent data shows that Americans are increasingly concerned about online security and privacy at a time when data breaches, cybersecurity incidents, and controversies over the privacy of online services have become more prominent. These concerns are prompting some Americans to limit their online activity, according to data collected for NTIA [1] in July 2015 by the U.S. Census Bureau. This survey included several privacy and security questions, which were asked of more than 41,000 households that reported having at least one Internet user.

Perhaps the most direct threat to maintaining consumer trust is negative personal experience. Nineteen percent of Internet-using households—representing nearly 19 million households—reported that they had been affected by an online security breach, identity theft, or similar malicious activity during the 12 months prior to the July 2015 survey. Security breaches appear to be more common among the most intensive Internet-using households.

This survey is indeed only one facet of a much larger topic and pervasive problem.  Digital Trust is the output of making affirmative "Trust Decisions" with computing devices.  Whether machine-to-machine, person-to-machine, or machine-to-person, each requires several technology engineering elements and business rules that are understood and agreed upon.  The question is: by whom?

Consumers who use the Internet for communications and commerce and fall victim to identity theft, stolen funds or other fraudulent schemes are just the first wave of targets for transnational organized crime (TOC).  We have known this since the invention of virus scanners and bug bounty programs, in the early days of the 21st century.

Yet fifteen-plus years later, the government is doing a study on consumers' feelings about privacy and security.  As a business or a consumer, we understand that the speed of commerce and technology is always far ahead of the regulations and the laws.  When enough people or businesses seem to be harmed, the momentum for policy shifts begins, and new laws are sometimes enacted after thousands of pages of semantic negotiation.

The answers and the outcomes we seek will come.  However, they will not first be solved by politicians and lawyers.  They will be mostly solved by our brilliant mathematicians, software engineers and data scientists.  At this point in time, we are getting so much closer to achieving digital trust through new innovations and inventions.  Just look at IBM Watson.

It is now time for business and commerce to begin the process of finding the truth.  Why do we continue to allow the levels of known bad actors to operate inside and within our networks?  It's a numbers game and it is because the criminals also employ the smartest social engineers and data scientists.

Digital Trust in the next fifteen years will mean something different than it does today.  We will have found the formula along the journey, the new equations and the rules agreed upon by all to make online and digital commerce more safe and secure.  So what will we do today and tomorrow, until the engineers and scientists save the day?

At this point in time, it is simply called "Know-Your-Customer" (KYC).  If this were utilized more effectively across critical infrastructure sectors beyond finance in our digital economy, then we would be making some progress.  Which sector are we talking about next?

The FTC and FCC are well on their path to defining those critical elements of improving the trust that consumers have when using their digital tools with ICT and on service providers' web sites.  Yet even to this day, you can still find the criminals using and leveraging our own Internet Service Providers (ISPs) to launch their attacks and perpetuate their fraudulent schemes.  How will this ever be deterred?  Could a version of KYC work with the ISPs?

Even with a global banking system in place, you have pockets of greed and deceit: rogue nations or territories that have become the go-to locations for the transnational organized crime syndicates to flourish.  Yet we can do much better than we are today.

Just ask any "BlackHat" hacker from Eastern Europe who they prefer to do business with.  Query the experts that exist on the dark side and you will find the ISPs they prefer to do business with.  One day the regulators will realize this is where the business of e-crime has an opportunity for change and additional reform.  It will be more than just opening an account to gain access to the Internet.  It will be about scaling up our systems to a future horizon with new rules and robust real-time behavioral predictive analytics.  In the meantime:
May 11, 2016 
In testimony before Congress today, the Federal Trade Commission outlined its work over the past 40 years to protect consumers’ privacy at a hearing convened to examine privacy rules proposed by the Federal Communications Commission.

Chairwoman Edith Ramirez and Commissioner Maureen Ohlhausen testified on behalf of the Commission. The testimony before the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law provided background on FTC law enforcement efforts, policy work and consumer and business education programs related to protecting consumers’ privacy.

The testimony highlighted the FTC’s extensive history of privacy-related work. The testimony noted that the agency has brought more than 500 privacy-related enforcement cases in its history against online and offline companies of varying sizes, including companies across the internet ecosystem. In addition, the testimony highlighted a number of recent cases of note.

The testimony also provided information on the FTC’s policy work in the privacy area, going back to its first internet privacy workshop in 1996. The testimony noted that recent policy work has been based on principles featured in the FTC’s 2012 privacy report, and also highlighted workshops and reports related to the Internet of Things, big data, and other issues, including cross-device tracking.

The testimony also described the FTC’s extensive consumer and business education efforts related to privacy, including the FTC’s Start With Security campaign for businesses, and the newly-updated IdentityTheft.gov.

07 May 2016

The Third Offset: Seeking the Speed of Trustworthiness...

The U.S. national security "Insider Threat Score" is on its way as a result of the aftermath of the Office of Personnel Management (OPM) hack.  The National Background Investigation Bureau (NBIB) is now standing up operations under the Pentagon umbrella.  Operational Risk Management (ORM) professionals are tracking this closely for good reason.  Social media activities such as this one could one day be a factor in that score.

Simultaneously, the NIST Special Publication 800-160 2nd Draft has been released.  This document entitled:  Systems Security Engineering "Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems" addresses a key component in the national security mosaic.

So if the goal of creating the "Insider Threat Score" is to help automate and maintain the process for better understanding trustworthiness, then the NIST publication should be at the center of the table at the National Background Investigation Bureau.  Why?  Definitions in Appendix B of the SP 800-160 Second Draft:

Trustworthiness: An attribute associated with an entity that reflects confidence that the entity will meet its requirements.

Note: Trustworthiness, from the security perspective, reflects confidence that an entity will meet its security requirements while subjected to disruptions, human errors, and purposeful attacks that may occur in the environments of operation.

Trust: A belief that an entity will behave in a predictable manner in specified circumstances.

The degree to which the user of a system component depends upon the trustworthiness of another component.

Note 1: The entity may be a person, process, object, or any combination thereof and can be of any size from a single hardware component or software module, to a piece of equipment identified by make and model, to a site or location, to an organization, to a nation-state.

Note 2: Trust, from the security perspective, is the belief that a security-relevant entity will behave in a predictable manner while enforcing security policy. Trust is also the degree to which a user or a component depends on the trustworthiness of another component (e.g., component A trusts component B, or component B is trusted by component A).

Note 3: Trust is typically expressed as a range (e.g., levels or degrees) that reflects the measure of trustworthiness associated with the entity.
The future of the automation of the clearance process, continuous monitoring of "Insider Threat Scores" and the trustworthy secure systems software engineering for accomplishing this remains mission critical.  The "Cleared Community" of private sector "Defense Industrial Base" (DIB) contractors will also be impacted by the convergence of both.

So who are the personnel who could be impacted by these two converging initiatives:
  • Individuals with systems engineering, architecture, design, development, and integration responsibilities; 
  • Individuals with software engineering, architecture, design, development, integration, and software maintenance responsibilities; 
  • Individuals with security governance, risk management, and oversight responsibilities;
  • Individuals with independent security verification, validation, testing, evaluation, auditing, assessment, inspection, and monitoring responsibilities;
  • Individuals with system security administration, operations, maintenance, sustainment, logistics, and support responsibilities;
  • Individuals with acquisition, budgeting, and project management responsibilities;
  • Providers of technology products, systems, or services; and
  • Academic institutions offering systems security engineering and related programs.
As the government moves towards more trustworthy secure computing systems, the private sector will be there to assist.  Yet the future of our trusted environments will depend on how often we perform and how well we perform without error.

Software is continuously changing, and the fear of changing it too often has been one of our greatest downfalls.  That fear of change has created our largest exposures to continued exploits and attacks by our most sophisticated adversaries.  Remember, Edward Snowden worked for a private sector contractor.

There are a few trustworthy organizations that have realized this fact and are now on an accelerating path for reaching a higher level of trust.  With their software systems and their people.  However, they did this with a leap of faith and the understanding that the speed to reach more trusted computing environments, was absolutely vital.

Look around the Nation's Capital Beltway and you will find a few examples of the ideal innovation architecture strategy that will propel us into that next level of trustworthiness.  An affirmative decision to trust is now before us, and the time we take to make that trust decision is our greatest challenge.  Will it be hours, minutes, seconds or nanoseconds?  Marcel Lettre, Under Secretary of Defense for Intelligence, has this perspective:
"The intelligence community’s role in what Pentagon planners call “the third offset”—the search for continuing technological advantage over enemies—will feature robotics, artificial intelligence, machine learning and miniaturization. They will be applied in the areas of “pressing for global coverage capabilities, anti-access/area denial, counterterrorism and counter-proliferation, cybersecurity and countering insider threats,” Lettre said.

He said Defense is reaching out to obtain the expertise of its industrial partners, including Silicon Valley, while workforce planners are focused on “bringing in another generation skilled at innovating in the technology sector.”

01 May 2016

Innovation: Truth in Data Provenance...

For years mathematicians and computer scientists have written about the trustworthiness of data provenance.  Relying on the integrity of data collection, transport and of course the source of data is a real science.  Our modern day zeros and ones span all aspects of our lives and Operational Risk Management (ORM) professionals have encountered the questions surrounding trust and the process of decision making long before the invention of computing machines.

At the root of decision making with integrity, the source of data is questioned: the reliability and history of previous data from that source.  As the data was transported from Point A to Point B, was there any possibility that it was altered, modified or corrupted?  Couriers and "Hawala"-type systems have been used by traders and terrorists for hundreds of years.

"Truth in Data Provenance" is the question mark that enables our trust decisions.  This is why modern day cryptography is at the center of so many arguments and debates when it comes to the topic of trusted information.  Yet hundreds of years ago, long before telecom and ICT were invented, the trustworthiness of data provenance was a vital factor.  Transposition ciphers were already in use by the ancient Greeks.
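The hand-off questions raised in the "Data Provenance: The Truth of Information" post above (how many couriers carried the message, who controlled the path, was the content altered in transit) and this post's point that cryptography sits at the center of trusted information can be made concrete with a small chain-of-custody ledger. The Python below is an added illustration written for this page, not code from the blog or from any product it mentions; the three custodians, their keys and the message are constructed assumptions. Each party that handles the message appends a record, authenticated under its own key, that commits to the message hash and to the previous record, so a reviewer can later tell which link was forged, which hand-off was dropped, and whether the content changed along the way.

```python
"""Chain-of-custody ledger for a message in transit (added illustration).

Assumptions, not from the original posts: three custodians (originator,
courier, archive) each hold a secret key, and the message and keys below are
constructed for this demo. Each hand-off appends a record that commits to the
message hash and to the previous record, so a reviewer can verify every link.
"""
import hashlib
import hmac
import json

# Constructed demo material; a real deployment would provision per-party keys
# through a key-management system, never as literals in source.
PAYLOAD = b"Wire instructions: account 12345678, amount 48,500.00 USD"
KEYS = {
    "originator": b"originator-secret-key-demo",
    "courier": b"courier-secret-key-demo",
    "archive": b"archive-secret-key-demo",
}
GENESIS = "genesis"   # marker for the first record's predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(key: bytes, record: dict) -> str:
    """HMAC over the canonical JSON of the three committed fields."""
    body = {k: record[k] for k in ("custodian", "payload_sha256", "prev")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def record_handoff(chain: list, custodian: str, key: bytes, payload: bytes) -> list:
    """Append a custody record: who held the message, what it hashed to, and
    which record preceded this one."""
    record = {
        "custodian": custodian,
        "payload_sha256": sha256_hex(payload),
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    record["mac"] = _mac(key, record)
    chain.append(record)
    return chain


def verify_chain(chain: list, keys: dict, payload: bytes):
    """Return (ok, reason). Fails on an unknown custodian, a forged or
    altered record, a missing or reordered link, or a payload that no longer
    matches what was handed over."""
    expected = sha256_hex(payload)
    prev = GENESIS
    for i, record in enumerate(chain):
        key = keys.get(record.get("custodian"))
        if key is None:
            return False, f"link {i}: unknown custodian"
        if not hmac.compare_digest(_mac(key, record), record.get("mac", "")):
            return False, f"link {i}: bad MAC"
        if record["prev"] != prev:
            return False, f"link {i}: broken link"
        if record["payload_sha256"] != expected:
            return False, f"link {i}: payload hash mismatch"
        prev = record["mac"]
    return True, f"{len(chain)} hand-offs verified"


def build_demo_chain() -> list:
    """Originator -> courier -> archive, each hand-off recorded in turn."""
    chain = []
    for custodian in ("originator", "courier", "archive"):
        record_handoff(chain, custodian, KEYS[custodian], PAYLOAD)
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain, KEYS, PAYLOAD))
    print(verify_chain(chain, KEYS, PAYLOAD + b" (amended)"))
    short = [dict(r) for r in chain]
    del short[1]                       # a hand-off quietly removed
    print(verify_chain(short, KEYS, PAYLOAD))
```

HMAC with a shared secret per custodian keeps the example in the standard library; it means the verifier must hold every custodian's key, so it suits an internal auditor rather than an outside party. Replacing each MAC with a digital signature over the same canonical record lets anyone holding the custodians' public keys verify the chain, which is the usual choice when provenance must be demonstrable to a counterparty or a court.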

So what?  In 2016 what does the truth in data provenance have to do with our business commerce, our transportation, our banking, even our abilities as governments to maintain our defense against attack?

The topic is vast and deep and worth exploration at the top level of human decision-making.  Yes, it is vital that our computing machines have high-assurance data integrity, in order for our global systems to operate day-to-day.  Yet what impact does trusted information have with humans in an environment of work and daily collaboration?  How does truth in data provenance, affect our decision making and the environments we work in?

In a recent report by LRN, the subject of trust in the work environment as a motivator has become more apparent:
Another fascinating result of the study had to do with two squishy-sounding characteristics of a company: character and trust. Companies deemed by employees to have both strong character and inspired trust performed almost four times better, using the metrics mentioned earlier, than those that had other positive cultural attributes, such as collaboration and celebrating others. (This applied to all three types of companies, though, naturally, culture and trust were much more prevalent in the self-governing ones) What’s more, “high trust” organizations were 11 times as likely to be called more innovative than their competitors. Trust, the How Report suggests, is more important than virtually any other characteristic.
How organizations address the trustworthiness of data provenance is still a new frontier in this day and age.  The use of new sensors, sophisticated analysis of "Big Data" by computer algorithms and the pace at which new data is generated by the "Internet of Things" (IOT) makes this a significant area of focus for our current executives and enlightened organizational leadership.

Why?
But what does that really mean? How does one measure the absence or presence of something as abstract as trust? The How survey defines it as “a catalyst that enhances performance, binds people together, and shapes the way people relate to each other.” High trust groups encourage risk-taking, which in turn is what is necessary for true innovation to occur. When innovation fails, says Seidman, it’s because companies don’t put enough faith in employees to let them take risks. The industries with the highest amount of trust were “computers/electronics,” followed by “software/Internet.” Coming in last? Government.
At the most fundamental level, the culture you are operating in has everything to do with the trust that exists or is absent.  It has everything to do with the trustworthiness of data provenance.  Leadership in any organization must see the relevance between trust and innovation, and between innovation and risk-taking.  Your future and your culture depend on it.

23 April 2016

Trust Decisions: The Wealth of Our Cognitive and Digital Transactions...

As you embark on your journey out the door today, you will be required to make dozens of "Trust Decisions".  The numerous human and digital trust transactions that you and the digital smart machines around you will encounter are quite fundamental.  Or are they?  As you walk into your office building, the surveillance cameras are watching you and recording your behavior.  The iPhone in your pocket is transmitting your unique signals to digital data sensors embedded in the lobby.  As you press the button on the elevator to go up to your office, you are making another affirmative decision to trust.

When you step off at your floor and approach the door to your office, you might utilize your small "Radio Frequency Identification" (RFID) device to swipe a small square mounted on the wall.  You hear the deadbolt unlock and you are now granted access to your office space to start your workday.  Now as you walk to your corner office, you glance at the top of the screen of your iPhone to see if you are connected automatically to the corporate wireless network and the VPN.  When you were granted access to the office, the corporate computer network knew you were now present in the office, and you were automatically granted access for your role on numerous software applications on your computing devices.

Start your day at work, and the number of digital trust encounters has only just begun.  The "Trust Decisions" that you and your digital devices will be making could reach into the hundreds after a long 8 hour day.  Yet there are five principles that emerged in May of 2015 from Oxford professor and author Jeffrey Ritter in his book "Achieving Digital Trust" that we should consider now:
  • Every transaction creating wealth first requires an affirmative decision to trust.
  • Building trust creates new wealth.
  • Sustaining trust creates recurring wealth.
  • Achieving trust superior to your competition achieves market dominance.
  • Leadership rises (or falls) based on trust (or the absence of trust).
Think about a day in the life of your entire organization and the number of digital trust transactions that have nothing to do with actual monetary currency transfers.  The wealth that is being described here may on first glance be thought of in terms of dollars or yuan or property, yet what about the wealth of human trust?  Wealth, after all, is a plentiful amount or an abundance of anything.  How tangible is the decision to trust the computing machine before you, or the person sitting across the desk who is a key supplier, or that new client halfway around the world just sending you a text message?

You see, we walk to work and communicate every day, making hundreds of trust decisions.  Our corporate computing devices are making tens of thousands or millions of transactions of trust each hour.  The rules, information and calculations are known, because they are being measured.  Jeffrey Ritter says it this way:
Take a moment and think about each of these with respect to what you do in your business or in your job. How does the organization acquire wealth? Where does new wealth originate? How are customers retained? What provokes them to keep coming back and paying for your goods or services? Why does the leader in your market succeed? If you are not the market leader, why not? How is the loyalty of your team maintained?
The future is clear and becoming more revealing to us each day.  Digital trust, security and privacy of your organization and our societies are being defined before us in plain sight.  Can you see it?  The Washington Post illustrates a single example:

By Hayley Tsukayama and Dan Lamothe April 22 at 7:22 PM

Ever since Chinese computer maker Lenovo spent billions of dollars to acquire IBM’s personal-computer and server businesses, some lawmakers have called on federal agencies to stop using the company’s equipment out of concerns over Chinese spying.

This past week, those lawmakers thought the Pentagon finally heeded their warnings. An email circulated within the Air Force appeared to indicate that Lenovo was being kicked out.

“For immediate implementation: Per AF Cyber Command direction, Lenovo products are being removed from the Approved Products List and should not be purchased for DoD use. Lenovo products currently in use will be removed from the network,” stated the message. The apparent directive was generally welcomed as it circulated around Capitol Hill.

Then the Pentagon’s press office weighed in. Not so fast, it said.
The "trust decisions" you make today at work, and as you navigate home for the evening, will now be more apparent.  A heightened understanding of digital trust and how you engage with these transactions each waking hour may assist you in creating new wealth.  Improving the trust you have with computing machines and others at home or work can make all the difference in life.

Where do you work and live?  Washington, DC.  London.  Moscow.  Beijing.  New Delhi.  Sydney.  It doesn't matter anymore because we are all connected by the Internet.  The opportunity for the societies of our planet to utilize "Information & Communication Technology" (ICT) to produce greater wealth is before us.  How will you proceed with your Trust Decisions?

16 April 2016

Leadership in Crisis: Building Trust with Continuous Training...

How often have you heard the leadership management philosophy that you must "Train Like You Fight"?  Here is another way to look at it:
The more you sweat in peace, the less you bleed in war.
Norman Schwarzkopf
The theme is all too familiar to Operational Risk Management (ORM) teams that operate on the front lines of asymmetric threats, internal corruption, natural disasters and continuous adversaries in achieving a "Defensible Standard of Care."

As the senior leader in your unit, department or subsidiary, the responsibility for preparedness, readiness and contingency planning remains high.  Your personnel and company assets are at stake, so what have you done this month or quarter to train, sweat and prepare?  How much of your annual budget do you devote to the improvement of key skills for your people in a moment of crisis or chaos?

What will the crisis environment look like?  Will it develop with clouds, water and wind, or a significant shift in tectonic plates?  Will it begin with the insider employee copying the most sensitive merger and acquisition strategy to sell to the highest bidder?  Will it start with a single IT server displaying a warning to pay a ransom or lose all possibility of retrieving its data and operational capacity to serve your business?  Will it end up being another example of domestic terrorism or workplace violence like San Bernardino, Paris or Ft. Hood?

Leaders across our globe understand the waves of risk and the possible issues that they may encounter each year.  Many travel to Davos to the World Economic Forum where the world tackles these disruptive events, with the best minds and exchange of information.  Why?  They understand that vulnerability is what they fear the most.

Yet what can you do in your own community, at your own branch office to address the Operational Risks you face?  How can you wake up each day with the confidence as a leader, that you have trained and prepared for the future events that will surprise you?  It begins with leadership and a will to lead your team into the places no one really likes to talk about.  The scenarios that people fear to train for, because they think they will never happen.

Achieving any level of trust with your employees, your customers and your supply chain revolves around your leadership.  The discipline of "Operational Risk Management" is focused on looking at all of the interdependent pieces of your business mosaic: the environment you operate in, even the building that houses your most precious assets.  All of these factors are considered in developing and executing your specific plan for training and readiness.

So what?  The question is "Why Don't Employees Trust Their Bosses"?
Why this lack of trust?

There is a disparity, the survey revealed, between areas that employees said were important for trust, and the performance of company leaders in these areas.

For example, half of respondents said it was important for the CEO to be ethical, take responsible actions in the wake of a crisis and behave in a transparent way. However, a much lower number of respondents actually felt their CEO was exhibiting these qualities.

This disparity is in part responsible for trust decreasing as you move down an organization’s hierarchy. So, while two-thirds of executives trust the company, less than half of rank-and-file employees do. Equally, peers were rated as much more credible than CEOs.
As a leader, your roles are multi-faceted and there is never enough time or money in the budget.  The leaders who excel in the next decade will find a way.  They will invest in their teams' training and in the systems to increase trust, by addressing Operational Risk Management (ORM) as a key component of the interdependent enterprise.

The "Trust Decisions" you require, and the understanding developed to ensure effective "Trust Decisions" by all of your stakeholders, will remain your most lofty goal as a leader.  How you train to fight and how you sweat now will make all the difference in your next war.  From the boardroom to the battlefield, your leadership is all that is needed.  Your leadership will make a difference.

09 April 2016

Trade Secrets: Gearing up for DTSA...

The Fortune Global 500 and the smallest research and development organizations in the U.S. have another ruleset to keep their eye on this week.  It is named DTSA, or S.1890, the Defend Trade Secrets Act of 2016, which has passed the Senate.  Operational Risk Management (ORM) is preparing for the next addition to national laws.

The attribution of cyberespionage adversaries has been gearing up since the Sony Pictures hack.  The private sector has been hunting and identifying those shadow individuals and nation state special units for years.  Now the lawyers can get more aggressive with civil actions.

The question remains, will another law deter the actions by global organized crime and the intelligence community of some significant nations?  How will attribution and more aggressive civil actions in foreign jurisdictions make a difference?

As a global organization, can you access your database of confidential trade secrets?  No different from the task of identifying the information assets that you are going to protect, you need an inventory.  What are they and where are they?  Everyone knows the formula for "Coca-Cola" is written on a single piece of paper that is locked up in a vault in Atlanta, GA, right?  Or is it?

There are trade secrets across America that have been stolen by operatives working inside organizations.  They may be preparing to leave the U.S. for another country outside the reach of law enforcement and the legal process for seizing the stolen property.  That is going to change soon.
The Ex Parte Seizure Order is part of the Trade Secrets bill that allows a trade secret owner to obtain an order from a judge for U.S. marshals to seize back the trade secret from the alleged bad actor without prior warning. This is to protect the trade secret owner from having the alleged bad actor skip the country or destroy the evidence before it is recaptured.
Now that Trade Secrets are in the same legal and enforcement category as patents and trademarks, you can predict that your legal budgets will need to be adjusted upwards.  In general, what is a Trade Secret?
The subject matter of trade secrets is usually defined in broad terms and includes sales methods, distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients, and manufacturing processes. While a final determination of what information constitutes a trade secret will depend on the circumstances of each individual case, clearly unfair practices in respect of secret information include industrial or commercial espionage, breach of contract and breach of confidence.
The effort to make intellectual property a "Trade Secret" is another strategy in itself. The determination to designate something a trade secret is going to depend on the invention or the data itself. We understand. So what?
A Chinese businessman pleaded guilty Wednesday (March 23) in federal court in Los Angeles to helping two Chinese military hackers carry out a damaging series of thefts of sensitive military secrets from U.S. contractors.

The plea by Su Bin, a Chinese citizen who ran a company in Canada, marks the first time the U.S. government has won a guilty plea from someone involved with a Chinese government campaign of economic cyberespionage.

The resolution of the case comes as the Justice Department seeks the extradition from Germany of a Syrian hacker — a member of the group calling itself the Syrian Electronic Army — on charges of conspiracy to hack U.S. government agencies and U.S. media outlets.
Our adversaries are determined. They are already here. It has been documented for years. Let the next wave of legal indictments and seizures begin. One thing is certain. The "Insider Threat" is still present and your organization can do better. The ability to effectively utilize the correct combination of controls, monitoring, technology and internal corporate culture shifts will make all the difference. What are you waiting for?

03 April 2016

Fifth Discipline: The Evolution of Digital Intelligence...

"Learning organizations themselves may be a form of leverage on the complex system of human endeavors.  Building learning organizations involves developing people who learn to see as systems thinkers see, who develop their own personal mastery, and who learn how to surface and restructure mental models, collaboratively.  Given the influence of organizations in today's world, this may be one of the most powerful steps towards helping us "rewrite the code," altering not just what we think but our predominant ways of thinking.  In this sense, learning organizations may be a tool not just for evolution of organizations, but for the evolution of intelligence."  --Peter M. Senge -The Fifth Discipline - 1990

Many senior executives and a cadre of experienced Ops Risk professionals who are waking up across the globe today keep this textbook within arm's reach.  Why?  All 413 pages of wisdom and knowledge transfer are applicable this moment, even though it was written and practiced several years before the commercial Internet was born.  Our respective cadre of "Intelligence Analysts" spans the organization, continuously seeking the truth, analyzing the growing mosaic, applying new context and taking relevant actions.

In an environment now vastly more virtual, far beyond the paper pages of Senge's book, lies the contemporary intelligence of "IBM's Watson."  At the fingertips of the FireEye operators or the Palantir Forward Deployed Engineer, we have new insights almost in real time.  The "Learning Organizations" are no longer in a traditional hierarchy.  They are flat, agile and capable of tremendous autonomy at light speed.

So what is the opportunity now?  How can we potentially move towards more collaborative systems thinking and "rewrite the code" even in the 2nd decade of the 21st century?  It starts with rewriting the new digital code.  It continues as we reengineer our "Learning Organizations" for a digital environment that operates 24 x 7, that is ever more fragile, and in which trust is so inherent.  We can still create and deploy systems thinkers to question the truth and learn from the speed and capabilities of our new intelligent machines.

Peter Senge outlines five learning disciplines in his book on three levels:
  • Practices:  What you do
  • Principles:  Guiding ideas and insights
  • Essences:  The state of being of those with high levels of mastery in the discipline
The five disciplines are:
  • Systems Thinking
  • Personal Mastery
  • Mental Models
  • Building Shared Vision
  • Team Learning
The enterprise architecture for our modern day learning organization is in its infancy.  You see, the technologies and the software have outpaced our human ability to apply them effectively with the five disciplines.  One of our continued vulnerabilities is the ignorance of information governance as it pertains to the truth of data provenance and how, as humans, we apply the disciplines of learning in our digital organizations.
The international hacker who allegedly accessed personal emails and photographs belonging to the family of former president George W. Bush and whose cyber-mischief revealed that Hillary Clinton was using a private email address appeared in a U.S. court for the first time Friday.

Marcel Lehel Lazar — better known by the moniker “Guccifer” that he is said to have affixed to the materials he stole — is charged with cyber-stalking, aggravated identity theft and unauthorized access of a protected computer in a nine-count indictment filed in 2014 in federal district court in Alexandria, Va. He was extradited to the United States recently from Romania, his home country, where he had been serving a sentence for hacking.
Our organizations are a "plume of digital exhaust" that is invisible to many and crystal clear to some.  As you begin to capture and document the digital footprint of today's knowledge worker, the trail is long and deep.  Even the shadow planners, logistics experts and operators cannot escape the digital encounters they have each day.  However, the apparent threat is that they will continuously become more aware and more disciplined.

The art and practice of gaining and preserving "Digital Trust" is at stake for all of us.  The vast and consistent application of understanding "trust decisions" in our digital lives will forever provide us new found challenges and new discoveries.  How we consistently apply our digital disciplines going forward will make all of the difference in our prosperity or our future peril.  How we reengineer our learning organizations for 2025 and beyond is now at our doorstep.
Today, privacy, information security, cyber defenses—all revolve around the same target: achieving trust to sustain electronic commerce and create new wealth. Digital trust is not only required; achieving digital trust will prove to be the competitive differential for the winners of the next generation.  --Jeffrey Ritter
Think about your digital footprints as you interact, communicate, travel and read the news today.  Activity-based Intelligence (ABI) is a business and you are the product.  The question is, how can you and your learning organization move from the "Fifth Discipline" to the next one?  What cognitive strategies and new disciplines will you and your organization deploy this year to attain new levels of prosperity and insight?

The journey will be long and the opportunities will be explored.  It's time that more learning organizations start the reengineering with the right tools and talent.  Yes, this is the next evolution of intelligence.