22 November 2009

National Security: Cyber Infrastructure Risk...

Is your organization a threat to national security? That depends on whether you own, install, and maintain critical infrastructure. When you hear the term "Critical Infrastructure," what comes instantly to mind? A bridge, a road or some other shovel ready project impacted by the EESA?

Yes, the hard leap for many to get their head around is that your cell phone, TV and Internet connection are vital "Critical Infrastructure," and if you are Verizon, AT&T, Sprint or a large cable company in the United States, national security is a top of mind issue. Is it possible that our country is at risk because of the same "Risk Management" paradigm that has plagued the Financial Services industry? A lack of resources and focus to detect, deter, defend and document risks to critical infrastructure could turn into a systemic and interdependent threat to our national security.

How can you make the case that the economic meltdown in the financial services sector is similar to a potential failure of the communications, IT, water or energy sector? It's easy. Look at human behavior and at the motivators of greed, selfishness and just plain blindness to a "risk bubble" waiting to burst. Who will be the next Bear Stearns in the communications sector? The fact is that a marketing department may have a larger budget than the internal audit department and the security department combined. When the nuts and bolts, concrete and plumbing associated with electronic commerce, banking, and just plain office automation slow to a crawl or halt in their tracks, the government will have to do the same thing all over again: bail out the industry and the companies who are the lifeblood of our critical infrastructure.

Our national security is at stake and the owners and operators are still waiting for the right incentives to invest in robust maintenance and security programs, instead of more marketing. After all, market share is what shareholders ask about along with how many new subscribers you won or lost last quarter. How often do we hear the question at the shareholders meeting that asks about the amount of downtime, failed systems or customers without service as a result of a "Glitch" or fried circuit board?

So how does the electronic critical infrastructure really impact national security? Homeland Security Presidential Directive 7 gives us some insight:

1. This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

2. Terrorists (including Cyber) seek to destroy, incapacitate, or exploit critical infrastructure and key resources across the United States to threaten national security, cause mass casualties, weaken our economy, and damage public morale and confidence.

3. America's open and technologically complex society includes a wide array of critical infrastructure and key resources that are potential terrorist targets. The majority of these are owned and operated by the private sector and State or local governments. These critical infrastructures and key resources are both physical and cyber-based and span all sectors of the economy.

4. Critical infrastructure and key resources provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debilitating effect on security and economic well-being.

5. While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

A culture of risk management is slowly moving its way into Board Room conversations, and the CEO may be on notice if the "Tone at the Top" is not focused on risk mitigation. However, that "Tone at the Top" needs to go beyond the shareholder value conversation to the national security topic. One only has to review what is happening in Brazil to get a sense of what may be heading to North America. The Toronto Sun reports:

SAO PAULO — Brazil’s president says last week’s massive blackouts in Latin America’s largest nation were caused by a short-circuit in a transmission tower. But President Luiz Inacio Lula da Silva says it’s unclear how the short-circuit happened.

The outages left nearly a third of Brazil’s 190 million citizens in the dark — raising concerns about energy security for football’s 2014 World Cup in Brazil, and the 2016 Olympic games in Rio de Janeiro.

Silva said Monday on his weekly radio program that the short-circuit happened in the rural Sao Paulo state town of Itabera. He says an investigation will determine why but offered no prediction on when it will be concluded.

Silva also says he will work hard to make sure similar blackouts don’t happen again.

One only has to look in a few places on the "Net" to get some idea of what the offensive cyberwarfare conversation is all about. Once you understand that the Brazil incidents are just a test, you realize that US shovel ready projects need a new public service announcement (PSA) with the shock value of a texting-while-driving spot. The risk of a specific kind of behavior on the road or within the corporate enterprise can have the same results. We have already nationalized the likes of AIG, Freddie Mac and Fannie Mae. Perhaps it is time to do the same for Cisco, Verizon, AT&T and others who are vital to national security and have them report to the Pentagon.

14 November 2009

Infinistructure: Who Knew What When...

Who knew what when? This is the question of the last year as we now embark on the path towards recovery. The Operational Risks that brought down our economic institutions are growing and the convergence has brought us even bigger systemic organizations "Too Big To Fail."

While many will be sidetracked by the need to deal with the toxic assets still on the books or in sinking portfolios, the "Zeros and Ones" don't lie. The information, digital evidence and just pure data audit trails will remain, for many to be caught, charged, indicted and then sent before a jury to decide their fate.

Managing risks in the enterprise today takes on many flavors and spans several departmental or enterprise domains of expertise. Whether it be the legal department, the IT department, Internal Audit, the Security department or even the Operational Risk Management Committee, the "Zeros and Ones" don't lie. Think about how much time the people behind corporate malfeasance spend trying to cover their tracks and clean up the digital "Blood Trail" of their crimes and wrongdoing, all the while knowing that someday a smart investigator or forensic examiner will connect the dots. Game over. Amir Efrati at WSJ writes:

Federal prosecutors in Manhattan brought criminal charges Friday against two men for allegedly being the technological brains behind Bernard Madoff's multibillion-dollar Ponzi scheme, and suggested charges against others could follow.

The case against two former computer programmers, Jerome O'Hara and George Perez, may help fill in key blanks in the timeline of how Mr. Madoff, who pleaded guilty to fraud earlier this year, masterminded a scheme that has cost thousands of investors more than $20 billion. The complaint hints at other unnamed "co-conspirators" at the Madoff firm who are now being targeted by prosecutors.

Whether it is two paid-off programmers coding the boss's "Business Rules" into the software or some other internal threat actor does not matter. Whether they are copying, stealing, altering or damaging the digital information within the organization does not matter either; these Operational Risks remain constant. The resources and the money devoted to continuous due diligence, monitoring and a preemptive strategy to deter, detect and defend the digital assets of the enterprise need to grow dramatically to stay ahead of the curve.
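The "Zeros and Ones don't lie" point above, and the altering-or-damaging-records risk just described, both come down to one control: an audit trail that makes in-place edits, deletions and reordering detectable. The following is an added example, not code from the original post or from any vendor named here. It chains each audit record to the previous one with an HMAC, so a programmer who quietly edits a stored record without the integrity key breaks every link after it and the verifier reports the earliest bad index, which is exactly where an examiner starts. The event records, the key and the service that is assumed to hold it are all constructed for illustration.

```python
"""Tamper-evident audit trail built from HMAC-chained records.

Added example (not from the original post). Assumption: the integrity key is
held by a separate log-integrity service, not by the application developers
whose records it protects.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

# Constructed sample events (hypothetical back-office records), not real data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"seq": 1, "actor": "ops_user", "action": "trade.book", "account": "ACCT-17", "amount": 12500},
    {"seq": 2, "actor": "ops_user", "action": "trade.book", "account": "ACCT-42", "amount": 9800},
    {"seq": 3, "actor": "admin", "action": "statement.generate", "account": "ACCT-17", "amount": 12500},
    {"seq": 4, "actor": "dev_user", "action": "record.update", "account": "ACCT-17", "amount": 12500},
]

GENESIS = "0" * 64  # link value that the first entry is chained to


def canonical(payload: Dict[str, Any]) -> bytes:
    """Deterministic serialization so the MAC covers the same bytes on every host."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def link_mac(key: bytes, prev_link: str, payload: Dict[str, Any]) -> str:
    """MAC over (previous link || canonical payload): binds this record to its predecessor."""
    msg = bytes.fromhex(prev_link) + canonical(payload)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(events: List[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    """Append events in order; each stored entry carries its payload, prev link and own link."""
    chain: List[Dict[str, Any]] = []
    prev = GENESIS
    for ev in events:
        link = link_mac(key, prev, ev)
        chain.append({"payload": dict(ev), "prev": prev, "link": link})
        prev = link
    return chain


def verify_chain(chain: List[Dict[str, Any]], key: bytes) -> Optional[int]:
    """Return None if the trail is intact, else the index of the first entry that fails.

    A failure at index i means entry i was edited, or an entry before it was
    deleted or reordered; everything from i onward is suspect.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return i  # chain broken: something between the previous entry and this one is missing or moved
        expected = link_mac(key, prev, entry["payload"])
        if not hmac.compare_digest(expected, entry["link"]):
            return i  # payload (or link) of this entry was altered
        prev = entry["link"]
    return None


def _copy_chain(chain: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [{"payload": dict(e["payload"]), "prev": e["prev"], "link": e["link"]} for e in chain]


def tamper_amount(chain: List[Dict[str, Any]], index: int, new_amount: int) -> List[Dict[str, Any]]:
    """Simulate an insider editing a stored record in place without the key."""
    edited = _copy_chain(chain)
    edited[index]["payload"]["amount"] = new_amount
    return edited


def delete_entry(chain: List[Dict[str, Any]], index: int) -> List[Dict[str, Any]]:
    """Simulate an insider deleting a stored record to hide an action."""
    edited = _copy_chain(chain)
    del edited[index]
    return edited


if __name__ == "__main__":
    key = b"demo-key-held-by-log-integrity-service"  # constructed for the example
    chain = build_chain(SAMPLE_EVENTS, key)
    print("intact trail ->", verify_chain(chain, key))                          # None
    print("amount edited at 1 ->", verify_chain(tamper_amount(chain, 1, 98000), key))  # 1
    print("entry 2 deleted ->", verify_chain(delete_entry(chain, 2), key))      # 2
```

The chain only holds if the key is out of reach of the people whose records it covers; an insider who can both edit the store and re-sign with the key can rewrite history cleanly. In practice that means the integrity service appends to a write-once or off-host store, and the key never lives on the application servers.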

The best way to figure out what to do and how to do it will require outside assistance. Moving your digital assets to be professionally managed makes sense for economic and other financially prudent reasons. Yet this migration away from large numbers of people managing and maintaining your information technology infrastructure internally and on your payroll is just the standard "outsourcing" strategy, right? It carries its own set of third-party supply-chain risks. After your next incident, who will be asking: Who knew what when?

Many private sector and government enterprises who are augmenting their COOP and the economic strategy of "Cloud Computing" have realized the smart course of implementing and migrating to managed services and infrastructure suppliers such as Terremark:

Terremark Worldwide (NASDAQ:TMRK) is a leading global provider of IT infrastructure services delivered on the industry's most robust and advanced operations platform. Leveraging purpose-built datacenters in the United States, Europe and Latin America and access to massive and diverse network connectivity from more than 160 global carriers, Terremark delivers government, enterprise and Web 2.0 customers a comprehensive suite of managed solutions including managed hosting, colocation, network and security services.

Terremark's acclaimed Infinistructure utility computing architecture has redefined industry standards for scalable and flexible computing infrastructure and its digitalOps service delivery platform combines end-to-end systems management workflow with a comprehensive customer portal.

How can the utilization of an "Infinistructure," combined with the knowledge and application of a legal compliance ecosystem in your enterprise, mitigate the risks associated with bad actors, unprepared personnel and the digital loss of key evidence? Stay tuned for more on this later. In the meantime, remember this: all of the newest technology, faster computers and networks enabled with encryption and secured physical locations will not be enough to save your institution from Operational Risks. It is just one more piece of the total risk management mosaic, which will still require the smartest people and the most robust policy and processes imaginable.

Who knew what when? This will continue to be the biggest question of the next decade.