31 December 2009

NSPD-54: The Risk of Privacy...

It has been six days since one of the latest attempts to compromise the "Air Domain" and attack the United States. Aviation, homeland security and transportation, intelligence and law enforcement officials are burning the midnight oil but this is standard operating procedure. Operational Risk Management is in the cross hairs of the core conversation associated with the threat and the likelihood of a similar incident happening again. The Washington Post is now reporting:

President Barack Obama said he would meet the heads of U.S. intelligence agencies on Tuesday to discuss ways of preventing a repeat of the attempted bombing of a Detroit-bound airliner on December 25.

Obama said in a statement he expected to receive assessments from several intelligence agencies Thursday evening and would review them during the weekend. He ordered the assessments after criticizing what he called the systemic failure that allowed the accused bomber to board the plane in Amsterdam.


So what does this incident have to do with NSPD-54? What is the nexus between information collection, analysis and action to defend our cyber infrastructure while simultaneously defending the public from other threats to the homeland?

NSPD-54 known as the CNCI (Comprehensive National Cybersecurity Initiative) attempts to unify agencies' fragmented approach to federal cybersecurity by reworking and expanding existing programs and developing new security programs that are better at reducing the risk that networks can be hacked.

The initiative's budget officially has been kept secret, but some cyber analysts estimated it to be $40 billion, spread over several years. According to the Washington Post, Bush's single-largest request for funds in the fiscal 2009 intelligence budget was for CNCI, although specific figures were not released.


Monitoring your information whether Personal or not is a National Priority and the telecom companies are collaborating with the correct US agencies to make sure that privacy is at the forefront of the conversation. The risk of too much privacy will continue to be one of our greatest vulnerabilities and the bad guys know this.

The "Risk of Privacy" and Einstein 2 or 3 will be at the top of the agenda for Howard Schmidt and his new role as Cyber Space Coordinator. The industry groups are pleased that he understands the private sector and the fact that he has served in previous administrations may assist in his ability to build important bridges across deep chasms of relationships.

There are some that would say that the reason why the "Dots are not Connected" sooner, faster or more efficiently is because we are drowning in too much information to analyze. The automation of collection is the easy part. The filtering and pushing relevancy through the digital cheese cloth to get the most vital intelligence assets is a bit harder to accomplish. The human analysis and applying "Gray Matter" to the problem set and understanding the current "State-of-Play" is the ultimate challenge.

Beyond this, the average "John Q" citizen has probably never heard of 28CFR Part 23. The privacy assurance mechanism put into place in the 90's pertaining to the fusion of criminal intelligence. Perhaps this is the single greatest impediment we face to insuring our safety, security and threats from transnational eCrime syndicates, non-state actors and even the most sophisticated Nation States.

It is recognized that certain criminal activities including but not limited to loan sharking, drug trafficking, trafficking in stolen property, gambling, extortion, smuggling, bribery, and corruption of public officials often involve some degree of regular coordination and permanent organization involving a large number of participants over a broad geographical area. The exposure of such ongoing networks of criminal activity can be aided by the pooling of information about such activities. However, because the collection and exchange of intelligence data necessary to support control of serious criminal activity may represent potential threats to the privacy of individuals to whom such data relates, policy guidelines for Federally funded projects are required.

Fortunately for most, the opportunity exists for our government to "Connect The Dot's", prevent the next significant or systemic intelligence failure with the use of the correct technologies. After all, the human factors will continue to compromise our ability to achieve the level of "Predictive Analytics" and the intelligence we seek.

19 December 2009

Operational Risk: Where Men Win Glory...

As the blizzard of snow descends on the Nations Capital of the United States today, almost everything has come to a halt. The quiet calm of +16" of white fluffy snow a week before Christmas puts Emergency Operation Commands into action and "All Hands" are on deck.

Three people have died in Virginia as a major snowstorm slams the East Coast on the weekend before Christmas, said Virginia's emergency management department.

One person died late Friday and two others died Saturday in a pounding storm. More heavy snow was expected in the state.

The foul weather prompted an emergency declaration in the nation's capital, stranded hundreds of motorists, brought havoc at airports, caused power outages, and threatened to keep hordes of Christmas shoppers indoors.

The storm is blanketing the mid-Atlantic region and the heavily populated Interstate 95 corridor, and 10 to 20 inches of snow were predicted for swaths of the region.

The National Weather Service issued a blizzard warning for the D.C. area. Snowfall accumulations from 12 and 22 inches along with 40-mph wind gusts were "expected to create whiteout conditions later this afternoon."



Simultaneously, the mechanism of defending the country and our most valued democratic nations states is in full swing with the logistics of war. Men and women, Moms and Dads, Brothers and Sisters, or Sons and Daughters are being deployed to Afghanistan. Their Christmas will not be with their family, but with their fellow patriots.

"Who among mortal men are you, good friend? Since never before have I seen you in the fighting where men win glory, yet now you have come striding far out in front of all others in your great heart..."
--Homer, The Iliad

The September 11, 2006 issue of Sports Illustrated has a young soldier sitting in the base of a tree on a hillside on the Afghanistan-Pakistan border. Remember His Name is the cover story. Pat Tillman walked away from his $3.6M contract in the National Football League (NFL) in May of 2002 to join the US Army. On April 22, 2004 Pat lost his life to friendly fire, as a result of a complete failure of Operational Risk Management.

Jon Krakauer's book "Where Men Win Glory" The Odyssey of Pat Tillman was published in 2009.

This time around we can only pray that "Operational Risk Management" (ORM) is being practiced and with diligence. The SOCOM operator under extreme stress requires controls and training in order to perform effectively. ORM is all about loss events and the pursuit of reducing or eliminating those events whether they be measured in dollars or human lives.

As 2010 approaches, Operational Risk Management will be ever so more important to our commanders in Afghanistan, corporate CEO's and our Public Safety officials. Each has a role in mitigating the risk to people, vital assets and our national security. And maybe more importantly, they should remember Pat Tillman.

10 December 2009

Legal Doctrine: Intelligence - led Threat Assessment...

Corporate Threat Assessment is gaining new momentum as "Operational Risk Management" professionals utilize new business processes and tools to preempt human malfeasance. Whether it is the disgruntled employee who has just been separated from the company or the college student who acts against his math teacher for grades; the question remains: How could this have been prevented?
The Washington Post reports:

A disgruntled 20-year-old student walked into a classroom at the Northern Virginia Community College campus in Woodbridge on Tuesday afternoon and fired at least two shots from a high-powered rifle at his math teacher, authorities said.

The teacher saw the gun, yelled for her 25 students to duck and then hit the floor.

"We heard a boom," one of the students said later. "I thought to myself, did a computer explode?"

The student's shots missed. He put the gun down, sat on a chair in a fourth-floor hallway and calmly waited for police.

Jason M. Hamilton of Baneberry Circle in the Manassas area was charged with attempted murder and discharging a firearm in school zone. He was being held without bail, and police officers said they wanted to question him about a motive.

The legal machine is at work to determine the multitude of reasons why this incident occurred and to collect the evidence in the case. The investigation into "Who Knew What When" will be spinning up almost simultaneously as the plaintiff lawyers determine what opportunities might exist for a law suit. Several areas of questioning for Northern Virginia Community College (NOVA) will include:

1. What evidence is there of a Duty to Care: Did NOVA provide training for professors to alert an internal "Threat Assessment Team" whenever they witnessed or found evidence of specific pre-incident indicators?

2. What evidence is there of a Duty to Warn: Did NOVA warn fellow employees to keep an eye out for any students carrying long slender bags into campus buildings or to monitor parking lots for suspicious activity?

3. What evidence is there of a Duty to Act: Did NOVA provide notice to security employees on the student who was absent during the term for over three weeks ?

4. What evidence is there of a Duty to Supervise: Did NOVA professors report any strange behavior, statements, or even the fact that the student had been absent almost a month?

Human behavioral studies regarding workplace safety suggest, that one in five people come to the institution every day with a serious problem going on in their personal life. This has a dramatic effect not only on workplace performance but also the potential for bad behavior. This bad behavior could be acted out physically or quietly and in stealth mode. In either case, the company, it's employees and the reputation of the institution are at stake. What is your Corporate Threat Assessment Team working on today to preempt the next incident?

As the investigators evaluate the digital evidence in the case such as e-mails, Facebook Wall postings or other information found on a PDA, laptop or home computer the "Smoking Gun" may be uncovered. And when it becomes public, the game changing events will begin to unfold. Many companies feel that having a formal internal "Threat Assessment Team" sends the wrong message to the employees that "Big Brother" is watching. This could not be further from the true state of mind by many employees today. Knowing that a team is proactively addressing the one in five employees everyday in the workplace should provide more peace of mind than the thought of an invasion of privacy.

So what are the typical channels that an employee will use to communicate their grievance or threat?

  • Letter - 2%
  • Phone message - 5%
  • Social Networking site - 7%
  • Text message - 9%
  • e-Mail - 22%
  • Verbal threat - 46%

Source: Laurence Barton, Ph.D. - Current Study to be completed in February, 2010

If this trend continues then over half of the communicated threat will be via a digitally based medium. What is your organization doing today to monitor communications for specific threats to your employees, suppliers or partners? The modification of Acceptable Use Policy and the other legal policy regarding the workplace monitoring of e-mail is not a new phenomenon in many organizations, notably those in the Defense Industrial Base (DIB.)

Recent changes in the privacy settings of Facebook makes much of the information placed in these 350 million profiles public information and therefore, capable of being viewed and analyzed by a proactive threat management team. Here is the analysis from the EFF:

The Ugly: Information That You Used to Control Is Now Treated as "Publicly Available," and You Can't Opt Out of The "Sharing" of Your Information with Facebook Apps

Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI." Before, users were allowed to restrict access to much of that information. Now, however, those privacy options have been eliminated. For example, although you used to have the ability to prevent everyone but your friends from seeing your friends list, that old privacy setting — shown below — has now been removed completely from the privacy settings page.


There are legal cases pending and there will be more to come about whether the mining of public data for profiling people is against the law. In most cases, it will be dependent on who is doing the collecting and for what reasons. Yet the most sophisticated systems for doing analytics or the latest matrix or mosaic methodology will not be able to provide a fail safe for the corporate enterprise. This is precisely why the earlier mentioned employer "Duties" are so vital to day to day operational risk management. The actions you take before, during and after an incident will be the most vital to your legal and reputations survival.

TWO computer programmers who worked for convicted fraudster Bernie Madoff were charged with bribery by the US Securities and Exchange Commission today.

Jerome O'Hara and George Perez allegedly took bribes to create false documents and trading records for Bernard L Madoff Investment Securities LLC for more than 15 years, according to the SEC's complaint.

"Without the help of O'Hara and Perez, the Madoff fraud would not have been possible," George S Canellos, director of the SEC's New York regional office, said.

"They used their special computer skills to create sophisticated, credible and entirely phony trading records that were critical to the success of Madoff's scheme for so many years."

Operational Risk Management requires a vigilance of monitoring digital information inside and outside the workplace. Those institutions who combine the correct legal doctrine, business processes and technology will prevail in the vast chaos of litigation and human threats within the workplace.

04 December 2009

Lying in Wait: Cyber Pearl Harbor...

The Operational Risks associated with the corporate battle against "Conficker" are still a true threat to our cyber infrastructure and maybe more than we could have ever imagined. Is this "Botnet" lying in wait for some future 4th Generation Warfare master plan?

Speaking at an end of year wrap, F-Secure chief research officer, Mikko Hypponen, said 2009 was an exceptional year in IT security.

“We never see huge malware outbreaks anymore — except this year we did,” he said “Conficker peaked with over 10 million infected computers around the world and at the end of 2009 is still in millions of computers.

“This was very advanced malware using several tricks we have never before seen. [It was] a massive botnet not being used by the malware operators for anything useful and we still don’t the real story behind Conficker and that makes it one of the biggest mysteries in the history of malware.”

DHS CyberStorm III is scheduled for September 2010 and will leverage the lessons learned from I and II. What are some of the major "Wake-up Calls" in the CSII Final report:

  • Finding 1: Value of Standard Operating Procedures (SOPs) and Established Relationships.
  • Finding 2: Physical and Cyber Interdependencies. Cyber events have consequences outside the cyber response community, and non-cyber events can impact cyber functionality.
  • Finding 3: Importance of Reliable and Tested Crisis Communication Tools.
  • Finding 4: Clarification of Roles and Responsibilities.
  • Finding 5: Increased Non-Crisis Interaction.
  • Finding 6: Policies and Procedures Critical to Information Flow.
  • Finding 7: Public Affairs Influence During Large Scale Cyber Incidents.
  • Finding 8: Greater Familiarity with Information Sharing Processes.
  • Source: CyberStorm II Final Report - Page 3-4 - July 2009
The Homeland Security Department's third large-scale cybersecurity drill in September 2010 will test the national cyber response plan currently being developed by the Obama administration, said industry and government participants in the simulation exercise during a conference on Tuesday.

Cyber Storm III will build upon the lessons learned in the two previous exercises that took place in February 2006 and March 2008, and provide the first opportunity to assess the White House strategy for responding to a cyberattack with nationwide impact.


You are not going to hear very many people talking about "Conficker" being the beginning of a "Cyber Pearl Harbor" sneak attack and for good reason. SEE FINDING 2.

Physical and cyber attacks are rarely mutually exclusive. Physical attacks impact cyber infrastructure and cyber disruptions can have acute physical impact. This is why an "All Threats and All Hazards" approach has been adopted by many, including this blogger.

The 20+ page report from DHS took thirteen months to produce. Exercise in March 2008 and report in July 2009.

Yet the realistic future scenario is not too much of a stretch to imagine. At some point after the "Conficker" malicious code is put into action, a "Stall" warning light comes on at US-CERT. The Internet is the mechanism for the delivery of a lethal payload never before experienced in any previous tests, or real events. William Jackson has this to say:

"Dec. 7 is the anniversary of the Japanese attack against Pearl Harbor that crippled the U.S. Pacific fleet and brought this country into World War II. What have we learned in the 68 years since that world-changing day?

The threat in our age is less to ships and aircraft than to the technology that controls so many aspects of our lives. Many observers have warned that our defenses are not adequate to protect our nation’s critical infrastructure, and the phrase Electronic or Digital Pearl Harbor has been commonly used to describe a surprise cyber attack that could cripple our military and commercial capabilities. Dire as these warnings are, we should take them with a grain of salt.

Although cyber threats are real, the chances of a Digital Pearl Harbor remain small. This is due not so much to the success of our cyber defenses, which in many places remain inadequate, but to the realities of warfare and networking."

Perhaps there really is an "E-Qaida" as Brian Krebs of the Washington Post has alluded to in his Security Fix column. An insurgency from non-state actors and not China as many would say is our largest cyber enemy from a non-nations state. If this is true and the "E-Qaida" are out there, then you can quickly make the leap to counter insurgency, irregular warfare and other metaphors in the wars of Iraq and with the drug cartels of Latin America. Fourth Generation Warfare (4GW) insurgencies can't be compared to traditional insurgency models in that they do not intend merely to replace the existing government. The target is the state itself.

Physical weapons are not the only tools of the insurgents. Recently, the internet and satellite television have increased the opportunities for insurgent groups to recruit, communicate, and wage war to win the opinions of their target populations whether they are the local populace, foreign governments or the world public at large. In 4GW environments, physical weapons may be counterproductive to the cause of the insurgents. The prodigious use of propaganda may be all that is needed to achieve their goals. Source: FMFM 3-25
So if you are reading this now, is it working?