28 May 2011

OPSEC: TQM in the Defense Industrial Base...

OPSEC in the Defense Industrial Base (DIB) has been on high alert since the RSA SecurID breach was revealed several months ago. The Operational Risk Management discipline is now ever more pervasive in the private sector companies to which national security programs have been outsourced. When top secret information is at risk, the game plan shifts from a single company's incident to a federal priority.

By Jim Finkle and Andrea Shalal-Esa

BOSTON/WASHINGTON, May 27 (Reuters) - Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters.

They breached security systems designed to keep out intruders by creating duplicates of "SecurID" electronic keys from EMC Corp's (EMC.N) RSA security division, said the person, who was not authorized to publicly discuss the matter.

It was not immediately clear what kind of data, if any, was stolen by the hackers. But Lockheed's and other military contractor networks house sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.



The SecurID breach has been an eye-opening wake-up call for those Operational Risk professionals who are charged with keeping information safe from foreign adversaries. The "One-Time-Password" (OTP) marketplace is gearing up for a dramatic shift. EMC, the parent of RSA, is still backpedaling from the crisis and cooperating with three-letter U.S. agencies to determine the culprits. Organizations such as Lockheed Martin not only hold the nation's major weapons systems contracts, they are also prime contractors for defending the cyber security networks across the government.
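What "creating duplicates" of a token actually means is worth making concrete. The example below is added here and is not part of the original post, nor is it RSA's code: SecurID's algorithm is proprietary, so the open-standard HOTP (RFC 4226) and TOTP (RFC 6238) are used as a stand-in. The token serial, the seed and the timestamps are constructed for the demonstration. The point it shows is that the server-side seed record is the token; whoever holds a copy of the seed table can mint codes the server cannot distinguish from the real device.

```python
# Added example, not from the original post or from RSA. RFC 4226 HOTP /
# RFC 6238 TOTP stand in for SecurID's proprietary algorithm; the serial
# number, seed and timestamps below are constructed for the demonstration.
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(seed, counter), dynamic truncation, then `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(seed, unix_time // step, digits)


class OtpServer:
    """Authentication server: maps token serial -> seed. The seed table is the crown jewel."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.seeds: Dict[str, bytes] = {}

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, now: Optional[int] = None) -> bool:
        """Accept the code for the current step or +/- `window` steps of clock drift."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        now = int(time.time()) if now is None else now
        counter = now // self.step
        # constant-time comparison so a timing side channel does not leak digits
        return any(
            hmac.compare_digest(hotp(seed, counter + drift, self.digits), code)
            for drift in range(-self.window, self.window + 1)
        )


def clone_demo(now: int) -> dict:
    """Constructed scenario: a legitimate token, an attacker holding a copy of the
    server's seed table, and an attacker who merely guesses the seed."""
    server = OtpServer()
    serial = "000123456789"               # hypothetical token serial
    seed = bytes(range(1, 21))            # constructed 160-bit seed
    server.enroll(serial, seed)

    legit_code = totp(seed, now)          # what the real token displays
    stolen_table = dict(server.seeds)     # what the attacker exfiltrated
    cloned_code = totp(stolen_table[serial], now)
    guessed_code = totp(b"attacker has no seed", now)

    return {
        "legit_accepted": server.verify(serial, legit_code, now),
        "clone_accepted": server.verify(serial, cloned_code, now),
        "clone_identical": cloned_code == legit_code,
        "guess_accepted": server.verify(serial, guessed_code, now),
    }


if __name__ == "__main__":
    print(clone_demo(int(time.time())))
```

Nothing in `verify` can tell the clone from the genuine token, because the seed is the identity. Once a seed table is suspected stolen, no amount of code hardening helps: the tokens have to be re-seeded or replaced, and until then the OTP should be treated as a compromised factor, paired with something the attacker does not hold and watched for the same serial authenticating from two places at once.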

So what is the answer to keeping nation states across the globe from continuously probing, and successfully compromising, secret systems and networks by attacking the very tools, such as SecurID, that are supposed to guard them?

The answer lies within the private sector's approach to quality assurance in software development. The vulnerability that all security-product companies and defense industrial base companies share is flawed software quality assurance practice. Every software development process includes a testing phase to determine whether the product requirements have been satisfied, yet in the software development lifecycle the QA testing phase is still the most neglected and understaffed. Raising the bar on software quality testing is not the whole answer; it is just one facet of the security mosaic that continues to be a major challenge.

Total Quality Management (TQM) initiatives should not only be mandated by software development organizations; the Defense Industrial Base needs to require new levels of software code testing by the companies charged with securing the secrets of the company and the nation. As each new product or software version is launched into the marketplace it should carry a label that discloses how diligently the vendor tested the software for defects. Reducing those defects before the product lands in the hands of the consumer is one major path to reducing the vulnerabilities behind such serious breaches of trade secret or national security information.

Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants - private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) - that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life.



What will soon be the norm in the software development industry is the TQM mind-set that has been at the forefront of other manufacturing industries for decades. Once the regulators get the gears rolling, the private sector will finally change and work towards "Six Sigma" in software, in combination with more effective approaches to Operational Risk Management:

The approach to managing operational risk differs from that applied to other types of risk, because it is not used to generate profit. In contrast, credit risk is exploited by lending institutions to create profit, market risk is exploited by traders and fund managers, and insurance risk is exploited by insurers. They all however manage operational risk to keep losses within their risk appetite - the amount of risk they are prepared to accept in pursuit of their objectives. What this means in practical terms is that organisations accept that their people, processes and systems are imperfect, and that losses will arise from errors and ineffective operations. The size of the loss they are prepared to accept, because the cost of correcting the errors or improving the systems is disproportionate to the benefit they will receive, determines their appetite for operational risk. Events such as the September 11 terrorist attacks, rogue trading losses at Société Générale, Barings, AIB and National Australia Bank serve to highlight the fact that the scope of risk management extends beyond merely market and credit risk.

As OPSEC evolves in the Defense Industrial Base, the risk appetite and TQM conversation will continue to be on the agenda. The degree to which it makes it to the Board Room of EMC remains to be seen.

22 May 2011

Battle of Narratives: Fukushima to Abbottabad...

U.S. energy companies are getting ready for an audit report on their facilities after the Fukushima Daiichi nuclear plant disaster in Japan. The results will not be an Operational Risk Management executive's favorite topic across the Board Room tables of Pacific Gas & Electric (PG&E), Entergy and Duke. In the aftermath of any disaster, whether the earthquake in Japan or the financial armageddon of 2008 spawned by greed and unregulated markets, the auditors' reports will uncover the vulnerabilities in the mechanisms for industry oversight.

Vulnerabilities found at dozens of U.S. reactors

By PETER BEHR of ClimateWire

Something under one-third of the 104 U.S. reactors were found to have some vulnerabilities to extreme emergencies, according to the NRC, which is preparing a summary of its post-Fukushima findings.

The NRC says that all issues have been fixed or put on schedule for correction, and that the safety of the reactors was not compromised.

PG&E spokesman Paul Flake said issues reported by the NRC had been identified by the company's own review after Fukushima, and an inspection by the Institute for Nuclear Power Operations, the industry's confidential safety monitor.


Information, and the transparency of information, will continue to be at the center of investigations on Wall Street or in the energy industry. "Who knew what when" is the mantra being repeated in the various command posts and task forces that are now responsible not only for ensuring the safety and security of these firms' future employees but also for the national security of the country. Insider risk from leaked information is at an all-time high, whether you are in the "C" suite in Manhattan or the "Situation Room" on Pennsylvania Avenue. Josh Rogin of Foreign Policy explains the predicament in Washington over the raid on Usama Bin Laden's compound in Abbottabad, Pakistan:


The nation's top civilian and military defense officials are calling on their government colleagues to shut up about the details of the May 1 raid in Pakistan that killed Osama bin Laden.

Defense Secretary Robert Gates and Joint Chiefs Chairman Adm. Mike Mullen held their first press conference on Wednesday since the mission to kill bin Laden. Gates stood by a remark he made May 12 at Camp Lejeune, in which he said there was an agreement by top Obama officials in the Situation Room to not reveal details of the raid -- but that the agreement fell apart the next day.

"My concern is that there were too many people in too many places talking too much about this operation. And we had reached agreement that we would not talk about the operational details, and as I said at Camp Lejeune, that lasted about 15 hours," Gates said on Wednesday. "And so I just -- I'm very concerned about this because we -- we want to retain the capability to carry out these kinds of operations in the future. And when so much detail is available, it makes that both more difficult and riskier."

Neither Gates nor Mullen called out any Obama administration officials by name, but Mullen, sounding even more frustrated, implied that the breaches of security by administration officials are ongoing and still a problem to this day.


The energy industry in the U.S. is now under the magnifying glass, just as the banks, mortgage companies, brokers and hedge funds have been scrutinized since the financial meltdown over mark-to-market accounting and predatory lending practices. The Nuclear Regulatory Commission is akin to the Securities and Exchange Commission: the federal agency with oversight and jurisdiction when it comes to keeping the country safe and secure from private industry misdeeds or mistakes.

Information is the lifeblood of any highly functioning organization, whether in the private sector or in government agencies. Protecting that information from leaks to third parties who do not have a need to know is the crux of the "Insider Trading" cases on Wall Street, and equally of the comments made within the confines of the Situation Room during the Bin Laden operation. So why do people want to tell another person something that they know is forbidden? Why do they risk sharing information with the media or with others who may not have a legitimate reason to know it?

And what about the opposite? Withholding information from the public, or from others who have a need to know it, especially when sharing it would save lives or keep the country out of harm's way. The decision to tell or to withhold has serious consequences in either case, and requires a mechanism for making sure that humans know when it is right and when it is wrong. Unfortunately, we live today in a world of information warfare and information operations that spans the globe from Hollywood to Kabul and from London to Hong Kong.

The "Human Factors" motivation for withholding or sharing information has been studied for decades, if not hundreds of years. The gratification one receives from telling another a secret known only to one person or a few provides the stimulus. Whether that gratification comes from seeing someone else in pain or suffering, surprise or elation does not really matter. Recognizing that the human thirst for information is relentless, whether the goal is to be first or to gain power, can give you the understanding to better prepare your organization for "Information Operations" (IO):

"A Theory of Conflict and Cooperation Model" that describes how each actor is attempting to expand, protect, or exploit existing powerbases through cooperative or conflicting relationships with other local actors. Vol. 2 Issue 3 August 2010 IO Journal


Effective Operational Risk Management begins with understanding information and ends with protecting or sharing information. It's your challenge to determine what is real and what is just another narrative to influence your perception as a human being.

08 May 2011

Vigilance: Risk After Bin Laden...

Usama Bin Laden is no longer a risk to the operations of the many high value targets across the globe. Yet now that he is dead, the distributed network of his followers may soon carry out his blueprints for destruction. Large U.S. conglomerates doing business overseas are on high alert, as announced from their 24 x 7 Crisis Operations and Security Risk Management centers.

The raid on Osama bin Laden's compound yielded a trove of intelligence the size of a small college library, a top White House official said Sunday.

In a series of coordinated news-show appearances National Security Adviser Tom Donilon said information seized during last week's killing of the Al Qaeda leader represents the largest cache ever obtained from a terrorist. He said it indicates that in addition to being the group's symbolic leader, bin Laden was involved in strategic operations, including Al Qaeda's propaganda effort.


Al Qaeda's network is decentralized and therefore more resilient to defeat. It will not simply disappear because one of its founding leaders is gone forever. Corporations with American citizens posted in distant high-risk countries such as Algeria, Pakistan, the Philippines, Iraq, Mexico, Venezuela, Nigeria, Kenya and Sudan are on heightened alert. Kidnapping is now even more of a risk in these countries, especially in rural areas.

At the speed of business in 2011, infrastructure companies have found new opportunities to build out energy and telecommunications projects using the latest "Green" and "Wireless" technologies. The threat and risk extend to everyone who represents the enemy in the eyes of Al Qaeda, including the U.K., and are compounded by the growth of "Homegrown Violent Extremists" (HVE) in America:

To date, cells detected in the United States have lacked the level of sophistication, experience, and access to resources of terrorist cells overseas. Their efforts, when disrupted, largely have been in the nascent phase, and authorities often were able to take advantage of poor operational tradecraft. However, the growing use of the Internet to identify and connect with networks throughout the world offers opportunities to build relationships and gain expertise that previously were available only in overseas training camps. It is likely that such independent groups will use information on destructive tactics available on the Internet to boost their own capabilities.

Operational Risk Management professionals have watched the information unfolding from Abbottabad and realized one thing. Our vigilance is now more important than it has been at any point in the past ten years. Preparation, training, exercises and intelligence collection are increasingly justified and vital. These four simple steps of a continuous process must be even more integrated into the fabric of our corporate and institutional landscapes:

  • Deter
  • Detect
  • Defend
  • Document

This "4D" strategy will give your employees the kind of mindset necessary to help keep them safe and secure from unknown future adversaries, whether those adversaries come from the outside while on a foreign business trip or from within the confines of your own headquarters in Chicago, Illinois. Complacency is our largest and most active threat today. Let the death of Usama Bin Laden and the turmoil unfolding in the Middle East remind us to continue our Operational Risk Management missions.

Remember people like Pat Tillman, Michael P. Murphy, OP Restrepo, Jeremy Wise, Dane Paresi, Scott Roberson, Elizabeth Hanson, Tim Hetherington, and Lara Logan who continues the fight. Their courage and sacrifice will never be forgotten...

01 May 2011

Global Risk Economy: Follow the Money...

Operational Risk in the global economy is migrating to places that would not have been easily forecast 10 years ago. New countries, financial institutions and software technologies have changed the playing field for risk management executives.

Why is this happening? One example is the movement of employment to emerging markets where corporate tax rates are lower and talented workers with specific skill sets are plentiful. The simple movement of people and systems to those new countries creates new-found risks that may not have been as pervasive for the institution in the past.

Another example is the evolution of new computing paradigms such as the emergence of "The Cloud" or "Infrastructure-as-a-Service". This outsourced IT model not only provides economies of scale in terms of just-in-time computing power but also more economical licensing models for primary office automation apps such as word processing, spreadsheets, presentations and simple databases.

Operational Risk within the confines of the global workplace will continue to follow wherever these people and systems are operating from. Along with this migration of vital corporate processes to other cultures and countries come the risks associated with a potential lack of safeguards, both legal and for the physical protection of key corporate assets.

In the United States, the "ABC's of the International Economy" explains why there are 22 million employees now working for US-based corporations outside the country. One may have heard the phrase "Follow The Money" in several contexts in the past. Whether it was the Watergate investigations in the 1970s or the new war on terror, tracking where money flows can be a real indicator of where operational risk managers need to keep their radar focused and on high alert. Keep your eye on firms like The Carlyle Group:

On the face of it, Carlyle has started fooling around again. It completed the most deals and spent the most money of any private-equity firm in 2010 (see table). In January it bought AlpInvest, a private-equity fund of funds that manages €32.3 billion ($43.3 billion) on behalf of two Dutch pension schemes. The deal will close in the next several weeks, making Carlyle one of the world’s two largest private-equity firms, with $150 billion under management—neck-and-neck with the Blackstone Group, and more than twice as big as Kohlberg Kravis & Roberts (KKR).

Size certainly matters for Carlyle, since the firm is expected to go public soon. The more assets and sources of cashflow it has, the more attractive it will be to potential shareholders. But this is not a return to the promiscuity of the boom. Carlyle likes to do things differently. It eschewed the obvious buy-out hubs of New York and London and has its headquarters in Washington, DC, a few blocks from the White House. And whereas most big firms concentrated on billion-dollar “mega-funds” before the crisis and have only recently begun raising smaller, more focused funds, Carlyle has been doing things that way for years. It has 84 active funds, many of which have narrow mandates, like investing in Mexico or energy companies. KKR, in contrast, has around 12 active funds.


Carlyle was one of the first to China and is now headed to sub-Saharan Africa in the face of an evolving political and legal climate. Soon after security is established, the capitalists arrive and commerce takes on a whole new perspective. Infrastructure soon follows, and the playing field is set for the global economy to engage in the development of new markets and new opportunities.

About the DIFC
The Dubai International Financial Centre (DIFC) is an onshore finance and business hub connecting the Middle East, Africa and South Asia region (MEASA) and the rest of the world.

Since its launch in 2004, the DIFC has established a current client base of 780 firms which have registered at the Centre, including 16 of the world’s largest 20 banking institutions. Thousands of employees operate in an open environment complemented by international regulations, laws and standards. The DIFC offers its member institutions incentives such as 100 per cent foreign ownership, zero percent tax rate on income and profits and no restriction on capital convertibility or profit repatriation. In addition, the DIFC’s clients benefit from modern infrastructure, operational support services and business continuity facilities.


Operational Risk Management in the next ten years will mean something very different from what it does today. Fueled by the likes of places such as the DIFC, the risks associated with people, processes, systems and external events will grow exponentially.