28 May 2011

OPSEC: TQM in the Defense Industrial Base...

OPSEC in the Defense Industrial Base (DIB) has been on high alert since the RSA SecurID vulnerability was revealed several months ago. The Operational Risk Management discipline is now pervasive in private sector companies that have outsourced national security programs. When top secret information is at risk, the game plan shifts from a single company incident to a federal priority.

By Jim Finkle and Andrea Shalal-Esa

BOSTON/WASHINGTON, May 27 (Reuters) - Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters.

They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter.

It was not immediately clear what kind of data, if any, was stolen by the hackers. But Lockheed's and other military contractor networks house sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.

The SecurID hack has been an eye-opening wake-up call for those Operational Risk professionals who are charged with keeping information safe from foreign adversaries. The "One-Time-Password" (OTP) marketplace is gearing up for a dramatic shift. Organizations such as EMC, the parent of RSA, are still backpedaling from the crisis and cooperating with three-letter U.S. agencies to determine the culprits. Not only do organizations such as Lockheed Martin hold the nation's major weapons systems contracts, they are also prime contractors for defending the cyber security networks across the government.

So what is the answer for keeping nation states across the globe from continuously probing and successfully compromising secret systems networks by hacking tools like SecurID?

The answer lies within the private sector's approach to quality assurance in software development. The vulnerability that all security-based companies and Defense Industrial Base companies face is the flaws in their software quality assurance practices. Any software development process includes a testing phase to determine whether the product requirements have been satisfied. In the lifecycle of software development, the QA testing phase is still the most neglected and understaffed. Raising the bar on software quality testing is not the only answer; it is just one facet of the security mosaic that continues to be a major challenge.

Not only should Total Quality Management (TQM) initiatives be mandated by software development organizations; the Defense Industrial Base also needs to require new levels of software code testing by companies that are charged with securing the secrets of the company and the nation. As each new product or software version is launched into the marketplace, it should carry a label that discloses how diligent the vendor was in testing the software for defects. Reducing those defects before the product lands in the hands of the consumer is one major path to reducing the vulnerabilities behind such serious breaches of trade secret or national security information.

Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non‐profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) – that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life.

What will soon be the norm in the software development industry is the TQM mind-set that has been at the forefront of other manufacturers for decades. Once the regulators get the gears rolling, the private sector will finally change and work towards "Six Sigma" in software in combination with more effective approaches to Operational Risk Management:

The approach to managing operational risk differs from that applied to other types of risk, because it is not used to generate profit. In contrast, credit risk is exploited by lending institutions to create profit, market risk is exploited by traders and fund managers, and insurance risk is exploited by insurers. They all however manage operational risk to keep losses within their risk appetite - the amount of risk they are prepared to accept in pursuit of their objectives. What this means in practical terms is that organisations accept that their people, processes and systems are imperfect, and that losses will arise from errors and ineffective operations. The size of the loss they are prepared to accept, because the cost of correcting the errors or improving the systems is disproportionate to the benefit they will receive, determines their appetite for operational risk. Events such as the September 11 terrorist attacks, rogue trading losses at Société Générale, Barings, AIB and National Australia Bank serve to highlight the fact that the scope of risk management extends beyond merely market and credit risk.

As OPSEC evolves in the Defense Industrial Base, the risk appetite and TQM conversation will continue to be on the agenda. The degree to which it makes it to the Board Rooms of EMC still remains to be seen.

22 May 2011

Battle of Narratives: Fukushima to Abbottabad...

The U.S. energy companies are getting ready for an audit report on their facilities after the Fukushima Daiichi nuclear plant disasters in Japan. The results will not be an Operational Risk Management executive's favorite topic across the Board Room table of Pacific Gas & Electric (PG&E), Entergy and Duke. In the aftermath of any disaster such as the earthquake in Japan, or the financial economic armageddon of 2008 spawned by greed and unregulated markets, the auditors' reports will uncover the vulnerabilities in the mechanisms for industry oversight.

Vulnerabilities found at dozens of U.S. reactors

By PETER BEHR of ClimateWire

Something under one-third of the 104 U.S. reactors were found to have some vulnerabilities to extreme emergencies, according to the NRC, which is preparing a summary of its post-Fukushima findings.

The NRC says that all issues have been fixed or put on schedule for correction, and that the safety of the reactors was not compromised.

PG&E spokesman Paul Flake said issues reported by the NRC had been identified by the company's own review after Fukushima, and an inspection by the Institute for Nuclear Power Operations, the industry's confidential safety monitor.

Information and the transparency of information will continue to be at the center of investigations on Wall Street or in the energy industry. "Who knew what when" is the mantra being repeated in various command posts and within task forces who are now responsible for ensuring not only the safety and security of future employees of these firms but also the national security of the country. Insider Risk of leaked information is at an all-time high whether you are in the "C" suite in Manhattan or the "Situation Room" on Pennsylvania Avenue. Josh Rogin of Foreign Policy explains the predicament in Washington over the raid on Usama Bin Laden's compound in Abbottabad, Pakistan:

The nation's top civilian and military defense officials are calling on their government colleagues to shut up about the details of the May 1 raid in Pakistan that killed Osama bin Laden.

Defense Secretary Robert Gates and Joint Chiefs Chairman Adm. Mike Mullen held their first press conference on Wednesday since the mission to kill bin Laden. Gates stood by a remark he made May 12 at Camp Lejeune, in which he said there was an agreement by top Obama officials in the Situation Room to not reveal details of the raid -- but that the agreement fell apart the next day.

"My concern is that there were too many people in too many places talking too much about this operation. And we had reached agreement that we would not talk about the operational details, and as I said at Camp Lejeune, that lasted about 15 hours," Gates said on Wednesday. "And so I just -- I'm very concerned about this because we -- we want to retain the capability to carry out these kinds of operations in the future. And when so much detail is available, it makes that both more difficult and riskier."

Neither Gates nor Mullen called out any Obama administration officials by name, but Mullen, sounding even more frustrated, implied that the breaches of security by administration officials are ongoing and still a problem to this day.

The energy industry in the U.S. is now under the magnifying glass just as the banks, mortgage companies, brokers and hedge funds have been scrutinized since the financial meltdown over mark-to-market and predatory lending practices. The Nuclear Regulatory Commission is akin to the Securities and Exchange Commission as the federal agency that has oversight and jurisdiction when it comes to keeping the country safe and secure from private industry misdeeds or mistakes.

Information is the lifeblood of any highly functioning organization, whether in the private sector or government agencies. Protecting that information from leaks to third parties who do not have a need to know is the crux of the "Insider Trading" cases on Wall Street or even the comments made within the confines of the situation room during Bin Laden's operation. So why do people want to tell another person something that they know is forbidden? Why do they risk sharing information with the media or others who may not have a legitimate reason to know the information?

And what about the opposite: withholding information from the public or others who have a need to know the information, especially if it will save lives or keep the country out of harm's way? The decision to tell or withhold information has serious consequences in either case and requires a mechanism for making sure that humans know when it is right and when it is wrong. Unfortunately, we live today in a world of information warfare and information operations that spans the globe from Hollywood to Kabul or London to Hong Kong.

The "Human Factors" motivation for withholding or sharing information has been studied for decades if not hundreds of years. The gratification one receives from telling another a secret known only to one person or a few provides the stimulus. Whether that human gratification is the result of seeing someone else in pain or suffering, surprise or elation doesn't really matter. Recognizing that the human thirst for information is relentless when it comes to being first or gaining power can provide you with the understanding to better prepare your organization for "Information Operations" (IO):

"A Theory of Conflict and Cooperation Model" that describes how each actor is attempting to expand, protect, or exploit existing powerbases through cooperative or conflicting relationships with other local actors. Vol. 2 Issue 3 August 2010 IO Journal

Effective Operational Risk Management begins with understanding information and ends with protecting or sharing information. It's your challenge to determine what is real and what is just another narrative to influence your perception as a human being.

08 May 2011

Vigilance: Risk After Bin Laden...

Usama Bin Laden is no longer a risk to the operations of many high value targets across the globe. Yet, now that he is dead, the distributed network of followers may soon carry out his blueprints for destruction. Large U.S. conglomerates doing business overseas are on high alert, as announced from their 24 x 7 Crisis Operations and Security Risk Management centers.

The raid on Osama bin Laden's compound yielded a trove of intelligence the size of a small college library, a top White House official said Sunday.

In a series of coordinated news-show appearances National Security Adviser Tom Donilon said information seized during last week's killing of the Al Qaeda leader represents the largest cache ever obtained from a terrorist. He said it indicates that in addition to being the group's symbolic leader, bin Laden was involved in strategic operations, including Al Qaeda's propaganda effort.

Al Qaeda's network is decentralized and therefore more resilient to defeat. It will not simply disappear by having one of its founding leaders gone forever. Corporate institutions that have American citizens in distant high risk countries such as Algeria, Pakistan, Philippines, Iraq, Mexico, Venezuela, Nigeria, Kenya and Sudan are on heightened alert. Kidnapping is now even more of a risk in these countries, especially in rural areas.

At the speed of business in 2011, the infrastructure companies have found new opportunities to build out energy and telecommunications projects using the latest "Green" and "Wireless" technologies. The threat and risk to those who represent the enemy in the eyes of Al Qaeda include the U.K. and the growth of "Homegrown Violent Extremists" (HVE) in America:

To date, cells detected in the United States have lacked the level of sophistication, experience, and access to resources of terrorist cells overseas. Their efforts, when disrupted, largely have been in the nascent phase, and authorities often were able to take advantage of poor operational tradecraft. However, the growing use of the Internet to identify and connect with networks throughout the world offers opportunities to build relationships and gain expertise that previously were available only in overseas training camps. It is likely that such independent groups will use information on destructive tactics available on the Internet to boost their own capabilities.

Operational Risk Management professionals have watched the information unfolding from Abbottabad and realized one thing: our vigilance is now more important than it has ever been in the past ten years. The preparation, training, exercises and intelligence collection are increasingly justified and vital. These simple 4 steps in this continuous process shall be even more integrated into the fabric of our corporate and institutional landscapes:

  • Deter
  • Detect
  • Defend
  • Document

This "4D" strategy will provide your employees with the kind of mindset necessary to help keep them safe and secure from unknown future adversaries. They may be coming from the outside while on a foreign business trip overseas or within the confines of your own headquarters in Chicago, Illinois. Complacency is our largest and most active threat today. Let the death of Usama Bin Laden and the turmoil unfolding in the Middle East remind us to continue our Operational Risk Management missions.

Remember people like Pat Tillman, Michael P. Murphy, OP Restrepo, Jeremy Wise, Dane Paresi, Scott Roberson, Elizabeth Hanson, Tim Hetherington, and Lara Logan who continues the fight. Their courage and sacrifice will never be forgotten...