27 November 2011

Intelligence Analysis: Robust and Resilient...

Operational Risks are on the rise for Top Secret America. Now that the "Super Committee" has thrown in the towel, there are several companies beginning to ask what it will mean in the next few years. Intelligence Analysis has been a tremendous windfall for large and small businesses especially in the National Capital Region of the United States.

The analysis of information, from open sources (e.g., information that appears in the news media or on the Internet) to the most sensitive information collected or gleaned from human and technical sources. Since 9/11, there has been an explosion of the amount of information obtained via technical means, particularly imagery and communications intercepts, necessitating new analytic methods of sorting and exploiting incoming information, as well as data mining to discover patterns of information and intelligence contained within huge quantities of data. Document exploitation (DOCEX) and forensic methods are also growing areas of intelligence analysis for captured materials and site exploitation.

39 government organizations and 358 companies are at the nexus of "Intelligence Analysis" according to the work by Dana Priest and William Arkin of the Washington Post. The next 24 months will tell us how this vital discipline begins to morph from agency to agency and company to company based upon who is deemed most essential and what information is most highly valued.

40 large companies, 57 medium companies and 261 small companies, comprise the majority of the firms who are the supply chain to many of the core intelligence apparatus of the U.S. Government. When these supply chains are impacted by the quantity and potential quality of intel, the opportunity for operational risks will increase. If you can imagine a pipeline of information coming from the street and keyboard level, all the way up to the Presidential Daily Brief (PDB) 365 days a year, this is what is at stake.

So what could you expect to happen in the next few years when it comes to the "Intelligence Analysis" pipeline and the rate and quality of information that is flowing to provide "Decision Advantage"? It's going to increase and for good reason. The traditional nation states and the threat of an attack from conventional means is diminishing. The new threats are morphing into the new normal. The asymmetric methods of warfare in the digital domain:

Congress will pay the FBI an additional $18.6 million to better investigate computer hacking cases, following a federal study that found a third of bureau agents probing breaches significant to national security lacked the necessary networking and counterintelligence skills.
A spending package passed Nov. 17 to fund many federal agencies through September 2012 includes President Obama's full request for $166.5 million to tackle computer crimes, an 11.2 percent increase over last year's appropriations. The bureau must use the money to hire an additional 42 computer security professionals, including 14 special agents, according to a report accompanying the legislation.

The new funds will also assist in the continuous analysis of information, to ascertain the origin and the legitimacy of attacks agains U.S. Critical Infrastructure, the next frontier for insider threats and cyber terrorists:

An ongoing investigation into the possible hack of a U.S. water plant should trigger a methodical analysis of the security of the nation's industrial systems to avoid jumping to the wrong conclusions, former federal cybersecurity officials say.
The Homeland Security Department's cyber response team and the FBI are gathering facts about a report of a water pump failure in Springfield, Ill., according to DHS officials. Their actions follow a state fusion center alert, first reported by noted security specialist Joe Weiss and later publicized by media outlets, that apparently suggests intruders may have lingered in the system for weeks. Some security experts familiar with the report are attributing the malfunction to a targeted attack originating from a Russian network access point, or IP address. If the report bears truth, then this incident represents the first known intentional intrusion into a U.S. industrial control system.
But some experts caution that many organizations don't have the computer forensics expertise to pinpoint the cause of suspicious network events, let alone the identities of perpetrators.

Intelligence Analysis is alive and well and the education and quality of the analysis will not be disrupted regardless of what law makers may fail to do behind closed doors. Operational Risk Management in the 358 companies is on high alert, yet diligently working to ensure the supply chain is robust and resilient for a long time to come.

20 November 2011

Continuous Continuity (C2): BCCM 24/7...

Corporate Directors charged with Operational Risk Management oversight are ultimately responsible for Continuous Continuity (C2) of the Enterprise.

The modern enterprise that effectively manages the myriad of potential threats to its people, processes, systems and critical infrastructures stands to be better equipped for sustained continuity. A Business Crisis and Continuity Management (BCCM) program is a dynamic change management initiative that requires dedicated resources, funding and auditing. Corporate Directors must scrutinize organizational survivability on a global basis.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C2, or "Continuous Continuity". A one-time threat or risk assessment or even an annual look at what has changed across the enterprise is opening the door for a Board of Directors worst nightmare. These nightmares are "Loss Events" that could have been prevented or mitigated all together.

According to the risk management best practices from sources such as the Turnbull Report and specifically Principle 13 of the Basel II Capital Accord, the Board of Directors and corporate management are responsible for the effectiveness of the Business Crisis and Continuity Management of an organization. The following testing techniques must be used to ensure the continuity plan can be executed in a real-life emergency:

  • Table-top testing: Discussing how business recovery arrangements would react by using example interruptions
  • Simulations: Training individuals by simulating a crisis and rehearsing their post-incident/crisis management roles
  • Technical recovery testing: Testing to ensure information systems can be restored effectively
  • Testing recovery at an alternate site: Running business processes in parallel with recovery operations at an off-site location
  • Test of supplier facilities and services: Ensuring externally provided services and products will meet the contract requirements in the case of interruptions.
  • Complete rehearsals: Testing to ensure the organization, employees, equipment, facilities and processes can cope with interruptions.

Many of these best practices talk about a BCCM that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as supply chain management. The effective BCCM framework will become a core process within the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C2 , or "Continuous Continuity".

Having survived several large quakes in Southern California in years past, we are not sure that all of the testing in the world can prepare people for human behaviors that come from within. People literally lose all sense of common sense when you are on the 42nd floor of the 50+ sky scraper and without any warning it physically sways a couple feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself, it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people. Certainly the largest organizations realize that the external threats are taking on new and different forms than the standard fire, flood, earthquake and twister scenarios.

These historically large catastrophic external loss events have been insured against and the premiums are substantial. What it is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the internal facets of the organization having to do with people, processes and systems. Corporate Boards of Director’s are now being consistently subjected to regulatory scrutiny across the globe to ensure the continuity and survivability of the enterprise. It is their duty and responsibility to their shareholders to make sure this occurs on a continuous basis. The world can only hope that our Global 500 companies are well on their way to achieving C2 already.