04 August 2012

SCRM: ICT Supply Chain Risk Management...

What is your private sector enterprise doing today to improve its ICT Supply Chain Risk Management (SCRM)?  Cyber-espionage campaigns have been operating for years across the ICT domains, and every year, soon after "Black Hat" and "Defcon", the trade press exposes another of them to John Q. Citizen.  Once again, these sophisticated and well-resourced adversaries originate inside nation states.

The head of U.S. Cybercom continues to emphasize to the White House and Capitol Hill the need for more effective legislation to change behavior on the cyber security of critical infrastructure.  Those who remain committed to the silent war, and the warriors who fight it each day on a 24 x 7 basis, know the operational risks associated with this modern day battlefield.

Do you know where your information is today?  No, not your "Personally Identifiable Information" (PII), but the crown jewels of your latest Research and Development project.  Or the details of the "Merger and Acquisition" (M&A) activity associated with your cash cow law firm client.  Guess again, because you may not be the only one who now holds copies of these trade secrets or of this confidential and proprietary information.  Bloomberg's Michael Riley and Dune Lawrence capture some of the discussion that follows:
The methods behind China-based looting of technology and data -- and most of the victims -- have remained for more than a decade in the murky world of hackers and spies, fully known in the U.S. only to a small community of investigators with classified clearances. 
"Until we can have this conversation in a transparent way, we are going to be hard pressed to solve the problem," said Amit Yoran, former National Cyber Security Division director at the Department of Homeland Security.
Yoran now works for RSA Security, Inc., a Bedford, Massachusetts-based security company which was hacked by Chinese teams last year.  "I'm just not sure America is ready for that," he said.
The Information Communications Technology (ICT) supply chain is at risk, and the days are numbered until we finally realize that this issue is far beyond the policy makers' control.  Is this an operational risk for which we have done everything we can to mitigate the impact on U.S. national security?  Everyone should know the answer to this question.

The complexity of the problem, and the complacency about it, continue to plague those who are working so diligently to fend off the daily attacks and the counterfeit micro-components.  The strategy is morphing as we speak, from defense to offense, and the stage is being set for the next generation's reality of global cyber conflicts and ICT due diligence.  Richard Clarke and others have said about all that can be said on the subject.

So where are the solutions?  Where are the answers?  They can be found in much the same way that organizations, companies and nation states have, for the past several decades, worked out what was necessary to deter, detect, defend against and document operational risks to their institutions.  The science has changed rapidly, but the foundational solutions remain much the same and rest on these six factors:

  • Identify
  • Assess
  • Decide
  • Implement
  • Audit
  • Supervise

These six factors of your "Operational Risk Management Enterprise Architecture" are the framework for these solutions.  Your ability to operate them continuously within your enterprise will determine how effectively you survive what Richard Clarke and others have predicted for a long time.  Dave Aitel captures much of the issue before us in getting the private sector to make the right changes to its defenses:
The key hangup for this bill is that its solution is unprecedented. Until now we've never viewed private industries, like FPL, Duke Energy, Exxon and NASDAQ, as being responsible for the nation's defense. But that's just what this bill does -- it recognizes "critical" industries like energy, transportation, emergency services and financial networks, as the new targets in the cyberwar battlefield and requires them to upgrade to military-style defense. This won't be easy, but it's the right thing to do. For the first time ever, rival nations now have the ability to launch relatively easy "kinetic" attacks on U.S. soil, complete with plausible deniability. This is the new world we live in.
