17 August 2013

Privacy 3.0: The Genesis of EarthCom...

Information classification in the private sector is gaining traction again as the nature of sensitive national security leaks is published in the popular press.  Data breach laws and cyber legislation are a daily discussion on Capitol Hill.  CISOs and CSOs, even at the Washington Post, are in "Incident Response Mode" after a successful phishing exploit by the Syrian Electronic Army.  These Operational Risk Management (ORM) challenges are on the rise not only because of the amount of information exchanged each day in an era of the "Internet of Things"; they are now front and center as "Privacy 3.0" evolves in the Cloud.

Andrew Serwin of The Lares Institute puts it all in context:
The question confronting modern-day privacy scholars is this: Can a common law based theory adequately address the shifting societal norms and rapid technological changes of today’s Web 2.0 world where legislatures and government agencies, not courts, are more proactive on privacy protections?
As private sector companies produce the technology solutions to accommodate the exponential expansion of our global ICT ecosystem, we must acknowledge the genesis of its origin: human beings.  The products, systems, software and patents are the result of inventions by mankind.  Yet there is evidence that the evolution of ICT, whether in hardware, software or the data itself, has similarities to biological evolution.  For decades scientists have studied the similarity between ecosystems of information and the biology of immune systems.  These same smart and bold people have written books, journals and peer-tested papers on the subject of transformational systems thinking.  Growth and change in the digital universe follows a biological path found in nature.

The organizational growth cycles are:
  • Forming = entrepreneurship
  • Norming = production
  • Integrating = diversification
This cycle of growth has many labels, yet systems and organizational experts will say that the integrating phase of growth encounters a bifurcation point, where it is necessary for the system to innovate again and form something new in order to adapt to its new environment.  If the system does not break away and create a new forming stage of the growth cycle, it will eventually perish.  This is why organizational change experts invented such innovations as the "Skunk Works," and why a private sector company breaks off a business unit and creates a whole new company.

Privacy 3.0 is now four years old.  Are we now at the bifurcation stage of the societal information growth cycle, and is the speed of business leaving the existing government rule of law in the rear view mirror?  Andy Serwin, in his 2009 paper, said:
Given the changes in society, as well as the enforcement mechanisms that exist today, particularly given the FTC's new focus on “unfairness,” and the well-recognized need to balance regulation and innovation, a different theoretical construct must be created--one that cannot be based upon precluding information sharing via common law methods. Instead, the overarching principle of privacy of today should not be the right to be let alone, but rather the principle of proportionality. This is Privacy 3.0.
As information flows through the manmade veins of supersonic light or invisible waves of zeros and ones around our planet, we are approaching a "Breakpoint": a place in time where the system will need to bifurcate in order to survive.  The system of privacy proportionality in government circles has used four levels of classification:
  • Restricted = For Official Use Only (FOUO)
  • Confidential
  • Secret
  • Top Secret (TS)
In the years ahead, as you hold your IP Phone (iPhone) to update the Twitter, Foursquare, Facebook or WordPress app, you are behaving in the Privacy 3.0 ecosystem.  While you are at work in the public or private sector using Google Business Apps in the cloud, your behavior and your words, including personal data such as your semantics or GPS coordinates, are entering one of four levels of sensitivity.

In order to make the leap to our next systemic "Breakpoint," we will need to design proportional privacy into our Operational Risk Framework.  Without it, the system will decay and ultimately cease to exist.  Is privacy an afterthought in your organization?  What information governance education takes place on a continuous basis?  How do you monitor and measure?  Have you tagged the information into four levels of sensitivity?  These are just a few of the questions that the Privacy 3.0 enterprise is encountering, at the genesis of an ICT "EarthCom."
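Tagging information into the four levels above and releasing it proportionally is a small amount of code once the levels are ordered. The following is an added example, not code from the original post: it orders the post's four levels as a lattice, assigns each record the highest level any rule demands (a high-water mark), and releases a record to a channel only when the channel's clearance dominates the record's tag. The tagging rules, the sample records and the channel names are constructed for the example; a real deployment takes its rules from the organization's classification guide.

```python
"""Four-level sensitivity tagging with a proportionality (dominance) check.

Added illustration, not code from the original post.  Level names follow
the post's list; the rules and sample records are constructed.
"""
import re
from dataclasses import dataclass

# Ordered lattice: a higher index dominates every lower one.
LEVELS = ("RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed tagging rules: pattern -> minimum level the record must carry.
RULES = [
    (re.compile(r"-?\d{1,2}\.\d+,\s*-?\d{1,3}\.\d+"), "CONFIDENTIAL"),  # GPS coordinates
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "SECRET"),                    # SSN-like identifier
    (re.compile(r"\bTOP SECRET\b", re.IGNORECASE), "TOP_SECRET"),       # explicit marking
]


@dataclass(frozen=True)
class Tagged:
    text: str
    level: str


def tag(text: str, default: str = "RESTRICTED") -> Tagged:
    """Assign the highest level any rule demands (high-water mark)."""
    level = default
    for pattern, required in RULES:
        if pattern.search(text) and RANK[required] > RANK[level]:
            level = required
    return Tagged(text, level)


def may_release(record: Tagged, channel_clearance: str) -> bool:
    """Proportionality: release only to a channel cleared at or above the tag."""
    return RANK[channel_clearance] >= RANK[record.level]


def filter_for_channel(records, channel_clearance):
    """Split records into those the channel may receive and those withheld."""
    allowed = [r for r in records if may_release(r, channel_clearance)]
    withheld = [r for r in records if not may_release(r, channel_clearance)]
    return allowed, withheld


# Constructed sample records (not real data).
SAMPLE = [
    "Lunch at noon, bring the slides",
    "Meeting at 38.8977, -77.0365 tomorrow",
    "Employee record 123-45-6789 updated",
    "TOP SECRET briefing notes attached",
]

if __name__ == "__main__":
    tagged = [tag(t) for t in SAMPLE]
    for r in tagged:
        print(f"{r.level:<13} {r.text}")
    allowed, withheld = filter_for_channel(tagged, "CONFIDENTIAL")
    print(f"channel CONFIDENTIAL: {len(allowed)} released, {len(withheld)} withheld")
```

Because tagging uses a high-water mark, a record that matches several rules carries the strictest one; the release check then answers the post's "how do you monitor and measure" question with a yes/no decision that can be logged per channel.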

04 August 2013

Cyber Risk: Human Factors vs. Automation...

Operational Risk Management (ORM) is a growing multi-faceted mosaic comprised of people, processes, systems and external events.  The risks to the enterprise are increasing at a dynamic speed and trajectory that requires the use of automated tools.  This is where risk to the enterprise may actually expand as executives and operational management rely on software to provide information assurance.  The design and architecture of software needs a human-based fail-safe.  It requires a human interface that allows and simultaneously requires human intervention.  Has too much automation contributed to our increased levels of vulnerability?

Fortunately, the software designs have allowed for these opportunities for a human factor to ask "What if" questions: the questions that arise after an automated alert tells us that something is outside the baseline parameters set for the system, the sensor or the alarm.  Now we go back to Operational Risk and the nature of thinking from a security and safety perspective.  What is the continued reliance on automated systems doing to the human capital charged with the overall "Standard of Care" for the enterprise?  We believe that they may have lost the ability to ask the right questions, at the right moment and with the correct contextual understanding.

What is the truth?  Is it true?  What evidence do we have that this is true?  How do we know that the evidence is not spoiled or compromised?  If we know the truth, then what do we do next?  Is the software telling us the truth?

The security and the safety of the enterprise are counting on you.  More importantly, the enterprise is asking you to question the software.  The "rule-sets" you have chosen as a result of the programmers' and architects' decisions can no longer be trusted.

Sixty-four percent of organizations attacked in 2012 took more than 90 days to detect an intrusion with the average time for detection being 210 days – 35 days longer than in 2011, according to a report released earlier this year from data security firm Trustwave.
Five percent took more than three years. 
The Weak Link
Especially unnerving is the widespread success of SQL injections. Remote access and SQL attacks, the tool of choice by hackers in the scheme unveiled last week, together made up 73% of the infiltration methods used by criminals in 2012, according to Trustwave.

“This is not anything new for people in the space, it’s an old approach that has been used for decades,” said Dov Yoran, co-founder and CEO of malware analysis and threat intelligence firm Threat Grid. “And it's only going to grow as these systems get more complicated." 
Some industries have been forced to adapt and alter faster than others due to the high level of attacks, particularly U.S. banks like J.P. Morgan Chase (JPM) and Bank of America (BAC), card companies like Visa (V) and MasterCard (MA) and retailers that have a more direct line to cash. 
Nearly a year ago DDoS attacks in September temporarily downed the consumer websites of some major U.S. banks. But a fourth wave of attacks declared last week against some of the same victims has so far proven uneventful.
Is our system learning?  In what capacity is the system learning in context with the human interaction for judgment, intuition and ethical emotions?  Are you with us?  The next generation of "Cyber Security" innovators are now at the edge of significant new breakthroughs and solutions.  "Active Defense" is a controversial topic du jour, yet the next few years will be a new age of understanding, cultural bifurcations and significant global collaboration.  Our entire platform of digital trust is at stake, and the conversation has finally made its way to the nation state policy levels.
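The Trustwave figures quoted above single out SQL injection as a decades-old method that still succeeds, and note how long intrusions go undetected. The following is an added example, not code from the post or the quoted article: a login check that builds its SQL from untrusted strings is shown beside the parameterized form that keeps the query's structure fixed, plus a small input-review helper of the kind a human might use to question what the automated system accepted. The in-memory SQLite table and its two sample rows are constructed for the example.

```python
"""SQL injection: a string-built query beside its parameterized replacement.

Added illustration, not code from the post or the quoted article.  Uses an
in-memory SQLite table with constructed sample rows.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; real systems would never store plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # 'Before' form: untrusted input is concatenated into the SQL text, so a
    # quote character in the input changes the structure of the query.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened form: placeholders bind the input as data; the query shape is
    # fixed before any user-supplied value is seen by the database.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def suspicious_input(value: str) -> bool:
    """Review aid, not a defense: flag inputs carrying SQL quote or comment
    tokens so a human can look at what the application logged."""
    tokens = ("'", "--", ";", "/*")
    return any(t in value for t in tokens)


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # classic textbook input that closes the quote
    print("vulnerable, wrong password accepted:", login_vulnerable(conn, "alice", probe))
    print("parameterized, wrong password rejected:", not login_parameterized(conn, "alice", probe))
    print("flag for review:", suspicious_input(probe))
```

The review helper is deliberately weak (it will miss encoded variants and flag legitimate apostrophes); the point of the post is that the parameterized query removes the class of defect, while the human still questions what the logs show.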

Operational Risk Management (ORM) will remain a key factor in decision points for the enterprise, the consumer and the operators of critical infrastructure across the globe.  Let's work on keeping the human factor in the loop as automation continues to give us a false sense of security and safety.