29 June 2014

Trust Decisions: The Risk of a Digital Supply Chain...

Are you a business that is operating internationally?  What components of Operational Risk Management (ORM) currently intersect with your international business operations?  The safety and security of your employees who travel into countries with unstable political elements are no doubt of immediate concern.  There may even be a heightened sensitivity with whom your international business executives are meeting with and the tremendous U.S. rule-base associated with OFAC, as one example.

Fortune 500 organizations are all too familiar with these concerns, as major players in international business. The Chief Security Officers (CSO) and other key executives charged with the safety, security and integrity of employees, are focused on those who are traveling and meeting across the globe.  This is considered ORM 101.  This facet of ORM is quite mature and familiar to the Board of Directors who are charged with the Enterprise Risk Management (ERM) of the company.

What is growing more pervasive and continues to plague organizations doing business internationally is the risk of a Digital Supply Chain.  Trusted information and the confidentiality, integrity and assurance of data.  The "Genie" is out of the bottle and even the most mature and risk adverse global organizations, are continuously barraged by sudden incidents that interface with privacy and security of information.

Here is a recent example:
After a public comment period, the Federal Trade Commission has approved final orders that settle charges against 14 companies for falsely claiming to participate in the international privacy framework known as the U.S.-EU Safe Harbor. Three of the companies were also charged with similar violations related to the U.S.-Swiss Safe Harbor.
The FTC previously announced the settlements in January, February and May of 2014 with the following companies: 
Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
Consumers who want to know whether a U.S. company is a participant in the U.S-EU or U.S.-Swiss Safe Harbor program may visit http://export.gov/safeharbor to see if the company holds a current self-certification.
Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
So what is the real underlying issue here?  It is about "Trust Decisions".

These organizations were representing themselves as compliant with a U.S.-EU framework designed and established to protect their constituents, under the jurisdiction of the Federal Trade Commission (FTC).  The decisions to trust these organizations by an individual or business, regarding the perception that they are in compliance with a framework for privacy and security, is what is true.

How often have you ever made a "Trust Decision," based upon your knowledge that a business is displaying an official seal, mark or a sign that your information is safe and secure?  There are dozens of high profile companies operating across the globe that are in the business of selling "Trust".  Symantec, TRUSTe and GeoTrust to name a few.  The reason that a business buys one of these trusted seals or marks is because it wants to increase it's perception of trust, to the consumer or business that it is engaged with to transact business.

The business wants to display that they are compliant with the particular laws or rules associated with their industry or country.  It wants to create a sense of business assurance or peace of mind for the buyer of their products or services.  When you use one of these seals to assist in making an affirmative "Trust Decision" based upon the display of one of these badges, marks, signs or even special symbols or colors; the consumer still assumes risk of the unknown risks.  So what?

So how many consumers on a daily basis do you think visit this web site to get their free annual credit report? Green Padlock https://www.annualcreditreport.com/index.action

This is the official web site advocated by the U.S. Federal Trade Commission (FTC) for consumers to get a free annual credit report in compliance with Fair Credit Reporting Act (FCRA).  When you visit this site, you see that the URL displays a green padlock and the https: designating that the site is using secure protocols to transmit your Personal Identifiable Information (PII).  Or is it?

When you test the Annual Credit Report web site with a SSL security test service, run online by Qualys SSL Labs, https://www.ssllabs.com/ssltest/ this is their rating, on the security of Annual Credit Report.com as of 6/28/14.

Overall Rating
Protocol Support
Key Exchange
Cipher Strength

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.  MORE INFO »
This server is not vulnerable to the Heartbleed attack.

Q: What information do I need to provide to get my free report? 
A: You need to provide your name, address, Social Security number, and date of birth. If you have moved in the last two years, you may have to provide your previous address. To maintain the security of your file, each nationwide credit reporting company may ask you for some information that only you would know, like the amount of your monthly mortgage payment. Each company may ask you for different information because the information each has in your file may come from different sources.
On a daily basis, humans are subjected to signs, marks, badges and other indicators that help them make more informed affirmative "Trust Decisions".  Whether it is the "Green Light" at the local intersection or the "Green Padlock" on the web site where we are being asked to give up our Personal Identifiable Information (PII).  The regulatory and private entities that are tasked to ensure that the signs, marks, badges and even colors are in compliance, must also look to their own level of trust of their Digital Supply Chain.

This is just one glaring example of why "Trust Decisions" are so vital to online global e-commerce.  It is also a wake-up call for any organization that is advocating trust by using a digital third party that the consumer relies on every day.  However, the FTC and other government agencies rely on private sector companies to assist them in outsourced services such as hosting Annual Credit Report. com.  The site is hosted by:

IP LocationUnited States - Massachusetts - Cambridge - Akamai Technologies Inc.

How confident are you, that your organizations digital supply chain is ensuring safe and secure "Trust Decisions" for your customers?

22 June 2014

Asymmetric Warfare: Board Room to Battlefield...

The planet Earth is experiencing a multitude of historical and 21st century "Asymmetric Wars" from the Board Rooms of the Global 500, Internet Cafes of Third World countries and the Miranshah.

Operational Risk Management (ORM) doctrine will continue to be a factor:


  [ey-suh-me-trik, as-uh-]  Show IPA
not identical on both sides of a central line;
"Asymmetric warfare" can describe a conflict in which the resources of two belligerents differ in essence and in the struggle, interact and attempt to exploit each other's characteristic weaknesses. Such struggles often involve strategies and tactics of unconventional warfare, the "weaker" combatants attempting to use strategy to offset deficiencies in quantity or quality.[1] Such strategies may not necessarily be militarized.[2] This is in contrast to symmetric warfare, where two powers have similar military power and resources and rely on tactics that are similar overall, differing only in details and execution.
The Irish Republican Army (IRA) perfected the car bomb against the British.  Now "Improvised Explosive Devices" (IED) and suicide bombers continue to be the single greatest threat to U.S. troops in Afghanistan as we withdraw and in Iraq as we engage once again. The Middle East has been embroiled in conflicts with the modern use of "Social Media" and an asymmetric rebel element to initiate change in labor laws or to overthrow a nation states leadership.

A laymen may not understand the relevance of "Asymmetric Warfare" on the corporate battlefield. Some would describe the age old tactic of industrial espionage, competitive intelligence or even patent litigation as a method for a small unknown company to gain an advantage over a much larger and established institution. This is a strategy of Asymmetric Warfare, nothing new. In any case, the perception is that the small and agile still have the means, tools and tactics to defeat the large and overbearing with the benefit of time, resources and the will of the people.

So what are some good examples of modern day asymmetric conflicts:
  • Apple vs. Google
  • NATO vs. Putin
  • Sunni vs. Shiite
  • BMW vs. Jaguar
  • Earth vs. Anonymous
  • Taliban vs. Afghans
  • United States vs. Jones
Each of these represent a conflict between two able parties, regardless of the perception of who is the "David" and who is the "Goliath". So what can your organization or nations state do to prepare yourself for the inevitable risks that will be associated with doing business or operating your enterprise across countries and in hostile environments? By providing your employees and stakeholders the best education, research, training and exercise programs; technology test and evaluation and capability improvement programs that your resources can offer.  Why?  In a few words, to make faster and more informed "Trust Decisions".

The desire to Deter, Detect, Defend and Document is prudent doctrine in Operational Risk Management (ORM). You may call these steps or tactics by other names in your particular process; such as Observe, Orient, Decide Act. What matters most is that the environment and landscape for the "Asymmetric Threats" and "Asymmetric Warfare" will continue to be challenging and dynamic.
WASHINGTON — Judges around the country are grappling with the ripple effects of a 2-year-old Supreme Court ruling on GPS tracking, reaching conflicting conclusions on the case’s broader meaning and tackling unresolved questions that flare in a world where privacy and technology increasingly collide. 
The January 2012 opinion in United States v. Jones set constitutional boundaries for law enforcement’s use of GPS devices to track the whereabouts of criminal suspects. But the different legal rationales offered by the justices have left a muddled legal landscape for police and lower-court judges, who have struggled in the last two years with how and when to apply the decision — especially at a time when new technologies are developed at a faster rate than judicial opinions are issued. 
The result is that courts in different jurisdictions have reached different conclusions on similar issues, providing little uniformity for law enforcement and judges on core constitutional questions. Technological advancements are forcing the issue more and more, a development magnified by a heightened national debate over privacy versus surveillance and the disclosure of the National Security Agency’s bulk collection of Americans’ telephone records.

15 June 2014

TOC: The Implications of Consumer Privacy...

Operational Risks are pervasive in most every business both large and small. A small business can learn a tremendous amount from those failures by large corporate enterprises. Privacy laws in the United States are for all business owners whether they be a sole practitioner or a soon to be corporation with a $100 Billion valuation.  Operational Risk Management (ORM) is present in any serious business that makes important "Trust Decisions" on a minute-by-minute basis.

Consumer privacy and the risks associated with the protection of personal identifiable information of clients, members and customers is at stake. Learning the lessons from the organizations who have made changes and are working on a daily basis to comply with the regulatory frameworks, can be a very beneficial lesson to all.

Beyond the cost of a breach of data, Operational Risk Management (ORM) professionals understand that human behavior is the reason behind many of these incidents. Employees and supply chain insiders not clandestine hackers or malicious code sent from afar can be the major threat. So what can a Chief Privacy Officer or CISO do to mitigate the risks of employees and their behavior? All of the education and awareness campaigns may help, but the "Trust Decision" process itself is the place to begin.

Information Governance and the steps that are utilized to ingest or acquire and process that information is also paramount.  Hayley Tsukayama from the Washington Post highlights part of the issue:
Facebook came under fire Thursday from privacy advocates who say that changes to its ad network mark an unprecedented expansion of its ability to collect users' personal data. The advocates are also criticizing the Federal Trade Commission for allowing Facebook to make the changes and argue that the network's size gives it too much knowledge about its users.
Whether you are in the business of "Social Networking" like Facebook or you are the regional health care system in your state, the privacy of information of the consumer is at stake. Where that stolen information ends up in many cases, is in the hands of "Transnational Criminal Organizations" where it becomes of the lifeblood of their business operations to perpetuate their fraud schemes. These schemes are impacting the economic security of major organizations in the private sector and so the U.S. government (USG) has ramped up in the past 3 years to address the threat. Combined with other factors associated with legitimate business operations, organized digital crime syndicates have infiltrated the country and is costing the United States billions of dollars per year.

Here are several actions USG will be taking as the TOC strategy continues to be enabled:


  • Implement a new Executive Order to prohibit the transactions and block the assets under U.S. jurisdiction of TOC networks and their associates that threaten critical U.S. interests.
  • Prevent or disrupt criminal involvement in emerging and strategic markets.
  • Increase awareness and provide incentives and alternatives for the private sector to reduce facilita- tion of TOC.
  • Develop a mechanism that would make unclassified data on TOC available to private sector partners.
  • Implement the Administration’s joint strategic plan on intellectual property enforcement to target, investigate, and prosecute intellectual property crimes committed by TOC.
  • Enhance domestic and foreign capabilities to combat the increasing involvement of TOC networks in cybercrime and build international capacity to forensically exploit and judicially process digital evidence.
  • Use authorities under the USA PATRIOT Act to designate foreign jurisdictions, institutions, or classes of transactions as ‘‘primary money-laundering concerns,” allowing for the introduction of various restrictive measures on financial dealings by U.S. persons with those entities.
  • Identify foreign kleptocrats who have corrupt relationships with TOC networks and target their assets for freezing, forfeiture, and repatriation to victimized governments.
  • Work with Congress to enact legislation to require disclosure of beneficial ownership information of legal entities at the time of company formation in order to enhance transparency for law enforce- ment and other purposes.
  • Support the work of the Financial Action Task Force, which sets and enforces global standards to combat both money laundering and the financing of terrorism.

The FTC is continuously working with companies like Facebook. The White House NSC is working on strategies that have a nexus with stealing consumers information to exploit the financial system. Yet all of this will be for nothing, if the private sector does not work in concert with government. Public-Private partnerships are in full swing and are making some progress.

In addition, nation state industrial intellectual property theft and economic espionage has eroded our global competitive advantage in several industry segments.  Ellen Nakashima explains:
A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income. 
The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm. 
“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.
Changing peoples behavior inside your own business will require substantial oversight and continuous education. Remain vigilant at the risk of your organizations own peril!

08 June 2014

Algo Bots: The Risk of Human Error...

What "Trust Decisions" did you make this past week?  How fast did you make them?  The ability to manage an entire portfolio of operational risks in a daily routine is daunting.  How do you prioritize? What Operational Risk Management (ORM) process will you engage in, with so many uncertain outcomes?  Why will you sit up in bed at 3AM, to read the latest alert on your smartphone?

In October of 2012, this ORM blog discussed the topic of "Algo Bots" and "Dark Pools".  Machine language talking to other machines, to make optical network speed decisions and more precise, "Trust Decisions."  What is the risk of a low probability and high consequence incident when humans are taken out of the equation?  Dave Michaels of Bloomberg explains the current focus:
Mary Jo White’s blueprint for imposing tighter controls on high-frequency traders and some of the murky venues they inhabit stops short of a crackdown. 
The U.S. Securities & Exchange Commission’s plan, unveiled by White in a speech this week, advanced some new ideas while borrowing heavily from existing proposals and measures that already have support on Wall Street. While stock exchanges, rapid-fire traders and private trading venues known as dark pools all would come under new scrutiny, White didn’t embrace the kind of tighter restraints that have been enacted in countries such as Australia and Canada. 
White isn’t acting in a vacuum. She is responding to political pressures raised by an investigation by the New York attorney general into whether speed traders prey on slower-moving investors as well as a book by Michael Lewis, “Flash Boys,” that condemned the role of exchanges and brokers in enabling unfairness. She announced the initiatives even as she said U.S. markets aren’t rigged and serve the goals of retail and institutional investors.
As an Operational Risk Management (ORM) professional, you have to stay on the edge.  You must imagine the future and dive into the current R&D of innovation.  Being a futurist is staying on the bleeding edge of technology and this is just one facet of the risk mosaic.  The other and more human factor oriented component are the TTP's.  Tactics, Techniques and Procedures (TTP) are what you need your own "Opposition Research" team to be studying.  This is your opportunity to gather the intelligence on your competition and simultaneously look at your own vulnerabilities.  Sam Mamudi and Keri Geiger explain:
The U.S. Securities and Exchange Commission cited Wedbush Securities Inc. and Liquidnet Holdings Inc. for violations of stock market rules, taking tangible steps a day after Chairman Mary Jo White outlined her plan to improve Wall Street trading. 
Wedbush, which the SEC said is among the five biggest Nasdaq Stock Market traders, failed to vet clients who broke the law as they placed billions of dollars of transactions in the stock market, the regulator said. Two current and former Wedbush executives, Jeffrey Bell and Christina Fillhart, were also targeted in the complaint. 
Liquidnet, one of the biggest independent dark pool operators, agreed to pay a $2 million fine for not living up to client secrecy standards on its private trading platform.
So what?  The Rise of the Machine Traders:
In the beginning was Josh Levine, an idealistic programming genius who dreamed of wresting control of the market from the big exchanges that, again and again, gave the giant institutions an advantage over the little guy. Levine created a computerized trading hub named Island where small traders swapped stocks, and over time his invention morphed into a global electronic stock market that sent trillions in capital through a vast jungle of fiber-optic cables. 
By then, the market that Levine had sought to fix had turned upside down, birthing secretive exchanges called dark pools and a new species of trading machines that could think, and that seemed, ominously, to be slipping the control of their human masters. Dark Pools is the fascinating story of how global markets have been hijacked by trading robots--many so self-directed that humans can't predict what they'll do next.
So how do you mitigate the potential risk of a rogue algorithm? Some have devised a mechanism called a circuit-breaker. In other words, an alarm that something is not normal. Let's slow down until we can understand what is going on here. What are some other ways that we could potentially address the threat or the vulnerability? Was the "Flash Crash" a weak signal of a pending melt down of the complete system?

Or is this just the next natural phase of the future growth curve.  Who will you put your faith in for your next "Trust Decisions"...

operational risk