Blackhat: Corporate Counterintelligence Capability...

If you are an Operational Risk Management (ORM) professional you should invest time to see the latest movie on Information Security this weekend.  Michael Mann's latest production is entitled "Blackhat" and it has a few lessons learned including several stark reminders of the current state of industrial asymmetric warfare.

While you may laugh at some of the scenes, there are some effective learning points along the way.  Even better, consider inviting one of your corporate executives to the movie with you.  They could walk away with a better understanding of the active cybercrime and cyberterrorism syndicates that have global operations.

The motivations for these continuous cyber attacks in most cases can be described in one word, "Greed".  The human factors associated with greed continue to become more exemplified in the digital Internet of Things (IoT) domain year-to-year.  So what does Wired Magazine and Cade Metz have to say about this latest hacker movie?

For Parisa Tabriz, who sits at the center of the info-sec universe as the head of Google’s Chrome security team, it’s a Hollywood moment that rings remarkably true. “It’s not flashy, but it’s something that real criminals have tried—and highlights the fundamental security problems with foreign USB devices.” 

Tabriz will also tell you that such accuracy—not to mention the subtlety of the scene with the coffee-stained papers—is unusual for a movie set in the world of information security. And she’s hardly alone in thinking so. Last week, Tabriz helped arrange an early screening of Blackhat in San Francisco for 200-odd security specialists from Google, Facebook, Apple, Tesla, Twitter, Square, Cisco, and other parts of Silicon Valley’s close-knit security community, and their response to the film was shockingly, well, positive. 

Judging from the screening Q&A—and the pointed ways this audience reacted during the screening—you could certainly argue Blackhat is the best hacking movie ever made.

Hollywood, California is getting closer to understanding how to reach a broad audience who are interested in the commercial cyber thriller.  The cyber themed movies have been around for years including "Sneakers" with Robert Redford in 1992.  So what has changed, after all of these attempts to help illustrate the spectrum of Operational Risks impacting the corporate enterprise?  Sabotage on critical infrastructure is ever more present.  So what has remained the same?

Still to this day there remains a tremendous amount of complacency on the risk of "Insider Threat." To illustrate this further; what are some of the common factors in all espionage incidents in the U.S. since 1950?

• More than 1/3 of those who committed espionage had no security clearance. 
• Twice as many “insiders” volunteered as were recruited. 
• 1/3 of those who committed espionage were naturalized U.S. citizens. 
• Most recent spies acted alone. 
• Nearly 85% passed information before being caught. 
• Out of the 11 most recent cases, 90% used computers while conducting espionage and 2/3 used the Internet to initiate malicious contact.

What can a corporation do in an environment of competing resources for talent, new tools and an increasing focus on consumer privacy?  Having an effective counterintelligence program within your organization is paramount to preserving your intellectual property and the integrity of the U.S. industrial supply chain.  So where should you start?

Begin your organizations awareness building with a robust program on cyber security:

Welcome to the InfraGard Awareness Security Awareness Course - We all have a role to play in protecting ourselves and the nation from the impact of cybercrime and identity theft, and that role can begin in the workplace. 

The better you are at protecting your own workplace from cybercrime and identity theft, the fewer opportunities criminals, petty thieves, and even terrorists will have to exploit security vulnerabilities for their own purposes.

1. "What technologies do you want to protect from your competitors (e.g., R&D, supply chain, pricing and customer service information, contracts, production and maintenance records, etc.)  Do you believe you are adequately protecting them?  Can you rank these items by level of importance?  
2. What information or technology (including expertise in manufacturing, production, or operations) are foreign competitors lacking that keeps them from being competitive?  Identify the various applications (both military and commercial) of your product or service.
3. Do you have a reporting program in place to track how and where your critical/emerging technologies are being targeted by domestic and foreign adversaries?  If so, what trends have you seen?"

• Source:  FBI SPIN:  15-001

The genesis of any mature insider threat program beings with the strategic development of a robust counterintelligence capability within your Operational Risk Management (ORM) framework.  The future of your organization and the safety and economic security of the entire nation is at stake.