31 May 2015

Trust Decisions: Human-to-Human Open Transaction Systems...

"Let us not look back in anger, not forward in fear, but around us in awareness"
-James Thurber-

When you become independent of the core group and the impact of your own bias, a whole new world unfolds before you.  The truth is discovered and the true reality becomes clear.  How often does the Board of Directors convene an emergency meeting as a result of a surprise Operational Risk loss event?

When you start listening to the explanation and you hear words such as "complex" and "3rd parties" this should sound an alert.  From the "Boardroom to the Battlefield" executive management is still flying blind on many fronts.  They have become so risk adverse, that in many cases the automated machines have taken over group think with their sophisticated high technology sensors.

Trusted sources from a human perspective are still the basis for vital decision support and monetary transactions.  Human-to-human information transfer via a trusted chain of sources is still thriving.  Trust is at the center of systems for significant transfer of information and assets to this day:
Hawala or Hewala (Arabic: حِوالة‎, meaning transfer), also known as hundi, is an informal value transfer system based on the performance and honour of a huge network of money brokers, primarily located in the Middle East, North Africa, the Horn of Africa, and the Indian subcontinent, operating outside of, or parallel to, traditional banking, financial channels, and remittance systems.
Does the Hawala have an emerging digital variant?  Why is the understanding of a blockchain-enabled digital ledger important in this day and age?  The reason becomes more apparent as we study how it works and where it is being utilized and for what purpose:

Example A
Silk Road was an online black market, best known as a platform for selling illegal drugs. As part of the Dark Web,[7] it was operated as a Tor hidden service, such that online users were able to browse it anonymously and securely without potential traffic monitoring. The website was launched in February 2011; development had begun six months prior.[8][9] Initially there were a limited number of new seller accounts available; new sellers had to purchase an account in an auction. Later, a fixed fee was charged for each new seller account.[10][11]
 Example B
NEW YORK, May 11, 2015 (GLOBE NEWSWIRE) -- Nasdaq (Nasdaq:NDAQ) today announced plans to leverage blockchain technology as part of an enterprise-wide initiative. Nasdaq will initially leverage the Open Assets Protocol, a colored coin innovation built upon the blockchain. In its first application expected later this year, Nasdaq will launch blockchain-enabled digital ledger technology that will be used to expand and enhance the equity management capabilities offered by its Nasdaq Private Market platform.

Importantly, the creation of a securities distributed ledger function using blockchain technology will provide extensive integrity, audit ability, governance and transfer of ownership capabilities.

"Utilizing the blockchain is a natural digital evolution for managing physical securities," said Bob Greifeld, CEO, Nasdaq. "Once you cut the apron strings of need for the physical, the opportunities we can envision blockchain providing stand to benefit not only our clients, but the broader global capital markets."
 Whether the "Digital Hawala" continues to thrive in the years ahead will depend on several key market issues.  Transparency, accountability and documentation.  Accurate record keeping.

At the center of this evolving system are two key attributes.  Speed and trust.  That is why you now see the private equity and venture capital community investing in companies such as Ripple Labs:
Ripple Labs (formerly OpenCoin) developed the Ripple protocol. Its team of experienced cryptographers, security experts, distributed network developers, Silicon Valley and Wall Street veterans contributes code to the open-source software and works with financial institutions and payment networks to accelerate the growth of the protocol. The team shepherds a movement to evolve finance so that payment systems are open, secure, constructive and globally inclusive.
"Trust Decisions" are at the heart of the future of trading, decision support and the speed of human knowledge.  The fusion of ancient and modern protocols for global commerce and achieving digital trust are on our door step.  Let your awareness begin...

23 May 2015

Memorial Day 2015: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2015, we reflect on this past year.

In order to put it all in context, we looked back 24 months to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was one of the 22 that day in early May that could not defeat the legacy of demons, that he fought each night as he fell deep asleep.

Memorial Day 2015, we honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have defended our freedoms for 238 years.  Simultaneously, we do the same for the "Stars" on the wall in Langley, Va for the officers who have done the same.

Whether you are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from an UAS.  We are all the same, in that the mission that gets each one of us out of bed each day.  Our countries "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
So this weekend as we walk among the headstones, reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continues...

17 May 2015

Feeling Vulnerable: The Risk of the Unknown...

There are Operational Risk Management (ORM) professionals down range today.  They operate in the shadows continuously in some facet of the OODA Loop.  Whatever the specific mission may be and from most any Lat/Long on the planet, these professionals are paid to "Think-Outside-The-Box" as the cliche says.  What is it that these ORM professionals fear the most?  Feeling vulnerable.

You may have had this feeling in your life at some point.  Whether those early days in high school when the jocks are ganging up on the geeks in between classes or in that special relationship with the opposite sex.  What about all those days, weeks or years when you were aspiring to get that next great job in the organizational hierarchy?

Were you ever politically vulnerable?  When you have the feeling that you are vulnerable, that could have several implications.  Psychologically and physically.  The question has to be asked.  As a person, what is vulnerable?  Your Ego.  Emotions.  Relationship.  Finances.  Health.  Career.  Reputation.  Or even your life, or the lives of people you are charged with to keep safe and secure?

Feeling vulnerable is not what humans like to have swirling around in their head when they go to sleep at night or wake up in the morning.  As an Operational Risk Management (ORM) professional, our job is to experience all of those feelings on a select and continuous basis.  We do this so that we know what impact these feelings will have on us, our family, friends, neighbors and co-workers.  How will each and all of us behave, under each of these special circumstances of vulnerability?

Why do we want to experience and record the behavior of individuals, systems and even the unexpected natural event from mother nature?  So that we can be more predictive and ever more resilient.  This improves our self-confidence and our ability to become more adaptive.  In life and in our chosen vocations, in your local town or the federated state.  In the nation or continent we live. The Operational Risk Management (ORM) professional is forever learning and testing, in order to survive another day.

When the sounds and smells of your particular battlefield have dissipated, or the feelings of the intravenous (IV) needles taped to the inside of your forearm are gone, your vulnerabilities are changing. When the touch of your loved one on your shoulder makes you cry, you realize that you too are now on your way to surviving another day.  Together.

Godspeed!

10 May 2015

Metadata: Evidence of Terrorism vs. Crime...

What are the enterprise risks when metadata is legally defined as property?  Operational Risk Management (ORM) professionals are on high alert these days.  The court systems within the EU and now the United States, are building new cases and establishing new arguments.

As a steward of data and providing oversight on the transparency of how information is tagged, sorted, stored and archived, the ORM professional is right in the middle of the debate.  Metadata relevance is known to those who have been practicing the science and art of digital forensics for years.

Does your organization issue corporate devices for use in the workplace or on the job?  What transparency was provided when the digital device was issued on the use and ownership of the data associated with the device?  How many pages is the "Acceptable Use Policy" at your organization?

These policies on Mobile Device Management (MDM) or Bring Your Own Device (BYOD) are not new, yet they are still evolving.  This is because the technology innovation is so far advanced than the current legal precedence or court rulings.  The law will always catch up to technology and now the law is getting to an important milestone.

This however does not change how our adversaries are operating.  The current environment over the relevance of data, or who owns the metadata on our mobile devices, will not change the appetite for those who seek the data or exploit systems to cause failure or destruction.  If all of the laws in our land would stop crime or malicious intent in its tracks, then we could eliminate the entire legal enforcement structure.

The General Counsel and the outside legal teams at your organization are already working to reduce the risk of adverse litigation by employees, partners and customers.  The Chief Privacy Officers (CPO) and Chief Information Security Officers (CISO) are working 24/7 in tandem to operate legally and to insure the confidentiality, integrity and assurance of metadata across the globe.  Unfortunately they operate in an environment that involves humans, using digital devices.

The legal frameworks are quickly responding to the rising digital crime rate across the globe.  They are weary of the "Asymmetric Warfare" being waged by nation states.  Plaintiff lawyers are now preparing their new privacy and data breach cases on a weekly basis.  Organizations are seeking avenues of "Safe Harbor" by using certain products inside their infrastructure.  Yet will this all stem the tide of what weapons the adversaries are deploying, to perpetuate their business or espionage models?

This brings us to a prediction.  We predict the rise of metadata evidence that proves that organizations are the victims of cyber-terrorism, not cyber-crime.  Terrorism not fraud.  And now the courts and the jury pools will now decide what metadata is evidence and what the definition is of "Terrorism" in the cyber realm.  Marketing is a powerful engine to influence buyers.  Buyer beware:
"Last week, the Department of Homeland Security (DHS) certified FireEye under the SAFETY Act, providing their customers protection from lawsuits or claims alleging that the products failed to prevent an act of cyber-terrorism.
The news of the certification was reported by FireEye in a press release, and stipulates that FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are the two products now on the SAFETY Act approved technologies list."
"The core of this is something we’ve been debating for a while: the definition of terrorism, and whether or not it can apply to cyber-stuffs. The end result looks like a legal get-out-of-jail-free card for businesses that use FireEye, but for that to actually happen, it seems like we’d need a computer-related incident or breach to actually be declared an official 'Act of Terrorism' by the US government."

03 May 2015

Human Behavior: Learning in a New Age of Unreason...

The Human Factors in our organizations continue to be a tremendous challenge.  Operational Risk Management (ORM) has a focus on human behavior because it remains an unpredictable catalyst for substantial loss events in the enterprise.

The decision to trust, is an art that is quickly becoming more of a science.  The ability for the human being to utilize our God given senses of sight, hearing, touch, smell and even cognitive intuition is just not enough to protect us, within our pervasive and expanding digital ecosystem.

Insider information leaks.  Spear phishing.  Intellectual property theft.  Industrial espionage.  You name the vectors involving a human being and you suddenly realize the size and the magnitude of the digital challenge ahead.  The Board of Directors and Executive Management are consistently reminded by the General Counsel about the "Duty of Care" with employees, partners and allies.

So what does all this have to do with your current state of running your organization?  Believe it when we say, that you are not spending enough time or the correct focus of time changing human behaviors in your enterprise.  Historically, the plaintiff lawyers, the States Attorney General or the thousands of international "Black Hat" nation state hackers will make you pay, one way or another.

Your favorite Big Four consulting firm will talk to you all day about errors, omissions and fraud.  The Chief Security Officer (CSO) is operating a sophisticated Security Operations Center (SOC) gathering situational awareness on a 24/7 basis.  So why are we continuously amazed and surprised at our own human behavior and what we are capable of doing?

By now, you have been lectured in depth about having a Layered Defense.  You may have even been told you need an "Active Defense".  Are you still testing new tools and corporate training programs to influence the human behaviors that will ultimately defend or compromise your organization?  Do you recognize the acronym MDM?  Are you as well prepared as you could be for tomorrow's digital work day?  In the cockpit, behind the desktop or navigating at night, across an environmentally austere foreign terrain.

Depending on your up bringing and how you were raised by your parents influences each of us, individually.  Even the types or the content that is taught to us by the institutions we attended in our lifetime, has some impact.  Who do we trust?  What do we trust?  When do we trust?  Why do we trust?  How do we make our "Trust Decisions"?  Trial and error, alone?

Trial and error to this day is a powerful way to change human behavior.  Yet without the continuous education and training to produce new habits and to reinforce quick and sustained responses, it is futile.  The long term reinforcement of human learning changes behavior, with the right incentives in place.  The correct rewards are necessary for the human being to continue achieving, testing and adjusting to any dynamic environment.  At home, at work or out on the frontier of a new and unfamiliar place.  It is a system.  One that we shall design, engineer and replicate with precision.

So the New Age of Unreason is now our Operational Risk Management (ORM) challenge:
  • First, identify where active learning systems are operating within your organization.  There will be formal systems within your HR or training departments, but where are the informal learning systems located; where are the mentors?  Good and rogue actors will exist.
  • Second, document each of these formal and informal learning systems within the enterprise.
  • Third, catalog the human behaviors that each are influencing to serve your customer and/or to protect the organization.
  • Finally, build an interactive learning systems matrix, so that you have the context you need to redesign, upgrade and fill the gaps as you embark on your new learning mission.
We are reminded of the wisdom of Charles Handy:
"We may not, individually, be able to make the world safer from nuclear war, or to preserve the rain forests better, or to keep the ozone layer intact, but, as I argued in the beginning, it is often the little things of life that matter most, the ways we work and love and play, the ways we relate to people, and the manner in which we spend our days as well as our money.  These things we can affect.  We do not have to accept them as they are.  The Age of Unreason is inevitably going to be something of an exploration, but exploring is at the heart of learning, and of changing and of growing.  This is what I believe, and this is what gives me hope."