30 April 2017

Complacency Risk: The Next Attack...

 In Ronald Kessler's book "The Terrorist Watch" you get the impression that this journalist, author and nonfiction story teller is walking a thin line. A line between telling us too much, because it could compromise national security and not telling us enough, so that the public can really visualize what the truth is.

"Inside the desperate race to stop the next attack". This book tag line says it all.
Drawing on unprecedented access to FBI and CIA counterterrorism operatives, New York Times bestselling author Ronald Kessler presents the chilling story of terrorists’ relentless efforts to mount another devastating attack on the United States and of the heroic efforts being made to stop those plots.

Kessler takes you inside the war rooms of this battle—from the newly created National Counterterrorism Center to FBI headquarters, from the CIA to the National Security Agency, from the Pentagon to the Oval Office—to explain why we have gone so long since 9/11 without a successful attack and to reveal the many close calls we never hear about. The race to stop the terrorists, Kessler shows, is more desperate than ever.

Never before has a journalist gained such access to the FBI, the CIA, the National Counterterrorism Center, and the other agencies that are doing the unheralded work of finding and capturing terrorists.

Ronald Kessler’s you-are-there narrative tells the real story of the war on terror and will transform the way you view the greatest problem of our age.
OK, so what? So how does this war on terror and media leaks within the context of Operational Risk impact your institution or organization? Here are a few ways:
  • Will your company have staffing challenges as a result of new immigration legislation or limits on H1-B Visas? Remember the 9/11 hijackers?
  • Will your institution require new systems and processes to meet increased compliance or regulatory mandates? Remember the Patriot Act?
  • Will you or a senior staff member be the target of a kidnapping, ransom or extortion plot at the hands of a terrorist cell? Remember Danny Pearl?
  • Will your organization be impacted by the leaks in the press regarding your operational strategy or Board Room discussions? Remember pretexting at Hewlett Packard (HP)?
Sharing information. Too much or not enough. The paradox of our generation as we all go digital. The speed of business in the connected economy and 24 hour news cycles has created a beast that will not ever be tamed or controlled.

Operational risks are a result of the continuous challenges to the collection, dissemination and analysis of information. Think about your own institution and those who hold the keys to the most valuable information.

Those who disclose operational secrets could be putting that "deal" in jeopardy just as easily as putting that "life" in harms way. Those who try to sleep at night in close proximity of their "Blackberry" know the feeling of information overload, or starvation. Both represent operational risks that keep the same people grabbing the Prilosec OTC or the AmbienCR.

Ronald Kessler's book is a wake-up call for all of us in the United States. A Presidential election is behind us and there has been over eight years of testing and waiting by those who wish to do us harm.
"To many fail to recognize that al Qaeda's long-term goal is to send the US the way of the Roman Empire. And too many in the press are willing to take the chance of compromising the lives of innocent Americans by running stories that gratuitously disclose operational secrets."
The risk of complacency is and will continue to be our greatest threat...

22 April 2017

Go Fast or Go Far: Professionals of Operational Risk...

As the sun sets less than a mile from the Pacific ocean, dozens of security researchers from across Los Angeles are converging on this modern technology office park.  The meeting presentation this evening, will be focused on unveiling vulnerabilities within one of sixteen U.S. Critical Infrastructures.  Why?

Operational Risk Management (ORM) is a discipline that is a dynamic matrix, of columns and rows of the architecture and intersections of your entire enterprise.  The places and ways that the organization is exposed to potential failures of people, processes, systems or other external events.

Think about how many people you have working with you, the number of locations they work and travel, the number of technology devices running software to compute algorithm operations to enable your particular mission.  Think about all the potential ways that adverse weather and natural disasters or the simple loss of electrical power or communications in a few square blocks of your city, will impact you today.

Security researchers are also converging into a conference room somewhere in your organization this week, to discuss and show evidence of your organizations vulnerabilities today.  They might be experts in "Ruby on Rails" or how to optimize "SecDevOps".

They might be experts in counterintelligence or the detection of rogue/activist human behavior by analyzing open source social media.  They might be experts in using offensive tools, operating armored vehicles and flying aircraft into hostile environments.  Among them are also your legal experts in privacy and regulatory compliance.

Why these individual professionals are working 24x7 to expose, document and provide evidence of your vulnerabilities is complex.  Yet you should know, that they are doing it because they understand that your adversaries are also hard at work, to do the same.  Is it a competitor or a nation state?  Is it a disgruntled employee or an external extremist?  Is it the next tornado, hurricane or earthquake?  The landscape is vast and is continuously changing by the minute.

As an executive within your organization, when was the last time you devoted an hour or even two, to lock yourself in the same room with your Operational Risk professionals.  To see what they are working on to Deter, Detect, Defend and Document, all that is happening in their environment today.

What if you had that hour to turn off your busy executive life and so what might you learn?
You might learn that your organization is being attacked every day by "Spear Phishing" experts from the other side of the globe.  More importantly, the source of the attacks is by an organized cadre of criminal experts in social engineering and SQL injection.

You might learn that one of your employees has set up a Twitter account with an anonymous user name and identity.  The daily "Tweets" are telegraphing your corporate strategy to your competitors or leaking proprietary internal protected information about rogue co-workers behavior.

You might learn that the Commercial-Off-The-Shelf (COTS) sensor you utilize within your flagship transportation vehicle, is being exploited by a highly trained clandestine military unit from another country.

You might learn that a key manufacturing location is about to be surrounded by environmental activists who are planning to camp out on your entrance until their demands are met.
So what?

The question is necessary to get to the bottom line.  It helps to define the purpose for why you have these resources working with you.  The reason that they are working 24x7 to keep you and your organization even more aware and resilient.  Why they are converging on a conference room in Los Angeles after working all day to learn about new vulnerabilities?

Take the time this week to meet with them.  Ask them the question.  Listen to their answers.  You might be surprised at what you hear.  You will probably learn something new.  Work with them to improve the Operational Risk Management (ORM) capabilities and functions within the enterprise.

"If you want to Go Fast go alone.  If you want to Go Far, go together".
--African Proverb

15 April 2017

Insider Threat: Duty of Care in the Workplace...

The summer of 2017 is approaching and soon thereafter the world will view the new documentary film "Risk" by Laura Poitras, about Wikileaks founder Julian Assange.  This week in Washington, DC, the CIA characterized Wikileaks as a "non-state hostile intelligence service".

Almost the same day, another case of insider threat was unveiled by the US Attorney for the Southern District of New York.  The alleged theft of proprietary trading code for a trading platform from a financial services firm by a software engineer named Dmitry Sazonov will not be the last case in 2017.

The ongoing theft of trade secrets and proprietary data from both private organizations and our governments remains a global epidemic.  A tremendous amount of effort continues by Operational Risk Management professionals, to address the growing plague.  Insider Threat's as a whole and the theft of trade secrets, continues as a significant challenge for CISO's, Chief Privacy Officers and the Human Resources executives.

Whether the incident is the lone software engineer, the contractor analyst, or a disgruntled employee does not matter.  They all are motivated for different reasons to carry out their actions as a "Trusted Insider".  Mark Pomerleau explains that technology alone may not be the answer:

Insider threats have disclosed and improperly removed troves of sensitive information from government networks that compromise secrets and highly secretive security programs. While various technical and cyber-enabled monitoring tools have been applied to prevent such actions, the intelligence community’s top counterintelligence officer believes understanding the human element is the most important component.

“The mind of the insider threat: That is what I believe to be the critical component of stopping, if we can,” the individual that wants to be nefarious and do malicious behavior, said William Evanina, the national counterintelligence executive within the Office of the Director of National Intelligence.


All the technology and software will not be able to eliminate this kind of "Insider Threat" for continuous monitoring.  It is however a key component no different than any other layered-defense risk management system.  Sometimes, it just comes down to good management practices from one person to another.

The education necessary for mid-tier management is imperative, if this layer of defense in the enterprise is going to work effectively.  Observing first hand an fellow employees behavior in the workplace or after hours in social settings, could be the "Early Warning System" each organization has been seeking for decades.

The learning and education associated with elevating managements understanding and policy implications in the workplace around counterproductive work behaviors is vital.  A malicious insider who is trusted in the workplace environment may be there operating for years.  Yet what are some of the key areas of observable behaviors:
  • Production Deviance:  Poor attendance, poor quality of work, misuse of resources and time
  • Property Deviance:  Destruction of property, misuse of information and theft
  • Indirect Aggression:  Unsafe behaviors, politically deviant behaviors
  • Direct Aggression:  Inappropriate verbal or physical behavior
Source:  Assessing The Mind of the Malicious Insider  White Paper - Security Policy Reform Council - INSA - Insider Threat Subcommittee
"Introducing sophisticated new tools and effective monitoring immediately raises a host of questions that require further discussion to assess how best to incorporate them in Continuous Evaluation programs. These include how to balance privacy and security, assess the impact on workplace morale, determine the triggers for undertaking additional monitoring and action, and incorporate oversight and protections for civil liberties."
The 21st century organization with flexible work schedules, telecommuting, work from home policies and the utilization of cloud computing will accelerate the "Insider Threat".  The naive enterprise that perpetually operates without a comprehensive education and continuous learning program in place, does so at its own peril.

Simultaneously, the organization shall utilize the corporate governance tools known for years as the Office of Professional Responsibility, Employee Assistance Program (EAP) and other emerging capabilities such as Ginger.io.

You have an opportunity to provide your organization with the protection of your intellectual property and trade secrets, while synchronizing the privacy and civil liberties of your employees.  Wikileaks or some other entity will exist for years to come.  Your particular "Trusted Insider" will not be the last person to steal proprietary or classified information or be the perpetrator of workplace violence.

As a senior executive in your organization, your "TrustDecisions" will make the Duty of Care difference...

09 April 2017

Critical Infrastructure: Maritime Cyber Resilience...

The Maritime Cyber Resilience evolution continues in the United States.  Strategic ports for commerce and our Transportation Command (TRANSCOM) of the Department of Defense, are adapting to the threat.  The Critical Infrastructure Protection domains and the Operational Risk Management professionals are continuously on alert.

The resilience standards for protecting the Critical Infrastructure of U.S. ports and the Cyber domain, traditionally would fall to U.S. Homeland Security and then the United States Coast Guard (USCG).  TRANSCOM also has its own Cyber components that may interface with the seaport maritime infrastructure including our commercial ports.

There is significant collaboration that must be coordinated with commercial private sector carriers and companies:

Military Sealift Command (MSC) provides high-quality, efficient and cost-effective ocean transportation for the Department of Defense and other federal agencies during peacetime and war.

USTC will execute sealift movements through Military Sealift Command (MSC) and Surface Deployment and Distribution Command (SDDC). Planners within these organizations will work together to provide optimal transportation solutions that are cost efficient and operationally effective and are within policy and law.

  • Surface Deployment and Distribution Command (SDDC) provides commercial sealift for customers through Liner Service.
  • Charter vs. Liner Vs Organic: By policy USTRANSCOM must consider commercial assets before organic assets. Charter and Liner services are commercial methods of moving cargo with different benefits.
How vast is the Cyber landscape for the U.S. Coast Guard's mission regarding Homeland Security across the maritime facilities across the nation?
The U.S. Coast Guard (USCG) oversees approximately 800 waterfront facilities that, among other activities, transfer hazardous liquids between marine vessels and land-based pipelines, tanks or vehicles. These “maritime bulk liquid transfers” increasingly rely on computers to operate valves and pumps, monitor sensors, and perform many other vital safety and security functions. This makes the whole system more vulnerable to cybersecurity issues ranging from malware to human error, and is the reason behind a new voluntary cybersecurity guide for the industry.
 So what?

The current cyber threat environment for TRANSCOM is a parallel focus with the USCG, as they are both operating at commercial maritime facilities and seaports.  The single set of standards they rely on for establishing, maintaining and testing their respective Cyber Domain readiness, is the NIST Cybersecurity Framework:

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order "Improving Critical Infrastructure Cybersecurity" has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.

TRANSCOM and the USCG are both operating in maritime domains, in concert with private commercial enterprises.  The growing interdependent systems being utilized for cargo logistics, navigation and other computer automation systems, provides some insight into the vulnerability landscape from a Cyber perspective.

Still to this day, other Critical Infrastructure sectors that are far more advanced in their defense of their Cyber domains, are trying to increase their resilience.  The current nation state adversaries who are operating within the Financial and Commercial Facilities sector alone, gives us some degree of awareness on the magnitude of the current problem-set.

Utilizing the NIST standard across Critical Infrastructure sectors as the baseline is only the start.  Raising the bar of Cybersecurity Readiness and Defense across the maritime and seaport domains adds tremendous new challenges.

As the U.S. Department of Defense moves personnel, supplies and utilizes commercial port facilities they will be constantly interacting with private sector entities and assets they have little control over. The Cyber domain vulnerabilities that may occur with these commercial enterprises is unknown.  The U.S. Coast Guard does not regulate the commercial companies and their state of Cyber readiness directly:

American ports, terminals, ships, refineries, and support systems are vital components of our nation’s critical infrastructure, national security, and economy. Cyber attacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyber attack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country.

In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems. While only some cyber attack scenarios in the maritime sector could credibly lead to a Transportation Security Incident, we must identify and prioritize those risks, take this threat seriously, and work together to improve our defenses.


The Maritime Cyber Resilience challenges are similar to other Critical Infrastructure sectors, yet how mature is the collaboration with Defense, Homeland Security and Commercial Private Sector organizations?

01 April 2017

True North: A Decision to Trust...

When you awakened this morning did you immediately know your "True North"?  Are you heading in the direction of your passion in life?  How do you know when you are off course and need to correct your path before it is too late?

This metaphor for knowing and feeling whether you are on the right path for your passion, begins with a visual sign.  A star in the distance to keep you focused and on track.  A reminder.  You know the one I am talking about.  Maybe it's the magnet on your refrigerator.  Is it a person?  Is it a place?  Or just a 3M Post-It note, placed strategically at your desk, to keep you centered.

Your particular "True North" is what keeps you going every day.  At certain intervals however, course corrections are always necessary, yet you don't want to deviate too long away from your desired outcome.

Any Operational Risk "Professional" understands the true mission because somewhere along the path, they have encountered difficulties and significant hardships.  And they have adapted.  They have pivoted.  They have endured the negative emotions and counter productive environment, to survive another day.

Now, think about the most difficult time in your life and how you were able to navigate back to "True North".  How did you do it?  How were you able to stay on course?  This is how.  You made a series of "Trust Decisions".

You made a decision to trust someone, something or some direction to navigate towards your "True North".  Who is it?  What is it?  Where is it?  Perhaps more importantly, Why is it?

Whether you are heading in the right direction requires a perseverance and a belief.  It means that you will have many emotions as you travel forward in the hours, weeks, years and decades ahead.  You can expect that to be the case, no matter what happens.

As you navigate your path towards your "True North" you must reflect along the journey.  What have you learned?  Why is this important?  It is because of these lessons and the knowledge that you have learned, that will now make a difference and influence your next "Trust Decision".
  • A Decision to Trust incorporates data that comes from a network of sensors.  These points of data collection are important to the future of your survival.  They are where you must continue to improve, correct and test in order to be assured that they are operating effectively and as planned.
  • A Decision to Trust is a series of calculations, that involves the data you are collecting from sensors.  The calculations and formula is different for each node or mechanism, that you are utilizing to achieve the outcomes you seek.
  • A Decision to Trust becomes automated, once you have the highest assurances that you can rely on your sensors and believe in the calculations.
Once you have determined your course and are relying on your sensors to be accurate, discipline is the final quest.  What discipline do you follow?  This is where you may now have the greatest risk of failure.  The risk you deviate from your discipline.  You forget your "True North".

Your direction and your ability to reach your destination, will be ultimately determined by your discipline...

God speed!