20 August 2017

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events, requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making— can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making".

This process involves the application of expertise, imagination, and conversation and the benefit of intuition without systematic, consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that don't have normal constraints.

Employing alternative analysis means that you can't “afford getting it wrong” and then you challenge assumptions and identify alternative outcomes. However, it may be of little use in today's growing non-state transnational threats and for ongoing criminal enterprise complexities. This is because there are so many considerable outcomes, consistent and perpetual changes, and contingencies for any single risk management process to be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with such machine learning threat intelligence systems such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free flowing “unfinished” production, whereby both human intuitions and more formal arguments are posted, and then challenged by those with alternative ideas.

Indeed, Web-logs are the mechanism for a facilitated contextual dialogue— the electronic equivalent of out loud sense-making.
"On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter- agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions been prolonged, disrupting the plan? --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.
In our modern day era of Twitter, Facebook and "Crowd Sourcing" technologies perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the information origin, providing ground truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? This story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence, are still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remains endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality, remains the ultimate privacy and civil liberties challenge. These respective governance guidelines particularly with regard to intelligence record systems and liability issues, must remain paramount:
  • Who is responsible for entering information into the Intelligence Records System?
  • Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
  • What types of source documents are entered into the Intelligence Records System?
  • Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?
Finally, community-based policing has developed skills in many law enforcement first responders, that directly support new domestic counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence, into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven and incorporates the citizens of the community to cooperate when called upon, to be aware of your surroundings and report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?
  1. Who poses threats?
  2. Who is doing what with whom?
  3. What is the modus operandi of the threat?
  4. What is needed to catch offenders / threat actors?
  5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?
Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrates on data that confirms, rather than discredits existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime.

Alternative analysis shall remain part of the intelligence tool kit, for more formal policy level work. Imagine the use of Intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative applications, at the finger tips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

13 August 2017

Capitol Hill: Zeros and Ones of Resilient Vigilance...

Walking past the Cannon House Office Building this week, on the way to a meeting at the U.S. Capitol, created some reflective thoughts.  As our Capitol came into full view, you have to wonder how many congressman have made that walk since the early 1900's?  How many representatives from across America contemplated whether their work was making a real difference, for their constituents and for our country.

The future of America is bright and our level of resilience as a nation has endured, yet we must remain vigilant.  There are thousands of people who get up every day and travel into the District of Columbia and surrounding suburbs, because they are Patriots and they care so very much about our growing Republic.  You have to see it in their eyes, to realize how much that is true.

Entering the South door on the House side, we proceeded to our meeting room, H-137.  As our small cadre sat down for a light meal, the focus quickly turned to our purpose for gathering.

National Security and Intelligence was the high level reason, yet the dialogue quickly drifted into what was an 80/20.  It seems that the "Cyber" related conversations these days are taking up about 80% of the nuances to Critical Infrastructure Protection (CIP) and for good reason.  The fact is, more than 85% of our nations Critical Infrastructure are out of the direct control and ownership of the government.

Private Sector companies and other non-government entities control 16+ vital sectors of the nations infrastructure assets.   They are the owners and operators of Energy companies, Telecommunications, Financial, Water, Transportation and our Information Technology Sectors and including the Defense Industrial Base to name a few.

What was not mentioned in the room over our 90 minutes, were some of the most sensitive issues confronting those on the front lines of the private sector critical infrastructure protection industry.  "Fancy Bear," "Eternal Blue," "Vault7" were on some peoples mind.  These references mean nothing to many of the "John Q. Citizens" in America who are working using smart phones and lap top computers at home, on the job or in our free lance economy.  Until these electronic tools are no longer functioning correctly.

So what?

Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June.

The owners and operators of Critical Infrastructure across the globe, are now operating on high alert.  The executives and policy-makers in discussion behind closed doors, around the U.S. Capitol understand the magnitude of the current problem-set.  Utilization of these exploit tools will continue by rogue individuals, Crime, Inc., and cyber terrorists that are no different than other examples in the physical world associated with IED's or weapons of mass destruction.

The Private Sector will need to step up its resilience and readiness game in the next few years, if not months.  The capabilities and Return-on Investment (ROI) for non-state actors to play in a whole new league, are becoming ever more apparent.

To continue our resilient vigilance across the nation, we will require a whole spectrum of new capabilities and some, that have worked for years...

05 August 2017

LIGHTest: An Open Global Ecosystem of Trust...

On the dusk of another day in Southern California, there are new TrustDecisions being made, that will impact how our IoT and Critical Infrastructure evolves in the decades ahead.  Operational Risk Management (ORM), will continuously adapt to our global future of "Achieving Digital Trust."

Yet, this innovative catalyst and consortium has been forming over the past year, from the European Union.  It is called LIGHTest.
"Lightweight Infrastructure for Global Heterogeneous Trust management in support of an open Ecosystem of Stakeholders and Trust scheme"
"This is achieved by reusing existing governance, organization, infrastructure, standards, software, community, and know-how of the existing Domain Name System, combined with new innovative building blocks. This approach allows an efficient global rollout of a solution that assists decision makers in their trust decisions. By integrating mobile identities into the scheme, LIGHTest also enables domain-specific assessments on Levels of Assurance for these identities."

Trustworthy computing is not new and it has been evolving since the beginning of the Internet with PKI.  What is encouraging and worth pursuing now, is a better understanding of the problem-set.

What is the real problem, that LIGHTest will address and try to solve?
"The DNS translates domain names that humans can remember into the numbers used by computers to look up destination on the Internet. It does it incrementally. Vulnerabilities in the DNS combined with technological advances have given attackers methods to hijack steps of the DNS lookup process.
They want to take control and direct users to their own deceptive Web sites for account and password collection to perpetuate their Internet disruption attacks and crime schemes. The only long-term solution to this vulnerability, is the end-to-end-deployment of a security protocol called DNS Security Extensions – or DNSSEC."
So what?

The Domain Name System (DNS) relies on these foundational entities for our Global Internet. Designated by letter, they are the operators of the root servers:

A) VeriSign Global Registry Services;
B) Information Sciences Institute at USC;
C) Cogent Communications;
D) University of Maryland;
E) NASA Ames Research Center;
F) Internet Systems Consortium Inc.;
G) U.S. DOD Network Information Center;
H) U.S. Army Research Lab;
I) Autonomica/NORDUnet, Sweden;
J) VeriSign Global Registry Services;
K) RIPE NCC, Netherlands;
L) ICANN;
M) WIDE Project, Japan.

Ref: http://www.root-servers.org

Now when you are just starting to understand the complexity of the problem that LIGHTest is attempting to solve, you add "Mobile Identities" to the dialogue.

It is one step towards trust to get machines to complete a transaction with integrity and consistent trustworthiness.  When you add the challenge of validating reputation and identities of people, the scale of the entire problem-set soars.  The geopolitical and organization boundaries that are now the state-of-play are tremendous.  The United States Department of Commerce is at the table.

Think about how far we have come in our technological history and enterprise architecture, with the pervasive use of communications satellites and 30 billion mobile devices by 2020, now imagine how far we still have to travel, to attain true "Digital Trust."  The infrastructure is global and the complexity is far greater than most humans can truly understand.  To trust one another, to trust transactions, to trust our machines and digital inventions implicitly.  That is our lofty aspiration.

LIGHTest is heading in an innovative direction, in the pursuit of greater trustworthiness and we have to keep reminding ourselves why:

Instilling fear in peoples minds about monetary losses, stolen intellectual property, hackers, cyber criminals and rogue web sites is important.  Buyer beware!  Stranger danger!  See something Say something.  WannaCry.  AlphaBay.  No different than wanted posters for bank robbers, fraudsters, or terrorists.
Companies, people, products or services that continue to serve up messages of digital fear, uncertainty and doubt, are in need of even more clarity and education.  The real problem-set to be solved is about trust and making more highly effective trust decisions, at increasing velocity...