26 January 2019

Davos 2019: A War on Trust...

As the World Economic Forum Annual Meeting comes to a close in Switzerland, "Trust Decisions" are on our mind.
"The corporate, political and cultural elite gathered in Davos are expressing worries about a disturbing trend: The erosion of public trust in institutions and companies.

World Economic Forum attendees said the lack of faith in everything from governments to social media platforms is hampering innovation and contributing to widening inequality."
 Why?

Over five years ago the new rules for business and the Net were in plain sight.  Articulated in a way that most business owners, CEO's of global enterprises and even our politicians could understand.

Yet at this years Annual Meeting, trust is becoming a buzzword in the panel discussions and around the dinner tables in Davos.  How might the institutions attending the World Economic Forum, strive to build a planet where "Achieving Digital Trust," is the basis for starting a business or at ground zero of creating a new product?

In 2015, Jeffrey Ritter published his book:

"In reading this book, you will explore and acquire an entirely new portfolio of tools and strategies to help shift the momentum of that war. As in any combat or battle, to succeed, it is essential for you to understand what is at stake. What we are facing is more than a war to control information. It is a war on our ability to trust information. Yes, a war on trust." Achieving Digital Trust by Jeffrey Ritter

To presume the trustworthiness of information is now a continuous question. GDPR and other forward leaning regulations are beginning to shape the way we design our systems.

So what?

How will those citizens and consumers that are devouring information from that electronic photography and RF device in the palm of their hand, think differently in the next few years?

How will the designers and engineers of Samsung, Apple, IBM, Amazon, Google, Facebook and others architect their new software and solutions with trust embedded in all that they produce?

When will our citizens understand that not selling your data, does not actually mean that your data has not been given away for free?

The future of our institutions, governments, products and relationships must be built on trust.  As you sit across the table from your editor, your CEO, your elected official or your senior software engineer you must ask the question, how will we achieve digital trust?

What if there was a Green, Yellow, or Red banner across the top of the display screen, as a quick identifier whether the information being delivered and displayed was in compliance with the new "World Digital Trust Standard"?

Yet we know that "Green Padlocks" in front of our URL and the "Privacy Essentials" grade in the top of our browser, just isn't enough.  Especially when we know that there are U.S. DHS Emergency Directives such as 19-01 in place:

"In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents1 involving Domain Name System (DNS) infrastructure tampering." 


Jeffrey Ritter is correct.  It is a war on our ability to trust information.  Do you understand what is at stake in your nation state?  Your organization?  Your household?  Yes, a "War on Trust"...

19 January 2019

International Risk: Cyberwarfare Rules of Engagement...

When the financial private sector views the actions of government, in terms of regulation and compliance, it is often considered another risk to its operations. Why? More rules and the need to report on oversight, creates new obstacles to other more valuable revenue producing activities.

CDOs were a focus in the movie "The Big Short" and is an example of a financial product that explains why the government regulation mechanisms continue to exist. Yet the implementation of internal controls, to thwart the embezzlement of funds or the theft of proprietary intellectual secrets, is something that is encouraged and welcomed in the banking community. This paradox is something that continues to occur in the cyber risk management domain.

The dawn of Internet banking, spawned many of the Operational Risks associated with using public networks for our various banking transactions. The oversight of cyber risk management in the financial institution, is still a major challenge yet becoming more mature by the day.

Government is more effectively learning how to apply the right oversight with private sector institutions, through the use of International Standards such as ISO 27001 and NIST best practices to protect Critical Infrastructure.

The newest strategies for cyber risk management have been a robust topic of global conversation. New reports on the origin of state sponsored hacking and cyber crime data breach incidents, has produced some new theories on how to address these international Operational Risks:

"Deadly force against organized hackers could be justified under international law, according to a document created by a panel of legal and cyber warfare experts. Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I. Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press."

Even the most knowledgeable cyber experts, are at odds over the topic of "Active Defense" and the use of asymmetric cyber force, to retaliate against a so called attack or denial of service. A kinetic response is much more clear, based upon the source or attribution evidence of the attack. In the cyber domain, the word "Attribute" has some very interesting ramifications.

The State-of-Play will remain the same and for good reason. The governments of the world do not have issue with each other performing reciprocal cyber espionage. This practice is just a new version of intelligence collection and the next manifestation of Tinker Tailor Soldier Spy. However, if there should be any visible or kinetic damage to infrastructure, then the Tallinn Manual will be a vital resource for all. The question remains, what is a cyberattack? Jim Lewis said over five years ago:
“Cyberattack” is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions, China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn’t even a crime under international law, and it wouldn’t be in Washington’s interest to make it so."
  Cyberwarfare Rules of Engagement remains a significant international Operational Risk...

12 January 2019

4th Generation Warfare: Insider Risk...

Flashback to 2010.  Over 8 years ago, this author discussed the situational awareness and the implications of the "Stuxnet" malware that was being investigated by international authorities. In January 2011, the New York Times published a more detailed set of facts and a hypothesis that the sophisticated "worm code" was tested in Israel:

William J. Broad, John Markoff and David E. Sanger.
The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.
4th Generation Warfare (4GW) and the implications for global critical infrastructure organizations is obvious. The Operational Risks associated with targeted infiltration of systems that control machines, manufacturing processes and software that manages transportation, has now changed the baseline for where to begin mitigating this asymmetric threat.

Executives then and to this day, realize the continuous requirement for improved focus on the "Insider Threat" to their systems operations. Why?
This particular worm was initially delivered by a USB Thumb Drive according to various reports. This means that someone would have to have been inside the facility targeted for the attack, to actually introduce the malware to the actual system controller. A person within the perimeter of the organization with this single device, could set the chain reaction in motion.

Whether you are a major manufacturer or an electric utility doesn't matter. The person you trust to access systems inside the organization, is the basis for mitigating this type of attack. Most important is the scrutiny associated with the extended supply chain of semi-trusted contractors or others known to the organization. 
All of the back ground checks and other methods for determining someone's character will not be the major deterrent to a worm introduced internally to an Intranet, with the use of a USB thumb drive.

So what is the answer to address this threat?
A TSA-style check, scan and pat down at the entrance to every commercial enterprise that has computers inside with open USB ports? This is very unlikely in the near term for most facilities.

What about disablement of the technology itself, that turns off the ports themselves on each system inside the organization perimeter? This solution is more likely to deter many opportunities for this type of USB style attack to occur, yet still doesn't remove all of the risks against another possible vector to the network through a CD drive as an example.
Regardless of the method or the controls you employ to mitigate this risk, it will not eliminate the entire threat from your organization. Even the use of a "Digital Sandbox", Endpoint security measures or other methods to disable ports on systems will entirely lock down your organization.

There is only the ability to create a more resilient and durable environment to survive a significant business disruption. The mind set shift to durability and the latency to recover, now becomes the new strategy for these kinds of risks.
Using a strategy for "Business Resilience" is one that requires significant resources, a Global Security Operations Center (GSOC) and a committed management team. The ability to survive is the first part of the process and how soon you return to full operational capability is the metric. How long does it take to bounce back to normal from a major crisis, in your organization?

The ability to manage emerging risks, anticipate the interactions between different types of risk, and bounce back from disruption or crisis, will be a competitive differentiator for companies and countries alike in the 21st century.

Homeland security is often seen as a protective, even defensive, posture. But Maginot lines are inherently flawed. Fences and firewalls can always be breached. Rather, the national focus should be on risk management and resilience, not security and protection.
Resilience—the capability to anticipate risk, limit impact and bounce back rapidly—is the ultimate objective of both economic security and corporate competitiveness...

05 January 2019

Quantum Governance: The Rules of Trust...

People are learning to trust an AI, to make decisions on their behalf.  This will change our world exponentially in the next 10 years.

Now that we have reached connectivity to the Net with 50% of the human connected population, the AI of the IoT will be a growing trust factor in our daily lives.

We are accelerating beyond the simple tools of trusting that the answers to our questions are correct from "Siri" or "Alexa."  Accepting the trusted route from Google Maps on the most ideal navigation to our destination is already a given.

Beyond the consumer, the "Algo Bots" and Algorithmic Trading have already replaced the previous years of approximately 600 Goldman Sachs traders with 2 people, to oversee daily operations on the floor.  There are others who have already predicted the replacement of other human operators in various public and private decision-making bodies.

So what?

Trust Decisions in the next decade will be augmented by "Artificial Intelligence" on a more frequent basis.  That is already a given for many groups of decision makers across the globe.  The question is, how will governments begin to regulate AI?

Who will be in charge of making sure that the code and the algorithmic activity is correct?  That the rules behind the Trust Decisions are correct?

You see, as the software becomes more invasive in an individuals daily life and we rely on it for the truth, governments will be involved.  They already are.

The "rules for composing the rules, that lead to millions of peoples trusted decisions is at stake.  Maybe even more so, the evolution of "Quantum Law."  For those thought leaders such as Jeffrey Ritter who have for years been so keen to articulate the emergence of the thought of governance of unstructured data, there is this:
"We are moving from a time in which we presume that all electronic information is true to a time in which we can affirmatively calculate what it is and know the rules by which it is governed on the fly," Ritter said. "That's quantum governance."
You realize that the words will live on for eternity and for others to always contemplate.  That is a given, that all of us shall be considering for our future, sooner than later.

So how might decision making bodies such as the U.S. National Security Council (NSC) utilize AI?  Greg Lindsay and August Cole have already addressed this years ago with METIS:

"The result is a national security apparatus capable of operating at, as you like to say, “at the speed of thought”—which is still barely fast enough to keep up with today’s AI-enhanced threats. It required a wrenching shift from deliberative policymaking to massively predictive analysis by machines, with ultimate responsibility concentrated in your hands at the very top."

In 2019, begin thinking deeper and longer about your TrustDecisions...