Showing posts with label 4GW. Show all posts

30 August 2025

Proactive Measures: Beyond the Perimeter...

Operational Risk Management requires both proactive and passive measures that encompass a comprehensive organizational strategy. Odds are that, to this point, you have devoted a majority of your time and resources to the passive mode of preparedness and defense: a reactive, alert-oriented focus. The time has come to change the priorities and to increase the allocation of strategy on the "Active Measures." Why?

Stuxnet is and was ground zero for a new generation of digital infrastructure cyber weapons.

The attribution game is still going on, with several suspects for who actually developed, tested and deployed "Stuxnet." This is not as important as the realization that sitting back and waiting in passive mode for the next variant or hybrid cyber weapon to attack your critical infrastructure assets is not a viable strategy.

"The most advanced organizations are now taking the "Proactive" stance to not only detect changes in their environment in a more real-time mode, but they are starting to hunt down the attackers."

There is a decision point where you realize that the passive mode will not buy you time nor will it redirect your attackers to other more vulnerable assets. Your organization will continue to operate with the goal of serving your clients, members or customers yet simultaneously a "SpecOPS" team of internal experts will be monitoring, measuring and exercising tactics to legally neutralize the threat before them.

Commercial and non-governmental entities are creating the means and the capabilities to deter, detect and document who is attacking their digital systems and where they can be found. This intelligence is being shared within the private sector organizations to determine fingerprints, modus operandi and other evidence that is required to effectively hunt down the attackers. The next challenge will be how to package this and make sure that the proper authorities are notified in a timely manner.

There is no longer a solution that is wide enough or in depth enough to be distributed across a whole spectrum of companies or organizations. The answers will be specific, customized to the unique environment and infrastructure that comprises a particular enterprise.

In order for that specification to be developed internally and provided to the correct people, you have to have the internal mechanisms in place to know in real-time what is changing and how fast it is changing from the normal state.

Is your view beyond your own perimeter? Are you looking for the anomalies that are over the horizon and could impact your network soon? It's one thing to look at the changes to your own perimeter but what about the intelligence on providers and ISP's somewhere on the other side of the planet? Do you know where your packets are going and how they are being routed?

"In a savvy Operational Risk Management enterprise, the "Corporate Intelligence Unit" (CIU) is alive and thriving."

A proactive intelligence-led investigation doesn't begin with a phone call from someone who says, "My system is down" or "What does this Blue Screen mean?"

It doesn't start when your VP, Research & Development suddenly leaves the company for no apparent reason. Intelligence-led operations will continue to be the aspiration of many, yet only possessed by a few.


05 September 2023

Secure: Find it...

What are you and your team doing this week to create a “Secure” environment?

Your organization is counting on you for all that defines this adjective:

Secure

adjective

se· cure si-ˈkyu̇r  -ˈkyər

securer; securest

1a: free from danger

b: affording safety

c: TRUSTWORTHY, DEPENDABLE

a secure foundation

d: free from risk of loss

2a: easy in mind : CONFIDENT

b: assured in opinion or expectation : having no doubt

How are you creating and maintaining a continuously “Secure” workplace, church, school, home, transportation system, main street or entire country environment?

It’s not the role or responsibility of One person. One department. One agency. One camera.

"Leadership as a CEO, Principal, Parent, Mayor or President requires you to continuously pursue a more “Secure” environment that requires focus and a persistent innovation mindset."

Your family, your employees, your town and your own nation are watching you.

You may think you understand the problem-set. You might try to use one tool. You will learn that you must continuously adapt. Build prototypes. Test again.

Your creative ability to change on the fly, your capability to act faster than the threat will make all the difference in your counter-response.

What are you measuring this day, week or month to determine what and where you need to adapt?

It is not always what you will be able to hear, smell or see with the naked eye. This is why innovators designed detectors, radar, alarms, cameras and even binoculars.

Asymmetric threats to our environments are Invisible. Undetectable. Irregular. Disordered. Atypical.

So what?

All of us, into eternity will remain responsible for our “Secure” environment.

Whether it may be in your global neighborhood, on campus, at the Mall, in your software, undersea, aerial or to Mars, you too shall have a role.

Find it…

14 May 2022

Metadata: What, Who, Correlate...

As you scrolled through your digital feed today on your favorite Social Media App, what did your finger stop and pause upon?

Was it a particular person you were connected with, who was posting a question Poll?  Why this person?

Was it a specific topic of political interest with a headline that caught your attention? Why this topic?

Was it a picture of your favorite place in the city you live in?  Why this picture?

Maybe it was a combination of all, so you then took the time to do some more research, some background, to try to satisfy a curious state of mind that took over your thinking.

What questions did you seek answers to, in your journey to satisfy your own curiosity?

You are exactly the kind of person the state or private entity is watching and measuring.

Cookies and metadata are their tools:


 

Metadata means "data about data". Although the "meta" prefix means "after" or "beyond", it is used to mean "about" in epistemology. Metadata is defined as the data providing information about one or more aspects of the data; it is used to summarize basic information about data that can make tracking and working with specific data easier.

So what?

The person on this web page or in this rental vehicle, or this retail store has this “name associated” with the user name or mobile device they have carried within 5 feet of the digital sensor:  John Doe’s iPhone 11.

Whether he is on the browser visiting the web page or has the small radio frequency (RF) device in his pocket, it is being measured.  It is being correlated.  It is being shared.

You see, John/Jane Q. Public for the most part does not care. He does not think about it. She is unaware of the implications of the IP, location or metadata they are sharing in their own home, in public locations, or the workplace.

With whom?  The answer to this question depends…

02 May 2021

SCRM: ICT Supply Chain Risk Management...

What is your private sector enterprise doing today to improve your ICT Supply Chain Risk Management (SCRM)?  Cyber-espionage campaigns have been operating for years across the ICT domains and are exposed every year in the trade press to John Q. Citizen, soon after "Black Hat" and "Defcon".  Once again, the origins of these sophisticated and viable adversaries are located inside nation states.

The beltway has been talking about the need for more effective legislation to modify behavior on the Supply Chains of Critical Infrastructure.  For many who remain committed to the silent war and the warriors who are fighting it each day on a 24 x 7 basis, they know the operational risks associated with this modern day battlefield.

Do you know where your information is today?  No, not your "Personal Identifiable Information" (PII), but the crown jewels of your latest Research and Development project.  Or the details on the "Merger and Acquisition" (M&A) activity associated with your cash cow law firm client.  Guess again, because you may not be the only one who now has copies of these trade secrets or confidential and proprietary information.
 
The Information Communications Technology (ICT) supply chain is at risk and the days are numbered until our final realization, even after SolarWinds, that this issue is far past the policy makers' control. Is this an operational risk that we have done all we can do, to mitigate the impact on our U.S. national security? Everyone should know the answer to this question.

The complexity and the complacency of the problem continue to plague those who are working so diligently to fend off the daily attacks or counterfeit micro-components. The strategy is now morphing as we speak, from defense to offense, and the stage is being set for our next generation's reality of global cyber conflicts and ICT due diligence. Richard Clarke and others are beyond the ability to say much more than they already have so far.

So where are the solutions?  Where are the answers?  They can be found very much in the same way organizations, companies and nation states realized what was necessary to deter, detect, defend and document operational risks to their institutions for the past several decades.  The science has changed rapidly but the foundational solutions remain much the same using these six factors:
  • Identify
  • Assess
  • Decide
  • Implement
  • Audit
  • Supervise
These six factors of your respective "Operational Risk Management Enterprise Architecture" are the framework for these solutions. The ability for these to continuously operate within your enterprise will determine how effective you are in surviving what others have predicted for over a decade...

05 December 2020

Asymmetric Warfare: Computer Jihad...

A person does not have to spend years analyzing and witnessing the phenomenon of the Internet to understand why the pornography industry has flourished.
 
Like other social and religious facets of our global culture, connected by hyper links, web sites and chat rooms, human beings are able to quickly and efficiently discover what they are looking for. Good and bad.
 
If the Internet is just a mirror of society itself, then of course it will have both the positive and humanitarian aspects along with the negative, criminal and evil elements.

Learning new skills and spreading new ideas via the Internet is nothing new. However, one could predict that the acceleration of threats to our youth, families and nation states has been influenced by the proliferation of Apples, Dells, and Androids across the globe.

Whether it's in the kitchen, the library, university dorm room or the corner cyber cafe, the ubiquitous ICT 5G access now available has increased our operational risks at home, at work and to our economic well-being.

When subjects such as this are discussed at length in the Board Room, NOC or War Room the arguments always come back to the same thing. How many people have been killed as a result of cyber-warfare?
 
Justification of spending dollars and allocating resources is in many cases a factor of the risk management exercise, likelihood vs. impact.
 
After all, the Internet seems to be self-healing and resilient to any long term outage. But those who are well versed in 4th Generation Warfare (4GW) sitting around the table know, that computerized jihad is a tactic of a far more encompassing strategy:

"Reflecting Sun Tzu’s philosophy, many recent Chinese writings have focused on asymmetric warfare as a means of defeating a militarily superior enemy. Asymmetric warfare uses political, economic, informational and military power. Military power is the least emphasized."

The silent war being waged each second of each minute of every hour every day, over every week and month of the year is taking place on a vast digital battlefield. Who will be the victor?

01 February 2020

Travel Risk: Adaptive Survival Instruction...

Travel risk to corporate executives is on the rise. Even if you are not an executive who can afford the services of personal body guards and armored cars, there are some prudent ways to mitigate the risk of traveling to the global hot spots.

The Mission

Travel safety is becoming more of a mainstream issue with savvy Operational Risk Management (ORM) leaders. The fact is, most of these so-called travel safety courses are being taught from only one side of the equation.

"In a world of global commerce, CSOs are often tasked with building their company's corporate travel safety programs. The job calls for a proactive approach to educate employees about precautions they can take to stay safe, whether they're the CEOs of multibillion-dollar conglomerates who fly on company jets that land on secured tarmacs or rank-and-file staff riding in commercial airline coach."

The Take-Away

Business has to be done in some of the most dangerous places on the planet, even when it comes to being exposed to kidnapping, terrorism and corrupt governments. Our advice is to make sure your instructor transfers skills to people on "how" to detect, deter and defend against the attackers. Not just the "What to do".

The "how" is not easy to teach unless you have been there and experienced it. One of the reasons why most CEOs are "Age Experienced" is that it takes time to acquire enough valid leadership lessons.

It does not happen in a week or a month or even a few years. Learning the skills to survive in strange cities, cultures and countries requires instruction by age experienced and "Quiet Professionals". Much of this instruction is about training people to be "Adaptive."

Personnel threat management is a prudent risk mitigation solution. This combination is one key strategy to reduce the operational risks associated with key personnel in your organization.

Individuals whose occupations place them at risk may include people with access to valuable proprietary information or holders of high level security clearances, the wealthy and those responsible for their safety.

Comprehensive "Adaptive Survival Instruction" for international business executives, is a primary mission for OPS Risk leadership, because it saves lives.

29 June 2019

The One Percent Doctrine: Prepared When Things Go Wrong...

"There is no avoiding the realities of the information age.  Its effects manifest differently in different sectors, but the drivers of speed and interdependence will impact us all.  Organizations that continue to use 20th-century tools in today's complex environment do so at their own peril."  --Stanley A. McChrystal

In David Suskind's book The One Percent Doctrine we are reminded that planners need to continue to focus on the 1%. The "One Percent" doctrine holds that threats with even a 1% likelihood are to be treated as certainties. How proactive are you and your organization?

Do you think you're spending too much time with your team planning and training? You haven't.

Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong.

The organizations whose team has proactively planned for every possible scenario and trained together in live simulations, will become the most successfully resilient to uncertain change.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like, let alone know what to do next to mitigate the risk to them and the organization?

Even if Mr. Suskind's book is somewhat critical of the US Government, looking in our own corporate mirror of preparedness, should be enough to get most executives rethinking their resource allocations for the current and future budget for planning, rehearsing and exercising for uncertain events:

Analysts at two security firms, Crowdstrike and Dragos, tell WIRED that they've seen a new campaign of targeted phishing emails sent to a variety of US targets last week from a hacker group known by the names APT33, Magnallium, or Refined Kitten and widely believed to be working in the service of the Iranian government. Dragos named the Department of Energy and US national labs as some of the half-dozen targeted organizations. A third security firm, FireEye, independently confirmed that it's seen a broad Iranian phishing campaign targeting both government agencies and private sector companies in the US and Europe, without naming APT33 specifically. None of the companies had any knowledge of successful intrusions.

17 February 2019

Powerbase: Information Operations in the Workplace...

How robust are your organization's "Information Operations" (IO) capabilities? The degree to which the threat to your institution escalates in a war of words is going to be in direct proportion to your ability to monitor and counter the "Powerbase" within your Information-centric community.

Operational Risk within the institution, the city or the country is a factor of the likelihood of a particular threat and the ability to deter, detect, defend and document the threat.

However, the overt abilities to censor, block or suppress your particular community from communicating freely will be difficult if not impossible. Or will it?

Nation states have for years been subjected to the technology innovation of proxy servers and other methods for obtaining blocked Internet content.

The human element of the insatiable pursuit of information will continuously provide for the innovation to obtain that information that has been withheld from the community.

Whether that community is a corporation or a country, the employees or the citizens will find a way to gain the access and obtain the information they seek.

The ability to utilize ubiquitous devices such as camera enabled wireless smart phones has changed the landscape for "Information Operations" within your company and your local community.

Operational Risk professionals are keenly aware of the requirements to monitor and detect the use of rogue communications devices in the workplace, including unauthorized broadband hot spots (simple and effective).

Yet the state of business and politics precludes these individuals from truly understanding what their real role should be in this fight for zeros and ones. The fight is not about learning who has unauthorized access, it is about understanding human behavior and the "Powerbases" within a particular community.

Even the use of more sophisticated wireless mesh networks has been pervasive for years within the context of the USIC and where U.S. defense forces need to operate in areas with little or no telecommunications infrastructure.

The question begs then, to what degree are these same kinds of capabilities being utilized within the context of industrial espionage and foreign intelligence services within the skyscrapers of downtown Washington, DC, Chicago, New York or Los Angeles?

"Having a better understanding of the powerbase of each actor, the number and types of dimensions of that power, which elements of the powerbase are inherent or inferred, and whether it is growing or shrinking through cooperation or conflict, are all essential elements of information in stability operations and prerequisites for effective influence operations. Understanding Local Actor Bases of Power" - Col. Patrick D. Allen, USA (Ret.)

So how easy or difficult would it be to set up a relatively effective mesh network? Look to one of the leaders in the technology itself for guidance.

If the City of Houston or the country of Singapore can utilize these capabilities to create their own information networks for voice, video and data applications, then so too could any private enterprise with the right funding and the people to operate these systems.

Your organization's "Information Operations" capabilities go far beyond the IT department and their ability to sweep for rogue "Wi-Fi Hotspots" in the workplace. It could mean the difference between the safety and security of your municipality or the entire academic R&D campus.

In either case, the Powerbase of information will still have to be analyzed and understood. Without this Powerbase insight your organizational "Operational Risks" will remain unknown and your ability to mitigate these risks unknowable.

12 January 2019

4th Generation Warfare: Insider Risk...

Flashback to 2010.  Over 8 years ago, this author discussed the situational awareness and the implications of the "Stuxnet" malware that was being investigated by international authorities. In January 2011, the New York Times published a more detailed set of facts and a hypothesis that the sophisticated "worm code" was tested in Israel:

William J. Broad, John Markoff and David E. Sanger.
The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

4th Generation Warfare (4GW) and the implications for global critical infrastructure organizations are obvious. The Operational Risks associated with targeted infiltration of systems that control machines, manufacturing processes and software that manages transportation have now changed the baseline for where to begin mitigating this asymmetric threat.

Executives then and to this day, realize the continuous requirement for improved focus on the "Insider Threat" to their systems operations. Why?
This particular worm was initially delivered by a USB Thumb Drive according to various reports. This means that someone would have to have been inside the facility targeted for the attack, to actually introduce the malware to the actual system controller. A person within the perimeter of the organization with this single device, could set the chain reaction in motion.

Whether you are a major manufacturer or an electric utility doesn't matter. The person you trust to access systems inside the organization, is the basis for mitigating this type of attack. Most important is the scrutiny associated with the extended supply chain of semi-trusted contractors or others known to the organization. 
All of the background checks and other methods for determining someone's character will not be the major deterrent to a worm introduced internally to an Intranet with the use of a USB thumb drive.

So what is the answer to address this threat?
A TSA-style check, scan and pat down at the entrance to every commercial enterprise that has computers inside with open USB ports? This is very unlikely in the near term for most facilities.

What about disablement of the technology itself, that turns off the ports themselves on each system inside the organization perimeter? This solution is more likely to deter many opportunities for this type of USB style attack to occur, yet still doesn't remove all of the risks against another possible vector to the network through a CD drive as an example.
Regardless of the method or the controls you employ to mitigate this risk, it will not eliminate the entire threat from your organization. Even the use of a "Digital Sandbox", Endpoint security measures or other methods to disable ports on systems will not entirely lock down your organization.

There is only the ability to create a more resilient and durable environment to survive a significant business disruption. The mindset shift to durability and the latency to recover now becomes the new strategy for these kinds of risks.
Using a strategy for "Business Resilience" is one that requires significant resources, a Global Security Operations Center (GSOC) and a committed management team. The ability to survive is the first part of the process and how soon you return to full operational capability is the metric. How long does it take to bounce back to normal from a major crisis, in your organization?

The ability to manage emerging risks, anticipate the interactions between different types of risk, and bounce back from disruption or crisis, will be a competitive differentiator for companies and countries alike in the 21st century.

Homeland security is often seen as a protective, even defensive, posture. But Maginot lines are inherently flawed. Fences and firewalls can always be breached. Rather, the national focus should be on risk management and resilience, not security and protection.
Resilience—the capability to anticipate risk, limit impact and bounce back rapidly—is the ultimate objective of both economic security and corporate competitiveness...

11 November 2018

Veterans Day: The Spectrum of Those Who Serve...

On this Sunday in the United States of America, it is Veterans Day November 11. As you look around your neighborhood, how many others are flying the colors of our American Flag?

Veterans Day (originally known as Armistice Day) is an official United States public holiday, observed annually on November 11, that honors military veterans; that is, persons who served in the United States Armed Forces.
As the son of a U.S. Marine, the thought of what our country has endured and how people like him loved all that the Flag stands for, brings tears.  This morning, we are the only house on our street with the "Stars and Stripes" on display flying in the wind.  Why?

It is hard to understand and yet most people on the block have never read "Team of Teams" either.   There are millions in the U.S. Armed Forces who have lived their whole career, experiencing when people working with a sense of mission can be so remarkable.

Yet you don't have to be holding your Form DD-214 to understand, that the American people on your block, in your town or across your state, need a clear mission to come together.  A purposeful mission helps most people get out of bed in the morning.  To go to school.  To show up at work.  Are you a leader of people or a leader of a true Team?

Sure, you can use the sports analogies to get the point across.  The Vince Lombardi stories are famous for getting people to understand team work and winning the game.  Yet ask any Veteran, and they will probably say that a game that lasts years, is so much different.  Lombardi coached at West Point at one point in his career, and this had a lasting impact on him.

The new rules of engagement for a complex world, is the name of the game today.  The rapidly advancing tools of conflict are changing from superior geographic positions on the hill with a Combat Controller (CCT), to the stealth of an exploit code software payload.

So what?

Start thinking about the spectrum of digital members of our military who serve our country each day.  Some are behind a keyboard, or working on the front lines of software maintenance to keep the data centers operating at peak efficiency.  Think about all of the professionals in the shadows, who are collecting and analyzing intelligence for us all to better anticipate, prepare and to be more resilient.

The asymmetric conflicts here are going on 24 hours a day, 7 days a week. Right in your own city or business. Everyone has their specialty, and each finds their way into the job they are destined to perform. And they are truly a "Team of Teams"...

Thank you for all that you have done for our country.  Thank you for what you are doing today for us here and in the rest of the world...

09 September 2018

9/11: Seventeen Years of Resilience...

Flying over the rolling mountains of Virginia, on the final approach to IAD for the 17th year ceremonies since September 11, 2001, there are so many thoughts and memories of that tragic day in U.S. history.

Being in the Washington, DC area on that morning, is forever etched in visions of chaos, uncertainty and fear. Yet remembering each 9/11 anniversary, is important on several fronts.

The process of analyzing that day and all that we have learned since then, assists us with the healing and the ability to become more resilient. It answers the question of "Why," for some of the reasons we continuously send our military training assistance to foreign nations.

Watching footage of the Twin Towers, Shanksville, PA or the Pentagon with rising smoke that morning, brings tears so easily, just as the memory of any trauma in your life will do. A smell, a picture, a sound. It makes you remember a point in your life, that brought tremendous emotions.

Are you as a person more resilient some 17 years later? Is your family? What about your business? What have you done to be even more ready, able and substantially more resilient since 9/11/2001?

So what?

If you are government DoD, IC, DHS or a First Responder, you are training all the time. It is almost a constant state of readiness, preparedness and Operational Risk Management (ORM). You are anticipating the next incident, the next attack or the next emergency. You understand. Thank you!

When was the last time you were certified in advanced first aid, how to use a tourniquet or a defibrillator? How have you been training to notify your employees of a major incident and what plan to execute? Do you even know about your local CERT and how it can save lives?

Whether on the home front, in a strange city or country, or back at your place of work, the focus on increasing resilience never ends.

Never Forget.  Be more Resilient...

06 May 2018

IO Convergence: Cyber Warfare Unified Taxonomy...

Information Operations (IO) is an Operational Risk Management priority in both the public and private sector these days. Is it lawful for a U.S. company and U.S. citizens to train and perform cyber warfare activities on behalf of a foreign country?

Flashback to 2012, The Washington Post reports:

By Ellen Nakashima, Published: November 22
"In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center. He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.

Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state.

That was when J. Michael McConnell, then a Senior Vice-President at Booz Allen and former Director of National Intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.

“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it.”"
A common taxonomy was developed years ago for the cyber terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say Information Operations policy as it pertains to the digital world.

As an example, in the context of the digital attacker we have the Sandia Labs Taxonomy:
  • Hacker
  • Spies
  • Terrorists
  • Corporate Raiders
  • Professional Criminals
  • Vandals
  • Voyeurs
Each is unique and has its own domain or category. We are sure that the same could be used for the context of attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the offline domains may not be synonymous with the online domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:
  • Attackers
  • Tool
  • Vulnerability
  • Action
  • Target
  • Unauthorized Results
  • Objectives
Without combining the context under each category, we lose the impact of what we are trying to make contextual with regard to an "Incident". We need to make sure that the anti-terrorism taxonomies of the offline and online domains can be utilized together to describe the attributes of an "Incident". We need to break down the sub-categories as well. For instance, in the Sandia Labs Taxonomy for the Objectives category we have:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
When we move to the offline domain and are doing risk mitigation and preparedness exercises for anti-terrorism, we utilize another set of words to describe and evaluate infrastructure threats and hazards. Here are five factors:
  • Existence addresses the question of who is hostile to the assets of concern?
  • Capability addresses the question of what weapons have been used in carrying out past attacks?
  • History addresses the question of what has the potential threat element (aggressor) done in the past and how many times?
  • Intention addresses the question of what does the potential threat element hope to achieve?
  • Targeting addresses the question of do we know if an aggressor is performing surveillance on our assets?
Two years later, the Washington Post reports:

By Ellen Nakashima, Published: November 14
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October. The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
We believe that as our cultures, countries, agencies and professionals work together on Information Operations (IO) and online counter-terrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for our clear and accurate risk management methodologies and incident management systems, being developed by relevant organizations in mutual collaboration.

Once we have accomplished this fundamental understanding, then true Critical Infrastructure Protection (CIP) cooperation and coordination will occur.

20 January 2018

Homeland Security: The Risk of Fusion Man...

Modern-day Operational Risk Management requires a multi-skilled and versatile individual. Someone who understands the difference between "Information Warfare" and "Cyberterrorism." And if you were born after 1980 and are part of Generation Y, then you might even have more insight on how Sam Fisher has managed his way through unimaginable risks throughout his career as a Splinter Cell operative.

You understand why Homeland Security is ever more focused on HUMINT and why our national security is ever so vulnerable to an increasing reliance on the Internet Protocol (IP).

Information warfare is an attack against computers, networks, or information systems to coerce or intimidate a government and its people. These attacks result in violence against people or property and generate fear.

Attacks that disrupt nonessential services or create a costly nuisance are not considered information warfare. Cyberterrorism results in severe effects such as death, bodily injury, explosions, plane crashes, water contamination, severe economic loss, and so on.

Information warfare is easily and most effectively waged against civilians. Because of its size and reliance on technology, no nation is as vulnerable to information warfare as the United States. Information warfare can be waged anonymously, or with all the publicity in the world.

If you were born before 1960 and you fall into the "Baby Boomer" category, you had better spend some time with your "Generation Y" kids or nieces or nephews, if you want to better understand what is now coming over the threat horizon. There are Global Hawks and Predators seeking out their targets with skilled aviators located thousands of miles away.

These tools and systems of warfare are easily turned in our own direction, and now Homeland Security finds its nexus with some new Operational Risk challenges. Accomplished authors such as P.W. Singer write about "What happens when science fiction becomes battlefield reality?"

"If issues like these sound like science fiction, that’s because many of the new technologies were actually inspired by some of the great scifi of our time -- from Terminator and Star Trek to the works of Asimov and Heinlein. In fact, Singer reveals how the people who develop new technologies consciously draw on such sci-fiction when pitching them to the Pentagon, and he even introduces the sci-fi authors who quietly consult for the military.

But, whatever its origins, our new machines will profoundly alter warfare, from the frontlines to the home front. When planes can be flown into battle from an office 10,000 miles away (or even fly themselves, like the newest models), the experiences of war and the very profile of a warrior change dramatically. Singer draws from historical precedent and the latest Pentagon research to argue that wars will become easier to start, that the traditional moral and psychological barriers to killing will fall, and that the “warrior ethos” -- the code of honor and loyalty which unites soldiers -- will erode."

Homeland Security professionals and new recruits to the various public and private sector organizations are ever more savvy and vital to managing the risks of the coming decades. Technology and the newest inventions of the human mind are consistently applied for the purpose of good and the well being of our fellow man. We are consistently pushing the outside of the envelope to fly farther and faster, even if it means becoming a "Fusion Man."

"Swiss adventurer Yves Rossy flew from France to Britain Friday propelled by a jetpack strapped to his back -- the first person to cross the English Channel in such a way.

Rossy, a pilot who normally flies an Airbus airliner, crossed the 22 miles between Calais and Dover at speeds of up to 120 mph in 13 minutes, his spokesman said.

When the white cliffs of Dover came into view, he opened a blue and yellow parachute and drifted down in light winds to land in a British field where he was mobbed by well-wishers.

"Everything was perfect," he said afterwards. "I showed that it is possible to fly a little bit like a bird."

Rossy traced the route of French aviator Louis Bleriot, who became the first person to fly across the Channel in an aircraft in 1909.

The Swiss pilot was propelled by four kerosene-burning jet turbines attached to a wing on his back. He ignited the jets inside a plane before jumping out more than 8,000 feet above ground."


We suspect that Mr. Rossy has hired some very competent lawyers to work on his patents and licensing of intellectual property. By now, it all may be classified and Sam Fisher is taking his first test flights.

15 October 2017

OPSEC: Knowledge Ecosystem Risk...

The "Leadership of Security Risk Professionals" is consistently in the news because Operational Risks within the enterprise are becoming ever more exponential.  The ability for specialists in the field or the C-Suite to operate on a 24/7/365 basis is a tremendous challenge.  In order to address a continuous spectrum of operational risks, we must actively monitor our culture and those behaviors that could make us lose sight of what we know is right.

At this moment, the explosion of mobile technologies has created a simultaneous set of new risks and opportunities to be leveraged.  Each human asset in your organization is another node in your digital ecosystem of connected machines.  The person now has the ability to stream live video from their mobile phone camera back to an Emergency Operations Center (EOC) or become an active participant in Irregular Warfare (Security, Development, Governance).  All they require is the correct App on their smart phone and 3G connectivity.  How the leaders in the enterprise that are charged with the risk management functions operate, collaborate and share relevant information, is just as important as what information.

In the private sector, as the leader of the HR functions responsible for hiring and terminations of employees, you are in the nexus of Operational Risk Management (ORM) and legal compliance.  The threats and vulnerabilities you experience and are accountable for mitigating, are going to be quite different than your fellow leader in the Information Technology department.  This is where we want to emphasize a major point:
The leader of HR does not possess the same domain knowledge that the IT leader has, with respect to risks to the confidentiality, integrity and assurance of information stored in a Virtual Machine (VM) at a third-party data center.  Just as the IT leader does not possess the same domain knowledge that the HR leader has, with respect to the employees who have just given their two weeks' notice.  Therefore, since both are accountable and responsible for their specific domain roles to mitigate risks to the security of the enterprise, how do they share information, collaborate and operate simultaneously to ensure the safety and security of the organization?
In order to act with unity of purpose throughout the global enterprise, each of these domains must be able to operate seamlessly, within the context of the larger enterprise ecosystem.  The leaders and stewards of the security risk profession must continue to adapt and continuously improve the decision advantage of the vast knowledge ecosystem before them.  The cultural and behavioral attributes of this ecosystem can be a single point of failure that continues to plague our non-government organizations, our private industry sectors and even our country.

What if your only role and job inside your particular organization was to make sure that information is being shared on operational risks?  How would you accomplish this?  How would you organize the mechanisms in each department for collection and dissemination of relevant information, to the other security risk professionals in the enterprise?  Believe us when we say that the answer is not another digital dashboard or wiki.
On September 30th, 2012, the 2nd season of the hit Showtime Television series "Homeland" aired in the United States.  The writers for this first episode of the season, with Emmy winner Claire Danes, made a reference in the script at one point that brought back horrific memories of a failure of U.S. operational security.
This reference was to a real-world event.  It was December 30th, 2009 at Forward Operating Base Chapman, in Khost, Afghanistan.
This single mention in the script by the "Homeland" writers of this devastating event in history should remind us all once again that people, culture and the soft skills of communication can and will be our most deadly vulnerability.  As a result of this set of cascading circumstances, five more stars are now on a wall in Langley.  This is another stark reminder of how personalities, power base and trust of information can still fool us into a social engineering nightmare.

The future "Leadership of Security Risk Professionals" will use this event at FOB Chapman as a classic case study.  In order to enhance the effectiveness of the field specialists and the C-Suite, they must improve their ability to operate in a continuously dynamic sea of cultural behaviors, within a vast and expanding knowledge ecosystem.

16 July 2017

Cyber Deterrence: Chief Information Warfare Officer (CIWO) is born...

In 2017 there has been a significant amount of news and dialogue on the topic of information security. America is now waking up to the reality that its true vulnerability is critical infrastructure reliance on strategic networks, and that this vulnerability is worth analyzing in depth.

Operational Risk Management (ORM) in critical infrastructure sectors such as Energy, Finance, Transportation, Defense Industrial Base (DIB) and a dozen more, is alive and well. Yet the long view requires a pivot away from the cyber analogies of immune systems and daily hygiene scenarios that simply address cyber theft, denial of service, viruses and ransomware.

The growing priority problem-set is "Cyber Deterrence" and the U.S. is still a long way off from having this strategy in place. The current abilities of several known nation state adversaries to launch and maintain a persistent attack on our critical infrastructure require a new and robust set of initiatives to solve this new reality and immediate cyber problem for national security.

The fusion of Homeland Security with U.S. Department of Defense planning to address "Cyber Deterrence" is necessary and beyond what has been accomplished to date. The attributes focused on "Continuity of Government" (COG) and "Continuity of Operations" (COOP) are paramount to solving the hard problem-set of U.S. Cyber Deterrence. Why?

A wider range of military cyber options are needed beyond diplomatic expulsions and economic sanctions and a clear policy framework must be in place for these deterrence options to be utilized against nation states.

The growing use of cyber offensive weapons requires an increased level of preparedness, offensive war games and planning, including substantial integration with the U.S. private sector critical infrastructure companies. The resilience factors associated with Fortune 500 private sector companies are vital.

First, a substantial portion of the new problem-set, involves the use of offensive cyber weapons and the declaratory engagement policy with adversaries such as Russia, China, Iran and North Korea. This must include the key dialogue on attribution capabilities. Have you ever had a conversation with your information security team on the topic of attribution? If you haven't then now is the time to better understand this set of issues.

Second, the degree to which a private sector company has been under attack by non-state actors will in many cases provide an indicator of their current cyber deterrence capabilities. The question is, how would they respond and how resilient would they be if any new attacks were exponential in proportion to previous adversarial campaigns?

Third, the coordination involves not only DOD and private sector companies but also requires significant integration with the Department of Homeland Security (DHS), State Department and the Intelligence Community (IC).

Non-Kinetic cyber actions utilized by the military are not new. Strategic U.S. ICT (Information, Communications & Technology) capabilities working side-by-side and in concert with the military are now more necessary than ever. Private sector organizations' interaction and engagement with USCYBERCOM to establish working relationships that include COG and COOP level planning also need to accelerate.

So what?
The House has joined the Senate in calling for the Department of Defense to update its cyber strategy and to more clearly define the meaning of cyber deterrence.
The House on July 14 overwhelmingly passed the 2018 National Defense Authorization Act, which included a number of cyber-related amendments, including a provision directing the secretary of defense to "develop a definition of the term 'deterrence' as such term is used in the context of the cyber operations of the Department of Defense; and assess how the definition...affects the overall cyber strategy of the Department."
The Senate's draft of the NDAA establishes a U.S. cyber deterrence and response policy and calls on the administration to develop a clear cyber deterrence strategy.
The Chief Information Warfare Officer (CIWO) has been born...is it a myth?

28 January 2017

The Network: 4th Industrial Revolution Strategy...

There is wisdom in continuously sensing and understanding the environment that people are operating in for their daily work or a specific mission.  The culture of an organization will determine why people are focused on the tasks and work they are performing each day; and that is where Operational Risk Management (ORM) begins.

If you are waking up today and know you may not return home alive, how would that change your thoughts about the tasks and environment ahead of you?  What kind of attitude would you have about your ability to improvise, adapt and navigate over the course of your mission that day, to return safe and secure?

Working alongside individuals each day that are vital to a "Network" that knows the risk of survival is low, changes you.  The Operational Risks that you will likely encounter can make you deviate from the primary goal for the mission.  The outcomes that are primary on the minds of each person on the team are the same, until you have to adjust, pivot and adapt on the fly.

This is where the mindset of "Resilience" is born.  The brain learns what is working, and when it encounters a setback, a shock, or a denial of the goal, it quickly responds to the new environment.  You change your tactics to keep moving forward in pursuit of your planned destination.  Resilience and networks have been symbiotic since Genesis.

So where is your environment located today?  Are you waking up in the Hindu Kush or Palo Alto?  Is it going to be sunny in the Sahel or downtown London?  How will you travel today, by foot or in a vehicle that travels fast enough to require a seat belt?  If it requires a seat belt, you are already applying your OP Risk skills to survive the day.

Now pivot your thoughts back to the asymmetric "Network".  You may not be tasked today to travel in a physical environment.  Your mission is to navigate across the globe to a different place, and the map you will use looks like this.  The network you will operate in today, has hundreds of thousands of adversaries.  Most will not be human, they are nodes and machines that will sense your presence and try to deter your assigned mission.

The resilience of the "Network" is not about just the other people on your team.  It is about the intelligence of your abilities to navigate, adapt and survive the minute, hour or day of your mission.  Whether the resilience is in the physical realm or inside the zeros and ones of a virtual cyberspace, there are some similarities to achieve survival.

Whether you have an OODA Loop or "Board Principles of Resilience" does not matter as long as you understand the culture and the environment you will be operating in that day.  Then use it.  Operational Risk Management works when you apply the right tools, tactics and procedures to the time, place and circumstances.  Consider these principles from Future of Digital Economy and Society System Initiative  | World Economic Forum:
  • Responsibility for Resilience
  • Command of the Subject
  • Accountable Officer
  • Integration of Resilience
  • Risk Appetite
  • Risk Assessment & Reporting
  • Resilience Plans
  • Community
  • Review
  • Effectiveness
The "Network," is the new playing field.  The new market.  The new adversary.  The new strategic thinking necessary, to make it through the day safely and securely.  To come home to your loved ones.  Use Operational Risk Management (ORM), in order to thrive and survive:
Against the background of these developments, this year’s Global Risks Report explores five gravity centres that will shape global risks. First, continued slow growth combined with high debt and demographic change creates an environment that favours financial crises and growing inequality. At the same time, pervasive corruption, short-termism and unequal distribution of the benefits of growth suggest that the capitalist economic model may not be delivering for people. The transition towards a more multipolar world order is putting global cooperation under strain. At the same time, the Fourth Industrial Revolution is fundamentally transforming societies, economies, and ways of doing business. Last but not least, as people seek to reassert identities that have been blurred by globalization, decision-making is increasingly influenced by emotions. World Economic Forum - Global Risks Report 2017

08 January 2017

Symbiosis: Information Advantage in a Virtual Battlespace...

Symbiosis with machines to gain information advantage is a challenging problem-set.  The magnitude of Operational Risks will now soar, as we pivot towards machines that are performing more as autonomous colleagues.  Pre-programmed instructions have been the standard for our software-based systems, until now.

The integration challenges ahead on the leading edge of "Information Advantage" produce a spectrum of new-born problems to solve.  User interfaces that are driven by speech or by a new Virtual Reality (VR) capability are just the dawn of a new era.  DARPA (BAA-16-51) is already headed in this direction:
The symbiosis portfolio develops technologies to enable machines to understand speech and extract information contained in diverse media, to learn, to reason and apply knowledge gained through experience, and to respond intelligently to new and unforeseen events. Application areas in which machines will prove invaluable as partners include: cyberspace operations, where highly-scripted, distributed cyber attacks have a speed, complexity, and scale that overwhelms human cyber defenders; intelligence analysis, to which machines can bring super-human objectivity; and command and control, where workloads, timelines and stress can exhaust human operators.
"Technological surprise" is a complex area of research.  The problems to be solved are tremendous.  Information advantage in virtual environments has been developing for years.  15 plus years before the U.S. Department of Defense utilized the concept of a public "Bug Bounty" style program for vulnerability discovery on public-facing systems, Bug Bounties were used by the private sector.

Automated Testing tools and the ability to run software scripts that can simulate a human behind the keyboard, were invented more than a decade ago.  It is time for the next generation of information advantage to be addressed; combined with a strategic and policy focused initiative.

Why?

Principal Investigators understand the stakes within the cyber domains.  The myriad of adversaries have advanced far beyond current capabilities and are even utilizing our own infrastructure against us.  Their abilities to adapt and change direction, cloak their presence and attack from new locations is finally being understood in the Board Room.

Yet what is the business problem that is being addressed?  Who are going to be the primary beneficiaries of any new invention or solution?  More importantly, why will they continue to use it?

In between commercial-off-the-shelf (COTS) and military unique systems is the zone we shall be navigating to in the next few years.  Military adapted commercial technology is the place for tremendous opportunity and new innovation.

How will we get there?

Since there is no viable rapid acquisition structure in place, it means that new leadership and resources will be required to deploy these solutions.  The entrants to this area will prosper, if they are able to mobilize strategically and with speed.

Information advantage is a lofty goal and worth the ambition to achieve it soon.  The speed to attain even a slight edge over the adversary is a whole different strategy when you are talking about information operations.  Different than traditional air or sea domains, the speed and ability to scale, deploy and execute with COTS is exponential.

How long did it take start to finish, for physical solutions such as "PackBot", "TALON", "Sand Flea", "BigDog", "Cheetah", "Perdix", "RiSE", "BEAR" and "WASP" to make it onto the operational arena?  The ARGUS-IS camera on a "Global Hawk" UAS generates 1 million terabytes of data daily with a "persistent stare", to track all ground movements in a medium size city from 60,000 ft.  How long did the procurement take to get this capability into the physical domain?

The speed in the current information warfare domain is exponential using COTS and IoT.  Using existing Virtual Machines on AWS-like infrastructure, combined with IP-addressable CCTV cameras to launch a DDoS on a DNS provider in minutes or hours is just one example. The "Mirai botnet" is just another tool (weapon) in the information advantage virtual battlespace.

So what?

Symbiosis with machines to gain information advantage, is a challenging problem-set.  Think about the time it takes to design, procure and deploy a robot solution on the physical field of play.  Now think about the same, in the almost limitless virtual domains across the globe.  The challenges ahead are formidable and the really hard problems to be solved, remain endless...

03 July 2016

4th of July: Flying the Stars & Stripes of Freedom...

The United States of America celebrates 240 years tomorrow.  The Stars and Stripes of our flag will be flying high.  How far we have come and yet we still envision that we have so far to go.

Celebrating the 4th of July in the United States means different things to different people.  It all depends on your tenure here and how you have contributed to defending the freedoms we all share. And for those who have made the trip to our borders or overseas to defend our country, we give special thanks.

Nine years ago we saluted Spencer S. on Memorial Day, as he prepared to make his way to being deployed to Iraq.  An Airborne Medic and now home safe in Chicago, we are thinking about him and all those other families who have sent their sons and daughters, husbands and wives, brothers and sisters, or fathers and mothers into harm's way to defend our freedom.  We are humbled by your courage and thank you for your selfless contributions to keep us more safe and secure back home.

The Patriots of the U.S. are vast and found everywhere, serving the country in uniform by military or law enforcement, in suits and ties or dresses among the halls of government agencies found in small towns and famous suburbs like Langley.  These millions of shadow patriots and citizen soldiers are working to defend the truth of the Declaration of Independence and our Constitution each day.

At the same time, they are all Operational Risk Managers, mitigating the daily risks to life, property and our vital economic assets.  Mike Stanley of the American Legion captures the essence of the early days of our country:
The United States of America began as thirteen different English colonies established along the eastern seaboard during the 17th and early 18th centuries. Gradually many of the colonists began to think of themselves more as Americans and less as Englishmen, a feeling that was spurred on by the decision of the British Parliament in the 1760s to tax the colonies for the expenses associated with keeping them in the British Empire. Since the colonists had no elected representatives in the British Parliament, they felt that these new taxes were “taxation without representation” and therefore, illegal.
From this point, the situation escalated quickly as Patriot groups formed to discuss the possibilities, and by the early 1770s, the Patriots had their own Provincial Congresses in each of the thirteen colonies, effectively replacing the representatives of the British government. In 1775, the Second Continental Congress was established, the Continental Army was organized, and fighting broke out when the British responded by sending combat troops to the colonies.
Finally, on July 4, 1776, the Declaration of Independence was signed, establishing the United States of America. The fierce determination of the Patriots to prevail, plus the important military and political support of the French, the Spanish and the Dutch, insured an American victory, and in 1783, the signing of the Treaty of Paris ended the American War of Independence and guaranteed the sovereignty of the United States of America.
Conflicts in the 21st century will be fought for many of the same reasons, and with a revolution of robots.  In P.W. Singer's book, "Wired for War" he prepares us for the next 100 years:
What happens when science fiction becomes battlefield reality?
An amazing revolution is taking place on the battlefield, starting to change not just how wars are fought, but also the politics, economics, laws, and ethics that surround war itself. This upheaval is already afoot -- remote-controlled drones take out terrorists in Afghanistan, while the number of unmanned systems on the ground in Iraq has gone from zero to 12,000 over the last five years. But it is only the start. Military officers quietly acknowledge that new prototypes will soon make human fighter pilots obsolete, while the Pentagon researches tiny robots the size of flies to carry out reconnaissance work now handled by elite Special Forces troops.
Wired for War takes the reader on a journey to meet all the various players in this strange new world of war: odd-ball roboticists working in latter-day “skunk works” in the midst of suburbia; military pilots flying combat missions from their office cubicles outside Las Vegas; the Iraqi insurgents who are their targets; journalists trying to figure out just how to cover robots at war; and human rights activists wrestling with what is right and wrong in a world where our wars are increasingly being handed over to machines.
Maybe someday, Spencer will be able to stay hundreds or thousands of miles out of harm's way to defend our country's freedoms, because they won't need medics on the battlefield anymore.
...and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor. 

18 June 2016

4GW: Strategic Risk Vs. Tactical Insurgencies...

Fourth Generation Warfare (4GW) is upon us in the E-Ring, The West Wing and the PGP Keyring. Information Assets and the knowledge that is the key to wealth is not a physical debate any longer. Thomas X. Hammes articulates this in his book, The Sling and The Stone:
Fourth-generation warfare (4GW) uses all available networks -- political, economic, social, and military -- to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit. It is an evolved form of insurgency. Still rooted in the fundamental precept that superior political will, when properly employed, can defeat greater economic and military power, 4GW makes use of society's networks to carry on its fight. Unlike previous generations of warfare, it does not attempt to win by defeating the enemy's military forces. Instead, via the networks, it directly attacks the minds of enemy decision makers to destroy the enemy's political will. Fourth-generation wars are lengthy -- measured in decades rather than months or years.
The Mission
The global business landscape has known for all too long the power of marketing. Knowledge is not a fixed asset in a fixed physical location. Intellectual property, patent applications and new formulas can be reduced to zeros and ones and sent to anyone in the world almost instantaneously. Encrypted data flows through the veins of the Internet and has changed the playing field for governments and for your organization.

While nation states and growing adversaries wage their respective political and economic battles, the private sector and the Fortune 500 are in another and parallel conflict to keep their Intellectual Property and Information-Based Assets safe and secure from a growing threat spectrum.

Modern digital insurgents and other 4GW opponents are part of a virtual network that has no specific location found in longitude, latitude or geocode. The money center bank or transnational pharmaceutical company is all too familiar with the hijacking of trade secrets or personal identities, held for ransom or sold to the highest bidder.

The Take Away
Yet this is not about technology and it is even more apparent that it is not about the Internet. It is about how people are able to operate in a wide variety of countries, cultures and operating environments. These human networks are the most powerful forces to governments and to marketers.

Whether it's a brand being endorsed by a superstar rocker like Paul McCartney or a book being recommended by Oprah Winfrey, this 4GW strategy is exactly what this sharing of human knowledge and intelligence is all about. And let's not forget the power of Al Jazeera and The New York Times.

The risk of operating your enterprise across the planet requires a "4GW" mentality and toolkit to help ensure your success. What is your organization doing to retool and retrofit your work force to compete on an operational level with more educated people and superior human capital?

11 June 2016

Breakpoint and Beyond: The Naivety of Change...

The discontinuity of our society, our governments, our weather and the digital innovations of this modern generation creates simultaneous paths of challenge.  One of crisis and another of opportunity.

Yet without a thorough analysis and comprehension of the discontinuous change before us, how can you manage the Operational Risks that occur, at any point in time?  What path will you choose...
World English Dictionary
discontinuity

— n , pl -ties
1. lack of rational connection or cohesion
2. a break or interruption
3. maths
a. the property of being discontinuous
b. the point or the value of the variable at which a curve or function becomes discontinuous
4. geology
a. See also Mohorovičić discontinuity a zone within the earth where a sudden change in physical properties, such as the velocity of earthquake waves, occurs. Such a zone marks the boundary between the different layers of the earth, as between the core and mantle
b. a surface separating rocks that are not continuous with each other

"Discontinuity of Change" is a subject well understood by the average person walking the streets of Anacostia near the U.S. Navy Yard in Washington, DC, San Bernardino, CA or Orlando, FL.

Perhaps those walking down Saeb Salaam in the heart of Beirut, Lebanon as refugees can also comprehend, as they become vulnerable to arrest, detention and deportation. Learning about change itself and the underlying systemic nature of the phases of change can provide people in the middle of crisis or opportunity with newfound context.

In 1992, this blogger had the fortune to spend a significant amount of time with the authors of Breakpoint and Beyond: Mastering the Future Today. Dr. George Land and Dr. Beth Jarman wrote an extraordinary book and created an organization to teach what was inside its covers, to help us all make better sense of change and to discover our own ability for innovation and creativity:
In our over four decades of research and work across many cultures, we have found that practically all humans have a vast capacity for imaginative, creative thinking. Although this ability has been dampened by social forces, it can be reawakened. We have also found that people have the capacity to put judgments and fears aside and work truly creatively and collaboratively in diverse and even divisive groups.
The path of crisis or opportunity is not a choice in what direction, it is a better understanding of change itself.  The systemic nature of the three phases of change and the ability to know where you are in the growth curve of the system, is the core.  Yet to innovate and to leap beyond a breakpoint to master the future, requires finding your own creativity once again.

The creativity that we are all born with begins to dissolve at an early age. Once we reach our teens and early adulthood, our cultural systems have stripped innovation from our potential known capabilities as a child. As we grow older, our aspirations to be creative are subjected to influence by our parents, friends, teachers or by the 1 or 2% in our particular ecosystem. Is "Out-of-the-Box" thinking a good thing where you live or work? Does your environment encourage divergence or convergence?

You see, the "Discontinuity" in society creates breakpoints. The "Arab Spring" and the forming digital systems social revolution before us create new crises and simultaneous opportunities. Both are challenges for people, business, governments and global economies to analyze and rationalize.

Will you innovate?

If you are a policy maker in your organization, what are you doing to innovate?  Do you have new solutions for the changing operational risks encountered, as your employees travel the globe and make decisions for the enterprise? If you are the main policy bodies within your government, what have you done lately to find new creativity to address the potential opportunity before you?

In either case, the speed of change and the ability to rapidly innovate, will certainly decide your future.  Did you make it beyond the bifurcation and breakpoint?  Here is a great scientific example:
The miniaturization of electronic devices has been the principal driving force behind the semiconductor industry, and has brought about major improvements in computational power and energy efficiency. Although advances with silicon-based electronics continue to be made, alternative technologies are being explored. Digital circuits based on transistors fabricated from carbon nanotubes (CNTs) have the potential to outperform silicon by improving the energy–delay product, a metric of energy efficiency, by more than an order of magnitude. Hence, CNTs are an exciting complement to existing semiconductor technologies12.
Mastering the future today, is about better understanding the discontinuity of change around you. Managing "Operational Risk" is simple.  Continuously grow or die.