Showing posts with label Legal Risk. Show all posts

26 July 2025

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, 3rd party suppliers and other contractors for at least the near term.


Whenever the defense's legal eagles and the "Usual Suspects" argue against corporate liability, is the intent getting cloudier, or is it crystal clear?


Even if your Corporate Compliance Programs are in full force and the financial integrity unit is robust in its efforts, the "Operational Risk" of litigation still exists.


Regardless of the amount of awareness building, education and corporate window dressing, you can't ultimately control human behavior. 


More compliance enforcement and regulatory pressure may seem to be the answer. Voluntary efforts to shore up security and soundness, and to close off the opportunity for malfeasance in the workplace, may not be working effectively.


And still the liabilities exist, as plaintiffs and government adversaries seek compensation. So what is the answer?


The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex.


One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.


Many liability issues begin with an employee who made a bad decision.


QFD in its simplest form is a tool to promote communications. Among peers and connected teams within the organization it provides the methodology to catch errors, omissions and emotional bias early in the process.


As an example, let's take the Request for Proposal (RFP).


Many companies depend heavily on winning business by responding to RFPs. A deal maker's perception of how important an RFP is determines the effort that goes into the response.


Many times, this perception is shaped by an incentive plan. The human decision to accept or decline the effort on an RFP, and what it takes to push it through the organization for executive sign-offs, is not always compatible with the strategic and quality measures of the enterprise.


Over time this forms an unimaginable amount of moral decay within a company. It leads to bad behavior and unethical decisions, because the business environment has rewarded them for far too long. So who is to blame here: the employee, or the culture and company that condoned and encouraged the behavior that ultimately damaged someone or something?


Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions.


More importantly, QFD programs such as this, which directly reduce the likelihood of bad employee behavior and criminal incidents, can reduce the need for invasive compliance programs that most everyone wants to ignore.

15 February 2025

Infinistructure: Who Knew What When...

Who knew what when? This is the question of the last few months as we now embark on the path towards recovery.

The Operational Risks that have plagued our aging county, state and federal institutions are growing and the convergence factor has brought us even bigger systemic organizations "Too Big To Fail."

While many will be sidetracked by the need to deal with the toxic assets still on the books or in sinking agencies, the "Zeros and Ones" don't lie.

The information, digital evidence and just pure data audit trails will remain for many to be caught, charged, indicted and then sent before a jury to decide their fate.

Managing risks in the enterprise today takes on many flavors and within several departmental or enterprise domains of expertise.

Whether it be the C-Suite, legal department, the IT department, Internal Audit, Security department or even the Operational Risk Management Committee, the "Zeros and Ones" don't lie.

Think about how much time the people behind organizational malfeasance spend trying to cover their tracks and clean up the digital "Blood Trail" of their crimes and wrongdoing, all the while knowing that someday a smart investigator or forensic examiner will connect the dots. Game over.

Whether it is two paid-off programmers who have been coding the boss's "Business Rules" into their software, or a lone internal threat actor, does not matter.

Whether they are copying, stealing, altering or damaging the digital information within the organization does not matter; these Operational Risks still remain constant.

The resources and the money devoted to continuous due diligence, monitoring and preemptive strategy to Deter, Detect and Defend the digital assets of the enterprise need to grow dramatically to stay ahead of the curve.

The best way to figure out “What to do” and “How to do it” will require outside assistance. Moving your digital assets to be professionally managed makes sense for economic and other financially prudent reasons.

Yet this migration away from large numbers of people managing and maintaining your information technology infrastructure internally and on your payroll is just the standard "outsourcing" strategy right?

It carries its own set of third-party supply chain risks. After your next incident, who will be asking: Who knew what when?

Many private sector and government enterprises who are augmenting their COOP and the economic strategy of "Cloud Computing" have realized the smart course of implementing and migrating to managed services and infrastructure suppliers.

How can the utilization of an "Infinistructure", combined with the knowledge and application of a legal compliance ecosystem in your enterprise, mitigate the risks associated with bad actors, unprepared personnel and the digital loss of key evidence?

Stay tuned for more on this later. In the meantime, remember this.

All of the newest technology, fastest AI computers and neural networks enabled with encryption and secured physical locations will not be enough to save your institution from Operational Risks.

It is just one more piece of the total risk management mosaic, that will still require the smartest people and the most robust policy and processes imaginable.

Who knew what when? This will continue to be the biggest question of the next decade.

20 November 2021

Metadata: Guardians on the Front Lines...

Continuous Continuity (C2) in your particular enterprise is a priority you should not focus on only during U.S. Infrastructure Security Month.

Last week here, we reviewed Ten Steps your organization can practice on a regular basis to enhance your focus on Continuous Continuity and simultaneously your overall Operational Risk Management (ORM).

Let’s circle back to a few vital areas to emphasize as we increase our production and consumption of corporate or organizational “Data”.

Of Metadata. “Data that provides information about other data”.

The details on the creation date, time and application generating these words as they were originally written, is just one small example. What about the actual platform and the browser that was used:

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Screen Resolution: 1680 x 1050 (pixels)
Browser Dimensions: 1005 x 853 (pixels)
Cookie Status: Enabled

You understand that the data you can’t see on your screen and the data you may not even care about, is present, and that the metadata is being collected by some entity somewhere.
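To make that point concrete, here is an added example (not code from the original post) that reads the creation date, author and generating application out of a Word document's docProps parts, scrubs them before the file leaves the company, and parses a User-Agent header like the one above into platform and browser fields. The .docx bytes, the property values and the second User-Agent string are constructed for the example; the Firefox User-Agent is the one shown in the post.

```python
"""Added example: read the hidden metadata a Word document and a browser
request carry with them, then scrub the document copy.  The .docx bytes,
property values and the Chrome User-Agent below are constructed for this example."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml and docProps/app.xml in an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample property parts (names, dates and company are made up).
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>legal-reviewer</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2021-11-20T14:02:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2021-11-20T15:47:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>"""

CORE_FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
               "created": "dcterms:created", "modified": "dcterms:modified"}
APP_FIELDS = {"application": "ep:Application", "app_version": "ep:AppVersion",
              "company": "ep:Company"}


def build_sample_docx() -> bytes:
    """Build a minimal .docx-shaped zip carrying the constructed property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", "<document/>")  # body is irrelevant here
    return buf.getvalue()


def extract_docx_metadata(data: bytes) -> dict:
    """Return the who/when/which-application properties stored in the package."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for key, path in fields.items():
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    meta[key] = el.text.strip()
    return meta


def scrub_docx_metadata(data: bytes) -> bytes:
    """Return a copy of the package with every core/app property value blanked."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep readable prefixes on re-serialize
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(payload)
                for el in root.iter():
                    if el.text and el.text.strip():
                        el.text = ""
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, payload)
    return out.getvalue()


UA_RE = re.compile(r"^Mozilla/5\.0 \((?P<platform>[^)]*)\)(?P<rest>.*)$")
OS_HINTS = (("Android", "Android"), ("Macintosh", "macOS"),
            ("Windows", "Windows"), ("Linux", "Linux"))


def parse_user_agent(ua: str) -> dict:
    """Pull platform, OS family, browser and version out of a User-Agent header."""
    m = UA_RE.match(ua)
    if not m:
        return {"raw": ua}  # not a Mozilla-style UA (curl, bots, ...): keep it as-is
    platform = m.group("platform")
    # Every "Name/version" token after the platform block. Chrome-family UAs also
    # carry a Safari/... token, so the more specific names are checked first.
    products = dict(re.findall(r"([A-Za-z]+)/([\w.]+)", m.group("rest")))
    browser = next((n for n in ("Firefox", "Edg", "OPR", "Chrome", "Safari")
                    if n in products), None)
    os_family = next((fam for hint, fam in OS_HINTS if hint in platform), None)
    return {"platform": platform, "os": os_family,
            "browser": browser, "version": products.get(browser)}


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before scrub:", extract_docx_metadata(sample))
    print("after scrub: ", extract_docx_metadata(scrub_docx_metadata(sample)))
    for ua in ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/96.0.4664.45 Safari/537.36"):
        print(parse_user_agent(ua))
```

Run it to see the before and after of the scrub. The scrub is the practitioner's check here: before a document leaves the enterprise, its docProps parts should say nothing you would not want read back to you in a deposition, and the same author/date/application fields are exactly what a forensic examiner will pull from the copy that was not scrubbed.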

The amount and speed of data are now overwhelming the global digital world we live in, in 2021 and beyond. The question remains: So what?

If you are a seasoned General Counsel (GC) today with a Fortune 1000 organization doing business on a global basis, your Blackberry :) must be "buzzing" every few minutes. The legal risk alone will always be a factor of the number of deals, the number of employees and the growing number of countries in which you operate.

As a corporate GC of a global enterprise, you have a fiduciary responsibility to protect the enterprise from all adversaries, such as the rogue employee, the government regulator, competitors, digital hackers, nation states and all of the plaintiff class actions.

The Rule of Law in your organization is in your hands. How you transfer the "Talking Points" on ethics, compliance and legal messages to your employees, partners, suppliers and adversaries is ever more critical.

The true effectiveness of your relationship with internal partners such as your CEO, CFO, CSO, CISO and Internal/External First Responder leadership could mean the survival of the company itself.

When was the last time you as a GC took the “Ethics," “Compliance” and "Rule of Law" program directly to your employees in face-to-face sessions?

How might you provide your employees, partners or 3rd-Party suppliers with the first hand opportunity to meet, greet and engage with the General Counsel of your particular enterprise?

By doing this, you are directly engaging with the people on the front lines, to be our "Guardians" for your company and to build trusted relationships with all of them.
Get out There.

13 March 2021

Intellectual Capital Risk: The Shamrock Organization…

What is the economic value of the Intellectual Capital(IC) in your organization? Where can you find your most valuable IC assets? Are they in the vault? Are they in the database?

Or are they sitting at the MacBook Pro at home or in the office next door? How do you know what assets are the most precious to the continuous continuity of your business?

These questions and more are at the heart of every "Shamrock" organization.

 A Three-Leaf concept originally coined by the author Charles Handy in his classic 1990 book, The Age of Unreason:

The Core
One leaf of the shamrock represents the core. These are the founders and thought leaders of the organization along with the most qualified professionals or technicians. The core is a flat hierarchy compensated purely on the results of the entire entity.

The Contractual Fringe
The second leaf is known as the contractual fringe. This is both individuals and organizations who may have their own shamrocks. These are paid for results, not for time. In fees, not wages. This leaf provides the core with intellectual assets that are essential to the organization yet are independent or even former members of the core.

The Flexible Labor Force
The third leaf of the shamrock is known as the flexible labor force, which the core uses on a just-in-time talent or labor basis. Their specialized skills are tied to the intellectual assets these individuals possess, so that they can be efficient and effective for a set time period. They are treated by the core as a valuable component but realize that they will never have the commitment or the ambition of the core. They get fair pay for their contract labor.

What is Intellectual Capital?

Now, with the 2021 U.S. economy having changed and adapted over decades from a production-oriented economy towards a significantly software-driven, knowledge-oriented economy, your intangible assets are becoming more and more digital. To make better products, to deliver better services or to perform better as a company in general, we need to accelerate the origination and analysis of newfound knowledge and know-how.

From that perspective, we could say that new knowledge originates in our minds and takes some form of data, and that data has now become the key predecessor of any physical labor and financial capital.

To make your company relevant and even more valuable, you will not only need the digital data, computers, and production facilities... you will also need the innovation drivers that make your company evolve beyond your own imagination.

These “Core” innovation drivers are your “People” with their know-how and experience, your designers of internal processes to guide the business flow and also the proactive interaction with your Alliances/Partners and your key customers.

Without these “Innovation Drivers”, your company wouldn't function at all and therefore, they are of tremendous "Capital" importance. This is your real "Intellectual Capital".

The volume and speed of new “Intellectual Capital” production in your organization will determine how you will perform in an accelerating global arena of competition.

It is the difference between our success and our failure.

"No matter how good the Minimum Viable Product (MVP) or idea may be, without a consistent flow of new found Intellectual Capital, and the development of new tested prototypes, no outstanding and ground breaking results can be expected."
Now the question remains, how will you measure your organizational Intellectual Capital (IC)?

Without a way to measure it, how are you going to know what IC assets need to be managed and protected for the longevity and continuity of the business?

Where are they located? Which are most valuable? Who is the person or who are the people who own it?

People risk is one of the four major categories of Operational Risk Management.  How are you managing, measuring and protecting “Intellectual Capital” in your organization?

18 October 2020

Organizational Integrity: Leadership of Risk…

As a leader in your organization, how long have you truly demonstrated the actions you desire for those who are following you?

Countless times each day, leaders in the global race to the finish line, ignore or disavow the rules or policies they enforce for their own team.

What are you demonstrating in your organization today and this week to build “Organizational Integrity”?

How are your own behaviors in the midst of your team, showing and reinforcing the actions that will build and activate a model of “Organizational Integrity”?

integrity
noun

in· teg· ri· ty | \ in-ˈte-grə-tē

Definition of integrity

1 : firm adherence to a code of especially moral or artistic values : incorruptibility
2 : an unimpaired condition : soundness
3 : the quality or state of being complete or undivided : completeness
Why have you decided that you are more privileged than the others on your team?

Is it your personal sense of ego or power as a figure of authority, that makes you feel as if the activities and rules for you, do not apply or are different than for those who are on the front lines?

They are not. In the midst of a legal deposition, or worse, the leader who is charged has to explain their own behaviors. By then it is beyond the point of no return.

Even when you are behind closed doors of the “Board Room” or the “Ready Room,” are you demonstrating the same behavior and adherence to the processes, that you wish upon all those you are leading?

Leadership of your “Executive” Team or a “Squad of Specialists” in the field, requires people who truly “Walk-the-Talk” and adhere to the same standards or rules set forth for the entire organizational operations.

You already are known as a “Leader” in your area of expertise.

Yet are you known as a leader with “Integrity,” that truly demonstrates this in the middle of your operations each day?

29 February 2020

Workplace Violence: Maximize Dialogue and Anonymity...

Proactive vs. Reactive. The argument goes on in many organizational departments when it comes to budgeting for preparedness vs. response. How do you detect the next employee "Gone Rogue" as they say?

What is the early warning indicator that tells you that you need to train employees on the detection of "abnormal behavior" or out of context business transactions?

If we continue to handle business disruptions and personnel emergencies with the idea of mitigating the risk after the incident, then increase the budget for the line items under outside counsel, litigation and insurance.

However, the idea that a corresponding increase in the line items in the budget under the heading compliance, security and training will decrease risks prior to an incident, is prudent thinking.

In the battle for finite dollars to be spent across the enterprise in all categories that have significant risks, there will always be an argument on where the investment of resources will have the biggest payoff or return on investment.

"Yet, how will you ever know whether this is the year of the earthquake, the cyclone or the employee who becomes hostile or potentially lethal?"

The point is, you will never know, for certain...

This is why an investment in enterprise risk management dialogue requires that every department and each process, factor in additional costs for mitigating risks.

Each person who is closest to the work being done knows where the greatest potential is for a loss event. The place that is most vulnerable.

Just ask the HR specialist what employee they have hired over the past year or two that represents the most lethal threat to the company. Just ask the IT Security Engineer what system or application is on the verge of a melt down and they can tell you.

Or just ask the executive who they think the middle manager is, that is getting ready to move to the competition, with all the latest Intellectual Property (IP) secrets. Most likely, they can tell you.

Being proactive in managing operational risks sometimes means that you have to ask your employees risk related questions on a continuous basis. You have to document and collect the answers and feedback so that you can detect trends in behavior or potential eruptions in behavior.

Finally, you need to figure out how to do all of this using new tools and processes, to protect privacy and anonymity. Get started!

30 November 2019

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the global answer to many of the Chief Security Officers (CSO) who have faced the troublesome battle of selling more "Fear and Doubt" to the CEO and Board of Directors.

The 34th Overseas Security Advisory Council event was held the week before Thanksgiving as usual.  Yet flashback to when Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC on November 16th, 2006, when her words were music to our ears:

"It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change. The Council on Competitiveness is proud to offer this report, which promotes a strategy of resilience for both the public and private sectors a strategy with clear benefits for our companies’ competitiveness and our nation’s homeland security."


On the doorstep of 2020, globalization, technological complexity, interdependence, and speed of digital information are fundamentally changing the kind of risks and competitive challenges that companies— and countries—face.

Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies.

Increasingly, disruptions can come from unforeseen directions with unanticipated effects. Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These new types of risk, demand new methods of Risk Management.

Was this a way for the Chief Security Officers of the Fortune 500 to finally shift their thinking from protection to something less macho? How could "Resilience" become a platform for a mind set shift to justify new funding?

After all, now we aren't trying to scare people into the "Low Probability - High Impact" incidents anymore and focusing in on the high probability incidents, that may have enough impact to cause a significant business disruption.

What are the incidents and areas of risk that insurance won't touch these days? If the insurance companies can write the policy to give you peace of mind, is this necessarily an area that you can ignore because you have transferred the risk to someone else? Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt.

And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to Homeland Security and Critical Infrastructure Protection is Operational Risk Management (ORM)—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

Back in 2000, the Meta Group (now owned by Gartner) did a study on the cost of "An hour of computer downtime by industry group". These numbers are now 19 years old:
Industry sector (cost of one hour of downtime, $ millions)
  • Energy - $2.8
  • Telecommunications - $2.0
  • Manufacturing - $1.6
  • Financial Institutions - $1.4
  • Information Technology - $1.3
  • Insurance - $1.2
  • Retail - $1.1
  • Pharmaceuticals - $1.0
  • Banking - $0.996
We all know that it costs a lot of money to have any systems downtime; that's why so many dollars have been invested in Disaster Recovery Planning (DRP) and other Business Continuity Planning (BCP).

Yet is this the kind of resilience that is going to make you more competitive, to seize more opportunities? The economics of resilience are more than investing for the likely or unlikely information systems incident (ransomware) that will attack your organization tomorrow.

The threat of Tort Liability and the loss of reputation is top of mind these days with every major global company executive. The threat is real and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term "Legal Risk" new emphasis and meaning.

Once corporate management understands the need for a "Resilience" mentality in place of a "Protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive.

It alleviates the fear of doom and gloom and inspires newfound innovation. The future of your organization's longevity, and its adaptability, can be achieved with a new perspective.

Compete or die.

"Enabling Global Enterprise Business Resilience" is just the beginning...

25 August 2019

Red Team: The Unknown Adversary...

Anticipating risks and potential threats to critical assets takes a "Red Team" mentality. Communities and companies need to be training, planning and adapting to all hazards.

Whether they be the structural failure of a bridge, ransomware of major municipalities or the next major attack on our U.S. Homeland.

Critical infrastructure is physical and cyber-based systems, that are essential to the minimum operations of the economy and our government.

This means that many states are in a continuous review of their own critical infrastructure. When the analysis is done and the finger pointing is over, we will have one more example of why the public private partnership is essential for the future of government and business.

Organizations such as WashingtonDCFIRST, ChicagoFIRST and others around the U.S. are working on putting more emphasis on critical infrastructure resiliency.

InfraGard in San Francisco, Los Angeles, New York Metro, Chicago, the Nation's Capital or any of the other 70+ major metro areas is just another example of how private business is interacting with government in the context of cooperation, coordination and connecting tens of thousands of subject matter experts.

The people who can make a difference long before an incident, or minutes after one occurs, can be found in each of these local chapters. How the local community takes advantage of these resources is up to government leadership, since over 85% of critical infrastructure is owned and operated by the private sector.
"The ability to anticipate an opponent’s intent is critical to many forms of planning, analysis, design, and operations. While this need is recognized in the military and intelligence communities, infrastructure providers and first responders find themselves on the front line facing a range of potential threats, that in many cases exceed the defenders direct experience."
Having this "Red Team" mentality can save lives and dollars, through continuous exercises and a business resilience approach to discovering and eradicating new found vulnerabilities...

05 January 2019

Quantum Governance: The Rules of Trust...

People are learning to trust an AI, to make decisions on their behalf.  This will change our world exponentially in the next 10 years.

Now that we have reached connectivity to the Net with 50% of the human connected population, the AI of the IoT will be a growing trust factor in our daily lives.

We are accelerating beyond the simple tools of trusting that the answers to our questions are correct from "Siri" or "Alexa."  Accepting the trusted route from Google Maps on the most ideal navigation to our destination is already a given.

Beyond the consumer, "Algo Bots" and algorithmic trading have already replaced what in previous years was approximately 600 Goldman Sachs traders with 2 people overseeing daily operations on the floor. Others have already predicted the replacement of human operators in various other public and private decision-making bodies.

So what?

Trust Decisions in the next decade will be augmented by "Artificial Intelligence" on a more frequent basis.  That is already a given for many groups of decision makers across the globe.  The question is, how will governments begin to regulate AI?

Who will be in charge of making sure that the code and the algorithmic activity is correct?  That the rules behind the Trust Decisions are correct?

You see, as the software becomes more invasive in an individual's daily life and we rely on it for the truth, governments will be involved. They already are.

The "rules for composing the rules" that lead to millions of people's trusted decisions are at stake. Maybe even more so, the evolution of "Quantum Law." For those thought leaders such as Jeffrey Ritter who have for years been so keen to articulate the emergence of the governance of unstructured data, there is this:
"We are moving from a time in which we presume that all electronic information is true to a time in which we can affirmatively calculate what it is and know the rules by which it is governed on the fly," Ritter said. "That's quantum governance."
You realize that the words will live on for eternity and for others to always contemplate.  That is a given, that all of us shall be considering for our future, sooner than later.

So how might decision making bodies such as the U.S. National Security Council (NSC) utilize AI?  Greg Lindsay and August Cole have already addressed this years ago with METIS:

"The result is a national security apparatus capable of operating at, as you like to say, “at the speed of thought”—which is still barely fast enough to keep up with today’s AI-enhanced threats. It required a wrenching shift from deliberative policymaking to massively predictive analysis by machines, with ultimate responsibility concentrated in your hands at the very top."

In 2019, begin thinking deeper and longer about your TrustDecisions...

06 May 2018

IO Convergence: Cyber Warfare Unified Taxonomy...

Information Operations (IO) is an Operational Risk Management priority in both the public and private sector these days. Is it lawful for a U.S. company and U.S. citizens to train and perform cyber warfare activities on behalf of a foreign country?

Flashback to 2012, The Washington Post reports:

By Ellen Nakashima, Published: November 22
"In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center. He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.

Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state.

That was when J. Michael McConnell, then a Senior Vice-President at Booz Allen and former Director of National Intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.

“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it.”"
A common taxonomy was developed years ago for the cyber terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say Information Operations policy as it pertains to the digital world.

As an example, in the context of the digital attacker we have Sandia Labs Taxonomy:
  • Hacker
  • Spies
  • Terrorists
  • Corporate Raiders
  • Professional Criminals
  • Vandals
  • Voyeurs
Each is unique and has its own domain or category. We are sure that the same could be used for the context of attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the off line domains may not be synonymous with the on line domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:
  • Attackers
  • Tool
  • Vulnerability
  • Action
  • Target
  • Unauthorized Results
  • Objectives
Without combining the context under each category, we lose the impact of what we are trying to make contextual with regard to an "Incident". We need to make sure that the anti-terrorism taxonomies of the off line and on line domains can be utilized together to describe the attributes of an "Incident". We need to break down the sub-categories as well. For instance, in the Sandia Labs Taxonomy for the Objectives category we have:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
When we move to the off line domain and are doing risk mitigation and preparedness exercises for anti-terrorism, we utilize another set of words to describe and evaluate infrastructure threats and hazards. Here are five factors:
  • Existence addresses the question of who is hostile to the assets of concern?
  • Capability addresses the question of what weapons have been used in carrying out past attacks?
  • History addresses the question of what has the potential threat element (aggressor) done in the past and how many times?
  • Intention addresses the question of what does the potential threat element hope to achieve?
  • Targeting addresses the question of do we know if an aggressor is performing surveillance on our assets?
In the same month of November 2012, the Washington Post also reported:

By Ellen Nakashima, Published: November 14
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October. The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
We believe that as our cultures, countries, agencies and professionals work together on Information Operations (IO) and online counter-terrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for the clear and accurate risk management methodologies and incident management systems being developed by the relevant organizations in mutual collaboration.

Once we have accomplished this fundamental understanding, then true Critical Infrastructure Protection (CIP) cooperation and coordination will occur.

22 October 2017

Threat Management Team: Preemptive Risk Strategy....

The Corporate Threat Management Team (TMT) has been busy this past year, and your employees are consistently seeing new and startling behavior beginning to emerge. These small, versatile task forces, drawn from the corporate Operational Risk committee, include the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and the Chief Information Officer or Privacy Officer.

Assessments of workplace threats that include violence, sabotage, financial fraud, homicide or suicide are growing in the current economic environment, and Boards of Directors are on alert. The Board has a daunting responsibility to provide enterprise stakeholders with:
  • Duty to Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
Threat assessment is a legal responsibility of corporate management and directors, but this is nothing new per se. What may be trending upwards, and at an alarming rate, is the litigation associated with "Insider Threats." Just ask Dr. Larry Barton about the subject of corporate threat assessment:
"Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital."
This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team
Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

Addressing a growing threat from a person in the workplace takes a dedicated team, with the right tools and information at their fingertips. Making split-second decisions based upon a lack of documented evidence, a failure to follow a set of written policies, or just the wrong timing can open the doors to substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in today's volatile enterprises requires sound execution of a governance strategy, combined with new resources and tools, to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only known as the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive.

15 April 2017

Insider Threat: Duty of Care in the Workplace...

The summer of 2017 is approaching and soon thereafter the world will view the new documentary film "Risk" by Laura Poitras, about Wikileaks founder Julian Assange.  This week in Washington, DC, the CIA characterized Wikileaks as a "non-state hostile intelligence service".

Almost the same day, another case of insider threat was unveiled by the US Attorney for the Southern District of New York.  The alleged theft of proprietary trading code for a trading platform from a financial services firm by a software engineer named Dmitry Sazonov will not be the last case in 2017.

The ongoing theft of trade secrets and proprietary data from both private organizations and our governments remains a global epidemic.  A tremendous amount of effort continues by Operational Risk Management professionals to address the growing plague.  Insider threats as a whole, and the theft of trade secrets in particular, continue as a significant challenge for CISOs, Chief Privacy Officers and Human Resources executives.

Whether the incident involves the lone software engineer, the contractor analyst, or a disgruntled employee does not matter.  They are all motivated, for different reasons, to carry out their actions as a "Trusted Insider".  Mark Pomerleau explains that technology alone may not be the answer:

Insider threats have disclosed and improperly removed troves of sensitive information from government networks that compromise secrets and highly secretive security programs. While various technical and cyber-enabled monitoring tools have been applied to prevent such actions, the intelligence community’s top counterintelligence officer believes understanding the human element is the most important component.

“The mind of the insider threat: That is what I believe to be the critical component of stopping, if we can,” the individual that wants to be nefarious and do malicious behavior, said William Evanina, the national counterintelligence executive within the Office of the Director of National Intelligence.


Technology and software alone, even with continuous monitoring, will not eliminate this kind of "Insider Threat".  Monitoring is, however, a key component, no different from any other layer in a layered-defense risk management system.  Sometimes it just comes down to good management practices from one person to another.

The education necessary for mid-tier management is imperative if this layer of defense in the enterprise is going to work effectively.  Observing first hand a fellow employee's behavior in the workplace, or after hours in social settings, could be the "Early Warning System" each organization has been seeking for decades.

The learning and education associated with elevating management's understanding of counterproductive work behaviors, and of their policy implications in the workplace, is vital.  A malicious insider who is trusted in the workplace environment may be operating there for years.  Some of the key areas of observable behaviors are:
  • Production Deviance:  Poor attendance, poor quality of work, misuse of resources and time
  • Property Deviance:  Destruction of property, misuse of information and theft
  • Indirect Aggression:  Unsafe behaviors, politically deviant behaviors
  • Direct Aggression:  Inappropriate verbal or physical behavior
Source:  Assessing The Mind of the Malicious Insider  White Paper - Security Policy Reform Council - INSA - Insider Threat Subcommittee
"Introducing sophisticated new tools and effective monitoring immediately raises a host of questions that require further discussion to assess how best to incorporate them in Continuous Evaluation programs. These include how to balance privacy and security, assess the impact on workplace morale, determine the triggers for undertaking additional monitoring and action, and incorporate oversight and protections for civil liberties."
The 21st century organization with flexible work schedules, telecommuting, work from home policies and the utilization of cloud computing will accelerate the "Insider Threat".  The naive enterprise that perpetually operates without a comprehensive education and continuous learning program in place, does so at its own peril.

Simultaneously, the organization shall utilize the corporate governance tools known for years as the Office of Professional Responsibility, Employee Assistance Program (EAP) and other emerging capabilities such as Ginger.io.

You have an opportunity to provide your organization with the protection of your intellectual property and trade secrets, while synchronizing the privacy and civil liberties of your employees.  Wikileaks or some other entity will exist for years to come.  Your particular "Trusted Insider" will not be the last person to steal proprietary or classified information or be the perpetrator of workplace violence.

As a senior executive in your organization, your "TrustDecisions" will make the Duty of Care difference...

27 March 2017

Privacy Law: Scanning the Legal Horizon...

As our new knowledge-based organizations begin the startup phase, the thought of all of the implications of collecting and storing information may be secondary to raising capital.  However, once you have the core team in place and the business begins to scale, maybe it is time to look over the horizon.

Once you have reached the point in your company's growth curve to consider hiring a CFO and even an outside "General Counsel", the regulatory engine must be established within the enterprise.  Today, even the CISO in any major business across the United States has been challenged by rapidly changing digital privacy laws over the past two years.

Especially in California, the CalECPA went into effect January 1, 2016 and in general is focused on law enforcement:
The landmark California Electronic Communications Privacy Act bars any state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, documents stored in the cloud—without a warrant. It also requires a warrant to track the location of electronic devices like mobile phones, or to search them.
The simple fact that a company is doing business in the State of California and has employees operating there creates a significant set of requirements and compliance issues that should be top of mind.  This is why you see technology-oriented companies headquartered here developing robust guides for working within federal and state privacy laws.

A "Chief Information Security Officer" is not only charged with protecting the data within a confidentiality, integrity and assurance framework, but also working in tandem with the General Counsel and a Chief Privacy Officer.  The standards and the laws have significant hurdles that also require prudent Operational Risk Management strategies.

Now take all of this into consideration as you begin to plan for implementing an "Insider Threat Program" (InTP) within your organization.  The addition of a Human Resources component, the Chief Information Officer and perhaps even 3rd Party Cloud supply chain vendors will all be in play.

So What?

So what is the legal profession in California focused on these days?  Just take a look at the Agenda for a March 2017 event at Berkeley Law:

Cybersecurity Regulatory Enforcement

New regulators, new laws, and new norms are causing cybersecurity responsibilities to proliferate. This discussion will feature insights on how cybersecurity lawyers navigate the growing thicket of information security rules from the perspective of both companies pursued by the FTC and multinationals operating under different legal regimes. It will consider challenges posed by insider breaches and obligations arising from the General Data Protection Regulation.


Practitioners Panel

Privacy practitioners from leading law firms and major online companies will share insights on how to stay afloat in increasingly turbulent waters.

Privacy Award

BCLT is proud to bestow its annual Privacy Award this year on

Susan Freiwald, University of San Francisco Law School
Nicole Ozer, ACLU of California

in recognition of their leadership in securing passage of CalECPA, which establishes the “gold standard” of a judicial warrant for government access to communications, location data and other information about our daily lives.


Keynote: Too Close for Comfort – AI, Cloud Computing, and Privacy 

Recent advances in artificial intelligence, robots, and machine learning are enabled by big data, digital cameras, and cloud computing. These advances open an enormous Pandora’s box in terms of security and privacy. Groundbreaking AI researcher Ken Goldberg will present potential responses, such as a concept for “Respectful Cameras,” a privacy-preserving system for industrial automation. He will explain why claims of an impending “Singularity” are greatly exaggerated and will propose an alternative, “Multiplicity,” where diverse groups of humans work together with diverse groups of machines to innovate and to solve complex problems.

Government Access

With digital evidence central to an increasing number of criminal and foreign intelligence investigations, government demands for access seem to steadily increase. From varying perspectives, this panel will explore emerging issues in government access to data stored with third parties.

Artificial Intelligence and the Right to an Explanation

The General Data Protection Regulation requires that organizations explain to individuals the logic behind decisions rendered by algorithms. This policy is aligned with growing efforts in the machine learning community to improve the interpretability of outputs. This panel will examine a broad range of efforts to address interpretability and potential biases in complex algorithmic systems.

Consent and Contract under EU Data Protection Law


EU privacy regulation continues to have worldwide relevance, especially affecting U.S.-based companies. This session will examine how consumer data can continue to be collected and used given the different approaches in the EU and U.S. to consensual mechanisms for authorizing personal data processing.


The CISO and the entire team of Operational Risk Management professionals at your organization should be monitoring these developments and creating new strategies to protect the organization.  Scanning the legal horizon for the new challenges, and how to prepare for them, is the sign of a sound business strategy.

19 March 2017

Startup Strategy: Opportunity of Digital Trust in a New Era...

The startup ecosystem of new ideas for SaaS platforms or mission-based digital solutions is becoming ever more robust in our growing economy.  As a result, Operational Risk professionals are more in demand to help new co-founders adapt to the legal, compliance and consumer transparency requirements that will soon descend upon them.

It makes sense that when you are starting a new company you first focus on the product/mission and who the intended market or user will be.  Yet soon after this is defined and the "Go-to-Market" strategy is in place, a tremendous amount of Operational Risk design and implementation of internal capabilities will be required.  In social media alone, here is just one example:
"As social networks continue to mature, they increasingly take on roles they may not have anticipated. Moderating graphic imagery and hate speech, working to address trolling and harassment, and dealing with dissemination of fake news puts companies like Facebook and Twitter in powerful societal positions. Now, Facebook has acknowledged yet another challenge: Keeping your data safe from surveillance. That’s harder than it may sound. When you post something publicly on a social network, anyone can view it—including law enforcement or federal agencies."
Since the dawn of the Internet, new startup companies have been developing algorithms and bots to scour the vast landscape of "data oceans" for relevant content.  As public Internet tools, databases and consumer-oriented web sites were developed for even Blogs (Blogger.com) such as this one, other companies were figuring out how to capture the data content in their searchable systems.

Years later, startups developed ways to develop the API as a new product-set, so that other companies could embed and utilize a set of data or capability and have it more integrated with a new set of functionality or service mission.  What is one company in this category focused on Twitter?  Gnip.com:
"PowerTrack provides customers with the ability to filter a data source’s full firehose, and only receive the data that they or their customers are interested in. This is accomplished by applying Gnip’s PowerTrack filtering language to match Tweets based on a wide variety of attributes, including user attributes, geo-location, language, and many others. Using PowerTrack rules to filter a data source ensures that customers receive all of the data, and only the data they need for your app."
So what?

If you are a startup company that is planning on a pledge to your customers to "Keeping your data safe from surveillance," just as the juggernaut Facebook is also currently doing, you have a tremendous amount of work and new processes/systems to get in place.  You are embarking not only on the steep growth curve of adding new customers and revenue; you are simultaneously under the mandate to help achieve a higher level of "Digital Trust" with those same customers.

Developing the policy alone is only the start.  Here is how Twitter is addressing it:

"To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products."

How Facebook, Twitter, Snapchat, LinkedIn and all of the hundreds of Social Media companies will scale up enforcement is now the big question.  Maybe they have the deep pockets and resources to build and operate their "Digital Trust" business unit.  What about the new startup with only 6 or 7 figures in the bank from a seed or even "A" round of funding?

The policy implications and new federal laws being drafted in the United States and the European Union may be good indicators of where the future requirements will be defined for a new startup.  In the EU this week, the G20 finance ministers are converging on the topic of "Cyber Crime" soon after a recent indictment:
"Two intelligence agents from Russia, another G20 member, with masterminding the 2014 theft of 500 million Yahoo accounts. The indictment was the first time U.S. authorities have criminally charged Russian spies for cyber offences including for computer fraud, economic espionage, theft of trade secrets, and wire fraud."
How will the new startup that is focused on addressing transparency, privacy, and surveillance now "Enable Digital Trust of Global Enterprises"?  Here is a glimpse from the latest PwC CEO Survey:

"Yet, if forfeiting people’s trust is a sure-fire route to failure, earning their trust is the single biggest enabler of success. As an example, the progression from assisted to augmented to autonomous intelligence depends on how much consumers and regulators trust machines to operate on their own. That, in turn, depends on whether those who create the machines have the right risk and governance structures, the means to verify and validate their claims independently and the mechanisms to engage effectively with stakeholders."

"In short, trust is an opportunity, not just a risk. Many CEOs recognise as much: 64% think the way their firm manages data will be a differentiating factor in future. These CEOs know that prioritising the human experience in a virtual world entails treating customers with integrity."


Welcome to the new era of achieving Digital Trust...

13 February 2017

RSA 2017: In Search of the Truth...

The 2017 RSA Conference is set to launch this week in San Francisco.  What is true?  The state of asymmetric warfare across the globe is pervasive and nation states have been negotiating new rules of the game.

As you descend into the keynote sessions, absorb the content from your favorite track or walk the overwhelmed Expo halls, pause for a moment.  Stop, look around and look at what you see.  The ICT (Information, Communications & Technology) ecosystem is no longer a vertical.

The horizontal intrusion of smart devices, IoT and the rapid mobility sensor markets have created a juggernaut ecosystem.  The startup communities across just the United States landscape have entrepreneurs sharing and automating parts of your daily life once thought unthinkable.

The Techstars of the next generation of commerce, understand the platform better than ever.  Meanwhile, the same ambitious individuals with so much creativity are simultaneously in a battle for funding and market share.

It is a new generation of inventions that are AI-driven by Voice Recognition that are becoming the foundation for getting the information we need now; this second, not in a few minutes or even an hour from now.  We want it now and we trust that it will be true.

There are some major themes that you will see and pick-up on while attending RSA this year.  Some established companies with a tenured legacy in the industry are even making a pivot.  Look for how they are starting to craft the new narratives that will consume the marketing airwaves.

Expect plenty of talk about the ongoing ransomware scourge and threats against the Internet of Things (IoT) during RSA Conference 2017, which begins a week from today at the Moscone Center in San Francisco.

The conference will include 15 keynotes, including talks by RSA CTO Zulfikar Ramzan, Microsoft president Brad Smith, and Alphabet CEO Eric Schmidt. The popular cryptographers’ panel will feature Whitfield Diffie (of Diffie-Hellman-Merkle), Ronald Rivest and Adi Shamir (the R and S in RSA encryption), and Susan Landau (creator of Landau’s Algorithm). Paul Kocher, who figured out timing attacks against various RSA and DHM implementations, will moderate the panel.

With this in mind, now start to realize the places that have been behind the innovation curve: the small and even mega markets that have been slow to invent, or that operate in such austere environments that the technology has not reached them yet.  Start your new journey into these places to see how you can contribute, how you will be able to make a difference:

The Defense Innovation Initiative (DII)
Exploring Ideas to Better Identify the “Art of the Possible” for National Security


The Defense Innovation Initiative (DII) is a Department-wide initiative to pursue innovative ways to sustain and advance the capabilities of the “force of the future.” The U.S. changed the security landscape in the 1970s and 1980s with networked precision strike, stealth and surveillance for conventional forces. Through the DII, the Department will identify a third offset strategy that puts the competitive advantage firmly in the hands of American power projection over the coming decades.

The future of RSA and our way of life for our interconnected nations, economies and daily consumption of the truth is at stake.  We do have the ability to better cooperate, collaborate and communicate our paths forward.  Yet it begins with a conversation in person, face-to-face to establish the emotional and behavioral ties to trustworthiness.

Have a wonderful week in San Francisco...

30 October 2016

Legal Risk: Tools for Trusted Governance...

One of the reasons that the United States has endured is because of transparency and the rule of law.  There are several key systems in place for corporations, organizations and governments to decide on the rules, publish them, enforce them and provide people with mechanisms for establishing trust in the system.  Operational Risk Management (ORM) as a discipline interfaces with many of them across the globe.

Policies that are not codified in laws differ across states and global jurisdictions.  The rules that people can rely on, and have come to trust for hundreds of years, remain the foundation for our modern civil societies.  It is when the rules are ignored, underutilized or forgotten that disruption and chaos can erupt.

A key principle in modern democracies is that the rule of law is known. Statutes, regulations, court decisions, agency deliberations, and even the minutes of Federal Reserve meetings are published and made available. The operating premise is that, if the rules are accessible, civil order and social continuity will be strengthened and the conduct of those violating the rules is more easily prosecuted. The old saying that “Ignorance of the law is no excuse” rests on an important premise—the law must be published and accessible. The Internet has made much of the content of the rule of law even more accessible. Jeffrey Ritter

The country and the jurisdiction are key components of knowing the law, and in the day of the Internet the law is even more accessible.  An organization, company enterprise or governance body that is building and achieving trust has several tools at its disposal to assist with the enforcement mechanism.  One of those is an independent panel or group of outsiders who are convened to discover evidence.

A Board of Directors is comprised of individuals both inside and outside the company, to help guide the organization.  In a private company, this "Board of Directors" weighs the evidence of the data and makes informed decisions to govern the enterprise.  Some of these decisions may involve what products and services to develop, or which people should be selected for or released from certain duties and responsibilities.

In the public sector, there is another mechanism that can be utilized: a Grand Jury.  The Fifth Amendment to the Constitution of the United States reads, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury..."

A grand jury is a legal body that is empowered to conduct official proceedings to investigate potential criminal conduct and to determine whether criminal charges should be brought. A grand jury may compel the production of documents and may compel the sworn testimony of witnesses to appear before it. A grand jury is separate from the courts, which do not preside over its functioning.
What is one example of a notable case where a Grand Jury was used in the process of the rule of law?
The second Watergate grand jury indicted seven lawyers in the White House, including former Attorney General John Mitchell and named President Nixon as a "secret, unindicted, co-conspirator." Despite evading impeachment, Nixon was still required to testify before a grand jury.
An environment of trust includes a vital component of transparent and accessible rules. When there is a reason to discover the truth, we look to the governance factors of those rules. Then we look at the clear evidence, the data to determine the correct course of action in our inquiry.  A Board of Directors or a Grand Jury provides guidance on whether a particular case should be referred to a legal process in a particular jurisdiction.  The rules are clear.  Trust is preserved.

What are the outcomes and benefits of effective Operational Risk Management (ORM)?
  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.
ORM is a continual process that, when utilized effectively, will provide the four benefits described.  Why any governance organization or body that is interested in transparency and building trust would ignore the process is questionable.

ORM includes legal risk.  This is why private sector companies include the General Counsel (GC) in the team that helps to effectively govern the organization.  The GC understands the rule of law, the requirement for transparency and the factors needed to achieve integrity and trust.

Now think about your organization, your jurisdiction and the process you are utilizing to ensure more effective TrustDecisions.  What can you do different?  What will you do to make it better?  How will you provide the best use of the rules to effectively ensure the integrity and governance of the system?

Here is just one example:

Over 60 people in the U.S. and India face conspiracy and wire fraud charges in the largest crackdown against a telephone scam ever, officials said.

Callers from centers in India posed as federal agents to threaten victims with arrest, imprisonment, fines or deportation if they didn’t pay up, according to an 81-page indictment unsealed Thursday.

At least 15,000 Americans lost more than $300 million collectively during the four-year scam, according to the feds. A Texas grand jury indicted 24 people from nine U.S. states, 32 people from India and five call centers in Ahmedabad, India, earlier this month.

23 July 2016

ECPA: Reality of Homegrown Violent Extremism...

In the United States, Operational Risk Management executives in the private sector are consistently balancing the legal requirements for public safety against their customers' right to privacy. The Internet Service Provider (ISP) General Counsel's duty to facilitate the rule of law within the private sector organization has been on a collision course with protecting the homeland for more than a decade since 9/11.

One of the critical tools for Homeland Security Intelligence (HSI) is the "Electronic Communications Privacy Act" (ECPA), and for good reason. The law provides the tools for law enforcement and national security intelligence analysts while simultaneously protecting the privacy interests of all Americans. In a 2011 statement before the Committee on the Judiciary, United States Senate, Associate Deputy Attorney General James A. Baker outlined the basis for ECPA:
"ECPA has never been more important than it is now. Because many criminals, terrorists and spies use telephones or the Internet, electronic evidence obtained pursuant to ECPA is now critical in prosecuting cases involving terrorism, espionage, violent crime, drug trafficking, kidnappings, computer hacking, sexual exploitation of children, organized crime, gangs, and white collar offenses. In addition, because of the inherent overlap between criminal and national security investigations, ECPA’s standards affect critical national security investigations and cyber security programs."
Criminal elements and their organized syndicates are leveraging the modern technologies and capabilities of the private sector. The legal first responders for our 21st century homeland threats don't always wear a badge and drive a Crown Vic on patrol around our city streets. Many spend their hours on patrol in cyberspace, or analyzing terabytes of data online with sophisticated software to determine the what, who, why and how of the current threat stream.

The US government has a fiduciary and legal duty to protect the privacy and civil liberties of all US citizens. Parallel to this task is the rapidly changing use of communications and other mobile technologies to facilitate and support the activities and operations of individuals and networks of people who exploit the design, configuration or implementation of our country's homeland defense architecture.

Whether this architecture includes the utilization of 72 Fusion Centers or the methods for collecting "Suspicious Activity Reports" (SARs) from those first responders, the fact remains that the pursuit of national security threats is a daunting task. This is happening today, on the ground and in the digital domain. Therefore, the speed at which these individuals can legally obtain the data they require to make informed decisions is at stake, and we must eliminate any new impediments put before them. In his statement on "Government Perspectives on Protecting Privacy in the Digital Age", Mr. Baker explains further:
Addressing information associated with email is increasingly important to criminal investigations as diverse as identity theft, child pornography, and organized crime and drug organizations, as well as national security investigations. Moreover, email, instant messaging, and social networking are now more common than telephone calls, and it makes sense to examine whether there is a reasoned basis for distinguishing between the processes used to obtain addressing information associated with wire and electronic communications. In addition, it is important to recognize that addressing information is an essential building block used early in criminal and national security investigations to help establish probable cause for further investigative techniques. Congress could consider whether this is an appropriate area for clarifying legislation.
Any changes to the ECPA laws should be considered carefully, with not only the government but the private sector at the table. The two must work together to find the correct balance between national security requirements and the privacy of the customers of mobile communications, e-mail, and social networking entities. The time it takes our first responders to rule in or rule out a person of interest in an ongoing investigation can mean the difference between a failed and a successful attack on the homeland. The private sector should determine the prudent cost to the government for providing legally obtained information from non-telephone records, such as a name, an address and other metadata. By the way, has anyone noticed that the criminals, terrorists, spies and other malicious actors have decided to use Telegram or WhatsApp instead of their mobile telephone?

Homeland Security Intelligence (HSI) first responders will be the first to tell you that the crime syndicates and non-state actors have gone underground and have stopped using the tools that leave data more easily accessible to law enforcement. Now they are creating and operating their own private and secure infrastructures within the confines of private sector companies. These clandestine groups have an organized hierarchy and specialized skills, and therefore the US government must continue to step up the pace, legally.

What does this all mean? It means that there will be a lower chance of undercover law enforcement officers becoming members of these organized crime syndicates, which in many cases are the genesis of homegrown violent extremism (HVE).

Homegrown extremists can be individuals who become violently radicalized, perhaps after exposure to jihadi videos, sermons and training manuals available on the Internet, security officials say. Such plotters are harder for counterterrorism officials to spot because they have few links with known terrorist operatives and often don’t travel overseas for training.
Another implication is that there is a higher chance that private sector researchers will understand the new tradecraft of HVE actors long before law enforcement and national security intelligence analysts do. This is because the standard approach to the "Seven Signs of Terrorism" has been focused on physical infrastructure. Organizations in the private sector have been researching, tracking and profiling the methods and modus operandi of the digital extremists who have plagued our banks and other financial institutions with cyber crime since the late 1990s.

The time is now for these two distinct disciplines and their professionals to converge. The public as eyes and ears, combined with the legal tools to extract timely information from technology providers, is part one. Part two is the integration of intelligence analytic training into the curriculum of the police and fire academies for new recruits. Providing these first responders with the methods, tools and capabilities to be more effective collectors at the street level will give the fusion centers a more robust set of relevant information streams. Here is an example from a graduate certificate class in criminal intelligence analysis from AMU:

The graduate certificate in Intelligence Analysis provides you with a fundamental understanding of the issues, problems, and threats faced by the intelligence community. This online graduate program helps you develop a comprehensive knowledge of how intelligence agencies in the U.S. assess and counter international threats in order to guard U.S. global interests and protect U.S. national security from adversaries. Knowledge from this certificate program is applicable to many career fields within the military, security companies, government contractors, or federal agencies.

We have a choice to provide our first responders with the correct training and OPS Risk education for today's Homeland Security Intelligence (HSI) mission. Our national policy makers have a choice to assist them in getting the information they need to do their jobs quickly and efficiently while protecting civil liberties. The choices we make fifteen years after 9/11 will define the landscape for homegrown extremism and the legal framework for ensuring the safety and security of all Americans for years to come.

09 April 2016

Trade Secrets: Gearing up for DTSA...

The Fortune Global 500 and the smallest research and development organizations in the U.S. have another ruleset to keep their eye on this week.  It is the DTSA, S.1890, the Defend Trade Secrets Act of 2016, which has passed the Senate.  Operational Risk Management (ORM) is preparing for the next addition to national law.

The attribution of cyberespionage adversaries has been gearing up since the Sony Pictures hack.  The private sector has been hunting and identifying those shadow individuals and nation state special units for years.  Now the lawyers can get more aggressive with civil actions.

The question remains, will another law deter the actions by global organized crime and the intelligence community of some significant nations?  How will attribution and more aggressive civil actions in foreign jurisdictions make a difference?

As a global organization, can you access your database of confidential trade secrets?  Just as with the task of identifying the information assets you are going to protect, you need an inventory.  What are they and where are they?  Everyone knows the formula for "Coca-Cola" is written on a single piece of paper that is locked up in a vault in Atlanta, GA, right?  Or is it?

There are trade secrets across America that have been stolen by operatives working inside organizations.  They may be preparing to leave the U.S. for another country, outside the reach of law enforcement and the legal process for seizing the stolen property.  That is going to change soon.
The Ex Parte Seizure Order is part of the Trade Secrets bill that allows a trade secret owner to obtain an order from a judge for U.S. marshals to seize back the trade secret from the alleged bad actor without prior warning. This is to protect the trade secret owner from having the alleged bad actor skip the country or destroy the evidence before it is recaptured.
Now that trade secrets have a federal civil cause of action, placing them in the same legal and enforcement category as patents and trademarks, you can predict that your legal budgets will need to be adjusted, upwards.  In general, what is a trade secret?
The subject matter of trade secrets is usually defined in broad terms and includes sales methods, distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients, and manufacturing processes. While a final determination of what information constitutes a trade secret will depend on the circumstances of each individual case, clearly unfair practices in respect of secret information include industrial or commercial espionage, breach of contract and breach of confidence.
The effort to make intellectual property a "Trade Secret" is a strategy in itself. The determination to designate something a trade secret depends on the invention or the data itself. We understand. So what?
A Chinese businessman pleaded guilty Wednesday (March 23) in federal court in Los Angeles to helping two Chinese military hackers carry out a damaging series of thefts of sensitive military secrets from U.S. contractors.

The plea by Su Bin, a Chinese citizen who ran a company in Canada, marks the first time the U.S. government has won a guilty plea from someone involved with a Chinese government campaign of economic cyberespionage.

The resolution of the case comes as the Justice Department seeks the extradition from Germany of a Syrian hacker — a member of the group calling itself the Syrian Electronic Army — on charges of conspiracy to hack U.S. government agencies and U.S. media outlets.
Our adversaries are determined. They are already here. It has been documented for years. Let the next wave of legal indictments and seizures begin. One thing is certain: the "Insider Threat" is still present, and your organization can do better. The ability to effectively utilize the correct combination of controls, monitoring, technology and internal corporate culture shifts will make all the difference. What are you waiting for?