Showing posts with label hacking. Show all posts

31 August 2024

Critical Infrastructure: OSINT to the Rescue...

Over the past decade our U.S. Critical Infrastructure has become even more vulnerable.

Why?

In the early days of the commercial Internet (2000-2001), there were several dozen of us working in a Rosslyn building on Wilson Boulevard in Arlington, Virginia to answer our growing Fortune 500 and government clients' questions of “Who”, “What”, “Where” and “How”.

We already knew the answer to “Why”.

The 24/7 Internet crawler algorithms our techies engineered were doing their intended tasks and retrieving Terabytes of data on a 24/7 basis for our further human analysis.

All of this was well on its way before the more sophisticated use cases of the Internet for the implementation of the Banking infrastructure, Retail transactions and Telecommunications were in place.

The systems and infrastructure we now call “Critical” were just in their early stages of IP maturity.

Remember, the iPhone was not invented until around 2007!

Afterwards, and yet even more vital to this day, you might think about your own organization's “Operational Risk Management” (ORM) objectives and tasks in three key categories:

  • Human
  • Physical
  • Cyber

Over the course of your company's legal, compliance and security organizations conducting regular “Threat and Hazard Identification and Risk Assessment” (THIRA) activities and rules, the reality begins to set in.

The Board of Directors are still asking, "How can we as people address the exponential growth, change and remediation without more automation, software and systems?"

"This is when new companies were born to build the software to help humans keep a better eye on the risk management of our growing Critical Infrastructure."

As new software companies were born to address THIRA applications, some people began to feel like it all had NOT been solved.

Asymmetric Warfare today, not only includes our “Nation States” across the globe, but also Black hat “Hacktivist” organizations and individual people. In every country with the Internet.

Evidence of these individuals' and groups' growing existence is still the “Why” for your own organization's THIRA activities.

This also includes the “Why” for our US Homeland Security organizations such as CISA and others in the National Intelligence and Law Enforcement arenas.

Perhaps even more vital, are the private organizations who are still in the business today of “Open Source Intelligence” (OSINT) since the dawn of the Internet…

16 June 2023

Asymmetric: Deer in the Headlights...

It was June of 2021 when the iPhone buzzed and the CxO requested a briefing on this growing threat on the horizon. Ransomware had already been gaining traction for years.

Human behavior has been repeating itself since the beginning and once again, this "Corporate Executive" was no different.

“We need a briefing on what we need to do at “Our Company” to avoid being attacked by this ransomware hacker!”

The response was immediate. “The Executive Report is ready for you now and the Executive Team whenever you all are together in the Board Room, yet when will you have just 30 minutes for our local Information Security Team to brief you today?”

Have you ever encountered a boss who had that “Deer In The Headlights” look on their face when they were asking for your assistance?

Did you see the “CBS Evening News” last evening they yell!

“CLOp, the ransomware gang responsible for exploiting a critical security vulnerability in a popular corporate file transfer tool, has begun listing victims of the mass-hacks, including a number of U.S. banks and universities.”

For those of us who have been operating in this business for a few decades, the behavior of uninformed corporate citizens to the continuous threat vectors in our world is never going to cease.

As Digital First Responders we then communicate with a few key messages to executive management in the “C” Suite, yet not all at once!

As you will learn, you have to communicate a measured yet continuously deliberate set of message facts over the course of a week or two, for people to slowly comprehend the vast landscape of the business problem they are now in:

  • Critical infrastructures are those systems and assets, whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.
  • As ransomware attacks continue to grow, organizations need to improve their security posture to protect against an attack. Better security requires implementing appropriate security controls and ensuring that effective crisis management and employee education are in place.
  • The landscape of how we work has changed. We must assess vulnerabilities in a new way and with increased due diligence.
  • The cost of a cyber attack is often significant for organizations large and small, and we must strengthen responsiveness and reduce behaviors that may open vulnerabilities in the future.
  • Public-private partnerships of Critical Infrastructure organizations with CISA.gov and FBI.gov are vital to enhance our U.S. National Security.

Once you have effectively provided these top 5 bullets to your executives, then the real work shall begin:

THE RANSOMWARE CRISIS

The current ransomware crisis can be attributed to the following factors: 

  1. History of Inaction
  2. New Tactics
  3. Rapid Technology Deployment / Innovation without Security & Resilience
  4. Safe Harbors for Criminals

Since you are a “Digital First Responder”, try to remember that your audience is still learning the vast and pervasive implications of what many of us have been fighting since the dawn of the Internet and our growing Asymmetric Warfare.

29 January 2022

Cyber Reality: Quest for the Digital Castle...

On this Saturday morning the prayers are silent. For family, friends and also for the subject matter experts in business and the U.S. government.

They have been waking us up again to the reality of the Operational Risks we now face, to our ubiquitous digital-based economic infrastructure.

The message is clear to those insiders, who have been trying to defend our "Digital Castles" against tremendous odds of these seemingly invisible threats. Is it really, game over?

The short answer is yes. The current mindset should be that every major business of valuable interest in the eyes of the enemy has already been compromised or soon will be. It is already too late. The stealth digital code is currently waiting in the shadows of your organization's hundreds or thousands of digital assets.

Whether it is the aging Dell tower desktops still running on Windows XP somewhere or the latest Android PDA/Apple iOS devices tethered to the corporate network does not matter. Your adversary has control of when and where to begin the attack on you and your organization.

So if this is the reality of the global state-of-play, in both the business world and also to government, what should the risk management strategy consist of going forward? How could we ever get to a point of advantage over those who seek to do us harm?

So internally, the prudent corporate business strategy should be for your General Counsel and the CIO of your organization to be already preparing themselves for the day that they will step before the press conference microphone to disclose the material breach of the company's intellectual capital or theft of assets.

They should already know that it is just a matter of time, and not deny that it will ever happen on their watch. If you are a Board Director and you still have not had "The Talk" with management about this stark reality, then you too are complicit in the scheme to present your stockholders and stakeholders with a false sense of confidence that you are safe and secure.

The new normal for forward thinking organizations is already being implemented for adverse events. The Crisis Management Team has already exercised the "Data Breach" scenario numerous times.

Your General Counsel and Chief Information Officer have rehearsed and practiced their testimony before opposing and adversarial questioning of your organization's information security processes.

The company subject matter experts are more than prepared to submit evidence of their best practices, industry standards compliance and previous tests of due diligence. The stage is set for the court room battles ahead:

The quest for the "Digital Castle" has been going on for years. Are you awake now or still living in a dream of denial on your state of achieving a Defensible Standard of Care…

09 January 2021

Reengineering: Our Next American Decade Together…

As you stand before the U.S. Capitol in Washington D.C. on this January 2021 evening, what are your thoughts?

When you walk down the sidewalk towards the AT&T building in downtown Nashville, what comes to your mind?

After you contemplate these two physical building locations, now think about the virtual scale of the digital SolarWinds software hack?

Our greatest adversary in a world full of Evil and continuous “Asymmetric Warfare,” is a Noun:

Definition of complacency - noun

1 : self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. When it comes to safety, complacency can be dangerous.

2 : an instance of usually unaware or uninformed self-satisfaction.

Operational Risk Management (ORM) has never been more vital, as our next decade opens before us in the United States.

People, Processes, Systems and External Events shall be our focus and our major problem-set in the U.S. Public and Private Sector.

Where does it begin? How will we as Americans unite to overcome complacency? When you wake up tomorrow, start with the thought of another word in the dictionary.

This time, we must counter our adversary “complacency” and be proactive to show a sign of action:

Definition of reengineer - verb

1 : to engineer again or anew : redesign

2 : to reorganize the operations of (an organization) so as to improve.

Our lost values and the speed of our digital world have incrementally overtaken us. We must now realize that we have a new opportunity before us.

First, we must Understand. Decide. Act. We must Reengineer. We must demonstrate Integrity.

Second, who do you know in your circle of human relationships that could use a hug or a “Thank You” today.

And how might you together, make your levels of “Trust” grow even greater?  How might you work side-by-side to eliminate any sign of complacency?  To improve the quality of _____?

You see, as Americans, we shall have continuous pride on what we have accomplished so far.

The rest of the globe is counting on our future.  Onward…

22 November 2020

CyberCom: Real-time Situational Awareness...

The Operational Risks to your enterprise that are associated with your digital assets, networks and infrastructure are vast.

What is your organization's exposure today?

The amount of daily "Cyber Intelligence" flowing into the organization is growing exponentially and there are few hours in the day to analyze it. You have invested hundreds of thousands if not millions on cyber security to keep your corporate systems protected and ready for any significant business disruptions.

Electronic Stored Information (ESI) is continuously being discussed at the Board of Directors meetings. Data Breach Notification Laws are being amended and the congressional pipeline for privacy and cyber laws is in full swing in the United States.

The Fortune 500 is already paying for "White Hat" hackers to test their online and data security. The only way to continuously determine the effectiveness of risk management controls, is to continuously test them in a lab or scenario environment.

This "Red Cell" approach to attacking the corporate assets from the "inside out" or the "outside in" provides the intelligence necessary to close the gaps and vulnerabilities. These penetration or vulnerability tests are necessary, and the ecosystem of companies, sources and methods is expansive.

A Fortune 500 organization may currently subscribe to annual services that provide the intelligence that gives them an alert of a "Red Flag" in their security landscape.

The company that provides the intelligence is paying a substantial fee to a network of sophisticated professionals to exploit the vulnerabilities in software coding. Namely, the design, configuration or implementation of a complex set of technologies to determine where and how these vulnerabilities may pose a threat to your assets.

The model for Enterprise OPS Risk Management in the most savvy and enlightened critical infrastructure dependent organizations realize that cyber security is not a department or a unit at the company.

It remains a horizontal platform on which all business units and departments of the organization rest, and its pervasive mechanisms for the security and safety of people, processes, systems and external events must operate 24 x 7 x 365.

Our future is about a "Defend Forward" or "Real-Time Situational Awareness" strategy.

"The “defend forward” concept outlined in the DoD’s 2018 cyber strategy charges Cyber Command to get as close to adversaries in networks outside the United States before they reach the nation. The command uses its authorities to operate in networks abroad to discover malware and enemy tactics that could be used against the American people or election infrastructure.

The command can either share that with relevant partners — such as the Department of Homeland Security, the FBI or private companies — so they can take necessary measures, or the command can unilaterally take action to thwart malicious activities before they impact American networks."

The public and the consumer are becoming used to the fact that the challenge continues to be an iterative process and worthy of some level of patience.

"Operational Risk Management (ORM) is not about eliminating all threats to the enterprise. It is about the speed and accuracy of understanding the current levels and threat vectors so you can effectively deter, detect, defend and document."

This "4D" approach to risk management in the rapidly changing, digitally mobile organization of 2020 and beyond is a shift away from pure information security thinking that is housed within the Information Technology Department...

24 May 2020

Memorial Day 2020: Understand | Decide | Act...

Walking through Section 60 at Arlington National Cemetery on Memorial Day weekend is a stark reminder of the Operational Risk Management challenges we have faced these past 19+ years.  One example can be found in the budget at the Pentagon, on how to defeat the IED.

Billions of dollars are devoted to the strategies and tactics to keep U.S. "boots on the ground" on foreign lands from becoming KIA, an amputee or another invisible wound such as Traumatic Brain Injury or Post Traumatic Stress.

Regardless of the dollars devoted, many grave markers in Section 60 have birth dates in the 1980's and 1990's.  Standing there remembering Neil, a tear rolled down a cheek and the wind quickly blew it away...

"Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3]."

If you are currently in the military we will thank you for your courage of service on Veterans Day, as we have before.  This day however, is for those in the U.S. forces who have died while serving.

Simultaneously, we must thank all of the other "Operational Risk Management" subject matter experts.  The "Quiet Professionals" who operate everyday in the shadows.  We hope that their decisions will continue to be the right ones.  They live each day with the burden of managing risk decisions, that could send another U.S. patriot on their way to Section 60 or a remembrance "Star" on the wall at Langley.

Whether you are a Mother, Father, Brother, Sister, Family or Friend, this Federal Holiday is your day of memorial to your loved one(s).

Some would say that our country is currently at a degree of War.  Even though there is no official written declaration, that has been written and published to the world.

Yet, these three words, in this order, and in that continuous "Chain," means everything to those who have served and will serve our United States. 

    > Understand.

    > Decide.

    > Act.

Until the day, that all our military and all of our true "First Responders" decide, that America is no longer worth fighting for, these three words will consume them.

Thank you for being there...

13 July 2019

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets is continuously on every Operational Risk Management (ORM) executive's mind these days.  The names Chelsea Manning and Julian Assange have been headline news for years.

In addition, the 2009 conviction under the Economic Espionage Act of 1996 in the United States is a stark reminder of the accelerated requirements for an "Insider Threat Program" (InTP) by the counterintelligence and OPSEC units of major public and private organizations.  Flashback to a decade ago:

"A former Rockwell and Boeing engineer from Orange County, CA was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket."

How 250,000 pages of classified, proprietary and otherwise sensitive information came to be found under this employee's house is a good question. What might be an even more interesting question pertains to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA a decade ago.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being that exploits the vulnerabilities in the design, configuration or implementation of your layers of defense.

This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the changing personnel within the organization.

In collaboration with the Information Technology organization, the Digital Operational Risks that the OPSEC team is focused on these days have to do with Data Loss Prevention (DLP) software platforms and proactive data exfiltration detection capabilities.

As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in the "insider" detection and prevention of stealing, changing or deleting sensitive information, there still remains the risk of human factors and social engineering.

Sometimes the low tech or human designed detection systems that work on behavioral sciences, can be just as effective as the newest software running on the fastest computer box.

One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees?

Those individuals who have certain access to systems or information, leave the organization for involuntary reasons or people that may be 3rd party suppliers to the key people in the red zone. So how does the Reid Technique help?

"The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation."

The "Integrity Interview" is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior, is their recent past behavior.

The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies, regarding digital assets and cyberspace access to organizational data repositories.

Individuals who have the characteristics associated with deception could be the target of a further investigation to determine whether any unauthorized information has been sent to an encrypted webmail account, or whether a 2 TB thumb drive happened to be plugged into a corporate laptop the night before the last day on the job.
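The investigation trigger described above (removable media or webmail uploads by a departing employee shortly before their last day) is exactly the kind of correlation a DLP or OPSEC team can automate so that the behavioral exit interview is informed by evidence rather than a hunch. The following is an added example, not code from the original post or from any DLP product: it joins a constructed offboarding roster against constructed endpoint and proxy events and flags watched events that fall inside a configurable window before the employee's last working day. All usernames, hostnames, paths and timestamps are constructed; the event names (`usb_mass_storage_attached`, `file_copy_removable`, `webmail_upload`) are assumed labels, not any vendor's schema.

```python
"""
Added example (not from the original post): correlate offboarding dates with
endpoint / proxy events to surface the "Red Zone" departing-employee pattern.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed offboarding roster: username -> last working day
OFFBOARDING = {
    "jdoe": date(2019, 7, 12),
    "asmith": date(2019, 8, 30),
}

# Constructed events, one per line: timestamp|user|event|detail
SAMPLE_EVENTS = """\
2019-07-10T21:47:03|jdoe|usb_mass_storage_attached|vendor=Generic size_gb=2000 host=LT-0421
2019-07-10T22:05:41|jdoe|file_copy_removable|path=\\\\corp\\eng\\design_notes.zip bytes=734003200
2019-07-11T08:15:22|jdoe|webmail_upload|dest=mail.example-webmail.test bytes=52428800
2019-07-11T09:02:10|bwong|usb_mass_storage_attached|vendor=Generic size_gb=16 host=LT-0099
2019-07-03T13:30:00|asmith|webmail_upload|dest=mail.example-webmail.test bytes=1048576
"""

# Event types treated as exfiltration indicators (assumed labels)
WATCHED_EVENTS = {"usb_mass_storage_attached", "file_copy_removable", "webmail_upload"}


@dataclass
class Finding:
    user: str
    event: str
    when: datetime
    days_before_last_day: int
    detail: str


def parse_events(text):
    """Parse the pipe-delimited constructed log format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def red_zone_findings(events, roster, window_days=7):
    """Return watched events by rostered employees that occurred within
    window_days before (and including) their last working day."""
    findings = []
    for when, user, event, detail in events:
        last_day = roster.get(user)
        if last_day is None or event not in WATCHED_EVENTS:
            continue  # not departing, or not an indicator we track
        delta = (last_day - when.date()).days
        if 0 <= delta <= window_days:
            findings.append(Finding(user, event, when, delta, detail))
    return findings


if __name__ == "__main__":
    for f in red_zone_findings(parse_events(SAMPLE_EVENTS), OFFBOARDING):
        print(f"{f.user}: {f.event} {f.days_before_last_day} day(s) before last day ({f.detail})")
```

With the constructed data, only the three events by the employee leaving on 12 July fall inside the default seven-day window; the other USB insertion belongs to someone not on the roster, and the earlier webmail upload is too far ahead of that person's last day. Widening `window_days` is the knob for how early in the notice period the OPSEC team wants to start looking.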

This low tech method may still be one of the most effective means for industrial espionage: old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasures will not be able to thwart a diligent, patient and trusted insider.

Utilizing "Behavioral Interview Analysis" can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their asymmetric information operations strategy on the corporations and governments worldwide.

Economic espionage and attacks on nation states' critical infrastructures require a substantial shift in policy and taxonomy if we are ever going to be effective in protecting our IP and trade secrets.

While the CEOs and the Generals are being briefed on the latest facets of "Weaponizing Malware," we can only hope that OPSEC is still conducting the behavioral analysis exit interview.

A face to face encounter, with someone who may just be that one person, who has your most valuable intellectual property or trade secrets in the purse or backpack at their feet...

24 November 2018

Predictive Profiling: The Human Firewall...

In Harrison Ford's 2006 movie Firewall the viewer is entertained with a combination of a Seattle bank heist, kidnapping and good old fashioned Hollywood chase and fight scenes. There is even a degree of deception and conspiracy mixed in, to spice up the story line. The plot is full of social engineering lessons, that even those with little knowledge of high technology can learn a thing or two.

While the actual high technology bank heist turns out to be nothing more than a simple stealing of account numbers and a transfer of $10,000 from 10,000 high net worth customers, the movie title is a ploy. In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from other locations on the other side of the globe.

Those attackers, using new and increasingly sophisticated strategies, are consistently giving financial institutions new challenges to secure their real assets: binary code.

In early 2005, a criminal gang with advanced hacking skills had tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft via key logging software installed on banks' computers has been circulating in security circles since late last year, after warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every key stroke made on a computer.

In this case, and even in the movie, the "Insider" is a 99.9% chance. A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur. The people who work inside the institution are far more likely to be the real source of your crime than the skilled hacker using key logging software. More and more, the real way to mitigate these potential risks is through behavior profiles and analysis.

The human element, which relates to awareness, can't be ignored any longer. And this can only be changed through education, training, and testing of employees. An organization that procures technology worth millions is naive if it doesn't invest in educating its employees to make the investment worthwhile.

Sometimes the human element stands alone. Awareness, detection and determination of threat, deployment, taking action and alertness are key ingredients for security.

Predictive Profiling comes into play as organizations recognize that detecting threats starts long before the firewall is compromised, falsified accounts established and bribes taken.

The Israeli Airline El Al has known for a long time the power of the "Human Factor" as a force in security. An empowered, trained and aware group of people, will contribute to the layered framework as a force multiplier that is unequaled, by any other technology investment.

Firewall The Movie, was a wake-up call for those institutions who still have not given their employees more of the skills and tools, for detecting human threats long before any real losses occur.

06 October 2018

National Security: Cyber Infrastructure Risk...

Is your organization a threat to National Security? That depends on whether you own, install, and maintain Critical Infrastructure. When you hear that term, "Critical Infrastructure" what comes instantly to mind? A bridge, a road or some other shovel ready project?

Yes, the hard leap for many to get their head around is that your cell phone, TV and Internet connection are vital "Critical Infrastructure" and if you are a Verizon, AT&T, Sprint or large cable company in the United States; National Security is a top of mind issue.

Is it possible that our country is at risk because of the same "Risk Management" paradigm that has plagued the Financial Services industry? A lack of resources and focus to deter, detect, defend and document risks to our critical infrastructure, could turn into a systemic and interdependent threat to our national security.

How can you make the case for a 2008 era economic meltdown in the financial services sector, to be similar to the potential failure of the Communications, Information Technology, Water or Energy sector?

It's easy. Look at human behavior and to the motivators of greed, selfishness and just plain blindness to a "risk bubble" just waiting to burst. Who will be the next Bear Stearns, in the Communications Sector?

The truth is that some Fortune 500 companies' marketing departments may have a larger budget than the information systems, internal audit and security departments combined. When the nuts and bolts, concrete and plumbing associated with electronic commerce, banking, and just plain mobile communications come to a slow crawl or halt in their tracks, the government will have to do the same thing all over again.

Bail out or restore the industry and the companies, who are the lifeblood of our Critical Infrastructure.

Our National Security is at stake and the owners and operators are still waiting for the right incentives to invest in robust maintenance and security programs, instead of just more marketing. After all, market share is what shareholders ask about, along with how many new subscribers you won or lost last quarter.

How often do we hear the question at the shareholders meeting, that asks about the amount of downtime, failed systems or customers without service, as a result of a "Glitch" or fried circuit board?

So how does the electronic critical infrastructure really impact National Security?  The Department of Homeland Security (DHS) has the lead.  The mission is to lead the national effort to secure Critical Infrastructure from all hazards by managing risk and enhancing resilience through collaboration with the critical infrastructure community.

"The Office of Infrastructure Protection (IP) leads and coordinates national programs and policies on critical infrastructure security and resilience and has established strong partnerships across government and the private sector. The office conducts and facilitates vulnerability and consequence assessments to help critical infrastructure owners and operators and State, local, tribal, and territorial partners understand and address risks to critical infrastructure. IP provides information on emerging threats and hazards so that appropriate actions can be taken. The office also offers tools and training to partners to help them manage the risks to their assets, systems, and networks."

A culture of risk management is slowly moving its way into the Board Room conversations, and the CEO may be on notice if the "Tone at the Top" is not focused on Enterprise Business Resilience. However, that "Tone at the Top" needs to go beyond the shareholder value conversation to the National Security topic.

One only has to look further in a few places on the "Net," to better understand what the offensive cyberwarfare conversation is all about, as the Advanced Persistent Threat (APT) has evolved in the past few years.

Once you understand that many cyber incidents with our U.S. Critical Infrastructure are just a test, then you will realize that U.S. shovel ready projects need a new public service announcement (PSA), with a shock value of texting while driving.

The risk of a specific kind of behavior on the road or the critical infrastructure complacency within the corporate enterprise, can have the same results. We have already nationalized the likes of AIG, Freddie Mac and Fannie Mae after the last financial crisis.

Perhaps it is time to do the same for Amazon, Verizon, AT&T, Sprint and others, who are vital assets in our National Security, and have them report directly to the Pentagon...think about it.

06 May 2018

IO Convergence: Cyber Warfare Unified Taxonomy...

Information Operations (IO) is an Operational Risk Management priority in both the public and private sector these days. Is it lawful for a U.S. company and U.S. citizens to train and perform cyber warfare activities on behalf of a foreign country?

Flashback to 2012, The Washington Post reports:

By Ellen Nakashima, Published: November 22
"In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center. He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.

Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state.

That was when J. Michael McConnell, then a Senior Vice-President at Booz Allen and former Director of National Intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.

“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it.”

A common taxonomy was developed years ago for the cyber terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say Information Operations policy as it pertains to the digital world.

As an example, in the context of the digital attacker we have Sandia Labs Taxonomy:
  • Hacker
  • Spies
  • Terrorists
  • Corporate Raiders
  • Professional Criminals
  • Vandals
  • Voyeurs
Each is unique and has its own domain or category. We are sure that the same could be used for attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the offline domain may not be synonymous with its use in the online domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:
  • Attackers
  • Tool
  • Vulnerability
  • Action
  • Target
  • Unauthorized Results
  • Objectives
Unless the context under each category is combined, an "Incident" loses the meaning the taxonomy is meant to give it. We need to make sure that the anti-terrorism taxonomies of the offline and online domains can be used together to describe the attributes of an "Incident". We also need to break down the sub-categories. For instance, in the Sandia Labs Taxonomy the Objectives category has:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
When we move to the offline domain and are doing risk mitigation and preparedness exercises for anti-terrorism, we use another set of words to describe and evaluate infrastructure threats and hazards. Here are five factors:
  • Existence addresses the question of who is hostile to the assets of concern?
  • Capability addresses the question of what weapons have been used in carrying out past attacks?
  • History addresses the question of what has the potential threat element (aggressor) done in the past and how many times?
  • Intention addresses the question of what does the potential threat element hope to achieve?
  • Targeting addresses the question of do we know if an aggressor is performing surveillance on our assets?
Two years later, the Washington Post reports:

By Ellen Nakashima, Published: November 14
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.

Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.

The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
We believe that as our cultures, countries, agencies and professionals work together on Information Operations (IO) and online counter-terrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for clear and accurate risk management methodologies and incident management systems, developed by the relevant organizations in mutual collaboration.

Once we have accomplished this fundamental understanding, then true Critical Infrastructure Protection (CIP) cooperation and coordination will occur.

17 December 2017

2018: The Speed of Operational Risk...

As we begin to look into the rear view mirror these last few weeks of 2017 and scan the horizon of 2018, Operational Risks are ever more present.

Whether you are the leader of a global organization or the sole breadwinner of a single-parent household, the management of risk is a daily priority.  Even getting enough sleep is a risk to health and well-being.

So what are you going to do about 2018 and managing risk in your life? Your company. Your nation. Operational Risk Management is a discipline that can be mastered and those who will excel in the next few years understand what is at stake. Unfortunately, many people and organizations will not have the wisdom, experience or resources to survive the onslaught of new threats and to mitigate existing vulnerabilities.
"Achieving a substantial level of competence and resilience in Operational Risk Management takes decades of experience in seeing the mistakes. Witnessing the tragedy. Feeling the successful outcomes of a solid process for sense making. Using information in ways that we never dreamed about. Turning speed into your greatest ally."
Your ability to thrive in 2018 and beyond will rest with your leadership and the ability to adapt. Yet even beyond this fundamental reality is the continuous discipline to effectively accept more risks. The organizations and those individuals who rise to the 2% or even 1%, took more risks than you did. The question is, why?

Accepting a risk means that you have to think through the real potential outcomes. Both positive and negative. And you have to make the decision to accept each risk action at light speed. Otherwise, it is too late.

This is not a game of spending too much time trying to figure out odds and percentages.  It is a professional decision to act, while not knowing the exact future outcome. What you do know, is the clear result of a positive outcome and even more importantly, you know the result of a negative outcome.

Can you live with either outcome? If the answer is yes, then you should consider yourself a true Operational Risk Professional. Now make the decisions faster, before someone else makes them for you...

The cyber offensive against ISIS, an acronym for the Islamic State, was a first and included the creation of a unit named Joint Task Force Ares. It focused on destroying or disrupting computer networks used by the militant group to recruit fighters and communicate inside the organization. Such offensive weapons are more commonly associated with U.S. intelligence agencies, but they were brought into the open in 2016...
--Dan Lamothe, Washington Post

We wish you an abundance of new and rapid Operational Risk decisions in 2018!

22 April 2017

Go Fast or Go Far: Professionals of Operational Risk...

As the sun sets less than a mile from the Pacific Ocean, dozens of security researchers from across Los Angeles are converging on this modern technology office park.  The meeting presentation this evening will be focused on unveiling vulnerabilities within one of sixteen U.S. Critical Infrastructures.  Why?

Operational Risk Management (ORM) is a discipline that is a dynamic matrix of columns and rows: the architecture and intersections of your entire enterprise, and the places and ways that the organization is exposed to potential failures of people, processes, systems or other external events.

Think about how many people you have working with you, the number of locations they work and travel, the number of technology devices running software to compute algorithm operations to enable your particular mission.  Think about all the potential ways that adverse weather and natural disasters or the simple loss of electrical power or communications in a few square blocks of your city, will impact you today.

Security researchers are also converging into a conference room somewhere in your organization this week, to discuss and show evidence of your organization's vulnerabilities today.  They might be experts in "Ruby on Rails" or how to optimize "SecDevOps".

They might be experts in counterintelligence or the detection of rogue/activist human behavior by analyzing open source social media.  They might be experts in using offensive tools, operating armored vehicles and flying aircraft into hostile environments.  Among them are also your legal experts in privacy and regulatory compliance.

Why these individual professionals are working 24x7 to expose, document and provide evidence of your vulnerabilities is complex.  Yet you should know, that they are doing it because they understand that your adversaries are also hard at work, to do the same.  Is it a competitor or a nation state?  Is it a disgruntled employee or an external extremist?  Is it the next tornado, hurricane or earthquake?  The landscape is vast and is continuously changing by the minute.

As an executive within your organization, when was the last time you devoted an hour, or even two, to locking yourself in the same room with your Operational Risk professionals?  To see what they are working on to Deter, Detect, Defend and Document all that is happening in their environment today?

What if you took that hour to turn off your busy executive life?  What might you learn?
You might learn that your organization is being attacked every day by "Spear Phishing" experts from the other side of the globe.  More importantly, the source of the attacks is an organized cadre of criminal experts in social engineering and SQL injection.

You might learn that one of your employees has set up a Twitter account with an anonymous user name and identity.  The daily "Tweets" are telegraphing your corporate strategy to your competitors or leaking proprietary, internally protected information about rogue co-workers' behavior.

You might learn that the Commercial-Off-The-Shelf (COTS) sensor you utilize within your flagship transportation vehicle, is being exploited by a highly trained clandestine military unit from another country.

You might learn that a key manufacturing location is about to be surrounded by environmental activists who are planning to camp out on your entrance until their demands are met.
So what?

The question is necessary to get to the bottom line.  It helps to define the purpose for why you have these resources working with you: the reason they are working 24x7 to keep you and your organization more aware and resilient, and why they converge on a conference room in Los Angeles after working all day, to learn about new vulnerabilities.

Take the time this week to meet with them.  Ask them the question.  Listen to their answers.  You might be surprised at what you hear.  You will probably learn something new.  Work with them to improve the Operational Risk Management (ORM) capabilities and functions within the enterprise.

"If you want to Go Fast go alone.  If you want to Go Far, go together".
--African Proverb

30 July 2016

POTUS 45: The Future of Information Warfare...

The spectrum of asymmetric warfare being waged across the globe has been accelerating for over a decade.  The physical realm has now migrated to an environment of "zeros and ones" traveling at the speed of light.  Operational Risk Management (ORM) remains a significant factor for Senior Leadership in government and the private sector.

Information collection, deception, attribution and mutual response are consuming our airwaves and IP addresses like a digital tsunami.  Wikileaks vs. Edward Snowden is a battle for digital privacy branding and a communications platform for the evidence of the truth.

The average world citizen is now reading content and consuming video by the petabyte, to satisfy their particular knowledge appetite.  The personal or nation state requirements of the continuous search for the truth, or perseverating on a single target to achieve a mission, is now the state of play.

As the United States pursues the election of its 45th President, the digital trust of our electoral systems and historical decision process are currently at stake.  Data provenance is at the center of legal and national security policy discussions.  "Trust Decisions" are ever more in our minds and simultaneously at the center of our democratic way of life.
Gawker publishing opposition research.  APT29 malware?  Guccifer2 account by a lone individual? Any similar attributes between the U.S. DNC malware servers and the German Bundestag malware servers?
The speed and sophistication of nation state plots or non-state actors will continue to feed the novels of people such as John le Carré and movie screenplays yet to be written.  Yet what is now over the horizon for humanity and our future lies in the innovation and current capability of Artificial Intelligence (AI):
Rob McHenry: Public-funded research has always pushed the state-of-the-art in advanced autonomy, which then drives commercial AI. I think many people would be surprised by the advanced capabilities that autonomous systems for defense are already demonstrating – capabilities that many might guess wouldn’t be achievable for many years.

For example, DARPA and the Navy are testing at sea today an autonomous ship that is designed to go “toe-to-toe” against a human adversary in the wild during complex unconstrained military operations. The ACTUV (Anti-submarine warfare Continuous Trail Unmanned Vessel) program has delivered an unmanned ship that can not only comply with the complex Rules of the Road in the open ocean, but simultaneously track and harass a manned submarine, keeping a step ahead of a highly trained human submarine captain. This is an example of AI that can understand humans, in both competitive and supportive roles.
As the U.S. Navy and others pursue the asymmetric battlefield across the oceans, we can only hope the human factor remains the man-in-the-middle.  Artificial Intelligence may very well be good at searching, collecting and manipulating data, yet it is still the human behind the intent.

In essence, humans remain the architects of the design, coding and the implementation of the programs, weapons and capabilities.  Where is the trail of evidence leading and where is the response?

Achieving digital trust and the future integrity of our global "TrustDecisions" will remain a tremendous challenge for the governments and private sectors that establish our critical infrastructure.

You can be certain that the response will be calculated and the attribution will be thorough, even as new classified information is involved in the analysis.

26 June 2016

Resilience 3.0: Next Generation Operational Risks...

Operational Risks are being exacerbated by the tension and competition for people to be noticed and heard within a vast ocean of zeros and ones, all invisible to the human eye.  Trusted systems on the Internet, once thought to be impervious to the asymmetric threats of "Transnational Organized Crime" (TOC), Hacktivists and even nation states, are now ever more in peril.  The next generation has four main fronts:
  • Sovereignty
  • Piracy and Intellectual Property
  • Privacy
  • Security
The global conflict being waged 24/7/365 on the Internet continues and in the next decade the Yottabytes of data will continue to be ingested, analyzed, digested and excreted at the speed of business and social commentary.  The United Nations has been gearing up for years with the UN Global Pulse Project concerning the future of the Internet:

"Global Pulse functions as a network of innovation labs where research on Big Data for Development is conceived and coordinated. Global Pulse partners with experts from UN agencies, governments, academia, and the private sector to research, develop, and mainstream approaches for applying real-time digital data to 21st century development challenges. "

As Michael Joseph Gross illustrates in his Vanity Fair article "World War 3.0", battle lines have been drawn between repressive regimes and Western democracies, corporations and customers, hackers and law enforcement:
"The War for the Internet was inevitable—a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers and scientists who knew one another off-line, the Internet was established on a bedrock of trust: trust that people were who they said they were, and trust that information would be handled according to existing social and legal norms. That foundation of trust crumbled as the Internet expanded."
The resilience of an organization has for hundreds and thousands of years relied upon sufficient resources:  Food, water, energy, capital, trade, defense.  Communications was long ago recognized as a game changer for achieving a greater degree of resilience and historically made the difference in World Wars and other significant planetary conflicts.

Today it is no different as the Arab Spring has seen another anniversary and people leverage the use of silicon based devices in concert with wireless mesh networks on the borders of failing nation states.

Humanitarian operations are evolving to go far beyond the standard platforms for responding to natural disasters and other atrocities of mankind.  The ability for people to develop and run their own businesses creates a sustainability factor that cannot be underestimated.  Whether that occurs has first to do with knowledge and resources, but when you add communications to the mix the advantages of survival increase exponentially.

The Internet and wireless technologies, combined with the rapid adoption of IoT devices, iPhones and iPads, have created another key resource that organizations must manage and plan for in the vast spectrum of Operational Risk Management (ORM).  As the governments of the world debate the sovereignty of Internet assets and the rebels of the world order more wireless-enabled devices for communications, the requirements for prudent risk management endure.

Whether you are a private sector company or the leader of an organization simply trying to communicate the truth to the rest of the world, managing Operational Risks effectively will be a continuous factor of your resilience.

The ranks of those organizing themselves on the Internet continue to grow, for every instance of what people are thinking, saying and doing in the name of communications to enable their resilience:
"Aside from wealth or arcane knowledge, the only other guarantor of security will be isolation.  Some people will pioneer new ways of life that minimize their involvement online.  Still others will opt out altogether—to find or create a little corner of the planet where the Internet does not reach.  Depending on how things go, that little corner could become a very crowded place.  And you’d be surprised at how many of the best informed people about the Internet have already started preparing for the trip."

03 April 2016

Fifth Discipline: The Evolution of Digital Intelligence...

"Learning organizations themselves may be a form of leverage on the complex system of human endeavors.  Building learning organizations involves developing people who learn to see as systems thinkers see, who develop their own personal mastery, and who learn how to surface and restructure mental models, collaboratively.  Given the influence of organizations in today's world, this may be one of the most powerful steps towards helping us "rewrite the code," altering not just what we think but our predominant ways of thinking.  In this sense, learning organizations may be a tool not just for evolution of organizations, but for the evolution of intelligence."
--Peter M. Senge, The Fifth Discipline, 1990

Many senior executives and a cadre of experienced Ops Risk professionals who are waking up across the globe today keep this textbook within arm's reach.  Why?  All 413 pages of wisdom and knowledge transfer are applicable this moment, even though it was written and practiced several years before the commercial Internet was born.

Our respective cadre of "Intelligence Analysts" spans the organization continuously seeking the truth, analyzing the growing mosaic, applying new context and taking relevant actions.

In an environment now vastly more virtual, far beyond the paper pages of Senge's book, lies the contemporary intelligence of "IBM's Watson."  At the fingertips of Dragos operators or the Palantir Forward Deployed Engineer, we have new insights almost in real-time.

The "Learning Organizations" are no longer in a traditional hierarchy.  They are flat, agile and capable of tremendous autonomy at light speed.

So what is the opportunity now?  How can we potentially move towards more collaborative systems thinking and "rewrite the code" even in the 2nd decade of the 21st century?  It starts with rewriting the new digital code.

It continues as we reengineer our "Learning Organizations" for a digital environment that operates 24 x 7 and is ever more fragile, precisely because trust is so inherent to it.  We can still create and deploy systems thinkers to question the truth and learn from the speed and capabilities of our new intelligent machines.

Peter Senge outlines five learning disciplines in his book on three levels:
  • Practices:  What you do
  • Principles:  Guiding ideas and insights
  • Essences:  The state of being of those with high levels of mastery in the discipline
The five disciplines are:
  • Systems Thinking
  • Personal Mastery
  • Mental Models
  • Building Shared Vision
  • Team Learning
The enterprise architecture for our modern day learning organization is in its infancy.  You see, the technologies and the software have outpaced our human ability to apply them effectively with the five disciplines.  One of our continued vulnerabilities is ignorance of information governance as it pertains to the truth of data provenance, and of how, as humans, we apply the disciplines of learning in our digital organizations.

Our organizations are a "plume of digital exhaust" that is invisible to many and crystal clear to some.  As you begin to capture and document the digital footprint of today's knowledge worker, the trail is long and deep.  Even shadow planners, logistics experts and operators cannot escape the digital encounters they have each day.  However, the apparent threat is that they will continuously become more aware and more disciplined.

The art and practice of gaining and preserving "Digital Trust" is at stake for all of us.  The vast and consistent application of understanding "trust decisions" in our digital lives, will forever provide us new found challenges and new discoveries.  How we consistently apply our digital disciplines going forward, will make all of the difference in our prosperity or our future peril.  How we reengineer our learning organizations for 2025 and beyond, is now at our doorstep.
Today, privacy, information security, cyber defenses—all revolve around the same target: achieving trust to sustain electronic commerce and create new wealth. Digital trust is not only required; achieving digital trust will prove to be the competitive differential for the winners of the next generation.  --Jeffrey Ritter
Think about your digital footprints as you interact, communicate, travel and read the news today.  Activity-based Intelligence (ABI) is a business and you are the product.  The question is, how can you and your learning organization move from the "Fifth Discipline" to the next one?

What cognitive strategies and new disciplines will you and your organization deploy this year to attain new levels of prosperity and insight?

The journey will be long and the opportunities will be explored.  It's time that more learning organizations start the reengineering with the right tools and talent.  Yes, this is the next evolution of intelligence...

30 August 2015

CAG 20: Red Team Exercises...

The Consensus Audit Guidelines (CAG) have been public for years and the 20 controls are vital to our enterprise business resilience. One stands out however that is not automated and requires a specific advance Operational Risk Management (ORM) strategy. CAG: Critical Control 20: Red Team Exercises:
Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercises in the traditional sense of military exercises, where the three goals are improved readiness of the organization, better training for defensive practitioners, as well as inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.
We would like to emphasize the importance of this strategy execution beyond the IT and Information Systems within the organization. In any significant business disruption or "incident", whether it be the breach and theft of a database full of "Personal Identity Information" (PII) or the breach of a rear window of a corporate executive's residence to initiate a kidnapping plot, the goal remains the same:
"Attackers use tools to exploit a vulnerability; to create an action on a target, that produces an unauthorized result to obtain their objective."
Think about it for a minute. Whether it be the online digital world or the offline physical environment your organization is operating in today, someone is probing and testing your vulnerabilities. The only possible way for you to discover them before your adversary is to continuously attack your own business and its assets. And possibly most importantly, it must be done on a clandestine basis:
clandestine from L. clandestinus "secret, hidden," from clam "secretly," from base of celare "to hide"
What value can be gained from exercises or testing that is conducted with advance warning to your staff or team? Very little. To execute the "Red Cell" approach to effectively improve and increase the resilience of your organization, the strategy execution must remain secret. Yes, of course there will be people placed throughout the organization, in key areas, who know that the attack on the organization is a planned exercise. However, that is only for safety and liability purposes, along with the potential injection of simulations that increase the effectiveness of the vulnerability testing.
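The sentence quoted above chains the seven Sandia Labs categories that the IO Convergence post above lists (Attackers, Tool, Vulnerability, Action, Target, Unauthorized Results, Objectives), and that post argues the same record should also answer the five offline threat factors (Existence, Capability, History, Intention, Targeting). The following is an added example, not code from this blog or from Sandia Labs, that records incidents in those seven categories, renders the quoted sentence from each record, and rolls a set of records up into the five factors for one asset. Only the Attackers and Objectives sub-values come from the post; the remaining categories are accepted as free text because the post does not list their sub-values, and the choice of which actions count as surveillance for the Targeting factor is an assumption of the example. All sample records are constructed.

```python
"""
Added example (not code from the blog or from Sandia Labs): record an incident
in the seven Sandia Labs categories and summarise a set of incidents with the
five offline threat factors, so both vocabularies describe the same event.
Only the Attackers and Objectives sub-values come from the post; the other
categories are accepted as free text because the post does not list theirs.
"""
from collections import Counter
from dataclasses import dataclass

# Sub-values the post lists for two of the seven categories.
ATTACKERS = frozenset({"Hacker", "Spies", "Terrorists", "Corporate Raiders",
                       "Professional Criminals", "Vandals", "Voyeurs"})
OBJECTIVES = frozenset({"Challenge, Status, Thrill", "Political Gain",
                        "Financial Gain", "Damage"})
# Actions this example treats as surveillance for the "Targeting" factor;
# an assumption of the example, since the post does not list Action sub-values.
RECON_ACTIONS = frozenset({"probe", "scan"})

FREE_TEXT = ("tool", "vulnerability", "action", "target", "unauthorized_result")


@dataclass(frozen=True)
class Incident:
    """One incident, one field per Sandia Labs category."""
    attacker: str
    tool: str
    vulnerability: str
    action: str
    target: str
    unauthorized_result: str
    objective: str

    def __post_init__(self):
        if self.attacker not in ATTACKERS:
            raise ValueError(f"unknown attacker category: {self.attacker!r}")
        if self.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective: {self.objective!r}")
        for name in FREE_TEXT:
            if not getattr(self, name).strip():
                raise ValueError(f"{name} must not be empty")

    def describe(self) -> str:
        """Chain the categories into the sentence the CAG 20 post quotes."""
        return (f"{self.attacker} use {self.tool} to exploit a "
                f"{self.vulnerability} vulnerability; to {self.action} "
                f"{self.target}, which produces {self.unauthorized_result} "
                f"to obtain {self.objective}.")


def threat_factors(asset, incidents):
    """Answer the five offline factors for one asset from online records."""
    hits = [i for i in incidents if i.target == asset]
    history = Counter(i.attacker for i in hits)
    return {
        "Existence": sorted(history),                      # who is hostile?
        "Capability": sorted({i.tool for i in hits}),      # what was used?
        "History": dict(history),                          # how many times?
        "Intention": sorted({i.objective for i in hits}),  # what do they want?
        "Targeting": any(i.action in RECON_ACTIONS for i in hits),  # surveillance?
    }


# Constructed sample records for fictional assets.
SAMPLE = [
    Incident("Professional Criminals", "a phishing toolkit", "configuration",
             "spoof", "the payroll portal", "disclosure of credentials",
             "Financial Gain"),
    Incident("Professional Criminals", "a script", "implementation", "scan",
             "the payroll portal", "a list of exposed services",
             "Financial Gain"),
    Incident("Vandals", "a distributed tool", "design", "flood",
             "the public web site", "denial of service", "Damage"),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.describe())
    print(threat_factors("the payroll portal", SAMPLE))
```

Validating the two enumerated categories at construction time is what keeps the record a taxonomy rather than free-form notes: two analysts cannot file the same actor as "Hacker" and "Hackers". The roll-up shows the point of the IO Convergence post in practice, since a physical-security assessor reading the five factors never needs to see the cyber vocabulary that produced them.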

The CAG has 20 controls that are focused on Cyber Defense and many of these will require manual intervention, planning and effective oversight. Automated tools can only go so far, to address the real goal of understanding human behavior during and after a "Real Incident" actually unfolds. In the context of using a Red Team exercise, you must include the use of Gavin De Becker's "Elements of Prediction" with your employees and stakeholders:
1. Measurability - How measurable is the outcome you seek to predict?
2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?
3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?
4. Context - Is the context of the situation clear to the person making the prediction?
5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?
6. Experience - Does the person making the prediction have experience with the specific topic involved?
7. Comparable Events - Can you study or consider outcomes that are comparable- though not necessarily identical- to the one being predicted?
8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?
9. Investment - To what degree is the person making the prediction invested in the outcome?
10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?
11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This is how and where you extend your physical controls to the actual people, who will make the difference before and during a critical incident in your enterprise.  Revisit the Consensus Audit Guidelines (CAG) for your enterprise.  It just might help you find that one place where the continuity of the business is at risk after a significant disruption or the one threat that still is hiding in the shadows.

09 August 2015

Leadership: Adaptive Risk for an Uncertain Future...

As the political season in the U.S. starts earlier and earlier each four year cycle, the question remains consistent from the rest of the world.  Will America lead the Cyber cold war in the next four years?  Operational Risk Management (ORM) is a necessary and vital component of any mission or project, from the Situation Room, inside your company, on the flight deck or on the front lines of conflict torn regions of the Sahel.

Transnational Organized Crime (TOC) and their proxies are constantly waging new malware campaigns on our global economic and intellectual property ecosystems, utilizing sophisticated new toolkits.  There are three key attributes to modern day "Threat Intelligence" and Eric Olson from Cyveillance explains:

1. Relevance – The information must relate to, or at least potentially relate to, your enterprise, industry, networks, and/or objectives

2. Actionable – It must be specific enough to prompt some response, change, action or decision, or to dictate an explicit and informed decision not to act

3. Value – Even if relevant and actionable, if the data (and the action) does not contribute to any useful business outcome, there is no value

When threat activity, known actors, historical tactics, or attack information can be combined with vulnerabilities, activity data, or other particulars present in your network and environment, then the information becomes relevant, actionable intelligence.
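The three attributes above are tests applied in order, and the paragraph says exactly what each is joined against: relevance against what is installed or who is targeted, actionability against whether the report prescribes something specific, and value against whether acting would still change a business outcome. The following is an added example, not code from this blog or from Cyveillance, that runs a constructed threat feed through those three tests against a constructed asset inventory; all product names, industries and feed entries are invented for the illustration.

```python
"""
Added example (not code from the blog or from Cyveillance): test each item
in a threat feed for relevance, actionability and value by joining it with
an asset inventory. All product names, industries and feed entries are
constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ThreatItem:
    item_id: str
    affected_products: frozenset    # "product:version" strings the report names
    targeted_industries: frozenset  # sectors the actor is reported to pursue
    mitigation: Optional[str]       # concrete step the report prescribes, or None


@dataclass(frozen=True)
class Environment:
    industry: str
    installed: frozenset            # "product:version" strings from the inventory
    applied_mitigations: frozenset  # steps already completed


def assess(item, env):
    """Apply the three tests in order; each later test presupposes the earlier."""
    # Relevance: the report touches something we run, or someone like us.
    relevant = (bool(item.affected_products & env.installed)
                or env.industry in item.targeted_industries)
    # Actionable: specific enough to prescribe a response (or a deliberate no-op).
    actionable = relevant and item.mitigation is not None
    # Value: acting must still change a business outcome; if the step is
    # already done, the item is confirmation, not intelligence.
    valuable = actionable and item.mitigation not in env.applied_mitigations
    return {"relevant": relevant, "actionable": actionable, "valuable": valuable,
            "verdict": "intelligence" if valuable else "information"}


def triage(feed, env):
    """Ids of the feed items that pass all three tests, in feed order."""
    return [i.item_id for i in feed if assess(i, env)["valuable"]]


# Constructed environment and feed.
ENV = Environment(
    industry="retail",
    installed=frozenset({"shopcart:4.2", "mailgw:1.9"}),
    applied_mitigations=frozenset({"upgrade mailgw to 2.0"}),
)

FEED = [
    ThreatItem("T-1", frozenset({"shopcart:4.2"}), frozenset({"retail"}),
               "disable the legacy checkout API"),               # passes all three
    ThreatItem("T-2", frozenset({"mailgw:1.9"}), frozenset(),
               "upgrade mailgw to 2.0"),                         # relevant, already done
    ThreatItem("T-3", frozenset(), frozenset({"retail"}), None),  # relevant, but vague
    ThreatItem("T-4", frozenset({"scada-hmi:7"}), frozenset({"energy"}),
               "isolate the HMI network"),                       # not relevant
]

if __name__ == "__main__":
    for item in FEED:
        print(item.item_id, assess(item, ENV))
    print("act on:", triage(FEED, ENV))
```

The ordering matters: T-2 is both relevant and actionable yet carries no value because the prescribed step is already in the inventory of completed mitigations, and T-3 is relevant to the sector but prescribes nothing, so it can prompt neither a response nor an informed decision not to act. Only T-1 survives all three tests and deserves analyst time.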

As a leader in the private sector the waves of globalization and regulatory mandates keep you striving for the entrepreneurial spirit, yet constantly constrained by new rule-sets and compliance initiatives.  Mitigating risks to the enterprise requires leadership that can span the visions of an environment with creativity and simultaneously the spirit of autonomy.  Modern day risk management is not only a leadership challenge, it is also a cultural challenge.  How do I get my people to think like a true entrepreneur and simultaneously provide them with the skills and knowledge they will need to survive in a hostile environment?
  • First off, you have no doubt heard somewhere along the way that High Performing Teams are the way to accomplish new fixes to software code or even to ensure the last mile of due diligence to get the leveraged buy-out to become a reality.  These High Performing Teams must be diverse and they need to have the time to cross-train each other in the specific skill sets necessary to fulfill the desired outcomes.  If one person comes down with the flu or worse, you may be the one who has to fill in and pick up the slack.
  • Second, the cultural mindset shift must take place to becoming continuously adaptive.  Being adaptive means that you have to be able to incorporate both readiness and resilience in the same effort.  Making rapid decisions without time for formal planning is foreign to some on the team.  You have got to get everyone to be as adaptive as the designated leader, because they will not always be there to tell you or show you what to do next.
  • Finally, leadership decisions on the floor of the exchange, in the EOC or sitting across the table from your newest prospective client mean that you have got to practice.  This capability calls for you to continuously train and experience the emotions and see the results of your actions.  Good and bad.  These skills are perishable and require a tremendous investment in time and resources to make sure that the risks of failure are mitigated almost to zero.
What are you willing and able to do, to lead America in 2015 and beyond?  Think service before self-interest and you will be leading beyond the risks of an uncertain future for yourself and our country.

12 July 2015

Data Rupture: The Risk of Over-Classification...

As a result of the latest "data rupture" at the U.S. Office of Personnel Management (OPM), there are several Operational Risk factors.  The issue that most people are focused on is a lack of proper information security controls, or antiquated technologies that have not kept up with the speed of the modern day asymmetric threat.

However, this is not the primary problem that needs to be resolved.  The problem definition has been discussed in the wings of government for many years.  The root of the discussion is really a personnel hiring process combined with a human resource function.  The next level of the debate has to do with the classification of information: the process by which certain types and kinds of information are classified at different levels of sensitivity.

Private sector vetting of a prospective employee is very similar to government vetting of an employee (or contractor) for non-executive personnel at the "Secret" level of classification.  You could leap to the analogy that once you move to an executive level in the private sector, you may be vetted more thoroughly, including more extensive looks into references, interviews with others and a deep dive into financial affairs.  This is more in line with the "Top Secret" level clearance in the government.

Call it a “data rupture”: Hack hitting OPM affects 21.5 million
Highly personal data from background clearances are a data bonanza to spies.

by Dan Goodin - Jul 9, 2015 6:10pm EDT

Last year's massive hack of the US Office of Personnel Management's security clearance system affected 21.5 million people, including 1.8 million people who didn't apply for a background investigation, officials said Thursday, making it official the breach was the worst in US government history.

The new figure includes most, if not all, of the 4.2 million people the agency previously said were exposed in a separate breach of personnel files. The much larger number resulted from the hack in June or July of last year on the system used to conduct background checks on contractors and other private sector employees, as well as federal workers. Some 1.1 million of the stolen records included applicants' fingerprints. Background checks for people applying with the Central Intelligence Agency weren't affected because that agency conducts its own security clearance investigations.

The tagging of information at the point of creation, inside the walls of the private enterprise or government, is the key problem set.  Then deciding who needs this information to do their job, and why, is the secondary factor.  We all need information to do our assigned jobs and tasks.  When information is tagged as "For Official Use Only", "Confidential", "Secret" or "Top Secret" in the government, there is a reason.  The Classification system:
The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic.[1] Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.[2]
The desired degree of secrecy about such information is known as its sensitivity. Sensitivity is based upon a calculation of the damage to national security that the release of the information would cause. The United States has three levels of classification: Confidential, Secret, and Top Secret. Each level of classification indicates an increasing degree of sensitivity. Thus, if one holds a Top Secret security clearance, one is allowed to handle information up to the level of Top Secret, including Secret and Confidential information. If one holds a Secret clearance, one may not then handle Top Secret information, but may handle Secret and Confidential classified information.
When you work as an employee of a private company, there is a documented personnel hiring process.  The early part of the process in some cases is outsourced to recruiting agencies, just as the government uses contractors to process many of its background investigations.  In both cases, the reason is evident.  Does this person being considered for employment pose a risk to the enterprise?

The purpose of the discussion now is to look at the information.  The tagging of information at its origin, whether in the private sector or government.  Who decides what sensitivity to put on the document, picture, video, spreadsheet, text, audio or other data element?  How do you restrict viewing, reading or listening to the information to only those people with the correct level of security clearance? (Access Controls)  Certainly the salary levels of all employees inside a private sector company are sensitive, and only certain people have the authority and need to see this information.  The assurance of information is critical:  Confidentiality, Integrity and Availability.  No different in the government.  So what is the common thread?
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).[1]
The failure at OPM is complex and no different than the complexity of the data breach failure at Target Corporation.  Both incidents were and are the basis for case studies in Information Security classes at the academic level.  Each has idiosyncrasies, in terms of the actual data breach methodologies and the tools used by adversaries.  So what?

One has to question the need for so many people to have "Top Secret" security clearances in the government.  When you look at the numbers it is staggering.  It almost seems that the process for hiring good people in the government made it a requirement that someone have the ability to obtain a "Top Secret" clearance, even though the likelihood that this person would ever be exposed to or asked to review "Top Secret" information was low.  The failure is that so many people were required to obtain Top Secret clearances when it was not really a factor for the job they were doing or would ever do.

Now that the "Chinese hackers" (the so called suspects) have our SSN, DOB, previous addresses, (same for family members), financial and other references in their database, time will only tell what individuals will be targeted and for what.  So for those "Chinese hackers," here is a news flash:

"NOT ALL THE PEOPLE WITH GOVERNMENT TOP SECRET CLEARANCES HAVE REVIEWED TOP SECRET INFORMATION"

This is why much of the hiring and background process that is part of the human resources systems is out of sync with the information classification process and with what someone needs to do their particular tasks in the enterprise.  The level of security clearance has unfortunately become a badge of acceptance and of perceived importance.  Just look at the number of "LinkedIn profiles" today where someone openly declares their "particular level of security clearance" with the government.  Why do people do this?
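The clearance-dominance rule quoted above ("if one holds a Secret clearance, one may not then handle Top Secret information") and the access-control question raised earlier can both be written down as a few lines of code, and once they are, the over-classification problem becomes something you can audit rather than argue about. The Python below is an added illustration, not code from OPM, this post or any product. It implements the three levels named in the post plus a compartment (need-to-know) check, then reviews a constructed access log to find accounts whose clearance sits more than a configurable number of levels above anything they were ever permitted to read. The user names, document names and log entries are all constructed.

```python
# Clearance dominance ("no read up") plus a need-to-know check, followed by
# an audit for accounts cleared far above what they actually handle.
# Added example; the levels are the three named in the post, everything
# else (users, documents, compartments, log) is constructed sample data.

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def may_read(clearance, classification,
             compartments_held=frozenset(), compartments_required=frozenset()):
    """True only if the clearance dominates the classification AND the reader
    holds every compartment the document requires. Unknown labels fail closed."""
    if clearance not in LEVELS or classification not in LEVELS:
        raise ValueError("unknown classification label")
    return (LEVELS[clearance] >= LEVELS[classification]
            and compartments_required <= compartments_held)


# --- constructed sample data ---------------------------------------------
USERS = {                     # name -> (clearance, compartments held)
    "alice": ("Top Secret", frozenset({"PROJ-X"})),
    "bob":   ("Top Secret", frozenset()),
    "carol": ("Secret",     frozenset()),
    "dave":  ("Top Secret", frozenset()),   # cleared, never touched anything
}
DOCS = {                      # name -> (classification, compartments required)
    "plan.docx":   ("Top Secret",   frozenset({"PROJ-X"})),
    "budget.xlsx": ("Secret",       frozenset()),
    "memo.txt":    ("Confidential", frozenset()),
}
ACCESS_LOG = [                # (user, document) requests over the review period
    ("alice", "plan.docx"),
    ("bob",   "memo.txt"),
    ("carol", "budget.xlsx"),
    ("carol", "plan.docx"),   # must be denied: Secret does not dominate Top Secret
]


def evaluate_log(users, docs, log):
    """Return {(user, doc): allowed} for every logged request."""
    decisions = {}
    for user, doc in log:
        clearance, held = users[user]
        classification, required = docs[doc]
        decisions[(user, doc)] = may_read(clearance, classification, held, required)
    return decisions


def over_cleared(users, docs, log, gap=1):
    """Users whose clearance exceeds, by more than `gap` levels, the highest
    classification they were actually permitted to read in the period.
    A user with no permitted reads at all is measured against level 0."""
    highest = {u: 0 for u in users}
    for (user, doc), allowed in evaluate_log(users, docs, log).items():
        if allowed:
            highest[user] = max(highest[user], LEVELS[docs[doc][0]])
    return sorted(u for u, (clearance, _) in users.items()
                  if LEVELS[clearance] - highest[u] > gap)


if __name__ == "__main__":
    for (user, doc), ok in evaluate_log(USERS, DOCS, ACCESS_LOG).items():
        print(f"{user:6} {doc:12} {'ALLOW' if ok else 'DENY'}")
    print("over-cleared:", over_cleared(USERS, DOCS, ACCESS_LOG))
```

With this data, carol's request for the Top Secret plan is denied, and the audit names bob and dave: both hold Top Secret clearances, one has only ever read a Confidential memo and the other nothing at all. That gap between clearance held and classification handled is precisely the mismatch between the hiring process and the classification process the post describes, and a periodic report like this is how an enterprise would surface it.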

What is part of the solution to the defined problem set?

1.  Thoroughly address the defined problem of over-classification.

2.  Depends on the success of solving #1.

Operational Risk Management (ORM) is about the risk of loss resulting from inadequate or failed processes, people and systems or from external events.


15 March 2015

Digital RubiCON: The Fifth Domain...

Operational Risk Management (ORM) is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk, have not only expanded, they have become invisible.
Ru·bi·con
1. a river in N Italy flowing E into the Adriatic
2. Rubicon, to take a decisive, irrevocable step
This "Digital Rubicon" before us, to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain, will not be as easy as the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined not only by nation states but by the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk, or the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks-like incidents has everyone on full alert. As the government has outsourced the jobs that would take it too long to execute, or in which the private sector is already the expert, operational risks have begun to soar.

As private sector tasks morph with the requirements of government, you perpetuate the gap for effective risk mitigation and spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you no longer can control it.

The first step in any remediation program is to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.

"Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure.

Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security company’s sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. That’s what Shodan does, but with IP addresses. It’s almost like an automated way to digitally case every joint in the world."
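The practical consequence for a defender is that whatever a crawler like Shodan can see about your address space, you should be seeing first. The Python below is an added example, not code from the article quoted above and not Shodan's own API or data. It takes records in the shape a banner crawl returns, keeps only those inside the organization's own ranges, flags services that policy says must never face the Internet (industrial protocols rated highest), and flags anything else the asset register does not account for. The address ranges, port policy, register entries and crawl records are all constructed, and the address ranges use documentation prefixes.

```python
import ipaddress

# Services that belong behind a VPN or jump host, never directly exposed
# (assumed policy for this example; ICS protocols rate "high").
NEVER_EXPOSE = {
    502:   ("Modbus/TCP", "high"),
    102:   ("Siemens S7", "high"),
    20000: ("DNP3",       "high"),
    3389:  ("RDP",        "medium"),
    445:   ("SMB",        "medium"),
    23:    ("Telnet",     "medium"),
}

# The organization's own public ranges (constructed, documentation prefixes)
OWN_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.0/25")]

# Exposures the asset register says are intended (constructed)
REGISTERED = {("198.51.100.20", 443)}

# Constructed records in the shape a banner crawl returns: ip, port, banner
CRAWL = [
    {"ip": "198.51.100.20", "port": 443,  "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
    {"ip": "198.51.100.44", "port": 502,  "banner": "Modbus unit id 1"},
    {"ip": "203.0.113.9",   "port": 3389, "banner": "Remote Desktop Protocol"},
    {"ip": "198.51.100.80", "port": 8080, "banner": "HTTP/1.1 200 OK\r\nServer: Apache\r\n"},
    {"ip": "203.0.113.200", "port": 23,   "banner": "login:"},          # outside our /25
    {"ip": "192.0.2.5",     "port": 502,  "banner": "Modbus unit id 3"},  # not our range
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def is_ours(ip, ranges=OWN_RANGES):
    """True if the address falls inside one of our own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def triage(records, ranges=OWN_RANGES, policy=NEVER_EXPOSE, registered=REGISTERED):
    """Keep only records inside our ranges; flag prohibited services and any
    exposure the asset register does not know about. Highest severity first."""
    findings = []
    for r in records:
        if not is_ours(r["ip"], ranges):
            continue                      # someone else's problem, not ours to act on
        key = (r["ip"], r["port"])
        if r["port"] in policy:
            name, severity = policy[r["port"]]
            findings.append({"ip": r["ip"], "port": r["port"], "service": name,
                             "severity": severity,
                             "reason": "prohibited service exposed"})
        elif key not in registered:
            findings.append({"ip": r["ip"], "port": r["port"], "service": "unknown",
                             "severity": "low",
                             "reason": "exposure not in asset register"})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["ip"]))


if __name__ == "__main__":
    for f in triage(CRAWL):
        print(f"{f['severity']:6} {f['ip']}:{f['port']} {f['service']} - {f['reason']}")
```

On this data the Modbus listener comes out on top, the exposed RDP service second, and the unregistered web service on 8080 last; the registered nginx on 443 and the two records outside our ranges produce nothing. Feeding your own ranges and your own register into a loop like this, against whatever crawl data you are entitled to pull, is the "case your own joint before someone else does" discipline the quote is pointing at.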