Lying in Wait: Cyber Pearl Harbor...

The Operational Risks associated with the corporate battle against "Conficker" are still a true threat to our cyber infrastructure and maybe more than we could have ever imagined. Is this "Botnet" lying in wait for some future 4th Generation Warfare master plan?

Speaking at an end of year wrap, F-Secure chief research officer, Mikko Hypponen, said 2009 was an exceptional year in IT security.

“We never see huge malware outbreaks anymore — except this year we did,” he said “Conficker peaked with over 10 million infected computers around the world and at the end of 2009 is still in millions of computers.

“This was very advanced malware using several tricks we have never before seen. [It was] a massive botnet not being used by the malware operators for anything useful and we still don’t the real story behind Conficker and that makes it one of the biggest mysteries in the history of malware.”

DHS CyberStorm III is scheduled for September 2010 and will leverage the lessons learned from I and II. What are some of the major "Wake-up Calls" in the CSII Final report:

• Finding 1: Value of Standard Operating Procedures (SOPs) and Established Relationships.
• Finding 2: Physical and Cyber Interdependencies. Cyber events have consequences outside the cyber response community, and non-cyber events can impact cyber functionality.
• Finding 3: Importance of Reliable and Tested Crisis Communication Tools.
• Finding 4: Clarification of Roles and Responsibilities.
• Finding 5: Increased Non-Crisis Interaction.
• Finding 6: Policies and Procedures Critical to Information Flow.
• Finding 7: Public Affairs Influence During Large Scale Cyber Incidents.
• Finding 8: Greater Familiarity with Information Sharing Processes.
• Source: CyberStorm II Final Report - Page 3-4 - July 2009

The Homeland Security Department's third large-scale cybersecurity drill in September 2010 will test the national cyber response plan currently being developed by the Obama administration, said industry and government participants in the simulation exercise during a conference on Tuesday.

Cyber Storm III will build upon the lessons learned in the two previous exercises that took place in February 2006 and March 2008, and provide the first opportunity to assess the White House strategy for responding to a cyberattack with nationwide impact.

You are not going to hear very many people talking about "Conficker" being the beginning of a "Cyber Pearl Harbor" sneak attack and for good reason. SEE FINDING 2.

Physical and cyber attacks are rarely mutually exclusive. Physical attacks impact cyber infrastructure and cyber disruptions can have acute physical impact. This is why an "All Threats and All Hazards" approach has been adopted by many, including this blogger.

The 20+ page report from DHS took thirteen months to produce. Exercise in March 2008 and report in July 2009.

Yet the realistic future scenario is not too much of a stretch to imagine. At some point after the "Conficker" malicious code is put into action, a "Stall" warning light comes on at US-CERT. The Internet is the mechanism for the delivery of a lethal payload never before experienced in any previous tests, or real events. William Jackson has this to say:

"Dec. 7 is the anniversary of the Japanese attack against Pearl Harbor that crippled the U.S. Pacific fleet and brought this country into World War II. What have we learned in the 68 years since that world-changing day?

The threat in our age is less to ships and aircraft than to the technology that controls so many aspects of our lives. Many observers have warned that our defenses are not adequate to protect our nation’s critical infrastructure, and the phrase Electronic or Digital Pearl Harbor has been commonly used to describe a surprise cyber attack that could cripple our military and commercial capabilities. Dire as these warnings are, we should take them with a grain of salt.

Although cyber threats are real, the chances of a Digital Pearl Harbor remain small. This is due not so much to the success of our cyber defenses, which in many places remain inadequate, but to the realities of warfare and networking."

Perhaps there really is an "E-Qaida" as Brian Krebs of the Washington Post has alluded to in his Security Fix column. An insurgency from non-state actors and not China as many would say is our largest cyber enemy from a non-nations state. If this is true and the "E-Qaida" are out there, then you can quickly make the leap to counter insurgency, irregular warfare and other metaphors in the wars of Iraq and with the drug cartels of Latin America. Fourth Generation Warfare (4GW) insurgencies can't be compared to traditional insurgency models in that they do not intend merely to replace the existing government. The target is the state itself.

Physical weapons are not the only tools of the insurgents. Recently, the internet and satellite television have increased the opportunities for insurgent groups to recruit, communicate, and wage war to win the opinions of their target populations whether they are the local populace, foreign governments or the world public at large. In 4GW environments, physical weapons may be counterproductive to the cause of the insurgents. The prodigious use of propaganda may be all that is needed to achieve their goals. Source: FMFM 3-25

So if you are reading this now, is it working?

operational risk

Legal Risk: The Art of Compliance...

Risk Management is on the mind's of Corporate Directors and in some interesting places according to a recent poll by PWC and Corporate Board Member Magazine:

How has your personal risk as a director changed in the past 12 months?

Increased 69%
No change 30%
Decreased 1%

Some risks are tough to name...

What keeps you up at night?

Unknown risks 59%

...while others are identifiable.

Do you think regulators are more likely to investigate your company?

Yes 71%

Do you think there'll be an increase in shareholder suits?

Yes 65%

If 71% of the directors surveyed think that regulators are more likely to investigate the company where does that feeling come from? Is it the fact that the SEC and others such as the FTC, OCC and others are gearing up to facilitate greater oversight than in past years? Is it the lack of internal focus on creating a systemic Risk Management Framework? Could it be the amount of toxic assets that are still on the balance sheet? The answer is yes, yes, and yes.

So what can Directors do to make sure that management and the company are ready when the "Feds" come to town? The answer may well lie in the ability to show a history and evidence of doing the right thing and doing it with extreme diligence.

For good or bad—okay, mainly for bad, most respondents agree—the government as boardroom-player-cum-active-investor will be around for a foreseeable spell.

Regulation will rise...

Do you think there will be a big increase in regulation?

Yes 91%
No 2%

Of that 91%, 54% “strongly agree” with the premise that there’ll be more regulation, 37% “agree.”

...and spread.

Do you think other companies will have to adopt rules that the government has imposed on those receiving financial help?

Yes 54%
No 20%

Nearly 45% of the respondents say no amount of government control, whether more or less than what we got, could have prevented the severity of the economic crisis.

No to Uncle Sam as paymaster

Respondents are against the feds’ having a say in setting executive pay.

Are government limits on executive compensation justified?

No 88%

Should the government impose further limitations on pay?

No 97%

Should comp be left to the board?

Yes 76%

The only hope for "Achieving A Defensible Standard of Care" in your institution could be what Siemens and other wrongdoers have discovered. Spending hundreds of millions of dollars on "Compliance" might be a good thing when the time comes to differentiate yourself in the marketplace and negotiate with the government. Especially if you are a global enterprise doing business in countries that don't exactly have the best reputation with transparency and the rule of law. Here is what Chairman of the Supervisory Board of Siemens AG, Gerhard Cromme had to say on their efforts to date:

Wherever wrongdoing was proved beyond a doubt, we immediately took the necessary actions. Wherever there were systemic weaknesses, we identified them and corrected them. Where the necessary resources were lacking, we provided them. These demanding efforts have paid off: Today Siemens has a clear, transparent structure that no longer allows any gray areas with respect to responsibility. At the same time, these structures make Siemens more efficient, more cost-effective, and thus more competitive. The authorities took into consideration our unflinching desire to do whatever was necessary for a fresh start in determining the size of the penalties and the duration of the proceedings.

Operational Risk encompasses the actions taken by Siemens that includes the new centralized systems for payments, disbursements and other accounting functions that were previously in business units outside of Germany. This consolidation and integration of systems was not easy but represents that a discovery in the vulnerability of controls with a decentralized system warranted the investment in a new way of doing business.

Only time will tell whether any companies Board of Directors efforts to spend more resources on "The Art of Compliance" will make a difference to the regulators, investigators and litigators. One could probably bet that over time it will make a difference. But only if the "Tone at the Top" is commensurate with the actions being asked of the employees and stakeholders, doing the day-to-day tasks running the risk operations of the enterprise.

operational risk

Remote Digital Forensics: Complacency Risk...

Operational Risk Management commands a spectrum of disciplines within the global corporate enterprise. While convergence of responsibility, accountability and resources is taking place the internal threats continue to flourish. Why? How could a Chief Security Officer (CSO) not be aware of a specific threat to the institution by unknown subjects half way around the world? The transnational organized crime syndicates that target our weakest organizations know that they don't share information between departments, business units or even shared services within the enterprise. Does your CSO get a briefing from the CISO or CIO / INFOSEC staff on what the latest threats mean to you, such as cyber heists using ACH fraud?

This complacency is an internal threat that continues to amaze many and reinforces what few people truly understand about risk management. The adversaries utilize asymmetric strategy against unsophisticated targets to perpetuate their crimes and overall threats to people, processes, systems and deposit accounts. They are the modern day equivalents of "Bonnie & Clyde", Al Capone with a dash of Al Gonzales all rolled up into a massive threat that is increasing exponentially:

Two Romanian Citizens Extradited to the United States to Face Charges Related to Alleged Phishing Scheme

A phishing scheme uses the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers, and Social Security numbers. Phishing schemes often work by sending out large numbers of counterfeit e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions, or other companies.

The investigation leading to the indictment stemmed from a citizen’s complaint concerning a fraudulent e-mail message made to appear as if it originated from Connecticut-based People’s Bank. In fact, the e-mail message directed victims to a computer in Minnesota that had been compromised, or “hacked,” and used to host a counterfeit People’s Bank Internet site. During the course of the investigation, it was determined that the defendants had allegedly engaged in similar phishing schemes against many other financial institutions and companies, including Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay, and PayPal.

Risk Management 101 talks to the X and Y axis with X representing the frequency of risk and Y representing the severity (impact) of the risk. So using the four quadrant model, the lower right box is where low risk times high frequency incidents occur. In the upper left box is where high risk times low frequency incidents occur. Got it.

As a CSO in your organization, where do you spend your time, resources and personnel in terms of their training, awareness and work efforts? Think about it for a minute. Most of you would probably say, "Well we focus on the High Frequency times High Risk incidents, the upper right box of the Risk Management model." Practice and prepare for the incidents that happen often and you will have employees who have no clue on what to do the day that something from that upper left box impacts your organization. The HIGH RISK x LOW FREQUENCY incidents are where you remain most vulnerable.

Arlington Man Sentenced 36 Months for $40 Million Ponzi Scheme

ALEXANDRIA, VA—Preston David Pinkett II, age 70, of Arlington, Va., was sentenced to 36 months in prison for engaging in a massive Ponzi scheme that raised more than $40 million in fraudulent payments from investors. Pinkett was also sentenced to three years of supervised release and ordered to pay $18,774,989 in restitution.

The two years that most frauds are conducted before they are discovered tells most risk managers that even effective accounting and audit controls can't catch these white collar criminals before it's too late. The high risk low frequency incidents are the greatest impact on your institution and yet little or no resources, training or attention is paid to these threats to your reputation and economic livelihood.

Now let's take this step further into what practices you have with exiting employees from your business. Are you conducting exit interviews? Are you examining all of the employee's digital assets for the presence of anti-forensics or the ex-filtration or theft of sensitive, proprietary trade secrets or intellectual property from the corporation? Both of these steps are necessary regardless of the person leaving and the circumstances why they are leaving your institution.

The utilization of "Remote Digital Forensics" and other centralized shared services such as this can provide your Business Units and even suppliers with capabilities that they don't need to staff internally. The technologies and resources exist today to address the stealth of fraud, the crisis stemming from industrial espionage or the disgruntled employee stalking those who they perceive as the reason for their dismissal.

An effective internal approach to high tech and advanced Operational Risk Management as it pertains to the rapidly changing landscape of smart, educated and daring people shall include a robust intelligence and audit capacity. Without it, the transnational eCrime syndicates or the internal employee threat will prey on your vulnerabilities of complacency, lack of training and apathetic approach to the design, configuration or implementation of your systems.

operational risk

26 Wall Street: Risk Management Ground Zero...

Today President Obama speaks from the same place in Wall Street that the U.S. government has some of it's roots as a nation. The topic on this anniversary of the demise of Lehman Brothers is risk management. This ground zero of managing credit, market and operational risk in one of the financial capitals of the globe brings several topics to the discussion table. Liz Moyer makes the point:

It's been a year since the $600 billion bankruptcy filing of Lehman Brothers and the financial market meltdown that forced the government into a multitrillion-dollar rescue of the U.S. banking system.

But for all the talk and hand wringing (and billions in direct government equity stakes in major banks and loan and debt guarantees) there's also been little real progress on how, or if, Washington might regulate its way out of this kind of mess in the future. Don't expect that to change anytime soon, as markets become more, not less, complex and interconnected.

If the American public has witnessed substantial up hill battles with reform for health care, they can be assured that the "Financial Services" lobby will be even stronger. The regulation of institutions such as so called alternative investment firms (hedge funds) has many of them already leaving the U.S. for safer havens overseas. The trading will continue and the people behind the unique investment vehicles are getting even more creative. Investors are now buying up the pools of insurance products that have to payout upon peoples deaths. Life insurance settlements are being bundled and sold just as toxic mortgages and the bets are on with these products, just as they were with the housing market. Are people living longer or dying sooner? I guess that depends on where you live, what you eat and what your family history is.

The creativity of trading new and exotic products will continue and the watch dogs will have their hands full trying to figure out where to regulate and what agency should have the oversight. Free market capitalism as the regulator has already proven that it doesn't work. Consolidation of agencies that focus on the regulation and compliance enforcement of the financial services and investment industry is a tremendous risk in itself. The systemic root cause of the greed, compensation exploitation and the financial product innovation lies with some very smart people. The same people who can make a major difference in managing risk in their institutions going forward.

Regardless of the instruments that are invented for trading and the people who trade them, they all rely on one thing. Software and escalating requirements for more computing power, Terabytes and Petabytes of storage and the operational risks associated with information moving around the planet at almost light speed. Information and bits of data that can influence decisions on the buy or sell strategies, is only as good as the mathematics and the algorithms coded into software.

The oversight of future financial products and the ability to take new offers to the market must have people looking at the math and the code. The systemic risks that erupted in the world markets over a year ago are a result of a complexity of systems and the speed of change in our connected economy. All of the transparency, accountability and reform of compensation packages will not impact the zeros and ones that make up the sophistication of the trading markets.

A single consumer financial protection agency will make the consumer feel better that the government is looking after them. It will modify behavior in the innovation and it may even close the gaps in the current rule sets. However, the operational risks associated with the confidentiality, integrity and assurance of information will continue to rise. These risks are consistently displayed in the public press and websites such as the Identity Theft Resource Center:

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:

• Data on the Move
• Accidental Exposure
• Insider Theft
• Subcontractors
• Hacking

Yet operational risks such as these are only a piece of the total risk management equations as it pertains to Wall Street, International Banking and the so called systemic risks talked about today as the Washington Post says:

Warning that "history cannot be allowed to repeat itself," President Obama urged Wall Street on Monday to help jump-start a stalled effort to overhaul the U.S. financial regulatory system and head off a potential reprise of the U.S. economic crisis.

Visiting New York on the first anniversary of the nation's biggest bankruptcy, Obama used a speech at Federal Hall at 26 Wall St., site of George Washington's 1789 inauguration, to rally support for regulatory reform and call on the financial community to take responsibility for avoiding the abuses and failures that led the nation into a financial crisis last year and triggered a global recession.

Our greatest threat is complacency as was indicated today in the context that we do nothing as a result of the failures of people, processes, systems and external events.

operational risk

Social Engineering: Duplicity of Twitter Risk...

The use of commercial-off-the-shelf (COTS) software applications and the revolution of Cyberspace virtual hardware devices connected to the "Cloud" has proactive Operational Risk professionals "burning the midnight oil". How many of your Executive Management and other employees with roles and access to sensitive proprietary information are using Twitter today? Did any of them update their Facebook profile last evening indicating their next travel stop? Are any of these individuals part of the corporate Mergers & Acquisitions team?

The use of social networking tools is not new when it comes to networking with colleagues or updating the professional experience history. What is less well known is how foreign intelligence agencies and competitive intel units from commercial enterprises are utilizing these products and solutions to perpetuate their collection of human and program information.

One only has to watch Tony Gilroy's latest movie "Duplicity" with Clive Owen and Julia Roberts to better understand the risks to corporate and national security. Gilroy's sequence of the Jason Bourne series to Michael Clayton and now Duplicity and "State of Play" all have very important lessons for us. Here is the Duplicity synopsis:

Julia Roberts working for the CIA and Clive Owen working for MI6 play competing undercover corporate high level top secret business spies who may or may not be conning each other. The movie shows us what lengths mega corporations will try and go to keep their new product information out of the hands of their competitors. The spies in this case will not even acknowledge their relationship as a sly parallel to regular relationships. The implication here is that most people do not say or trust themselves in relationships, but as spies Julia and Clive have good reason to be wary. Multi continent travels, many plot twists and counter twists follow. The music is light locations are beautiful and evokes the Ocean's movies and fun is had by all even if you can't always follow the plot.

Are you following someone on "Twitter" that is with one of your competitors? Do you know all of your followers personally? Who is in your supply or customer chain that may be leaking vital information before it's ready for "Prime Time"? What is the point. Hypothesis? Let's see if this makes any sense:

Lockheed Martin has thousands of suppliers. Each of those suppliers is interested in selling their products or services to LMT's competitors to increase their own market share. VirTra is one of those suppliers and provides the following capabilities to Lockheed:

(OTC:VTSI.PK), today announced
that VirTra has received another order from Lockheed Martin Simulation Training
and Support business for VirTra`s newest and smallest Threat-Fire device, the
Threat-Fire II.

The Threat-Fire II is a clip-on return fire simulator, similar in function to
the Threat-Fire belt; however, the Threat-Fire II is designed to clip-onto an
officer or soldier`s duty belt. The Threat-Fire II is not only small and
lightweight to be unobtrusive, but it is also rechargeable and compatible with
VirTra`s wireless system.

"We are thrilled that Lockheed Martin has ordered our very latest Threat-Fire
II. Our Threat-Fire line of return fire are highly effective simulation training
aids and it is an honor that an industry pioneer like Lockheed Martin Simulation
Training and Support continues to order VirTra`s unique training devices,"

You can get to this press release from following this Twitter page and you ask yourself why would this person be tweeting about Lockheed Martin or VirTra's deal with them?

• 
  

• Name Shannon C.
• Location Las Vegas
• Bio Smart woman, outgoing. Making my way in the world.

1,691 Following

1,313 Followers

VirTra Receives Fourth Order from Lockheed Martin Simulation ... http://bit.ly/1ZNuVz27 minutes ago from twitterfeed

A quick Open Source search reveals that she is a Sales Manager at Harrahs/Rio in Las Vegas. Whether she got this information on the VirTra deal because she is following someone or one of her followers sent her this "Tweet" on the press release does not matter. She could have read this information in the local newspaper or on the RSS feed she has set up for tracking the Defense Industrial Base companies doing business together. What matters is the relevance of this information and the speed that it is currently being known by many, not just a few.

There is no law prohibiting the "Tweeting" of public information as long as the so called public information is not subject to some national classification scrutiny or some kind of insider information for the review of the SEC. What is more likely is that she is like millions of others on the web who are using social networking to drive you to a web site that is being driven by advertising or some other multi-level marketing offer.

This is just one small illustration of the power and the vulnerability that exists with the COTS software operating in our planet's virtual digital cloud today. How we apply it's use for the good or the bad of humanity is up to each of the humans behind the keys on the PDA, Blackberry or PC. Therefore, just as the Internet has spawned the age of transnational economic crime, child pornography and cyber extortion plots so too will these same tools on our mobile devices be leveraged to do us potential harm or good.

Viral Marketing is here to stay and the use of these new age tools to spread the word on a new product, a new stock offering or the sighting of a celebrity on Rodeo Drive in Beverly Hills is exploding:

• 
  

The Ponzi scheme and related investment Pyramid schemes, are early examples of viral marketing. In each round, investors are paid interest from the principal deposits of later investors. Early investors are so enthusiastic that they recruit their friends resulting in exponential growth until the pool of available investors is tapped out and the scheme collapses.

Multi-level marketing popularized in the 1960s and '70s (not to be confused with Ponzi schemes) is essentially a form of viral marketing in which representatives gain income through marketing products through their circle of influence and give their friends a chance to market products similarly. When successful, the strategy creates an exponentially growing network of representatives and greatly enriches adopters. Examples include Amway and Mary Kay Cosmetics among many others.

• 
  

Tom Olzak offers us some great perspective on how to deal with the inevitable digital wave upon us:

Defending against the inevitable

Trying to adequately control new employee use of public social networking by simply telling them to stop is futile, although use of these sites should be addressed in the company’s acceptable use policy. And employee behavior can be modified somewhat by awareness training, but behavior is what it is. Some employees will continue to act in either careless or malicious ways, especially if motivated to do so. However, there are still things you can do, in addition to basic security controls, to mitigate risk, including:

1. Block use of public social networking sites from the office is my strongest recommendation. This will help protect your data or social engineered information, about your company or network, from finding its way directly from the employee’s desk or your network, to either a social networking site or a friend met at such a site.
2. Implement DLP (data leakage prevention). Know where and how your data is moving. If an online ‘friend’ of one of your employees happens to gain access because of sharing activities, you will be able to block data loss or at least know it’s happening.

Keep your eyes and ears open to what you are saying at the local restaurant or on the phone in the lobby of that big metro area hotel. It could be known to your competitors or your enemies within a matter of minutes.

operational risk

Health Care: Operational Risk on Steroids...

Health Care Sector Operational Risk Management is on the front burner once again. Recent changes to federal law governing health information suggest expanded regulation, increased enforcement, and significantly enhanced penalties could be on the horizon for businesses not previously subject to HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), which was amended by the American Recovery and Reinvestment Act of 2009 (ARRA) in February, regulates the use of, access to, and dissemination of healthcare information. The increased scrutiny of our own health related personal identifiable information is only the beginning of a national platform for health care. Personal health records will be highly sought after by criminal organizations to help them with extensive online extortion schemes so they can monetize the stolen information.

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Transnational economic crime syndicates that have been fueled by the failures in systems and people at institutions in the financial services industry may now be getting a better source to perpetuate their wave of extortion . Just think about the phishing e-mail that goes out to the hundreds of thousands of people who have a particular type of medical condition or are taking a specific drug to help a particular medical diagnosis. Revealing the names, occupations and other relevant information on the subset of male politicians running for office that are currently taking the Pfizer drug for ED or the subset of women talk show hosts that are taking the drug Xanax may have some individuals willing to pay up the 500 or 1000 dollars being demanded from the criminals that stole the Protected Health Information (PHI).

As the United States speeds along towards the consensus on a national health care system the risk of health care data breaches will be rising. Where a doctor had a small staff helping with the back office to bill insurers and where the health care information systems vendors were in high demand you will now have the nexus of targets that cyberspace criminals will be focused on. Like the consumer retailers who rely on third party credit card processing companies to take care of the millions of annual point-of-sale transactions, so too will the consumers of health care services at the retail level. Doctors offices, pharmacies and out patient or triage centers.

The HHS and FTC interim rules were mandated by more stringent privacy and security requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA) for Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates and certain non-HIPAA-covered entities.

"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the HHS Office for Civil Rights.

HHS and FTC said their rules were intentionally written to be harmonious with one another. The entities covered by either rule have up to 60 days to notify individuals whose information was accessed without authorization. If the breach involves PHI belonging to 500 or more people, entities must alert the media and either HHS or FTC, depending on which rule they are subject to. If the breach involves less than 500 people, the entities must keep a log of the incident to be submitted to either HHS or FTC at the end of the year.

Unlike the motive to utilize the information from a compromised credit card to monetize through additional fraudulent purchases, the new health care criminal syndicates will find their own niches. Whether there is a continued attempt at utilizing the PHI for spear phishing attempts at specific individuals online or a more broad use of PHI to steal ones identity to obtain health services at hospitals or physicians offices, the impact could now turn more deadly:

Medical identity theft is potentially lethal to its victims. When the identity thief obtains medical treatment, medical records are created in the name of the victim. When treatment occurs in the same locality as the victim, the treatment of the thief can be appended to local medical records of the victim. With the strong movement towards electronic medical records, all those under the victim’s name and social security number can be collated in seconds. Once the thief’s medical records are collated with the victim’s, there is a risk of mistreatment of the victim, which can potentially lead to death.

Lind Weaver, a retired school teacher, was harassed by a bill collector for a medical bill for the amputation of her foot. The problem was that Weaver still had two feet. Foot amputations are associated with diabetes, a disease that Weaver did not have. Months later Weaver suffered a heart attack, when she awoke in the hospital a nurse asked her which type of drugs she was taking for her diabetes. Had Weaver underwent heart surgery as a diabetic, mistreatment could have been life threatening.

Protected Health Information will continue to be a challenge for those institutions that are trying to achieve a "Defensible Standard of Care" in the decade ahead. The wave of risks associated with online banking and the technologies driven by consumers thirst for financial information will seem non-consequential compared to what we are about to experience in the online health care industry.

operational risk

Business Resilience: Beyond Readiness...

The continuity of your telecom operations is an operational risk that in many cases is underestimated until a significant business disruption occurs. When telecom is down, this means a combination of voice and data services that serve your business enterprise may not be available. The resilience of both the voice and data communications is the holy grail of continuity of operations and disaster recovery professionals on a global basis.

Business Resilience and the ability to effectively anticipate or absorb the impact of an incident, whether man made or as a result of a natural phenomenon differentiates your suppliers. When is the last time you tested your Tier I service supplier for a mission critical business process to determine the ability to keep their voice and data services running during a time of crisis? And maybe more important, is your own enterprise Incident Command system survivable so that you can provide voice leadership to your "Incident Commanders" where ever they may be located?

Until now, telework, disaster recovery and business continuity professionals have primarily been limited to expensive, hardware-based, or location-specific solutions that remain inherently vulnerable. TeleContinuity’s end-user driven and “virtual” service solution is predicated on turning the traditional disaster recovery and business continuity model on its head. Instead of focusing on protecting centralized telecom infrastructure and equipment-based assets; pre-planning for employee relocation; and location-specific solutions designed to enfranchise only a select number of key executives -- TeleContinuity assumes the entire telecom capability of the enterprise is wiped out and that all employees and key executives are individually scattered to a myriad of undetermined locations.

Unencumbered by the traditional telco infrastructure mentality or by the business agendas of telecommunication hardware or IP equipment vendors, TeleContinuity’s founders synthesized the best design elements of PSTN, Internet, and dynamic call center technologies to create a seamless, ubiquitous, and fully resilient outsourced services solution. There is no equipment to buy. We do not touch the customer’s PBX. A customer does not need to change their carrier relationship.

Additionally, TeleContinuity can provide your organizations all the capabilites that they need on a daily basis so that you can work remotely from any location with access to the infrastructure that makes your data and voice applications usable.

Telecontinuity is just one good example of how to make your organization more business resilient. As we approach the middle of the Hurricane season here in the U.S., you can understand why having energy to power systems is an important aspect of most COOP discussions. This simple yet valid argument for back-up power has been going on for a decade or more. Yet not until the last several years as Iraq, Afghanistan and other places that have been the result of some of our most horrific displays of "Mother Nature's" wrath on domestic urban infrastructure has energy innovation become commercialized.

White Door offers a proprietary line of portable towers systems fueled by non-traditional power sources. These self-powered towers can be rapidly deployed to satisfy physical security and communications requirements in areas where conventional power is not readily available or too expensive to deploy.

Utilizing alternative energy power sources including solar panels, wind turbines and hydrogen fuel cells, the towers have been designed to power communications and security systems for both long term and short term requirements. Completely independent of the power grid, they eliminate the costs of trenching and physical bandwidth provisioning, are flexible to place and relocate, and easily upgraded because they utilize COTS (commercial-off-the-shelf) integrated security and communication systems. These mobile trailer-towers offer an effective, reliable and energy efficient platform to power mission critical applications anywhere in the world.

White Door provides resilience to the warfighter, first responder or the corporate enterprise in their quest for alternative power and communications capabilities. When it comes to planning for the next Hurricane Katrina or the "Tip of the Spear" overseas operations readiness, resilient business organizations need to implement robust planning, exercises and systems to be able to overcome the operational risks that are before them.

Power blackouts are the catalyst for many risks to the critical infrastructure including Transportation, Internet, Voice commmunications and even those services that you take for granted like pumping gas at the local petrol station or emergency services at the local hospital. September is DHS Preparedness Month in the US and the focus is once again on the physical readiness of our nation.

There is however another facet of readiness that is slowly getting attention across the landscape of data systems blackouts, such as the mission critical applications we utilize almost everyday such as Online Banking and Voice Over Internet Protocol (VOIP) for voice communications. Cyberspace as we know it is so embedded into most of the mission essential aspects of business today that our readiness factor needs to go well beyond redundant power supplies and battery back ups for power. Cyber-Readiness is a key component of any organizations plan to stay resilient in the face of a Distributed Denial of Service Attack (DDOS) and other cyberspace exploits that disrupt our operations.

Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of swiping 130 million accounts on top of 40 million he stole previously.

Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit computer exploits ended when he went to jail on charges stemming from an earlier case.

Do you think you're spending too much time with your team planning and training? You haven't. Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong. The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful in their strategy execution. Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like let alone know what to do next to mitigate the risk to them and the organization?

operational risk

Cloud Security: OPS Risk in a Virtual Infrastructure...

"Cloud Computing" is heating up as the information centric business enterprise looks for new economic strategies to reduce costs, save energy, and share expensive resources. Cloud Security is getting into the discussion simultaneously as the lobbyist alliances make their way around the "Obama Beltway." The Cloud Security Alliance held it's symposium this past week at Mitre to set the stage for it's 501(c)(6) activities in the federal agencies.

Welcome to the topic of more effective "Operational Risk Management" as an increasing relevant strategic mandate for the future of enabling enterprise business resilience and achieving a defensible standard of care. Cloud Computing is already here and rapidly accelerating into the way business is leveraging the economies of scale, efficiency of provisioning new users, lowering energy and overhead costs and rapidly gaining new found applications. Why wait around for the IT department any longer? All the headaches of procuring, maintaining and supporting the physical infrastructure of large Information Technology operations is seemingly going to disappear. Or is it?

What once could be called that minor headache could quickly turn into a major migraine or subarachnoid hemorrhage. When a data breach, denial of service (DoS) or business disruption occurs it will most certainly be on a more massive scale that requires a substantial response to contain the bleeding. If you thought disaster recovery and continuity of operations (COOP) was something you could ignore until you ultimately had an incident, that mindset is certainly over.

Attack on Twitter Came in Two Waves

By Jenna Wortham

The meltdown that left 45 million Twitter users unable to access the service on Thursday came in two waves and was directed at a single blogger who has voiced his support for the Republic of Georgia in that country’s continuing conflict with Russia.

Facebook’s chief security officer, Max Kelly, told CNet that the attack was aimed at a user known as Cyxymu, who had accounts on Facebook, Twitter, LiveJournal and other sites affected by Thursday’s cyberassault.

In an interview with The Guardian, the blogger said he believed the strike was an attempt to silence his criticism on the behavior of Russia in the conflict over the South Ossetia region in Georgia, which began a year ago on Friday.

How did a targeted attack against a single user manage to cripple Twitter for almost an entire day?

As Cloud Computing takes businesses into a greater degree of "Domestic Outsourcing" the risk factors change along with the legal risks of 3rd party or 4th party liability. Contractual service level agreements (SLA) that were used in the past for hosting a web site will be far greater in scope and with a table of loss events and their respective costs per incident by the minute of downtime. And this is just the beginning of the "What if's?" Some of these will be different than the normal offshoring risk management question sets.

Take eDiscovery and digital forensics for a minute. What is the difference between a lawful intercept and economic espionage? The name of the government behind it. With no perimeter and data everywhere who can say where your vital mission critical data actually is in the midst of the 100,000 sq. ft. server farm full of VMWare and racks of EMC storage? Even if you new exactly where it was located in the U.S., India or Singapore, what are the assurances that it is safe or safer than in your own facility? Even with 16 pages of security documentation controls and a SAS 70 Type II certification it may not be enough to defeat the "Fuzzing of VMware" and Hypervisor "Blue Pills".

At the MidAmerica Industrial Park in Oklahoma, amid a Gatorade plant, a pipe manufacturer and nearly 80 other companies, Google is piecing together a plain-looking 100,000-square-foot building it will stock with servers. Next to the industrial park stands a coal-fired electrical generating plant operated by the Grand River Dam Authority.

It helps that the price is right. Google's corporate headquarters sit in Mountain View, Calif. The average industrial electrical rate in the Golden State runs about 9 cents per kilowatt hour. In Iowa and Oklahoma, the meter runs at between 4 and 5.5 cents.

"Google is ... not the type of industry that is really dependent on location, since its product is Internet-based," said Justin Alberty, Grand River spokesman. "The real factors in choosing a location tend to be land, water and electricity."

Server farms, also referred to as data centers by the industry, are also becoming more common with the growth of "cloud computing." The term refers to companies building massive computing power and then renting that capacity out to other firms. Amazon, for one, sells not just books, but time on its servers to run Web sites or store electronic records.

In that way, computing is starting to look like the next utility. In the same way it would be inefficient for each home to have its own electrical generator, it can make sense for consumers and businesses to farm out their computing needs. Some analysts even see consumers buying less highly powered personal computers in the future and relying on firms like Google to fire up the necessary microprocessors when the demand requires.

Operational Risk is a key facet of Cloud Computing and the security of this growing IT strategy. Navigating the laws on the ground in advance of the unseen barriers in the cloud will provide the enterprise with significant hedges against the new emerging risks of the virtual infrastructure before you.

operational risk

Red Flags Rule: Reputations at Stake...

The "Red Flags Rule" is on the back burner in the United States until November 1, 2009. The Federal Trade Commission has delayed the compliance mandate again. Are you ready? Do you have to comply?

The Federal Trade Commission has postponed a deadline for many of the nation's businesses -- including banks, public utilities and health-care providers -- to comply with a controversial identity-theft prevention program.

The program, called the "Red Flags Rule," was to take effect Aug. 1 but will now be delayed until Nov. 1. The program is aimed at preventing the loss of billions of dollars as the result of the theft of consumer and taxpayer personal information. Under the regulation, companies and institutions would be required to establish a way to identify potential threats at the businesses, find ways of detecting such threats and install measures to prevent them. Employees would also have to be educated about the programs.

A survey commissioned in 2006 by the FTC revealed that more than nine million Americans have their identities stolen each year at a total estimated loss of $15.6 billion.

The nation is under a barrage of attacks from adversaries that lie in the shadows such as "Conficker" and other botnets or malware and business still delays the compliance measures asked of them. One only has to look deeply into the latest 2009 report from CISCO to better understand the state of risk from "Transnational Economic Crime":

Report Highlights

• Criminals are exploiting traditional vulnerabilities because they believe security experts and individual users are paying little attention to these types of threats.
• Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
• Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
• Criminals are now targeting online banking customers using well-designed, localized text message scams that leave virtually no trail in their wake.
• The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are similarly increasing efforts to enhance cybersecurity and prevent cybercrime.
• Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly. According to research by Cisco, this is a clear sign that the security community is succeeding in making it more difficult for attacks to take root and grow.

Operational Risks are vast and the technology landscape is not getting more narrow, it is expanding. Cloud Computing is now the latest attempt to get cost savings and to make the IT puzzle less of an asset management nightmare. If you think that you understand it and where it's heading, think again. One only has to visit "Black Hat" and the briefings to get a better sense of what the true risks are going to be if not already. This one caught our eye and for good reason:

Nitesh Dhanjani

Psychotronica: Exposure, Control, and Deceit

This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.

Topics of discussion will include:

Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.

Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.

Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages.

The risks to "Social Networking" Twitter-based consumers and the extended digital enterprise are vast. The CISO's and internal audit teams have been having their own internal battle for years and will soon realize that once and for all, they are on the same side of the Cyberspace war. The risks to the organization may come in the form of a major business disruption, denial of service (DOS) or even worse, a significant loss of consumer Personal Identifiable Information (PII). Even if you are considered PCI compliant just as "Network Solutions" was, the loss of reputation can be significant:

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

The "Red Flag" may have turned to a "White Flag" as you surrender to the lawyers and the federal oversight.

operational risk

FCPA: Modern Day "Smoking Gun"...

Corporate malfeasance is on the mind of most global executives today. Their enterprise is consistently fighting the economic challenges and at the same time defending it's reputation as new "Smoking Guns" are revealed. Perhaps these modern day discoveries of wrong doing should be renamed "Smoking Digital Evidence" because this is exactly what it is. Information uncovered through normal monitoring practices or as the result of a specific investigation produces "Red Flag" alerts based upon acceptable use policy or corporate rule sets.

These "Red Flags" uncovered in the context of programs devoted to processing digital evidence is now a standard Modus Operandi for corporate governance, legal and operations risk management. These new tactical business units are being developed in a rapid response to new regulatory and compliance mandates yet the greater pressure is coming from the wake-up calls senior executives have been receiving lately.

The Justice Department's probe of the credit default swaps market is reportedly focusing on Markit Group Holdings Ltd., the London-based supplier of prices in OTC derivatives, and its relationship to a group of major banks that own a stake in the company. The DOJ is scrutinizing the ownership of Markit by a group of banks that control a large amount of pricing in the $28 trillion credit derivatives market.

The banks have received a notice of investigation from the DOJ asking them for details on their trading activity, including how much they have at risk in the market and their monthly value of their credit default swaps, according to Bloomberg News. Banks that own the largest stakes in Markit, include: J.P. Morgan, Bank of America (through its acquisition of Merrill Lynch), Deutsche Bank, Royal Bank of Scotland which acquired ABN Amro, as well as Credit Suisse, Goldman Sachs, Morgan Stanley and UBS, according to Bloomberg News.

"The DOJ is looking to find any wrongdoing in that marketplace," commented Paul Zubulake, senior analyst at Aite Group in an interview with Wall Street & Technology. "Obviously that is going to open up a large can of worms," he said. "It will be costly for the dealers that have to battle the DOJ given the discovery issues, about all the information, emails and instant messages they will need to turn over."

Digital Forensics, Records Management and eDiscovery units at some of the largest financial institutions are working overtime. Finding any "Smoking Digital Evidence" will be the standard operating procedure on most international transactions whether it be in the financial services industry or even telecommunications:

Good news for compliance officers: You now have solid evidence that the benefit of implementing an effective compliance program far outweighs the cost, in the form of the massive Foreign Corrupt Practices Act settlements swallowed by Siemens AG and three of its foreign subsidiaries.

Siemens, a German conglomerate that is one of the largest engineering firms in the world, agreed in December to pay more than $1.6 billion to U.S. and German regulators for a massive bribery scheme that felled the highest executives at the company. Penalties paid to the Justice Department and Securities and Exchange Commission alone topped $800 million, by far the largest sanction ever imposed in an FCPA case.

In the following excerpt, Linda Chatman Thomsen speaks on the massive Siemens investigation: "Furthermore, the $1.6 billion total that Siemens will pay in these settlements is the largest amount that any company has ever paid to resolve corruption-related charges.

And that is fitting because the alleged conduct by Siemens was egregious and brazen. It was systematic, it involved thousands of payments, and it occurred over an extensive six-year period. Siemens created elaborate payment schemes to conceal these corrupt payments to foreign officials. The company’s inadequate internal controls allowed the conduct to flourish.

The details tell a very unsavory story: employees obtained large amounts of cash for Siemens’ cash desks; employees sometimes carried that cash in suitcases across international borders to pay bribes; payment authorizations were recorded on post-it notes that were later removed to avoid leaving any permanent record; there were slush funds and a cadre of consultants and intermediaries to facilitate paying the bribes.

Investigating this intricate scheme and righting Siemens’ wrongs has taken a remarkable and unprecedented level of coordination among many law enforcement agencies around the world."

The internal threat of employees, partners and so called in-country agents who help facilitate business deals is one square in the risk management matrix. The business transactions themselves are becoming part of the Venn Diagram that includes:

• Business & Global Commerce
• Personnel Security & Integrity
• Rule of Law & Litigation

As global institutions continue their expansion across the continents where capital follows security and the rule of law, so too will the attacks on the corporate enterprise.

operational risk

Trusted Systems: Human Factors in Play...

The case is U.S. v. Dreier, 09-cr-00085, U.S. District Court, Southern District of New York (Manhattan). It's only the beginning of a long hard road for many unidentified subjects (unsubs) as the fall out from the U.S. Economic crisis uncovers who was stealing others peoples money for their own fraudulent schemes.

Marc Dreier, the New York law firm- founder who pleaded guilty to defrauding hedge funds of more than $400 million, should be sentenced to 145 years in jail, prosecutors said, as a defense lawyer sought a term of as little as 10 years.

The rival requests came in court filings today in federal court in Manhattan. Dreier will be sentenced on July 13 by U.S. District Judge Jed Rakoff. Investors who placed more than $740 million with Dreier lost at least $400 million, lawyers said.

Operational Risks associated with 3rd party suppliers is a continuous concern. Effective due diligence with partners and service providers is a necessary task, on a quarterly basis. Many institutions leave it up to the service level agreement (SLA) or the written contract to be the monitor. To their demise, written words on a contract are not enough. Especially, when the partners are the lawyers themselves.

New York prosecutors on Wednesday said 13 people and a mortgage origination company have been indicted on charges of running a multimillion-dollar real-estate fraud that cheated lenders through sham sales.

The defendants include employees at the Long Island, New York-based mortgage company AFG Financial Group Inc, several attorneys and other defendants, according to Manhattan District Attorney Robert Morgenthau.

The investigation is continuing, and Morgenthau said the size of the scheme could eventually total $200 million.

One lawyer accused of engaging in fraudulent transactions was involved in transactions adding up to more than $100 million, Morgenthau said.

Lenders who were victimized in transactions made by that one lawyer included New Century Mortgage Corp, WaMu/Long Beach Mortgage Co, Countrywide Financial, First Franklin Financial Corp and Mortgage Network USA Inc.

The financial services sector will continue to be a quagmire for transactions for decades to come. The due diligence, fact checking and assurance that the "Deal" is a solid one will continue to under go a tremendous burden on all parties. The consumer, the lender and the underwriters.

The human factors associated with crimes such as fraud are well known. The study of the "Ponzi Scheme" has been a text book case for study in business schools for years. What may not have been so obvious is the science behind the human motivators. And maybe not even noticeable, is how accustomed the human is to trusting the automated world we live in. The fact that computers calculate what we have purchased in the retail store is one of the first trusted information scenarios we grow up with. How many people actually add up all of the dozens of items in their grocery cart, calculate the tax and any discounts to see if the Point of Sale (POS) system has done it's math correctly?

So what is Human Factors Science?

Human factors are sets of human-specific physical, cognitive, or social properties which either may interact in a critical or dangerous manner with technological systems, human natural environment, or human organizations, or they can be taken under consideration in the design of ergonomic human-user oriented equipments. The choice/identification of human factors usually depends on their possible negative or positive impact on the functioning of human-organization and human-machine system.

Did someone try to steal Goldman Sachs’ secret sauce?

While most in the US were celebrating the 4th of July, a Russian immigrant living in New Jersey was being held on federal charges of stealing top-secret computer trading codes from a major New York-based financial institution—that sources say is none other than Goldman Sachs.

The allegations, if true, are big news because the codes the accused man, Sergey Aleynikov, tried to steal is the secret code to unlocking Goldman’s automated stocks and commodities trading businesses. Federal authorities allege the computer codes and related-trading files that Aleynikov uploaded to a German-based website help this major “financial institution” generate millions of dollars in profits each year.

Trusted Systems and the information that flows from them is only as good as the programs that run them and the people who developed the millions of lines of code in the software. The trading systems at the NYSE, NASDAQ and Hang Seng Index are only as reliable as the calculations and the integrity of the systems themselves. When that trust is compromised in the trusted system, whether it be a program or a person, human factors take over.

operational risk

Digital Forensics: Right to Question CSI's...

The US Supreme Courts ruling in MELENDEZ-DIAZ v. MASSACHUSETTS will have significant impact on Digital Forensics expert practitioners. Legal cases utilizing the examination of computers and other digital assets containing relevant information will have more testimony by CSI analyst experts. The New York Times report by Adam Liptak says:

Crime laboratory reports may not be used against criminal defendants at trial unless the analysts responsible for creating them give testimony and subject themselves to cross-examination, the Supreme Court ruled Thursday in a 5-to-4 decision.

Noting that 500 employees of the Federal Bureau of Investigation laboratory in Quantico, Va., conduct more than a million scientific tests each year, Justice Kennedy wrote, “The court’s decision means that before any of those million tests reaches a jury, at least one of the laboratory’s analysts must board a plane, find his or her way to an unfamiliar courthouse and sit there waiting to read aloud notes made months ago.”

The outcome of the ruling for the prosecution is that forensic examiners and scientists will be more thoroughly scrutinized in the tests they perform. The process will require more effective documentation and the ability to play back for a jury exactly the process utilized to support any facts of evidence. This will not be difficult as Best Practices today are being utilized such as the video taping of the entire test and examination. Achieving a "Defensible Standard of Care" will however be even more of a priority for Operational Risk Management professionals.

The defendant will have the ability to cross-examine the analyst, whether it was making a determination on what the blood type was of the accused attacker or the date, time, and place that the defendant sent an e-mail from the office computer to a co-conspirator.

In the digital forensics environment, the ruling means that the subject matter experts will simply be spending more time in court and on the witness stand. This will impact the time it takes to conduct the trial yet the rights to examine the process, expertise and documented procedures for the evidence that has been introduced is an important issue.

From an Operational Risk Management point of view, this means that your eDiscovery and Digital Forensics certified examiners will be under the magnifying glass and subject to the questioning by counsel. We see an increased attention related in civil matters coming soon. Several states are asking that the outsourced entities associated with inspection of digital assets be licensed by the state itself, as a Private Investigator. This provision would subject the expert authority to also being legally certified in the knowledge of state laws pertaining to civil procedure, chain of custody and legal procedures on the handling of evidence.

The question remains on whether the Supreme Court Justice's were thinking beyond the test for the presence of a drug, as this case was focused on in MELENDEZ-DIAZ v. MASSACHUSETTS. The defense bar will be utilizing this ruling to go beyond the criminal courts to the civil trials where white collar cases are largely based upon the documents, e-mails and other digital evidence that has been retrieved using forensic procedures.

It will be interesting to see how this ruling impacts the professional licensing, certifications and documentation of examinations for the 21st century Digital Forensic "CSI".

operational risk

Proactive Risk Strategy: Transnational Asset Forfeiture...

Effective strategy execution and the application of intelligence to gain increased mission efficiency is the name of the game. The public / private convergence of people, processes, systems and the fusion of relevant international incidents data establishes the playing field. The threats to the very fabric of our economic and security well-being is directly tied to the rule of law, the safety of the environment and the ability for capital to be invested with prudent risk management mechanisms in place.

If any component of this fabric becomes frayed or torn, this vulnerability threatens the overall resiliency of this "Transnational Ecosystem". The homeostasis of the "Transnational Ecosystem" is dependent on the factors associated with it ability to gain new energy, (food, water, power, money) and to continually "Adapt" to it changing environment. The ability to adapt rapidly within this ecosystem will determine who the winners are and also the survivors. So what is a good example of this "Transnational Ecosystem" that we can apply to public / private convergence and Operational Risk Management?

Although pioneered in the USA, there now appears to be a global trend to use stand-alone civil proceedings as a means of recovering the proceeds of crime in the hope that they will be more effective than proceedings that are ancillary to and dependent on a criminal prosecution. Recent examples of jurisdictions that have introduced civil forfeiture legislation include Italy, South Africa, Ireland, the United Kingdom, Fiji, the Canadian Provinces of Ontario, Alberta, Manitoba, Saskatchewan and British Columbia, Australia and its individual States, and Antigua and Barbuda. In addition, the Commonwealth has produced model provisions to serve as a template for jurisdictions that wish to introduce such legislation.

This trend towards civil forfeiture has been prompted by the nature of organized crime. Organized crime heads use their resources to keep themselves distant from the crime that they are controlling and to mask the criminal origin of their assets. For this reason it has become extremely difficult to carry out successful criminal investigations leading to the prosecution and conviction of such individuals, with the result that finances derived from crime are often effectively out of the reach of the law and are available to be used to finance more crime. Such peaceful enjoyment of the proceeds of crime damages public confidence in the rule of law and provides harmful role models. This has led to a recognition that criminal confiscation regimes may be inadequate and ineffective in certain cases.

Traditionally, the use of OPS Risk strategies associated with civil asset forfeiture have their intersection with AML (Anti-Money Laundering) and Terrorist Financing. Moving money on a global basis utilizing the modern day "Hawala" or informal value transfer system requires smart people and sophisticated systems. Putting the person at the right place with the right evidence is the investigators "Holy Grail" yet there are other effective means for increasing that resiliency in the ecosystem.

The financial meltdown and economic crisis has impacted both the "Boy Scouts" and the "Wise Guys" on how to continue to prosper. The use of such tools such as Asset Forfeiture in combination with timely intelligence both Open Source and proprietary can provide the means for another effective Operational Risk strategy in a public / private consortium. The cooperation, coordination and collaboration of banking, hedge funds, broker dealers, insurance companies and private equity firms with federal and state task forces is a growing trend.

The mantra "Need to Know" is quickly being replaced with "A Responsibility to Provide" in the intelligence community and soon to be in the ranks of the financial private sector as it pertains to adapting to the transnational ecosystem. One good example of this momentum can be found in the rapidly growing education and awareness programs focused on this very subject:

Mission Statement

AssetForfeitureWatch.com is the indispensable source of news, information and training for law enforcement professionals and others working in the asset forfeiture field. At AssetForfeitureWatch.com, we understand that turning the proceeds of crime against criminals is one of the most powerful tools law enforcement agencies have for keeping communities safe, eliminating corruption, and crippling cross-border criminal enterprises. In offering training and education, an annual conference, live and Web seminars and an interactive community, AssetForfeitureWatch.com keeps its members on the leading edge of asset forfeiture strategy and practice.

The goal is to utilize the existing international legal framework to improve the resiliency of the "Transnational Ecosystem." Beyond the banking institutions are the governments and countries themselves who must make their decisions about their own business and commerce models. These havens across the globe will continue to exist because they don't have manufacturing capacity, IT outsourcing services or a port for trading and exporting raw materials. Therefore, they will continue to cater to the needs of suspect enterprises, non-state actors and even some rogue nations states.

So what is the lesson here? Reading between the lines. Assets in your portfolio, on your books, in the warehouse or even in your personal possession may soon be the property of a government entity near you.

operational risk

4GW: U.S. CyberSpace OPS Risk...

The Washington, DC beltway bandits are buzzing in anticipation of President Obama's selection for the next defender and policy maker for United States CyberSpace. We wonder what branch of the armed forces s/he will be associated with and to what degree they gain the agreement of the power base that CyberSpace is indeed a "Strategic National Asset", once and for all.

Meanwhile, OPS Risk Managers are dealing with transnational non-state actors (in some cases funded by nation states) that are robbing our private sector and government agencies blind. Stealing Personal Identifiable Information (PII), Corporate Intellectual Property, Defense R & D and classified State secrets. The next commander of U.S. CyberSpace has an even bigger job once the job starts; protecting and defending our country's vital Digital Infrastructure. This nexus of criminal, terrorist and irregular warfare is being waged on a 24/7 basis here in the homeland.

So how do you go about fighting this 4th Generation (4GW) war comprised of well organized, decentralized, clandestine subjects operating in the cyber shadows? This begins with creating an effective Information Sharing Environment (ISE), a fusion of who, what, when, how, where and maybe why. Defending the nation against the physical attacks of the likes of Al-Qaida or the virtual attacks from Yingcracker has some very interesting similarities.

If the next Secretary of U.S. CyberSpace is going to take the fight to those who wish to copy, delete, probe, scan, flood, bypass, steal, modify and spoof their way across our Digital Infrastructure, they could learn from this synopsis from Robert Haddick:

Does it take a network to beat a network?

On June 5 United States Joint Forces Command (USJFCOM) wraps up a week-long war game designed to test the Pentagon's vision of warfare in the future. The war game looks ahead to the year 2020 and examines how U.S. and allied military forces -- along with civilian government, non-government, and international institutions -- cope with a failing state, a globally networked terrorist organization, and a peer competitor. The results of the war game are supposed to influence the conclusions of this year's Quadrennial Defense Review, an in-depth review of the Pentagon's strategies.

Officials at USJFCOM won't discuss the results of the war game until at least July; many of the most interesting conclusions may remain classified. But the commander of USJFCOM, General James Mattis of the Marine Corps, described his vision of the future while delivering a speech at the Center for Strategic and International Studies.

Mattis discussed how today's adversaries have adapted to U.S. conventional military superiority by forming disaggregated networks of small irregular teams that hide among indigenous populations. United States military forces, by contrast, have only come under greater central control. According to Mattis, this shift is due to evolutions in intelligence-gathering and communications technologies. Call it the new iron law of military bureaucracies: when commanders gain the technical ability to micromanage, they will micromanage.

Mattis believes that in order to defeat modern decentralized networks, U.S. forces will have to become decentralized themselves. This will entail giving autonomy to and requiring initiative from the youngest junior leaders in the Army and Marine Corps. High-performance small infantry units, "a national imperative" according to Mattis, will need to operate independent from higher control, finding their own solutions to local problems as they implement broader policy guidance.

Whether the troops are fast roping out of helicopters or behind the flat screen detecting and analyzing the stealth cyber attack, the approach to defeating the adversaries is much the same. Infiltrating the "cells" and collecting valuable INTEL on the global enemy is what gives us the "Ground Truth." The commander for U.S. CyberSpace will soon be educated on the private sectors role in achieving this continuous and lofty goal of a creating more decentralized and clandestine citizen soldiers.

As the private sector battles the non-state actors for preservation and protection of valuable customer data, corporations are simultaneously being attacked by adversarial plaintiff lawyers.

U.S. insurer Aetna has been targeted in a lawsuit alleging it failed to protect personal information of employees and job applicants, documents indicate.

The lawsuit comes after Aetna, of Hartford, Conn., was struck by computer hackers to access a company Web site holding personal data for 450,000 current and former employees as well as job applicants, the Hartford Courant reported Wednesday.

The private sector would enjoy having our government involved in more proactive efforts to seek out and stop these criminal and terrorist entities that prey on organizations that remain vulnerable. The Operational Risks associated with litigation in the corporate enterprise are here to stay. If the public and private sector can once and for all coordinate, collaborate and "Share Information", we can disrupt, capture, prosecute and defeat our cyber adversaries.

operational risk