Archive for June, 2015
Michael D. Moberly June 15, 2015 ‘A blog where attention span really matters’!
Some time ago, there appeared to be a transition of sorts in language regarding computer – IT system security. What had traditionally been characterized as defensive actions (products, services, etc.) to prevent and/or mitigate computer – IT system vulnerabilities and infiltrations by hackers or economic-competitive advantage adversaries was undergoing change.
The language – terminology now used to describe what I believe to be similar phenomena is cyber-security and cyber-warfare. Are these distinctions without a difference? I don’t believe they are. The latter is presumed to be executable on a broader scale, with greater frequency, sophistication, stealth, and other asymmetric features which can destroy data, deploy various types of malware, or siphon (extract) specifically targeted data-based intangible assets from a single company and/or one of the pillars of our national infrastructure literally, in nanoseconds.
What troubles me most about the term cyber-warfare, particularly, is the inference that ‘all things evil’ to computer – IT system(s) originate from afar, that is, they are state sponsored or the product of growing numbers of organized and sophisticated non-state actors, i.e., legacy free adversaries.
Let’s be clear, however: I am not questioning whether either of these characterizations represents a regular, if not the primary, initiator, as there is ample evidence (anecdotal and otherwise) that this is the case.
The attention and alarms government agencies in particular sound regarding cyber threats and cyber warfare are warranted, and I seek neither to dispute nor diminish their significance. After all, the adverse cascading havoc to any nation’s infrastructure created by a single offensive cyber strike-attack, we must recognize, could be incalculably cataclysmic.
Obviously, there are on-going discussions – debates in c-suites globally regarding the most effective expenditure, strategy, and/or practice to mitigate, if not prevent, these persistent and ever larger risks. Only the uninformed would assume such challenges will dissipate in the future.
So, among CSOs (chief security officers), CROs (chief risk officers), CISOs (chief information security officers), CIPOs (chief intellectual property officers) and certainly legal counsel, sleep will surely be lost. Is it best to advocate your company or organization remain primarily in a defensive mode, e.g., repel, prevent, and contain? Or, independently engage in offensive and/or pre-emptive initiatives, assuming such actions will produce some level of deterrence versus the sustained risk and likelihood of escalation currently experienced?
Before any company travels too far down a particular strategic path, it’s important to recognize that the U.S. differs from many other countries in that most of the pillars of its national infrastructure are privately held and operated, apart from direct government control, as is the case in numerous other countries.
Thus, independent action (offensive, or pre-emptive) taken by a privately held company against a specific state sponsored actor or cyber adversary would produce, as yet unknown, reactions that may well exceed an inclination to publicly expose ‘who’s doing what to whom’. From an information (intangible) asset safeguard perspective, I believe the subject is being too narrowly framed and perhaps overly influenced by broader cyber security – warfare perspectives.
By continuing to frame computer-IT security in ever broader contexts, i.e., cyber security and cyber warfare, little or no space remains to recognize that companies’ mission critical, sensitive, proprietary, and competitive advantage intangible asset-based information routinely still exists in formats other than electronic ‘ones and zeros and bits and bytes’.
I am certainly not suggesting the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare is misguided. Instead, I am suggesting, such perceptions and the accompanying expenditures and strategies give short shrift to the…
economic fact that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in – evolve directly from intangible assets, e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital.
Thus, the value, profitability, and competitive advantage, etc., rightfully developed and owned by a company is not exclusively housed in a computer or IT system and therefore not exclusively vulnerable to cyber attacks or cyber warfare.
Too, information asset safeguard policies and practices dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatorial knowledge-intangible asset based global economy. In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames. Endeavoring to safeguard or secure these assets, in my view, should not be exclusively conceived or practiced solely through an IT – cyber security lens.
Instead, responsibilities for safeguarding valuable information (intangible) assets should be embedded in the (asset) developers’, owners’, and users’ respective orientation, ethic, and enterprise culture. The reason is, there is a consistent and irreversible rise in intangible asset intensive and dependent companies in which information assets exist not solely as conventional tangible assets, but rather as intangible assets, i.e., intellectual, structural, relationship, and competitive capital, etc.
As information (intangible) asset safeguard specialists know all too well, variations of a company’s – organization’s proprietary – sensitive business information are often prone to percolating throughout an enterprise, making it challenging to definitively restrict, confine, or limit their accessibility solely to conventional IT products, i.e., laptops, desktops, or ‘the cloud’. Again, it’s relevant to recognize that intellectual (structural, relationship, and competitive) capital seldom, if ever, can be wholly concentrated in electronic ‘ones, zeros, or bits and bytes’.
Similarly, information safeguard policies and practices supported by a presumptively superior IT – cyber security system-program can be misleading. For example, the assumption that if a company installs – executes a new IT-cyber security system and proclaims it to be effective, then its proprietary information is secure, seldom becomes the reality to which the company aspired. In today’s aggressively predatorial global business transaction environment, eager to acquire actionable intelligence that translates into lucrative competitive advantages, that is a message no company should, even inadvertently, be communicating.
(This post was inspired by NPR’s Tom Gjelten’s three part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th, 2015 on Morning Edition.)
Michael D. Moberly June 5, 2015 ‘A blog where attention span really matters’!
‘I really don’t know’ is my answer to this question. And, I should note that I am variously dubious of most who, for whatever reason, deem it necessary to say otherwise. That said, I trust my candid response does not deter further reading.
My rationale is, there are numerous factors (sociological, psychological, economic, personal convenience, and the availability of equal or greater alternatives) that play varying roles in how, why, or if consumers – stakeholders will react and, if so, whether such reactions may be felt economically, in supply chains, or as a diminution of competitive advantages.
I am writing this post in the early morning of June 4th. During the late afternoon of June 3rd, a proposed class action lawsuit was filed in a Manhattan federal court by four former employees of CVS who presumably held loss prevention positions. They claimed their superiors had ordered them to track minority customers which, as most know, translates to racial profiling, to which they voiced objections.
What prompted me to write about this specific event, among others of equal or greater import, is that NPR (Morning Edition) presented a 3 minute and 3 second segment about the CVS lawsuit, which I then read about in greater detail at Reuters.com, where the story originated.
The lawsuit (Simpson v. CVS Pharmacy Inc, U.S. District Court for the Southern District of New York, No. 15-cv-4261) included the possibility that these plaintiffs may soon be filing a companion complaint with the EEOC. Should this occur, it would presumably allow plaintiffs to add more claims to their ‘federal’ case. I do not know whether CVS acquired a ‘heads up’ to the filing of this suit, but I suspect, with confidence, they did. Regardless, Carolyn Castel, a spokesperson for the Rhode Island based CVS Health Corporation, said ‘CVS was shocked by the lawsuit and would fight the claims’.
While I cannot presume to speak for CVS customers and stakeholders, I have come to be receptive to the ageless adage ‘if-where there is smoke there is usually fire’. My receptivity to this adage is embedded in multiple years of serving in various administrative capacities in which, when adverse rumors, accusations, or innuendos came to my attention, I accepted a responsibility to engage each in a discreet follow-up to assess their veracity.
One can make the case that there are fewer business risks, when they may materialize, e.g., allegations that carry even the slightest adverse messaging can manifest as genuine reputation risks.
I, like numerous colleagues in the intangibles arena, listen to and/or read about the same company – management missteps and miscues in media (news) outlets charged with securing 24×7 content, which I suspect can render them receptive to portraying ‘news’ events in contexts with potential linkage to other events or imageries.
Ironically though, I seldom hear events which are clear predicates to potentially significant (company) reputation risk being characterized as such in mainstream and/or social media conveyances. About this, I remain particularly curious.
Media accounts are uncharacteristically absent of language-narrative that reports the potential for reputation risk to arise, even though growing numbers of adverse events that materialize produce some level of reputation risk fallout to the victim – targeted company before there has been a rebuttal or rational discussion as to their merits or truthfulness.
I am not suggesting the media standing alone are the instigators or precipitators of reputation risk to private sector firms but, to be sure, media characterizations do play a role in terms of how events are characterized for viewers, readers, and listeners, i.e., consumers and stakeholders.
Michael D. Moberly June 2, 2015 ‘A blog where attention span really matters’!
Throughout the 1960s, there was consistent reference by governments and defense sectors to MAD (mutually assured destruction), i.e., each side possessing sufficient nuclear ‘mega-tonnage’ to assure mutual destruction of the other, should war break out.
A similar analogy is evident today, but its origins do not lie in the delivery of nuclear weapons, rather in the delivery of massive cyber attacks designed to simultaneously take down and/or substantially disrupt multiple pillars of a targeted country’s infrastructure, à la MAD – ‘mutually assured (sector, grid) disruption’!
On the morning of September 11, 2001, I and countless others presumed the aircraft strikes in New York and Washington were diversionary, as tragic as they were, to be followed by massive cross sector cyber attacks. My anger and curiosity that a cyber attack was imminent prompted me to call acquaintances employed in various sectors throughout the U.S., one of which was the director of a top tier research university’s ‘super-computing’ center. My rationale was that a super-computing center would likely be an initial point of detection to a larger cyber attack should there be one in the offing. To my disillusionment, such a rationale was in error, at least in this instance.
The capability to thwart, mitigate, or contain the asymmetric and adverse cascading effects that a coordinated cyber attack would likely be designed to produce presents obvious challenges and creeping costs insofar as companies and organizations must keep pace with the infinite risks and threats which can seemingly materialize anytime and anyplace with no vapor trail, to maximize the intended infrastructure disruption and chaos.
I suspect there are management teams, c-suites, and boards, ranging from Fortune ranked firms to SMEs (small, medium enterprises), which have already engaged in discussions regarding the practicalities and costs of continuing to deploy state-of-the-art cyber attack – risk mitigation (data-information security) products.
There are two related reasons why I believe such discussions are inevitable…
- it is a globally universal and irreversible economic fact that rising percentages, 80+%, of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, primarily in the form of intellectual, structural, relationship-social and competitive capital.
- data/information generation, storage, and retrieval needs are continually ratcheting up to the mega-terabyte arena, particularly with the rapid recognition and rise of intangible asset intensive and dependent companies.
To be sure, efforts to thwart the actions of the growing global array of ultra-sophisticated economic and competitive advantage adversaries and legacy free players engaged in hacking and/or state sponsored entities capable of delivering massive cyber attacks are challenges which, at this juncture, cannot be dismissed or relegated to the uninitiated.
I am not suggesting companies disregard their fiduciary responsibilities or regulatory mandates. Instead, I am suggesting that, for a company to curtail the rising costs and operational disruptions associated with investing in and deploying ever more nuanced IT security products, and for those products to deliver consistent and measurable returns, technologies must be developed with capabilities to differentiate company information and data on a variable continuum. For example, introducing the capability to differentiate data-information that should receive the maximum safeguards, which initially I propose encompass these four factors, i.e., the (intangible) assets’…
- contributory value to a particular project, product, and/or the company’s mission.
- continued materiality to a particular project, product, and/or the company’s mission.
- relevance to a company’s reputation (image, goodwill, brand) etc.
Michael D. Moberly June 1, 2015 A blog where attention span really matters!
In the information asset protection community, there’s an adage, or perhaps more aptly characterized as an anecdotally rooted ‘rule of thumb’, the ’20-60-20 rule’ that still carries a timely relevance since it initially caught my attention some 25+ years ago. Through my lens, this represents a reasonable and plausible characterization of the persistent ‘insider threat’ which I endeavor to explain below.
Group 1 – 20% of the people we work with…are inherently honest and possess consistently high levels of (personal, professional) integrity. It’s quite unlikely individuals in this initial 20% would be influenced, inclined, or could be persuaded to engage in unethical or dishonest behaviors, acts, or violations of a company’s security or information safeguard policies or practices.
In other words, for these individuals there would be little or no concern they would be engaging in misappropriation – theft of proprietary information, trade secrets, or monetized elements of intellectual property (IP).
Group 2 – another 20% of the people we work with…function at the opposite end of this continuum of honesty – integrity. For these individuals, when their already thin sociological – psychological veneer is peeled back, it’s likely to reveal an inherently dishonest, unethical, and misguided persona with little, if any, sense of personal – professional integrity, or employer loyalty with respect to complying with company policies or government laws/regulations related to obligations for safeguarding proprietary information, trade secrets, or IP.
Too, these individuals would likely be receptive (have the internal propensity, proclivity) when certain opportunities avail or influencers are present to engage in unethical – illegal acts, i.e., theft or compromise of valuable, mission critical, and competitive advantage information (intangible) assets.
Group 3 – then there’s the 60% of the people we work with who are essentially ‘in the middle’, that is, they do not (overtly) demonstrate any particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employers’ proprietary information, trade secrets, or IP at risk or in jeopardy. In other words, these individuals are likely to be honest and ethical.
There is a disappointing and frustrating nuance to Group 3 however. That is, anecdotal evidence which suggests individuals functioning at the fringe of this group, i.e., closest to Group 2 on the continuum, are recognizing the persistent overtures from external entities engaged in solicitation-elicitation initiatives to misappropriate or publicly leak their employers’ proprietary information assets.
This phenomenon is particularly worrisome…to information safeguard specialists on many levels, one of which is that such (highly personal and embedded) proclivities – propensities may be unknown at the time of hire, i.e., go undetected – unobserved in conventional pre-employment screening and interview processes. In current parlance, they may be unwitting sleepers whose adverse proclivities may be awakened and influenced at some future point by the employee’s interpretation-assessment of…
- their employer’s reactions and sanctions imposed on those caught violating company information safeguard practices and policies.
- the degree, level, and consistency of monitoring in which their employer engages relative to safeguarding its proprietary information, IP, and trade secrets.
- the persistence of external advances and their potential lucrative outcomes.
Admittedly, there is nothing particularly scientific or legally defensible…regarding the 20-60-20 perspective, other than to say it probably evolved from well intentioned ‘anecdotal guesstimates’ and observed incidents. Regardless, for those finding relevance in this phenomenon, it does draw, and properly so, our attention to the persistent and very costly challenges presented by ‘insiders’, whomever they may be, and the necessity for more effective pre-employment screening and regular monitoring.
One rather practical approach to addressing such insider challenges can be attributed to the always forward looking Esther Dyson, when she remarked, ’it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who can access the proprietary – competitive advantage information that necessitates safeguarding).
I suspect Ms. Dyson may not be familiar with the ‘20-60-20’ adage described here and its relevance to the hyper-competitive, aggressively predatorial, entrepreneurial spirited, and winner-take-all global business transaction environment.
But, there is practical reality embedded in Ms. Dyson’s remark, at least in terms of ‘people we work with’ and their propensity – receptivity, at some point in their career, not just their first week of employment, but, after undergoing various ‘snap-shots-in-time’ pre-employment screenings, to engage in adverse acts!
While most of my operational familiarity with ‘insiders’ is a direct result of personal experiences, I respectfully attribute some of my current thinking and approaches for addressing this persistent challenge to the excellent work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.