Archive for 'Cyber security'

Cyber Warfare – Security Language Is Reframing Our Perspective

June 15th, 2015. Published under Cyber security, cyber warfare., Intangible asset protection. No Comments.

Michael D. Moberly    June 15, 2015   ‘A blog where attention span really matters’!

Some time ago, there appeared to be a transition of sorts in language regarding computer – IT system security. What had traditionally been characterized as defensive actions (products, services, etc.) to prevent and/or mitigate computer – IT system vulnerabilities and infiltrations by hackers or economic-competitive advantage adversaries was undergoing change.

The language – terminology now used to describe what I believe to be similar phenomena is cyber-security and cyber-warfare. Are these distinctions without a difference? I don’t believe they are. The latter is presumed to be executable on a broader scale, with greater frequency, sophistication, stealth, and other asymmetric features which can destroy data, deploy various types of malware, or siphon (extract) specifically targeted data-based intangible assets from a single company and/or one of the pillars of our national infrastructure, literally, in nanoseconds.

What troubles me most about the term cyber-warfare particularly is the inference that ‘all things evil’ to computer – IT system(s) originate from afar, that is, they are state sponsored or the product of growing numbers of organized and sophisticated non-state actors, i.e., legacy free adversaries.

Let’s be clear, however: I am not questioning whether either of these characterizations is a regular, if not the primary, initiator, as there is ample evidence (anecdotal and otherwise) that this is the case.

The attention and alarms government agencies particularly sound regarding cyber threats and cyber warfare are warranted and I seek not to dispute nor diminish their significance.  After all, the adverse cascading havoc to any nation’s infrastructure created by a single offensive cyber strike-attack, we must recognize, could be incalculably cataclysmic.

Obviously, there are on-going discussions – debates in c-suites globally regarding the most effective expenditure, strategy, and/or practice to mitigate, if not prevent these persistent and ever larger risks. Only the uninformed would assume such challenges will dissipate in the future.

So, among CSOs (chief security officers), CROs (chief risk officers), CISOs (chief information security officers), CIPOs (chief intellectual property officers) and certainly legal counsel, sleep will surely be lost. Is it best to advocate that your company or organization remain primarily in a defensive mode, e.g., repel, prevent, and contain? Or should it independently engage in offensive and/or pre-emptive initiatives, assuming such actions will produce some level of deterrence versus the sustained risk and likelihood of escalation currently experienced?

Before any company travels too far down a particular strategic path, it’s important to recognize that the U.S. is distinctive from many other countries in that most of the pillars to its national infrastructure are privately held and operated, apart from direct government control as is the case with numerous other countries.

Thus, independent action (offensive, or pre-emptive) taken by a privately held company against a specific state sponsored actor or cyber adversary would produce, as yet, unknown reactions that may well exceed an inclination to publicly expose ‘who’s doing what to whom’. From an information (intangible) asset safeguard perspective, I believe the subject is being too narrowly framed and perhaps overly influenced by broader cyber security – warfare perspectives.

By continuing to frame computer-IT security in ever broader contexts, i.e., cyber security and cyber warfare, little or no space remains to recognize that companies’ mission critical, sensitive, proprietary, and competitive advantage intangible asset-based information routinely still exists in formats other than electronic ‘ones and zeros and bits and bytes’.

I am certainly not suggesting the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare is misguided.   Instead, I am suggesting, such perceptions and the accompanying expenditures and strategies give short shrift to the…

economic fact that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in – evolve directly from intangible assets, e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital.

Thus, the value, profitability, and competitive advantage, etc., rightfully developed and owned by a company is not exclusively housed in a computer or IT system and therefore not exclusively vulnerable to cyber attacks or cyber warfare.

Moreover, information asset safeguard policies and practices dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatorial knowledge- and intangible asset-based global economy. In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames. Endeavoring to safeguard or secure these assets, in my view, should not be conceived or practiced solely through an IT – cyber security lens.

Instead, responsibilities for safeguarding valuable information (intangible) assets should be embedded in the respective orientation, ethic, and enterprise culture of the assets’ developers, owners, and users. The reason is that there is a consistent and irreversible rise in intangible asset intensive and dependent companies, in which information assets exist not solely as conventional tangible assets but rather as intangible assets, i.e., intellectual, structural, relationship, and competitive capital, etc.

As information (intangible) asset safeguard specialists know all too well, variations of a company’s – organization’s proprietary – sensitive business information are often prone to percolating throughout an enterprise, making it challenging to definitively restrict, confine, or limit its accessibility solely to conventional IT products, i.e., laptops, desktops, or ‘the cloud’. Again, it’s relevant to recognize that intellectual (structural, relationship, and competitive) capital seldom, if ever, can be wholly concentrated in electronic ‘ones, zeros, or bits and bytes’.

Similarly, information safeguard policies and practices supported by a presumptively superior IT – cyber security system-program can be misleading. For example, when a company installs a new IT-cyber security system and proclaims it to be effective, the implied conclusion, that the company’s proprietary information is now secure, seldom becomes the reality the company aspired to. In today’s aggressively predatorial global business transaction environment, eager to acquire actionable intelligence that translates into lucrative competitive advantages, that is a message no company should, even inadvertently, be communicating.

 (This post was inspired by NPR’s Tom Gjelten’s three part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th, 2015 on Morning Edition.)

Cyber Attacks Mutually Assured Disruption of Intangible Assets!

June 3rd, 2015. Published under Cyber security, cyber warfare., Intangible asset protection. No Comments.

Michael D. Moberly   June 2, 2015   ‘A blog where attention span really matters’!

Throughout the 1960s, there was consistent reference by governments and defense sectors to MAD (mutually assured destruction), i.e., each side possessing sufficient nuclear ‘mega-tonnage’ to assure mutual destruction of the other, should war break out.

A similar analogy is evident today, but its origins do not lie in the delivery of nuclear weapons but rather in the delivery of massive cyber attacks designed to simultaneously take down and/or substantially disrupt multiple pillars of a targeted country’s infrastructure, à la MAD – ‘mutually assured (sector, grid) disruption’!

On the morning of September 11, 2001, I and countless others presumed the aircraft strikes in New York and Washington were diversionary, as tragic as they were, to be followed by massive cross sector cyber attacks. My anger and curiosity that a cyber attack was imminent prompted me to call acquaintances employed in various sectors throughout the U.S., one of which was the director of a top tier research university’s ‘super-computing’ center. My rationale was that a super-computing center would likely be an initial point of detection to a larger cyber attack should there be one in the offing. To my disillusionment, such a rationale was in error, at least in this instance.

The capability to thwart, mitigate, or contain the asymmetric and adverse cascading effects that a coordinated cyber attack would likely be designed to produce presents obvious challenges and creeping costs, insofar as companies and organizations must keep pace with the infinite risks and threats which can seemingly materialize anytime and anyplace with no vapor trail, in order to maximize the intended infrastructure disruption and chaos.

I suspect there are management teams, c-suites, and boards, ranging from Fortune ranked firms to SMEs (small and medium enterprises), which have already engaged in discussions regarding the practicalities and costs of continuing to deploy state-of-the-art cyber attack – risk mitigation (data-information security) products.

There are two related reasons why I believe such discussions are inevitable…

  • it is a globally universal and irreversible economic fact that rising percentages, 80+%, of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, primarily in the form of intellectual, structural, relationship-social and competitive capital.
  • data/information generation, storage, and retrieval needs are continually ratcheting up to the mega-terabyte arena, particularly with the rapid recognition and rise of intangible asset intensive and dependent companies.

To be sure, efforts to thwart the actions of the growing global array of ultra-sophisticated economic and competitive advantage adversaries and legacy free players engaged in hacking and/or state sponsored entities capable of delivering massive cyber attacks are challenges which, at this juncture, cannot be dismissed or relegated to the uninitiated.

I am not suggesting companies disregard their fiduciary responsibilities or regulatory mandates. Instead, I am suggesting that if a company wants to curtail the rising costs and operational disruptions of investing in and deploying ever more nuanced IT security products, while still obtaining consistent and measurable returns, technologies must be developed with the capability to differentiate company information and data along a variable continuum. For example, that means the capability to single out the data-information that should receive the maximum safeguards, which I initially propose should encompass these four factors, i.e., the (intangible) assets’…

  1. contributory value to a particular project, product, and/or the company’s mission.
  2. continued materiality to a particular project, product, and/or the company’s mission.
  3. relevance to a company’s reputation (image, goodwill, brand) etc.

New Drivers of Computer/IT Security: Contributory Value, Materiality, and Risk!

November 4th, 2014. Published under Cyber security, Enterprise risk management.. 1 Comment.

Michael D. Moberly   November 4, 2014   ‘A blog where attention span really matters’!

Achieving efficiencies by differentiating the information and data being safeguarded…

Setting aside, for the moment, statutory and regulatory mandates, I am increasingly confident the day is quickly approaching (in many instances, in my judgment, it already has) when it becomes impractical for companies to assume the costs and time of installing ever bigger, one-size-fits-all, snapshot-in-time firewalls and data/information security – protection systems and products to try to thwart the growing numbers of intensely sophisticated global economic and competitive advantage adversaries and legacy free players, aka hackers.

There are two key and inter-related reasons why I believe this is not only true, but an inevitability.

First, it is a globally universal and irreversible economic fact that rising percentages – 80+% – of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, primarily in the form of intellectual, structural, and relationship/social capital and other forms of intellectual property.

Second, data/information generation, storage, and archival needs are continually ratcheting up from megabytes and gigabytes to terabytes and beyond, particularly in intangible asset intensive and dependent companies and R&D sectors.

So, out of necessity to achieve cost efficiencies and a more specified return on investment, technologies must be developed with heretofore unique capabilities to differentiate the company information and data that should receive the maximum IT/computer safeguards, which I initially propose should encompass the following four factors, i.e., the (intangible) assets’…

  • contributory value to a particular project, product, and/or the company’s mission.
  • continued materiality to a particular project, product, and/or the company’s mission.
  • level of assessed risk to theft, infringement, misappropriation, etc.
  • relevance to a company’s reputation (image, goodwill, brand) etc.

IT-Cyber Security Driven By Data/Information Value

October 29th, 2014. Published under 'Safeguarding Intangible Assets', Cyber security. No Comments.

Michael D. Moberly    October 29, 2014   ‘A long form blog where attention span really matters’.

Computer/IT breaches breeding grounds for reputation risks…

Wisely, businesses are, for compliance, liability, and reputation reasons, quietly, but rather desperately seeking current and what they believe to be the most effective technologies and software to secure the data and information they produce, transmit, and store which has presumptively and legally been entrusted to their care and control.

Prompting and exacerbating these circumstances have been numerous, very public data breaches and thefts, particularly those afflicting large retailers victimized by conglomerations of hackers who acquire untold numbers of personal identifiers and credit information.

Certainly there is no argument here: when such adverse events/acts successfully target a business, in most instances they, quite correctly, produce very public outcry and oversight agency ridicule which, in many instances, rapidly manifests as reputation risk, which an unfortunately high percentage of c-suites and management teams appear to assume can be just as rapidly stabilized or favorably reversed.

How such adverse events are conceptualized…

What I am proposing is that an unnecessarily high percentage of business leaders and management teams, including the IT/computer security software development community, are inclined to conceptualize adverse events affecting data/information, and the economic, competitive advantage, and reputation challenges that follow, through a security lens rather than an asset value and safeguard lens.

Of all the seminars and product demonstrations I have attended over the span of 25+ years, I am hard pressed to recall any IT/computer security software developer, manufacturer, or vendor framing their products’ advantages in an asset (data, information) value and/or safeguard context.

Asset value can be characterized in many ways…

Asset value of course can be characterized in numerous contexts, aside from the conventional dollar guesstimates, e.g. its proprietary status, its sensitivity to its owner – holder, or its ‘contributory value’.

Efficiencies will accrue…

I am suggesting that efficiencies can accrue to data/information safeguards if IT/computer security…

  • were designed to reflect data/information value vs. the ever changing and sophisticated risk – threat trends emanating from the global hacking and cyber warfare entities.
  • software were designed to detect and differentiate information asset value fluctuations and materiality and reflect same in gradations of data/information security.

Efficiencies would then accrue to IT security systems, and to companies in general, merely by not treating all data/information as if it had equal standing or a constant value.
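As a concrete illustration of the gradation proposed here, and of the four factors listed in the preceding post (contributory value, materiality, assessed risk, reputation relevance), the following Python script is an added example and not the author’s own tooling. The 0 to 3 rating scale, the tier thresholds, the control sets per tier, and the rule that materiality drops one level for each idle review interval are all assumptions chosen for illustration. It rates constructed sample assets, maps the composite score to a protection tier, and shows how a decline in materiality over time lowers the tier, i.e., the ‘value fluctuation’ the second bullet asks security software to detect.

```python
from dataclasses import dataclass, replace

# Constructed example, not the author's tooling: the four factors the post
# proposes, each rated 0 (none) to 3 (critical). Scale is an assumption.
LEVELS = range(0, 4)
FACTORS = ("contributory_value", "materiality",
           "assessed_risk", "reputation_relevance")


@dataclass(frozen=True)
class AssetRating:
    name: str
    contributory_value: int    # contribution to a project, product or the mission
    materiality: int           # continued materiality to that project or mission
    assessed_risk: int         # assessed risk of theft, infringement, misappropriation
    reputation_relevance: int  # relevance to reputation (image, goodwill, brand)

    def __post_init__(self):
        for field in FACTORS:
            if getattr(self, field) not in LEVELS:
                raise ValueError(f"{field} must be 0..3, got {getattr(self, field)}")


# Tier thresholds on the 0..12 composite score (assumed values).
TIER_THRESHOLDS = (("maximum", 10), ("elevated", 6), ("baseline", 0))

# Gradated safeguards per tier (assumed, illustrative control sets).
CONTROLS = {
    "baseline": ["role-based access", "standard backups"],
    "elevated": ["role-based access", "standard backups",
                 "encryption at rest", "access logging reviewed weekly"],
    "maximum":  ["role-based access", "standard backups",
                 "encryption at rest", "access logging reviewed daily",
                 "need-to-know access with approval",
                 "data loss prevention alerts"],
}


def composite_score(r: AssetRating) -> int:
    """Sum of the four factor ratings, 0..12."""
    return sum(getattr(r, field) for field in FACTORS)


def protection_tier(r: AssetRating) -> str:
    """Map the composite score to the first tier whose threshold it meets."""
    score = composite_score(r)
    for tier, threshold in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "baseline"


def controls_for(r: AssetRating) -> list[str]:
    """Safeguards that apply to the asset at its current tier."""
    return CONTROLS[protection_tier(r)]


def age_materiality(r: AssetRating, days_since_last_use: int,
                    review_interval_days: int = 90) -> AssetRating:
    """Model materiality fluctuation: lose one materiality level for every
    full review interval the asset has sat unused (assumed decay rule)."""
    if days_since_last_use < 0 or review_interval_days <= 0:
        raise ValueError("days must be non-negative and interval positive")
    levels_lost = days_since_last_use // review_interval_days
    return replace(r, materiality=max(0, r.materiality - levels_lost))


def classify_portfolio(ratings, days_since_last_use: dict[str, int]) -> dict[str, str]:
    """Re-rate a set of assets after ageing their materiality; returns name -> tier."""
    result = {}
    for r in ratings:
        aged = age_materiality(r, days_since_last_use.get(r.name, 0))
        result[r.name] = protection_tier(aged)
    return result


if __name__ == "__main__":
    # Constructed sample assets: a current pricing model and an old brochure.
    pricing_model = AssetRating("pricing-model", 3, 3, 3, 2)
    old_brochure = AssetRating("2013-brochure", 1, 1, 0, 1)
    for asset in (pricing_model, old_brochure):
        print(asset.name, composite_score(asset), protection_tier(asset),
              controls_for(asset))
    aged = age_materiality(pricing_model, days_since_last_use=200)
    print("pricing-model after 200 idle days:", protection_tier(aged))
```

Run as a script it prints each asset’s score, tier and control set, then shows the pricing model dropping from the maximum tier to the elevated tier once two idle review intervals have eroded its materiality. The point of the design is that the control set follows the rating rather than the storage location: the same file on the same server gets fewer safeguards as its materiality fades and more when its assessed risk rises, rather than every file receiving one fixed bundle.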

As always reader comments are most welcome!

Cyber Attacks…Nothing Particularly New!

March 6th, 2013. Published under Cyber security, cyber warfare., Economic Espionage. No Comments.

Michael D. Moberly   March 6, 2012   ‘A blog where attention span matters’!

Is there really anything particularly new here…

I will be as respectful as I’m able to the purveyors of this ‘certainly nothing new here’ message, which appears to originate largely from various government agency spokespersons as well as, let’s call them what they are, computer/IT security firms.

Frankly, I tend to hold the view that when ‘consistent messaging’ originates ‘inside the beltway’ and makes its way to the countless media outlets, it is for a reason. That is, there is usually a motive (or motives), sometimes good, sometimes not-so-good, underlying the message.

In the case of the current proliferation of ‘cyber attack’ messages, for those of us who have had our respective ears to the ground on such matters for years, the messages we’re now hearing come as no particular surprise. Rather, they’re more akin, at least in my view, to ratcheting up a quite natural progression of economic and competitive advantage ‘attacks’, which now carry far greater consequences, due in large part to the globally universal reliance on and functionality of IT and computer systems embedded throughout our most critical national infrastructures as well as the most mundane kitchen appliances.

The difference is, today’s intrusions potentially produce more grave, cascading, and far-reaching adverse consequences.

An agricultural metaphor…

What I find disappointing about these messages and their purveyors, though, is that many seem to adhere to the axiom that the best technique to create the rapid and wide-spread attention necessary to influence public opinion and obtain supportive responses and/or reactions is to (a.) express the acts’ potential criticality through worst case scenarios, (b.) direct the message to the most fertile ground, i.e., audience, (c.) plant that ground with ‘FUD’ seeds, i.e., fear, uncertainty, and doubt, and then (d.) elicit rapid growth of those seeds through fertilization from IT/computer security firms, many of which heretofore would have been extremely reluctant, if not prohibited, from naming their clients or publicly espousing their findings.

In most circumstances with which I’m familiar, companies who engage outside IT/computer security and forensic investigation services do so with strict confidentiality and non-disclosure agreements in place. That’s because the adverse reputation risks and stakeholder responses such publicity would instantaneously spark if adverse findings became public may prompt more significant and longer lasting economic and competitive advantage challenges than the adverse acts themselves. That’s certainly not to suggest I am advocating silence on such issues. Rather, in many instances, the actual impact and losses associated with illicit and/or illegal intrusions are generally difficult to measure and/or quantify in dollar terms, aside of course from consumer and market reactions.

Clarity…

Let’s try to bring some clarity to this issue. First of all, these intrusions are taking place. To that, there is absolutely no argument. It’s just that they’re occurring with more frequency and greater intensity and sophistication, which collectively allows them to evade many conventional and even some state-of-the-art detection and repulsion systems.

Secondly, let’s be clear: regardless of whether the intruders are state or non-state actors, over-zealous DEF CON attendees, or high school prodigies, it’s not solely the intellectual property (IP) being sought. By that I mean it does not require a Juris Doctor (law) degree to understand that IP consists of patents, trademarks, copyrights, and trade secrets.

Having studied and investigated a range of economic espionage issues for 20+ years, i.e., since the Economic Espionage Act was rolled out in 1996, I personally and professionally hold the view that it’s bordering on a disservice, if not utterly misleading, to characterize this issue as being solely about – directed to the theft of U.S. companies’ IP. After all, patents are registered with the U.S. Patent and Trademark Office and once issued they’re reported in the public domain, so certainly no secrets there.

As this issue regularly reaches the agenda of c-suites, boards, and management teams and they become more personally apprised of and engaged in this inevitable, progressive, and persistent challenge, I want them to recognize it may more likely be the ‘proprietary know how’ and other intangible assets the adversaries are seeking, not necessarily their company’s intellectual property per se. Of course, intrusions are executed for a variety of reasons, among them reconnoitering a system’s defenses and seeking undetectable paths to proceed as far as possible to eventually access what they’re after.

Glad someone is taking notice…

So ultimately, whether the ‘bad guys’ are state/non-state actors engaging in economic espionage, or whether the acts are consummated through human elicitation – solicitation techniques, willing (insider) participants, and/or ultra-sophisticated cyber technologies, it remains nothing particularly new. But I’m sure glad someone is now taking notice!

My blog posts are researched and written by me with the genuine intent they serve as a worthy and respectful venue to elevate awareness and appreciation for intangible assets throughout the global business community.  Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk.  As such, my blog posts are not intended to be quick bites of information, unsubstantiated commentary, or single paragraphed platforms to reference other media. 

Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction.  I always welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com

Cyber Security Presidential Directive: Reputation Risk, Liability Exposure, and Reluctance to Share…

February 15th, 2013. Published under Cyber security, cyber warfare.. No Comments.

Michael D. Moberly    February 15, 2013

To perhaps better appreciate the necessity for the current escalation of national cyber-security initiatives and the associated Presidential Directive, Congressional hearings, lobbying, and blogosphere pros and cons, etc., it’s important to understand that the U.S.’s critical infrastructure sectors are distinctive in comparison to numerous other countries, e.g., the European Union for one. Throughout the EU, much, if not all, of the operation, oversight, management, and protection/security responsibilities for critical infrastructure sectors remain largely in the hands of relevant government entities.

In the U.S., on the other hand, the 18 critical infrastructure sectors, as identified by DHS, have been sliced and diced so many different ways and by so many different (private sector) companies that I’m quite confident sharing/communicating in a timely manner (a.) a company’s cyber risks, threats, and vulnerabilities, and (b.) the increasingly probable probes, attacks, and breaches they experience will not, at least initially, be a very ‘comfortable’ process, due in large part to (c.) potential liability exposure and reputation risk, and (d.) the extraordinary value such information would present to any adversary should they access/acquire it.

One strategy which I suspect may be more palatable for c-suites and boards insofar as the detailed ‘sharing’ of incidents is recognizing the extraordinarily costly and quite possibly irreversible reputation risks that will inevitably follow should they elect to opt out, be dismissive of, or merely not comply, in principle or in spirit, with the Presidential Directive.  Of course, that will exacerbate many times over should they fall prey to an adverse cyber event that would cascade beyond the confines of a single company to infect an entire (infrastructure) sector.

One reality shared by numerous companies with which I’m familiar, along with their c-suites, boards, and legal counsel, is that under most circumstances, unless literally mandated to do otherwise, it is seldom in their interest, for a variety of reasons, to be overly ‘public’ about victimizations, particularly among globally operating companies which strive to sustain amicable trading – transaction relationships, unless of course it is a mandated (legal) requisite that is actually enforced.

Actually safeguarding U.S. national (critical) infrastructure sectors from cyber acts/events carries some significant challenges because (a.) in most instances, a physical and digital interdependence and inter-connectivity exists in and between sectors which requires high levels of collaboration and sharing, (b.) there are different organizational and operating structures in the various companies which will inevitably complicate the compilation of the data/information, (c.) some critical infrastructure sector companies have multi-national ownership, and (d.) c-suites and boards will inevitably interpret the Presidential Directive as an additional fiduciary responsibility whose scope reaches well beyond the bare essentials and/or minimums versus utilizing known best practices or standards.

Initially, when I and many of my then university-based colleagues applied the term ‘national critical infrastructure’ in the mid-to-late 1980s, the components were referred to as ‘pillars’ and were only nine in number. Today, the Department of Homeland Security has refined and extended that number to eighteen and refers to them as infrastructure sectors, i.e.,

  1. Food and agriculture
  2. Banking and finance
  3. Chemical
  4. Commercial facilities
  5. Communications
  6. Critical manufacturing
  7. Dams
  8. Emergency services
  9. Defense industrial base
  10. Energy
  11. Government facilities
  12. Healthcare
  13. Information technology
  14. National monuments and icons
  15. Nuclear reactors including materials and waste
  16. Postal and shipping
  17. Transportation systems, and
  18. Water

I, along with numerous colleagues experienced in the information (intangible) asset protection and economic espionage arena have long realized it is challenging to (a.) create an environment and/or the necessary (company) culture in which (b.) timely detection of adversary probing and/or system compromise or asset theft occurs.  It’s even more challenging to assemble such data and portray it in quantifiably reliable, ‘dollar contexts’.

On a cautionary note however, the public domain is chock-full of variously corroborated anecdotes, all well earned, of state-sponsored entities engaged in, for the most part to date, relatively low level and non-cascading cyber attacks, aside of course, from the theft of proprietary information and intellectual capital.  I believe it’s reasonable to suggest, that in a number of critical infrastructure sector c-suites and boardrooms, there may be a predisposition, again, well earned, to assign (assume) any offensive cyber probing, attacks, and/or breaches to particular state-sponsored entities or otherwise emanating from specific countries.

The fact is, the catalog of potential culprits possessing both the means and motives to engage in cyber attacks has expanded into the realm of well-taught and under-the-radar ‘legacy free players’ globally. So, I would respectfully add that critical infrastructure sector companies should exercise prudence before assuming that a ‘handful’ of state-sponsored actors are the only ‘players’ in this extremely high stakes circumstance.
