Archive for 'cyber warfare.'

Lethal Autonomous Weapons Systems’ Intangibles

May 5th, 2016. Published under Communicating Risk, cyber warfare.. No Comments.

Michael D. Moberly April 5, 2016 ‘A blog where attention span really matters’!

Lethal autonomous weapons systems (LAWS) represent, in my judgment, an inevitable, but, as yet, incomplete class of weapons embedded with capabilities to independently select and engage targets (adversaries) without human (operator) assessment and/or interventional oversight.

LAWS are unlike existing (conventional) pilotless drone ‘aircraft’ in the sense they are – will be largely, if not wholly, autonomous. In other words, as I have come to understand LAWS, once deployed in various manifestations, they can surveil, assess, and execute in a wholly independent manner presumably with internal assessment and decisional guidance wrapped in AI (artificial intelligence) software.

The development and introduction of remotely piloted – controlled drones for operation in theaters of combat. counter-insurgency and counter-terrorism and for surveillance and intelligence gathering serve as real time hedges favoring expansion of risk adverse strategies, particularly, human life. Obviously, drones deployed in war fighting circumstances can deliver devastating munitions to specified adversaries – targets with the aid of satellite and global positioning systems, but only at the direction of their human operators and overseers, thus mitigating risk to requisite for ‘boots on the ground’.

Presumably LAWS, on the other hand, will be designed – programmed with capabilities to identify, assess, and self-authorize target engagement, i.e., seek, find, distinguish, select, and engage targets absent human intervention or oversight ala simultaneous introduction of infinite numbers of ‘jason bournes’ to a conflict theater. LAWS could presumably function (also) as ‘defensive’ weapons, i.e., as a theater interceptor – destroyer of an adversaries’ incoming munitions to supplant human reaction times.

Aside from the autonomy and independence of such weapons systems, their development and use is presumably intended to mitigate – favorably affect human’s – societies’ intangible senses – perceptions of risk, fear, and safety, while simultaneously serving as formidable strategic deterrents each being an intangible. To be sure, adversaries and allies alike are aggressively pursuing comparable-competing LAW war fighting capabilities, the theater functionality of which may be more-less effective, at which time the aforementioned intangible (asset) senses will likely change accordingly.

This post was inspired by the writings of Heather M. Roff, particularly an article published in Slate Magazine (online) dated April 7, 2016, titled ‘Killer Robots on the Battlefield: The Danger of Using a War of Attrition Strategy with Autonomous Weapons’ in advance of her testimony at the U.N.’s, April 11, 2016 ‘Convention on Certain Conventional Weapons’ in Geneva.

Cyber Warfare – Security Language Is Reframing Our Perspective

June 15th, 2015. Published under Cyber security, cyber warfare., Intangible asset protection. No Comments.

Michael D. Moberly    June 15, 2015   ‘A blog where attention span really matters’!

Some time ago, there appeared to be a transition of sorts in language regarding computer – IT system security. What had traditionally been characterized as defensive actions (products, services, etc.) to prevent and/or mitigate computer – IT system vulnerabilities and infiltrations by hackers or economic-competitive advantage adversaries was undergoing change.

The language – terminology now used to describe what I believe to be similar phenomena are cyber-security and cyber-warfare.  Are these distinctions without a difference?, I don’t believe they are. The latter is presumed to be executable on a broader scale, with greater frequency, sophistication, stealth, and other asymmetric features which can destroy data, deploy various types of malware, or siphon (extract) specifically targeted data-based intangible assets from a single company and/or one of the pillars to our national infrastructure literally, in nanoseconds.

What troubles me most about the term cyber-warfare particularly, is the inference that ‘all things evil’ to computer – IT system(s) originate from afar, that is, they are state sponsored or the product of growing numbers of organized and sophisticated non-state actors, i.e., legacy free adversaries.

Let’s be clear however, I am not questioning whether either of these characterizations are regular, if not the primary initiators, as there is ample evidence (anecdotal and otherwise) that is the case.

The attention and alarms government agencies particularly sound regarding cyber threats and cyber warfare are warranted and I seek not to dispute nor diminish their significance.  After all, the adverse cascading havoc to any nation’s infrastructure created by a single offensive cyber strike-attack, we must recognize, could be incalculably cataclysmic.

Obviously, there are on-going discussions – debates in c-suites globally regarding the most effective expenditure, strategy, and/or practice to mitigate, if not prevent these persistent and ever larger risks. Only the uninformed would assume such challenges will dissipate in the future.

So, among CSO’s (chief security officers), CRO’s (chief risk officers), CISO’s (chief information security officers), CIPO’s (chief intellectual property officers) and certainly legal counsel, sleep will surely be lost. Is it best to advocate your company or organization remain primarily in a defensive mode, e.g., repel, prevent, and contain?, or, independently engage in offensive and/or pre-emptive initiatives assuming such actions will produce some level of deterrence versus the sustained risk and likelihood of escalation currently experienced.

Before any company travels too far down a particular strategic path, it’s important to recognize that the U.S. is distinctive from many other countries in that most of the pillars to its national infrastructure are privately held and operated, apart from direct government control as is the case with numerous other countries.

Thus, independent action (offensive, or pre-emptive) taken by a privately held company against a specific state sponsored actor or cyber adversary would produce, as yet, unknown reactions that may well exceed an inclination to publicly expose ‘who’s doing what to whom’. From an information (intangible) asset safeguard perspective, I believe the subject is being too narrowly framed and perhaps overly influenced by broader cyber security – warfare perspectives.

By continuing to frame computer-IT security in ever broader contexts, i.e., cyber security and cyber warfare, little or no space remains to recognize companies’ mission critical, sensitive, proprietary, and competitive advantage intangible asset-based information routinely still exist in formats other than electronic ‘ones and zeros and bits and bytes’.

I am certainly not suggesting the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare is misguided.   Instead, I am suggesting, such perceptions and the accompanying expenditures and strategies give short shrift to the…

economic fact that 80+% of most company’s value, sources of revenue, and ‘building blocks’  for growth, sustainability, and profitability today lie in – evolve directly from intangible assets e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital. 

Thus, the value, profitability, and competitive advantage, etc., rightfully developed and owned by a company is not exclusively housed in a computer or IT system and therefore not exclusively vulnerable to cyber attacks or cyber warfare.

Too, information asset safeguard policies and practices dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatorial knowledge-intangible asset based global economy.  In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames.  Endeavoring to safeguard or secure these assets, in my view, should not be exclusively conceived or practiced solely through an IT – cyber security lens.

Instead, responsibilities for safeguarding valuable information (intangible) assets should be embedded in (asset) developers-owners-users respective orientation, ethic, and enterprise culture. The reason is, there is consistent and irreversible rise in intangible asset intensive and dependant companies in which information assets exist not solely as conventional tangible assets, rather as intangible assets, i.e., intellectual, structural, relationship, and competitive capital, etc.

As information (intangible) asset safeguard specialists know all too well, variations of a company’s – organization’s proprietary – sensitive business information is often prone to percolatating throughout an enterprise making it challenging to definitively restrict, confine, or limit its accessibility solely to conventional IT products, i.e., laptops desktops, or ‘the cloud’.  Again, it’s relevant to recognize that intellectual (structural, relationship, and competitive) capital seldom, if ever can be wholly concentrated in electronic ‘ones, zeros, or bits and bytes’.

Similarly, information safeguard policies and practices supported by a presumptively superior IT – cyber security system-program, can be misleading. For example, if a company installs – executes a new IT-cyber security system is proclaimed it to be effective, presumably then, a company’s proprietary information is secure, seldom becomes the reality which the company aspired.  In today’s aggressively predatorial global business transaction environment eager to acquire actionable intelligence that translates into lucrative competitive advantages, that is a message no company should, even inadvertently, be communicating.

 (This post was inspired by NPR’s Tom Gjelten’s three part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th, 2015 on Morning Edition.)

Cyber Attacks Mutually Assured Disruption of Intangible Assets!

June 3rd, 2015. Published under Cyber security, cyber warfare., Intangible asset protection. No Comments.

Michael D. Moberly   June 2, 2015   ‘A blog where attention span really matters’!

Throughout the 1960’s, there was consistent reference by governments and defense sectors’ about MAD (mutually assured destruction), i.e., each side possessing sufficient nuclear ‘mega-tonnage’ to assure mutual destruction of the other, should war breakout.

A similar analogy is evident today, but its origins do not lie in the delivery of nuclear weapons rather in the delivery of massive cyber attacks designed to simultaneously take down and/or substantially disrupt multiple pillars of a targeted countries’ infrastructure, ala MAD – ‘mutually assured (sector, grid) disruption’!

On the morning of September 11, 2001, I and countless others presumed the aircraft strikes in New York and Washington were diversionary, as tragic as they were, to be followed by massive cross sector cyber attacks. My anger and curiosity that a cyber attack was imminent prompted me to call acquaintances employed in various sectors throughout the U.S., one of which was the director of a top tier research university’s ‘super-computing’ center. My rationale was that a super-computing center would likely be an initial point of detection to a larger cyber attack should there be one in the offing. To my disillusionment, such a rationale was in error, at least in this instance.

The capability to thwart, mitigate, or contain the asymmetric and adverse cascading effects that a coordinated cyber attack would likely be designed to produce presents obvious challenges and creeping costs insofar as companies and organizations keeping pace with the infinite risks and threats which can seemingly materialize anytime and anyplace with no vapor trail, to maximize the intended infrastructure disruption and chaos.

I suspect there are management teams, c-suites, and boards, ranging from Fortune ranked firms to SME’s (small, medium enterprises), which have already engaged in discussions regarding the practicalities and costs of continuing to deploy state-of-the-art cyber attack – risk mitigation (data-information security) products.

There are two related reasons why I believe such discussions are inevitable…

  • it is a globally universal and irreversible economic fact that rising percentages, 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, primarily in the form of intellectual, structural, relationship-social and competivity capital.
  • data/information generation, storage, and retrieval needs are continually ratcheting up to the mega-terabyte arena, particularly with the rapid recognition and rise of intangible asset intensive and dependant companies.

To be sure, efforts to thwart the actions of the growing global array of ultra-sophisticated economic and competitive advantage adversaries and legacy free players engaged in hacking and/or state sponsored entities capable of delivering massive cyber attacks are challenges which, at this juncture, cannot be dismissed or relegated to the uninitiated.

I am not suggesting companies disregard their fiduciary responsibilities or regulatory mandates.  Instead, I am suggesting a company’s desire to curtail the rising costs and operational disruptions associated with investing and deploying all-the-more nuanced IT security products that deliver consistent and measurable returns, technologies must be developed with capabilities to differentiate company information and data on a variable continuum. For example, introducing the capability to differentiate data-information that should receive the maximum safeguards, which initially I propose, encompass these four factors, i.e., the (intangible) assets…

  1. contributory value to a particular project, product, and/or the company’s mission.
  2. continued materiality to a particular project, product, and/or the company’s mission.
  3. relevance to a company’s reputation (image, goodwill, brand) etc.

CSIS and McAfee Collaborate: Economic Impact of Cyber Crime and Cyber Espionage

October 7th, 2014. Published under Cyber security, Economic Espionage. 3 Comments.

Michael D. Moberly   October 7, 2014    ‘A long form blog where attention span really matters’.

In 2013, CSIS (Center for Strategic and International Studies) and McAfee partnered to examine cyber – economic espionage impact in a manner more inclusive than what I have previously observed over the past 25+ years. Dr. James Lewis, Senior Fellow and Director of CSIS’ Center for Technology and Public Policy Program, who directed the study, offered his best guess that ‘the upper limit of the costs-losses attributed to cyber – economic espionage might be under one percent of the GDP’ (gross domestic product). Lewis also states, and I paraphrase, ‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to – originating in China, may reach as much as $140 billion annually’.

Lewis translates the $140 billion annual IP loss to 508,000 jobs…

While I have no basis to dispute those figures, or question Dr. Lewis’ experienced and respected record of achievements in the cyber crime – economic espionage arena, I do suggest there are two key factors necessary to arrive at the $140 billion annual loss figure, i.e.,

  • determining which assets and/or impacts to include (factor) and
  • the methodology for determining the lost assets’ near and long term value in terms of costs and losses companies will experience with respect to such things as market space, competitive advantages, profitability, sustainability, etc.

But, Lewis claims, and I agree, describing value loss – impact estimates with broad ranges is indicative of the difficulty in calculating losses. Accordingly, companies may be reluctant to reveal (their) victimization impacts, i.e., victim companies may be inclined to (a.) conceal particular portions of their losses, or, (b.) not know how to distinguish which/what intangible assets were targeted, stolen, comprised, or misappropriated. But, Lewis wisely, casts wide ranging estimates of losses attributed to cyber – economic espionage in other contexts, starting with World Bank reports which state global GDP stood at about $70 trillion for the year 2011.  Thus, a $400 billion loss representing the high end range of probable losses attributed to cyber crime and cyber espionage is a fraction of a percent of the global GDP figure. This, Lewis says, prompts additional questions, several of which I have been examining for many years, e.g. who are recipients and/or ultimate beneficiaries of the acquired (intangible) assets; can they expect to – be positioned to maximize those benefits, e.g., market (space) position, sector competitive advantages, reputation, value, sources of revenue, profitability, etc.

Conventional loss surveys assess – assign dollar value to losses… Some IP and intangible asset theft – loss estimates rely on surveys, which Lewis correctly points out, generally produce imprecise findings because among other things respondents, are inclined to “self-select” which can become a source of distortion to the findings. Lewis suggests loss estimates should be based on “scale and effect” which ‘will likely produce quite different and possibly more objective and accurate results in terms of adverse impacts and loss values’.

CSIS – McAfee Assessment model… Lewis’ intent was to bring greater clarity and validity to the loss figures being reported, so data from ‘car crashes’, ‘retail pilferage/shrinkage’, ‘crime stats’, and ‘drug usage’ were examined for their relevance and comparison as methodologies to draw upon insofar devising CSIS’ assessment (valuation) model. By incorporating these analogies into the design of their loss valuation assessment model, Lewis, and McAfee were suggesting it’s problematic to rely on conventional (existing) survey methodologies to calculate dollar value for losses, because, among other things…

  • companies that (publicly) reveal their losses are frequently unfamiliar with distinguishing the actual (proprietary, IP, intangible) assets which were stolen, compromised, or infringed, thus more guesstimates.
  • intellectual property – intangible asset losses are difficult to quantify because relevant dependant variables are often absent from the equation, and, often
  • the self-selection process associated with most conventional survey methodologies, frequently produces distortion in the findings.

CSIS model includes components – classifications of malicious cyber activity and economic espionage…

This, Lewis gleans, by asking ‘what should be included and counted insofar as arriving at more precise loss estimates’, i.e., there…

  • was a loss of intangible assets, i.e., intellectual property, sensitive business confidential/- proprietary information.
  • was an actual crime committed, i.e., a violation of federal law.
  • were opportunity costs, i.e., business and/or service disruptions that adversely effected consumer/customer expectations, particularly those related to the victimized company’s online activities.
  • would be additional costs incurred relative to…
    • re-securing their IT networks.
    • achieving greater company resilience insofar as to recovering from future cyber – economic espionage attacks, and
    • developing/executing business continuity plans designed to provide more rapid and fuller recovery when future attacks occur.
  • were damages to company reputations which tend to have a longer period for recovery, and lastly,
  • were costs to re-establish and re-secure company supply chain networks.

What’s the harm…?

If Lewis is correct in inferring there have, inadvertently, become “tolerated costs” and/or ‘ceilings’ for estimating losses.

So, a different perspective; is economic-cyber espionage the greatest transfer of wealth in history, or merely a rounding error in countries’ GDP…?

This, of course represents a perspective intended to elevate the significance and acknowledge the adverse impact of cybercrime-economic espionage, while the former represents a perspective intended to diminish the ‘sticker shock’ of the adverse economic impacts by characterizing them as percentages of national GDP’s.

As always reader comments are most welcome.

Cyber Attacks…Nothing Particularly New!

March 6th, 2013. Published under Cyber security, cyber warfare., Economic Espionage. No Comments.

Michael D. Moberly   March 6, 2012   ‘A blog where attention span matters’!

Is there really anything particularly new here…

Being as respectful as I’m able to the purveyors of this ‘certainly nothing new here’ message, which appears to be largely originating from various government agency spokespersons as well as, let’s call’em what they are, computer/IT security firms.

Frankly, I tend to hold the view that when ‘consistent messaging’ originates ‘inside the beltway’ and makes its way to the countless media mediums, it is for a reason.  That is, there is usually a motive(s), sometimes good, sometimes not-so-good underlying the message.

In the case of the current proliferation of ‘cyber attack’ messages, for those of us who have had our respective ears to the ground on such matters for years, the messages we’re now hearing come as no particular surprise.  Rather, they’re more akin, at least in my view, to ratcheting up a quite natural progression of economic and competitive advantage ‘attacks’ which now carry, due in large part to the globally universal reliance on and functionality of IT and computer systems embedded throughout our most critical national infrastructures as well as the most mundane kitchen appliances.

The difference is, today’s intrusions potentially produce more grave, cascading, and far-reaching adverse consequences.

An agricultural metaphor…

What I find disappointing though about these messages and their purveyors is that many seem to adhere to the axiom that the best technique to create rapid and wide-spread attention necessary to influence public opinion and obtain supportive responses and/or reactions is to (a.) express the acts’ potential criticality through worst case scenarios, (b.) direct the message to the most fertile ground, i.e., audience, (c.) plant that ground with ‘FUD’ seeds, i.e., fear, uncertainty, and doubt, and then (d.) elicit rapid growth fertilization of those seeds, from IT/computer security firms, many of which heretofore would have, been extremely reluctant, if not prohibited from naming their clients or publicly espousing their findings.

In most circumstances which I’m familiar, companies who engage outside IT/computer security and forensic investigation services do so with strict confidentiality and non-disclosure agreements in place.  That’s because the adverse reputation risks and stakeholder responses such publicity would instantaneously spark if adverse findings became public may prompt more significant and longer lasting economic and competitive advantage challenges than the adverse acts themselves.  That’s certainly not to suggest I am advocating silence on such issues.  Rather, in many instances, the actual impact and losses associated with illicit and/or illegal intrusions are generally difficult to measure and/or quantify in dollar terms, aside of course from consumer and market reactions.

Clarity…

Let’s try to bring some clarity to this issue.  First of all, these intrusions are taking place, To that, there is absolutely no argument.  It’s just they’re occurring with more frequency and greater intensity and sophistication which collectively allows them to evade many conventional and even some of the state-of-the-art detection and repulsion systems.

Secondly, let’s be clear, regardless whether the intruders are state or non-state actors, over-zealous DEF CON’s, or high school prodigies, it’s not solely the intellectual property (IP) being sought.  By that I mean it does not require a Juris Doctor (law) degree to understand that IP consists of patents, trademarks, copyrights, and trade secrets.

Having studied and investigated a range of economic espionage, issues for 20+ years, i.e., the Economic Espionage Act, since it was rolled out in 1996, I personally and professionally hold the view that it’s bordering on a disservice, if not utterly misleading to characterize this issue as being solely about – directed to the theft of U.S. companies’ IP.  After all, patents are registered with the U.S. Patent and Trademark Office and once issued they’re reported in the public domain, so certainly no secrets there.

As this issues regularly reaches the agenda of c-suites, boards, and management teams and they become more personally apprised and engaged in this inevitable, progressive, and persistent challenge, I want them to recognize it may more likely be the ‘proprietary know how’ and other intangible assets the adversaries are seeking, not necessarily their company’s intellectual property per se.  Of course, intrusions are executed for a variety of reasons, among them being reconnoitering a system’s defenses and seeking undetectable paths to proceed as far possible to eventually access what they’re after.

Glad someone is taking notice…

So ultimately, whether the ‘bad guys’ are state/non-state actors engaging in economic espionage, or whether the acts are consummated through human elicitation – solicitation techniques or willing (insider) participants, and/or ultra-sophisticated cyber technologies it remains nothing particularly new.  But, I’m sure glad someone is now is taking notice!

My blog posts are researched and written by me with the genuine intent they serve as a worthy and respectful venue to elevate awareness and appreciation for intangible assets throughout the global business community.  Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk.  As such, my blog posts are not intended to be quick bites of information, unsubstantiated commentary, or single paragraphed platforms to reference other media. 

Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction.  I always welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com

Cyber Security Presidential Directive: Reputation Risk, Liability Exposure, and Reluctance to Share…

February 15th, 2013. Published under Cyber security, cyber warfare.. No Comments.

Michael D. Moberly    February 15, 2013

To perhaps better appreciate the necessity for the current escalation of national cyber-security initiatives and the associated Presidential Directive, Congressional hearings, lobbying, and blogosphere pros and cons, etc., it’s important to understand the U.S.’s critical infrastructure sectors are distinctive in comparison to numerous other countries, i.e., the European Union for one.  Throughout the EU, much, if not all of the operation, oversight, management, and protection/security responsibilities of their critical infrastructure sectors remain largely in the hands of relevant government entities.

In the U.S., on the other hand, the 18 critical infrastructure sectors, as identified by DHS, have been sliced and diced so many different ways and by so many different (private sector) companies, I’m quite confident that sharing/communicating in a timely manner (a.) a company’s cyber risks, threats, and vulnerabilities, and (b.) the increasingly probable probes, attacks, and breaches they experience will not, at least initially be a very ‘comfortable’ process due in large part to (c.) potential liability exposure and reputation risk, and (d.) the extraordinary value such information would present to any adversary should they access/acquire it.

One strategy which I suspect may be more palatable for c-suites and boards insofar as the detailed ‘sharing’ of incidents is recognizing the extraordinarily costly and quite possibly irreversible reputation risks that will inevitably follow should they elect to opt out, be dismissive of, or merely not comply, in principle or in spirit, with the Presidential Directive.  Of course, that will exacerbate many times over should they fall prey to an adverse cyber event that would cascade beyond the confines of a single company to infect an entire (infrastructure) sector.

One reality shared by numerous company’s I’m familiar, along with their c-suites, boards, and legal counsel is that under most circumstances, unless literally mandated to do otherwise, it is seldom in their interest for a variety of reasons, particularly among globally operating companies which strive to sustain amicable trading – transaction relationships, to be overly ‘public’ about victimizations, unless of course, it is a mandated (legal) requisite that is actually enforced.

Actually safeguarding U.S. national (critical) infrastructure sectors’ from cyber acts/events, carries some significant challenges because (a.) in most instances, a physical and digital interdependence and inter-connectivity exists in and between sectors which require high levels of collaboration and sharing, (b.) there are different organizational and operating structures in the various companies which will inevitably complicate the compilation of the data/information (c.) some critical infrastructure sector companies have multi-national ownership, (d.) c-suites and boards will inevitably interpret the Presidential Directive as an additional fiduciary responsibility whose scopes reaches well beyond the bare essentials and/or minimums versus utilizing known best practices or standards.

Initially, when I and many of my then university-based colleagues applied the terms ‘national critical infrastructure’, in the mid-to-late 1980’s, they were referred to as ‘pillars’ and consisted of only nine in number.  Today, the Department of Homeland Security has refined and extended that number to eighteen and refers to them as infrastructure sectors, i.e.,

  1. Food and agriculture
  2. Banking and finance
  3. Chemical
  4. Commercial facilities
  5. Communications
  6. Critical manufacturing
  7. Dams
  8. Emergency services
  9. Defense industrial base
  10. Energy
  11. Government facilities
  12. Healthcare
  13. Information technology
  14. National monuments and icons
  15. Nuclear reactors including materials and waste
  16. Postal and shipping
  17. Transportation systems, and
  18. Water

I, along with numerous colleagues experienced in the information (intangible) asset protection and economic espionage arena have long realized it is challenging to (a.) create an environment and/or the necessary (company) culture in which (b.) timely detection of adversary probing and/or system compromise or asset theft occurs.  It’s even more challenging to assemble such data and portray it in quantifiably reliable, ‘dollar contexts’.

On a cautionary note however, the public domain is chock-full of variously corroborated anecdotes, all well earned, of state-sponsored entities engaged in, for the most part to date, relatively low level and non-cascading cyber attacks, aside of course, from the theft of proprietary information and intellectual capital.  I believe it’s reasonable to suggest, that in a number of critical infrastructure sector c-suites and boardrooms, there may be a predisposition, again, well earned, to assign (assume) any offensive cyber probing, attacks, and/or breaches to particular state-sponsored entities or otherwise emanating from specific countries.

The fact is, the catalog of potential culprits possessing both the means and motives to engage in cyber attacks has expanded into the realm of well taught and under-the-radar ‘legacy free players’ globally.  So, I would respectfully add that critical infrastructure sector companies may exercise prudence in assuming those ‘handful’ of state-sponsored actors are the only ‘players’ in this extremely high stakes circumstance.

My blog posts are researched and written by me with the genuine intent they serve as a worthy and respectful venue to elevate awareness and appreciation for intangible assets throughout the global business community.  Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk.  As such, my blog posts are not intended to be quick bites of information, unsubstantiated commentary, or single paragraphed platforms to reference other media. 

Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction.  I always welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com

Do Cyber Warfare and Cyber Security Terminology Limit Our Perspective?

February 14th, 2013. Published under Cyber security, cyber warfare.. No Comments.

Michael D. Moberly    February 14, 2013

Some time ago, I’m not really sure precisely when, a transition (change) in language occurred with respect to computer/IT system security with respect to what had traditionally been referred to as primarily defensive actions to prevent and/or mitigate (computer/IT system) vulnerabilities and infiltrations by hackers or economic-competitive advantage adversaries.  The terms now widely used to describe, at least what I believe, are similar phenomena, are cyber-security and cyber-warfare.  The distinction between the two is that the latter is generally presumed to occur on a larger scale, with greater frequency, sophistication, and asymmetric elements, which can destroy, deploy malware, or siphon (extract) specifically targeted intangible assets from a single company and/or a ‘pillar’ of our national infrastructure literally, in nanoseconds.

What troubles me most about this ‘language change’ is that the term cyber-warfare particularly, comes with the inference that ‘all things evil’ to a companies’ computer/IT system(s) emanate from afar, that is primarily (foreign) state sponsored, non-state actors, or the growing numbers of global legacy free players.  Let’s be clear, I am in no way questioning whether either of the above are regular, if not the primary initiators, as there is ample evidence (anecdotal and otherwise) that is the case.

The attention and the alarms both the private sector and government agencies furnish regarding cyber threats, security, and warfare are obviously warranted and I seek not to dispute nor diminish their significance.  After all, the cascading infrastructure havoc created by a significant offensive cyber attack could be incalculably cataclysmic.

But, identifying the absolute best strategy, tools, and/or practices to address these persistent challenges, especially considering there is no reason to believe (they) will dissipate in the future, represents where much debate lies today in c-suites globally, e.g., amongst CSO’s (chief security officers), CRO’s (chief risk officers), CISO’s (chief information security officers), CIPO’s (chief intellectual property officers) and certainly legal counsel.

That is, with respect to the private sector, is it best to remain primarily in a defensive mode consisting of repelling, preventing, and containing?  Or, should the private sector engage in independent offensive and/or pre-emptive initiatives, e.g., mounting IT system (cyber) attacks toward known adversaries in hopes such undertakings will produce a deterrent effect versus an escalation?

Before we get too far down a particular strategic path on this issue, it’s important to refresh our memories that the U.S. remains distinctive from most other countries because the key pillars of our national infrastructure are generally privately owned and operated, apart from direct government control. This distinction suggests independent offensive or pre-emptive action taken by the private sector toward known state sponsored actors (cyber adversaries) would produce some unknown reactions and/or consequences that may well exceed our natural inclination to publicly expose ‘who’s doing what to whom’.

From an information (intangible) asset protection practitioners’ perspective, I believe the subject is being too narrowly framed and perhaps overly influenced by an IT – computer security orientation ala cyber security and cyber-warfare.  By continuing to frame this issue in this manner, little or no space is left for recognizing that companies’ mission critical, sensitive, and proprietary information (intangible) assets routinely exist in formats other than electronic ‘ones and zeros and bits and bytes’.

I am certainly not suggesting the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare (directed against the private sector) are misguided or misplaced.   I am suggesting, that perception and its accompanying strategies gives short shrift to the economic fact that 65+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in – evolve directly from intangible assets e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital.  Thus, the real advantages (value, profitability) belonging to companies may not always be found or housed in a computer or IT system and therefore not specifically vulnerable to the exclusivity of cyber attacks or cyber warfare.

Too, information asset protection policies and practices which are dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatorial knowledge-intangible asset based global economy.  In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames.  Endeavoring to safeguard or secure these assets, in my view, should not be exclusively conceived or practiced through an IT – cyber security lens.  Instead, responsibilities for safeguarding valuable information (intangible) assets must become embedded in peoples’ respective orientation, ethic, and (company) culture, because increasingly that information – those assets exist in the form of intellectual capital.

As information (intangible) asset protection specialists know well, proprietary – sensitive business information will percolate throughout a company and is not confined or limited to what is accessible solely through one’s laptop, desktop, or ‘from the cloud’.  Too, intellectual capital cannot be reduced solely to those electronic ‘ones and zeros or bits and bytes’.

But, information safeguard policies and practices that infer, by having a presumptively superior IT – cyber security program, can send a misleading message, e.g., if an organization’s IT system is proclaimed to be secure, presumably then, a company’s proprietary information is also secure, which we know is not the case.  In today’s increasingly predatorial and incessantly thirsty global business environment for information assets, that’s a message no company should accept.

It is certainly not my intent here to be dismissive about the absolute necessity to rapidly identify, assess, and successfully and consistently thwart the very real risks and threats posed by state-sponsored and independent cyber-attacks.

But, it’s equally important to recognize that both (cyber) terrorist organizations and economic/competitive advantage adversaries can acquire, with varying degrees of ease, a single company’s most valuable and treasured trade secrets and literally wreak economic, competitive advantage, and market havoc, one company at a time.

 (This post was inspired by NPR’s Tom Gjelten’s three part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th on Morning Edition.)

My blog posts are researched and written by me with the genuine intent they serve as a worthy and respectful venue to elevate awareness and appreciation for intangible assets throughout the global business community.  Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk.  As such, my blog posts are not intended to be quick bites of information, unsubstantiated commentary, or single paragraphed platforms to reference other media. 

Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction.  I always welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com