Archive for 'Cyber security'

Mutually Assured Destruction – Disruption of Intangible Assets, Overlooked Risk

July 21st, 2017. Published under Cyber security, cyber warfare., Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly July 21, 2017 m.moberly@kpstrat.com ‘A business intangible asset blog where attention span really matters’!

Throughout the 1960s, i.e., the Cold War period, governments and defense sectors consistently referred to a relatively new capability: MAD (mutually assured destruction). The opposing powers, the United States and the former USSR (now Russia), each possessed a sufficient triad of nuclear capability, i.e., sea-, air-, and land-launched missiles and bombs, the use of which would assure the mutual destruction and annihilation of both. Indeed, a perverse approach to deterrence.

A similar dynamic is evident today, but its origins lie not in the delivery of nuclear weaponry but in anonymous cyber-attacks, or cyberwarfare, designed to destroy functionality and/or substantially disrupt multiple components of a targeted country’s interconnected, cyber-based infrastructure; hence, a ‘mutually assured disruption’ of a country’s cyber ecosystem.

Cyber warfare (a massive cyber-attack) would produce substantial loss of life in many different ways, even without the seismic power of a nuclear warhead blast. In a MAD context, a comprehensive cyberwar would likely produce no definitive winner or loser of the kind often portrayed in conventional wars and battles. Instead, the outcome would likely be characterized and measured in far narrower terms: which systems had redundancy, and how resilient the affected organizations and systems proved to be.

On the morning of September 11, 2001, I and others presumed the purposeful aircraft strikes in New York and Washington were probably diversionary, to be followed by further attacks, cyber and otherwise, in the U.S. The probable targets would be public and private components of the national infrastructure whose services and functionality depend on interwoven IT systems, which, at the time, were incredibly vulnerable.

Like many others who anticipated this ‘follow-up’ scenario, I was prompted to contact colleagues on the morning of 9/11 who were employed in various sectors throughout the U.S., one of whom oversaw the ‘super-computing’ center at a top-tier university. My rationale for contacting this individual lay in the notion that a super-computing center would presumably have the capability to detect at least the precursors of impending cyber-attacks that may have already been launched and ‘were on their way’. To my less than comforting amazement, this rationale, in this instance and at this time, proved much flawed. So, regardless of one’s degree of familiarity and/or expertise with computer security and breach detection, recognizing and mounting effective defenses against multi-dimensional cyber-attacks were relatively new concepts, largely lacking the software and hardware needed to execute them effectively and instantaneously.

The capability to thwart, mitigate, or contain the asymmetric, adverse, and inevitably cascading effects that coordinated cyber-attacks are designed to produce presents obvious challenges and substantial costs. Preparing companies and organizations to reasonably keep pace with cyber risks and threats that are asymmetric, anonymous, and ‘stand-off’ in method, and that can materialize at any time and any place, leaving little or no vapor trail to investigate while maximizing disruption and chaos to a company or organization, is no small undertaking.

There is little doubt today that management teams, c-suites, and boards, from Fortune-ranked firms to SMEs (small and medium enterprises) and RBSUs (research-based startups), routinely engage in discussions regarding the practicalities and costs of deploying good-better-best cyber risk mitigation (data and information security) products.

As an intangible asset strategist, risk specialist, researcher, author, and trainer, my experience suggests there are, at minimum, two interrelated reasons why these discussions are inevitable and expanding to every business sector…

• it is a universal and irreversible economic fact that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability today lie in, and evolve directly from, intangible assets, primarily intellectual, structural, relationship-social, and competitive capital.

• demands for data/information generation, storage, and at-will retrieval are continually ratcheting up, in step with the rapid recognition and rise of intangible-asset-intensive and -dependent companies.

To be sure, efforts to thwart the growing global array of ultra-sophisticated economic and competitive-advantage adversaries, legacy-free players engaged in hacking, and state-sponsored entities capable of delivering highly specific, targeted, or broad-based cyber-attacks are challenges that cannot be dismissed or relegated to the uninitiated or unfamiliar.

I am certainly not suggesting that public-private U.S. entities disregard their fiduciary responsibilities or regulatory mandates to safeguard data. Instead, I am suggesting that any entity’s mandate to mitigate operational disruptions be re-examined in an organizational resilience context, to ensure the entity can differentiate its proprietary information and data along a continuum. For example, data and information should be differentiated as valuable, competitive-advantage intangible assets according to their contributory role, value, and materiality to a particular project, product, or the company’s mission, and their relevance to reputation and brand.

CSIS and McAfee Collaborate: Economic Impact of Cyber Crime and Cyber Espionage

October 7th, 2014. Published under Cyber security, Economic Espionage. 3 Comments.

Michael D. Moberly October 7, 2014 ‘A long form blog where attention span really matters’.

In 2013, CSIS (Center for Strategic and International Studies) and McAfee partnered to examine the impact of cyber and economic espionage in a manner more inclusive than anything I have observed over the past 25+ years. Dr. James Lewis, Senior Fellow and Director of CSIS’ Technology and Public Policy Program, who directed the study, offered his best guess that ‘the upper limit of the costs-losses attributed to cyber – economic espionage might be under one percent of the GDP’ (gross domestic product). Lewis also states, and I paraphrase, ‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to, or originating in, China may reach as much as $140 billion annually’.

Lewis translates the $140 billion annual IP loss to 508,000 jobs…

While I have no basis to dispute those figures, or to question Dr. Lewis’ experienced and respected record of achievement in the cybercrime and economic espionage arena, I do suggest there are two key factors that determine how one arrives at the $140 billion annual loss figure, i.e.,

  • determining which assets and/or impacts to include (count), and
  • the methodology for determining the lost assets’ near- and long-term value in terms of the costs and losses companies will experience with respect to market space, competitive advantages, profitability, sustainability, etc.

But Lewis claims, and I agree, that describing value-loss and impact estimates with broad ranges is indicative of the difficulty of calculating losses. Companies may also be reluctant to reveal their victimization impacts, i.e., victim companies may be inclined to (a) conceal particular portions of their losses, or (b) not know how to distinguish which intangible assets were targeted, stolen, compromised, or misappropriated. Lewis wisely casts the wide-ranging estimates of losses attributed to cyber and economic espionage in other contexts, starting with World Bank reports that put global GDP at about $70 trillion for 2011. Thus, a $400 billion loss, the high end of the range of probable losses attributed to cybercrime and cyber espionage, is a fraction of a percent (roughly 0.6%) of global GDP. This, Lewis says, prompts additional questions, several of which I have been examining for many years, e.g., who are the recipients and/or ultimate beneficiaries of the acquired (intangible) assets, and can they expect to be positioned to maximize those benefits, e.g., market position, sector competitive advantages, reputation, value, sources of revenue, profitability, etc.?

Conventional loss surveys assign dollar values to losses… Some IP and intangible asset theft/loss estimates rely on surveys which, as Lewis correctly points out, generally produce imprecise findings because, among other things, respondents are inclined to “self-select”, which distorts the findings. Lewis suggests loss estimates should instead be based on “scale and effect”, which ‘will likely produce quite different and possibly more objective and accurate results in terms of adverse impacts and loss values’.

CSIS – McAfee assessment model… Lewis’ intent was to bring greater clarity and validity to the loss figures being reported, so data on ‘car crashes’, ‘retail pilferage/shrinkage’, ‘crime stats’, and ‘drug usage’ were examined for their relevance as comparable methodologies to draw upon in devising CSIS’ assessment (valuation) model. By incorporating these analogies into the design of their loss valuation model, Lewis and McAfee were suggesting it is problematic to rely on conventional (existing) survey methodologies to calculate dollar values for losses, because, among other things…

  • companies that (publicly) reveal their losses are frequently unfamiliar with distinguishing the actual (proprietary, IP, intangible) assets that were stolen, compromised, or infringed, which yields more guesstimates.
  • intellectual property and intangible asset losses are difficult to quantify because relevant dependent variables are often absent from the equation, and
  • the self-selection inherent in most conventional survey methodologies frequently distorts the findings.

The CSIS model includes components, i.e., classifications, of malicious cyber activity and economic espionage…

These Lewis gleans by asking ‘what should be included and counted in arriving at more precise loss estimates’, i.e., whether there…

  • was a loss of intangible assets, i.e., intellectual property or sensitive business confidential/proprietary information.
  • was an actual crime committed, i.e., a violation of federal law.
  • were opportunity costs, i.e., business and/or service disruptions that adversely affected consumer/customer expectations, particularly those related to the victimized company’s online activities.
  • would be additional costs incurred relative to…
    • re-securing their IT networks.
    • achieving greater company resilience for recovering from future cyber and economic espionage attacks, and
    • developing/executing business continuity plans designed to provide more rapid and fuller recovery when future attacks occur.
  • were damages to company reputations, which tend to have a longer period of recovery, and lastly,
  • were costs to re-establish and re-secure company supply chain networks.

What’s the harm…?

If Lewis is correct, there have inadvertently come to be “tolerated costs” and/or ‘ceilings’ for estimating losses.

So, a different perspective: is economic-cyber espionage the greatest transfer of wealth in history, or merely a rounding error in countries’ GDP…?

The former perspective is intended to elevate the significance and acknowledge the adverse impact of cybercrime and economic espionage, while the latter is intended to diminish the ‘sticker shock’ of those adverse economic impacts by characterizing them as percentages of national GDPs.

As always reader comments are most welcome.

Do Cyber Warfare and Cyber Security Terminology Limit Our Perspective?

February 14th, 2013. Published under Cyber security, cyber warfare.. No Comments.

Michael D. Moberly February 14, 2013

Some time ago, I’m not really sure precisely when, a change in language occurred with respect to computer/IT system security. What had traditionally been referred to as primarily defensive action to prevent and/or mitigate (computer/IT system) vulnerabilities and infiltrations by hackers or economic-competitive-advantage adversaries is now widely described by two terms that, at least as I see it, cover similar phenomena: cyber-security and cyber-warfare. The distinction between the two is that the latter is generally presumed to occur on a larger scale, with greater frequency, sophistication, and asymmetric elements, and can destroy, deploy malware, or siphon (extract) specifically targeted intangible assets from a single company and/or a ‘pillar’ of our national infrastructure, literally in nanoseconds.

What troubles me most about this ‘language change’ is that the term cyber-warfare in particular carries the inference that ‘all things evil’ to a company’s computer/IT systems emanate from afar, that is, primarily from (foreign) state-sponsored actors, non-state actors, or the growing numbers of global legacy-free players. Let’s be clear: I am in no way questioning whether the above are regular, if not the primary, initiators, as there is ample evidence (anecdotal and otherwise) that this is the case.

The attention and alarms that both the private sector and government agencies raise regarding cyber threats, security, and warfare are obviously warranted, and I seek neither to dispute nor to diminish their significance. After all, the cascading infrastructure havoc created by a significant offensive cyber attack could be incalculably cataclysmic.

But identifying the best strategy, tools, and/or practices to address these persistent challenges, especially since there is no reason to believe they will dissipate in the future, is where much of the debate lies today in c-suites globally, e.g., amongst CSOs (chief security officers), CROs (chief risk officers), CISOs (chief information security officers), CIPOs (chief intellectual property officers), and certainly legal counsel.

That is, with respect to the private sector, is it best to remain primarily in a defensive mode of repelling, preventing, and containing? Or should the private sector engage in independent offensive and/or pre-emptive initiatives, e.g., mounting cyber attacks against known adversaries in the hope that such undertakings produce deterrence rather than escalation? (A practical caveat: in the U.S., a private company gaining unauthorized access to another party’s systems, even an adversary’s, is itself generally prohibited under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, quite apart from the escalation risk discussed below.)

Before we get too far down a particular strategic path on this issue, it’s important to remember that the U.S. remains distinctive from most other countries in that the key pillars of our national infrastructure are generally privately owned and operated, apart from direct government control. This distinction suggests that independent offensive or pre-emptive action taken by the private sector against known state-sponsored cyber adversaries would produce unknown reactions and consequences that may well outweigh our natural inclination to publicly expose ‘who’s doing what to whom’.

From an information (intangible) asset protection practitioner’s perspective, I believe the subject is being too narrowly framed and perhaps overly influenced by an IT/computer security orientation, i.e., cyber security and cyber-warfare. By continuing to frame the issue in this manner, little or no space is left for recognizing that companies’ mission-critical, sensitive, and proprietary information (intangible) assets routinely exist in formats other than electronic ‘ones and zeros and bits and bytes’.

I am certainly not suggesting that the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare (directed against the private sector) is misguided or misplaced. I am suggesting that this perception and its accompanying strategies give short shrift to the economic fact that 65+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in, and evolve directly from, intangible assets, e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital. Thus, the real advantages (value, profitability) belonging to companies may not always be found or housed in a computer or IT system, and are therefore not exclusively vulnerable to cyber attacks or cyber warfare.

Also, information asset protection policies and practices that are dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatory knowledge- and intangible-asset-based global economy. In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames. Endeavoring to safeguard or secure these assets, in my view, should not be exclusively conceived or practiced through an IT/cyber security lens. Instead, responsibility for safeguarding valuable information (intangible) assets must become embedded in people’s respective orientation, ethic, and (company) culture, because increasingly that information, those assets, exists in the form of intellectual capital.

As information (intangible) asset protection specialists know well, proprietary and sensitive business information percolates throughout a company and is not confined to what is accessible solely through one’s laptop, desktop, or ‘from the cloud’. Nor can intellectual capital be reduced solely to those electronic ‘ones and zeros or bits and bytes’.

But information safeguard policies and practices that rest on a presumptively superior IT/cyber security program can send a misleading message, e.g., if an organization’s IT system is proclaimed to be secure, then presumably the company’s proprietary information is also secure, which we know is not the case. In today’s increasingly predatory global business environment, incessantly thirsty for information assets, that’s a message no company should accept.

It is certainly not my intent here to be dismissive of the absolute necessity to rapidly identify, assess, and consistently thwart the very real risks and threats posed by state-sponsored and independent cyber-attacks.

But it’s equally important to recognize that both (cyber) terrorist organizations and economic/competitive-advantage adversaries can acquire, with varying degrees of ease, a single company’s most valuable and treasured trade secrets and literally wreak economic, competitive, and market havoc, one company at a time.

(This post was inspired by NPR’s Tom Gjelten’s three-part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th, on Morning Edition.)

My blog posts are researched and written by me with the genuine intent that they serve as a worthy and respectful venue to elevate awareness and appreciation of intangible assets throughout the global business community. Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, and ownership of these assets, and monitoring their value, materiality, and risk. As such, my blog posts are not intended to be quick bites of information, unsubstantiated commentary, or single-paragraph platforms to reference other media.

Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction.  I always welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com