Michael D. Moberly February 16, 2012
I characterize the reactions by companies following last year’s ‘WikiLeaks’ phenomenon as adding more dimensions to the task of mitigating the mounting inevitability that corporations will experience reputation risk.
We witnessed those dimensions converge in a layered context that elevated the complexity of managing reputation risk, i.e.,
- the reactions and responses by PayPal, Visa, Mastercard, server hosts, etc.,
- the aggressive counter-reactions apparently perpetrated by ‘WikiLeaks’ advocates and proponents in the form of denial-of-service attacks and various forms of hacking, etc.,
- the demeanor and behaviors exhibited by Julian Assange himself (aside from the outstanding criminal warrant awaiting him in Sweden), in terms of whether his (the WikiLeaks) website and his actions may come to be perceived publicly as those of a mere leaker, a quasi-citizen journalist, a self-styled technology-era solicitor, or merely a middle man with an unwise agenda,
- announcements by Assange’s legal counsel and other supporters of a ‘roll out’ of a (presumed) defense strategy,
- the various efforts to deflect, mitigate, and counter the ‘leaks’ about U.S. and foreign government diplomatic (non-public) initiatives,
- the global ‘talking heads’ that consistently offered opinions through all forms of media,
- global open source, transparency, and First Amendment advocates weighing in on the issues,
- the respective positions of the U.S. Departments of State and Defense, portraying their reality that classified and embarrassing information has been leaked,
- U.S. Attorney General Holder’s public legal strategies, presumably intended to deter future instances of leaks,
- growing anticipation of what additional, presumably sensitive and/or proprietary information is being held hostage by Assange, presumably awaiting release, that targets specific companies.
Both collectively and individually, each of the above dimensions has prompted much warranted discussion in C-suites and board rooms globally, in addition to now-necessary research focusing on the inevitability that there are many more ‘PFC Mannings’ to come, in both the government and private sectors. It’s certainly a given, at least in my view, that many of the aforementioned discussions will likely include an array of recommendations for mounting and executing some form of ‘pre-emptive strike’, so to speak, i.e.,
- screening client/customer lists to identify (assess, project) the potential for ‘WikiLeaks’ types of problems to arise,
- severing associations with, or creating some manner of probationary ‘watch list’ for, customers and clients (stakeholders) that pose a particular ‘WikiLeaks’ type of hazard or show no evidence of executing practices (policies and procedures) that demonstrate they recognize its potential criticality,
- new oversight initiatives related to the selection, retention, and/or provision of hosting and payment services to companies that engage in ‘WikiLeaks’ types of acts that are contrary to existing law or prescribed ethics.
It is certainly not a stretch, as I’m confident most, if not all, of my colleagues would agree, that we will find numerous companies have already engaged in some variant of the ‘pre-emptive’ strike described above. Experience suggests that such pre-emptive strikes, if I can call them that, will most likely take the form of (private-sector) policy changes intended to forestall as well as mitigate what may well be the initial salvo in countering this added dimension to what has, up to this point, been a more conventional set of reputation risks.
Unfortunately though, what some companies may overlook or leave out of their ‘reputation risk management equation’ is that engaging in ‘feel good’ pre-emptive strikes is generally irreversible. That is, such strikes ultimately do more strategic harm and present more reputational challenges than a poorly constructed equation allows decision makers to recognize and consider.
The bottom line, as most successful business decision makers understand, is that a company’s reputation, while a generally valuable intangible asset, can be quite fragile. Once compromised or attacked, unless the company’s reputation-goodwill bank is brimming full in advance, even partial recovery of economic and competitive advantage will be a very costly and time-consuming endeavor.
For some time, in both the private and government sectors, there have been significant initiatives underway to integrate information technologies so as to make relevant information accessible up and down a company’s supply chain and onto the battlefield, using techniques which are often, in my view, much-tweaked approaches to ‘knowledge management’.
The well-intentioned premise of knowledge management, of course, and of its 2012 variants, lies in the notion that more people (employees across functional and operational lines) need, and should have, access to certain information as a tool to aid various decision-making processes, i.e., to speed up the resolution of a problem, create efficiencies, etc.
In today’s global ‘information asset sharing business environment’, it should come as no surprise then that some PFC Mannings of the future may actually feel compelled to leak sensitive information, or may do so merely because they had the capability at their fingertips. Downloading and/or copying classified information, however, and making it available to WikiLeaks is a different matter; and WikiLeaks, we must recognize, is merely one of a growing number of ready and willing global outlets which, when confronted, may well lay claim to a (citizen) journalistic orientation that flows from their ‘First Amendment’ rights.
Much research, personal experience, and countless anecdotes from colleagues leave us with the very strong impression that there are literally thousands of PFC Mannings who have the wherewithal and receptivity, if not a penchant, to become an ‘insider’. ‘Insider’ is the term which we in the information asset protection and security arena use to refer to a conniving and feisty lot who consistently pose challenges to all sectors insofar as leaking sensitive information is concerned.
Insiders come wrapped in many different motives, which collectively form their sometimes distinctive rationale for doing what they do: steal, disseminate, and/or sell proprietary or classified information to those who have no legitimate (authorized) right to see, much less read, that information, and then knowingly disseminate it to entities that will make it available in an open-source context. In the private sector such acts may fall into the categories of misappropriation or infringement. In the government classified arena it’s likely to be called espionage!
When insiders are successful, as it appears PFC Manning was, not once but perhaps multiple times, the product of their misdeed can, and often does, wreak havoc on its target(s), which, as we’ve already noted, carries many new dimensions. Those dimensions are especially critical in the increasingly inter-connected environment of business and government.
Being reasonably well versed in ‘insider threats’ and in some of the research which PFC Manning’s illegal behavior has spawned, I again suggest that he’s certainly not the proverbial ‘lone wolf’.
As for government victims, returning to a state of diplomatic normalcy following such a massive leak will be neither easy nor swift. On the other hand, when such circumstances occur in the private sector, something with which I’m more familiar, there are many financial, personal, and professional ‘fences that require mending’, some of which remain irreversibly broken, which impacts a company’s bottom line very quickly.
What’s new and clear about the Manning-Assange incident is that there’s no precedent for the sheer mass of data and information that was taken and disseminated, aside perhaps from the ‘Pentagon Papers’, a 1960s event which few, if any, ‘Mannings’ even know about, let alone try to emulate.
But that doesn’t discount, nor does it explain away, the reality that many foresaw that something of this nature and on this scale was inevitable!
The work of insiders, while it may not be the world’s oldest profession, certainly does, in my view, rank in the top five. And, to add insult to injury, stealth in this instance was apparently merely a single PFC’s ruse of downloading ‘Lady Gaga’ music, but from a remote government computer with access to classified information. I still have a hard time believing this was the act of a single PFC who acted alone. I’m not suggesting this event should rise to the same level of debate as whether Lee Harvey Oswald acted alone.
However one perceives the Mannings of the world, in my view they represent somewhat of a new breed of insider (threat, risk): one that is more calculating, in some respects more stealthy, and whose acts can potentially cause more irreversible, costly, and immediate damage, harm, and embarrassment to a company or organization than their predecessors, who were largely confined or limited to stealing only ‘hard copies’ that they could put in the proverbial shoe box and carry out of a building under their overcoat. Not unlike the former Detroit auto executive who literally took paper copies of the ‘plans, intentions, and capabilities’ of his former employer to his new European automaker employer as somewhat of an arrogant, yet very strategic, ‘housewarming gift’.
Let me be clear though, this is not so much about the insider threat posed by the ‘Wen Ho Lees’ of the world; Lee was originally charged, circumstantially at least, with compromising classified materials belonging to a U.S. national laboratory and giving them to an adversary. The Manning event certainly has relevance to the classified arena in terms of the types of assets now being targeted by an ever-growing number of economic, competitive-advantage, and military adversaries. It is also a ‘wake-up call’ to the millions of small and mid-size companies that have developed unique and valuable sets of intangible assets that literally deliver (underlie) those companies’ value, sources of revenue, competitive advantages, market position, and growth potential.
When an SME experiences a theft, misappropriation, or compromise by a trusted insider of one or more of its key revenue-producing intangible assets, the consequences are certainly not equivalent or comparable to national security breaches; but their impact on that SME, in terms of lost revenue, undermined competitive advantages, lost market position, etc., can be, and often is, devastating and irreversible.
So, as this construct, which I call ‘the new insider’, emerges, studies and research conducted by DoD’s Personnel Security Research Center (PERSEREC) and Carnegie Mellon University’s CERT unit provide important and timely credence and relevance.
A particular PERSEREC study, appropriately titled ‘Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage’, was a significant factor in influencing how I am framing ‘the new insider’ and the risks and threats they pose. This particular study characterizes the ‘insider threat’ in a very compelling and rational global context. It describes some very ominous challenges that governments and corporations alike face in trying to deter, prevent, combat, or mitigate, however one wishes to portray it, insider risks and threats. The four key ones (described in this PERSEREC study) are conveyed below:
- Fewer employees today, and presumably in the future, are (or will be) deterred by a conventional sense of employer loyalty. In other words, they have a tendency (proclivity) to view theft of information assets as morally justifiable if sharing those assets, they believe, will benefit the world community or prevent armed conflict…
- There is a greater inclination for employees who are, or will be, engaged in multinational trade and transactions to regard unauthorized transfer of information assets or technologies as a business matter, rather than an act of betrayal or treason…
- The value of, and market for, protected information assets, presumably regardless of whether it is a company’s proprietary information or trade secrets or a government agency’s classified information, has risen as those so inclined, i.e., insiders, recognize it can be sold for a profit to an ever-widening range of receptive global entities…
- Companies are at greater risk of experiencing insider theft of information assets than previously because there is no single countervailing trend to make it more difficult or less likely to occur…
So, designing effective practices and techniques to mitigate, counter, and ultimately defend against the insider threat, whether it be a ‘PFC Manning’ or far more technologically sophisticated and global players, should, above all, not be based solely on or unduly prejudiced by:
- past events,
- anecdotal (internal, external) snapshots in time, or
- generalized assumptions about one’s ethnic allegiance.
Rather, a company’s defenses against the insider threat should be well grounded in current and applied research, and in the findings of highly specialized research such as that noted above.
Let it suffice to say that insider (threat, risk) challenges, left unchecked or poorly addressed, can produce wide-ranging and cascading effects that can instantaneously ripple throughout a company or government agency or department. Let it be understood though, such risks and threats are unlikely to miraculously recede or fade away through attrition, terminations, or resignations. Rather, they require the execution of practices that duly reflect the current, as well as the future, global business environment and that can rapidly adjust to forward-looking research. But perhaps most importantly, such practices should not merely plug yesterday’s leaks!