Michael D. Moberly March 6, 2012 ‘A blog where attention span matters’!
Is there really anything particularly new here…
Being as respectful as I’m able to the purveyors of this ‘certainly nothing new here’ message, which appears to be largely originating from various government agency spokespersons as well as, let’s call’em what they are, computer/IT security firms.
Frankly, I tend to hold the view that when ‘consistent messaging’ originates ‘inside the beltway’ and makes its way to the countless media mediums, it is for a reason. That is, there is usually a motive(s), sometimes good, sometimes not-so-good underlying the message.
In the case of the current proliferation of ‘cyber attack’ messages, for those of us who have had our respective ears to the ground on such matters for years, the messages we’re now hearing come as no particular surprise. Rather, they’re more akin, at least in my view, to ratcheting up a quite natural progression of economic and competitive advantage ‘attacks’ which now carry, due in large part to the globally universal reliance on and functionality of IT and computer systems embedded throughout our most critical national infrastructures as well as the most mundane kitchen appliances.
The difference is, today’s intrusions potentially produce more grave, cascading, and far-reaching adverse consequences.
An agricultural metaphor…
What I find disappointing though about these messages and their purveyors is that many seem to adhere to the axiom that the best technique to create rapid and wide-spread attention necessary to influence public opinion and obtain supportive responses and/or reactions is to (a.) express the acts’ potential criticality through worst case scenarios, (b.) direct the message to the most fertile ground, i.e., audience, (c.) plant that ground with ‘FUD’ seeds, i.e., fear, uncertainty, and doubt, and then (d.) elicit rapid growth fertilization of those seeds, from IT/computer security firms, many of which heretofore would have, been extremely reluctant, if not prohibited from naming their clients or publicly espousing their findings.
In most circumstances which I’m familiar, companies who engage outside IT/computer security and forensic investigation services do so with strict confidentiality and non-disclosure agreements in place. That’s because the adverse reputation risks and stakeholder responses such publicity would instantaneously spark if adverse findings became public may prompt more significant and longer lasting economic and competitive advantage challenges than the adverse acts themselves. That’s certainly not to suggest I am advocating silence on such issues. Rather, in many instances, the actual impact and losses associated with illicit and/or illegal intrusions are generally difficult to measure and/or quantify in dollar terms, aside of course from consumer and market reactions.
Let’s try to bring some clarity to this issue. First of all, these intrusions are taking place, To that, there is absolutely no argument. It’s just they’re occurring with more frequency and greater intensity and sophistication which collectively allows them to evade many conventional and even some of the state-of-the-art detection and repulsion systems.
Secondly, let’s be clear, regardless whether the intruders are state or non-state actors, over-zealous DEF CON’s, or high school prodigies, it’s not solely the intellectual property (IP) being sought. By that I mean it does not require a Juris Doctor (law) degree to understand that IP consists of patents, trademarks, copyrights, and trade secrets.
Having studied and investigated a range of economic espionage, issues for 20+ years, i.e., the Economic Espionage Act, since it was rolled out in 1996, I personally and professionally hold the view that it’s bordering on a disservice, if not utterly misleading to characterize this issue as being solely about – directed to the theft of U.S. companies’ IP. After all, patents are registered with the U.S. Patent and Trademark Office and once issued they’re reported in the public domain, so certainly no secrets there.
As this issues regularly reaches the agenda of c-suites, boards, and management teams and they become more personally apprised and engaged in this inevitable, progressive, and persistent challenge, I want them to recognize it may more likely be the ‘proprietary know how’ and other intangible assets the adversaries are seeking, not necessarily their company’s intellectual property per se. Of course, intrusions are executed for a variety of reasons, among them being reconnoitering a system’s defenses and seeking undetectable paths to proceed as far possible to eventually access what they’re after.
Glad someone is taking notice…
So ultimately, whether the ‘bad guys’ are state/non-state actors engaging in economic espionage, or whether the acts are consummated through human elicitation – solicitation techniques or willing (insider) participants, and/or ultra-sophisticated cyber technologies it remains nothing particularly new. But, I’m sure glad someone is now is taking notice!
My blog posts are researched and written by me with the genuine intent they serve as a worthy and respectful venue to elevate awareness and appreciation for intangible assets throughout the global business community. Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk. As such, my blog posts are not intended to be quick bites of information, unsubstantiated commentary, or single paragraphed platforms to reference other media.
Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction. I always welcome your inquiry at 314-440-3593 or firstname.lastname@example.org