04 October 2010

Stuxnet: Digital Sabotage of Critical Infrastructure...

Chief Information Security Officers (CISOs) are gaining significant new understanding of a threat emerging in the digital domain. The Energy, Chemical, Water, Transportation and other Critical Infrastructure sectors are on high alert. The Programmable Logic Controller (PLC) systems built on Siemens technologies, and the Operational Risks tied to them, are under attack. Stuxnet is a new worm that has emerged over the past few months and is being analyzed from several angles. One analysis still forthcoming is who developed this sophisticated industrial sabotage cyber weapon. Let's consider this logic from Ralph Langner:

Many aspects of Stuxnet are so completely different from malware as we know it that it's only natural that so many hard-working experts at some point in the analysis ended in frustration. The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation -- operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution.
Stage 1, preparation:
- Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
- Assemble development & test lab, including process model
- Do intel on target specifics, including identification of key people for initial infiltration
- Steal digital certificates

Stage 2, infiltration:
- Initial infiltration using USB sticks, perhaps using contractor's compromised web presence
- Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
- Contact to command & control servers for updates, and for evidence of compromise
- Update local peers by using embedded peer-to-peer networking
- Shut down CC servers

Stage 3, execution:
- Check controller configuration
- Identify individual target controllers
- Load rogue ladder logic
- Hide rogue ladder logic from control system engineers
- Check PROCESS condition
- Activate attack sequence

For the CISO and executives sitting in on the latest emergency Cisco TelePresence call at companies such as Entergy, American Electric Power, Dominion Resources and dozens of others in the power grid industry, the reliability factor is uncertain.

If this new malware had an initial project budget in the seven figures ($,$$$,$$$.00) to achieve the three stages described above (preparation, infiltration and execution), the price will soon be far more affordable. The price of a malware exploit kit such as this one will decrease dramatically as it is re-engineered for other purposes or types of targets and propagates across the Internet.

The significance of the decrease in price is that now it will be more affordable for the transnational economic crime syndicates. How they will utilize the new Stuxnet capability in their toolkit for cyber extortion, digital sabotage and other schemes remains to be seen. What is certain is that it will not be long before this becomes a reality. Gary McGraw comments further:

Stuxnet is a fascinating study in the future of malware. Not only did it reveal at least 4 0days (which are still being patched by Microsoft), it clearly demonstrated that physical process control systems of the sort that control power plants and safety-critical industrial processes are ripe for compromise.

Now that the genie is out of the bottle, it is hardly possible to stuff it back in. Expect the techniques and concepts seen in Stuxnet to be copied. Attacks on process control systems are no longer the fantasies of paranoids in tinfoil hats — they are here.


The next Operational Risk on the horizon is the plaintiff lawsuits that follow each time we have an event like this one:


Pacific Gas and Electric Co. on Monday announced it would put as much as $100 million towards rebuilding areas of the Crestmoor neighborhood destroyed in the flames. PG&E president Chris Johns maintained that money in that relief fund would be spent on reconstructing the San Bruno neighborhood, not paying off potential legal claims. Nonetheless, the utility company reportedly already cut the city a $3 million check to cover expenses associated with responding to the disaster. PG&E is also expected to pay victims whose homes were destroyed up to $50,000 to help pay for their everyday necessities. “I realize money can’t return lives. It can’t heal scars, it can’t replace memories… But there does come a time for healing and for rebuilding, and we are committed to helping that happen,” Johns added.

A full probe would be required to determine what might have caused the 30-inch high-pressure gas pipeline to burst at Earl Avenue and Glenview Drive around 6:15 p.m. that Thursday evening. Thirty-seven homes were apparently leveled in the blast. A 30-foot-wide crater could also be seen in the aftermath of the explosion. Authorities evacuated over 100 people in the area immediately after the blast. Now the California Public Utilities Commission has ordered PG&E to check all high-pressure gas lines located in densely populated areas. The National Transportation Safety Board (NTSB) is leading the investigation into the fatal San Bruno natural gas explosion.


It is too early to determine the exact cause of the San Bruno, CA disaster, yet the corporate general counsels of major utilities are already preparing their defense. The legal risks could go well beyond the scene of the explosion. Why? As the plaintiffs examine the number of PLC and SCADA controllers involved in the area of the incident, you can be certain they will be looking at the software systems associated with them. They will request that the Information Technology organization at PG&E produce evidence of its policies, procedures and best practices as they pertain to SCADA exploits such as the Stuxnet worm.

Managing the Operational Risks associated with the Energy and Chemical "Critical Infrastructure" sectors goes well beyond the norm of security and safety. Even BP has established a new Operational Risk initiative in the aftermath of their Gulf of Mexico catastrophe.

BP is to create a new safety division with sweeping powers to oversee and audit the company’s operations around the world.

The Safety & Operational Risk function will have authority to intervene in all aspects of BP’s technical activities.

It will have its own expert staff embedded in BP’s operating units, including exploration projects and refineries. It will be responsible for ensuring that all operations are carried out to common standards, and for auditing compliance with those standards.

The powerful new organisation is designed to strengthen safety and risk management across the BP group. It will be headed by Mark Bly and report directly to incoming chief executive Bob Dudley.

The company said the decision to establish the new function follows the Deepwater Horizon accident in the Gulf of Mexico and BP’s investigation into the disaster. It is one of a number of major changes announced by Dudley as he prepares to take over his new role on October 1.

Who will be in charge of the "Stuxnet Task Force"?

28 September 2010

Workplace Violence: Cues and Clues to Teach...

Operational Risk Management is your foundation for crisis leadership. All work locations have distinct categories of threats relevant to the site, the people and the type of business. Assessing these violent factors is the role of FBI profiler Mary Ellen O'Toole, and according to her study "The School Shooter: A Threat Assessment Perspective" threats fall into four categories:

  1. A Direct Threat
  2. An Indirect Threat
  3. A Veiled Threat
  4. A Conditional Threat

Employees must be trained to be aware of the warning signals that typically occur before a threat becomes a violent act. Based on the O'Toole study, these are some of the 23 "Red Flags" that employers should be monitoring and keeping their Corporate Threat Assessment Teams on high alert for:

  • Low tolerance for frustration
  • Poor coping skills
  • Failed relationships
  • Signs of depression
  • Exaggerated sense of entitlement
  • Attitude of superiority
  • Inappropriate humor
  • Seeks to manipulate others
  • Lack of trust/paranoia
  • Access to weapons
  • Abuse of drugs and alcohol

Source: O'Toole, Mary Ellen, "The School Shooter: A Threat Assessment Perspective," by the Critical Incident Response Group (CIRG), the National Center for the Analysis of Violent Crime (NCAVC) and the FBI Academy.


The court and the jury will look at your employer's ability to apply the basics of workplace violence and threat assessment. What did you know? When did you know it? What have you done about it? They will judge you on the threat assessment's use of insider threat intelligence combined with the evidence of your overt training of employees in the workplace. What grade would you give your company today on these fundamentals?

Let's take it to the next step: your ability even to meet the requirements of the Occupational Safety and Health Administration (OSHA) in the United States. Awareness programs are expected on the four primary types of workplace crimes:

  1. Those crimes committed by people not connected to the workplace.
  2. Aggression by third parties including customers, clients, patients, students, or any others for whom you provide a service or product.
  3. Employee to Employee violence or a former employee who returns to the workplace with the intention to injure a former supervisor.
  4. Aggression related to a personal relationship inside or outside the workplace.


The organization that understands the foundation for creating a proactive and preventive team for incidents in the workplace should not stop there. Once you have developed the framework for Incident Command, Emergency Operations Center, Shelter in Place, Medical Triage and Evacuation, you have a good baseline to extend to a complete "Continuity of Operations" strategy. This requires a deeper analysis of the threats inside your organization that may put you out of business entirely.

Once the organization has adopted the "All Threats - All Hazards" mentality, it is well on its way to becoming a survivable business. Operational Risk Management is a discipline that incorporates this approach and equips owners, operators and business suppliers with the tools, methods and strategy to handle workplace violence incidents or a catastrophic act of Mother Nature.

18 September 2010

China Syndrome: FCPA & Rating Agencies...

A modern-day "Operational Risk China Syndrome" is making Boards of Directors nervous these days. The new syndrome, otherwise known as the Foreign Corrupt Practices Act (FCPA), has been the buzz at rating agencies for months. Are you sure of your ability to withstand the scrutiny of an FCPA litmus test? Board Member Magazine explains:

On June 2nd, Fitch Ratings agency announced that Foreign Corrupt Practices Act violations could result in ratings downgrades. That’s one more reason boards should educate themselves on FCPA and how their companies are monitoring FCPA-related risks. It appears, though, that many boards do not feel comfortable with their companies’ compliance programs. In a soon-to-be released survey from KPMG’s Audit Committee Institute, only 27 percent of U.S. audit committee members said they were satisfied that their company had an effective process to manage Foreign Corrupt Practices Act risks, and other risks associated with doing business in Brazil, Russia, India, China and other emerging markets. 35 percent of respondents were only somewhat satisfied, and 9 percent said process improvements were needed in conducting such business, which may include sourcing, outsourcing, manufacturing, or sales and distribution channels.

As your Business Development teams fan out across the globe to satisfy the Chinese economy's appetite for critical infrastructure, establish a sound and effective awareness, training and audit program. What are the ramifications of putting unprepared personnel on the ground to do business in the Chinese markets?

American companies or individuals who enter joint ventures with foreign partners, as well as those who hire foreign agents or distributors in China, must be extremely cautious of the vicarious liability that they may face as a result of a third party's violation of the principles set forth in the FCPA. According to the Justice Department, an American company will be subject to liability under the FCPA if it makes payments to an intermediary third party with the knowledge that such payments will go to a foreign official for corrupt purposes. Conscious disregard is enough to satisfy the requirement; if the American company is aware of a "high probability" that such payments will occur, the knowledge requirement will be satisfied. More importantly, a joint venture partner, agent, or distributor will be considered an intermediary third party for purposes of the FCPA. Therefore, any violation of FCPA standards by one of those parties could result in the American company being vicariously liable under the FCPA.

For the Board of Directors to have peace of mind about emerging-market business opportunities, a substantial compliance framework first needs to be established. Next comes the implementation of predictive analytics software to manage the complexity of companies, people and relationships as you do business in any of these countries. This includes subscriptions to several databases that track the constantly changing landscape of specially designated nationals (SDN) and politically exposed persons (PEP). World-Check explains:

During the period 2005 to 2007 alone, more than 310 elections and by-elections took place around the world – that’s an average of nearly 10 elections per month. (Source: ElectionGuide.org). This means that your existing clients may be elected to public office, and hence become PEPs, without your business knowing it. It may be that you only apply your due diligence processes to new customers and so miss a whole category of individuals that do not meet your corporate risk appetite. As such, routine and ongoing PEP risk screening is not only considered best practice, but is also a legal requirement.
In practice, full compliance with PEP legislation has not come without major operational challenges. In the post-9/11 era, the proliferation of regulatory compliance laws, combined with the need to screen hundreds of thousands of users and accounts on a routine basis, has created a substantial administrative burden for businesses subject to PEP legislation.

The sheer magnitude of the due diligence challenge has subsequently led to the adoption of a risk-based approach to regulatory compliance, but nevertheless Enhanced Due Diligence and ongoing risk management is still required for PEPs. Broadly speaking, the risk-based approach entails the identification of risks that exceed your business’ stated risk appetite (including the need for regulatory compliance), and then matching individuals and entities against these heightened risks during the preliminary stages of due diligence. Should a person fall into one or more of the specified heightened risk categories, additional due diligence is then required.

As your company establishes its new China-based strategy for partnerships, joint ventures or actually putting employees in country, the operational risks grow exponentially. Remember, a sound and prudent risk framework includes a 4D approach:

  • Deter
  • Detect
  • Defend
  • Document

With these established and operating on a global basis, the Board of Directors will sleep more soundly. Or perhaps not...

29 August 2010

Digital RubiCON: The Fifth Domain...

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments. One example? People traveling to emerging markets to explore new business opportunities, or new suppliers that will be connected by high-speed Internet connections to the supply chain management system. The boundaries of managing operational risk have not only expanded, they have become invisible.

Ru·bi·con
1. a river in N Italy flowing E into the Adriatic

2. Rubicon, to take a decisive, irrevocable step

This "Digital Rubicon" before us, to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain, will not be as easy as the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined not only by nation states but by the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk and the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks incidents has everyone on full alert. As the government has outsourced the jobs that would take it too long to execute, or in which the private sector is already the expert, operational risks have begun to soar.

As private sector tasks morph with the requirements of government, you perpetuate the gap in effective risk mitigation and the spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission-critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, it can begin its quest for enterprise resiliency. The problem is that most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to that resilient outcome is to finally cross the "Digital Rubicon" and realize that you can no longer control it.

The first step in any remediation program is to admit the problem and accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.

Washington Post: US eyes preemptive cyber-defense strategy: "The command - made up of 1,000 elite military hackers and spies under one four-star general - is the linchpin of the Pentagon's new strategy and is slated to become fully operational Oct. 1.

Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.

"We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."

Another senior defense official said, "I think we understand that in order for us to ensure integrity within the military networks, we've got to be able to reach out as far as we can - once we know where the threat is coming from - and try to eliminate that threat where we can."

29 July 2010

Employee Misconduct: Mitigating Insider Risks...

The new Verizon Cyber Report is a valuable read for OPS Risk professionals who focus on data breach and incident response. The full breach report can be found at Verizon Business.

We have to agree with the observations made by Brian Krebs on the following topic in the report:

A key finding in this year’s report is that most companies suffering breaches missed obvious signs of employee misconduct – breaches that were either initiated or aided by employees. Sartin said in almost every case where a breach investigation zeroed in on an employee as the culprit, investigators found ample evidence that the employee had long been flouting the company’s computer security and acceptable use policies that prohibit certain behaviors, such as surfing porn or gambling Web sites on company time and/or on corporate-issued laptops.

The study found a strong correlation between ‘minor’ policy violations and more serious abuse. From the report: “Based on case data, the presence of illegal content, such as pornography, on user systems (or other inappropriate behavior) is a reasonable indicator of a future breach. Actively searching for such violations rather than just handling them as they pop up may prove even more effective.”


The "Insider Threat" continues to be under estimated and all of the monitoring tools will not be able to stop it completely. Ever. So what are some of the solutions to address the issues at hand? Here are a few ideas worth exploring if not for the Fortune 500 Enterprise but the small-to-medium enterprise (SME) who doesn't have the budget or the internal staff to engineer a robust and resilient infrastructure. They have their unique place in a layered approach to cyber defense:

Idea #1: ScanSafe

Cisco recently acquired the pioneering SWG SecaaS company ScanSafe. ScanSafe continues to execute well and has the largest market share in the SecaaS market including several organizations with well more than 100,000 seats. ScanSafe is expected to form the basis of an increasing array of Cisco SecaaS offerings, starting with the addition of e-mail. Cisco's credibility with the network operations team, the progressive development and market growth of the S-Series and the acquisition of the leading SecaaS provider moved Cisco into the Leaders quadrant this year.

Idea #2: IronKey

IronKey was chosen by the Reader Trust Voting Panel, comprised of security and technology experts from large, medium and small enterprises from all major vertical markets, representing the wide distribution of SC Magazine readers. With an unprecedented number of entries submitted the 2010 SC Magazine readers selected IronKey over competing solutions from Check Point, CREDANT, PGP and Symantec.

IronKey brings unprecedented mobile data security to enterprise and government organizations by combining the IronKey multifunction security devices with the ability to remotely manage the devices and strictly enforce security policies from a centralized administrative console. IronKey enables organizations to securely deliver complete desktop environments on ultra-secure, remotely managed devices with integrated two-factor authentication and fraud protection capabilities.


Idea #3: OpenDNS

OpenDNS has solutions that are perfect for organizations of all sizes, from small businesses to Fortune 500 enterprises. With no equipment to install, no upgrades and no maintenance, OpenDNS will reduce your costs, give you more control and make navigating the Internet on your network a safer, more secure experience.

OpenDNS provides comprehensive security for your organization's network through botnet and malware site protection. OpenDNS delivers network security services through the DNS layer, blocking known malicious or infected sites from resolving on your network. Since infected sites are prevented from resolving, malicious content is blocked from reaching your network, and thereby OpenDNS provides the most efficient protection available.

Built-in botnet protection stops trojans, key loggers and other persistent malware and viruses on machines in your network from sending out confidential data and personal information to hackers outside the firewall.
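The DNS-layer blocking described above, as an added illustration that is not OpenDNS's code or part of the original post: a small policy resolver that refuses to resolve blocklisted domains and their subdomains, returns a sinkhole address instead, and keeps a log so that hosts repeatedly trying to reach blocked names can be triaged as likely infected. The blocklist, allowlist, upstream answers and client addresses are all constructed for the walk-through.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sinkhole address (RFC 1918); a real deployment would point this at
# an internal host that records connection attempts from infected machines.
SINKHOLE_IP = "10.255.255.1"


def normalize(qname: str) -> str:
    """Canonical form for comparison: trimmed, lower-case, no trailing dot."""
    return qname.strip().rstrip(".").lower()


@dataclass
class DnsPolicyResolver:
    """Hypothetical stand-in for a DNS-layer filtering resolver.

    blocked  : domains whose whole subtree is refused (label-aligned suffix match)
    allowed  : exact names that override a block (e.g. a legitimate host under a bad parent)
    upstream : constructed answers standing in for real recursive resolution
    """
    blocked: set = field(default_factory=set)
    allowed: set = field(default_factory=set)
    upstream: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def block(self, domain: str) -> None:
        self.blocked.add(normalize(domain))

    def allow(self, name: str) -> None:
        self.allowed.add(normalize(name))

    def matching_block(self, name: str) -> Optional[str]:
        """Return the blocklist entry covering `name`, or None.

        Walks suffixes on label boundaries, so 'evil.test' covers 'c2.evil.test'
        but not 'notevil.test' and not 'evil.test.example.org'.
        """
        parts = [p for p in normalize(name).split(".") if p]
        for i in range(len(parts)):
            suffix = ".".join(parts[i:])
            if suffix in self.blocked:
                return suffix
        return None

    def resolve(self, client_ip: str, qname: str):
        """Answer one query as (ip_or_None, verdict); blocked names get the sinkhole."""
        name = normalize(qname)
        rule = None if name in self.allowed else self.matching_block(name)
        if rule is None:
            verdict, answer = "allow", self.upstream.get(name)  # None stands in for NXDOMAIN
        else:
            verdict, answer = "block", SINKHOLE_IP
        self.log.append({"client": client_ip, "qname": name,
                         "verdict": verdict, "rule": rule})
        return answer, verdict

    def suspected_infected(self, min_hits: int = 2) -> dict:
        """Clients sinkholed at least min_hits times: candidates for incident triage."""
        counts: dict = {}
        for entry in self.log:
            if entry["verdict"] == "block":
                counts[entry["client"]] = counts.get(entry["client"], 0) + 1
        return {c: n for c, n in counts.items() if n >= min_hits}


def build_demo_resolver() -> DnsPolicyResolver:
    """Constructed blocklist, allowlist and upstream answers for the walk-through."""
    r = DnsPolicyResolver()
    r.block("malware-c2.example")   # constructed command-and-control domain
    r.block("botnet.test")          # constructed botnet domain
    r.allow("cdn.botnet.test")      # constructed legitimate exception under a blocked parent
    r.upstream.update({
        "www.example.org": "192.0.2.10",
        "cdn.botnet.test": "192.0.2.20",
    })
    return r


def run_demo() -> dict:
    """Replay constructed queries; return per-query answers and the triage list."""
    r = build_demo_resolver()
    queries = [
        ("192.0.2.100", "WWW.Example.ORG."),             # mixed case and trailing dot
        ("192.0.2.101", "beacon.malware-c2.example"),    # subdomain of a blocked domain
        ("192.0.2.101", "update.malware-c2.example."),   # same host beacons again
        ("192.0.2.102", "cdn.botnet.test"),              # allowlist overrides parent block
        ("192.0.2.102", "notbotnet.test"),               # not a label-aligned match
        ("192.0.2.103", "malware-c2.example.evil.org"),  # blocked string only as a prefix
    ]
    answers = {q: r.resolve(ip, q) for ip, q in queries}
    return {"answers": answers, "infected": r.suspected_infected(2)}


if __name__ == "__main__":
    demo = run_demo()
    for q, (ip, verdict) in demo["answers"].items():
        print(f"{verdict:5} {q:32} -> {ip}")
    print("triage:", demo["infected"])
```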


These are just three examples that we have found to be reliable, cost effective and easy for the small-to-medium size company to hedge against some of the infrastructure risks and bad behavior by employees. So what else could the savvy VP of Operational Risk inject into the organization to address some of the other types of "Insider Threat"?

Provided as a resource by the Association of Certified Fraud Examiners (ACFE), EthicsLine serves as an internal control tool through which companies can detect and deter fraud. Powered by Global Compliance, EthicsLine includes hotline, case management and analytics to empower organizations to prevent, detect and investigate instances of organizational fraud and abuse.

EthicsLine provides expertise and experience. As the power behind EthicsLine, Global Compliance introduced the original ethics and compliance hotline and is the largest provider of hotline, case management, and analytic solutions worldwide – supporting over 25 million client employees in almost 200 countries. Global Compliance also provides additional products and services that integrate with EthicsLine and protect an organization from fraud and abuse.


The employee who knows how to circumvent the "Rule Sets" of the Acceptable Use Policy for corporate digital assets may also be the same person who is stealing from the company. Whether they are stealing actual cash from the register, using vendor billing schemes or other occupational fraud tactics, they understand how to get around the control objectives. Operational Risk Managers need to look at the employee population as an ecosystem of risk in which a certain percentage of employees will be surfing Internet gambling sites and simultaneously misappropriating assets.

The more time you spend in OPS Risk, the more you understand the intersections with human behavior. The tools will assist you along the way, yet it is the day-to-day interaction with people that will help you predict where and how someone may be increasing the risk to your enterprise.

22 June 2010

Workplace Privacy: Ontario Prevails on Data Audit...

Operational Risk Management professionals in corporate America have been following the Quon vs. City of Ontario case for more than five years. Now the Supreme Court of the United States has ruled 9-0, bringing clarity to the new age of electronic privacy in the workplace. The LA Times explains:

Washington…In its first ruling on the rights of employees who send messages on the job, the Supreme Court rejected a broad right of privacy for workers Thursday and said supervisors may read through an employee's text messages if they suspect the work rules are being violated.

In a 9-0 ruling, the justices said a police chief in southern California did not violate the constitutional rights of an officer when he read the transcripts of sexually explicit text messages sent from the officer's pager.

In this case, the high court said the police chief's reading of the officer's text messages was a search, but it was also reasonable.

Police Sgt. Jeff Quon had sued the chief and the city of Ontario, California after he learned the chief had read through thousands of text messages he had sent to his wife and a girl friend. Quon won in the 9th Circuit Court of Appeals, but lost in the Supreme Court Thursday.


The scope of the employer's investigation was not unreasonable and fell within the scope of determining whether the large volume of text messages was work related. What kind of corporate risk initiatives will be impacted by this ruling?

As corporations continue to battle the "Insider" risk associated with occupational fraud, workplace-violence-related stalking or sexting, industrial espionage, corruption and violations of acceptable use policies, this case will become an example. The continuing challenge for OPS Risk professionals responsible for internal monitoring, digital asset audits and insider investigations of potential malfeasance is the scope and reasonableness of each case.

Get ready for a rush to the local Verizon Wireless or AT&T store for your own personal PDA or iPhone, given Justice Kennedy's ruling:

What’s more, Kennedy suggested that privacy in the modern age has more than one meaning.

“Cell phone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self identification. That might strengthen the case for an expectation of privacy. On the other hand, the ubiquity of those devices has made them generally affordable, so one could counter that employees who need cell phones or similar devices for personal matters can purchase and pay for their own. And employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated. “


If you are the CxO responsible for auditing digital assets within the enterprise, or the party responsible for ensuring privacy in the workplace, it's time to convene a two-day workshop to review. Take a few days to bring the legal, privacy, IT and business unit deal makers to the same hotel resort country club to converge on this vital issue. The Operational Risk is that executive communications previously thought to be private may be monitored and audited at any time company assets are being utilized.

The opportunity to work through different workplace related scenarios, highlight the legal rulings and discuss the "What if's" could mean the difference between adversarial litigation and "Achieving a Defensible Standard of Care."

This is also a good time to establish the foundation for the "Corporate Intelligence Unit" within the enterprise:

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provide a push/pull of information flow. Applying the correct tools, software systems and controls adds to the overall milestone that many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject.

11 May 2010

Information Threat: Battle for Superiority...

What continues to be the greatest economic threat to your organization? Is it "Internal" or "External" to your institution? Could it be both? Insiders rarely work alone, and therefore a nexus with some outside influence, whether a person, life factors or some other entity, is typically in play.

Is an engineer in R&D copying precious intellectual property from within the enterprise that could be worth hundreds of thousands or even millions to the highest competitive global bidder? Could your small business have an accounting supervisor who has been diverting funds to a private bank account for the past two years? Is it possible that a supplier or 3rd-party partner is inflating the number of billable hours on a project?

Whether it's IP Theft, Fraud or other white collar corporate malfeasance, these Operational Risks are real and growing at a double-digit percentage rate annually. The greatest economic threat to your organization could be complacency, or an apathetic staff that works without adequate resources and with little communication with the Executive "Powerbase".

The compliance and oversight mechanisms of federal governments around the world are in full swing as highly regulated critical infrastructure organizations are implicated in a myriad of corruption, scandal, ethics and criminal matters. Litigation is an Operational Risk, and many organizations have realized the necessity for more robust internal teams to address the continuous requests for information from the government.

There is one common denominator across all of the insider threats, external forces and other vectors that seem to be attacking our institutions night and day. That common denominator is "Information". Underlying this is the data and metadata that all too often ends up being the key or clue to finding the "Smoking Gun" and the source or person(s) associated with the scheme or attack on the organization.

Managing information on a mobile and interconnected planet is a major issue in any global company. Providing the tools and the right information faster and more accurately than the competition can be the difference in your own survival on the corporate battlefield. So how does the CxO suite even begin to address the risks, opportunities and resilience in our demanding information-centric environment?

They believe in having a strong culture of ethics, training and continuous monitoring of employees, systems and their supply chain. They understand the importance of providing vital resources to the people on the front line of risk management and of making sure that their early warning systems and methods are not compromised. This new breed of CxOs is leveraging information to their most significant advantage:

Goldman Sachs isn’t the only firm that made a trading gain every day last quarter.

JPMorgan Chase reported positive trading revenue every day in its first quarter, according to a regulatory filing posted Monday. The firm said that its average daily revenue was $118 million.

The achievement is remarkable for both Goldman and JPMorgan — and yet may serve as another target for legislators eager to restrain the trading activities of banks.

What could account for the phenomenal trading results at both firms? Both would claim strong risk management — especially since both emerged from the financial crisis stronger than their rivals. But the surging markets, especially those in fixed income, surely played a role as well.

Whether you are trading in a marketplace, analyzing assets on a map or manufacturing widgets and selling them to qualified buyers, operational risk management begins and ends with information. Managing that information more effectively and more accurately than your competition is the name of the game. What have you done today to ensure your survivability in the face of the next crisis?

Goldman Sachs Group Inc. lawyers met this week with representatives of the Securities and Exchange Commission in a first step toward a potential settlement of the agency's fraud lawsuit against the securities firm.

The two sides remain far apart. The preliminary settlement talks, held Tuesday, between Goldman co-general counsel Gregory Palm and other lawyers representing the New York company and SEC officials didn't include any specific settlement terms, such as the amount of a fine or agreements Goldman could make with the agency, people familiar with the situation said.

24 April 2010

FCPA: OPS Risk in Pharma & Small Business...

If you are a large U.S. based pharmaceutical company the odds are that over a third of your annual sales are overseas. Selling drugs in the EU, Asia and South America into the health care systems is a tremendous pipeline for Eli Lilly, Pfizer and others who find these markets hungry for their products. What kind of Operational Risks might exist for these firms and should be on "Red Alert" status with the General Counsel?

The DOJ is currently pursuing 120-130 FCPA investigations, and now it has set its sights on enforcement in the pharmaceutical industry where on an annual basis “close to $100 billion dollars, or roughly one-third, of total sales … [are] generated outside of the United States.” The DOJ’s new focus stems in part from the fact that many foreign health systems are regulated, operated and financed by government entities, and competition is intense, which creates more opportunities to “pay off foreign officials for the sake of profit,” and a perceived need for greater supervision from law enforcement.

The head of the Criminal Division of the United States Department of Justice (DOJ), Assistant Attorney General Lanny A. Breuer, has indicated the Division's interest in looking at this industry with increased scrutiny. So if you are a General Counsel at one of the companies in the cross-hairs of the government, what are you doing about it?

First, you have to call together the right people and create your own internal FCPA Task Force within the enterprise. The General Counsel's Office has the lead on bringing together four to six people from Sales & Marketing, Finance, Information Technology, and Internal Audit. This team will have the autonomy, funding and jurisdiction to work specifically on the vulnerabilities that exist on a global basis.

Second, you have to understand the culture, the governments and the "Ground Truth" in each country you sell your pharmaceuticals in, and map the processes and the people associated with the health care systems, hospitals or the military that are the actual consumers of the medicines and drugs.

Finally, you have to educate your work force on the fact that pharmacists, doctors, lab technicians and other health care consultants may indeed be officials of the government of that country based upon who they work for. Why is this important?

The FCPA's legal definition of a foreign official is broad. In some countries, if the medical institutions are owned by the government, it's entirely possible that almost everyone who works in these facilities could be considered a foreign official under the FCPA. So what is the task force going to do to ensure that the company does not violate the law?

Beyond the focus on compliance and education of employees, there is much work to be done within the enterprise on the collection, analysis and use of relevant information. Predictive analysis of data coming from the CRM, ERP and other open sources can provide the task force with the "Corporate Intelligence" and "Red Flag" warning needed to prevent a violation of the law. The company's ability to use data collection and predictive analytics not only helps head off a DOJ investigation but can also support voluntary disclosure to the government.

Wait a minute. You mean, tell the government that we have identified a violation of the law and bring on the wrath of the law and the possible impact on our corporate reputation? Yes, and this is why.

Under Federal Sentencing Guidelines, those organizations that do a rigorous internal investigation and share the results with the government can avoid such sanctions as the mandate for a costly independent compliance monitor. Deferred prosecutions are not unheard of and the government can in some cases help you save money in terms of getting fines on the lower end of the sentencing guidelines.

The General Counsel's "Corporate Intelligence Unit", focused on the analytics of relevant data and combined with the education, awareness and compliance processes, will be well on its way to keeping the legal risk and Operational Risk events associated with the Foreign Corrupt Practices Act (FCPA) from impacting the global pharmaceutical enterprise. And just when you think that the DOJ is only looking at the Fortune 500, think again:

More focus on small and mid-sized companies: As part of their increased FCPA-related efforts, the DOJ and SEC are expected to look more at small and mid-sized firms which do business overseas. The majority of such companies have a small established compliance program, or none at all, yet some may conduct billions of dollars in foreign transactions.

Companies that are not household names have long believed that they were under law enforcement’s radar. Smaller firms have also thought that the DOJ would not expend the resources to investigate their overseas sales. That comfortable illusion no longer exists.

If you are a small disadvantaged supplier to a large Defense Industrial Base (DIB) company working on a sub-contract, then you too should be standing up your FCPA Task Force now:

On January 18, 2010 twenty-two business executives were arrested and over 100 FBI agents conducted related searches. These actions were based on sealed federal indictments handed down by a grand jury several weeks earlier, which in turn stemmed from a two-and-a-half year undercover operation. The indictments claimed that the defendants believed that they were involved in a scheme to acquire a US$15 million defense contract to outfit the presidential guard of an unnamed country. They allegedly agreed to pay a 20 percent bribe to a sales agent, supposedly representing the defense minister but really an undercover FBI officer. This was the first large-scale use of undercover law enforcement techniques to investigate Foreign Corrupt Practices Act (FCPA) violations.

22 March 2010

Legal Risk: Forensic Intel for Investigations...

A wide spectrum of Operational Risk incidents is in the news. Executive Management in the private sector, law enforcement and the military are investigating cases of identity fraud, cyber hacking and insider digital sabotage, transnational economic crime, intellectual property theft, ACH cyber robbery, counterfeiting, workplace violence and industrial espionage. Government agencies and regulatory authorities are increasing oversight, compliance and reporting requirements for the private sector and federal contractors. Inspectors General and Internal Affairs are addressing whistleblower claims and internal corruption. Homeland security and "Connecting the Dots" are on almost every American's mind.

All of these Operational Risk Management (ORM) challenges require comprehensive, efficient and legally compliant intelligence-led investigations to establish the ground truth and then to enable a "DecisionAdvantage." The legal framework that establishes your organization's ability to provide a "Duty to Care", "Duty to Warn", "Duty to Act" and "Duty to Supervise" is imperative.

When does information that is collected become a violation of a person's privacy or legal rights? At the point it is collected from a source, or at the point, and in the manner, it is analyzed by a human? These questions and more will be discussed as the dialogue pursues the latest challenges in Forensic Intelligence, a fast and forensically sound data acquisition, analysis and review solution for front line officers from the corporate investigations, law enforcement and government communities.

These Intelligence-led investigations also leverage new forensically sound methods and proven legal procedures for the collection of digital data from a myriad of technology platforms, including laptops, PDAs, cell phones and more. These methods have been tested and certified in the forensic sciences for decades and follow many of the legally bound and court tested rules associated with evidence collection, preservation and presentation. Digital Forensic tools and 21st century capabilities enable global enterprises, law enforcement and governments not only to discover what they are looking for but also to use it in a court of law to find the truth.

02 March 2010

ID Risk Management: Dubai Investigation Links to Workplace Violence...

What is your name? Where do you live? What is your phone number? Where were you born? What is your social security number? What is your passport number? Where was it issued? What evidence do you have that this is all true? Your identity is at stake and Operational Risk Management is on the line.

These questions and more are asked of us on a regular basis to establish our true identity. The entity asking these questions is considering whether to grant you access. Access to what? It could be to establish an account at a banking institution, get a driver's license or become a member of a trusted community of people. Or it could be a country deciding whether to grant you a visa to visit or work for a period of time.

SOCA is in the midst of interviewing people who had their identity stolen. This investigation is about a form of ID Theft that goes beyond the international scandal associated with the Dubai homicide incident. The Washington Post reports:

Agents from Britain's Serious Organized Crime Agency are in Israel investigating the use of forged British passports by people who Dubai officials allege were part of an assassination squad run by Israel's Mossad spy agency. The 27 members of the group used European or Australian passports -- some forged -- to enter Dubai, officials say. In several cases, the names and other information on the passports matched those of Israeli citizens who hold dual nationality and who claim that their identities were "borrowed" by those involved in the operation.

Two SOCA agents will interview the 10 British-Israelis who were affected and issue them new passports, a British Embassy spokesman said. According to Israeli news reports, Australian investigators are planning a similar visit. The European Union last week condemned the use of forged travel documents in the killing of Hamas commander Mahmoud al-Mabhouh, without mentioning Israel specifically.


Whether you are the UAE admitting people into your country, or a Global 500 company allowing someone access to your corporate facilities, digital assets or place of business, you must have ways to effectively validate who people say they are and who they really are. Even if you asked all of the questions above in the early stages of the company hiring process, would you really have the entire picture? This changes over time and with events in a person's life. Identity Management, and the use of both "known to many" and "known to few" attributes about who you are and who you know, is a reality in today's blur of global commerce.

When a country has a breach of security, admitting people who are not who they purport to be, is it any different in the context of a Defense Industrial Base company headquartered in Chicago, IL or an Investment Banking firm in Geneva, Suisse? What differ are the motives and the outcomes of the fraudulent acts.

What are the current arguments and the leading reasons why our policies, methods and tools associated with Identity Management are in a state of chaos in the United States? The FTC's latest report gives you a better idea of the breadth of the privacy problem being addressed:


The Federal Trade Commission released a report listing top complaints consumers filed with the agency in 2009. It shows that while identity theft remains the top complaint category, identity theft complaints declined 5 percentage points from 2008.

The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted.

The top complaint was Identity Theft, which accounted for 21% of all complaints for the year.

A complete list of complaints can be found at: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.


What is interesting is that the same people who are coming to work every day with their TWIC or CAC cards are also victims of ID Theft as consumers. The same individuals who walk into the SCIF or the bank vault may very well be people who have active investigations going on regarding their identity being used to perpetrate crimes or other fraudulent motivations. So what are some of the most important issues on the Identity Management horizon?

Behind every breach and every incident there is a root cause: a failure in people, process, systems or an external factor that opened up the vulnerability the attacker exploited to obtain their objective. The issue is Continuous Monitoring, and it is addressed, of all places, in Appendix G of US NIST SP 800-37, which illustrates why continuous monitoring is critical, especially for information systems:

Private Sector companies have a duty to invest in resources, policy refinement and new methods or tools to keep continuous monitoring as vigilant as possible:

"Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. A well designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation"


Whether you are the United Arab Emirates or the University of Alabama-Huntsville the Identity Management problem is much the same. David Swink at Psychology Today has this to say on the other growing virus named "Workplace Violence" that is invading corporate America:


In the aftermath of school and workplace attacks, it is often discovered that there were warning signs that the perpetrator was moving down a path toward violence. In some circumstances, people reported the troubling behavior and the information was not forwarded to the people who could prevent an attack. Sometimes the troubling behavior didn't reach a threshold, in the judgment of the person receiving the report, that something needed to be done. There is often confusion about what information can or cannot be shared under privacy laws like FERPA or HIPAA.

Threatening behavior may come to the attention of multiple departments within an organization that generally don't share information with each other. Without clear policies, procedures, and training, large organizations may find it challenging to channel widely dispersed information about potential threats to a central reporting entity.

With a single report of threatening behavior, the situation may not look that bad, but when the other "dots" are connected, a clear image emerges that this person is someone that needs to be assessed and managed in order to prevent violence.


Much of what we know about our employees is found in their HR files, background reports (if ever done) and what co-workers say about their behaviors in the workplace. Corporate Security, Risk Management, General Counsel, Information Technology, Public Relations and even the EAP (Employee Assistance Program) executive managers shall create, maintain and continuously operate a Corporate Intelligence Unit and Threat Assessment Team. Without it, the consequences of not knowing a person's true identity or current state of mind could cost you more than the loss of life. It could cost you your global reputation.

23 February 2010

NIS: Homeland Security & Economic Espionage...

The National Intelligence Strategy (NIS) of the United States was published in August of 2009.

The tone at the top of your enterprise will go a long way if you ever end up in litigation associated with the Economic Espionage Act of 1996 or even the Foreign Corrupt Practices Act. As a CxO with the ultimate responsibility for the resilience of your organization, pay attention. The internal threats to your Global 500 company and the Operational Risks associated with the following Mission Objectives are the focus of this posting:

  • MO4: Integrate Counterintelligence
  • MO5: Enhance Cybersecurity

The U.S. NIS spells out these two mission objectives, and for good reason. One reason may be obvious; we have all heard it before. 80+% of the nation's critical infrastructure is owned and operated by the private sector. The reason the Energy, Financial, and other heavy R & D sectors are being subjected to more attacks by insiders is that these assets are the most valuable in the eyes of the enemy.

The other reason that these two areas are called out in the National Intelligence Strategy is because these are the country's greatest vulnerabilities. So what can a private sector Board of Directors be doing these days to address the two mission objectives that have the greatest nexus with being vigilant and creating the correct "Tone at the Top":

  • Implement Human Factors Analysis and Risk Assessments on employees, partners, suppliers and 3rd parties.
  • Revitalize, Energize and Capitalize on redesigned policy governance, integrity management and a sound legal framework.
  • Create an aggressive corporate executive intelligence and anti-fraud program that is integrated into a robust risk management ecosystem.
  • Develop wellsprings of knowledge that engage people in a dialogue focused on intellectual property, valuable corporate assets and their nexus with national security.

The preparation for enterprise disasters has been going on in the Operational Risk environment for years. Even in the most sophisticated companies, these efforts have included the implementation of IT related disaster recovery programs and plans (DRP) as mandated by rules and laws regarding Business Continuity and Continuity of Operations. When and how often these are exercised is another matter.

The crisis management plan is sitting on the shelf next to the DRP, or might even be another tab in the same three ring binder. And who knows, perhaps some Director of BCP has even convinced senior management to use an EOC portal. These are all fundamentals, baseline items for every organization to have soon after establishing itself in business.

What is still being left out, and not considered a priority, are the two items highlighted above from the United States National Intelligence Strategy, MO4 and MO5. These two items should be an Operational Risk Management priority for the Board of Directors in each Global 500 company. Why?

USAO/Southern District New York, 11 Feb 10: Mr. Aleynikov was indicted today on charges related to his theft of proprietary computer code concerning a high-frequency trading platform from his former employer, Goldman Sachs. Aleynikov was previously arrested and is expected to be arraigned in Manhattan federal court at a later date.

Beginning at approximately 5:20 p.m. on June 5, 2009 – Aleynikov's last day working at Goldman Sachs — Aleynikov, from his desk at Goldman Sachs, transferred substantial portions of Goldman Sachs’s proprietary computer code for its trading platform to an outside computer server in Germany. Aleynikov encrypted the files and transferred them over the Internet without informing Goldman Sachs. After transferring the files, Aleynikov deleted the program he used to encrypt the files and deleted his computer’s “bash history,” which records the most recent commands executed on his computer.

In addition, throughout his employment at Goldman Sachs, Aleynikov transferred thousands of computer code files related to the firm’s proprietary trading program from the firm’s computers to his home computers, without the knowledge or authorization of Goldman Sachs. Aleynikov did this by e-mailing the code files from his Goldman Sachs e-mail account to his personal e-mail account, and storing versions of the code files on his home computers, laptop computer, a flash drive, and other storage devices.


The theft of trade secrets, economic espionage and the movement of data that may have business oriented implications may also have national security impacts. Whether it's going to a competitor or into the hands of foreign entities is not the priority issue. Let's be very specific on this point.

If the vital secret, intellectual property or other data is copied, then how do you know it's missing from your organization? Sensitive, classified or otherwise proprietary information that is copied and then sold or given to competitors, adversaries or our enemies requires a whole new mindset and a whole new approach to deter, detect, defend against and document this behavior in the enterprise.

Aleynikov, 40, is charged with one count of theft of trade secrets, one count of transportation of stolen property in foreign commerce, and one count of unauthorized computer access. If convicted on these charges, Aleynikov faces a maximum sentence of 25 years in prison.

A competitive intelligence case in which intellectual property is transferred to another U.S. company may be just as harmful to the economic fabric of our country. What is more alarming, and perhaps the final questions on Operational Risk Management, are these:

  1. What do we know?
  2. When did we know it?
  3. What are we going to do about it?

The Board of Directors will be asking these as the crisis unfolds. The law enforcement investigators will be asking these soon after the immediate incident. The last, and perhaps the most painful, of all the people who will be asking these questions are the lawyers during your deposition and in the court room. Those questions and more will be asked from the front lines of the Goldman Sachs trading pit battlefield to the highly polished tables inside the corporate Board Room.

Revisit the Mission Objectives (MO) in your organization that pertain to MO4 and MO5. It may mean the difference to your corporate shareholders, or to all the citizens of the United States of America.

05 February 2010

Legal Risk: Early Case Assessment...

After a few days at LegalTech New York this week, it's now confirmed that a very small percentage of small to medium enterprises (SME) are truly ready for the Operational Risk of litigation. How can a General Counsel achieve a defensible standard of care in this vast sea of software, technology and vendors that are trying to address the modern day business problem called "Electronically Stored Information" (ESI)?

Yet the likes of Bank of America and the Attorney General of New York are well aware of the importance of the "Meet-and-Confer" process as the allegations of fraud look for the "Digital Smoking Gun". Let the metadata wars begin:

Legal action has begun against Bank of America and its former bosses, accusing them of duping investors and taxpayers during the takeover of Merrill Lynch.

The defendants are accused of intentionally withholding details of huge losses Merrill was suffering.

New York state officials have filed the action against the bank, former chief executive Kenneth Lewis and former chief financial officer Joseph Price.


Principle 12 to the Sedona Principles states: Absent party agreement or court order specifying the form or forms of production, production should be made in the form or forms in which the information is ordinarily maintained or in a reasonably usable form, taking into account the need to produce reasonably accessible metadata that will enable the receiving party to have the same ability to access, search, and display the information as the producing party where appropriate or necessary in light of the nature of the information and the needs of the case. Sedona Principles 2d Principle 12

The issues faced by legal counsel at large Fortune 50 organizations are no different from those of the Small to Medium Enterprise when it comes to the "Meet-and-Confer." Deciding what is relevant and the scope of eDiscovery is increasingly about the economics of litigation. Law firms are trying to reduce their costs and the impact of billable hours on their clients, and General Counsels are making sure that internal IT records management tasks are a top priority.

What many vendors at LegalTech are advocating, in both process and tools, is the idea of Early Case Assessment (ECA). In other words, the Plaintiff is going to have to show their hand early and without sleight of hand. This interview with the Hon. James Holderman explains:

Editor: Doesn't that pretty much move in the direction of requiring the plaintiff to provide specific facts about the basis for the complaint? How can the discoverable "ESI" to be preserved and produced be determined unless the plaintiff comes forward with the specific facts on which its case is based?

Holderman: It cannot be done, and that is why the plaintiff needs to cooperate by divulging that information at the outset. Hiding the ball is a concept from the last century that can't be a part of present-day litigation. This is reflected in the Supreme Court's decisions in Iqbal and Twombly. Discovery is expensive and let's get the information out early. What is the benefit of bare-bones pleadings when the expense of e-discovery is so great? If the plaintiff has information then let's see whether the plaintiff has a sufficient basis for going forward to withstand a motion for summary judgment.


Where is the information you seek? In more places than you may realize, as the investigation, forensics collection and rules of evidence are engaged. The risk of sanctions is real. The analysis of custodians' BlackBerry e-mails, BBMs and just plain text messages will be overwhelming as the Attorney General builds the case for fraud. The US Treasury, Federal Reserve and other government agencies will also be producing terabytes of data for the inquiry.

Regardless of the approaches taken by the General Counsel at Bank of America or Merrill, the key risk items that they should have been addressing with outside counsel long before this trial include the following topics, again from LegalTech:

  • Cloud-based email and records management provides a new approach for cost-effectively managing law firm content
  • Securely archive information assets and maintain compliance with all regulatory standards, including the FRCP
  • Meaning Based Computing to enable automatic categorization of ESI for the application of retention policies
  • Sophisticated retention policies that enable non-critical data to be purged appropriately
  • The ability to easily and transparently retrieve archived data, prepare the data for potential future legal holds or preservation, and to rapidly respond to a litigation and investigation pertaining to the firm
  • How has legal changed the way we think about back-up?
  • What does "inaccessible" mean in discovery?
  • How can you implement a reasonable, defensible information management strategy that reduces risk?

As a law firm you always have to look at the fine print. B of A's procedures with outside counsel are available for review online:

These Procedures shall constitute the written engagement, or contract, of the firm for any matter for which it is engaged on behalf of Bank of America, and shall govern the terms of the engagement. These Procedures are applicable to all law firms and attorneys providing legal services to Bank of America. Law firms retained by Bank of America should ensure that a copy of these Procedures is provided to all attorneys, paralegals, administrative, clerical or other assistants assigned to a particular matter before work begins on any matter.

22 January 2010

Intelligence-led Investigations: DecisionAdvantage...

Operational Risk incidents are surrounding us on a global basis. The continuity of operations in the rescue and relief efforts in Haiti. The security of information and Internet politics with Google and 30+ other companies. A growing AQAP threat after Ft. Hood and NW 253, while converts to Islam flock from US prisons to Yemen to drink the "Shariah" Kool-Aid. The economic integrity of global banking, with new rule-sets and oversight on how banks are structured in order to mitigate systemic risk.

All of these Operational Risk Management (ORM) challenges require the same intelligence-led investigations to establish the ground truth and then to enable a "DecisionAdvantage."

"Whoever wishes to foresee the future must consult the past; for human events ever resemble those of preceding times. This arises from the fact that they are produced by men who ever have been, and ever shall be, animated by the same passions, and thus they necessarily have the same results." --Machiavelli

When does information that is collected become a violation of a person's privacy or legal rights? At the point it is collected from a source, or at the point in time when it is analyzed by a human?

Intelligence-led investigations include the use of automated Internet bots to trawl the Internet and open source content (OSINT) for what the collectors are looking for. This begins with a hypothesis, followed by the development of an algorithm to carry out the automated collection.

These intelligence-led investigations also include the use of new forensically sound methods and proven procedures for the collection of digital data from a myriad of technology platforms, including laptops, PDAs and cell phones. These methods have been proven and certified in the forensic sciences for decades and follow many of the legally binding and court-tested rules associated with evidence collection, preservation and presentation. Digital forensic tools and 21st century capabilities enable global enterprises, law enforcement and governments not only to discover what they are looking for, but to use it in a court of law to find the truth.

The monitoring and collection of information associated with people raises questions at the intersection of context, relevance and legality: how it is stored, how it is analyzed, and when it is destroyed. The ability to do this effectively inside the walls of the global enterprise corporate headquarters, the Regional Fusion Center or the National Counterterrorism Center (NCTC) is at stake.

DecisionAdvantage is a term that carries the connotation of competition, safety or defeating an adversary, but only one will apply as you begin to understand the environment and the circumstances under which the information is being utilized for one or the other. If you are deciding on the safest and most suitable drop points for water, food and medical triage supplies in Haiti, those decisions are being made with information collected from satellites, humans, and the national geological scientists at CalTech. It isn't until you take all of these elements into context and establish relevancy with human brainpower that you can make an informed decision, one that gives you an advantage of improved safety and security in achieving your goal.

Investigators or analysts who leverage software, hardware and telecommunications infrastructure to arrive more efficiently at answers to the hard hypotheses or questions being asked must improve their training, education and awareness of the associated human factors. Predicting human behavior is difficult if not impossible. What is more realistic is the utilization of automated systems to assist the human in trying to achieve a DecisionAdvantage. Proving the ground truth is a challenge in a court of law, in front of a jury, and so too when it comes to declaring a cyber attack from another nation state. According to Jeffrey Carr and his Grey Goose Project, here is why:

When sensitive or classified data faces cyber attack, why can’t governments – or organisations – identify the culprits with any conclusivity?

A state cannot respond to concerted assaults by hackers with anything more potent than a diplomatic protest – which will be met with a firm denial by the accused government or body. There isn’t even agreement on what constitutes “cyber warfare”. As an expert in cyber warfare intelligence, I have researched the legal complexities and multiple strains of conflict, with the aim of trying to identify which acts qualify as cyber war.

What is undeniable is that politically-motivated attacks are becoming more frequent and sustained. Amazingly, none of the assaults on security shown (right), all of which have occurred in the last 18 months, qualify as an act of “cyber war”. The only issue that has been defined by international agreement is a nation’s right to self-defence when attacked, which, for the moment at least, applies only to the traditional manner of attack, ie, “armed” attack. From some adversaries’ point of view, this makes the internet an ideal battleground.

The eight events described opposite have all been characterized by various media sources as acts of cyber war. But definitive “attribution” – the smoking gun – was rarely achieved. The problem is that the internet was not built to be a secure platform. Its architecture inherently supports anonymity. As a result, a purely technical analysis of cyber attacks has almost never been successful at producing definitive proof, the cyber equivalent of DNA evidence.

For 18 months I and my colleagues in the Grey Goose Project have investigated Russian cyber attacks on Georgia in 2008, and we believe governments must adopt a new method of determining attribution, taking into account the policy of a state, regional events and intelligence. In addition, we apply the tried and trusted criminal investigation test of means, motive, and opportunity. I hope the attack on Google and its inevitable departure from China’s internet will trigger a broader awakening about the need to define what we call cyber warfare.


"History, by appraising...[the students] of the past, will enable them to judge of the future." --Thomas Jefferson

05 January 2010

Deja Vu: Operational Risk in Decade Past...

The WWW is dynamic, and the operational risks you take while navigating its vast depth and breadth are part of the process. Who or what should you trust? As an example, at this very moment when you search Google for Operational Risk Management it returns this blog as the #1 link. Perhaps that is how you arrived here at this blog on Operational Risk.

You trusted Google that when you clicked on the link you would find relevant information on your desired topic. Or perhaps you navigated to this site devoted to Operational Risk Management because one of the almost 1,000 postings since 2003 covered your question, topic or issue. In both cases, the information returned may have relevancy, but only after careful examination of the words, concepts, ideas and arguments do you make the decision on whether to "Bookmark" this site.

And for the many that have bookmarked us or added us as your RSS Feed then we know who you are. Our mutual quest for the relevancy of "Operational Risk Management" in the current world we live in will continue. With each new incident, accident, or breach our purpose is further defined and more extensively documented.

As we encounter 2010 and the next decade we promise to provide the content you require and the relevancy to your role in the profession. Let's go back in time for a minute and see if any of our previous posts over the past 7 years have a point today:

28 October 2003

More banks hit by email fraud


U.S. Issues Saudi Alert Saying Terrorists Targeting Airlines


24 February 2004


Greenspan: Curb Fannie, Freddie Growth


24 June 2005

Negative Stock Price Reaction to Announcements of Operational Loss Events...


31 December 2006

Remember His Name: The Long War Ahead...


24 May 2007

Hedge Funds: Crystal Ball on Regulation...


11 October 2007

Fear: The Elements of Prediction...


31 March 2008

Volatility: Enemy #1...


08 May 2008

Legal Ecosystem: Survival of the Fittest...


22 September 2008

Decision Advantage: OPS Risk Intel...


25 April 2009

Human Factors: Early-Warning System...


17 August 2009

Business Resilience: Beyond Readiness...


Are you having a deja vu moment? A flashback to the future. Why is it that "lessons learned" are continuously ignored? Forgotten. Lost. History, and the knowledge of that history, can save you. Some use log analysis of their precious computing resources, firewalls and IDS/IPS systems to learn from the past. Others don't remember the last time they fell down the stairs, slipped on the ice or banged their head. Even those individuals who have been on the other side of the desk when the "Boss" is making their position "Extremely Clear" about their performance measures are subject to having a deja vu moment.

Operational Risk is a daily and continuous 24x7x365 process. A way of life. Not an event or a meeting at the end of the quarter. Each person and stakeholder at your organization or institution is responsible for it and should live each day embracing it. We like to say, Operational Risk Management saves lives, protects corporate assets and enables global enterprise business resilience. That's something everyone can remember, practice and strive for every waking moment and in every situation.

What do you think?