29 August 2010

Digital RubiCON: The Fifth Domain...

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk, have not only expanded, they have become invisible.

Ru·bi·con
1. a river in N Italy flowing E into the Adriatic

2. Rubicon, to take a decisive, irrevocable step

This "Digital Rubicon" before us, to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain, will not be as easy as the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined by not only nation states but the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online and what has worked in the physical world, may also work even better in the cyber-centric environment. Corporations are increasingly under estimating the magnitude of the risk or the speed that it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks incidents has everyone on full alert. As the government has outsourced the jobs that will take too long to execute or that the private sector already is an expert, operational risks have begun to soar.

As the private sector tasks morph with the requirements of government you perpetuate the gap for effective risk mitigation and spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin it's quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome, is to finally cross that "Digital Rubicon" and realize that you no longer can control it.

The first step in any remediation program, is first to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.

Washington Post: US eyes preemptive cyber-defense strategy: "The command - made up of 1,000 elite military hackers and spies under one four-star general - is the linchpin of the Pentagon's new strategy and is slated to become fully operational Oct. 1.

Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.

"We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."

Another senior defense official said, "I think we understand that in order for us to ensure integrity within the military networks, we've got to be able to reach out as far as we can - once we know where the threat is coming from - and try to eliminate that threat where we can."