Saturday, May 28, 2011

OPSEC: TQM in the Defense Industrial Base...

OPSEC in the Defense Industrial Base (DIB) has been on high alert since the RSA SecurID vulnerability was revealed several months ago. The Operational Risk Management discipline is now ever more pervasive in the private-sector companies that carry outsourced national security programs. When top secret information is at risk, the game plan shifts from a single-company incident to a federal priority.

By Jim Finkle and Andrea Shalal-Esa

BOSTON/WASHINGTON, May 27 (Reuters) - Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters.

They breached security systems designed to keep out intruders by creating duplicates of "SecurID" electronic keys from EMC Corp's (EMC.N) RSA security division, said the person, who was not authorized to publicly discuss the matter.

It was not immediately clear what kind of data, if any, was stolen by the hackers. But Lockheed's and other military contractor networks house sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.



The SecurID hack has been an eye-opening wake-up call for those Operational Risk professionals who are charged with keeping information safe from foreign adversaries. The "One-Time Password" (OTP) marketplace is gearing up for a dramatic shift. Organizations such as EMC, the parent of RSA, are still backpedaling from the crisis and cooperating with three-letter U.S. agencies to determine the culprits. Not only do organizations such as Lockheed Martin hold the nation's major weapons systems contracts, they are also prime contractors for defending the cyber security networks across the government.

So what is the answer for keeping nation-states across the globe from continuously probing and successfully compromising secret systems and networks by attacking authentication tools such as SecurID?

The answer lies within the private sector's approach to quality assurance in software development. The vulnerability that all security-based companies and Defense Industrial Base companies face is the flaws in their software quality assurance practices. It is well known that any software development process includes a testing phase to determine whether the product requirements have been satisfied. Yet in the software development lifecycle, the QA testing phase is still the most neglected and understaffed. Raising the bar on software quality testing is not the only answer; it is just one facet of a security mosaic that continues to be a major challenge.

Total Quality Management (TQM) initiatives should not only be mandated within software development organizations; the Defense Industrial Base also needs to require new levels of software code testing from the companies that are charged with securing the secrets of the company and the nation. As each new product or software version is launched into the marketplace, it should carry a label that discloses how diligent the vendor was in testing the software for defects. Reducing those defects before the product lands in the hands of the consumer is one major path to reducing the vulnerabilities behind such serious breaches of trade secret or national security information.

Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) – that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life.



What will soon be the norm in the software development industry is the TQM mind-set that has been at the forefront of other manufacturing industries for decades. Once the regulators get the gears rolling, the private sector will finally change and work towards "Six Sigma" in software, in combination with more effective approaches to Operational Risk Management:

The approach to managing operational risk differs from that applied to other types of risk, because it is not used to generate profit. In contrast, credit risk is exploited by lending institutions to create profit, market risk is exploited by traders and fund managers, and insurance risk is exploited by insurers. They all however manage operational risk to keep losses within their risk appetite - the amount of risk they are prepared to accept in pursuit of their objectives. What this means in practical terms is that organisations accept that their people, processes and systems are imperfect, and that losses will arise from errors and ineffective operations. The size of the loss they are prepared to accept, because the cost of correcting the errors or improving the systems is disproportionate to the benefit they will receive, determines their appetite for operational risk. Events such as the September 11 terrorist attacks, rogue trading losses at Société Générale, Barings, AIB and National Australia Bank serve to highlight the fact that the scope of risk management extends beyond merely market and credit risk.

As OPSEC evolves in the Defense Industrial Base, the risk appetite and TQM conversation will continue to be on the agenda. The degree to which it makes it to the boardrooms of EMC still remains to be seen.