Sunday, October 30, 2011

Arab Spring: Information Operations Risk Management...

The Operational Risks associated with doing business on an international scale are nothing new. Global companies have for years been subjected to laws in the U.S. that are highly scrutinized by the Treasury Department. The Office of Foreign Assets Control (OFAC) is one such office. Companies in several key industry sectors, including financial services, have been obligated to know who they are doing business with through KYC (Know Your Customer) programs. This complies with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) laws. The Commerce Department has the U.S. Bureau of Industry and Security.

While compliance in any business is one of those areas that in many cases may seem burdensome, it is only one aspect of a total risk management strategy in the enterprise. One industry group that may have underestimated the magnitude of compliance and an effective export control operation is the high technology sector. During the next decade, as emerging markets are building new communications infrastructure, this will be even more important; perhaps not for the reasons one would normally think about.

Information Operations (IO) are alive and well within the ranks of official and clandestine forces around the world. Why is John Q. Public surprised to hear this news? The political aspirations of new and rising factions within nation states have found the tools of the Internet and "Social Media" to instigate and to perpetuate non-kinetic components of asymmetric warfare. Now, technology companies in the United States must be ever more cognizant of the risk implications associated with this social, political and military nexus. Here is more from the WSJ:

By JENNIFER VALENTINO-DEVRIES, PAUL SONNE and NOUR MALAS
A U.S. company that makes Internet-blocking gear acknowledges that Syria has been using at least 13 of its devices to censor Web activity there—an admission that comes as the Syrian government cracks down on its citizens and silences their online activities. Blue Coat Systems Inc. of Sunnyvale, Calif., says it shipped the Internet "filtering" devices to Dubai late last year, believing they were destined for a department of the Iraqi government. However, the devices—which can block websites or record when people visit them—made their way to Syria, a country subject to strict U.S. trade embargoes.

Discussions on the intersection of "The Arab Spring" and "Social Media" have been going on now for well over 9 months in the published press. One can only imagine that Google, Facebook and Twitter management have, behind closed doors, been entertaining conversations from a myriad of .ORG and .GOV entities on this very subject. This week, the dialogue has taken on a more serious tone with comments from U.S. Secretary of State Clinton regarding Iran in the Washington Post:

By Thomas Erdbrink, Published: October 29
TEHRAN — An Iranian police unit that was formed this year to counter alleged Internet crimes is playing a key role in an escalating online conflict between the United States and the Islamic Republic. The “cyber police” force is part of a broad and largely successful government effort to block foreign Web sites and social networks deemed a threat to national security. Iranian officials say they must control which sites Iranians are able to visit, to prevent spying and protect the public from “immoral” material. The United States, they charge, is waging a “soft war” against Iran by reaching out to Iranians online and inciting them to overthrow their leaders. Secretary of State Hillary Rodham Clinton on Wednesday played into such accusations, saying U.S. officials had asked Twitter, the social networking site, to postpone online maintenance in 2009 so that it would be available for Iranian anti-government protesters organizing demonstrations against President Mahmoud Ahmadinejad’s disputed election victory. Iran’s state radio responded Thursday, citing Clinton’s comments as proof that Washington is using U.S. Internet companies to influence events inside Iran. Tensions between the two countries are high following allegations that an Iranian American citizen had plotted to assassinate the Saudi ambassador to Washington at the behest of the Quds Force, an elite branch of Iran’s Revolutionary Guard Corps. Iran has denied the accusations, but the United States has called for tougher sanctions against Tehran.

Again, where have John and Jane Q. Public been for the past few years? This is not new news to those who have been watching the growth of mobile communications and the explosion of the "Internet of Things." The utilization of wireless mobile communications and its intersection with social media apps in civilian environments is here to stay. How these consumer-based applications have now been leveraged for situational awareness and information operations is exploding across the emerging nations, where the Internet is now gaining even more ubiquitous use.

What this means for risk managers in the C-Suites of major technology companies is a heightened sensitivity and awareness to the ways your tools and capabilities could be utilized in the hands of the wrong end user. This is no different than the unleashing of certain tools like Metasploit to help understand vulnerabilities within the confines of the corporate enterprise. These same tools could be utilized by nefarious cyber terrorists to quickly exploit the weaknesses in our own U.S. government and corporate network systems.

Like many inventions by mankind, they can be used for good and simultaneously for evil in the hands of the wrong person. Risk Management in the high technology sector will be just as much of an imperative as the manufacturing and shipment of products from Barrett or the manufacturers of detcord. The "Export Control" compliance mechanism is here to stay, and companies that operate in the new age of emerging social media via mobile technologies will need more effective OFAC internal controls.

Operational Risks exist within the business processes that you use with your sales and business development organization. When was the last time you had a compliance-based OFAC discussion within the ranks of the sales force at your new emerging technology company? Are you fully funded by the VCs and ready to sell your new encrypted social media app for Android to the world? We need to make sure that part of the rollout strategy encompasses the right conversations with the correct government departments to determine the right process and the online tools available to better understand where and to whom you can sell your products outside the U.S.

The past Arab Spring and the next organized movement utilizing social media and mobile internet technologies that include encrypted messaging, GPS and live video will be more closely scrutinized by internal compliance officers and the regulatory watchdogs domestically and abroad. Yet the most effective management tools going forward may lie in the same ones used by your Mother and Father growing up. The ethical and the moral arguments in many cases can have a dramatic impact on people at an early stage in their lives. Perhaps it is still not too late to reinforce and to emphasize the fact that our cyber environments are nothing more than the mirror image of the physical world we already know. Good and bad.

The future of risk management online and the effective compliance with legal sanctions may well begin with a heart-to-heart conversation at your next company sales meeting.