Saturday, December 28, 2013

OPS Risk: Best of 2013 and 2014 Forecasts...

This Operational Risk Management (ORM) blog has been posting since September 2003.  Over a decade later, the 1000+ pages of content on the discipline and profession of Operational Risk Management provide continuous learning and significant new insights.

Here are a few of our most visited "Operational Risk" blog posts of 2013:
As we approach the end of 2013 and embark on our journey into 2014 in the United States, there are many reflections and new aspirations on our mind.  When we look back over the past 12 months, we see old Operational Risk vectors pioneered in the days prior to the Internet, now making their way online.  Why?  It is far easier and more efficient to rob banks, extort people, defraud consumers and conduct psychological warfare, over a global network of interconnected digital devices.

2014 will continue to accelerate the needs and requirements for more robust Operational Risk Management strategies and increased adaptive tactics to neutralize a rapidly evolving set of new adversaries.  This, however, may be one of the most compelling challenges for OPS Risk professionals across the globe:

Correcting the record on the NSA review
By Michael Morell, Published: December 27 
Michael Morell is the former acting director and deputy director of the Central Intelligence Agency and a member of President Obama’s Review Group on Intelligence and Communications Technologies. 
One of the dangers of a 304-page report on a complex subject is that everyone gets to choose what he or she thinks is the bottom line. Many of those commenting on the report and recommendations of the recently completed Presidential Review Group on Intelligence and Communications Technologies must have read a different report than the one I helped write. 
As one of the five members of the panel, let me try to clear up some of the confusion and misperceptions. One such misperception is the extent of the changes called for in the report. Commentators have used the word “sweeping” to characterize the recommendations, arguing that they would “roll back” the capabilities of the intelligence community.  This is incorrect.
The reason the ambiguity of the "Security vs. Privacy" debate will challenge OPS Risk professionals is obvious.  Uncertainty and indecision increase vulnerability.  Whether you are a policy maker, a U.S. military officer, a consumer or a corporate CxO, the same applies.

2014 will require augmented abilities to adapt and to increase our adaptive speed.  What is your latency to change, from the time your adversary measures your behavior after a test of your controls or defenses?  In these continuously asymmetric ecosystems operating on a global basis, the response time window has narrowed to minutes or even seconds.  Not hours or days:
Target: Deceive first, answer questions later
Issuing deceptive statements is no way to win back customers' trust. That's a lesson for anyone who might find itself in Target's position someday. 
Evan Schuman December 28, 2013 (Computerworld)
For Target to get beyond its data breach disaster, it needs to regain the trust of its shoppers. Mystifyingly, it has opted to issue statements that are, at best, misleading. Some tiptoe beyond misleading, since the chain had to know they were untrue when it issued them. 
The latest example came Friday, when Target confirmed that encrypted PIN data was stolen. Then came the whopper: "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken." 
Of course those debit card accounts have been compromised. Webster's dictionary defines compromise as exposing something "to risk or danger." When personal identification numbers that give full access to someone's bank account are in the hands of experienced and sophisticated cyberthieves, I think it's safe to say that those bank accounts are indeed exposed to risk or danger. How could anyone argue otherwise?
2014 Operational Risk Management (ORM) will include "lessons learned" from the advice given to and within companies such as Target Corporation.  Corporate counsel, in collaboration with external private-sector Incident Response companies as well as government agencies, will debate the disclosures, the sources and methods, and the timing of public relations press releases.

2014 will embark with the political narratives that are necessary to gain psychological advantage over the masses. Business media interests will begin managing the risks associated with any negative outcomes for their favored Pawns, Bishops and Knights.  Protecting the King, or even the Queen for the first time, is the name of the game.  Political chess has an impact on the governance, regulatory and compliance environment for business.

In 2014, horizontal thinking will "break out" to bridge the gaps between public and private strategies. Managing catastrophic risks to vital critical infrastructure requires private sector willingness combined with public sector cooperation.  Big-picture problem-solving and addressing global issues requires more focus on the World Economic Forum Global Risks Report agenda:
  • Testing Economic and Environmental Resilience
  • Digital Wildfires in a Hyperconnected World
  • The Dangers of Hubris on Human Health
In an interdependent, fast-moving world, organizations are increasingly confronted by risks that are complex in nature and global in consequence. Such risks can be difficult to anticipate and respond to, even for the most seasoned business leaders.
Finally, 2014 will provide new opportunity and a positive outlook not seen since 2007.  Global investors are still bullish on the possibilities for long-term growth.  The religious wars will continue to spark new regional conflicts, yet the super powers will continue to find common ground.  Resilience to systemic failures will define which countries emerge as the next tier of global influence.

At the end of the day, we are all the same: love for our family, and the constant anxiety of providing a safe, secure and nourishing environment for them to live out their days.  As we close our eyes each night to try to sleep, we plan our next day of managing the "Operational Risks" in our path ahead.

Saturday, December 14, 2013

Unauthorized Access: Civil CFAA Legal Risk Strategy...

A tutorial on the definition of a "loss event" is appropriate for those who seek a greater understanding of "Operational Risk Management" (ORM), specifically when it comes to the civil litigation strategy utilizing the "Computer Fraud and Abuse Act" (CFAA), 18 U.S.C. 1030.

What is a loss?  Easy:  Loss = cost.  "Any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service."

So the remedies available are economic damages, loss damages and injunctive relief.  Not exemplary damages or attorneys' fees.  Don't let that last one scare you away from using the CFAA as an effective deterrent in your arsenal as a General Counsel.  The basic threshold is that the victim incurred a loss of at least $5,000.00 during any one-year period.

For the focus of this blog post, we will talk about "Insiders" who exceed authorized access, that is, access in a manner they are not entitled to.  Typically these are employees or others in the business supply chain who may have the use of a password or key to gain access to information known or available only to another employee, such as a supervisor or system administrator.

It is imperative here to state the importance of finding an attorney who truly understands this law from a civil, not a criminal, perspective.  The complaint must provide factual content that the Plaintiff has suffered the type of damage to "data, a program, a system or information."  Think more about business interruption and the expenses related to investigation, remediation and integrity of operations.  An employee who leaves the company and has e-mailed proprietary client information or proposals to their personal account is not what we are talking about here.

What about the employee who decides to damage or destroy organizational records, whether those of their primary area of responsibility (database of client contacts, meeting notes, reports and proposals) or even those of the entire company?

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.  Here is just one example:
Tech Systems, Inc. v. Pyles, 2013 WL 4033650 (ED VA Aug. 6, 2013) (4th Cir)
After being terminated, former employee forwarded company emails and deleted company emails from mobile device before returning it to employer because they contained incriminating evidence. Court granted spoliation finding and jury returned verdict for violating Computer Fraud and Abuse Act, among other claims.
This is just one case of how a single disgruntled employee decided to proactively take revenge on a former employer, Tech Systems, Inc. of Alexandria, VA, a U.S. defense contractor.  Why organizations do not utilize tools such as the CFAA to seek civil remedy on a more regular basis is the question at hand.

The CFAA is designed to be legally effective on a broad scale, and for good reason.  It does, however, require that someone uses it with the right intent and legal purpose.  We predict that more civil cases will be filed as General Counsels and attorneys better understand how to effectively utilize it in combination with other laws associated with Intellectual Property Theft.  As more cases are tried before judges, the momentum will pick up.  So what?

Booz Allen Hamilton v. Snowden.  Not yet?  Just a Violation of a "Code of Ethics" and fired?  Not likely.
The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. 
One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization. 
The bill also requires that the Director of National Intelligence set up a system requiring intelligence contractors to quickly report to spy agencies on incidents in which data networks have been penetrated by unauthorized persons.
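The quoted bill describes software to spot and track attempts to access or download sensitive material without proper authorization, and the revelation above concerns colleagues' passwords being used. The following is an added example, not code from this blog, from Reuters, or from any agency or vendor it mentions: a small Python detector run over constructed access-log lines that flags two defender-side signals of the insider pattern discussed in this post, an account logging in from a workstation assigned to a different user (possible borrowed credentials), and a burst of sensitive-document downloads by one account. The log format, hostnames, usernames, workstation assignments, classification markings and thresholds are all assumptions made up for the example.

```python
"""
Added example: flag (1) logins where the account does not match the
workstation's assigned user and (2) bursts of sensitive-document downloads.
Every name, value and format below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption):
# timestamp|event|user|host|resource|classification
SAMPLE_LOG = """\
2013-06-01T09:00:00|login|jsmith|WS-1021|-|-
2013-06-01T09:05:00|login|admin01|WS-1021|-|-
2013-06-01T09:06:00|download|admin01|WS-1021|/share/prog/plan.docx|SECRET
2013-06-01T09:06:30|download|admin01|WS-1021|/share/prog/budget.xlsx|SECRET
2013-06-01T09:07:00|download|admin01|WS-1021|/share/prog/notes.pdf|SECRET
2013-06-01T09:07:30|download|admin01|WS-1021|/share/prog/sched.pdf|SECRET
2013-06-01T09:08:00|download|admin01|WS-1021|/share/prog/memo.pdf|SECRET
2013-06-01T09:08:30|download|admin01|WS-1021|/share/prog/memo2.pdf|SECRET
2013-06-01T10:00:00|login|admin01|WS-ADMIN-3|-|-
2013-06-01T10:01:00|download|admin01|WS-ADMIN-3|/share/it/runbook.pdf|UNCLASS
2013-06-01T11:00:00|download|jsmith|WS-1021|/share/hr/policy.pdf|UNCLASS
"""

# Constructed mapping of workstations to their assigned primary user.
WORKSTATION_OWNER = {"WS-1021": "jsmith", "WS-ADMIN-3": "admin01"}

DOWNLOAD_WINDOW = timedelta(minutes=5)   # sliding window length (assumption)
DOWNLOAD_THRESHOLD = 5                   # sensitive downloads per window before alerting
SENSITIVE = {"CONFIDENTIAL", "SECRET", "TOP SECRET"}


def parse_log(text):
    """Parse pipe-delimited lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6:
            continue
        ts, event, user, host, resource, classification = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "event": event, "user": user, "host": host,
            "resource": resource, "classification": classification,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_foreign_workstation_logins(events, owners):
    """Return (time, user, host, assigned_user) for logins from someone else's workstation."""
    alerts = []
    for e in events:
        if e["event"] != "login":
            continue
        owner = owners.get(e["host"])
        if owner is not None and owner != e["user"]:
            alerts.append((e["ts"], e["user"], e["host"], owner))
    return alerts


def find_bulk_sensitive_downloads(events, window=DOWNLOAD_WINDOW,
                                  threshold=DOWNLOAD_THRESHOLD):
    """Per user, slide a time window over sensitive downloads; alert once the
    count in any window reaches the threshold. Returns (user, first, last, count)."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "download" and e["classification"] in SENSITIVE:
            per_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append((user, times[start], times[end], count))
                break  # one alert per user is enough for this example
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in find_foreign_workstation_logins(evts, WORKSTATION_OWNER):
        print("FOREIGN-WORKSTATION LOGIN:", a)
    for a in find_bulk_sensitive_downloads(evts):
        print("BULK SENSITIVE DOWNLOAD:", a)
```

On the constructed log this reports admin01 logging in from jsmith's workstation and a burst of five SECRET downloads by admin01 within two minutes. Neither signal proves misuse on its own; a system administrator may legitimately sit at a colleague's desk, which is why the workstation-assignment table and the download threshold are tuning inputs rather than fixed rules.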
United States of America v. Edward J. Snowden.  Filed under seal June 14th, 2013. Offenses include 18 U.S.C. 641, Theft of Government Property; 18 U.S.C. 793(d), Unauthorized Communication of National Defense Information; and 18 U.S.C. 798(a)(3), Willful Communication of Classified Communications Intelligence to an Unauthorized Person.

Civil CFAA Legal Risk Strategy can be utilized in many cases where the magnitude of the loss and the economic exposure to a U.S. government contractor is not on the radar of the U.S. Attorney.  Keep it in mind...

Sunday, December 01, 2013

eDiscovery Risk: The Marketing of Privacy...

Operational Risk Management (ORM) professionals from London to Paris, Berlin to Brasilia and Silicon Valley to Washington, DC are quietly smiling these days.  It is ironic that privacy is now the vogue marketing strategy.  After so many years of trying to explain to executives the risks that exist around confidentiality, integrity and assurance of data, a rogue U.S. citizen charged with espionage has finally convinced some senior business executives of the value of marketing increased privacy for their technology products and services.  Chris Strohm explains:
While Google, Yahoo, Microsoft and Facebook Inc. provide data to the government under court orders, they are trying to prevent the NSA from gaining unauthorized access to information flowing between computer servers by using encryption. That scrambles data using a mathematical formula that can be decoded only with a special digital key. 
The NSA has tapped fiber-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the U.K.’s Guardian newspaper based on Snowden documents. He is now in Russia under temporary asylum.
Mitigating the risks of being hacked by a group of criminals stealing personally identifiable information from consumers on a transnational basis has not motivated these same executives to invest in more effective data and information assurance strategies.  Yet now that the adversary has been described by the mainstream media as the U.S. Government, industry executives have started to listen.  Go figure...

What is the industry executives' motivation for now improving the confidentiality, integrity and assurance of customers' information?  Improved market share and presence.  The payback will be rapid, and those organizations that have been in denial that customers expect and demand more systems and tools to protect their information are now doing an about-face.

As we quickly approach Cyber Monday and the commerce of the Internet is at its peak of annual transaction volume, some servers will be talking to each other over encrypted connections for the first time. All seamless to the end user and consumer, yet not to the adversary.  So who really is the adversary these days, the criminal organizations or the U.S. Government?  Unfortunately, the strategists mitigating risks at commercial private organizations in many cases see both in the same category.  This is a real mistake and one that should be evaluated, discussed and agreed upon.

You see, U.S. based companies must have an effective symbiosis with their legal system and the rule of law. What does that mean?  Operational Risk encompasses the risks to the institution from a legal perspective.  That means the processing, storing, archiving and retrieving of information is subject to the laws of electronic discovery and forensic evidence.  It means that, as an organization, having an effective way to encrypt information to stay ahead of the criminal organizations simultaneously requires that your organization is also adaptive to current legal statutes.  Tomorrow, you may need to identify, decrypt and produce evidence to the U.S. Government or as a result of another legal order.

As organization executives embark on the "new new" trend of marketing privacy to their customers, they should also be working alongside the legal staff.  The risk management and information technology professionals should be briefing corporate executives and legal staff alike on the implications of being responsive to their consumers while being non-responsive to plaintiff lawyers, the U.S. Attorney or a State Attorney General:
Fearful of adverse consequences if they inadvertently discard electronic documents that are deemed to be relevant in litigation, some of the biggest companies in the U.S. are simply saving all documents, including email sent via employees' electronic devices. 
A minority of federal courts say companies can be sanctioned even if they discard documents without intending to. All allow sanctions, which can mean the loss of a big case, when documents are intentionally destroyed. So companies including Exxon Mobil Corp. and Microsoft Corp. are asking the federal Judicial Conference to recommend a new rule that would provide uniform standards for document retention and allow sanctions only when documents are destroyed willfully or in bad faith, reports the Wall Street Journal (sub. req.).
So this is where the marketeers and the legal staff need to get their heads together.  The privacy vs. government legal requests space is still not widely understood inside corporations, let alone by the average John Q. Citizen, who has never even heard of eDiscovery:
Microsoft General Counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."