Sunday, November 29, 2015

Trustworthiness: Accelerating into our Digital Future...

As the moon descends into the Western horizon this morning, there is growing uncertainty across the globe.  We are heading into the last month of 2015 when much of the world gathers family and friends to celebrate.  Our trustworthiness as people, businesses and countries is continuously in question.

The Operational Risk Management ORM) professionals are working 24 x 7 to continue to do what is humanly possible, to make our communities, businesses, religious and educational institutions and governments more safe and secure.

At the root of many of the disputes, conflicts, suits, feuds or wars is the subject of "Trust".  On a wide spectrum in each relationship, domain or system, the decision to trust is something that many never even think about.  At the most fundamental level, the spectrum could be represented like this:


Zero Trust  >>>>>>  Trust Exists  >>>>>>  Implicit Trust

On this spectrum of trust, the rules, conditions, environment, interactions and experience move our human emotions across and back and forth on the scale from zero trust to implicit.  In the human relations scenario our words, behaviors and actions continuously move our level of trust back and forth on this "Trust Spectrum".

What about computing machines?  How often do you think about the "Spectrum of Trust" when it comes to one computer trusting another computer?  If you are a programmer, data scientist, forensics engineer or even an attorney or doctor, this is something you think about all the time.

Now there is a data revolution, that has been evolving for just a short 20 years since the commercial launch of the Internet.  The birth of the iPhone about five years ago, has now accelerated the small light weight radio transmitters for wireless communications into powerful handheld data computers.

Has your level of trust increased on the spectrum when it comes to what you read or see on your iPhone?  The ubiquitous utilization of tools and sensors such as GPS has transformed the way humans can navigate across our planet, sailing, flying, driving or on foot.  The sensors we trust and the computers that are trusting other computers, is something that we rarely even question.

The computing machines have become a way of life now for those children who are learning how to read, do mathematics and solve puzzles even before their first days in a traditional school.  Their trust in the rules, the sensors and the words and pictures they see, shall forever influence their perceptions of trust.

In the early days of trusted computing there were peer-to-peer services such as Napster and Skype. Today there are emerging new technologies gaining momentum such as blockchain.  In essence, a shared trusted ledger that everyone can inspect.  Even "Open Source" software has gained attention because of the transparency issue.

Your decision to trust and computers making "Trust Decisions" are a series of mathematical calculations.  The formula includes rules, information and is happening at light speed.  They are also happening in our brains and the brain is processing all of what it knows about the rules, data and our contextual understanding.

Computers making "Trust Decisions" are the result of humans inventing the languages and algorithms for the computers to understand each other.  We now must transition our thinking from the simplicity of just risk management, to the formality and trustworthiness of "Trust Decisions".  The discipline of engineering and mathematics is making its way towards those places that were once deemed too "Soft" for pure logic or formality.

Perhaps sometime in the near future, our digital identities, travel history, conversations, messaging, patterns of life and activity-based intelligence, will all be merged into a single digital "persona".  What then?

Will this then be transformed into a new 21st century version of the "FICO Score"?  Will our thinking be forever changed about our spectrum of trust?  What if the new "Trustworthiness Score" was on a scale from zero to 100?  What if the rules, information and calculations of the future determined where you stand at any point in time, in terms of your trustworthiness as a human being?

The time has come for our "Trust Decisions" to accelerate, by the use of trusted computers to assist humans, make more informed decisions, human-to-human and machine-to-machine.

Sunday, November 22, 2015

Velocity: Integrity of Enterprise Architecture...

Operational Risk Management (ORM) is a discipline that requires several elements to remain effective.  Whether you are working on the deck of the USS Gerald R. Ford (CVN-78) or analyzing data from the corporate Security Operations Center (SOC), your tasks continuously rely on achieving "Trust".

At the core of these decision-making roles, are the processing of rapidly changing data on a split second basis.  The sensors or tools we use day-by-day to assist our quest for greater levels of safety and security, are interdependent minute-by-minute, second-by-second, on the trust of data.  It is imperative at the early stages of process and product development, to effectively test and improve these tools and sensors.  Why?

The "Quality Assurance" phase of any process whether in design, assembly, manufacturing or implementation is based upon a foundation of the quality of trust.  You are reading this now on a device connected to an Internetwork, that has layers of business rules and technology rules that are executed according to industry standards.  The process and the rules have been implemented utilizing QFD and Mean-Time-Between-Failure (MTBF).

There are three vital components of building digital trust in this scenario, for the systems in play and the requirements of end users:
  • Authentication
  • Data Integrity
  • Encryption
All three must be present to provide you with the highest level of assurance, that you are working with a trusted system.
  1. How can you be sure that the party you are communicating with, on the other end of the line, is who they claim to be?
  2. How can you be sure that the data has not been altered, deleted or changed in transit?
  3. How can you be sure that no one can intercept and understand the information being transferred?
All three of these vital components must be present all the time, in order to build integrity and assure your level of trust.  They must be consistent and persistent from end-to-end.  In essence, we are protecting against our adversaries from listening in, tampering with the data and impersonating the destination.

Are you operating any vital component of your business operation, where any of these three components are absent?  Are any of the three not persistent, 100% of the time?  If so, then you are in jeopardy of an erosion of trust with your stakeholders and the increased likelihood of an adverse event.  With your customers, your reputation and probably both.

So what?  How does this translate to your role and the work that you are in charge of, within the operations of your enterprise?  The short answer is, "Velocity and Wealth".  You see, the business rules, technology rules and the legal rules are all connected.  Your job, is to make sure that you understand, your organizations unique "Operational Risk Enterprise Architecture" (OREA).

The velocity at which your business process can execute transactions with integrity, versus your competition or adversary, can mean the difference between victory or defeat.  The margin or profit that you are able to gain by successfully executing millions of your transactions, can mean the difference between prosperity or disadvantage.

Is your organization advertising on Internet web sites?  Is the business model for your company, based upon revenue from advertising?  The trustworthiness of your systems operating with the goal of generating ad revenue, are now at stake.  Informationweek DarkReading explains:
'Xindi' Online Ad Fraud Botnet ExposedBillions of dollars in ad revenue overall could be lost to botnet that exploits 'Amnesia' bug.

Online fraudsters have amassed a botnet of millions of infected machines that exploits a security flaw in a digital advertising technology in order to execute phony online ad impressions.

The so-called Xindi botnet was designed to exploit a known vulnerability called Amnesia (CVE-2015-7266) in implementations of the Open RTB Internet advertising protocol. Unlike most online ad fraud attacks, it doesn't use clickjacking-based click fraud, but rather, generates large numbers of phony ad impressions. According to researchers at Pixalate, which published a report today on the botnet, some 6- to 8 million machines at more than 5,000 enterprises are at risk of being used as bots in Xindi.
Jalal Nasir, CEO of Pixalate, says his firm has spotted traffic from the IP addresses of major Fortune 500 firms, government agencies, and universities, associated with Xindi. While it's unclear if the IP addresses are spoofed or legitimate, he says the IP addresses used by Xindi are owned by those organizations, which include Citigroup; General Motors; Lowe's; Marriott; Wells Fargo; California State University's Office of the Chancellor; Columbia University; the University of Maryland; and many other big-name corporations and colleges. 
The Quality Assurance of the Online Advertising enterprise is in jeopardy.  The trustworthiness of e-commerce and the digital business models executing the rules for producing revenue, are now in question.  How effective is your enterprise in understanding the true business problem and then solving it?

"Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion."

"Achieving Digital Trust" and the "Trust Decisions" to create wealth require that we begin with a sound architecture.  It continues with the widely adopted information governance processes and three factors.  Authentication, Data Integrity and Encryption.  The "Advertising Industry" is not the only business segment at risk.  The next time you open that piece of mail with a new credit card that utilizes the EMV chip, you will begin to understand the true business problem.

You are in control of the velocity of the process of change with your current state. The opportunity for the future state of "Trust Decisions" is now coming into the light.  In your country, industry, company and DevOps team.

Sunday, November 15, 2015

Mass Movements: Adapting to the Threat...

As if the act of bombing a Russian Airliner Flight 9268 with 224 crew and tourists returning from a Red Sea vacation is not a clear indicator of ISIS as a mass movement, perhaps this attack on Paris will be:

1.  Stade De France - 9:20PM - Suicide Bomber - 1 Killed
2.  Rue Alibert - 9:25PM - 2 Gunmen by car - 15 Killed
3.  Casa Nostra - Moments Later - Same 2 Gunmen - 5 Killed
4.  La Belle Equipe - 9:36PM - Same 2 Gunmen - 19 Killed
5.  Bataclan - 9:40PM - 3 Gunmen - 2 hours later - Suicide Bombers - 89 Killed
6.  Cafe Comptoir Voltaire - 9:40PM - Suicide Bomber - 1 critically injured

As we say our continued prayers for those lost and consider the consequences of just these two single recent terrorist events, you can try to ask yourself, what now?  How will we address this kind of continuous threat and evil going forward?  Why did this happen?

To begin your understanding as a true Operational Risk Management (ORM) professional, you must start here.  In 1951 a migratory worker and longshoreman, Eric Hoffer wrote a book, The True Believer:  Thoughts on the Nature of Mass Movements:

"The readiness for self-sacrifice is contingent on an imperviousness to the realities of life. He who is free to draw conclusions from his individual experience and observation is not usually hospitable to the idea of martyrdom... All active mass movements strive, therefore, to interpose a fact-proof screen between the faithful and the realities of the world. They do this by claiming that the ultimate and absolute truth is already embodied in their doctrine and that there is no truth or certitude outside it. The facts on which the true believer bases his conclusions must not be derived from his experience or observation but from holy writ."

 There are some who know, that Hoffer understood some things about mass movements that pertain to our current state in 2015.  This set of traits and characteristics is essential understanding by all, if we are to begin to develop a strategy for the future.  To quote Hoffer again:  "However different the holy causes people die for, they perhaps die basically for the same thing."

Our future state requires a strategy that we agree on the correct taxonomy.  Whether the battle is being waged on a nation state having sovereign authority or the private enterprises of non-state actors in Cyberspace, without taxonomy, we will continue to struggle with our strategy.  What is terrorism and what is a crime?

CRIME noun 1. an action or an instance of negligence that is deemed injurious to the public welfare or morals or to the interests of the state and that is legally prohibited.

TERRORISM noun 1. the use of violence and threats to intimidate or coerce, especially for political purposes.
First, the actions that you take and the resources that are necessary to address the evil of terrorism vs. an organized crime wave, are clearly different.

Second, you must understand the source of the elements of a "mass movement."
STRATEGY noun, plural strategies. 1. Also, strategics. the science or art of combining and employing the means of war in planning and directing large military movements and operations
Are you working on a strategy right now to address cybercrime? Are you working on a strategy right now to work on cyberterrorism? Is either of these strategies tied to defeating a mass movement?

You see, the tools, tactics and resources that you are using to implement your strategy, may be all wrong. The future outcomes you seek, may not be possible with the strategy you have in place. Once you have come to this realization, there is an opportunity to adapt. However, you must adapt quickly and you must provide the resources instantly to enable the change.

How would you adapt, if you came to the realization that your quest was with adversaries who have actions such as:
  • Steal / Modify / Delete
  • Read / Copy
  • Bypass / Spoof
  • Authenticate
  • Flood
  • Probe / Scan
How would you adapt, if you came to the realization that your quest was with adversaries who have objectives such as:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
How would you adapt, if you came to the realization that your quest was with a Mass Movement?

You now realize that you may have the same problem, that many of our world leaders have today.  It could be time to finally admit, that you must now adapt and it is time to change your strategy.

GODSPEED noun 1. good fortune; success (used as a wish to a person starting on a journey, a new venture, etc.).

Sunday, November 08, 2015

November 11: Serving the United States by the Other 99%...

“As we express our gratitude,
we must never forget that the highest
appreciation is not to utter words,
but to live by them”
-John F. Kennedy-


The United States Veterans Day National Ceremony is held each year on November 11th at Arlington National Cemetery . The ceremony commences precisely at 11:00 a.m. with a wreath laying at the Tomb of the Unknowns and continues inside the Memorial Amphitheater with a parade of colors by veterans' organizations and remarks from dignitaries. The ceremony is intended to honor and thank all who served in the United States Armed Forces. This represents less than 1% of Americans.

How many Soldiers will be on active duty around the globe on Wednesday, November 11 working in their current role, task or assignment, to keep America safe and secure?  So those of us who call the United States their home, may exercise their freedoms and the citizens rights that our nations architects designed for us.

How may Airman will be walking the streets in parades remembering their flights over the Pacific, Vietnam, the Atlantic, Europe, South America, North Africa or the Middle East?  What about all those pilots that have flown at such a high altitude; never to be detected over Russia, North Korea or China?

How many Sailors and Marines will be cruising on, over or under our vast oceans to be present and ready, for our next mission to help others?  How many Submariners will never be detected on their 24 x 7 watch; or with SOF waiting patiently below deck for their next clandestine operation, anywhere in the world?

So on Wednesday, November 11 what will you be doing, John or Mary Citizen, in Anytown U.S.A.?

For some Veterans who experience this day of recognition, it is not easy.  It could be a day that is simultaneously bitter sweet.  There is certainly great pride, yet some within the 1% who are Veterans, look around the country and wonder why the other 99% are not serving their nation, in their full capacity as a U.S. citizen.
Service to your nation doesn't begin or end with a job in the military.  Service to your nation begins for everybody who becomes an American.  What does that mean?
It means that we stand up and believe in the U.S. Constitution.  We defend and negotiate all that it says and what it enables for us to accomplish for ourselves, our families and our fellow believers.  You see, the freedoms and the opportunity to prosper in the United States is there for anybody to grasp.  For anybody to achieve.

To honor and thank those who have served in the Military on Veterans Day, requires so much more:
  • Will you "sleep in" on your day off or volunteer with the local church or non-profit to teach Veterans how to be more effective in the transition to a civilian private sector job?
  • Will you design and code the next iPhone App to locate other Vets in your local town or city to assist each other and your community?
  • Will you meet with local business owners to plan, raise funds and deploy vital programs for families of Veterans?
  • Will you vote to fund and allocate adequate resources for the operations necessary and requested, by those forward deployed on the front lines, in uniform and also in the shadows?
The opportunities to serve our country and all of our Veterans November 11, requires a continuous cycle of thinking beyond just the Soldier, Airman, Sailor or Marine.  It also requires more proof, that a majority of the other 99%, are also serving their country and all that the United States stands for in the world.

Sunday, November 01, 2015

Trust Decisions: The Extinction of Risk Management...

Most people believe in some form of risk management and the truth is, that it doesn’t work all the time.  It doesn’t work because the human being is incapable of processing all of the possible rules of the moment, the game, in any specific scenario, fast enough.  Therefore, failures of people, processes, systems and external events seem to occur randomly.
Is it possible to achieve a state of zero surprise?  Where all risks are mitigated and humans can achieve an environment of trust that is sustainable.  We think it is.  In the right environment and in a specific scenario, surprise is now “impossible”.
“Trust Decisions” occur today at the speed of light and with an accuracy of 99.999%.  Risk Management is our current state and it is destined for extinction.  Trust Decisions as we will now apply them, becomes our future state.  With zero surprise.  The truth is, that risk management is obsolete and a new digital invention is ready for mankind.

Operational Risk Management (ORM) professionals can better understand the adversaries they Deter, Detect, Defend and Document each hour, of each day.  The metrics have created new thinking on what is required to increase the odds of achieving the specific mission.  That definition of each "Mission" is now the focus of so many, who are charged with the protection of our nations most critical assets.

You have been reading and hearing all about the Internet of Things (IoT) and the exponential math on the number of devices and the data storage requirements, that will be achieved by the year 2020.  The trust decisions that are being made now in nanoseconds from machine-to-machine, system-to-system, are based upon several levels of programmatic rules.  These rules are unknown to many and in some cases only known to a few.

The wealth being created on a daily basis relies on these "Trust Decisions" to execute and carry-out the rule-sets that we have bestowed upon them.  The question remains for the end user, the organization, the company, the government, the nation state.  What are the rules based exercise that encompasses understanding and knowing the rules, fueled by vast collections of unstructured information and then performing mathematical functions?  At light speed.

Here are the qualities of our future "Trust Decisions:"
  • Rules-based
  • Fueled by Information
  • Mathematical
 So what?  To ask this question at this point is imperative.  So what does this have to do with the future of the Internet?  How will this impact my way of life or my job?  Why is speed, a component of true innovation?

All of these questions and more are answered in the book by Jeffrey Ritter, Achieving Digital Trust- The New Rules for Business at the Speed of Light.  "Achieving Digital Trust delivers to business executives, IT strategists, and innovation leaders something remarkable-a complete tool-kit of new strategies and resources that will change how they make decisions that matter, and how to build digital assets that can be trusted."

The planet Earth has historically provided us early signals of change.  Our scientists are measuring the temperature of oceans and the impact of weather on the ecosystems that sustain life.  No different than the measurements being assessed environmentally, data science is already making forecasts.  The facts and the math don't lie.  IPv6 is now a reality.  The "Cyber Domain" has been recognized across the world as an addition to the other domains to be defended including Air, Land, Sea and Space.  USCYBERCOM has now been established and for vital reasons.

As each human carries that digital device in our pockets, to perhaps utilize to navigate our way to our next destination, we are judging the trustworthiness of the App of choice.  Is Google Maps more trustworthy than another?  As we sit on the train using another App to order that new addition for our home or digital library, the transaction enables logistics, financial and air/ground transportation systems.  Is Amazon more trustworthy than another?

You see, the future domain for dominance in the business and commerce of the globe, is about "Digital Trust".  The innovation and startup ecosystems are all built on the number of people who trust your tool on a daily basis, as the model for success, not always just the quarterly profit.  Trustworthiness is now the new currency for how the valuation of "Enterprise X" will be interpreted by the markets vs. "Enterprise Y".  Think about it.

 The truth is, that risk management is obsolete and a new digital invention is ready for mankind.