Our Global Economy in 4G Warfare

By now most of you are aware of the Stuxnet malware, a set of malicious code so advanced that it can search and destroy a particular industrial plant software system. The coverage essentially describes its extreme accuracy and virtual impenetrability: “As Stuxnet malware is ‘weapon’ out to destroy … Iran’s Bushehr nuclear plant?” Just imagine what this sophisticated (nasty) combination of malicious code can do for a well-heeled company against its competitors during many of the trade wars being constantly waged in the free markets. If the world’s military superpowers are paying attention to cyber espionage these days, then we should all consider the ramifications when this level of sophistication (only a matter of time and deep pockets) is available to non-state actors. It’s not just the geopolitical scuffles the previous article describes, in which States reach for the cyber warfare weapons in their toolkits to launch surreptitious attacks when transnational conflicts erupt. In a larger context this could represent a quantum leap in the way we think of conflict or asymmetrical (4G) warfare. Now, I can only speculate that Stuxnet is the work of a nation state, but experts seem to agree that its payload is targeting the Iranian enrichment centrifuges in Natanz.

As a security practitioner responsible for the protection of production facilities and processes from sabotage, I’m concerned about the possibility that such attacks can compromise the critical industrial operating systems. As the previous article describes:

“its final payload, which manipulates parameters and code in the SPS computer is only executed if it is very certain to be on the right system… Industrial control systems, also called SCADA, are very specific for each factory. They consist of many little nodes, measuring temperature, pressure, flow of fluids or gas, they control valves, motors, whatever is needed to keep the often dangerous industrial processes within their safety and effectiveness limits.”

Such sophisticated attacks could amount to virtual sabotage on competing industrial facilities, if spies are able to gather information on the industrial supervisory control and data acquisition (SCADA) software being used at any given plant. Another scenario might be that of cyber criminals using the threat of sabotage in corporate extortion schemes. You may ask why anyone would go through all the trouble; in reality, in our hypercompetitive business environment, motivations abound for any advantage against competitors in the market or any lucrative scheme for that matter. If that means rendering their production facilities useless by way of sabotage, so be it. My third and most troubling concern is that this level of cyber attack could be deployed not just against industrial facilities, but could also be adapted to attack other high-value targets in our critical infrastructure, mainly data facilities hosting global financial transactions. As we saw back on May 6 of this year, the high-frequency trading platforms that global financial markets have come to rely on more are not without serious security vulnerabilities. We should not discount that such attacks could be part of our near-future security risks.

A Thief’s World

When all you need for a thriving black market is a hot commodity, any asset in a supply and demand loop is at risk. Take for instance something as lame as old bricks from run-down buildings in St. Louis, Missouri. According to this NYT article, real estate developers as far away as Florida have set a market for the City’s bricks and thieves have devised clever schemes for supplying them. The ancillary risk effect of this criminal trade puts the affected communities at high risk for loss of life and their properties. These developments are reminiscent of the rash of copper thefts that swept communities around the world when demand was driven by high commodity prices. I can speak from firsthand experience as a victim of copper theft, when my vacant home at the time was broken into and had all the copper water supply lines stripped out by thieves. The damage left behind (thousands of dollars’ worth), I’m sure, far outweighed the benefit derived from the crime.

Car thefts are another example of the dynamics at play (supply and demand) in the black markets. According to this article in Time Magazine, car thieves prefer specific early-model cars that have the highest demand for parts at collision shops around the US. The statistics from the National Insurance Crime Bureau reveal that the current state of the car theft economy runs counter to common wisdom, where late-model cars would be in higher demand and fetch more money. That doesn’t mean you should not be concerned and invest in antitheft devices (standard features in most car models today) for your new vehicle, but if you own an early-model Honda Accord you should take extra steps to protect your investment.

Reflections on the Security Management Profession

By Francisco Mateo

Cynical realism is the intelligent man’s best excuse for doing nothing in an intolerable situation. – Aldous Huxley

For better or worse, it appears to me that security as a profession is limited by the protectionist realities of its practitioners. Protection being the bread and butter of our business, it also rules our conscious and subconscious environment and how we must relate to one another in furtherance of our goals on behalf of clients. Let me explain what I mean by this line of thought: we share information related to the protection of people, assets, reputation and brands through a medley of trade groups and networking mediums, but rarely does this information sharing rise to the level of objectivity needed to be applied as a solution to problems confronted by our colleagues. That is because a number of issues come into play; if a colleague happens to be at a competing organization, we would be prohibited from sharing material information under non-disclosure agreements and other information protection tools. The same information may not only be leveraged competitively from one organization against another, but also from one professional against another. Security professionals in the financial, retail (loss prevention), consumer products or manufacturing sector remain clustered in their particular iron-clad circles. If you want to see the effects of this isolation, just take a closer look at your trade group’s local chapter participation. For the most part the membership rosters are far outstripped by attendees at scheduled events, when most information sharing is expected to take place. You’ll also notice that lack of interest in direct volunteering and involvement is sometimes affected by a desire to remain independent and guard our playbook a bit closer.

I do recognize that there are other overarching forces (mainly client demands, deadlines, or lack of resources) influencing direct participation in trade group events, but little has been said about the more obscure reality of protectionism. With the advent of social media we’re now more connected than ever, which means that more information is being shared among professionals, especially from some of the most secretive colleagues among our ranks. After actively participating in a number of these social media outlets I realize two important facts: 1) I know more about my colleagues’ past experiences and therefore their expertise than ever before, as well as 2) that there is less movement across industry lines than I realized. For example, there aren’t many security professionals with experience in the real estate/facilities industry going over to the large construction or engineering firms, which at face value may appear to have much in common. Because of our ingrained guarded behavior, we lack the ability to recognize where our mutual professional interests coincide. It is, furthermore, representative of the lack of information exchange between security professionals with shared protection interests.

It is also understood that in a tough job market security management candidates would be pitted against one another based on the value of their information resources, but there is much more to be gained by pooling together our collective interests in a way that would not compromise practitioner-client privileges, and would otherwise strengthen our ranks.  As we stand today, our realities as security professionals are therefore ruled not by the commonality of our interests, or concerted action for that matter, but more distinctively by our competitive advantages.  Information is the commodity that needs to be protected, plied and used to further our objectives in an ever more competitive environment.  That stark contrast is more prevalent in the security profession than other such trades and our stature within organizations is hurt by it.  There are no right solutions to this issue, but as a matter of course we can start by sharing our thoughts on this perceived problem. My own view is that we need to reengineer the way our trade groups operate with the aim of offering more meaningful ways to nourish our ranks with coaching, mentoring and organizing a roadmap to fill our leadership pipeline.  Perhaps the magic element that is missing in all of this is trust and that, I’m afraid, is not being cultivated enough.

Corporate Espionage Follow-up

It appears that the State-sanctioned corporate espionage issue has become a hot topic this week. If the subject piques your interest, enjoy these few follow-up articles to my post last week. They may be worth reading:

Western firms face growing spy threat http://bit.ly/deRAAm

Do Western states spy for corporate ends? http://bit.ly/aeqQ6p

Spycraft, contacts still key in espionage world http://bit.ly/9FlwuK

Who is Looking Out for Corporate Spies?

“There is a lot of information available out there…the key is to match a client who understands the value of information and an intelligence firm that has the wherewithal to go out and get it.” – Mike Baker

Societies have always played catch-up to sophisticated criminal enterprises. This has been the norm from the industrial to the information revolutions, from the days when Allan Pinkerton revolutionized the detective role in business, as he became the first practitioner to help major companies protect their assets and information through an extensive civil intelligence network. Today the protection of information is crucial to all companies participating in the global economy. The effective application of information in its many variations can increase or destroy value for a company. Sophisticated criminal networks are on a constant prowl for information that can be effectively applied in schemes from counterfeiting to stock manipulation. A whole industry has also sprouted around the acquisition and protection of business-critical information. A high-stakes game is played around the world as teams of spies attempt to steal information that would give them an advantage on the market while the adversaries attempt to keep it from falling into their hands. The lines are so blurred that even criminal actions are difficult to decipher. It is quite easy, however, to see the impact the theft of proprietary information has on the market valuation of many companies at the losing end of this trend. That is the reason why many internal and contract intelligence units have taken root inside many of the most recognized names in global business.

The risk of being targeted by espionage campaigns is very real for companies leveraging market dynamics by outsourcing critical business operations around the world. They are targeted not only by government-sponsored intelligence collection campaigns, but also by private intelligence operators who are busy at work with operations of their own. There are countermeasures to espionage and information theft. Companies can start by evaluating how vulnerable the physical protection of their information sources really is. Start by limiting access to your facilities and information networks. Recognizing and classifying proprietary information and placing vulnerable data in protected areas are also good practices to implement. The more mature organizations also conduct information theft exercises to test their readiness and information theft prevention plans. If you suspect your company may be the target of espionage, I urge you to adopt some of these strategies; your shareholders would be grateful.