Job Posting: Cyber Arms Dealer (500k – 750k + bonus)

December 20th, 2009 Matthew Holt No comments

Employer: Restricted Business Name (RBN)

Position Type: Part-time contractor, sales
Salary: Commission only (est. 500k – 750k), uncapped upside opportunity
Bonus: Top-sellers will be invited to the annual company picnic in a secret location

Travel Required: 0%
Target Clients: Disgruntled third-world dictators, other national governments
Business Hours: 24/7

Education Level: None required
Experience Level: No previous cyber security or business experience required
Target Age: 0-99 years

There is a once-in-a-lifetime opportunity to become part of the largest, most efficient business in the world focusing on Cyber Security issues as it seeks to expand its Cyber Warfare product line. Our products have replaced the traditional wares of arms dealers (i.e. tanks, planes, nuclear weapons) and are crucial to the successful wartime activities of our clients as they plot integrated military attack strategies against the critical infrastructures of their enemies. With an extensive team of sales professionals, we are already delivering a full spectrum of cyber security-related products to a worldwide client base, which you will be able to leverage.

Principal Duties and Responsibilities:

The successful candidate must be able to access the Internet, download the pre-configured software package provided by the company, and click “save and run” when prompted. Basic understanding of cyber security helpful, but not really required.

Primary activities involve monitoring incoming messages for requests for the company’s Distributed Denial of Service (DDOS) Attack 2.0 product line and establishing contact with the potential client. You will not need to understand how the DDOS Attack 2.0 product works, as we have a large staff of technicians to take care of this for you. You will merely act as the middleman to handle the transaction, of which you will retain a certain percentage (to be negotiated).

Although the target market is worldwide, it is vital to the employer that the candidate is physically located in Russia, China, Indonesia, or Ukraine. This ensures minimal risk of disruption of company activity by law enforcement, and will also help the candidate ensure a continued flow of low-risk income as he builds his customer base. Thanks to the global standardization of Internet protocols, you will be able to deliver the DDOS Attack 2.0 product line to your clients anywhere in the world in real time (no shipping charges or customs duties) from any of these four countries.

Desired Characteristics:

  • Excellent prospecting, new client generation and negotiation skills
  • Successful sales track record
  • Understanding of money transfer options (e.g. PayPal, Western Union)
  • Desire and ability to work alone, ability to operate under little supervision
  • Proficiency in typing and reading messages on your computer
  • Must be enthusiastic and positive
  • Optimist at heart and passionate about selling the company’s products
  • Should have laptop with WiFi access to avoid geolocation by law enforcement

Above all else, loyalty to the company is required. In the unlikely event that some pesky law enforcement officer should happen to apprehend you, you should understand up front that revealing any information about the company will result in long-term, painful punishment to those closest to you.

How to apply: Please access your favorite IRC channel and enter job code: 0b1010011010


The #1 Threat in Cyber Security, and Why You Have No Idea What It Is

November 20th, 2009 Matthew Holt No comments

If you read the most recent list of Top 10 cyber security threats published by your favorite vendor, you will most likely see botnets, this, that, and the other. When you are done, read the same list from the same vendor released 3 years ago. Don’t be surprised if none of the same 10 appear on that list.

Even though the Top 10 threat list reinvents itself every few years, the real #1 threat, the only thing you should really be worried about, has remained completely constant. An industry built by a global illegal network of well-organized, profit-oriented businesses is able to reinvent your favorite vendor’s list of Top 10 threats faster than that vendor is able to reinvent its own portfolio of Top 10 security products.

Why hasn’t this vendor tried to scare you into buying its products by illustrating how big this digital underground threat actually is? Because it has no idea how big the threat actually is.

The latest number floating around regarding the size of the industry that survives by stealing data from companies like yours is $1 trillion. This number has been loosely quoted as the size of the impact caused by cyber crime, the revenues of cyber crime, or the profits of cyber crime. Three very different numbers, but no matter which quote you choose, it is more than likely bigger than any number associated with your business.

The fact is that no internationally recognized study has been conducted to estimate the size of the cyber crime industry on a global scale. There have been some relatively irresponsible assertions this year that cyber crime has surpassed drug trafficking in the criminal-activity equivalent of the Fortune 500 rankings. However, none of these assertions include any actual numbers used to make the comparison.

The fact is that there is a global, profit-oriented business association that is focused exclusively on stealing information from your company, and they are probably larger, better organized, and more efficient than you.  They are not bound by morals or law, and the risk and investment required on their part pale in comparison to the returns they make.

Quite frankly, it is the perfect business model. This is why they are your number one threat. The business motivation for them to innovate their cyber crime business model is stronger than your business motivation to innovate your business model, and it will probably produce higher returns. They will probably make more money than you this year, and they will produce more new products than you will.

A sobering thought that cannot be ignored any longer if we are serious about winning this battle.

So, before marching into battle against this enemy, ask yourself some simple questions: How big is the enemy? Why can’t I find any reasonable estimates of how large the global cyber crime trade is? Am I willing to bet my business that someone else is taking care of this? Is there any chance of winning this battle in total ignorance of the enemy?


Death by DSL

October 24th, 2009 Matthew Holt 2 comments

“In order to be designated ‘critical information infrastructure’, how many deaths would the failure of a network have to cause?”

When I recently heard this question, I wasn’t quite sure if the person asking it was serious or not. Having given it some thought since then, I have begun to realize that not only was he serious, but seriously misguided. My concern with this type of question exists on several levels.

First, assuming for the moment that “death of people” would be a legitimate category of criteria to use when determining the level of criticality of an ICT system (perhaps in a hospital or military environment), the obvious answer is “one”, and the fact that someone would have to ask is quite frankly disturbing.

Second, since we were neither in a hospital nor in a command post when he asked, I assume that he was trying to prepare some sort of impact matrix and “death of people” was the next best thing he could come up with after “revenue loss”.

Third, I am now wondering what the other categories on this list might have been.  “Change in ocean temperature?” Or perhaps “Number of terrorists allowed to buy plane tickets?”

The fundamental problem here is a lack of reasonable understanding of what can and should be measured when doing impact analysis. I am envisioning an army of consultants, fresh out of their half-day BCM seminars, wielding all sorts of pre-fab checklists and telling their clients how important it is to dedicate resources to the quest for detailed knowledge of every possible thing. At the end of such a project, though, value will probably not be found. We all need to pull our focus up out of the weeds every once in a while and really think about what we are looking at in client situations. What is REALLY valuable to this client? What are the strategic goals of this client, and how does this system contribute to those goals? I assure you that the failure of the system in question in this case causing someone’s death was not even a remote possibility, even if it made sense in the emergency management project that this person recycled his impact matrix from.

After receiving only silence and a confused stare from me in response to his first question, he followed up with “Well, how many?” I wanted to say “just yours”, but instead I grinned, looked at him, and said nothing.

Categories: BCM, CIIP, CIP, Cybersecurity, Impact Analysis

The G20’s Role in Global Public-Private Partnerships

October 7th, 2009 Matthew Holt 2 comments

It seems to be quite common these days to read of national or regional activities around the development of public-private partnerships between governments looking out for the best interests of the population and operators who own and manage the global critical infrastructure that provides services to that population. Since many of these infrastructures are now privatized and/or deregulated, governments have to “cooperate” with operators rather than “direct” them – hence the partnership perspective.

However, as privatization and deregulation continue over the next 10-15 years, who is going to continue to ensure that risk management programs within privatized operators of global critical infrastructure continue to serve the best interests of the general population rather than the profit streams of the operators? If you add to this the fact that many of these operators are growing to multinational and global scales, and that the interdependencies between these infrastructures continue to grow as well, the question is even harder to answer. Is the government of Spain going to ensure that Telefonica ensures the resilience of the critical services it provides to citizens of the South American countries it operates in? What about the other sectors in South America that depend on the ICT sector? Is the government of Spain monitoring the interdependency of the ICT and financial services sectors in South American countries?

We need a Global Public-Private Council to address these issues, and no single country can bring this to life on its own. This group needs cooperation and contribution from South America, Europe, the US, Asia, Australia, and everywhere else in between. As privatization and deregulation continue in the future, the governments releasing control to self-regulating operators must include as part of this negotiation the requirement for these operators to form a Global Public-Private Council. The difficulty lies in coordinating the actions of the related governments to ensure this requirement covers all necessary operators. No one government can force other governments to cooperate. We therefore need to leverage government cooperation models already in place on a global scale.

If you start to ponder which current government cooperation group could coordinate such a development, you have a range to choose from. There are 195 countries in the world (let’s not get into the debate here on whether or not Taiwan is a country). Somewhere in the range between 1 (the country that you live in) and 195 (the members of the UN), there is a group that contains enough of the main deregulating countries to give some teeth to a global council without getting too bogged down in the bureaucracy of oversized organizations (e.g. the UN). The G20 is this group. Any major operator of critical infrastructure in almost all sectors has significant operations in these 20 countries. Therefore, the governments of these countries can stimulate activity that would lead to the creation of a global council. The G8 is too small, and anything larger than the G20 risks paperwork stalemate.

My request, then, is that we all start thinking about ways to get Global Critical Infrastructure Protection on the G20 agenda, and how the organization and governance model of a Global Public-Private Council might look. I have my own ideas, but I’m interested to hear those of others.


The $10 Apple

September 26th, 2009 Matthew Holt No comments

Imagine for a moment that you live next to a river. On the other side of the river, you can see an orchard of 1,000 apple trees, each tree holding 1,000 sweet, ripe apples. Unfortunately, though, on your side of the river there are very few apple trees, and the apples on those trees are small and sour. As a result, everyone who lives on your side of the river is willing to pay $10 for the apples that grow on the other side of the river.

There’s only one problem: On the other side of the river, it is illegal to pick and sell the apples. In fact, some apple tree owners have gone so far as to put fences around their trees to keep people from picking the apples. Some have even posted armed guards!

Not all apple tree owners have taken such precautions, though. They figure that since it is illegal to pick the apples, no one will. Plus, they figure that since there are so many apple trees, the chances of anyone finding their unprotected tree in the orchard are slim.

What they don’t understand is that the total value of all of the apples on their tree is $10,000, because they don’t know that people on your side of the river are willing to pay $10 each. They don’t understand that someone has already scanned the orchard for unprotected trees and will sell you a list of them for $10. They don’t understand that you can pay someone else $1 per apple to pick them and deliver them to you. They don’t understand that it will therefore cost you a mere $1,010 for a delivered load of 1,000 apples that you can sell for $10,000. That’s a return of roughly 890% on your outlay. You don’t need an MBA to see that this business model is pretty sweet (pun intended).

The beautiful thing is that, since it is not illegal to pick and sell apples on your side of the river, there is very little risk involved. Of course, a few of the apples might go bad between picking and delivery, but with an 890% return, who cares? The person who picks the apples for you might get caught, but he’s on the other side of the river. No problem for you. In fact, you might even begin to wonder why anyone would bother starting a legitimate apple business when there is so much money to be made this way with so little risk.

Does this all sound appealing to you? Congratulations. You are now ready to become a member of the digital mafia. Just switch the apples for credit card information, and let the hacking begin!


Is there an Upper Class in Information Sharing?

September 20th, 2009 Matthew Holt No comments

According to an article published in The Progressive last year (InfraGard: The FBI Deputizes Business), the FBI and DHS may have taken advantage of wording in National Security Presidential Directive 51 entitled “National Continuity Policy” requiring the DHS Secretary to coordinate with “private sector owners and operators of critical infrastructure, as appropriate, in order to provide for the delivery of essential services during an emergency.”

While this particular quote from the Directive overlooks the prevention side of the discussion, it nonetheless stimulated the formation of InfraGard, an industry-based information sharing group apparently boasting 350 of the Fortune 500 companies as members (I can’t confirm this). The purpose of the group is to share information with the government. However, the author seems to criticize the fact that they in turn receive information regarding threats before the general public. He goes so far as to suggest that this group has a license to kill or something along these lines since they are “connected to the G-man”.

Personally, while I always love a good conspiracy theory, I think this one is a bit off target. The fact is, as anyone working in the security realm can confirm, information sharing is built on trust. In the security world, as you build a trusted relationship, you share more and more sensitive information with the group, and vice versa. When something serious happens, or is about to happen, you share this information with your trusted network first. This is not a matter of protocol, but rather a symptom of the human condition.

To make a comparison, just think about your own job. When the “juicy info” arrives on your desk, who do you tell first? Do you forward the e-mail to the entire office staff right away, or do you make sure your closest colleagues get the goods first?

If there is a “hierarchy” in information sharing, I could only imagine it being based on the quality of information provided. Even the sleaziest junkie in the darkest alley of New York City gets some privileges for providing the right information to the right narcotics officer. If you don’t have any valuable information to feed into your network, don’t expect to be part of the early warning recipients when the poop hits the fan.


Can an international border be considered critical infrastructure?

September 12th, 2009 Matthew Holt No comments

In a recent article posted on CSO Online (Eight Years After 9-11: Better Security or Just Luck?), the authors make a valid point about the government investing billions of dollars in “security” without having necessarily increased the protection levels of critical infrastructure. They specifically point out the weaknesses in border and port control.

Although they were referring to the border as a control used to mitigate risks against other critical infrastructures (power plants, dams, bridges, …), the idea raises the question of whether or not the border itself is an “infrastructure”, and the security checkpoints are actually the controls. For example, we could say that a border provides a service to society by delineating political, social, and cultural boundaries. There is a process for establishing and crossing borders, and there is an infrastructure (anything from a virtual line on a map to a four-meter-high concrete wall) used to carry out these processes.

The initial reaction to such an argument might be that there is no tangible object called a “border”, and therefore it can’t be a critical infrastructure. It is strictly virtual, since the physical components located on a border are actually controls used to protect the border, not the border itself. However, I would argue that if we remove the controls, the border will still exist (for example, all border controls have been removed between many European countries). The border is therefore “real”, whether virtual or physical.

So perhaps the real question here is whether or not a critical infrastructure can be virtual. The World Wide Web is a similar case. While the physical ICT infrastructure that supports the Internet is internationally recognized as critical infrastructure, many still argue that the World Wide Web itself is not (I personally disagree). Since the WWW is virtual, some simply refuse to acknowledge the important functions it provides as “critical”.

Are borders in the same category?

Categories: CIIP, DHS, EPCIP, EU, US

T-City Friedrichshafen – Germany’s Uncritical Infrastructure

September 11th, 2009 Matthew Holt No comments

When I first heard of the “creation” of Deutsche Telekom’s T-City in 2007 (http://www.telekom.com/dtag/cms/content/dt/un/t-city-en), I thought we had finally received the ideal test bed for impact-based risk management models: a corporate-sponsored ICT wonderland focused on proving that fundamental societal services could be delivered reliably by the local telecom company as long as the bandwidth pipes were big enough.

How easy, I thought, it would be to map the “enterprise” architecture from the 5-7 key preliminary services being offered down through the processes, applications, etc., to the physical infrastructure supporting this project. What better model could there be, I thought, to prove the effectiveness of the impact-based, life cycle approach to Critical Infrastructure Protection than one of the largest telecom companies in the world applying its best-in-class risk management program to such a crucial set of societal services as healthcare (Motiva), smart metering, education (Edunex), e-Gov, etc.? Certainly a case study for all to leverage for years to come.

With €115 million committed to the project, a slew of journalists just giddy about the potential “Lights Out In T-City” headline, and open season on a beleaguered CEO following various corporate scandals (most of which were not his fault), DTAG was sure to place an unprecedented amount of focus on how important these services are and how good DTAG is at providing them reliably.

Funny, though… I really haven’t heard much about T-City since then. An occasional article here or there, while Estonia has stolen the title of “Most Web-Enabled Population.”

Then I came across an article yesterday (http://www.tradingmarkets.com/.site/news/Stock%20News/2520756/) and realized that perhaps my dream of impact-based risk management Zen has gone awry. It appears as though the critical societal service that we have all been working at protecting is the ability to order and pay for strudel from your Blackberry.  No more pesky phone calls to the bakery.

And thanks to the good folks at TurboBack Mobile and Kloos bakery, DTAG can finally start to reap the benefits of its €115 million investment. T-COM, T-Mobile, and T-Systems should be proud of this great achievement (and apparently they are, as they made the announcement rather than either of the vendors).

Now how exactly do I evaluate the psychological impact of a lack of data integrity resulting in my order for 1 piece of strudel being misinterpreted as an order for 10 pieces of strudel?

Categories: CIIP

Feds To Use Wiki For Cybersecurity Collaboration

August 20th, 2009 Andrea Rigoni No comments

Information sharing is one of the pillars of modern intelligence, and it has been the object of a deep transformation of US intelligence after the 9/11 failure. One of the paradigms of this change is the transition from a “need to know” to a “need to share” approach.

I am a strong promoter of intelligence as one of the key pillars of modern cyber security. Having a “Common Operating Picture” and “Shared Situational Awareness” are key elements of an agile defense and response to incidents.

The US federal government has already developed various projects on information sharing, including the well-known Intellipedia.

DHS recently announced that it plans to deploy a wiki to facilitate collaboration among federal agencies on cyber security. You can find an article here.

Categories: Uncategorized

A new approach to CIIP: the Megacommunity – an article on CIP Newsletter

July 22nd, 2009 Andrea Rigoni No comments

George Mason University has just published the new international issue of the CIP Report. On page 5 you will find an article I wrote about a new approach to cyber security: the Megacommunity. Enjoy the reading and share your comments.

The newsletter is available here

Categories: CIIP, CIP Report, Cybersecurity, DHS, GMU