On hearing about the horrific events last weekend in Florida, USA, I was saddened first and then struck by the bitter irony that these murders occurred in Orlando. Maybe it’s just me, but I was reminded that the magical central character played by Tilda Swinton in the movie Orlando transitions his gender, and that Orlando, Florida, USA, the home of Disneyworld, is billed as the happiest place on earth.
Whether or not the tragic and horrific murders that occurred in the Pulse nightclub in Orlando on 12 June were a hate crime against the LGBT community, a terrorist attack by a radicalised individual, or both, is probably a matter of semantics. I can’t see why it can’t be both, but it is definitely something that will be skewed by various political agendas. Indeed, that started happening the following day!
Despite the fact that Omar Mateen wasn’t on shift at the time, the Orlando shootings are a security failure that has damaged the reputation of his employer. For G4S, Omar Mateen’s murderous attack is, in security risk terms, the classic nightmare – a ‘black swan’ event. The high consequence of this low likelihood event is that one of their 600,000 employees has killed en masse, with a resultant 5 percent fall in share price at time of writing. With a market cap of almost $4 billion (USD), G4S’s value has decreased by $200 million as a result of this event. Whether or not it has long term implications is not easily foreseeable.
There are increasing indications that Omar Mateen was unstable. His ex-wife apparently left him after four months, and an ex-colleague reported that he was prone to outbursts of anger. The FBI investigated Mateen as well, but they only seemed to be looking for signs that he had been radicalised, not for whether he was psychologically stable or had anger management issues. None of this seems to have triggered significant investigation by G4S.
This should be of significant concern to security professionals. Bloomberg reports that Mateen was first recruited in 2007. On employment he apparently passed a psychometric test called the Minnesota Multiphasic Personality Inventory. He was apparently rescreened by his employer in 2013 and continued to work until his death. Mateen also held Florida state security and firearms licences. But somehow the indicators, which with hindsight seem to have been clear, that Mateen was no longer suitable for employment as a licensed armed security guard do not appear to have triggered internal ‘aftercare’ or due diligence processes.
More concerning is that this may be a systemic failing. In 2009, another employee of G4S, Danny Fitzsimons, killed two other staff in Iraq. One of them was an Australian, Daniel Hoar. In 2015, the UK Coroner’s inquest released its findings. Coroner Joanne Kearsley found that Fitzsimons’ employer did not make sure that he was adequately vetted before he killed his fellow employees. Coroner Kearsley reportedly said that the killing was ‘a defining moment globally in the security industry’.
Unfortunately, we may find that Coroner Kearsley’s words are equally applicable to the killings in Orlando.
In any case, these events provide significant food for thought for enterprise security professionals. Organisations do not sit in isolation; they are part of the society in which they operate, whether online or in the real world. Marketers tell us that their companies’ employees are “part of the community”, which is true, but this highlights the fact that there is no hard perimeter for an organisation, if there ever was. It is an increasing expectation of our societies that organisations take care of the bodies and minds of the people who work for them. Organisational resilience comes from companies recognising this and truly caring, because in the end it affects the bottom line.
Have you ever wondered why your electricity bill shows your household’s usage against the average 2-, 3- or 4-person household, telling you whether you are over or under? How does it make you feel?
The term behavioural economics has been around for maybe two decades. The marketing profession has been using the techniques it describes for even longer to get you to buy their brand. However, the use of behavioural economics as a tool for enterprise security is just emerging.
It is time for security professionals to start using these techniques to help protect organisations, and not just to influence people to buy a particular soap or car, or to follow a sporting code.
What is behavioural economics?
Behavioural economics looks at the relationship between the decisions that we make and the psychological and social factors that influence them. A significant amount of study in this area has been on people’s economic decisions, but the tools and techniques that have been tested can be applied in many other contexts.
Daniel Kahneman and his late research partner Amos Tversky are the two research psychologists most associated with behavioural economics. In 2002, Kahneman shared the Swedish Banker’s Prize in Economic Sciences in Memory of Alfred Nobel for this work. Kahneman’s 2011 book “Thinking Fast and Slow” explains many of the concepts in accessible terms. Kahneman and Tversky built on earlier studies that undermined an idea that now sounds quaint: that humans act entirely rationally at the population or large-group level. Even so, this idea was at the heart of much classical economic thinking.
At first glance this might not seem related to enterprise security. However, if you consider that the premise of behavioural economics is that people do not always make decisions that are entirely rational, you’d probably see the connection! In addition, the idea that small (and sometimes even intangible) incentives and disincentives can be used to guide individual actions on a large scale is also very important. It is this second aspect which is of greatest use to the enterprise security practitioner.
Behaviour is at the heart of enterprise security, because people are every organisation’s greatest asset and often also their greatest risk. At its simplest, the key aim of good enterprise security is ensuring that individuals are encouraged to make the right decisions that benefit their organisation.
Behavioural economics works by assuming that in many cases, people making the ‘wrong’ decision within an organisation do so because they have imperfect information or lack the right incentives or disincentives.
Psychologists have also found that people often exhibit a strong inclination to conform to social norms. The social norms change with the social groups that we participate in. Essentially, we often do things because our friends, colleagues, or those we admire, do. Our friends and colleagues provide us with informational social influence, or social proof. In plain English, we like to follow our herd and keep up with the Joneses.
Curiously though, we seem to struggle more with changing our minds than with coming to a decision in the first place. The idea that when the facts change, people change their minds is a bit tricky for many. Related to this, researchers from Harvard Business School have claimed that we tend to think we are more moral than we actually are and inhabit an “ethical mirage”. This can mean there’s a disconnect between how we describe our decisions and how we actually behave. If we accept this somewhat unflattering portrait of human behaviour, it means that once we’ve made a decision we tend to take a position that justifies our actions, whatever they were. And we want more justification to change our minds than we needed to come to the decision in the first place!
But what if we could get people to make the ‘right’ decision in the first place? Then they wouldn’t have to justify wrong decisions. This is where the research findings of behavioural economics are being tested at organisational and national scale.
Behavioural economics concepts are being applied at the public policy level by governments wanting to encourage certain behaviour without going to the expense of legislating compliance. It is expensive to make something illegal. Sometimes it is absolutely necessary, e.g. for murder, but society then has to create enforcement systems, pay the enforcers, and then who watches the watchers? Some enlightened government agencies are dabbling with the use of behavioural economics to achieve high levels of compliance.
In the UK, and latterly also in Australia, the tax authorities have been attempting to use behavioural economics techniques. So-called ‘nudge units’ have been set up to coax people into doing their taxes by using social proof methods. Informing taxpayers who are late paying that “90% of people pay their taxes on time” increases the rate of taxpayer compliance. This achieves the policy objective of getting timely tax payments, but does it in a way that won’t generate negative headlines. This in turn allows the tax agency to focus on individuals who are intentionally breaking the law, rather than those doing so because life got in the way.
Another recent example has been the introduction of the “No Jab, No Pay” policy by the Australian Government where parents do not get all their family tax benefits unless they are willing to vaccinate their children. Rather than making it illegal for children to remain unvaccinated, the government has incentivised parents to vaccinate. This, added to significant social pressure from almost all the medical community, means that Australia’s childhood vaccination rates are generally very high and we see fewer distressing pictures of children with whooping cough around the country.
One interesting way that companies are using social proof is in encouraging households to save water and electricity. Increasingly, utility bills show householders where they stand in comparison to their suburb in terms of water or electricity use. The householder can then consider whether they want to moderate their behaviour. Literally keeping up with the Joneses!
Marketing firms use many behavioural economics techniques to encourage us to use particular products. Many of us take advantage of airline frequent flyer programs that give rewards for the flights taken by members. The extremely successful travel website Tripadvisor awards points to its website users for the travel reviews that they produce. However, Tripadvisor points have absolutely no dollar value. They are valuable to users only as social proof to that community that a member is a well-seasoned traveller. You may have realised that the majority of social media operates in a similar way.
Why should enterprise security professionals consider using behavioural economics in their organisation?
It is expensive and time consuming to maintain rules for the increasingly complex environment that organisations operate in. Rules are difficult to write well and often only work in limited circumstances. The more detail, the more exceptions need to be built. Quite often rules also create a culture where individuals only follow the letter, not the spirit of the rules. This can contribute to the creation of a workplace which is not adaptable and where security is blamed for the problems of the organisation.
This can lead to situations where workers sometimes choose to circumvent organisational rules in order to achieve local goals. A worker might shortcut a process to ensure that their team are able to complete it faster. The individual might rationalise this as being good for their company in that the job is completed faster and good for themselves in that they can go home earlier. However, the decision that they have rationally come to might be the ‘wrong’ decision from the perspective of their organisation. The shortcuts that have been introduced may decrease organisational security.
How do organisations change this? By changing the decision equation the worker faces when he or she makes that decision. This is very much the place of behavioural economics in enterprise security. Organisational messaging which demonstrates the social norms of the organisation from a security perspective is vital. So too are tools and procedures which endeavour, where possible, to make the secure decision the easiest one to make.
In many ways the decision is very much linked to the ‘security culture’ of the organisation. The security culture is effectively the customs and practices of the organisation for whom the individual works.
Organisations are increasingly moving to principles and risk based frameworks in many areas including security because they find the sheer complexity of business overwhelming otherwise. This was one of the main drivers for the creation of the Australian Government’s Protective Security Policy Framework. The PSPF tries to get government agencies to focus on their security outcomes, rather than on process.
Enterprise security professionals should be asking where they can apply these behavioural economics techniques in their organisations. The possibilities are varied and many, but one financial institution has used behavioural economics to give nudges to staff regarding personnel security. In one case, it improved reporting of changes of circumstances by giving staff a simple message that “most people in our organisation report their change of personal circumstances within four weeks”.
In the government space, there has been debate about whether it is possible to create an ‘information classification market’ which balances the need to classify information appropriately against the costs to the organisation of over-classification, in terms of long term storage and devaluation of security markings. Such a market could work by incentivising managers to ensure that staff were classifying information as accurately as possible. As always, the trick would be to ensure that the incentives matched the risk profile of the organisation.
Every organisation is different and so are the opportunities for using these techniques to improve your enterprise security.
The decision by the European Court of Justice to declare the Safe Harbour arrangements between the US and EU invalid will have interesting repercussions not only for European citizens and companies such as Facebook and Google, but also for countries that increasingly rely on selling services overseas like Australia and New Zealand.
The decision was made as a result of a case brought by Austrian citizen Maximillian Schrems on the use of his data by Facebook and, in particular, the practices of the US government as revealed by Edward Snowden.
This judgment has the consequence that the Irish supervisory authority* is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. http://curia.europa.eu press release 6 October
*Facebook European HQ is in Ireland
Safe Harbour is an agreement that had been in place since 2000. It was supposed to protect private data collected by multinational companies on EU citizens wherever it was stored. This allowed Facebook to store EU citizens’ data in the US or wherever it was most efficient, but required them to treat it to the EU’s standards, rather than the more relaxed US standards.
The judgement is an indication of the deep unhappiness in Europe with the US’s cavalier approach to non-US citizens’ data. The US’s binary approach to citizen rights makes many non-US citizens bristle. It is like the Pax Romana of the Roman Empire 2000 years ago.
This decision will not ‘destroy cloud’ in Europe or elsewhere. However, it will require some reorganisation. In this, it will hurt second and third tier players more than Facebook, Amazon and Google.
Moreover, the decision will not seriously curb mass surveillance. The dirty little (not so) secret is that all countries spy on their citizens for mostly good reasons, including the Europeans. It’s just that the US is better at it than most others.
When the big players jostle, smaller countries feel the waves.
For Australian organisations, not only those who hold EU citizens’ data, this decision should give pause for thought. Organisations that do not take privacy seriously, or only respect the privacy of a subset of their stakeholders, need to rethink their approach, if only in terms of the reputational damage of a breach in markets like the EU.
The Internet becomes less than one – Time for an International Law of Cyberspace
The Internet has never been one network for all. As much as some might wish, it is a motley collection of many nets with very minimal governance. The main effect of this decision is to further balkanise the Internet, in a similar way to content geo-blocking and country firewalls.
Smaller countries like Australia and New Zealand should be concerned. We need to be able to trade on an even playing field in services. And that means having an Internet that is common to us and our competitors, both in terms of technology and policy. We need common laws governing cyberspace as much as we need trade barriers on physical goods like rice to be reduced.
This is the time that Australia, New Zealand and similar countries should be pushing hard diplomatically for an international ‘Law of Cyberspace’ which achieves the equivalent that the conventions on the Law of the Sea achieved for maritime commerce. It took 300 years for the Law of the Sea to come to pass and it’s still being updated – let’s hope that the law of cyberspace takes much, much less time.
How do organisations develop resilience in the complex environment that is the 21st century information centric world?
The lifeblood of the modern organisation is information. Every organisation, from small business to government department depends on information being passed to the right place at the right time.
Organisations and society are becoming more complex, but that doesn’t mean that they are more resilient. Complexity and resilience are more often enemies than friends!
Complex Organisations in the 21st Century
The opportunities posed by increased information flows are enormous.
Information is being gathered, stored and manipulated in larger quantities at higher speeds and analysed in more detail by organisations and society. They aim to drive greater efficiencies and provide new and improved services. The information revolution allows organisations to become larger and more complex and to develop more complex systems and processes to support their organisational models.
The threats are also enormous
But the opportunity to become larger and therefore more complex often comes with a downside for organisational resilience and longevity. Complex systems are prone to catastrophic failure as small problems cascade and become enormous.
Information is damaging organisations when it is leaked or lost. Organisations are struggling to cope and governments are struggling to keep their own data secure. In other cases, too little information is being passed to the places that need it. The organisational strategy is a delicate balancing act!
Survival and resilience
Why do organisations fail? Organisations are by definition self-organising systems. However, when a self-organising system loses the capacity to self-organise, it is dead. Broadly, the story is similar for each one: the organisation was unable to adapt to the business environment before it ran out of resources. The end is often brought about by an acute event, but in many ways such an event is really just the ‘final straw that breaks the camel’s back’.
However, in practice I think this may be too gentle. Taken over the longer term, organisations either live or die. There is no middle ground. Organisations that survive crises are able to do so for two reasons:
They have the resources (capital, personnel, leadership, etc.) to manage themselves out of a crisis once it hits, emerging weaker but alive; or
They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities.
It is this second group which are truly resilient and survive long term. They still suffer from crises, but emerge stronger over the long term as they adapt to their new environment.
ICT is a two-edged sword in the quest for resilience
As organisations become more complex, they are relying more and more on information technology and systems to help them understand themselves and their environment. Organisations can become more efficient. However, most organisations do not have control of their ICT infrastructure, and it is increasingly difficult to understand how information flows within an organisation. It is also important to realise that efficiency and resilience are not the same. In fact, some efficiency practices may increase organisational fragility.
Are the tools that organisations are using to try to understand their own organisations becoming in themselves part of the problem?
Possibly, though it is more an issue of complexity. There are a number of other factors:
Speed of change
The speed that societies are changing is accelerating as technology advances. This means that organisations need to be able to adapt faster in order to keep up.
Organisations are more interdependent than ever. It is a trend that will continue to increase. In fact, countries are also more interdependent than ever. During the Cold War, sanctions didn’t affect Russia nearly as much as they do now. This is positive from a global political perspective: no country can survive without others, not even the USA or China. It is even forcing Iran to make compromises. In some ways this trade interdependency may be an alternative to the Mutually Assured Destruction (MAD) that nuclear weapons threatened for the USA and Russia during the Cold War.
However, interdependency inherently leads to complexity and that is not a characteristic of resilience. Most organisations are increasingly dependent on long supply chains for materials and services, meaning that failure at one end of the supply chain can be expensive or time-consuming. On the other hand, international supply chains are extremely reliable … until they aren’t.
Everyone’s your neighbour
Because everyone is connected, organisations can get closer to their customers and suppliers via the Internet. At the same time, criminals and competitors are able to get closer to their target organisations as well.
Some organisations have been struggling. Sony Corporation is one of the most prominent, but it is by no means the only one.
Affecting organisational longevity?
The evidence seems to be showing that organisational longevity is being reduced by a number of factors, not least the ones I’ve written about above.
This graph produced by Innosight plots the average company lifespan on the USA Standard and Poor’s company index from 1958 to 2012 and extrapolates this out to 2030.
US corporations in the S&P500 in 1958 remained in the index for an average of 61 years. By 1980, the average tenure of a similar organisation was 25 years. By 2011, that average had been cut to 18 years. In other words, the churn rate of companies has been accelerating over the last century. On average, one S&P500 company is dropping off the index every two weeks! In total, 23 companies were removed from the S&P in 2011, due either to
– declines in market value – e.g. Radio Shack’s stock no longer qualified in June 2011; or
– acquisition – e.g. National Semiconductor was bought by Texas Instruments in September 2011.
At the current churn rate, 75% of the S&P organisations that were there in 2011, will no longer be on the index in 2027.
The flaws in simple risk
Risk assessment loses specificity with complexity. That is, the larger, more complex the organisation, the less accurate the risk assessment can be. This is also true when we think about societal risks.
The sum of overall risk that an organisation has, is greater than its parts.
It is hubris to think that an organisation or society can know all its risks. There will be risks faced by an organisation that are either unknown, unquantifiable or both. Moreover:
The organisational environment continues to change rapidly. This means that risk owners, i.e. company boards, have less time for consideration, and risk assessments need to adapt to the changing circumstances.
Perception bias is a significant problem. Gardner talks about bounded rationality in risk – suffice to say we downplay the risk of things that we think we understand. Taleb argued in The Black Swan that people focus on the simple things they can understand.
In a complex organisation, people tend to focus on problems in parts of the organisation, rather than the organisation as a whole.
Different risk events
We see these issues playing out in different events that affect organisations, whether it is an acute event such as the
– Deepwater Horizon oil spill, which may yet cause BP’s demise but seems to have been caused by a failure in the relationship with its drilling contractor, Halliburton
– Target (USA) hack, which saw tens of millions of credit cards stolen due to weaknesses in service provider security
or a chronic failure, such as Kodak’s failure over decades to manage the transition to digital imaging, despite the fact that its own researchers had discovered the technologies in the 1970s.
A resilient approach
Resilience is the capacity for complex systems to survive, adapt, evolve and grow in the face of turbulent change. Resilient enterprises are risk intelligent, flexible and agile (Adapted from www.compete.org)
A ‘resilience approach’ does not ignore risk assessment and management; it builds upon them to address their weaknesses in dealing with unknowns (known and unknown) and perception bias. In particular, it addresses the ‘high consequence, low likelihood events’ – the black swans – that sit untreated at the bottom of any risk assessment, or fall off the bottom because nobody wants to think about them, or are not acute but sit in the chronic, creeping ‘must deal with it sometime’ category. Worse still, they may be completely unknown.
A resilience approach allows enterprises to put in place mechanisms to ‘deal with the gaps’ in the risk approach – those things that have been missed or underestimated.
As the world becomes more complex, and organisations become more complex themselves, a resilience approach is the only option.
The resilient organisation
Develops organisational adaptability – a culture of making things work in spite of adversity. This creates a capacity to deal with adverse events and adaptability to deal with the rapid onset of shocks. Resilient organisations also analyse whether improvements can be made out of any adversity.
Looks for mitigations that are able to treat a range of threats, because these techniques are likely to be more adaptable than highly specialised methodologies.
Tests – resilient organisations test systems to breaking point and beyond in the most realistic scenarios possible.
Resilience from Chaos (Monkey)
An example of testing to breaking point in a real environment is the ‘chaos monkey’ tool developed by Netflix. This application/agent randomly turns off parts of the Netflix production environment, simulating the failure of different parts of their infrastructure. It is set to do this only during working hours, when engineers are around to respond. In this way, the system is tested in the best manner possible short of the real thing.
This post is based on a presentation I gave in Singapore. Here are my slides
Resilience Outcomes would like to acknowledge the assistance of Emirates Airlines for getting Alex to and from Singapore in great comfort.
That’s why Alex Webling has accepted a nomination to join the Australian Standards Committee for Security Standards and to join the Australian Delegation to ISO TC292, Morioka, Japan in March 2015.
We congratulate Alex on this recognition of his security knowledge and expertise particularly in the areas of enterprise security and resilience and his work in the Australasian Council of Security Professionals and its successor, Security Professionals Australasia.
The Technical Committee will have the following provisional title and scope:
Scope: Standardization in the field of security, including but not limited to generic security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, homeland security.
Excluded: Sector specific security projects developed in other relevant ISO committees and standards developed in ISO/TC 262 and ISO/PC 278.
The committee’s temporary structure covers the following areas:
ISO/TC 223/WG 1 – Framework standard on societal security management
ISO/TC 223/WG 2 – Terminology
ISO/TC 223/WG 3 – Emergency management
ISO/TC 223/WG 4 – Resilience and continuity
ISO/TC 223/WG 6 – Mass evacuation
ISO/TC 223/AHG – Professional development
ISO/TC 223/AHG – Information exchange
ISO/TC 223/AHG – Continuity management
ISO/TC 223/AHG – Revision of ISO 22320
ISO/TC 223 TF – Task force on strategic dialogue
ISO/TC 223/AHG 4 – Communication group
ISO/TC 223 DCCG, Developing countries contact group
ISO/TC 247/WG 1 – MSS for security assurance
ISO/TC 247/WG 2 – Terminology
ISO/TC 247/WG 3 – Guidelines for interoperable object and related authentication systems to deter counterfeiting and illicit trade
ISO/TC 247/WG 4 – Product Fraud Countermeasures and Controls
ISO/TC 247/WG 5 – Document Fraud Countermeasures and Controls
ISO/PC 284/WG 1 – Management system for private security operations – Requirements with guidance
State of ICT Security – Attackers take over SCADA-controlled steelworks furnace and cause massive damage
The threat to online assets from attackers remains critical according to a report just released on the State of ICT security by the German Government.
Cloud computing, mobile systems and big data are providing enormous economic prosperity, but on the other hand have opened up a large attack surface for organisations.
The German Federal Department for Safety in Information Technology has just released its annual “State of ICT Security” report for 2014. The German Government’s version of the bit of NSA that helps government and businesses protect themselves online is called the BSI. They are highly skilled and well respected.
As is usual for a government report, it is turgid. However, there is some really interesting material hidden in the morass. I’ve picked out some of the gems and translated them here.
Complexity is killing information security
The report emphasises that complexity is exposing organisations to attack. Of particular concern is that the Internet of Things (Systeme und Dinge) is now moving from the stage where it is mostly about observing the environment to changing the environment.
Importantly, particularly in light of the Snowden exposé, this report is not coming from either the US or the UK and so gives a secondary source for some of what those governments are saying.
There are over 250 million individual varieties of Windows malware around now
Other observations which confirm what you may have seen in other places:
Spam continues to grow exponentially
Malware is still growing and at least a million devices are being infected annually in Germany. The BSI estimates that the number of different types of Windows malware is at a staggering 250 million. This is up from around 180 million in 2013!
The number of infected sites delivering ‘drive-by exploits’ is growing substantially.
Botnets are being used to steal identity information. There are more than one million devices under the control of botnets in Germany.
Phishing continues to yield results for cyber criminals
Advanced Persistent Threats – an increasing threat for government and industry
Germany is constantly being cyber-attacked by foreign intelligence services. The BSI has installed improved sensor technology in the government’s networks following the revelations that came from Edward Snowden in 2013/14. There are a number of methodologies which the BSI has identified. This tallies quite well with some of the things Bruce Schneier has written recently about these issues:
Strategic enlightenment – whereby the intelligence service identifies connections between various users to gain an intelligence picture.
Attacks on key individuals – attacking the system administrators of key systems to gain access.
Influencing standards – the allegation has been that NSA individuals influenced the NIST standards development process in order to weaken standards.
Manipulation of IT hardware and software – well, they would do that, wouldn’t they?
The BSI notes that trusted insiders are being used to enable some attacks by intelligence services, criminals and activists.
This table is reasonably easy to read, even if you don’t understand German. It shows the prognosis (Prognose) for threats over the coming year.
Schwachstellen = vulnerabilities
Schadprogramme = malware
Identitätsdiebstahl = identity theft
The report goes through a number of cases where the BSI was called to assist businesses. Here are two that are of particular concern.
Steelworks compromise causes massive damage to furnace.
One of the most concerning was a targeted APT attack on a German steelworks which ended with the attackers gaining access to the business systems and, through them, to the production network (including SCADA). The result was that the attackers gained control of a steel furnace, causing massive damage to the plant.
Dragonfly attacks a dozen companies
The Dragonfly hacker group attacked a number of companies’ SCADA systems and installed the malware ‘Havex’, which was used to gather information about the systems. No damage was done, because the compromise was detected and removed before the hackers had completed the observation and intelligence-gathering phase.
It’s worth remembering that many other countries around the world are dealing with the cyber threat. Germany has always been one of the leading countries outside the UK, Canada, US, Australia and New Zealand grouping, and it is interesting to see how they view the landscape.
The IAPP announced at the 2014 IAPP Privacy Summit “Privacy at Play” held at the Westin on 17 November in Sydney that Alex Webling had won the 2014 award for best article published in the association’s journal “Privacy Unbound”.
The iappANZ is the pre-eminent forum for privacy professionals in Australia and New Zealand. We are affiliated with the International Association of Privacy Professionals (IAPP) which is the largest privacy body at the global level with a membership approaching 20,000. We work with public and private entities across all industry sectors in Australia and New Zealand as well as the Privacy Commissioners in both countries.
The iappANZ Privacy Unbound Journal provides practical thought leadership and case studies along with a popular Q&A with the Australian and New Zealand Privacy Commissioners to keep members in touch with regulators. iappANZ also provides a Weekly and Daily Digest for regular privacy news updates.
In this part, we talk about some approaches to the trusted insider problem.
Organisations are asking “How can we stop employees becoming the next Edward Snowden?”
I think the question we should ask is why there aren’t more people like Edward Snowden. It is worth noting that the NSA is huge, with an unconfirmed staff count in the order of 30,000-40,000. One or even ten ‘rogue insiders’ is, as a percentage, very small – even though the damage to the USA and its allies has been very significant.
Organisations, including intelligence organisations, develop very rigorous and reliable procedures to ensure that people who shouldn’t be trusted don’t join their organisations. Good recruitment practices which exclude people who won’t fit and don’t let people become insiders in the first place are the best defence. However, one of the hardest issues to manage is to deal with people who gradually become disgruntled after they’ve been working in an organisation for a while.
Of course, organisations can use infosec procedures such as internal surveillance mechanisms and information compartmentalisation. These can reduce the consequences wrought by trusted insiders. However, these mechanisms can inhibit the rest of the employee body from working at their full potential, and they can affect staff morale if not carefully marketed. Interestingly, SIG attendees were told that the Attorney-General’s Department was considering the possibility of a continuous disclosure regime for security clearances, which would provide information to security officials in real or near real time about whether employees were undertaking activities which might raise eyebrows.
A Sharing economy model?
Applying an organisational ‘sharing economy’ model to the trusted insider threat might help. The employee/employer relationship is one of mutual benefit. It can also be one of mutual harm.
Employees work for their organisation and their identity becomes entwined in the reputation and identity of that organisation. As mentioned previously, the trusted insider that does the wrong thing by their organisation does so for a number of reasons. The most dangerous reason has always been those who are motivated not by money or greed, but by a grievance or revenge.
If we extrapolate using the NSA/Snowden example: the NSA has built up an impressive reputation over many years for technical excellence. But maybe some of its employees believed the propaganda of their employer. More importantly, it would seem that NSA’s management failed to make clear to their employees that intelligence agencies live in a grey world and do things that are morally grey. Consequently, people working inside the NSA seem to have been surprised when they found that some of the things it was doing were dark. Unfortunately for the NSA, brilliant people became disillusioned and turned against it.
This explanation is probably not the whole answer. However, a couple of thoughts arise, both of which may help to prevent future events:
Is it possible to develop an internal organisational market for the reputation of the organisation?
A meaningful alternative chain of reporting to vent frustrations is vital.
A market of organisational reputation
Many private and public organisations spend significant sums to monitor their public relations posture. There is benefit in understanding what the organisation thinks about itself as well. An anonymous reporting mechanism can allow an organisation to get some information about whether it is ‘on the nose’. Such data might also be combined with metrics such as the number of relevant social media postings.
An alternative chain of reporting
Both the USA and Australia now have whistle-blower mechanisms for their intelligence services. In Australia, the Inspector-General of Intelligence and Security performs this role.
Many organisations, both in the private and public sector, could consider the benefits of taking on aspects of this system. It obviously doesn’t work perfectly, but it certainly contributes to the protection of the intelligence agencies from trusted insiders.
Mr Snowden has claimed that “he had raised alarms at multiple levels about the NSA’s broad collection of phone, email and Internet connections.” However, this is disputed by the USA. Whatever the truth of the matter, it seems that Snowden felt he wasn’t being listened to. So maybe the take-home from this aspect is that the ‘alternate chain’ of reporting needs to have big teeth to make changes where real problems are identified. Balancing natural justice against the consequences of a breach is incredibly important, not only for the individual concerned but for the organisation itself, because, you know, people in organisations gossip about each other!
This is of course a governance issue, and this makes it very tricky to get right – this is where Resilience Outcomes Australia can help your organisation, because resilience and longevity of organisations is what we do.
Helping organisations protect themselves against trusted insiders
I attended the Security in Government (SIG) conference in Canberra earlier this month. I am somewhat biased, but I think that SIG is probably the best annual security related gathering in Australia.
If you compare it to a lot of international gatherings, SIG certainly holds its own. Although the US and German conferences in particular have glitz and size, the quality of the discussion and the more intimate nature of SIG is refreshing. SIG, as you may have guessed, is primarily targeted at government, but there are good lessons for all organisations to be had there. Ok, enough of the fanboy …
The 2014 SIG theme was the ‘trusted insider’. Whilst the discussions were often very good, I wondered whether there are additional approaches to reducing the problem of the trusted insider. These approaches focus more on the relationship between employees and their organisations.
Who are the trusted insiders?
A trusted insider is somebody who uses their privileged access to cause harm to their employer or their interests. I’ll be a bit controversial here and note that, whether these people are traitors, spies or whistle-blowers depends somewhat on perspective. In any case these people evoke strong almost visceral emotions in many people.
Why are organisations so concerned about the trusted insider?
Despite fears about rogue hackers attacking organisations from the outside, the trusted insider is still considered the biggest threat to an organisation. In Australia and overseas, trusted insiders ‘going rogue’ have caused significant damage to national security, government agencies and private organisations. The harm done can be the loss of secrets, money or even life.
Secrets: The most glaring examples in the information security space have probably come out of the USA in recent times. People like Edward Snowden and Chelsea (Bradley) Manning spring to mind in the national security sphere. However, some Swiss banks have also been stung by Bradley Birkenfeld, whom some in those establishments might call a trusted insider and the US tax agency would call a whistle-blower!
Money: Fraud is probably the most significant threat to private organisations from trusted insiders, particularly those in the finance and insurance industry. Sometimes the size of an event can be enormous, such as when $2 billion was lost in 2011 through ‘unauthorised transactions’ in a Swiss bank.
Life and property: Whilst we often focus on loss of information confidentiality, trusted insiders were also responsible for assassinating the Indian Prime Minister Indira Gandhi in the 1980s and shooting fellow soldiers in the USA and Afghanistan in the last decade. There have also been a number of cases of ‘issue motivated’ insiders harming organisations by damaging plant and equipment.
What motivates the trusted insider? C.R.I.M.E.S.
The motivations of trusted insiders are varied; however, they broadly fit under the standard drivers of criminal behaviour as described by the mnemonic ‘CRIMES’:
Coercion – being forced, blackmailed or intimidated
Revenge – for a real or perceived wrong; it could be about disaffection and/or a grudge
Ideology – radicalisation or advancement of an ideological/religious objective
Money – for cash, profit, dosh, moolah – whatever you call it, and/or
Exhilaration or Ego – for the excitement, or because they think that they are in some way cleverer than their compatriots. Christopher Cook seemed driven by the excitement.
The USA’s “worst intelligence disaster” was Robert Hanssen, who might be described as an egomaniac.
Sex and personal relationships. The combination of sex and coercion is a lethal one.
Of course, some are also mentally fragile and may not have a motivation that is exactly clear to others.
End of part 1
In the coming part, we talk about some approaches to the trusted insider problem.