
27.12.2009 Uncategorized

Economic Espionage: Spies, damn spies, and the real threat (Part 2 of 2)

In Part 1 I spoke about the many threats to your organization's innovations and intellectual property and described two of the five key strategies I came up with to help you prevent loss. In Part 2 I provide you with the three remaining strategies.

3. Trust, but Verify

Develop a “people risk model” for your business, one that is designed for your specific industry, shaped for your specific technologies, and able to address the specific threats you face. Use this model to screen employees, subcontractors, vendors, visitors, and others you engage. Pay particular attention to subcontractors: be sure to flow down all of your security protocols to their employees, subcontractors, vendors, etc., because your controls stop wherever the contractual chain stops.

Interesting side note: Chi Mak, who was arrested in 2005 for stealing and passing Naval submarine propulsion technology to China, worked as an engineer for Power Paragon, a subcontractor to L-3 Communications, which was in fact a subcontractor to Lockheed Martin.

Additionally, you should join your local InfraGard program and develop a close relationship with your local FBI field office. If you are involved in national security, defense, or homeland security technologies or projects, ask the FBI for a focused threat briefing for your sector. You should also share suspicious incidents, unsolicited emails, strange purchase orders for products, etc., with them. Finally, don’t be afraid to ask the FBI to help screen foreign visitors to sensitive facilities BEFORE those visitors actually arrive on your doorstep.

4. Use the Velvet Rope and Black Cloth

I know this probably goes without saying, but I’ll say it anyway–implement and enforce physical and computer security measures–I cannot tell you how many times I’ve visited facilities only to find the loading dock door propped open for smokers or visitors wandering the halls clearly displaying “Escort Required” badges. It’s also a good idea to do periodic walk-throughs of your facilities, with a twist–think like the threat. As you walk the halls, stop and read stuff on the walls, look in trash cans, pay close attention to what you can see through open doors. Also, sit in the cafeteria for a while and listen–what are employees talking about while they have their 10am coffee? Lunchtime?

You can help to prevent threats from getting what they are looking for if you sanitize those bulletin boards and use “velvet ropes” to block off areas they shouldn’t be allowed to wander around. In my early days at NSA we used black cloth to cover our desks and bulletin boards when uncleared visitors came into our spaces; it sounds simplistic, but it was effective. Finally, be sure to sensitize smokers and others about not leaving those back doors propped open. If you use “Escort Required” badges, make sure your people challenge visitors they see walking the halls without an escort.

5. Educate, Communicate and Reward

In the end, you must rely heavily on your employees to protect your organization’s projects and intellectual property–they are really your first and best line of defense. The best gates, guards, and firewalls won’t protect you very well if your staff doesn’t remain vigilant to the threats that these measures were put in place to protect against. The best advice I can give you for enlisting and sustaining your staff’s attention to prevent economic espionage against your organization can be boiled down to two axioms:

  1. What gets measured, gets done; and
  2. Reward the behavior you want repeated.

Establish simple and easy to implement measurement systems for the protection of your organization’s projects and intellectual property. Hold project managers accountable through regular evaluation of ongoing projects, and publish the results so everyone can see where the organization stands with respect to protecting against threats. Finally, publicly reward individuals, teams, and other parts of your organization for finding and fixing vulnerabilities or for actively practicing good personnel and information system security practices–rather than just punishing poor performance, be sure to actively reward GOOD performance; you’ll be surprised how effective this strategy can be.

Summary

In May 2008, the Special Agent in Charge of the Pittsburgh FBI Division was quoted as saying “America has no friends when it comes to the research that gives its companies, universities and government a competitive edge. Countries all over the world – including friends and allies – would like to have that research, and they would love to get it for free.” I hope, through this article, I’ve opened readers’ eyes a bit wider to a) the threats they face from foreign (and domestic) sources, and b) some simple things they can do to better protect themselves from those threats.

In summary, here’s a review of recommendations:

At the Executive level:

  • Develop a prioritized list of company programs and projects (3 piles)
  • Engage in a process to regularly review and update that list with the executive team
  • Maintain a working relationship with the FBI field office for classified/sensitive defense projects

For each project:

  • Proactive effort to fully understand the threat
  • Formal assessment of program/project vulnerabilities
  • Documented mitigation strategy to address identified risks
  • Screen employees, subs, and vendors with access to pile #1 programs
  • Ask FBI office to screen at-risk visitors/foreign delegations in advance of visit

On a regular basis:

  • Hold cognizant staff accountable for knowing the domain
  • Enforce physical and computer security measures – periodically test
  • Measure what’s important and reward the behavior you want repeated

Remember…

  1. Ask the right questions;
  2. Do the math;
  3. Trust, but verify;
  4. Use the velvet rope and black cloth; and
  5. Educate, communicate and reward.

As always, comments and thoughts are welcome.

Chuck Georgo, chuck@nowheretohide.org

Chuck has served as a strategic planner, business analyst, and technologist for the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, Illinois State Police, and many other public and private sector organizations. He helped these agencies to develop meaningful strategies, to implement innovative technologies, and to assess their success towards achievement of desired public safety and homeland security results. He currently serves as Executive Director for NOWHERETOHIDE.ORG, First Vice President of the InfraGard Maryland Members Alliance, and Chairman of the IJIS Institute Security and Privacy Committee.

15.11.2009 Economic espionage, Technology, Uncategorized, counterintelligence, security, security threats

It’s 2pm on Sunday: Do you know where your data is?

It seems the Los Alamos National Laboratory (LANL) is in the news again. Just when you’d think they had addressed the vulnerabilities that Wen Ho Lee exploited back in 1999 (Lee has his own Wikipedia page now), they got slammed again in 2006 when local police found a thumb drive with classified information on it at a local residence involved in a narcotics investigation. Well, now the U.S. Government Accountability Office (GAO) has just released an audit report on LANL that reported:

LANL has implemented measures to enhance its information security controls, but significant weaknesses remain in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network. The laboratory’s classified computer network had vulnerabilities in several critical areas, including (1) uniquely identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.

While LANL got slammed for losing information on its “classified” network…what about all of the unclassified information that’s floating around out there? I feel it is just as important to make sure all of the sensitive but unclassified case information, organization proprietary information, or intelligence data that contains Personally Identifiable Information (PII) is protected as well–would you want to be the person explaining to your boss what data was just lost on that USB drive you left at the airport restaurant?

While I was at the International Association of Chiefs of Police Conference in Denver last month, I ran across a security item that really caught my eye–it was a standard, run of the mill 4GB USB thumb drive, but this one was unique–it had a built-in PIN keypad, encrypted all data with AES encryption, and you didn’t have to plug it in to the computer first before unlocking it. I got to thinking…if every law enforcement officer and intelligence analyst who had a legal, bona fide reason for copying sensitive data onto portable media like CD-ROMs, SD cards, or unsecured thumb drives had one of these, they could sleep better at night knowing that the information on the thumb drive wouldn’t be compromised if it were lost or stolen, or that an unauthorized person who happened to get hold of the drive couldn’t stick it in their computer and access the information it holds.

The item is called the Classified Secure Flash Drive. It’s a 4GB thumb drive with a built-in 5-key keypad for entering a 1-10 digit PIN. There is NO software required on the desktop/laptop to create or enter the PIN, and all data on it is secured with 256-bit AES encryption. Those of you who know me know that I do not want to become another big IT vendor; however, I have decided to make these (and other innovative, niche technologies) available to agencies through NOWHERETOHIDE.ORG. For Federal agencies, the manufacturer has developed a version with a built-in 10-key keypad designed to meet FIPS 140-2; it is currently going through the validation process.
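What makes a keypad drive like this worth trusting is not the AES-256 label but two things the description above only implies: the data key must be a random key that lives inside the drive’s controller (not something computed from the PIN), and the controller must count failed unlock attempts and destroy that key after too many. A 1-10 digit PIN is a tiny keyspace on its own. The following is an added example written for this post; it is not the product’s firmware or any vendor’s code. It models both designs with Python’s standard library, uses an HMAC-SHA256 keystream as a stand-in for AES-256 (the standard library has no AES), assumes a lockout threshold of 10 attempts, and works on constructed sample data.

```python
"""Model of a keypad-unlocked encrypted drive vs. a PIN-derived-key design.

Added illustration only; not the product's firmware. The standard library
has no AES, so an HMAC-SHA256 keystream stands in for AES-256. All sample
data is constructed.
"""
import hashlib
import hmac
import secrets
from itertools import product

MAX_ATTEMPTS = 10      # assumed lockout threshold; real devices vary
PBKDF2_ROUNDS = 100    # deliberately low so the offline attack below runs fast


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256 counter blocks.
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


# ---- Design A: key derived from the PIN; everything the attacker needs is on flash.
def pin_to_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def encrypt_pin_derived(pin: str, plaintext: bytes) -> tuple:
    """Returns (salt, nonce, ciphertext): exactly what a stolen drive reveals."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    return salt, nonce, _keystream_xor(pin_to_key(pin, salt), nonce, plaintext)


def brute_force_offline(salt: bytes, nonce: bytes, ciphertext: bytes,
                        known_prefix: bytes, digits: int) -> str:
    """Try every PIN against a flash dump; a known file header confirms the hit.
    Nothing limits the attempt count, so the PIN keyspace is the whole defence."""
    head = ciphertext[:len(known_prefix)]
    for combo in product("0123456789", repeat=digits):
        pin = "".join(combo)
        if _keystream_xor(pin_to_key(pin, salt), nonce, head) == known_prefix:
            return pin
    return ""


# ---- Design B: random data key held inside the controller; the PIN only releases it.
class KeypadDrive:
    """Controller that keeps the key, verifies the PIN and counts failures."""

    def __init__(self, pin: str):
        self._data_key = secrets.token_bytes(32)   # never leaves the controller
        self._pin_salt = secrets.token_bytes(16)
        self._pin_check = self._digest(pin)
        self._failures = 0
        self.unlocked = False
        self.wiped = False
        self.flash = b""                           # what an attacker can dump

    def _digest(self, pin: str) -> bytes:
        return hashlib.sha256(self._pin_salt + pin.encode()).digest()

    def store(self, plaintext: bytes) -> None:
        nonce = secrets.token_bytes(12)
        self.flash = nonce + _keystream_xor(self._data_key, nonce, plaintext)

    def unlock(self, pin: str) -> bool:
        if self.wiped:
            return False
        if hmac.compare_digest(self._digest(pin), self._pin_check):
            self._failures, self.unlocked = 0, True
            return True
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._data_key = b""                   # crypto-erase: flash is now noise
            self.wiped = True
        return False

    def read(self) -> bytes:
        if not self.unlocked:
            raise PermissionError("drive is locked")
        return _keystream_xor(self._data_key, self.flash[:12], self.flash[12:])


def brute_force_online(drive: KeypadDrive, digits: int) -> str:
    """Guess through the keypad: the controller wipes long before the space is covered."""
    for combo in product("0123456789", repeat=digits):
        pin = "".join(combo)
        if drive.unlock(pin):
            return pin
        if drive.wiped:
            return ""
    return ""


if __name__ == "__main__":
    sample = b"CASEFILE constructed sample text"
    salt, nonce, ct = encrypt_pin_derived("4721", sample)
    print("design A, PIN recovered offline:", brute_force_offline(salt, nonce, ct, b"CASEFILE", 4))
    drive = KeypadDrive("4721")
    drive.store(sample)
    print("design B, PIN recovered online:", repr(brute_force_online(drive, 4)), "wiped:", drive.wiped)
```

Against design A, whoever dumps the flash grinds through all 10,000 four-digit PINs offline and recovers the data; against design B the same attacker gets ten guesses before the key is gone and the ciphertext is permanently unreadable. That is why the lockout and where the key lives matter far more than the PIN length, and those are the two questions to put to a vendor (and to a FIPS 140-2 validation certificate, once it exists) before issuing drives to officers and analysts.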

13.07.2009 Information sharing, Law enforcement information sharing, Uncategorized, data sharing, fusion center, intelligence center

Microsoft Fusion Core Solution: For pain relief, take two webparts and call me in the morning

I don’t usually plug any specific software, but I felt compelled to tell you about something I have been working with Microsoft on for about the last eight months–it’s called the Fusion Core Solution (FCS). What’s different about this project is that FCS isn’t just another application; it is an effort by Microsoft to help fusion centers do more with the many applications they currently own or have plans to invest in. First, a bit of background.

Whether you like the idea of a fusion center or not, they are here to stay. At last count, there were about 70 of them, and DHS recently spoke of helping to get even more going. At their core, I believe a fusion center is responsible for doing three basic things:

  1. Accepting and vetting reports of unusual behavior (criminal or terrorism related);
  2. Providing intelligence support to major case and tactical law enforcement operations; and
  3. Proactively supporting federal, state, and local homeland security and community safety objectives. 

To do this well, the majority of fusion centers in operation today have to rely on an assortment of manual processes, a patchwork of incompatible software applications, and dozens of disparate information sources. Walk into the typical fusion center today and you’ll probably find that an analyst answering the phone has to enter the request for services into one application for management purposes, enter the same information into a second application for sharing purposes, then manually bring up and log in to anywhere from 5-15 different data sources to search for information related to the request, then open one or more applications to write up and package the response, and then, more than likely, either fax it to whoever asked for the information or call them back on the telephone to give them the answer–a pretty painful and tedious way to work.

Today, though, Microsoft announced the release of a project that I have been helping them to develop for quite some time–the Fusion Core Solution. Microsoft hopes, through the use of Office, SharePoint, and ESRI’s ArcGIS, to ease the pain described above. The FCS uses SharePoint as a horizontal integration and workflow management platform to help an analyst go from taking in a fusion center service request, to searching for information, to analyzing that information, to producing the intelligence product without having to leave the SharePoint environment at all.

At a non-technical level, the FCS will enable fusion centers to do several pretty cool things:

  1. Provides a common look and feel across multiple analytic tools and business processes.
  2. Greatly reduces the number of user names and passwords analysts must remember.
  3. Organizes requests for fusion center services and tracks the progress of fusion center work.
  4. Helps to better document and comply with 28 CFR Part 23, CUI, and PCII requirements.
  5. Provides multiple analyst-to-analyst and fusion center-to-fusion center collaboration tools.
  6. Helps to keep track of fusion center and extended staff capabilities and availability.

From a technical perspective, FCS fully supports NIEM conformant information exchanges and establishes a framework for supporting the service-oriented principles of the Justice Reference Architecture (JRA) as it applies to information and data sharing.

In a nutshell, “Fusion Core Solution is for a Fusion Center what Microsoft Windows is to a personal computer”–you can think of FCS as the “operating system” for a Fusion Center.

For more info, check out the Fusion Core Solution website, or email me.

r/Chuck

Added 8/4/2009: See Joe Rozek, Microsoft’s Executive Director of Homeland Security and former Senior Director for Domestic Counterterrorism at The White House Office of Homeland Security, talk about Fusion Core Solution.

16.06.2009 Information sharing, LEIS, Law enforcement information sharing, Uncategorized, data sharing

Health Info Sharing Beating LE to the Punch


If you haven’t heard about the Department of Health and Human Services Federal Health Architecture and CONNECT project, I suggest you pop over to this website, where documentation for version 2.0 of the software resides:

http://www.connectopensource.org/display/NHINR2/Release+2.0+Home

CONNECT is an open source software gateway that connects public and private health organizations to the Nationwide Health Information Network (NHIN). Think of it like a giant peer-to-peer N-DEx, but with an open source “front porch” that drops into each agency and extracts the data from back-end systems.

I’ll be doing more investigation into the CONNECT project to see if we can adapt it for law enforcement information sharing use–the closest thing to this on the LEIS side is the FINDER project in Orlando, FL.

As always, comments and thoughts welcomed.

r/Chuck

chuck@nowheretohide.org - www.nowheretohide.org

02.01.2009 CJIS, Evaluation, Information sharing, LEIS, Law enforcement information sharing, Performance Measures, Processes, SOA, Strategy, Technology, Uncategorized, data sharing, law enforcement, public safety

What Gets Measured Gets Done…Using Evaluation to Drive Law Enforcement Information Sharing

Tom Peters liked to say “what gets measured gets done.” The Office of Management and Budget (OMB) took this advice to heart when they started the federal Program Assessment Rating Tool (PART) (http://www.whitehouse.gov/omb/part/) to assess and improve federal program performance so that the Federal government can achieve better results. PART includes a set of criteria in the form of questions that helps an evaluator to identify a program’s strengths and weaknesses to inform funding and management decisions aimed at making the program more effective.

I think we can take a lesson from Tom and the OMB and begin using a formal framework for evaluating the level of implementation and real-world results of the many Law Enforcement Information Sharing projects around the nation–not for any punitive purposes, but as a proactive way to ensure that the energy, resources, and political will continue long enough to see these projects achieve what their architects originally envisioned.

I would like to propose that the evaluation framework be based on six “Standards for Law Enforcement Information Sharing” that every LEIS project should strive to comply with; they include:

1. Active Executive Engagement in LEIS Governance and Decision-Making;

2. Robust Privacy and Security Policy and Active Compliance Oversight;

3. Public Safety Priorities Drive Utilization Through Full Integration into Daily Operations;

4. Access and Fusion of the Full Breadth and Depth of Regional Data (law enforcement related);

5. Wide Range of Technical Capabilities to Support Public Safety Business Processes; and

6. Stable Base of Sustainment Funding for Operational and Technical Infrastructure Support.

My next step is to develop scoring criteria for each of these standards; three to five per standard, something simple and easy for project managers and stakeholders to use as a tool to help get LEIS “done.”

I would like to know what you think of these standards and whether you would like to help me develop the evaluation tool itself…r/Chuck

Chuck Georgo
chuck@nowheretohide.org
www.nowheretohide.org

30.09.2008 Information sharing, Strategy, Uncategorized, data sharing

WARNING: Successful Law Enforcement Information Sharing Can be Hazardous to Your Career

Well, the news is out: John McKay was put on the list of U.S. Attorneys to be fired because “McNulty’s office was unhappy that McKay had tried to force McNulty to act on the LInX matter” [quoted from the 392-page DOJ report that can be read at this link–http://seattletimes.nwsource.com/ABPub/2008/09/29/2008212881.pdf].

LInX is the Naval Criminal Investigative Service’s Law Enforcement Information Sharing Project. Those of you who know me know that I was an architect of the LInX approach and a project manager for many of the LInX locations over a five-year period. What many don’t realize is that LInX was started by the Navy with a mere $50,000 purchase order. Through what was a largely grass-roots effort by state and local law enforcement executives, fueled by the leadership of John McKay (one of the fired U.S. Attorneys) and Dave Brant (former NCIS Director), LInX has grown to a nearly $100 million project in nine major regions around the U.S.

What’s particularly interesting about this whole saga is that when John took this information sharing success story to his leadership and offered it up as a “proven approach to nationwide information sharing,” they put the politics of internal DOJ projects ahead of the needs of state and local law enforcement and in the process took a good man down.

Unfortunately, they saw LInX as a competing “IT system” and not as what I and others believed–that LInX really was “a proven and standardized process for organizing, implementing, and evaluating regional law enforcement information sharing.” I and others believed the LInX approach could have been implemented with many of the other IT systems in use around the country at that time (or being developed) for information sharing. We also recognized that LInX was not a threat to any of the national-level systems being developed by DOJ (or DHS); in fact, we are now convinced (as DOJ would attest today) that those national efforts CANNOT succeed unless LInX-like information sharing projects are quickly replicated in other parts of the country.

While I am sure the final chapter in the U.S. Attorney firings has yet to be written, my hope is that the recently released report will help us to move past federal politics and realize that the true victims here are the state and local law enforcement agencies who were cheated out of a proven approach to enabling the electronic sharing of each other’s law enforcement records–let’s give the LInX approach (and what John and Dave started) its due and develop a formal project to make the process available to others who are still struggling with getting it done. I’ve summarized the LInX approach below.

STEPS IN THE LINX APPROACH

It is NOT about the technology.

  1. Strategy – Develop a regional law enforcement plan detailing areas of concern and how to leverage information sharing for the desired impact.
  2. Governance – Establish an information sharing governance infrastructure that gives each participating Chief Executive Officer an equal vote on all matters pertaining to the regional LInX system.
  3. Data – Identify and agree to integrate ALL relevant data. The key to success is sharing more, not less, information.
  4. Capabilities – Provide easy to use query and analysis tools, with multiple levels of security. LInX is a system developed by law enforcement personnel for law enforcement personnel. Feedback from user groups and the flexibility to make enhancements to the system keep the LInX system robust and valuable to the community.
  5. Technology – The LInX system is built with open standards and leverages existing technology to integrate diverse systems. It is an open-standards architecture that is flexible, scalable, sharable, and able to enhance the current systems it interfaces with.
  6. Full Support – There are some requirements for the participating agencies. The goal is to have minimal impact on a participating agency’s resources; however, there is a need to support user training, system administration, and maintenance.
  7. Evaluation – Conduct formal evaluations to assess achievement of desired impact. The LInX system is being developed to enhance law enforcement, utilizing technology to assist the investigator and patrol officer.

26.08.2007 Information sharing, Uncategorized

EA Dead? Long Live SOA!

I just finished reading through Thomas Erl’s latest book, SOA: Principles of Service Design. It is a great read for those getting involved in Service Oriented Architecture, yet one thing he doesn’t address head-on is where Enterprise Architecture ends and SOA begins. All he says is that “SOA spans BOTH enterprise and application architectures”–not much help.

With apologies to every organization that’s invested boatloads of money in developing an EA, I’m starting to believe EA in general is dead.  Why do I think it’s dead?  In my eight years of doing EA, I have yet to see an EA effort that meets my five criteria for success:

  1. EA championed by senior executive from start to finish
  2. EA addresses all levels–business needs, systems capabilities, technical standards
  3. EA development followed through to produce at least one full iteration of products
  4. EA products integrated in to systems acquisition and operational planning processes
  5. EA success evaluated based on achievement of real business results

Because of this, organizations are growing weary of their EA efforts – I have seen many EA efforts come to a screeching halt recently. And, with EA on life support, in comes SOA–tada!

Tell me what you think…r/Chuck

06.08.2007 Uncategorized

NTH Blog is now registered with Technorati.com