29.05.2010 Award, ISE-SAR, Information sharing, NIEM, fusion center

Utah SIAC Takes Honors: Fusion Core Solution Success Story

On May 4, 2010, e.Republic’s Center for Digital Government and Emergency Management honored first responders demonstrating measurable improvements in the lives of the people and businesses they serve. Among the recipients of the inaugural Emergency Management Digital Distinction Awards was the Utah Statewide Terrorism and Information Analysis Center (SIAC). Core to SIAC’s capabilities is the Microsoft Fusion Core Solution technology platform. Here’s a snippet from the Center’s website:

Best Collaboration and Information Sharing

Fusion Center Empowers Utah’s Crime Stoppers, Utah Department of Public Safety, Statewide Information & Analysis Center

The Utah Statewide Information & Analysis Center (SIAC), managed by the Utah Department of Public Safety, is a public safety partnership collaboration with all of the state’s law enforcement and public safety agencies to collect, analyze and disseminate intelligence appropriately for enhanced protection of Utah’s citizens, communities and critical infrastructure. As the state’s intelligence fusion (terrorism and response) center, SIAC replaced a legacy system that lacked effective data management practices and included manual, duplicative efforts. SIAC implemented a new set of technologies which utilized existing assets, integrated domain-specific applications, and improved business processes for information collection and management, and analysis and information sharing with Utah’s 29 county Sheriff’s Offices, 180 law enforcement agencies, and more than 26 specialized task forces.

Fusion Core Solution is an open and extensible information sharing and analysis product, based on the National Information Exchange Model (NIEM) and Information Sharing Environment-Suspicious Activity Reporting (ISE-SAR) Functional Standard, developed to help municipal, county, regional, state, and federal intelligence and fusion centers improve operations through workflow management, information sharing, and geospatial intelligence technologies. For more information about Fusion Core Solution see http://www.microsoft.com/fusion

30.01.2010 Information sharing, Law enforcement information sharing, data sharing, privacy, security

Having trouble convincing the boss to spend on Security and Privacy protection? Read on…

The Ponemon Institute, considered the pre-eminent research center dedicated to privacy, data protection and information security policy, released its 2009 Ponemon Institute “Cost of a Data Breach” Study on January 29, 2010.

In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies representing 15 different industry sectors; significant contributors were financial, retail, services and healthcare companies.

Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.

What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?

Some factors they considered in computing the cost of the breach included:

  • Direct costs - communications costs, investigations and forensics costs and legal costs
  • Indirect costs - lost business, public relations, and new customer acquisition costs

The report also lists a number of causes for the data breaches, such as:

  • 82% of all breaches involved organizations that had experienced more than one data breach
  • 42% of all breaches studied involved errors made by a third party
  • 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
  • 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).

You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf

Thoughts and comments welcomed…r/Chuck

02.01.2010 Open Government, Processes, data sharing, privacy, security, transparency

Data.gov CONOP – Five ideas posted to “Evolving Data.gov with You”

Following up on my comments and thoughts about the Open Government Directive and Data.gov effort, I just posted five ideas on the “Evolving Data.gov with You” website and thought I would cross-post them on my blog as well…enjoy! r/Chuck

1. Funding – Data.gov cannot be another unfunded federal mandate

Federal agencies are already trying their best to respond to a stream of unfunded mandates. Requiring federal agencies to a) expose their raw data as a service and b) collect, analyze, and respond to public comments requires resources. The requirement to make data accessible to (through) Data.gov should be formally established as a component of one of the Federal strategic planning and performance management frameworks (GPRA, OMB PART, PMA) and each agency should be funded (resourced) to help ensure agency commitment towards the Data.gov effort. Without direct linkage to a planning framework and allocation of dedicated resources, success of Data.gov will vary considerably across the federal government.

2. Strategy – Revise CONOP to address the value to American citizens

As currently written, the CONOP only addresses internal activities (means) and doesn’t identify the outcomes (ends) that would result from successful implementation of Data.gov. In paragraph 1 the CONOP states “Data.gov is a flagship Administration initiative intended to allow the public to easily find, access, understand, and use data that are generated by the Federal government.”, yet there is no discussion about “what data” the “public” wants or needs to know about.

The examples given in the document are anecdotal at best and (in my opinion) do not reflect what the average citizen will want to see–all apologies to Aneesh Chopra and Vivek Kundra, but I do not believe (as they spoke in the December 8th webcast) that citizens really care much about things like average airline delay times, visa application wait times, or who visited the White House yesterday.

In paragraph 1.3 the CONOP states “An important value proposition of Data.gov is that it allows members of the public to leverage Federal data for robust discovery of information, knowledge and innovation,” yet these terms are not defined–what are they to mean to the average citizen (public)? I would suggest the Data.gov effort begin with a dialogue of the ‘public’ they envision using the data feeds on Data.gov; a few questions I would recommend they ask include:

  1. What issues about federal agency performance are important to them?
  2. What specific questions do they have about those issues?
  3. In what format(s) would they like to see the data?

I would also suggest stratifying the “public” into the different categories of potential users, for example:

  1. General taxpayer public, non-government employee
  2. Government employee seeking data to do their job
  3. Government agency with oversight responsibility
  4. Commercial/non-profit organization providing voluntary oversight
  5. Press, news media, blogs, and mash-ups using data to generate ‘buzz’

3. Key Partnerships – Engage Congress to participate in Data.gov

To some, Data.gov can be viewed as an end-run around the many congressional committees who have official responsibility for oversight of federal agency performance. Aside from general concepts of government transparency, Data.gov could (should) be a very valuable resource to our legislators.

Towards that end, I recommend that Data.gov open a dialogue with Congress to help ensure that Data.gov addresses the data needs of these oversight committees so that Senators and Congressmen alike can make better informed decisions that ultimately affect agency responsibilities, staffing, performance expectations, and funding.

4. Data Quality – Need process for assuring ‘good data’ on Data.gov

On Page 9 of the CONOP, the example of Forbes’ use of Federal data to develop the list of “America’s Safest Cities” brings to light a significant risk associated with providing ‘raw data’ for public consumption. As you are aware, much of the crime data used for that survey is drawn from the Uniform Crime Reporting effort of the FBI.

As self-reported on the “Crime in the United States” website, “Figures used in this Report are submitted voluntarily by law enforcement agencies throughout the country. Individuals using these tabulations are cautioned against drawing conclusions by making direct comparisons between cities. Comparisons lead to simplistic and/or incomplete analyses that often create misleading perceptions adversely affecting communities and their residents.”

Because Data.gov seeks to make raw data available to a broad set of potential users, how will Data.gov address the issue of data quality within the feeds provided through Data.gov? Currently, federal agency Annual Performance Reports required under the Government Performance and Results Act (GPRA) of 1993 require some assurance of the accuracy of the data reported; will there be a similar process for federal agency data made accessible through Data.gov? If not, what measures will be put in place to ensure that conclusions drawn from the Data.gov data sources reflect the risks associated with ‘raw’ data? And how will we know that the data made available through Data.gov is accurate and up-to-date?

5. Measuring success of Data.gov – a suggested (simple) framework

The OMB Open Government Directive published on December 8, 2009 includes what are (in my opinion) some undefined terms and very unrealistic expectations and deadlines for federal agency compliance with the directive. It also did not include any method for assessing progress towards the spirit and intent of the stated objectives.

I would like to offer a simple framework that the Data.gov effort can use to work (collaboratively) with federal agencies to help achieve the objectives laid out in the directive. The framework includes the following five questions:

  1. Are we clear about the performance questions that we want to answer with data to be made available from each of the contributing federal agencies?
  2. Have we identified the availability of the desired data and have we appropriately addressed security and privacy risks or concerns related to making that data available through Data.gov?
  3. Do we understand the burden (level of effort) required to make each of the desired data streams available through Data.gov and is the funding available (either internally or externally) to make the effort a success?
  4. Do we understand how the various data consumer groups (the ‘public’) will want to see or access the data and does the infrastructure exist to make the data available in the desired format?
  5. Do we (Data.gov and the federal agency involved) have a documented and agreed to strategy that prepares us to digest and respond to public feedback, ideas for innovation, etc., received as a result of making data available through Data.gov?

I would recommend this framework be included in the next version of the Data.gov CONOP so as to provide a way for everyone involved to a) measure progress towards the objectives of the OMB directive and b) provide a tool for facilitating the dialogue with federal agencies and Congress that will be required to make Data.gov a success.

29.12.2009 Analysis, Data, Open Government, data sharing, transparency

Data.gov needs some “Tough Love” if it’s to be successful

I just finished commenting on Data.gov on the NIEM LinkedIn Group and thought I would share what I wrote here on my blog.

I just finished watching a rerun episode of Tough Love on VH1 and I know some of you will think this is a bit odd, but the show led me to some thoughts about how to give the Data.gov project some focus and priority.

You’re probably wondering what Data.gov has to do with eight beautiful women looking for marriage and long-lasting love, but believe it or not, the show and Data.gov have a lot in common.

In this particular episode of the show, the “boot camp” director was focusing on communication skills. He made it very clear to the ladies that communication is very important in making a good first impression with a would be suitor. In the show he counseled the ladies that if they wanted to make a good impression, the ladies would need to:

  • Listen carefully to what their date is telling them about what’s important to them;
  • Make the conversation about “them” on first contact and avoid bragging about yourself; and
  • Resist the urge to reveal too much information about their own respective private lives.

While I will avoid speaking to the validity of this counsel as it applies to love, I would like to suggest that these three rules are also quite relevant in our efforts to have a more transparent, open and collaborative government.

Along these lines, I offer the following three suggestions for Data.gov’s first (transparent, open and collaborative) date with America:

  1. Ask the public (and Congress) what they specifically want to see on Data.gov and the forthcoming dashboard; all apologies to Aneesh Chopra and Vivek Kundra, but I do not believe (as they spoke in the December 8th webcast) that citizens really care much about things like average airline delay times, visa application wait times, or who visited the White House yesterday. I particularly suggest they work with Congressional Oversight Committees to make Data.gov a tool that Congress can (and will) use.
  2. Make Data.gov about demonstrating the good things that Federal agencies do that directly impact the general public. It’s no surprise that most agencies do a poor job of explaining to citizens what they do. I suggest reviving the OMB Performance Assessment Rating Tool (PART) Program (which appears to have died on the vine with the new administration) and using the performance measures in the Program Results/Accountability section to better communicate the relevant value these agencies deliver to citizens.
  3. Focus Data.gov data sources and the desire for openness on the critical few measures and metrics that matter to the public. Avoid the urge to just “get the data posted” – not many people will care about how many kilowatt hours of hydroelectric power the Bureau of Reclamation is counting, how many FOIA requests the Department of Justice received, or the Toxic Release Inventory for the Mariana Islands. Information sharing is most successful when it is directly relevant to the person (or agency) with whom you are sharing.

I’ll let you know if the next episode is as enlightening as this was. ;-)

r/Chuck

28.12.2009 Analysis, Budget, Data, Information sharing, transparency

Data.gov CONOP: Nice document, but fails to address non-technical issues affecting transparency

I just took a look at the OMB Data.Gov Concept of Operations, and while I don’t want to sound like a party pooper, I am very concerned about the Data.gov effort. We appear to be moving full speed ahead with the technical aspect of making data available on data.gov without really thinking through the policy, politics, resource, and other non-technical aspects of the project that could really hurt what could be a very valuable resource.

A few concerns I have include:

1. None of the Data.gov principles in the CONOP address the “real-world effects” we hope to achieve through data.gov–from an operational programs perspective. All seven principles in the CONOP address “internal” activities (means). We need to address success in terms of what citizens will realize through the Data.gov effort.

2. The entire Data.gov effort appears to be driven out of context from any government performance planning and evaluation process. Shouldn’t the need for data transparency be driven by specific strategic management questions? Where are the links to the President’s Management Agenda? Agency strategic plans?

3. There are more than 200 Congressional Committees with varying degrees of oversight of over a similar number of agencies in the Executive Branch. How will Data.gov impact Congress’ efforts to monitor (oversee) agency performance? What will happen when there is a disparity between a) what an agency says it’s doing, b) what oversight committee(s) say they are doing, and c) how the public views that agency’s performance based on data posted on Data.gov?

4. Transparency, Participation and Collaboration (TPC) are the buzz words of the month, but what does that really mean? The opening sentence of the CONOP states “Data.gov is a flagship Administration initiative intended to allow the public to easily find, access, understand, and use data that are generated by the Federal government.” Do we really expect the general public to access and analyze the data at Data.gov? If so, do we really understand how the public will want to see/access the information? More importantly, are we (agencies) fully prepared to digest and respond to received public feedback?

5. Who will pay the agencies to support data transparency? Do we really understand the burden involved in achieving open government? The last thing federal agencies need is another unfunded mandate.

6. Finally, how do we know the data that’s made accessible via Data.gov is good data (correct)? The GPRA required OIG review and certification of agency data published in annual performance reports. What can we expect in the way of quality from near-real-time access to agency performance data? Will we require the same data quality process for data feeds posted on Data.gov? Will agencies be funded to do it right?

I provide similar commentary on this issue and an analysis of the recent Executive Order in a December 17th blog posting here: http://www.nowheretohide.org/2009/12/17/open-government-directive-another-ambiguous-unfunded-and-edental-mandate/

Don’t get me wrong, I am all for open government, but let’s do it right. Let’s give the techies a couple of days off and let’s take a good hard look at the non-technical issues that could really hurt this effort if they’re not properly addressed.

Your comments and thoughts welcomed.

Thanks…r/Chuck

27.12.2009 Uncategorized

Economic Espionage: Spies, damn spies, and the real threat (Part 2 of 2)

In Part 1 I spoke about the many threats to your organization’s innovations and intellectual property and described two of the five key strategies I came up with to help you prevent loss. In Part 2 I provide you with the three remaining strategies.

3. Trust, but Verify

Develop a “people risk model” for your business. One that is designed for your specific industry, shaped for your specific technologies, and can address the specific threats you face. Use this model to screen employees, subcontractors, vendors, visitors, and others you engage. You should pay particular attention to subcontractors; be sure to flow-down all of your security protocols to their employees, subcontractors, vendors, etc.

Interesting side note: Chi Mak, who was arrested in 2005 for stealing Naval submarine propulsion technology and sharing it with China, worked as an engineer for Power Paragon, a subcontractor to L-3 Communications, which was in fact a subcontractor to Lockheed Martin.

Additionally, you should join your local InfraGard program and develop a close relationship with your local FBI field office. If you are involved in national security, defense, or homeland security technologies or projects, you should ask the FBI for a focused threat briefing for your sector. You should also share suspicious incidents, unsolicited emails, strange purchase orders for products, etc., with them. Finally, don’t be afraid to ask the FBI to help screen foreign visitors to sensitive facilities BEFORE those visitors actually arrive on your doorstep.

4. Use the Velvet Rope and Black Cloth

I know this probably goes without saying, but I’ll say it anyway–implement and enforce physical and computer security measures. I cannot tell you how many times I’ve visited facilities only to find the loading dock door propped open for smokers or visitors wandering the halls clearly displaying “Escort Required” badges. It’s also a good idea to do periodic walk-throughs of your facilities, with a twist–think like the threat. As you walk the halls, stop and read stuff on the walls, look in trash cans, pay close attention to what you can see through open doors. Also, sit in the cafeteria for a while and listen–what are employees talking about while they have their 10am coffee? Lunchtime?

You can help to prevent threats from getting what they are looking for if you sanitize those bulletin boards and use “velvet ropes” to block off areas they shouldn’t be allowed to wander around. In my early days at NSA we used black cloth to cover our desks and bulletin boards when uncleared visitors came into our spaces; it sounds simplistic, but it was effective. Finally, be sure to sensitize smokers and others about not leaving those back doors propped open. If you use “Escort Required” badges, make sure your people challenge visitors they see walking the halls without an escort.

5. Educate, Communicate and Reward

In the end, you must rely heavily on your employees to protect your organization’s projects and intellectual property–they are really your first and best line of defense. The best gates, guards, and firewalls won’t protect you very well if your staff doesn’t remain vigilant to the threats that these measures were put in place to protect against. The best advice I can give you for enlisting and sustaining your staff’s attention to prevent economic espionage against your organization can be boiled down to two axioms:

  1. What gets measured, gets done; and
  2. Reward the behavior you want repeated.

Establish simple and easy to implement measurement systems for the protection of your organization’s projects and intellectual property. Hold project managers accountable through regular evaluation of ongoing projects; publish the results of your findings publicly so everyone can see where the organization stands with respect to protecting against threats. Finally, publicly reward individuals, teams, and other parts of your organization for finding and fixing vulnerabilities or for actively practicing good personnel and information system security practices–rather than just punishing poor performance, be sure to actively reward GOOD performance; you’ll be surprised how effective this strategy can be.

Summary

In May, 2008, the Special Agent in Charge of the Pittsburgh FBI Division was quoted as saying “America has no friends when it comes to the research that gives its companies, universities and government a competitive edge. Countries all over the world – including friends and allies – would like to have that research, and they would love to get it for free.” I hope, through this article, I’ve opened some eyes a bit wider to better see and understand a) the threats they face from foreign (and domestic) sources, and b) some simple things they can do to better protect themselves from the threats.

In summary, here’s a review of recommendations:

At the Executive level:

  • Develop a prioritized list of company programs and projects (3 piles)
  • Engage in a process to regularly review and update the list with the executive team
  • Establish a working relationship with the FBI field office for classified/sensitive defense projects

For each project:

  • Proactive effort to fully understand the threat
  • Formal assessment of program/project vulnerabilities
  • Documented mitigation strategy to address identified risks
  • Screen employees, subs, and vendors with access to pile #1 programs
  • Ask FBI office to screen at-risk visitors/foreign delegations in advance of visit

On a regular basis:

  • Hold cognizant staff accountable for knowing the domain
  • Enforce physical and computer security measures – periodically test
  • Measure what’s important and reward the behavior you want repeated

Remember…

  1. Ask the right questions;
  2. Do the math;
  3. Trust, but verify;
  4. Use the velvet rope and black cloth; and
  5. Educate, communicate and reward.

As always, comments and thoughts are welcome.

Chuck Georgo, chuck@nowheretohide.org

Chuck has served as a strategic planner, business analyst, and technologist for the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, Illinois State Police, and many other public and private sector organizations. He helped these agencies to develop meaningful strategies, to implement innovative technologies, and to assess their success towards achievement of desired public safety and homeland security results. He currently serves as Executive Director for NOWHERETOHIDE.ORG, First Vice president of the InfraGard Maryland Members Alliance, and Chairman, IJIS Institute Security and Privacy Committee.

17.12.2009 Analysis, Information sharing, Open Government, data sharing

Open Government Directive: Another ambiguous, unfunded, and edental mandate?

Before you send me hate mail let me state that I am all for Federal agencies sharing data in the spirit of open government, but we have to do it in a smart way, making sure that:

  1. We fully understand why we want it and are clear about what we are really asking for;
  2. We understand the burden involved in achieving open government and that we fund the agencies to do it right;
  3. We are clear about the performance questions that we want the [transparent] data to answer;
  4. We have an understanding for how the public will want to see/access the information; and
  5. We are fully prepared to digest and respond to received public feedback.

After reading the 3,185 words of the Office of Management and Budget (OMB) Open Government Directive (with attachment), I am very sorry to report that IMO none of the five criteria (conditions) listed above have been met by the language contained in the document. From what I read:

  • It would appear that no one in the approval chain asked any hard questions about the language–much of the language used is very vague and leaves a lot of room for interpretation (or misinterpretation);
  • There is no mention of how agencies will be funded to build the capacity to meet the additional workload that the requirements of the memorandum are certain to cause.
  • The focus of the document to “get agency data on the web” and “solicit (direct) public feedback” appears to be totally out of context of any other strategic management, performance assessment, or planning framework. This appears to be an end-run around other oversight committees and organizations, like Congress. Will Federal agencies be able to deal with direct feedback from hundreds or thousands of citizens? I am reminded of the old adage “be careful what you ask for”…;
  • The document tells agencies to “publish information online in an open format that can be retrieved, downloaded, indexed, and searched by commonly used web search applications;” however, this can be satisfied in many ways–.txt, .csv, .doc, .pdf, .html, .xml, etc.–some formats will make it very cumbersome for the “public” to view, analyze and understand the data.
  • Finally, the memorandum sets what I believe to be some very unrealistic expectations from both a performance and timeline perspective. For example, how can agencies be expected to review and respond to public input from the web when these same agencies are already overwhelmed with their current day-to-day tasks?

Here are a couple examples to ponder:

On Page 2 – “To increase accountability, promote informed participation by the public, and create economic opportunity, each agency shall take prompt steps to expand access to information by making it available online in open formats”

  • Nowhere in the memorandum are the terms “accountability” or “informed participation” defined
  • What does “create economic opportunity” really mean?
  • Does this mandate circumvent the established management processes (OMB, GAO, Congress) for holding Federal agencies accountable for efficient and effective performance?

On Page 3 – “Each agency shall respond to public input received on its Open Government Webpage on a regular basis…Each agency with a significant pending backlog of outstanding Freedom of Information requests shall take steps to reduce any such backlog by ten percent each year.”

  • What do they mean by “respond to public feedback on a regular basis?”
  • All feedback? Some feedback?
  • What does “regular basis” mean? Within 24 hours? Weekly? Annually?

If we really want Federal agencies to be more “open” with their data and information, we must be willing to commit the effort required to:

  • Be clear about what we really want them to do;
  • Give them the funding to do it right;
  • Drive data openness with specific questions we want answered;
  • Present the data in a way that the public can easily understand it; and
  • Be ready and willing to act on the feedback we’re sure to receive.

What are your thoughts and comments on this issue?

Thanks…r/Chuck

29.11.2009 safe surfing, security, security threats

The Birds and Bees of Online Safety: What mama should have told you…

Remember what your mother told you? “Wear your mittens, look both ways before you cross the street, don’t swim until 30 minutes after you eat, cigarettes are bad for you, use a condom…” Well, today’s mothers should also be telling you to “be safe” when you surf the internet.

What does it mean to practice safe web surfing? Here are seven points I adapted from a poster that my colleagues at the New York City Metro InfraGard chapter developed to communicate what you should do to practice “safe web surfing.”

  1. Use passwords that have at least eight characters, and mix it up a bit–lowercase, uppercase, numbers and special symbols. Here’s an example: rather than “amysmith” as a password, use “@mySm1th”…get it? For more information on strong passwords, click here: Strong Passwords. To generate r-e-a-l-l-y strong passwords, use this tool: Password Generator
  2. Contrary to what you’ve heard before, write your passwords down and store them (somewhere other than under the keyboard on your desk). There is a greater chance that an easy to remember password will be cracked than there is for someone to break into your house or office and steal that sticky you wrote them down on. Bruce Schneier talks about this in his blog here: Write Down your Passwords
  3. Use virus scanning and spyware software–Microsoft has a free one available. Also, make sure your virus scanning software is turned ON and that its signature files are up-to-date.
  4. Only open email attachments from people you know. No matter how enticing they appear to be…Free Cell Phone! Make Your (whatever) Bigger (or Smaller)! Verify Your Bank Account!…DO NOT open the attachment.
  5. Do NOT click on any web links in emails from people you do not know–if there’s a web address you want to go to, type the web address directly into your browser–www.goodsite.com may actually take you to a malicious website.
  6. Parents can use the administrative capabilities of Microsoft Windows to lock down sites/domains you don’t want your kids to visit. See instructions for doing this here: Block a Website
  7. Be very careful downloading and installing toolbars from non-reputable sources. They might offer you all kinds of neat smiley faces and cool tools, but they could also be stealing your personal information and doing other nefarious things. Here’s one article that talks about a fake toolbar for a very well known website: Dangerous Toolbar
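As an added example (not from the original post or the InfraGard poster), here is a small Python script that checks a password against point 1 above (eight or more characters, mixing lowercase, uppercase, numbers and special symbols) and generates a compliant password from the operating system’s cryptographic random source, which is the property to look for in any “password generator” tool. The symbol set, the 16-character default length and the function names are my own choices.

```python
"""Password policy check and generator (added example, not from the original post)."""
import secrets
import string
from random import SystemRandom

MIN_LENGTH = 8  # the post's rule: at least eight characters

# The four character classes the post asks you to mix. The symbol set is a
# constructed choice; trim it to whatever the site you log into accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}


def missing_requirements(password: str) -> list:
    """Return the list of policy rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append(f"no {name} character")
    return problems


def meets_policy(password: str) -> bool:
    """True when the password satisfies length and all four character classes."""
    return not missing_requirements(password)


def generate_password(length: int = 16) -> str:
    """Generate a policy-compliant password using the OS CSPRNG via `secrets`.

    `random.random()` is a Mersenne Twister and is not suitable for secrets;
    `secrets.choice` and `SystemRandom` both draw from os.urandom().
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character from every class")
    # One guaranteed character from each class, then fill the rest from the union.
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    everything = "".join(CLASSES.values())
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    # CSPRNG-backed shuffle so the guaranteed characters are not always in front.
    SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("amysmith", "@mySm1th", generate_password()):
        verdict = "OK" if meets_policy(candidate) else ", ".join(missing_requirements(candidate))
        print(f"{candidate!r}: {verdict}")
```

Run as a script it reports that “amysmith” fails three of the four class rules while “@mySm1th” passes, then prints a freshly generated password. Treat eight characters as a floor, not a target: the generator defaults to 16 because length does more for resistance to guessing than any single symbol does.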

    Let me know if you have other ideas I should add to this list…comments and thoughts welcomed. r/Chuck

    Chuck Georgo
    chuck@nowheretohide.org

    15.11.2009 Economic espionage, Technology, Uncategorized, counterintelligence, security, security threats

    It’s 2pm on Sunday: Do you know where your data is?

    It seems the Los Alamos National Laboratory (LANL) is in the news again. Just when you’d think they had addressed the vulnerabilities that Wen Ho Lee exploited back in 1999 (Lee has his own Wikipedia page now), they got slammed again in 2006 when local police found a thumb drive with classified information on it at a local residence involved in a narcotics investigation. Well, now the U.S. Government Accountability Office (GAO) has just released an audit report of LANL that reported:

    LANL has implemented measures to enhance its information security controls, but significant weaknesses remain in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network. The laboratory’s classified computer network had vulnerabilities in several critical areas, including (1) uniquely identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.


    While LANL got slammed for losing information on its “classified” network, what about all of the unclassified information that’s floating around out there? I feel it is just as important to make sure that sensitive but unclassified case information, organization proprietary information, and intelligence data that contains Personally Identifiable Information (PII) are protected as well. Would you want to be the person explaining to your boss what data was on that USB drive you left at the airport restaurant?

    While I was at the International Association of Chiefs of Police Conference in Denver last month, I ran across a security item that really caught my eye. It was a standard, run-of-the-mill 4GB USB thumb drive, but this one was unique: it had a built-in PIN keypad, encrypted all data with AES encryption, and you didn’t have to plug it into the computer first before unlocking it. I got to thinking…if every law enforcement officer and intelligence analyst who had a legal, bona fide reason for copying sensitive data onto portable media like CD-ROMs, SD cards, or unsecured thumb drives had one of these, they could sleep better at night knowing that the information on the thumb drive wouldn’t be compromised if it were lost or stolen, or that an unauthorized person who happened to get access to the drive couldn’t stick it in their computer and access the information it holds.

    The item is called the Classified Secure Flash Drive. It’s a 4GB thumb drive with a built-in 5-key keypad for entering a 1-10 digit PIN. There is NO software required on the desktop/laptop to create or enter the PIN, and all data on it is secured with 256-bit AES encryption. Those of you who know me know that I do not want to become another big IT vendor; however, I have decided to make these (and other innovative, niche technologies) available to agencies through NOWHERETOHIDE.ORG. For federal agencies, the manufacturer has developed a FIPS 140-2 compliant version with a built-in 10-key keypad; they are in the midst of the validation process now (until that process completes, “compliant” is the vendor’s own claim rather than a NIST-validated one).
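    A PIN of 1 to 10 digits is a small key space, so what actually protects a keypad drive is that the PIN is checked, and the failed attempts counted, inside the hardware, where an attacker cannot loop over guesses offline. The following is an added example, not code from this post or from the drive’s manufacturer (whose internals the post does not describe): it models a PIN-derived key with a stored verifier tag, brute-forces a 4-digit PIN against a software-only container, and then repeats the search with a simulated hardware attempt counter in the way. The salt, sample PIN, low PBKDF2 iteration count and ten-attempt limit are all constructed for the demonstration.

```python
import hashlib
import hmac
import itertools

# Deliberately low so the whole 4-digit search runs in seconds here; a real
# container would use a far higher cost (hundreds of thousands of iterations
# or a memory-hard KDF), which slows but does not stop an offline search.
PBKDF2_ITERATIONS = 200
VERIFIER_MESSAGE = b"pin-verifier"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SAMPLE_PIN = "4207"                                               # constructed


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch a numeric PIN into a 256-bit key (the key that would wrap the AES data key)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def make_verifier(pin: str, salt: bytes) -> bytes:
    """Tag stored alongside the data so a PIN can be checked without decrypting anything."""
    return hmac.new(derive_key(pin, salt), VERIFIER_MESSAGE, "sha256").digest()


def check_pin(pin: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(pin, salt), verifier)


class PinLocked(Exception):
    """Raised once the attempt counter has been exhausted."""


class AttemptCounter:
    """Stand-in for the counter a keypad drive keeps inside the hardware: after
    max_failures wrong PINs the key material is treated as wiped and every
    further attempt is refused, so the remaining key space never gets searched."""

    def __init__(self, salt: bytes, verifier: bytes, max_failures: int = 10):
        self.salt, self.verifier, self.max_failures = salt, verifier, max_failures
        self.failures = 0

    def try_pin(self, pin: str) -> bool:
        if self.failures >= self.max_failures:
            raise PinLocked("attempt limit reached; key material wiped")
        ok = check_pin(pin, self.salt, self.verifier)
        if not ok:
            self.failures += 1
        return ok


def brute_force(digits: int, checker) -> tuple:
    """Try every `digits`-digit PIN in order through checker(pin) -> bool.
    Returns (pin, attempts) on success, or (None, attempts) if the checker locks first."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        pin = "".join(combo)
        try:
            ok = checker(pin)
        except PinLocked:
            return None, attempts
        attempts += 1
        if ok:
            return pin, attempts
    return None, attempts


def demo() -> tuple:
    verifier = make_verifier(SAMPLE_PIN, SAMPLE_SALT)
    # Software-only container: nothing stops the loop, the PIN falls in one pass.
    offline = brute_force(4, lambda p: check_pin(p, SAMPLE_SALT, verifier))
    # Same search with a hardware attempt counter between attacker and key.
    gated = brute_force(4, AttemptCounter(SAMPLE_SALT, verifier).try_pin)
    return offline, gated


if __name__ == "__main__":
    offline, gated = demo()
    print("offline search:", offline)          # ('4207', 4208)
    print("with attempt counter:", gated)      # (None, 10)
```

    The offline search recovers the PIN after 4,208 guesses in about a second; with the counter in place the search dies after ten. Even a 10-digit PIN (10 billion guesses) is within reach of an offline attack on a software container, which is why the attempt limit and the self-wipe, not the AES key length, are the properties to ask a keypad-drive vendor about.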

    10.11.2009 Economic espionage, counterintelligence, espionage, law enforcement, security, security threats

    Economic Espionage: Spies, damn spies, and the real threat (Part 1 of 2)

    When most people think of spies, they think of the Rosenbergs, who gave up atomic research in the 1940s; John Walker, who gave up Naval radio communications in the 1980s; or the likes of Aldrich Ames and Robert Hanssen, who compromised CIA and FBI programs (respectively). But have you ever heard of Ho, Yang or Min?

    • Chester Ho, a naturalized U.S. citizen, was arrested after stealing plant cell culture technology from Bristol-Myers Squibb: nearly $15 million loss
    • Hwei-Chen Yang was arrested after stealing adhesive trade secrets from Avery Dennison: nearly $60 million loss
    • Yonggang Min walked out the door of DuPont with more than 16,000 documents from DuPont’s electronic library: nearly $600 million loss

    While the Rosenbergs, Ames and Hanssen were guilty of national security espionage, Ho, Yang and Min were clearly engaged in economic espionage, “the act of theft or misappropriation of (commercial) trade secrets.” What makes this particularly significant is that the potential for economic espionage exists in virtually every corner of our way of life (government agencies, small companies, large corporations, colleges, universities, overseas research and development laboratories), and it is largely driven by one of three motives:

    1. Profit;
    2. Patriotism to home country; or
    3. Desire to achieve academic/scientific notoriety.

    While much of the threat comes from the 108 countries actively seeking to collect information about American innovations, and from (a subset of) the 30,000,000 non-immigrant visitors to our nation every year, the threat can also come from within: companies in like sectors would love to know what the others in that sector are working on. New prescription drug? Next iPod? Alternative fuel technologies?

    So, who can threaten your innovations and intellectual property?

    • Insider threats–people working for you;
    • People and companies that you partner with;
    • Subcontractors providing services;
    • University students doing research for you;
    • Visitors that have an interest in what you do; or
    • Competitors who seek to do you harm.

    Interesting side note: 75% of the 40 proprietary and confidential information thefts studied between 1996 and 2002 by Carnegie Mellon’s CERT program, in a July 2006 study, were committed by current employees. Of those current employees committing intellectual property thefts, 45% had already accepted a job offer with another company: “In between the time they have another offer and the time they leave is when they take the information.”

    At the end of the day, you (and your organization’s leaders) are responsible for the survival of your organization, and only you can really know “Who’s in Your House” and what they are doing. The other way to put it is that if something bad happens, only you will be standing there explaining to your board of directors and shareholders what happened.

    So what can you do to protect yourself? I suggest five key strategies:

    • Ask the right questions;
    • Do the math;
    • Trust, but verify;
    • Use the velvet rope and black cloth; and
    • Educate, communicate and reward.

    1. Ask the Right Questions

    Corporate presidents and CEOs should regularly ask their security officers the following five questions:

    1. What technologies/projects are most at risk?
    2. Why are others interested in it?
    3. Who are the specific threats?
    4. Where are the vulnerabilities?
    5. How are we stopping them from getting it?

    Establish a good idea of what an adversary might be after, why they’re after it, and what your organization is doing to protect it from compromise. For larger organizations, with many projects, you should go through this exercise with each program/product.

    2. Do the Math

    You cannot protect everything, so develop a strategy to identify and protect those projects and technologies whose compromise would have the most dire consequences for your bottom line. I suggest dividing your organization’s projects/products into three piles.

    • Pile One = those projects that the future of your company rests on, or those whose compromise could mean jail time;
    • Pile Two = those projects that are important but expendable; and
    • Pile Three = those projects that are commodities or already publicly available.

    Here are some sample criteria to help you decide which pile a project may belong in:

    Sample Criteria for Pile One

    • Classified or sensitive national security project
    • New research and development effort
    • Loss would mean a significant loss of revenue and a new CEO

    Sample Criteria for Pile Two

    • Company future doesn’t hinge on product survival
    • No significant IP or trade secrets involved
    • Product at the middle of “S” curve

    Sample Criteria for Pile Three

    • No IP or trade secrets involved
    • Commodity type product or service; top of the “S” curve
    • Already in the public domain

    Remember: Focus on Pile One FIRST. Do not be tempted to go after the low-hanging fruit in piles two or three.

    To be continued…In Part 2 of 2, I’ll finish with Key Strategies 3, 4 and 5.

    As always, comments and thoughts are welcome.

    Chuck Georgo, chuck@nowheretohide.org

    Chuck has served as a strategic planner, business analyst, and technologist for the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, Illinois State Police, and many other public and private sector organizations. He helped these agencies to develop meaningful strategies, to implement innovative technologies, and to assess their success towards achievement of desired public safety and homeland security results. He currently serves as Executive Director for NOWHERETOHIDE.ORG, First Vice President of the InfraGard Maryland Members Alliance, and Chairman, IJIS Institute Security and Privacy Committee.
