Summing Up
The title of this wrap-up and the one that accompanied this month's original column basically just deletes "Wikileaks." The original title was my mistake. The intent was not to direct attention to Wikileaks in a manner that Dan Quizal rightly referred to as a "20th Century view," but to ask how, if at all, organizations can or should be defended against the response from Anonymous. Its actions, triggered by the attacks on Wikileaks, hinted at a future of everything from Internet mischief (a la Anonymous) to cyber warfare, with business as potential collateral or intended victim. (Ironically, in the meantime we have learned that the "worm" that attacked Iran's nuclear centrifuges and sent them whirling out of control and into self-destruction in all likelihood was carefully engineered and surgically directed at the centrifuges, suggesting the possible. Next time the target may not be Iran.)
Getting back to my misstated question, none of you aimed your criticism at the technology, even lauding it, as Mark O'Connor did, as the "great equalizer." In Bev Stehn's words, "What is to be 'managed,' the tools of communication or those individuals using the tools?" Rather, the problem for many of you is management itself, ranging from lack of transparency (Shantha Yahanpath, Bruce Watson) to a failure to support "whistle blowing" (Ratnaja Gogula), as well as individual failure to exercise care. As C. J. Cullinane said, "maybe the only thing that can help is common sense and learning to keep our mouths, and e-mails, shut."
The most prevalent attitude about dealing with a leaky Internet was to assume the worst and act accordingly. In Mike Schorah's words, assume that "A world where everyone knows exactly what everyone else is doing does seem to be where we're heading." Antidotes to these challenges are reasonably clear: In addition to greater transparency and support for "whistle blowers," several of you suggested the possibility of government protection. As Fidel Arcenas put it, "government must be able to monitor and regulate Internet activities that adversely affect people's safety and welfare." Few were convinced that technology itself would provide more than temporary defenses.
The use of the Internet for spying was also regarded as inevitable. In addition to care in the use of the Internet, Gerald Nanninga pointed out that the best defense might well be a carefully-crafted strategy that competitors can't replicate even if they are familiar with it. Another creative proposal, leaking "outright disinformation," was suggested by M. P. Campbell.
This still leaves us with the question of the long-term implications of cyber-warfare for business. Unlike nuclear threats, at least for now they don't represent real threats to life. But for that reason, they are much more likely to be employed than nuclear weapons. What happened in Iran raises real questions about the implications of criminal or terrorist use of cyber weapons to destroy business assets. Should management be concerned about them? What, if anything, can or should be done about it at the organizational level? And finally, did any of you other than David Physick pick up on the irony that our discussion of transparency, Wikileaks, and Anonymous was joined by nearly 20 percent of respondents under the cover of "anonymous"? What do they have to hide? What do you think?
Original Article
You've heard the advice that writing down sensitive things runs the risk of discovery in a legal case. The wise don't do it. But this can be a costly practice, given our faulty memories. And in the age of WikiLeaks and the Internet, when every "secret" seemingly becomes public before long, the new advice is to avoid trying to keep information secret.
Recently we were reminded about the insecurity of information stored and processed on Internet-based systems by a series of online reprisals against the Swedish government, Amazon, the Dutch police, Sarah Palin, MasterCard, Joe Lieberman, PayPal, and Visa. The connection? Individuals and organizations speaking out against and refusing service to WikiLeaks. The attacker and the cause? A crowd (I don't know what else to call it, since it is not an organized group) that calls itself Anonymous and that was spawned by ideas exchanged on an Internet message board, 4chan, in defense of Internet freedom. The weapon? According to the Financial Times, "Anonymous encouraged 'hactivists' to download a simple tool - known as the 'low orbit ion cannon' - that allows their computers to be used to inundate the targeted website with requests and bring it down."
What has happened to Internet security, you might ask? Apparently it still exists to some degree for one third of the organizations that have taken precautions to protect themselves. It works, too, for individuals who are careful about changing passwords regularly (so that, if you're like me, you can't even remember your own password from time to time). But user names, passwords, and Internet addresses have been pilfered from sites like Gawker, reportedly giving the hackers access to planned web site changes and advertising strategy.
So the possibilities of damage are endless, ranging from random (at least not formally organized) theft by amateur hackers to organized theft by criminals and efforts by international terrorists to target and shut down, or threaten to shut down, everything from bank accounts to nuclear processing facilities.
There has been an immediate call for risk management plans in those business and governmental organizations that don't already have them. But let's assume that such plans only deter the amateurs and criminals for fleeting periods of time and that in fact it becomes impossible to hide or otherwise keep information confidential.
What implications does this have for the management of a medium- to large-size organization that has become wedded to the economies and convenience of the Internet? For example, assuming that email even exists five years from now, will we be able to use it for business purposes? Will large data files have to be "disconnected" from networks so that their security can be preserved, with the attendant loss of connectivity with other files? Will the ultimate irony occur that the Internet becomes essentially useless to managers for strategic and other important matters?
What, if anything, can or should be done to combat Internet theft and terrorism? How will Anonymous and friends affect management in the future? What do you think?
Reference:
Tim Bradshaw, "Anonymous cyberwarriors stun experts," Financial Times, December 12, 2010, p. 3.
Every organization has its malcontents and I do not believe these folks can be kept in check by policy or training. It is in the best interests of companies to keep everything above board and open (honest). A policy of zero tolerance can help but would have to be enforced even on people who have left the organization, and how could we do that and at what cost?
Like many problems such as this, maybe the only thing that can help is common sense and learning to keep our mouths, and e-mails, shut.
CJ Cullinane points out that honesty would be the best policy with the changes sites such as wikileaks and organisations such as Anonymous. Absolutely. This is one of the increasingly apparent social changes being wrought by the internet; that is, we are using technology to generate a world reflective of earlier social forms, such as a world where everyone knows exactly what everyone else is doing. The alternative to this mob-empowered (or 'democratically empowered') society is, of course, to take a violent and iron-fisted approach to internet use, such as has been done in many oppressive and anti-democratic countries. Let us hope that we in western countries attempt to live up to the ideals we are founded on, and rather than the mob/democratic majority being crushed by threatened powerful interests, we should aim to regulate and organise it, so that it is more effective while being less dangerous.
The question is not, "how do we stop this new force from attacking our structure", but "how do we incorporate this force into our structure". It might even be more profitable to do it that way.
The speed and volume of financial transactions through the internet are mind-boggling. When governments lack the tools to protect innocent investors from internet scams - who else is there to protect them?
This is not saying that government has to violate the citizens' right to privacy. But government must be able to monitor and regulate internet activities that adversely affect people's safety and welfare. I think it was Albert Camus who said: "If the center cannot hold, anarchy will reign."
Like all human inventions the Internet has its benefits and risks. As long as it continues to have unique benefits managers will continue to use it while at the same time being cognizant of the fact that its openness calls for caution.
how the web is shifting the conventions of disclosure, and the ability of businesses and governments to protect information many would like to ensure never sees the light of day. Make no mistake, this too is organized activity that modern society should have eradicated long ago. But it has lived on, protected by confidentiality agreements, compensation for cooperation, retribution in retaliation for disclosure, and a general perception that it is OK for companies, cops, courts, and criminals operating within otherwise legitimate organizations to protect dubious acts. But the Internet is the great equalizer. While we have trouble dealing with the real-world implications of our inability to block disclosure, the system's ability to fight it is becoming overwhelmed. The ability of those who would argue that privacy trumps the law will likely see a dramatic change in the next 20 years. The tipping point will come when legislation is adopted that legalizes the use of lie detectors and similar technologies that have been blocked from incorporation within our judicial process. They are now proven effective by most law enforcement organizations, the financial services industry, government intelligence agencies, and other areas of society that haven't blocked their use to assess truth with disinformation on their efficacy. I very much look forward to the day the final barriers to adoption will fall. We should redirect our energies toward making that day happen, and more closely scrutinize what constitutes theft and terrorism.
People need to be managed, no matter what communication tools are used.
True, historians think this was pretty much how people lived in the past, but only in the context of the hundred or so people in their small village community. The differences now are many:
1. What we do and say is known on a much broader scale
2. It's stored, indexed and searchable by others outside our circle - perhaps on a global scale.
3. It's "monetized," at least it is grist to the mill of targeted advertising that generates financial benefit to others, not me.
Yes, expect 'privacy' to be seen as an historical aberration; but also expect it to have a commercial value in and of itself so that, for some in some circumstances, privacy will be worth the premium costs of time and technology to ensure it exists.
In my view this is an expected risk. The implication of risks of these gadgets (that we develop i.e. computer programs-internet, cell phones, vehicles etc) on management of medium to large size organizations should be segmented. True; for certain strategic or non-strategic files that any institution risks losing to other forces such as competitors as an example, the use of networks for such data will dwindle on security grounds unless counter systems to take care of such are developed, which is possible. For information that is not very risk to loss, with marginal implications, management should be able to make that movable to anyone. This would help develop a system and sense that regulates itself. (Mind you even a well intended use of product such as a cell phone may be abused for evil acts i.e. use it for coordinating theft of funds, love, emotions etc)
When everything is said and done, these challenges of internet thieves and terrorists will lead to development of advanced systems and add to the chain of evolution. Management therefore should endeavor to invest in research that would enhance evolution all the time as a way of managing the continuous change or dynamism doing things. Management fight is therefore on a moving target.
Corporate security issues operate under a number of myths. The most often disproved is that security applies to attacks by external intruders. In fact, most security breaches are directly the result of either password breaches offered up by employees (the top execs are often the worst offenders), or the result of basket diving (all corporate info is public the moment it hits the wastebasket, not the dumpster). In security surveys and risk assessments of major on-line companies, I have found that back-door access is often quite easy, access by consultants is often unmanaged, and critical papers often wind up on zip drives. Expert corporate spies still rely on the tried and true dumpster dives and password leaks. Getting inside, to these folks, is simply not the problem. The problem is the sheer difficulty of finding the target information in the huge amount of available data.
Corporations are private and should be able to discuss options freely without having to fear intrusion in a perfect world. But if you drive around Kendall Square, for instance, you will find cruising vans fully equipped with listening devices with no earthly reason to be there other than picking up high-tech data traffic and voice bounce from exposed windows. Palo Alto, etc. the same. Any corporate conversation that is not specifically scrambled or guarded should be considered exposed to publication, period. Zip drives walk out the door daily with more info on them than most corporations held in files ten years ago. Lost and stolen laptops carry vast amounts of corporate and classified govt documents, and the personal data is almost worthless these days on the black market it is so easily obtained. Pennies per SSN down from dollars a few years ago.
A corporate breach is corporate fault. As much as a CEO (a term, by the way, that GoogleLabs finds was only commonly used after 1978 co-incident with the use of the term, "corporate strategy"), desires "security" to mean "information blockade", corporations (and the govt) rarely take the threat seriously and enact stern policies to control open traffic no matter how the issue is presented by the unfortunate consultant. Mention a hard-line laptop policy or a zip drive policy, and resistance builds fast. It should not be a surprise that we know far less about Russian, Korean or Chinese corporate data than they know about us. Who buys stolen laptops replaceable for $400 new? Major universities lose hundreds of laptops a year, many from high-tech labs, and they consider it street crime. Go figure.
Here's a simple rule in a US corporation, "As soon as a thought is conveyed, it should be assumed to be public." We broke it, we fix it. Security is corporate strategy, and we're losing the fight. Ask yourself, "would I not listen to a vital piece of corporate data ripped off the computers of a competitor?" Close and lock your back door.
I was personally impacted when my home computers were infected four years ago with a disk boot virus. I must say that I never used any antivirus software for years before the attack on my computers since I rationalized that nobody would be interested in infecting my computers and the doers were not sophisticated too. My response was not only to install antivirus software in my computers but also to add computer information systems (a junior) as a third major to my academic work. A human without computer literacy is one with the third eye blind in my opinion. Professor Heskett calls the doers 'hactivists' or hackers but it is not quite because in the profession of computer science there are hackers who create legitimate programming tools called hacks.
No computer or computer network which is connected to the internet is ever safe since it is a function of time to intrude versus time to discover. Those who know operating systems will tell you how easy it is to find passwords if you know where to look in one of our most used operating systems. A reason why more sensitive computer networks are moving to Linux based operating systems. A virus is any (malicious) software planted in a computer to incapacitate it or to relay information off the infected computer. Antivirus software is always a reactive antidote to increasingly sophisticated viruses.
Any information relayed through the internet is never safe since there are all kinds of packet sniffing software, which is an easy build to the experts. Cloud computing has an enormous challenge in keeping information safe from interception. It is normally achieved by data encryption, and intrusion (and fraud) detection software and hardware. Intrusions normally through proxy servers can be detected with hard work but they mostly lead to countries beyond the reach of the US law enforcement. Some of our large banks even do not admit intrusion activity for the fear of losing customer confidence but simply write off the losses as a cost of doing business. We know all about power grids, banks, industrial facilities, government institutions, and etc. connected to the internet. There is no real solution to keep us safe from cyber attacks other than to try to be one step ahead of the intruders or attackers. Perhaps, can the drones do the job if we can find the doers? Perhaps not because the drones are connected to the internet too!
Nauman Lodhi
Sorcim Technologies
http://www.sorcim.com
Maybe "management" needs to look at why there appears to be a case for needing wikileaks and "anon." in the first place. What is it they are doing or not doing that is so threatening? Is it a case of it's OK if we can get away with it? Or is probity and ethics, some sensible consideration of privacy etc, too hard? Methinks they do protest too much.
In the organisations, policy usually focuses around measurable performance metrics and immeasurable are often neglected. So, people are motivated by incentives, bonuses, perks that drives them to perform. In absence of drivers, motivation disappears. On the other hand, when policy focuses on people dimensions, it actually boosts employees' morale and it does not need any drivers. And employees with high morale are trustworthy and loyal. So, the need is to create trust and loyalty in the organisation to fight anonymous and wiki leaks.
Leaders in the organisations need to connect with the people. It requires an effort to interact more than top down communication. Leader should initiate and interact with people across all level to create cohesive, committed and harmonious culture. This will help to create healthy and timely feedback system of relevant information.
To prevent and protect data from theft, hacking and sabotaging, there should be mechanism that strategically decides which data can be in electronic form and which data can be in other form. This will help organisation to safeguard data and relevant information because they cannot be accessed through internet.
The other important parameter to prevent anonymous is to encourage and enforce "Whistle blower policy". Punishment for culprits and Protection and safety of whistle blower should be ensured. This approach will send strong signal to culprits not to commit such crime or frauds. At the same time, accountability across all level with clear check and balance system can discourage anonymous threats. Interests of all stakeholders and maintaining relationship with them will perhaps ensure to strengthen the protection mechanism.
People before performance focus can make organisations to effectively root out internal as well as external threats. And creation of culture based on trust, respect, and identity will equip organisations and leaders to fight with anonymous threats and wiki leaks effectively.
We've always recognized the essence of risks, whether it is with information handling or something else. We've always believed that there wouldn't be any foolproof defense on something that is really bound to happen. Be that as it may, we've learned how to manage and mitigate the occurrence of such untoward incidents, hence, risk management.
Preventing information from leaking is like preventing Niagara Falls from flowing. Accepting such reality can pave the way for organizations to manage it the way it should be. Information risk prevention methods may not be foolproof, but it sure is necessary to have gatekeepers along the way. The secret is enabling your defense to act as fast as those threats. If information can leak at the speed of thought, why not its necessary defenses?
As far as the efficacy of being honest and truthful in combating this menace - it's almost a no-brainer. But then, honesty and truthfulness in matters of business can do only so much and business constraints and requirements sometimes demand more than being just that. I am not advocating untruthfulness and dishonesty. But - one cannot become a simpleton in dealing with complex matters of business and so difficult decisions are sometimes necessary - as we all very well know.
Most idiotic things are borne out of plain boredom and frustration with the status quo. Most of us have cribbed about our situations - whether formally in an appraisal meeting or informally around the coffee machine. Internet savagery is just an extension of the same fundamental human habit leveraging the might of technology. There's nothing new or earth shattering about it.
I'm no fan of more regulation but when enterprise regularly "de-identifies" consumer protected information (like HIPAA, GLB and Telco) without regard for the PII impact there is a hypocritical aspect to the impact of Anon disclosures.
Corporate integrity and an ethical code would be useful here.
Sure, sensitive information can be leaked. But outright disinformation can be promulgated as well. It can be difficult for a bystander to figure out what info is legit. Stuff that cannot be confirmed by checking against publicly available info is going to be questionable to anybody.
So it may not be as dangerous to companies as some think. I'm not saying that companies should be complacent, but that some need to temper their "worst case scenarios" accordingly.
Just let the 'TRUTH' come out.
They are doing the work of common people in an ethical way. This is only to fight a devil.
It is a shame that our U.S. government, in particular, is not the transparent thing we have always wanted it to be, as well as the unfortunate schism between parties; perhaps brought on by the gerrymandering of the voting system. But if the country is to be transparent, we need to get leaders and those in government to make it so. Whether we can ever influence those in Congress to do so, is apparently, for now, a lost cause.
Allowing for the schism to flow over to the Internet is and will continue to be disastrous, unconscionable, and terribly unfortunate for all of us.
1. You've said something embarrassing.
2. You've done something illegal or immoral.
3. If the information gets into the wrong hands, they can use it to harm your business.
To stop the first two, just don't do embarrassing, immoral or illegal things (or at the very least don't put any of it into a digital form).
As for the last point, I am reminded of a line by the famous Green Bay Packer coach of the 1960s, Vince Lombardi. He said that the secret of a great team is being so good that it can win even if the opposition knows in advance exactly what the team is going to do.
The same principle applies to strategy. Great strategies integrate all of the essence of what a company is--its culture, its competencies, its history, its reputation, its resources, etc. Great strategies only tend to work if you optimize all of those pieces in a coordinated fashion. Even if the competition is leaked all the details of your strategy, it may do them no good because either:
a) They cannot replicate all of those components;
b) They cannot stop the "magic" inherent in your mastery of all of those components.
Take Apple, for example. Everyone pretty much knows their strategy: cool products with cool apps sold in a cool, integrated way. Yet even though everyone knows that, it hasn't really hurt Apple's success. Their integrated system is too difficult to copy and too difficult to stop.
Therefore, if you focus on the right kinds of strategies and implement them in the right ways, you can still win, even if the strategy is leaked to the world. That is the safer approach...creating strategies strong enough to prevail in spite of leaks, instead of fighting against the tide to keep secrets.
I always figure that anything I say on the Internet (or the equivalent), even if in a private email, is probably going to be made public at some time. If I'm embarrassed by it or it is immoral, I should have had the good sense not to say it in a public forum!
Keeping secrets from the public (or even your wife) is bad policy.
There are many disgruntled and misguided people in our busy fast moving society. Aberrations in character are unavoidable as we have seen in the recent shooting of Congresswoman Giffords. Her shooter is a deranged young man with a cause that no normal person can support.
Management, on the other hand, is usually concerned with the bottom line and keeping the company solvent. Management typically allocates a low budget to security because management sometimes lacks vision and can't see beyond a certain point. Security only becomes an issue when it affects the company. In my humble opinion, management needs to do whatever it can, and spend as much as it can afford on internet security. Management needs to make it less easy and more difficult for hackers to break-in; what good is it to have top of the line computer systems if you do not safeguard them? Management can help itself by putting up a fight (no matter how big or how small) so that the hackers will "pass" on your firm and try to hack in where it is easier.
There is a great big cry for transparency but I suspect that those that are up to no-good do not want to be transparent. No matter what Michael Douglas says in Oliver Stone's Wall Street I or the sequel Wall Street II, "greed is still [not] GOOD". What is sorely lacking in our world is morality and decency.
You can always ask for the credibility of Wikileaks, or even the documents that have escaped. Corporations can maneuver them to their advantage.
'Strategic leaks' may also release their documents which help them in their publicity.
However, internet will evolve to continue. Intranet will however gain more popularity for higher risk documents and confidentiality.
Information Overload is another strategy that corporations would employ to confuse the users of Wikileaks!