Although I have been known for longer posts, I would like to offer only three things to watch for at the intersection of artificial intelligence and cyber-security in 2017, followed by two videos.
1) Cyber attackers have long used machine learning and automation to streamline their operations and may soon use full-blown artificial intelligence to do it. Botnets will become self-healing: able to detect when they are being discovered and to re-route their command-and-control in response. The botnet and cyber-crime business will keep growing and become more organized. Shodan, the first search engine for internet-connected devices, will be used to target companies and individuals. Yet it can also be used for safety and compliance monitoring, most likely when its feed is piped into another analytical tool that compares what is actually exposed against what the organization intended to expose.
How to Hack with Shodan (For Educational Purposes Only):
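As an added example of that second use (this is not code from the original post or from Shodan), here is the kind of analytical pass the feed can be run through: a policy check over a Shodan-style export of an organization's exposed services. The record field names follow the ones Shodan's host API returns, but the five records and the allow/deny/minimum-version tables are constructed assumptions for this example.

```python
"""Compliance check over a Shodan-style export of an organization's exposed
services: an added example, not code from the original post or from Shodan.

Record fields (ip_str, port, transport, product, version, org) follow the
names Shodan's host API uses, but the five records below are constructed
sample data and the policy tables are assumptions for this example.
"""
import json
from dataclasses import dataclass

# Constructed sample export, e.g. the result of a query like 'org:"Example Corp"'.
SAMPLE_FEED = json.dumps([
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp",
     "product": "nginx", "version": "1.18.0", "org": "Example Corp"},
    {"ip_str": "203.0.113.10", "port": 22, "transport": "tcp",
     "product": "OpenSSH", "version": "7.4", "org": "Example Corp"},
    {"ip_str": "203.0.113.11", "port": 3389, "transport": "tcp",
     "product": "Remote Desktop Protocol", "version": "", "org": "Example Corp"},
    {"ip_str": "203.0.113.12", "port": 445, "transport": "tcp",
     "product": "Samba", "version": "4.1.0", "org": "Example Corp"},
    {"ip_str": "203.0.113.13", "port": 80, "transport": "tcp",
     "product": "Apache httpd", "version": "2.4.6", "org": "Example Corp"},
])

# Assumed policy: the only ports allowed to face the internet ...
ALLOWED_PORTS = {80, 443}
# ... ports that must never be reachable from the internet, with the reason ...
FORBIDDEN_PORTS = {
    22: "SSH exposed; should sit behind VPN or bastion",
    3389: "RDP exposed to the internet",
    445: "SMB exposed to the internet",
}
# ... and the oldest product version the organization tolerates.
MIN_VERSIONS = {"OpenSSH": (8, 0), "nginx": (1, 20), "Apache httpd": (2, 4, 50)}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    severity: str
    reason: str


def parse_version(text):
    """'7.4p1' -> (7, 4): keep leading numeric components and stop at the
    first non-numeric chunk so vendor suffixes don't break the comparison."""
    parts = []
    for chunk in text.split("."):
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def evaluate(feed_json):
    """Return findings sorted high-severity first, then by host and port."""
    findings = []
    for rec in json.loads(feed_json):
        ip, port = rec["ip_str"], rec["port"]
        if port in FORBIDDEN_PORTS:
            findings.append(Finding(ip, port, "high", FORBIDDEN_PORTS[port]))
        elif port not in ALLOWED_PORTS:
            findings.append(Finding(ip, port, "medium", f"unexpected port {port} exposed"))
        product, version = rec.get("product", ""), rec.get("version", "")
        minimum = MIN_VERSIONS.get(product)
        if minimum and version and parse_version(version) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append(Finding(ip, port, "medium",
                                    f"{product} {version} is below minimum {wanted}"))
    return sorted(findings, key=lambda f: (f.severity != "high", f.ip, f.port))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_FEED):
        print(f"{f.severity:6} {f.ip}:{f.port}  {f.reason}")
```

Run against the sample feed this yields three high findings (SSH, RDP and SMB reachable from the internet) and three version findings. The useful part is the diff: the same query run daily turns Shodan from an attacker's reconnaissance tool into a check that nothing new has appeared on your perimeter that your change process did not approve.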
2) It won’t be long until A.I. learns the patterns of mutating viruses and is able to predict and/or stop them in their tracks. This depends on up-to-date virus definitions and the corresponding algorithms. How a zero-day is made is heavily a math problem applied to a particular context and operating system, so there should be a formula to predict the next most likely zero-day exploit, and A.I. could provide it. It is a matter of enumerating all possible code variants and add-on variations. It is a lot more advanced than a Rubik’s Cube.
3) A.I. has the potential to close the gap between the less developed world and the developed world. The technology behind A.I. will not stay limited to big companies like IBM or Microsoft for the long term. We may be surprised by very creative tech start-ups out of the less developed world. Lack of fiber-optic connectivity has forced many less developed nations to rely heavily on cell-tower, smartphone-based internet access. This has inspired a mobile-app growth wave in parts of Africa, as described here: “the use of smartphones and tablets within the country has led to a mobile revolution in Nigeria. Essentially, people now tend to seek mobile solutions more often and thus, enhance the growth of the mobile app development industry” (Top 4 Mobile App development companies in Nigeria, IT News Africa, 2015). A.I. will likely narrow the gap between these two worlds, though not drastically change it. If less developed countries can build their own mobile apps and outsource things to A.I., they could become more independent of the economic constraints of the developed world.
The video below highlights some of the complications around these points. It is from a conference hosted by the ICIT on April 25, 2016, which I did not attend. In the video, Donna Dodson (Associate Director, Chief Cybersecurity Advisor and Director, NIST), Mark Kneidinger (Director, Federal Network Resiliency, DHS), Malcolm Harkins (ICIT Fellow – Cylance) and Stan Wisseman (ICIT Fellow – HPE) discuss related concepts and share realistic examples of how these technologies are reshaping the cyber-security landscape.
ICIT Forum 2016: Artificial Intelligence Enabling Next-Generation Cybersecurity
If you want to contact me to discuss these concepts click here.
This article reviews the 2014 Sony Pictures hack from a strengths-and-weaknesses standpoint based on select parts of the SysAdmin, Audit, Network and Security (SANS) Institute and National Institute of Standards and Technology (NIST) frameworks. Although an older hack, the lessons learned here are still relevant today.
Strengths – A Track Record of Innovation and Multilayered Information Security:
From boom-boxes in the 1980s to portable disc players, high-quality headphones, the first HD TVs, high-quality speakers, a gaming revolution called the PlayStation, and now a massive online gaming network, Sony has been creative and innovative. This has made it one of the most respected and profitable Japanese companies to date. Yet that success bred overconfidence in other areas, including information security, even though Sony still has the potential and the money to be a security leader. The managerial layering of Sony’s information security team was a good start even if the head count was too low. One source stated, “Three information security analysts are overseen by three managers, three directors, one executive director and one senior vice president” (Hill, 2014). Top-heavy as that is, at least there was some oversight.
Failure 1 – Poor Culture and Lack of Leadership Support:
Sony’s leadership is on the record as not respecting the recommendations of either internal or external auditors. An I.T. risk consultancy summarized it this way: “The Executive Director of Information Security talked auditors out of reporting failures related to Access Controls which would have resulted in Sony being SOX (Sarbanes-Oxley) non-compliant in 2005” (Risk3sixty LLC, 2014). Things like this trickle down the layers of management and become part of the company culture. Specifically, low-level whistle-blowers were silenced even though their I.T. risk arguments were solid: “Sony’s own employees complained that the network security was a joke” (Risk3sixty LLC, 2014). When this happened, Sony’s leaders failed in their fiduciary duty to the board, shareholders, and customers. They did it so they would not look bad in the short term, yet it cost the company far more in the long term.
Failure 2 – Not Understanding Their Baseline: The baseline is the measure of how much security and security process you need relative to your business objectives and risk tolerance. Being below the baseline means risk is too high and an attack or breach is likely. The baseline changes often, because the threat environment does, and it needs to be closely monitored. For example, when you are producing a politically controversial movie about a world leader with a history of making war threats against his opponents, you should raise your baseline to guard against hacktivists and other politically motivated attackers. Sony focused on its cash-generating core competencies and security was at most an afterthought. According to one source, Sony Pictures had just 11 people on a top-heavy information security team out of about 7,000 total employees (Hill, 2014). For a technology company that is far too few. It is not enough people to collect and intelligently review logs, patch software, pen test, red team, and be available for the one or more war-room projects that are bound to come up – all things prudent security requires.
Understanding your I.T. risk baseline requires testing and measurement, and that has to be based on some framework: SANS, NIST, or one of the others. One former employee described Sony’s failure to follow any framework as follows: “The real problem lies in the fact that there was no real investment in or real understanding of what information security is. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected” (Hill, 2014). Had they conformed to the SANS or NIST framework they would have been required to encrypt sensitive data at rest – see conclusion.
Failure 3 – Weak Password Policies: Sony’s password policy was embarrassingly weak; so weak you might think they were deliberately trying to help the attackers. “Employees kept plaintext passwords in Microsoft Word documents” (Franceschi-Bicchierai, 2014). Even very small companies in the 1990s had policies against that. Moreover, one source confirmed that the Word files had “password” in the file name (Risk3sixty LLC, 2014). Once on the network, all an attacker has to do is search for files with “password” in the name and the credentials are theirs, along with every system those credentials unlock.
Failure 4 – Late Detection of the Intrusion and Data Exfiltration: The intruders walked into Sony’s internal network and began stealing unencrypted sensitive data, apparently without a single log alarm going off. Sony had not followed data classification, retention, or governance plans – not even checkbox compliance. Had they, they would not have had all types of data stored together. One reporter described it this way: “Intruders got access to movie budgets, salary information, Social Security numbers, health care files, unreleased films, and more” (Hill, 2014). Their network segmentation must therefore have been weak or non-existent. Health care data should not sit beside unreleased film files; they are entirely different data classes with different owners, and there is no business justification for mixing them. Segmenting and encrypting the data would have greatly reduced and delayed any data theft, and watching outbound traffic volume per host would have given them a chance to notice the data leaving before the attackers announced it.
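Here is the hunt a defender (or an attacker) would run against a file share to find exactly this, as an added example that is not code from the original article or from Sony: it walks a directory tree, flags files whose names advertise credentials, and reads plain-text files for key=value secrets. The directory tree is a constructed fixture and the filename and content patterns are assumptions you would tune for your own environment.

```python
"""Hunt a file share for the pattern behind Failure 3: files whose names
advertise credentials, or whose contents hold plaintext key=value secrets.

Added example, not code from the original article or from Sony. The
directory tree is a constructed fixture built in a temp dir so the script
runs offline; the filename and content patterns are assumptions to tune.
"""
import re
import tempfile
from pathlib import Path

# Filenames that advertise what is inside ("Passwords.docx", "login_info.txt").
NAME_PATTERN = re.compile(r"pass(word|wd)s?|credential|login", re.IGNORECASE)
# key = value or key: value lines with a secret-like key and a value of 6+
# characters, so a "password: x" placeholder is not flagged.
CONTENT_PATTERN = re.compile(
    r"^\s*(password|passwd|pwd|pass|secret|api[_-]?key)\s*[:=]\s*(\S{6,})",
    re.IGNORECASE | re.MULTILINE,
)
# Only read formats that are plain text. Office files are zip containers and
# are reported on filename alone here; unpacking their XML is left for a
# real hunt. The empty suffix covers dotfiles such as ".env".
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".md", ".env", ""}
MAX_BYTES = 1_000_000  # skip reading huge files into memory


def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if NAME_PATTERN.search(path.name):
            reasons.append("filename")
        if path.suffix.lower() in TEXT_SUFFIXES and path.stat().st_size <= MAX_BYTES:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                text = ""
            match = CONTENT_PATTERN.search(text)
            if match:
                reasons.append(f"plaintext credential ({match.group(1).lower()}=...)")
        if reasons:
            hits.append((path.relative_to(root).as_posix(), "; ".join(reasons)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed fixture mimicking a departmental share (not real data)."""
    files = {
        "Finance/Passwords.docx": b"PK\x03\x04 placeholder for a docx container",
        "Finance/budget_2014.txt": "Q3 budget: 1,200,000\n",
        "IT/servers.txt": "host=db01\npassword = Summer2014!\n",
        "HR/readme.txt": "Ask IT for the share passwords.\n",  # prose, not a secret
        "Dev/.env": "API_KEY=sk_live_0123456789abcdef\n",
        "Dev/notes.txt": "password: x\n",                     # placeholder value
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            path.write_bytes(content)
        else:
            path.write_text(content)


def demo():
    """Build the fixture, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel:28} {reason}")
```

On the fixture this reports the Word document by name alone, the server list by content, and the developer’s .env file by content, while ignoring the budget, the prose mention of passwords, and the placeholder value. Finding these files is the easy part; the remedy is a password manager or vault plus a rotation of every credential the hunt turns up, because anything sitting in a Word file should be assumed already read.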
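An added example of the log alarm that did not go off (not code from the original article or from Sony’s environment): per-host outbound byte volume per hour, computed from constructed egress log lines in an assumed, simplified firewall/NetFlow export format, and compared against each host’s own median hour so that a few enormous exfiltration hours do not drag the baseline up with them.

```python
"""Detect bulk data exfiltration from egress logs: per-host outbound bytes
per hour compared against that host's own baseline.

Added example, not code from the original article. The log format is an
assumption for this example, '<ISO timestamp> <src_ip> <dst_ip>:<dst_port>
<bytes_out>', and the lines below are constructed sample data, not real logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: one workstation with a normal week and two late-night
# multi-gigabyte pushes to an unfamiliar host, and one busier but steady host.
SAMPLE_LOG = """\
2014-11-20T09:05:00 10.1.2.15 93.184.216.34:443 120000
2014-11-20T10:12:00 10.1.2.15 93.184.216.34:443 98000
2014-11-20T11:40:00 10.1.2.15 93.184.216.34:443 150000
2014-11-20T12:10:00 10.1.2.15 93.184.216.34:443 110000
2014-11-20T13:30:00 10.1.2.15 93.184.216.34:443 130000
2014-11-21T02:15:00 10.1.2.15 198.51.100.7:443 4800000000
2014-11-21T03:05:00 10.1.2.15 198.51.100.7:443 5200000000
2014-11-20T09:10:00 10.1.3.40 93.184.216.34:443 2000000
2014-11-20T10:20:00 10.1.3.40 93.184.216.34:443 2500000
2014-11-20T11:15:00 10.1.3.40 93.184.216.34:443 1800000
"""


def hourly_egress(log_text):
    """Sum bytes_out per (src_ip, hour bucket)."""
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, nbytes = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(src, hour)] += int(nbytes)
    return buckets


def detect_exfil(log_text, factor=20, min_bytes=1_000_000_000):
    """Alert when a host's hourly egress exceeds factor * its median hour AND
    an absolute floor, so a quiet host doesn't alert on a trivial spike.
    The median (not the mean) keeps the exfil hours themselves from inflating
    the baseline they are measured against."""
    per_host = defaultdict(list)
    for (src, hour), total in hourly_egress(log_text).items():
        per_host[src].append((hour, total))
    alerts = []
    for src, rows in per_host.items():
        baseline = median(total for _, total in rows)
        for hour, total in sorted(rows):
            if total >= min_bytes and total > factor * baseline:
                alerts.append({"src": src, "hour": hour.isoformat(),
                               "bytes": total, "baseline_median": baseline})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_LOG):
        print(f"{a['src']} {a['hour']}: {a['bytes']:,} bytes "
              f"(median hour {a['baseline_median']:,})")
```

On the sample this raises two alerts for 10.1.2.15, both in the early hours of the morning and both to a destination the host had never talked to before, and nothing for the steady host. In practice you would add the new-destination check and the off-hours check as separate signals; the point of the example is that none of this requires exotic tooling, only that someone is collecting the logs and looking at them.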
1) We knew another well-positioned company would make a pair of smart glasses like Google Glass and that it would drive more competition and innovation. Microsoft raised its hand right away with HoloLens, which is hologram based, slightly “gamified”, and seemingly better than Google Glass largely because it ties into known Windows functionality (broader offerings). See a video of this new technology here:
2) On average, people now access their e-mail via mobile devices more often than on a traditional computer. This has pushed websites, news outlets, and companies toward mobile-compatible designs, so that when you visit from a computer the sites are often overly mobile in their design and sometimes look goofy, with buttons and frames that are too big. CNN.com is a good example of a site that went too far: accessed from a normal computer it looks more like a kids’ web-site, with big touch-optimized buttons and frames and little information presented. Its prior design was better, especially if you want to read more in one screen view.
(Old vs. New CNN.com, respectively)
There is no doubt that mobile will continue to grow and will be used on smaller devices like watches, ear buds, pacemakers, and contact lenses. Web design has shifted to mobile so fast that good design and user experience are sometimes forgotten for non-mobile and business users, who on average spend much more time on those same sites than mobile users do. A better balance of the two design types is needed, and an app is a separate project altogether yet still needed. I also think Microsoft will take mobile market share from Android and Apple, since it has learned a lot from the Windows 8 release and is quickly working to release Windows 10 as a better touch-based, mobility-optimized O.S. that many are excited to try.
3) There will be more data breaches, and many of them will be abetted by Western governments who in effect devalue security standards by collaborating with large companies to harvest vast amounts of metadata, all in the name of security. Sadly, we know governments have abused this power in the past and will continue to do so, so the private sector needs to collaborate and drive innovation in this space for better security and transparency, so that the public may have security and corrupt governments can be exposed.
As it stands now, hackers are a few steps ahead of antivirus makers and constantly tweak their malware so it can’t be detected. The newest types are suspected to be created by the Equation Group, one of the most sophisticated hacking groups ever known. These implants hide in a hard drive’s firmware, where they survive reformatting and operating-system reinstallation and sit outside the reach of antivirus software that only scans the file system. Antivirus maker Kaspersky commented on this in its Q&A document on the Equation Group: “We were able to recover two HDD firmware reprogramming modules from the EQUATIONDRUG and GRAYFISH platforms. The EQUATIONDRUG HDD firmware reprogramming module has version 3.0.1 while the GRAYFISH reprogramming module has version 4.2.0. These were compiled in 2010 and 2013, respectively, if we are to trust the PE timestamps” (http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf).
Kaspersky stopped short of naming a country, but contemporaneous press reports tied the hard-drive firmware implant to the U.S. N.S.A. and suggested it had obtained the proprietary firmware source code of major hard-drive makers such as Western Digital, Seagate, Samsung, and Toshiba, with or without their cooperation, in order to write the reprogramming modules. Any reasonable technologist would likely agree with this. Yet this decreases innovation and free competition, and you can assume big money traded hands to make such deals happen. How can a big company now trust paying a technology vendor for security or services when the vendor is going to hand over the keys to governments here or elsewhere? More importantly, if one government has the ability to get into a tech company’s products, then other, more ill-intentioned governments and organizations can quickly learn to do the same, and that is the real threat.
If you want to hire me to speak at your next event or consult for your company on these and related topics please contact me.
1) Stakeholder Management: Get clear support from the executive stakeholders at the beginning of the project and schedule regular check-in meetings with them ahead of time, as they tend to be very busy and pulled in many directions. Set the tone that their participation is needed and that they will have to approve change requests, which is not uncommon. Use people skills and empathetic listening as you interview the many high-level stakeholders early in the project, to defuse conflict, reach consensus on disagreements about scope, business goals, and order, and find out who will be the thorn in your side; the sooner you know that, the better. Also accept that stakeholders will differ and may not even work directly for your company. That is fine, as those ones tend to offer specialized expertise and are often very creative.
2) Communications Management: It’s common to have one or two stakeholders who are difficult, who protest the project through their actions, or who are egotistical or just plain hard to deal with. As project manager, project consultant, or business analyst, it is your responsibility to handle these people and situations. One way is to understand the communication styles of all project stakeholders early on and document them. StrengthsFinder, DISC, and many other communication-style assessments can help, or you could consult someone with a lot of international travel experience; they are often good at reading group communication dynamics. You should also know when to be direct, indirect, or silent. Communication is mostly listening and perception, and as project manager you are not the direct boss of the team members, so your ability to drive tasks rests heavily on your communication and motivational skills. Ask every team member what you can do to clear their road, either yourself or in partnership with other stakeholders. This reduces surprise roadblocks later and encourages quiet people to speak up.
3) Quality Management: Having worked on many complex projects in highly regulated industries over the last five years, I have noticed a shift toward agile methodologies and away from waterfall. From my perspective this is really about quality and timely flexibility. Breaking the project into small pieces lets you test the results independently and faster, and if a result is bad that is a good thing, because it is just one piece of the project and you get an early warning you can learn from. Yet to get better quality out of an error you need to have documented what went into it from beginning to end, and you need informed consensus. On SDLC projects there will be many small errors that then raise questions about other systems and how they relate to the business rules. With good process flows, screen shots, and JAD sessions with key people, you can keep these errors to normal bumps in the road. Every project has bumps; the real test is delivering above-average quality on budget and on time, leaving a reusable plan others can learn from and be inspired by.
4) Risk Management: In this era where almost everything is in the cloud and attackers target large and mid-sized companies to steal and sell their data, every risk analysis document should cover data security, customer privacy, and the project team’s own access controls, and there should be an independent audit plan, often out of scope for the project and done by a different group for checks and balances. Every project touches data, sometimes more and sometimes less. Question number one is who should have access to the data, and at what point? Embrace a need-to-know policy and document it to reduce risk. You should also imagine a worst-case scenario, prepare for it, and run it by the executive project sponsors and/or the risk officer if your company has one.
Another common risk is project delay. Have you analyzed how a one- or two-month delay would affect your critical path and logical task order? For some projects it may not matter; for others it may cost millions more, or harm another department or a related project. So in your project risk document, list the longest delay your project could absorb and the dependencies of that delay. Delays, especially on SDLC projects, do happen and are not necessarily bad; they can be dealt with, but your team needs to be ready, and the sooner they know the better.
In the old days the gold standard was how global economies backed their currencies, yet over time gold became too costly to secure and too heavy to move. In reality, inflation and population growth far exceeded the amount of gold available for it to be widely used, so nations moved away from the gold standard and adopted their own currencies and financial regulatory systems, for better or worse. With growing curiosity around digital currency, together with the decline of traditional cash usage, I offer my commentary at an increasingly relevant time.
Figs. 1 and 2.
Governments are wrong to assume that all or most forms of digital currency are associated with illicit activity. We all know there have been bad actors in the digital currency space, and that some platforms like Silk Road have been attractive to them. Yet we must not forget that most bad actors use ordinary currency far more often and, more importantly, the form of the currency matters less than what the actor does with it.
Because we are at the beginning of the digital currency revolution, it scares big governments that use traditional currencies to govern and collect taxes, and in some countries, like Venezuela, Rwanda, Iraq, and Libya, governments have committed war crimes and financial fraud and stolen from their citizens under the auspices of a legitimate financial system. In those countries, could a new, more secure digital currency inspire a government revolution, with more transparency in currency movement and tax records sustaining democracy, human rights, and economic growth? The point is that governments have abused their power to collect taxes and regulate financial services since the beginning of time. Didn’t the United States fight the Revolutionary War to stop excessive and unjust taxation by the British? And prior to the formation of the United States (July 4, 1776), the Thirteen Colonies had their own conflicting currencies, used the Spanish dollar, and counterfeiting was widespread among government and non-government people alike. Governments should discourage immoral activity through legislation, but not innovation in payment methods, because a lot of good can come from these new technologies. We as a world must think harder and longer, and inspire debate among global leaders about a better currency form for the future, as paper cash is too simple and will only grow less secure as printers improve, given the endless capabilities of the 3D printer.
Figs. 3 and 4.
Conservative Wells Fargo led the industry in a surprise joint effort with Apple on the iPhone Apple Pay application in October 2014, setting a new standard with a mobile payment platform whose security rests on tokenized card credentials rather than the card number itself. Wells Fargo’s move to Apple Pay is a step closer to a digital currency, and it is gaining traction: according to Forbes.com, 10 major banks have now signed up for it (http://www.forbes.com/sites/roberthof/2014/12/16/apple-pay-gets-more-bank-support-but-it-still-needs-a-lot-more-stores-to-succeed/). Yet like most new technologies it takes time for others to upgrade to it, and in this case that means retailers need new software and terminal equipment that accept the mobile payment platform. This takes time and money, as every new technology does, but over time I believe it will save retailers both. Imagine a busy retailer two years from now with no ability to take mobile payments during a holiday rush: they will have to staff more people, suffer more human error via cash transactions and manually entered credit card transactions, risk employee theft of unmasked credit card numbers, and customers will leave fed up with how long service takes. Conversely, imagine a busy retailer two years from now that can take mobile payments: they will staff fewer people, customers can check themselves out, the risk of human error is reduced, and security has the potential to be better. Moreover, in a hyper-competitive retail market this can bring prices down and service levels up, to the benefit of the customer, the community, and the technology sector. This is where innovation is born, and some Subway franchise owners took the lead as of November 2013 (http://www.cnbc.com/id/101211284). Economic policy makers must not hide from this better future and should take note from the private sector.
Fig. 5. Subway entrepreneur using Bitcoin:
It is likely less costly to make and secure digital currency than to make and secure cash and coins. Every time the Bureau of Engraving and Printing releases a new version of its larger bills it takes years to develop, billions to make, billions to secure, and billions of old bills have to be burned and shredded; a credible 2013 MarketWatch report backs this up, saying “the new hundred dollar bill costs 60% more to make than the prior version” (http://www.marketwatch.com/story/new-100-bill-costs-60-more-to-produce-2013-10-08). With this type of cost growth, how can it be sustainable, especially as the population grows and paper resources become scarcer?
Conversely, we know that technology costs fall or stay flat when adjusted for inflation over time. We also know that RAM, CPU speed, CPU size, fiber-optic connectivity, and data encryption have made exponential leaps in the last five years, making the environment ripe for digital currency. After all, many governments, including the U.S., claim to have cloud, server, metadata, and predictive-analytic technologies that monitor and track internet transactions across most of the world, and the private sector would agree. If technology is this good, why can’t we have digital currency?
The answer is that change takes time, and government bureaucrats have insulated themselves with lobbyists who support the status quo. Supporting the status quo is big business: armored vehicle companies, printing companies, risk management companies, and many others make money off the current financial regulatory system, and lots of jobs and money are at risk if the model changes. A good example is what happened to the film-based camera company Kodak when it failed to respond to digital, but with digital currency it is worse because we are dealing with big government and elected leaders who are at best imperfect, though at times well intentioned. Yes, there are some true leaders out there, like Congressman Steve Stockman (R-TX 36th District), who took Bitcoin donations for his campaign and introduced the Virtual Currency Tax Reform Act (http://www.forbes.com/sites/perianneboring/2014/04/08/breaking-rep-stockman-to-introduce-first-bitcoin-bill/) to get the dialogue on Capitol Hill started, but the bill has not passed and more work and research needs to be done. We as business and tech people need to be a loud part of that research and discussion; then more elected leaders will support it.
Lastly, digital currency moves the world closer to a single world currency in which foreign exchange risk is significantly reduced or eliminated. Tariffs and geopolitical economic sanctions would be easier to see and prevent, and private-sector companies that do a lot of international trade could benefit from that. Are there too many currencies in the world, and would one global currency be better? It would be better in that there would be fewer economic highs and lows, but worse in that highly valued companies and individuals in the developed world would be greatly devalued, and some in the U.S. would argue that violates the free-market principles of the Constitution and discourages private-sector competition. Moreover, a single world currency would be impracticable to support and would violate state sovereignty across the world, yet that did not stop China from advocating for it in 2009 and subsequent years, according to this source (http://usa.chinadaily.com.cn/world/2014-01/29/content_17264069.htm).
In sum, I don’t think a single world currency is the answer, as I do think it would violate free-market principles. Yet I do think a leading digital currency is needed once it can offer transparent transfer rates, a secure audit trail, and cross-border economic development to balance out the third world, so people there don’t have to go to loan sharks for crop loans. Cheers to our digital future!
On Tuesday, 04/08/14, former FDIC Chairperson Sheila Bair visited Minneapolis and offered commentary on the financial services industry, peer-to-peer lending, systemic risk, and the recent recession. Bair trained as an attorney and was Assistant Secretary for Financial Institutions at the Treasury Dept. and a professor at the University of Massachusetts Amherst before moving over to chair the FDIC from 2006 to 2011. At the FDIC, Bair helped steer the nation’s financial system through an exacerbated recession and unprecedented bank runs from 2007 to 2010, though not without ruffling a few feathers.
Addressing a sold-out crowd including former Congressman Tim Penny and other elected officials, business people, students, and ethically minded community members, Bair had the honor of being the keynote speaker at Saint Mary’s University of Minnesota’s publicly broadcast Hendrickson Forum on Ethical Leadership. Bair opened her keynote by describing how unimpressed she was that when she arrived at the FDIC in 2006 the organization had little to no information on sub-prime lending and had to buy a database to conduct research on it. This was in part because sub-prime lenders were private and not deposit institutions, and thus slightly out of scope for the FDIC at that time. Bair did not inherit a perfect FDIC, and it can be inferred that the FDIC should have been paying attention to sub-prime lending far sooner, as it was directly related to many elements that affect deposit institutions, including real estate, entrepreneurship, income and tax, and community redevelopment.
Bair, now free from the constraints of holding a Washington office, spoke openly about how hindered she felt in speaking to the human element of the financial crisis while at the FDIC. She indicated that although she was part of the team that brokered the historic bank bailouts (2008-2009), she has serious reservations about them, because they were “too generous and uneven” and “helped the banks far more than it helped homeowners and families”. She also described regular disagreement with then Treasury Secretary Timothy Geithner and suggested he was too close to many of the bank executives who benefited from the bailouts.
She further described miscommunication and a lack of collaboration as Geithner worked around her efforts at the FDIC; the undertone was political disagreement over which agency should lead the recession response with respect to the banking industry.
At present, Bair supports the Dodd-Frank Act because it favors bankruptcy and a three-year clawback for executives over a bailout in the event of a bank failure. Although Bair has said in the past that she disagreed with Janet Yellen’s support for repealing the Glass-Steagall Act, she indicated she still supports the new Fed Chair and views her as a reliable Washington outsider.
When I directly questioned Bair on the growth of peer-to-peer lending she seemed cautious about its long-term viability, citing an uncertain regulatory landscape, and recounted that peer-to-peer lender Prosper lost many investors during the worst months of the recession. In discussion with Bair I observed that she, like many banks, is in wait-and-see mode on peer-to-peer lending, but she did indicate that for customers consolidating higher-interest debt it can be a good thing, and that could in turn force banks to be more customer-centric with better terms.
Yet I am more optimistic on peer-to-peer lending than Bair, in company with many respected peer-to-peer investors, including Google, which invested $125 million in Lending Club, and former Citigroup CEO Vikram Pandit. It is telling when a former Citigroup CEO goes against his own industry in favor of a tech-heavy new lending model, but he is right, because most customers no longer need big bank branches and elaborate, fee-heavy services. Moreover, peer-to-peer lenders offer attractive rates, diverse portfolio options, and low operational costs, which keeps investors and borrowers happy. Just as online news slaughtered traditional print media, as soon as peer-to-peer lending gets more regulatory backing it will slaughter traditional fee-heavy banks if they don’t adapt.
When commenting on federal sequestration Bair showed frustration with the automatic spending-cut approach and instead suggested that tax rates be reduced and restructured in a number of areas to encourage employment, keep businesses in the U.S., and encourage innovation, which would in turn provide more income and employment and thus a greater amount of taxable income to offset her proposed reduction. This can be a helpful part of the budget-deficit debate, in that taxes in the U.S. are far too high and there are needless loopholes that harm many and help few. The 2.3% medical device tax is an example: it encourages the many medical device companies in Minnesota to move operations outside the U.S., adds to their cost of doing business, and thus reduces their ability to get favorable loans.
Lastly, as an advocate for consumer protection and creative thinking, I asked Bair what the massive Target data breach might mean for the banking and related industries (an estimated 10-15% of the 40 million affected cards have encountered some type of fraud), and she reminded me that the banks take the losses before the retailer does. She offered no specifics other than suggesting that debit cards are more relevant, but she shared my concern that data security is a growing factor in financial regulation; I was then reminded that Bair is more a politician and economist than a technologist. Yet from an economic-policy standpoint, if the nation encounters more data breaches like this it could drive the cost of goods up, forcing more costly and secure card payment products, perhaps with biometrics on them.
Photos by Rick Busch.