The Danger of Thinking Title Makes You A Leader


Leadership is about enabling the potential in others and getting out of the way so their dreams can enable something bigger. Having people paid to report to you does not mean you are a leader but more likely a manager, which is a very respectable and worthwhile career path but it is not leadership. When people choose to follow you without money or title, that is leadership. As a leader, you are responsible for incubating synergies to get three out of two. Leadership is about influence, not title. Title is a mostly meaningless word that constantly changes in today’s amorphous corporate culture.

Title without great external influence is not title at all. How can you move someone’s cheese when you can’t even move your community? Leadership STARTS at the community level and its nuclear power resides there. Community-based leadership has overthrown a lot of dictators. Real leaders understand the value of academic inquiry (formal or informal), history, and change, and that these things together are the precursor to innovation. Former H.P. CEO and Presidential candidate Carly Fiorina said it best this way: “leadership is about changing the order of things”. Changing the order of things is dangerous because it has many unknowns and it ruffles the feathers of those holding power. If you are truly a leader or aspire to be one, get ready to be attacked, because you will be: all TRUE leaders are different and DO NOT FIT IN with most people or the status quo.

Carly Fiorina On Leadership Vs. Management – Stanford Univ. 2007.

Although a lot of executives say they are leaders, they can’t handle the criticism that comes with true leadership and they are often afraid of change. They insulate themselves with simple-minded yes-sayers, fire people who question them, and all too often are more concerned with the superficial status that comes with being wined and dined by vendors that serve their vertical. Types like these are fools masquerading as leaders, but there are plenty of them.

The real life of a leader is lonely, and some think you’re crazy. Examples include Billy Corgan (alternative rock music pioneer), the Wright Brothers (building and flying the first airplane), William Kunstler (landmark civil rights attorney), John McAfee (anti-virus pioneer), and Steve Jobs (computer pioneer). These people were all criticized in their early years and pushed many people away from their inner circle. Although this criticism and isolation may have broken some people, it did not break them. Most often, real leaders don’t fit in with most people, and unless they get fame or money they are ostracized. Yet they inspire movements, better people and processes, and with their vision and advocacy, society, business, and/or technology reaches heights never dreamed possible.

Martin Luther King Jr. did that and paid the ultimate price, but inspired a civil rights revolution that redefined America; William Kunstler defended him. Philosopher and teacher Socrates was unjustly condemned to death for questioning the status quo of Athenian politics and society and for teaching students to do the same for a better world. Today his ideologies and approach have proven to be the foundation for much of Western philosophy and education. His name is associated with the Socratic Method, which means question everything. It is the hallmark of how law schools teach students throughout most of the world, and it is a methodology that has proven to save the lives of thousands. Yet some corporate leaders do not like to be questioned; this is a problem, and their leadership will be short lived. In the data-centric democracy of the United States, business fads come and go, and right now the fad is for the new.

Socrates Condemned to Death Speech – 399 B.C.

Lastly, to that person who gloats about their V.P., Director, SVP title, or the like, ask them how many people would follow them passionately without money in times of great challenge while others criticize them. Likely, they will be confused, because most leaders are below the surface working to make the world a better place while the fakers described above seek status and “yes” clicks. They know nothing about leadership or moral courage. To think that titles are a rite of passage to leadership is one of the most dangerous fallacies in society to date. It has caused wars to be lost and technologies to be missed, and it is a solvable irony for a society as advanced and gifted as the human race.

I will take the person with the best ideas and passionate followers over someone who gloats about how prior titles prove anything. Titles by themselves, and even with experience, do not prove much at all, and in the evolving and constantly changing landscape of technology they for the most part do not matter. If you focus too much on title, the guy or girl with the right idea will run you out of business, and you and your whole team will be left with little money and no title. Please think long and hard about this if you are claiming to be a leader. You don’t want to be like Kodak and fail to see that digital cameras are the future, and you don’t want to be the leader who failed to see a data breach. Lastly, you don’t want to be that executive whose peers support you only because they are paid to but really don’t respect you and are not at all inspired by you. This happens a lot, and their leadership under good governance will be short lived.

If you want to talk more about these and related concepts, please contact me here.

Three Points on Artificial Intelligence and Cyber-Security for 2017

Although I have been known for longer posts, I would like to offer only three things to watch out for related to artificial intelligence and cyber-security for 2017, followed by sharing two videos.

1) Cyber attackers have long used machine learning and automation techniques to streamline their operations and may soon use full-blown artificial intelligence to do it. Botnets will become self-healing, able to detect when they are being discovered and re-route in response. The botnet and cyber crime business will grow and become more organized. Shodan, the world’s first search engine for internet-connected devices, will be used to target companies and individuals negatively. Yet it can also be used for safety and compliance monitoring, most likely when it is fed into another analytical tool.

How to Hack with Shodan (For Educational Purposes Only):

2) It won’t be long until A.I. learns the patterns of mutating viruses and then has the ability to predict and/or stop them in their tracks. This depends on the most up-to-date virus definitions and corresponding algorithms. How a Zero Day is made is heavily a math problem applied to a certain context and operating system. There should be a math formula to predict the next most likely Zero Day exploit, and A.I. could provide this. It’s a matter of calculating all possible code variations and add-on variations. It’s a lot more advanced than a Rubik’s Cube.

3) A.I. has the potential to close the gap between the less developed world and the developed world. The technology behind A.I. is not limited to big companies like IBM or Microsoft for the long term. We may be surprised by tech start-ups out of the less developed world who are very creative. Lack of fiber optic cable connectivity has forced many less developed nations to rely heavily on cell tower smartphone-based internet communications. This has inspired a mobile app growth wave in parts of Africa, as described here: “the use of smartphones and tablets within the country has led to a mobile revolution in Nigeria. Essentially, people now tend to seek mobile solutions more often and thus, enhance the growth of the mobile app development industry” (Top 4 Mobile App development companies in Nigeria, IT News Africa, 2015). A.I. will likely close the gap between these two sectors, though not drastically change it. If less developed countries can build their own mobile apps and outsource things to A.I., they could become more independent from the economic constraints of the developed world.

The video below highlights some of the complications around these points. It is from a conference hosted by the ICIT on April 25, 2016, which I did not attend. In the video, Donna Dodson (Associate Director, Chief Cybersecurity Advisor and Director, NIST), Mark Kneidinger (Director, Federal Network Resiliency, DHS), Malcolm Harkins (ICIT Fellow – Cylance) and Stan Wisseman (ICIT Fellow – HPE) discuss related concepts and share realistic examples of how these technologies are reshaping the cyber-security landscape.

ICIT Forum 2016: Artificial Intelligence Enabling Next-Generation Cybersecurity

If you want to contact me to discuss these concepts click here.

Lessons Learned From the Sony Hack

This article reviews the 2014 Sony hack from a strengths and weaknesses standpoint based on select parts of the SysAdmin, Audit, Network and Security (SANS) and National Institute of Standards and Technology (NIST) frameworks. Although it is an older hack, the lessons learned here are still relevant today.

Strengths – A Track Record of Innovation and Multilayered Information Security:
From early boom-boxes in the 1980s and the first portable disc player in the early 1990s, to high-quality headphones, the first HD TVs, high-quality speakers, a gaming system revolution called the PlayStation, and now a massive on-line gaming network, Sony has been creative and innovative. This has made them one of the most respected and profitable Japanese companies to date. Yet this success bred overconfidence in other areas, including information security, but they still have the potential and the money to be a security leader. The managerial layering of Sony’s information security team was a good start even if their head count was too low. One source stated, “Three information security analysts are overseen by three managers, three directors, one executive director and one senior vice president” (Hill, 2014). Although contradictory, at least there was some oversight.

Failure 1 – Poor Culture and Lack of Leadership Support:
Sony’s leadership is on the record as not respecting the recommendations of either internal or external auditors. A quote from an I.T. risk consultancy summarized it this way: “The Executive Director of Information Security talked auditors out of reporting failures related to Access Controls which would have resulted in Sony being SOX (Sarbanes-Oxley) non-compliant in 2005” (Risk3sixty LLC, 2014). Things like this trickle down the layers of management and become part of the company culture. Specifically, low-level whistle-blowers were silenced even though their I.T. risk arguments were solid: “Sony’s own employees complained that the network security was a joke” (Risk3sixty LLC, 2014). When this happened Sony’s leaders failed to execute their fiduciary duty to the board, shareholders, and customers. They did this so they did not look bad in the short term, yet it cost the company more in the long term.

Failure 2 – Not Understanding Their Baseline:
The baseline is a measure that determines when you have the right amount of security and security process in relationship to your required business objectives and risk tolerance. Being below the baseline means risk is too high and an attack or breach is likely. This is why the baseline changes often and needs to be closely monitored. For example, when you are producing a very politically controversial movie about an unruly world leader who has a history of making war threats against his political opponents, you should have a higher baseline to be on guard against hacktivists. Sony overly focused on their cash-generating core competencies and security was at most an afterthought. According to one source, Sony Pictures had just 11 people assigned to a top-heavy information security team out of 7,000 total employees (Hill, 2014). For a technology company that is far too few people working in security. It is not enough people to collect and intelligently review logs, patch software, pen test, red team, and be available for one or more war-room type projects which are bound to come up, all things prudent security would require.

Understanding your I.T. risk baseline requires testing and measurement, and this has to be based on some framework: SANS, NIST, or one of the others. One former employee described Sony’s failure to comply with any framework as follows: “The real problem lies in the fact that there was no real investment in or real understanding of what information security is. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected” (Hill, 2014). Had they conformed to the SANS or NIST framework they would have been required to encrypt the data (see conclusion).

Failure 3 – Weak Password Policies:
Sony’s password policy was embarrassingly weak. In fact, so weak you might think they were deliberately trying to help hackers. “Employees kept plaintext passwords in Microsoft Word documents” (Franceschi-Bicchierai, 2014). Even very small companies from the 1990s would have had policies against that. Moreover, one source confirmed that the Word files were named with “password” in the file name (Risk3sixty LLC, 2014). Once in the network, all a hacker has to do is search for a file with “password” in the name and they have it.
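The defender-side counterpart of that search, as an added example that is not code from the post or from Sony: a Python audit that walks a file share and reports files whose name or text contents signal stored plaintext credentials, so they can be found and removed by the security team first. The sample share, its file names, and the regular expressions are constructed assumptions for the demonstration.

```python
import os
import re
import tempfile

# File names that advertise their contents, e.g. "Passwords.txt" or "pwd list.docx".
NAME_PATTERN = re.compile(r"(password|passwd|pwd|credential)", re.IGNORECASE)
# Text that looks like a stored secret: "password: x", "passwd = y", "pass=z".
CONTENT_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|pass)\s*[:=]\s*\S+")
# Only plain-text formats are opened; office documents are flagged by name only.
TEXT_EXTENSIONS = {".txt", ".csv", ".ini", ".cfg", ".conf", ".xml", ".json", ".md"}
MAX_BYTES = 1_000_000  # skip very large files; this is an audit, not a full index


def audit_tree(root):
    """Walk `root` and return a sorted list of (relative_path, reason) findings.

    reason is "name" when the file name itself signals stored credentials,
    "content" when a text file contains password-style key/value lines,
    and "name+content" when both apply.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            reasons = []
            if NAME_PATTERN.search(fname):
                reasons.append("name")
            ext = os.path.splitext(fname)[1].lower()
            if ext in TEXT_EXTENSIONS and os.path.getsize(full) <= MAX_BYTES:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    if CONTENT_PATTERN.search(fh.read()):
                        reasons.append("content")
            if reasons:
                findings.append((rel, "+".join(reasons)))
    return sorted(findings)


def build_sample_share():
    """Create a constructed (fake) file share in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    samples = {
        # Mirrors the failure described in the post: the file name says what is inside.
        os.path.join("finance", "Passwords.txt"): "bank portal\nuser: cfo\npassword: Summer2014!\n",
        # Innocent name, but the content is a stored credential.
        os.path.join("it", "server-notes.txt"): "backup host 10.0.0.5\npasswd = r00tme\n",
        # Office document we do not open; the name alone is enough to flag it.
        os.path.join("hr", "pwd list.docx"): "PK\x03\x04 not really a docx",
        # Clean file: must not be reported.
        os.path.join("marketing", "q3-plan.txt"): "Launch plan for Q3. Budget TBD.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, reason in audit_tree(share):
        print(f"{reason:13s} {path}")
```

Run it against a real share as the account that owns the audit, and treat every "content" hit as a credential to rotate, not just a file to delete.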

Failure 4 – Late Detecting the Hack and Data Exfiltration:
Right away the intruders easily walked into Sony’s internal network and began stealing unencrypted sensitive data with apparently no log alarms going off. Sony had not followed data classification, retention, or governance plans, not even checkbox compliance. If they had, they would not have had all types of data mixed together. One reporter described it this way: “Intruders got access to movie budgets, salary information, Social Security numbers, health care files, unreleased films, and more” (Hill, 2014). Thus, their network segmentation must have been weak or non-existent. Health care data should not be stored near unreleased film files, as they are totally different. There is no business justification for this. Segmenting and encrypting the data would have greatly reduced and delayed any data theft.
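As an added example (not code from the post or from Sony), here is the kind of alarm that was missing: a Python detector that sums each host's daily egress to non-private addresses from flow records, compares each day against that host's own median history (the "baseline" idea from Failure 2), and separately flags any egress at all from a host whose segment is not supposed to reach the Internet. The flow records, host names, the 5x factor and the 50 MB floor are constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample flow records: (day, source host, destination IP, bytes sent).
# Three quiet days, then a spike from the HR file server on the fourth.
SAMPLE_FLOWS = [
    ("2014-11-17", "fileserver-hr", "203.0.113.10", 3_000_000),
    ("2014-11-17", "laptop-42", "198.51.100.7", 12_000_000),
    ("2014-11-18", "fileserver-hr", "203.0.113.10", 2_500_000),
    ("2014-11-18", "laptop-42", "198.51.100.7", 15_000_000),
    ("2014-11-19", "fileserver-hr", "203.0.113.11", 3_200_000),
    ("2014-11-19", "laptop-42", "198.51.100.7", 11_000_000),
    ("2014-11-20", "fileserver-hr", "203.0.113.55", 900_000_000),  # exfiltration day
    ("2014-11-20", "laptop-42", "198.51.100.7", 14_000_000),
    ("2014-11-20", "laptop-42", "10.0.5.9", 500_000_000),          # internal copy, not egress
]

# Segmentation policy (assumed): hosts in this set must never talk to the Internet directly.
NO_EGRESS_HOSTS = {"fileserver-hr"}

# Explicit RFC 1918 ranges. ipaddress.is_private is deliberately not used here because
# it also treats the documentation ranges used in the sample data as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the destination lies outside the internal address ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Sum bytes per (host, day) for flows whose destination is external."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[(host, day)] += nbytes
    return totals


def detect(flows, factor=5.0, floor_bytes=50_000_000):
    """Return sorted (day, host, kind, bytes) alerts.

    kind == "policy": a no-egress host sent anything external (segmentation failure).
    kind == "volume": a day's egress exceeds max(factor * median of prior days, floor),
    evaluated only once the host has at least two prior days of history.
    """
    per_host = defaultdict(dict)
    for (host, day), nbytes in daily_egress(flows).items():
        per_host[host][day] = nbytes
    alerts = []
    for host, days in per_host.items():
        ordered = sorted(days)  # ISO dates sort chronologically as strings
        for i, day in enumerate(ordered):
            nbytes = days[day]
            if host in NO_EGRESS_HOSTS:
                alerts.append((day, host, "policy", nbytes))
            history = [days[d] for d in ordered[:i]]
            if len(history) >= 2:
                baseline = statistics.median(history)
                if nbytes > max(factor * baseline, floor_bytes):
                    alerts.append((day, host, "volume", nbytes))
    return sorted(alerts)


if __name__ == "__main__":
    for day, host, kind, nbytes in detect(SAMPLE_FLOWS):
        print(f"{day} {host:14s} {kind:7s} {nbytes / 1_000_000:10.1f} MB")
```

Note that the policy rule fires on every one of the file server's days, not just the spike: the segmentation failure was already visible before the theft began.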

Conclusion:
(Figures: SANS top 3 controls for Sony; NIST Cyber Security Framework for Sony)

References:
Baker, L., & Finkle, J. “Sony PlayStation suffers massive data breach”. Reuters. Published 04/26/11. Viewed 10/26/16. http://www.reuters.com/article/2011/04/26/us-sonystoldendata-idUSTRE73P6WB20110426

Franceschi-Bicchierai, Lorenzo. “Don’t believe the hype: Sony hack not ‘unprecedented,’ experts say.” Mashable. Published 12/08/14. Viewed 10/20/16. http://mashable.com/2014/12/08/sony-hack-unprecedented-undetectable/#359BD06aEkq6

Greene, Tim. “SANS: 20 critical security controls you need to add.” Network World. Published 10/13/15. Viewed 10/23/16. http://www.networkworld.com/article/2992503/security/sans-20-critical-security-controls-you-need-to-add.html

Hill, Kashmir. “Sony Pictures hack was a long time coming, say former employees”. Fusion. Published 12/04/14. Viewed 10/20/16. http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/

NIST. “Framework for Improving Critical Infrastructure Cyber Security”. Published 01/01/2016. Viewed 10/23/16. https://www.nist.gov/sites/default/files/documents/cyberframework/Cybersecurity-Framework-for-FCSM-Jan-2016.pdf

Risk3sixty LLC. “The Sony Hack – Security Failures and Solutions.” Published 12/19/14. Viewed 10/20/16. http://www.risk3sixty.com/2014/12/19/the-sony-hack-security-failures-and-solutions/

Sanchez, Gabriel. “Case Study: Critical Controls that Sony Should Have Implemented”. SANS Institute InfoSec Reading Room. Published 06/01/2015. Viewed 10/20/16. https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-sony-implemented-36022

Demystifying 9 Common Types of Cyber Risk

1) Crimeware
Crimeware is designed to fraudulently obtain financial gain from either the affected user or third parties by emptying bank accounts, trading confidential data, etc. It most often starts with advanced social engineering that results in disclosed information, which leads to the crimeware being installed via programs that run on botnets: zombie computers in distant places used to hide the fraudster’s I.P. (internet protocol) trail. Usually the victim does not know they have crimeware on their computer until they start to see strange bank charges or the like, or an I.T. professional points it out to them. Oftentimes it masquerades as fake but real-looking antivirus software demanding your credit card info in an effort to then commit fraud with that info.

2) Cyber-Espionage
The term generally refers to the deployment of viruses that clandestinely observe or destroy data in the computer systems of government agencies and large enterprises: unauthorized spying by computer, tablet, or phone. Antivirus maker Symantec described one noteworthy example where the U.S. Gov’t made a worm to disable Iran’s nuclear reactors, arguably in the name of international security (Fig. 1).

“Stuxnet is a computer worm that targets industrial control systems that are used to monitor and control large scale industrial facilities like power plants, dams, waste processing systems and similar operations. It allows the attackers to take control of these systems without the operators knowing. This is the first attack we’ve seen that allows hackers to manipulate real-world equipment, which makes it very dangerous. It’s like nothing we’ve seen before – both in what it does, and how it came to exist. It is the first computer virus to be able to wreak havoc in the physical world. It is sophisticated, well-funded, and there are not many groups that could pull this kind of threat off. It is also the first cyberattack we’ve seen specifically targeting industrial control systems” (Accessed 03/20/16, Norton Stuxnet Review).

Richard Clarke is the former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States, and he commented on Stuxnet and cyber war generally in this Economist interview from 2013.

Fig.1.

3) Denial of Service (DoS) Attacks
A DoS attack attempts to deny legitimate users access to a particular resource by exploiting bugs in a specific operating system or vulnerabilities in the TCP/IP implementation (internet protocols) via a botnet of zombie computers in remote areas (Fig. 2). This allows one host (usually a server or router) to send a flood of network traffic to another host (Fig. 3.). By flooding the network connection, the target machine is unable to process legitimate requests for data. Thus the targeted computers may crash or disconnect from the internet through resource exhaustion, consuming all bandwidth or disk space, etc. (Fig. 3.). In some cases they are not very harmful, because once you restart the crashed computer everything is on track again; in other cases they can be disasters, especially when you run a corporate network or ISP (internet service provider).

Fig. 2. and Fig. 3. (Botnet and TCP image)
4) Insider and Privilege Misuse
Server administrators, network engineers, outsourced cloud workers, developers, I.T. security workers, and database administrators are given privileges to access many or all aspects of a company’s IT infrastructure. Companies need these privileged users because they understand source code, technical architecture, file systems and other assets that allow them to upgrade and maintain the systems; yet this presents a potential security risk.

With the ability to easily get around controls that restrict other non-privileged users, they sometimes abuse what should be temporary access privileges to perform tasks. This can put customer data, corporate trade secrets, and unreleased product info at risk. Savvy companies implement multi-layered approvals, advanced usage monitoring, 2- or 3-step authentication, and a strict need-to-know policy with an intelligible oversight process.

5) Miscellaneous Errors
This is basically an employee or customer doing something stupid and unintentional that results in a partial or full security breach of an information asset. This does not include lost devices, as that is grouped with theft; this is a smaller category. The 2014 Verizon Enterprise Data Breach Investigation Report gives an example of this category as follows:

“Misdelivery (sending paper documents or emails to the wrong recipient) is the most frequently seen error resulting in data disclosure. One of the more common examples is a mass mailing where the documents and envelopes are out of sync (off-by-one) and sensitive documents are sent to the wrong recipient” (Accessed 02/21/16, Page 29).

6) Payment Card Skimmers
This is a method where thieves steal your credit card information at the card terminals, often at bars, restaurants, gas stations, sometimes at bank ATMs, and especially where there is low light, no cameras, or anything to discourage the criminal from tampering with the card terminal.

Corrupt employees can have a skimmer stashed out of sight, or crooks can install hidden skimmers on a gas pump. Skimmers are small devices that can scan and save credit card data from the magnetic stripe (Fig. 4.). After the card slides through the skimmer, the data is saved, and the crooks usually then sell the information through the internet or, if they really want to be secure, the Darknet, which is a non-mainstream part of the internet that requires a special browser or plug-in to access. After this, counterfeit cards are made, then bogus charges show up, and the bank eats the costs, which unfortunately drives up the cost of banking for everyone else. Also, some skimmers have mini cameras which record the PINs typed at ATM machines for a more aggressive type of fraud (Fig. 5.). Here are two images of skimmer technologies:

Fig 4. and Fig 5. (Card Skimmer and Camera)

7) Physical Theft and Loss
This includes armed robbery, theft by accident, and/or any type of device or data lost. Although some of the stolen or lost items may never end up breached or used for fraud, sometimes they are, depending on which device and/or what data is on that device, whether it was encrypted, whether the data could be deleted remotely, etc.

8) Point of Sale Intrusions
See my 2014 post on the Target Data Breach here for a good example.

9) Web App Attacks
These incidents were carried out primarily via manipulation of vulnerabilities in input validation and authentication affecting common content management systems like Joomla, Magento, SiteCore, WordPress, and Drupal.

According to the 2015 Verizon Data Breach Investigation Report these types of attacks are not only a reliable method for hackers, but also fast, with 60% of the compromises taking a few minutes or less (Accessed 02/21/16). With web applications commonly serving as an organization’s public face to the Internet, the ease of exploiting web-based vulnerabilities is alarming (Accessed 02/21/16, 2015 Verizon Data Breach Investigation Report). According to The Open Web Application Security Project these are two common types of web app weaknesses (Accessed 02/21/16, 2013, OWASP 10 Most Critical Web Application Security Risks):

“i) Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

ii) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping (Fig. 6.). XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites access unauthorized pages”.

Fig. 6. (RXSS)
Jeremy Swenson, MBA is a seasoned, Intel certified, retail technology marketing and training representative on assignment at Best Buy for clients including Intel, Trend Micro, Adobe, and others. He also doubles as a Sr. business analyst and project management consultant. Tweet to him @jer_Swenson.


Microsoft HoloLens, Mobile vs. Good Web-Design, and Security Needs Innovation Not Gov’t.

1) We knew there would come another well-positioned company that makes a pair of smart glasses like Google Glass and that it would drive more competition and innovation. Microsoft raised their hand right away with their HoloLens glasses, which are hologram based, slightly “gamified”, and seemingly better than Google Glass, largely because they tied it in with known Windows functionality (broader offerings). See a video of this cool new technology here:

2) It is a fact that on average people now access their e-mail via mobile devices more often than on a traditional computer. This has forced websites, news makers, and companies to design their web offerings in a mobile-compatible way, so when you go to the web on a computer the sites are often overly mobile in their design and sometimes look goofy, with buttons and frames that are too big. CNN.com is a good example of a web-site that went too far with its mobile design: if you access it from a normal computer it looks more like a kids’ play web-site with big buttons and frames optimized for touch and little info presented. Yet their prior design was better, especially if you want to read more in one screen view.

(Old vs. New CNN.com, respectively)

There is no doubt that mobile will continue to grow and will be used on smaller devices like watches, ear buds, pacemakers, and contact lenses. Web design has shifted so fast to mobile that sometimes good web design and user experience are forgotten for non-mobile users or business users, who on average spend much more time on those same sites than mobile users. Thus a better balance of the two design types is needed, and an app is a separate project altogether yet still needed. I also think Microsoft will take more mobile market share away from Android and Apple since they have learned a lot from their Windows 8 release and are quickly working to release Windows 10 as a better touch-based, mobility-optimized O.S. that many are excited to try.

3) There will be more data breaches, but many of them will be supported by Western Governments, who in effect devalue security standards by collaborating with large companies to quarry vast amounts of metadata, all in the name of security. Sadly we know Governments have abused this power in the past and will continue to do so; thus the private sector needs to collaborate and inspire innovation in this space for better security and transparency, so the masses may have security and corrupt Governments can be exposed.

Equation group victims map

As it stands now hackers are a few steps ahead of antivirus makers, and they are constantly tweaking their viruses so they can’t be detected. The newest types of viruses are suspected to be created by the Equation Group, one of the most sophisticated hacking groups ever known. These new viruses hide in your hard drive’s firmware and are undetectable. Antivirus maker Kaspersky commented on this in their Q&A doc on the Equation Group, stating, “We were able to recover two HDD firmware reprogramming modules from the EQUATIONDRUG and GRAYFISH platforms. The EQUATIONDRUG HDD firmware reprogramming module has version 3.0.1 while the GRAYFISH reprogramming module has version 4.2.0. These were compiled in 2010 and 2013, respectively, if we are to trust the PE timestamps” (http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf).

Kaspersky went on to further speculate that there were clues that the U.S. N.S.A. was involved in the latest hard drive firmware virus, and even suggested they had the cooperation of major hard drive makers like Western Digital, Seagate, Samsung, and Toshiba in order to get the code needed to write the virus. Any reasonable technologist would likely agree with this. Yet this decreases innovation and free competition, and you know big money likely traded hands to make these deals happen. How can a big company now trust paying a technology company for security or services when they are just going to give it away to supposed governments here or elsewhere? More importantly, if one government has the ability to get into a tech company’s data, then other more ill-intentioned governments and organizations can quickly learn how to do that as well, and that is the real threat.

If you want to hire me to speak at your next event or consult for your company on these and related topics please contact me.

Thought$ On The Future of Digital Curren¢y For A Better World

In the old days the gold standard was the way global economies secured their financial backing yet over time that got to be too costly to secure and too heavy to move. In all reality inflation and population growth far exceeded the amount of gold available for it to be widely used so nations moved away from the gold standard and adopted their own currencies and financial regulatory systems – for better or worse. Yet with growing curiosity around digital currency in conjunction with the decline of traditional cash usage I offer my commentary at an increasingly relevant time.

Figs. 1. and 2.

Governments are wrong to assume all or most forms of digital currency are associated with illicit activity. We all know there have been bad actors out there in the digital currency space, and we know that some platforms like Silk Road have been attractive to them. Yet we must not forget that most bad actors use normal currency more often, and more importantly, the form of the currency is not as important as what the actor does with it.

Since we are at the beginning of the digital currency revolution, it scares big governments who use traditional currencies to govern and collect taxes, and in some countries like Venezuela, Rwanda, Iraq, and Libya, they commit war crimes and financial fraud and steal from their citizens under the auspices of a legitimate financial system. In these countries, could a new, more secure digital currency inspire a government revolution, showing more transparency in currency movement and tax records and sustaining democracy, human rights, and economic growth? The point here is that governments have abused their power to collect taxes and regulate financial services since the beginning of time. Didn’t the United States fight the Revolutionary War to stop excessive and unjust taxation by the British? And prior to the formation of the United States (July 4, 1776) the Thirteen Colonies had their own contradictory currencies, used the Spanish dollar, and counterfeiting was widespread by government and non-government people alike. Indeed governments should discourage immoral activity via legislation, but not innovation in payment methodologies, because lots of good can come from these new technologies. We as a world must think harder and longer, and we must inspire debate among global leaders for a better currency form in the future, as paper cash is too darn simple and will soon grow more insecure due to better printer technologies, given the endless capabilities of the 3D printer.

Figs. 3. and 4. (Bitcoin and Apple Pay)
Conservative Wells Fargo led the industry in a surprise joint effort with Apple for the iPhone Apple Pay application in Oct. of 2014, setting a new standard with a mobile digital currency that has great security. Wells Fargo’s move to Apple Pay is a step closer to a digital currency, and it is gaining traction: according to Forbes.com, 10 major banks have now signed up for it (http://www.forbes.com/sites/roberthof/2014/12/16/apple-pay-gets-more-bank-support-but-it-still-needs-a-lot-more-stores-to-succeed/). Yet like most new technologies it takes time for others to upgrade to it, and in this case that means retailers need new software and terminal equipment that will accept the mobile payment platform. Although this takes time and money, every new technology does, and over time I believe it will save retailers money and time. Imagine a busy retailer two years from now who has no ability to take mobile payments during a busy holiday rush: they will have to staff more people, suffer more human error via cash transactions and manually entered credit card transactions, risk employee theft of unmasked credit card numbers, and customers will leave fed up with how long it takes to be serviced. Conversely, imagine a busy retailer two years from now who has the ability to take mobile payments: they will staff fewer people, customers can check themselves out, and the risk of human error is reduced while security has the potential to be better. Moreover, in a hyper-competitive retail market this can bring prices down and service levels up to the benefit of the customer, the community, and the technology sector. This is where innovation is born, and some Subway franchise owners have taken the lead as of Nov. 2013 (http://www.cnbc.com/id/101211284). Economic policy makers must not hide from this better future and should take note from the private sector.

Fig. 5. Subway entrepreneur using Bitcoin:

It is likely less costly to make and secure digital currency than it is to make and secure cash and coins. Every time the U.S. Mint releases a new version of its bigger bills it takes years to develop, billions to make, billions to secure, they have to burn and shred billions of old bills, and a credible 2013 Market Watch Report backs this up by saying, “the new hundred dollar bill costs 60% more to make than the prior version” (http://www.marketwatch.com/story/new-100-bill-costs-60-more-to-produce-2013-10-08). With this type of growth rate how can these costs be sustainable especially as the population grows and paper resources become sparser?

Fig. 6. New $100 bill

Conversely, we know that technology costs go down or stay even when balanced for inflation over time. We also know that RAM memory, CPU speed, CPU size, fiber optic cable connectivity, and data encryption have made exponential leaps in the last five years thus making the environment for digital currency ripe. After all, many governments including the U.S. claim to have cloud, server, metadata, and predictive analytic technologies that manage to monitor and track all the internet transactions in most of the world, and the private sector would agree with this. If technology is this good why then can’t we have digital currency?

The answer is that change takes time and government bureaucrats have insulated themselves with yes-man lobbyists who support the current status quo. Supporting the current status quo is big business; after all, there are secured vehicle companies, printing companies, risk management companies, and many other companies that make money off the current financial regulatory system, and lots of jobs and money are at risk if the current model were to change. A good example of this is what happened to the film-based camera company Kodak when it failed to respond to digital, but with digital currency it’s worse because we are dealing with big government and elected leaders who are at best imperfect though at times well intentioned. Yes, there are some true leaders out there like Congressman Steve Stockman (R-TX 36th District), who took Bitcoin donations for his campaign and introduced the Virtual Currency Tax Reform Act (http://www.forbes.com/sites/perianneboring/2014/04/08/breaking-rep-stockman-to-introduce-first-bitcoin-bill/) to get the dialogue on Capitol Hill started, but the bill has not yet passed and more work and research needs to be done. We as business/tech people need to be a loud part of this research and discussion, and then more elected leaders will support it.

Lastly, digital currency moves the world closer to a one world currency where foreign exchange risk is significantly reduced or eliminated. Thus tariffs and geopolitical economic sanctions will be easier to see and prevent, and private sector companies that do a lot of international trade can benefit from that. Are there too many currencies throughout the world, and would one global currency be better? Well, it would be better in that there would be fewer economic highs and fewer economic lows, but it would be worse in that highly valued companies and individuals in the developed world would be greatly devalued, and some in the U.S. would argue that violates the free market principles of the Constitution and discourages private sector competition. Moreover, a one world currency would be impracticable to support and would violate state sovereignty across the world, yet that didn’t stop China from advocating for it in 2009 and subsequent years according to this credible source (http://usa.chinadaily.com.cn/world/2014-01/29/content_17264069.htm).

In sum, I don’t think a one world currency is the answer as I do think it would violate free market principles. Yet I do think a leading digital currency is needed when it can have transparent transfer rates, a secure audit trail, and can enable some cross-border economic development to balance out the third world so they don’t have to go to loan sharks for their crop loans. Cheers to our digital future!

If you want to hire me to speak at your next event or consult for your company on these and related topics concerning financial services risk, process improvement, project management, and related areas please contact me.

Lessons Learned From The Target Data Breach: Part 1

In the holiday shopping rush of December 2013 Target (TGT), the 1,778 store middle market retailer, had one of the biggest data breaches in American business history. The breach apparently affected 70-100 million customers and over 40 million cards (varying estimates exist) across all U.S. stores but excluded Target.com and stores in Canada.
The general consensus is that an HVAC contractor for Target, Fazio Mechanical Services, which had access to Target’s networks, got its own network hacked via an e-mail phishing attack, normally an elementary attack method; yet that attack installed malware that then got onto Target’s network and installed more malware that copied personal data from Target’s payment processing terminals while it was in the “working memory area” or “cache” of the software/system, that is, before it gets encrypted to be sent to the bank to be authorized. This is part of the reason why it was not detected so fast, and yes, these hackers were smart.

Yet Target also did a bad job separating their networks and servers while they were trying to save money by having fewer networks and broader access for those who needed them. Yet I don’t see why an HVAC contractor would need to be so close to the networks that run the registers. This is simply poor design. I am sure the HVAC company could have done their job without access to the Target network. Let’s hope they did not just want to upload HVAC reports and browse the network.
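As an added illustration of the separation argument above (my own example, not Target's code or anything from the article's sources), the Python below audits flow records against a segment allow-list, so that a contractor host reaching the register segment, or a register sending volume straight to an outside host, is surfaced as a finding instead of being silently permitted. Every segment name, address range and log line here is hypothetical and constructed.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed segment map with hypothetical private ranges (not Target's real layout).
SEGMENTS = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),  # where contractors land
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),  # registers and payment terminals
    "payment_gw": ipaddress.ip_network("10.40.0.0/24"),  # encrypts, forwards to the bank
}
# Allow-list of (source, destination) segment pairs; any other cross-segment flow is a
# violation, so vendor->pos or pos->internet becomes a finding rather than being allowed.
ALLOWED = {
    ("pos", "payment_gw"),
    ("payment_gw", "external"),
    ("corporate", "external"),
    ("vendor_portal", "corporate"),  # hypothetical: the vendor billing app lives here
}
FLOW_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$")

def segment_of(ip: str) -> str:
    """Map an address to a named segment; anything outside the map counts as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def parse_flow(line: str):
    m = FLOW_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line, skipped by the audit
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}

def audit_flows(lines, exfil_threshold: int = 1_000_000):
    """Return (rule, detail) findings: every cross-segment flow not on the allow-list,
    plus register-to-external volume to any single host at or above the threshold."""
    findings, outbound = [], defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if src_seg != dst_seg and (src_seg, dst_seg) not in ALLOWED:
            findings.append(("policy", f"{f['ts']} {src_seg}->{dst_seg} "
                                       f"{f['src']}->{f['dst']}:{f['dport']}"))
        if src_seg == "pos" and dst_seg == "external":
            outbound[(f["src"], f["dst"])] += f["bytes"]  # aggregate staging-style transfers
    for (src, dst), total in outbound.items():
        if total >= exfil_threshold:
            findings.append(("exfil_volume", f"{src}->{dst} {total} bytes"))
    return findings

# Constructed flow records (hypothetical addresses and byte counts) for a stand-alone run.
SAMPLE_FLOWS = [
    "02:10:01 src=10.20.3.8 dst=198.51.100.7 dport=443 bytes=4200",
    "02:11:15 src=10.10.0.15 dst=10.20.5.40 dport=443 bytes=9100",
    "02:12:40 src=10.10.0.15 dst=10.30.4.22 dport=445 bytes=8120",
    "02:13:02 src=10.30.4.22 dst=10.40.0.5 dport=8443 bytes=1300",
    "02:14:07 src=10.30.4.22 dst=198.51.100.23 dport=21 bytes=600000",
    "02:19:33 src=10.30.4.22 dst=198.51.100.23 dport=21 bytes=500000",
    "garbage line that does not match the flow format",
]
```

Calling `audit_flows(SAMPLE_FLOWS)` yields three policy findings (the contractor-to-register flow and two register-to-external flows) plus one aggregated volume finding for the register host that pushed 1.1 MB to a single outside address.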

According to a recent Business Week article, “Target had a team of security specialists in Bangalore to monitor its computers around the clock.  If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.  On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route.  As they uploaded exfiltration malware to move the stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis.” (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data)
Yet Target did not take this alert seriously, but why? Fear of change, ego, poor leadership, and too much bureaucracy got in the way of the costly software’s effectiveness. At the time of the breach FireEye was a new software tool for Target’s technology group, and what I know about new technology is that people delay embracing and learning new systems out of fear that those systems will be buggy or not as good as the old ones. I understand this very well having worked part time in the P.C. dept. at Best Buy for more than 3.7 years representing Intel and related software makers Microsoft, Symantec, Trend Micro, and Adobe. When Windows 8 came out all kinds of people were doubting it, not because it was bad but because it was more work to get to know, and if they saw something really different about it, they were inclined to think it was a bug when in fact it was a useful design feature they didn’t yet understand. The same bias can be applied to Apple computers. People falsely think that they are immune from viruses because Apple designs them that way. What a joke. Apple computers are only as secure as their understanding of the latest virus. Yes, it is true the Apple operating system is not targeted as much for viruses, but it is also not used as much and it is hardly used by large companies and governments.

Moving on, the CIO really needs to get behind any major software change like this, and if Target’s former CIO Beth Jacob was really behind FireEye she probably would have done something about the alerts it was giving her. You would think as CIO she would want to immediately act and reduce any risk. What was she doing at the time, giving some speech about how she was such a great leader in the industry while some high buck corporate partner pays for her three-course lunch? Clearly, her eye was not on the ball or even on Target (no pun intended), and she had a big enough ego to think she was smart enough and had put the right people on her team to take care of this. Yet what an epic fail. It is also likely that there were people some layers below Jacob that tried to inform others of the alert, but I am sure their voice of concern and reason got squashed by Jacob’s massive ego; after all, you can’t doubt a CIO, right? I highly doubt everyone in Target’s IT security team was going to ignore these alerts, but it is too many layers of bureaucracy that got in the way of Target’s safety. Target is better off with a more open style of bureaucracy where concerns can be heard at all levels and tools and processes are shared for innovative solutioning; Google’s culture is a good example of this.

Target has also grossly underestimated the costs associated with the data breach to keep their stock price up, but of course they would never say it like that; however, I am not alone in thinking Target’s $147 million figure is too low. According to one analyst, costs would rise even more over time: “I don’t see how they’re getting out of this for under a billion, over time,” he said, adding, “$150 million in a quarter seems almost like a bargain.” (http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0)

Those who have the stolen data are likely outside of the U.S., and when and if they use the data to commit fraud the ability of a U.S. corporation or court to go after them is diminished, slow, and costly. Moreover, since the U.S. is in the midst of negative geopolitics with parts of Europe, particularly Russia, where some sources have traced the hack, those who have the data are likely to be bold in how they use it, and that’s where the cost to Target will add up. The other areas where the costs will grow are Target’s own internal policy and procedure changes as well as the growth of their IT security staff and tools, but most importantly their investment in training must grow. At present Target has more than 90 lawsuits against them regarding the breach and that number is likely to grow, so the costs here are going to be huge overall.

Lastly, I am not all negative on the Twin Cities’ favorite corporate hometown hero as I shop at Target often, have the REDCard, have been to their diversity events, and I have also seen a lot of concerts and sporting events at both Target Field and the Target Center.  However, the mere fact that Target has the money and lobbying power to get their name in the community does not mean they are a true leader in the community.  As the data security community increases consumer awareness retailers like Target will continue to be challenged to innovate and that’s better for all people.

By Jeremy Swenson

Former FDIC Chair Sheila Bair Comments On Bank Bailouts, Peer-To-Peer Lending, And Tax Reform

On Tues, 04/08/14, former FDIC Chairperson Sheila Bair visited Minneapolis and offered commentary on the financial services industry, peer-to-peer lending, systemic risk, and the recent recession. Bair is educated as an attorney and was Assistant Secretary for Financial Institutions at the Treasury Dept. and a professor at the University of Massachusetts Amherst before she moved over to Chair the FDIC from 2006 to 2011. At the FDIC Bair helped the nation’s financial system out of an exacerbated recession and unprecedented bank run from 2007 to 2010, but not without ruffling a few feathers.

Addressing a sold out crowd including former Congressman Tim Penny and other elected officials, business people, students, and ethically minded community members, Bair had the honor of being the keynote speaker at Saint Mary’s University of MN’s publicly broadcast Hendrickson Forum on Ethical Leadership. Bair opened her keynote by describing how unimpressed she was that when she arrived at the FDIC in 2006 the organization had little to no info on sub-prime lending and had to buy a database to conduct research on it. This was in part due to the fact that sub-prime lenders were private and not a part of deposit institutions and thus slightly out of scope for the FDIC at that time. Bair did not inherit a perfect FDIC, and it can be inferred that the FDIC should have been paying attention to sub-prime lending far sooner, as it was directly related to many elements that affect deposit institutions including real estate, entrepreneurship, income and tax, and community redevelopment.


Bair now free from the constraints of holding a Washington office spoke openly about how she felt hindered to speak to the human element of the financial crisis while at the FDIC.  She indicated that although she was a part of the team that brokered the historic bank bailouts (2008-2009), that she has some serious reservations about that, because it was “too generous and uneven” and “helped the banks far more than it helped homeowners and families”.  She also described regular disagreement with then Treasury Secretary Timothy Geithner and suggested he was too close to many of the bank executives who benefited from the bank bailouts.

She further described miscommunication and lack of collaboration as Geithner worked around her efforts at the FDIC, and the undertone of this was political disagreement over which agency should lead the recession resolution in terms of the banking industry.

At present, Bair supports the Dodd-Frank Act because it favors bankruptcy and a three-year clawback for executives over a bailout in the event of a bank failure. Although Bair in the past has said she disagreed with Janet Yellen’s support to repeal the Glass-Steagall Act, she presently indicated she still supports the new Fed Chair and viewed her as a reliable Washington outsider.


When I directly questioned Bair on the growth of peer-to-peer lending she seemed cautious about its long-term viability, citing an unknown regulatory landscape, and even recounted that peer-to-peer lender Prosper lost many investors during the worst months of the recession. In discussion with Bair I observed that she, like many banks, is in a wait and see mode with peer-to-peer lending, but she did indicate that for customers consolidating higher interest rate debt it can be a good thing, and that could in turn force banks to be more customer centric with better terms.

Yet I am more optimistic on peer-to-peer lending than Bair, along with many respected peer-to-peer investors including Google, which invested $125 million in Lending Club, and the former CEO of Citigroup, Vikram Pandit. It is really telling when the former Citigroup CEO goes against his own industry in favor of a tech-heavy new lending model, but he is right because most customers no longer need the big bank branches and elaborate services that are fee heavy. Moreover, peer-to-peer lenders offer attractive rates, diverse portfolio options, and low operational costs, and that keeps investors and borrowers happy. Just like online news slaughtered traditional print media, as soon as peer-to-peer lending gets more regulatory backing it will slaughter traditional fee-heavy banks if they don’t adapt to this new environment.

When commenting on federal sequestration Bair showed frustration and disagreement over the automatic spending cut approach and instead suggested that tax rates be reduced and restructured in a number of areas to encourage more employment, keep businesses in the U.S., and encourage business innovation which would in turn provide more income and employment thus bringing in a greater amount of taxable income to offset her proposed tax reduction.  This truly can be a helpful aspect of the budget deficit issue in that taxes in the U.S. are far too high and there are some needless loopholes that harm many and help few.  The 2.3% Medical Device Tax is an example of this as it encourages the many medical device companies in MN to move their operations outside the U.S. due to the high tax cost, and it adds to their cost of doing business thus reducing their ability to get favorable loans.

Lastly, as an advocate for consumer protection and creative thinking I asked Bair if she had any insight on what the massive Target data breach might mean for the banking and related industries — where an estimated 10-15% of the 40 million affected cards have encountered some type of fraud — and she reminded me that the banks are taking the losses before the retailer does.  Although she offered no specifics other than suggesting that debit cards are more relevant, she shared my concern that data security is a growing factor in financial regulation yet I was then reminded that Bair is more of a politician and economist than a technologist.  Yet from an economic policy standpoint if the nation encounters more data breaches like this it could drive the cost of goods up thus forcing more costly and secure card payment products perhaps with biometrics on them.

Photos by Rick Busch.

Written by Jeremy Swenson (c)