<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>SedonaCyberLink</title>
	
	<link>http://sedonacyberlink.com</link>
	<description>Cyber Security for Sustainable Development</description>
	<lastbuilddate>Fri, 26 Apr 2013 15:53:17 +0000</lastbuilddate>
	<language>en-US</language>
	<sy:updateperiod>hourly</sy:updateperiod>
	<sy:updatefrequency>1</sy:updatefrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/Sedonacyberlink" /><feedburner:info uri="sedonacyberlink" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>Sedonacyberlink</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>A Preemptive Executive Order: Cybersecurity</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/4ZGMdbePoWg/</link>
		<comments>http://sedonacyberlink.com/?p=3554#comments</comments>
		<pubdate>Wed, 13 Feb 2013 15:33:58 +0000</pubdate>
		<dc:creator>Jane Ginn</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[advancement act]]></category>
		<category><![CDATA[agency procurement]]></category>
		<category><![CDATA[barack obama]]></category>
		<category><![CDATA[c reference]]></category>
		<category><![CDATA[civil liberties oversight board]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[executive order]]></category>
		<category><![CDATA[ginn]]></category>
		<category><![CDATA[incentives program]]></category>
		<category><![CDATA[infrastructure companies]]></category>
		<category><![CDATA[infrastructure sector]]></category>
		<category><![CDATA[national technology transfer]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[president authority]]></category>
		<category><![CDATA[private sector participation]]></category>
		<category><![CDATA[procurement standards]]></category>
		<category><![CDATA[regulatory cooperation]]></category>
		<category><![CDATA[state of the union]]></category>
		<category><![CDATA[state of the union address]]></category>
		<category><![CDATA[statutory citations]]></category>

		<guid ispermalink="false" isPermaLink="false">http://sedonacyberlink.com/?p=3554</guid>
		<description><![CDATA[<div>RSS feed from the SedonaCyberLink NewsBlog</div>Here is a link to the final Cybersecurity Executive Order signed by President Obama on February 12, 2013 with a summary of the key changes.  <div>Please feel free to comment on this article.  Comments are administered through Disqus.</div>]]></description>
				<content:encoded><![CDATA[<h3>by Jane Ginn</h3>
<p><a href="http://sedonacyberlink.com/wp-content/uploads/2013/02/StateOfUnion.jpg"><img class="alignleft size-medium wp-image-3555" alt="StateOfUnion" src="http://sedonacyberlink.com/wp-content/uploads/2013/02/StateOfUnion-300x171.jpg" width="300" height="171" /></a></p>
<p>President Barack Obama announced the signing of a cybersecurity Executive Order (EO) in his State of the Union address on Tuesday, February 12.  A copy of the final EO can be found at the White House site: <a title="Obama Cybersecurity Executive Order" href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity" target="_blank">here</a>.</p>
<p>I provided a detailed <a title="Draft Cybersecurity EO" href="http://sedonacyberlink.com/?p=3534" target="_blank">analysis</a> of an earlier draft on this blog.  Here is a quick summary of the key differences between my earlier analysis and this final version:</p>
<ul>
<li>Several specific statutory citations that give the President authority to act on the matter have been deleted in the final (Sec. 2 &amp; Sec. 4);</li>
<li>He makes reference to “expanding” rather than “developing” the Enhanced Cybersecurity Services Program under development by the Department of Defense (Sec. 4(c));</li>
<li>A section on consultation with civil liberties and privacy counsel within each of the critical infrastructure sector-specific agencies has been deleted from the final; instead, the Civil Liberties Oversight Board is to be consulted (Sec. 5(c));</li>
<li>NIST’s efforts to lead the development of a Framework are the same as in the draft, but NIST must also consider the provisions of the National Technology Transfer and Advancement Act of 1995 (Sec. 7);</li>
<li>The Secretary of DHS is to come up with an “incentives” program for private sector participation in the Voluntary Critical Infrastructure Cybersecurity program within 120 days, rather than 90 days (Sec. 8(d));</li>
<li>Federal agency procurement standards are to be “harmonized” with the cybersecurity requirements of this program (Sec. 8(e));</li>
<li>Critical infrastructure companies identified by the Secretary of DHS as being at the greatest risk are to be informed of the “basis of the determination” by the sector-specific agencies [language changed from sharing “relevant threat information”] (Sec. 9(c));</li>
<li>Reference to E.O. 13609 of May 1, 2012 on Promoting International Regulatory Cooperation was added, and the sector-specific agencies have 90 days rather than 60 days to act (Sec. 10(b)); and</li>
<li>Within a year after the publication of the final Framework, sector-specific agencies are to identify “inefficiencies” [rather than “duplicative”] in regulations (Sec. 10(c)).</li>
</ul>
<p>Although these changes are minor, they are also revealing as to how the agencies must have responded to the November draft.  First, several deadlines have slipped for the participating agencies. Second, there is a greater emphasis on the federal agency procurement process and the implications this E.O. might have for subcontracted services.  Third, with the added emphasis on technology transfer, technologies from the National Laboratories could be made more readily available to the private sector for commercialization.  Fourth, there is a new emphasis on international cooperation.</p>
<p>Finally, the subtle change in Sec. 9(c), which originally referenced sharing of “threat” information but in the final version references sharing of the “basis for the determination”, is very telling. The “threat” factor is just one of several inputs to a comprehensive risk assessment process. In generic terms, the characterization of assets (or “predisposing conditions”, as they are called in NIST 800-30), vulnerabilities, and impacts (with both a magnitude and a frequency measure) should also be included. Granted, the process that the President is asking Secretary Napolitano of the Department of Homeland Security to spearhead is at the <em><strong>macro-level</strong></em> (versus the company-specific or micro-level).  Nonetheless, the E.O. is very clear about specifying a “risk-based approach” to identify those companies and/or entities within one of the 18 identified critical infrastructure categories.  As such, it is likely that one or more of the commonly used risk-based approaches will be applied at the conceptual level to this macro-level analysis.</p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3554</wfw:commentrss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3554</feedburner:origLink></item>
		<item>
		<title>Communications Acceptable Use Policies: Some Cybersecurity Considerations</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/eS9qhYARRpY/</link>
		<comments>http://sedonacyberlink.com/?p=3548#comments</comments>
		<pubdate>Thu, 07 Feb 2013 17:38:56 +0000</pubdate>
		<dc:creator>Jane Ginn</dc:creator>
				<category><![CDATA[CyberPolicy]]></category>
		<category><![CDATA[acceptable use policies]]></category>
		<category><![CDATA[acceptable use policy]]></category>
		<category><![CDATA[bank secrecy]]></category>
		<category><![CDATA[banking and financial services]]></category>
		<category><![CDATA[communications devices]]></category>
		<category><![CDATA[comprehensive communications]]></category>
		<category><![CDATA[critical literature]]></category>
		<category><![CDATA[effective security]]></category>
		<category><![CDATA[employee communications]]></category>
		<category><![CDATA[financial services sector]]></category>
		<category><![CDATA[global business community]]></category>
		<category><![CDATA[hierarchical view]]></category>
		<category><![CDATA[intellectual property protection]]></category>
		<category><![CDATA[laughton]]></category>
		<category><![CDATA[legal liabilities]]></category>
		<category><![CDATA[malicious attacks]]></category>
		<category><![CDATA[personal activities]]></category>
		<category><![CDATA[proper netiquette]]></category>
		<category><![CDATA[successful management]]></category>
		<category><![CDATA[well construction]]></category>

		<guid ispermalink="false" isPermaLink="false">http://sedonacyberlink.com/?p=3548</guid>
<description><![CDATA[Managing employee communications devices in the always-connected global business community has become an important issue for information security personnel engaged in the design of effective security policies. A comprehensive Communications Acceptable Use Policy that addresses each issue systematically and is part of every employment agreement is important for success.]]></description>
				<content:encoded><![CDATA[<h3><em>by Jane Ginn</em></h3>
<p>Managing employee communications devices in the always-connected global business community has become an important issue for information security personnel engaged in the design of effective security policies (Kabay, 2009).  Key to successful management that avoids outbound data loss and leakage and inbound malicious attacks is buy-in and active participation by all corporate employees.  A comprehensive Communications Acceptable Use Policy (CAUP) that addresses each issue systematically and is part of every employment agreement is also important for success (Stewart, 2002). Select provisions of such an agreement should be part of all third-party contracts as well.</p>
<p><a href="http://sedonacyberlink.com/wp-content/uploads/2013/02/iStock_000017122593XSmall.jpg"><img class="alignleft size-medium wp-image-3552" alt="iStock_000017122593XSmall" src="http://sedonacyberlink.com/wp-content/uploads/2013/02/iStock_000017122593XSmall-300x300.jpg" width="300" height="300" /></a>Construction of a CAUP requires a working knowledge of the key issues that must be addressed (SANS, 2007). To be effective, the policy design should be clearly correlated with the company’s legal liabilities and use proper netiquette that is consistent with the corporate culture.  In the banking and financial services sector (BFSS) this will include considerations of intellectual property protection, bank secrecy/anti-fraud considerations, customer privacy and other issues (Grimm, 2010, March). This is especially important in the Bring Your Own Device (BYOD) era, where employees are increasingly blending business and personal activities through their communications devices (Roberts, 2012, October).</p>
<p>This paper will address some of the key components for constructing a CAUP for the BFSS.  Legal and regulatory constructs and case (i.e., common) law will be used to substantiate my list of key components.</p>
<p align="center"><b>Key Drivers</b></p>
<p>From a review of multiple CAUPs and the critical literature on the subject, P.A. Laughton developed a hierarchical view of the importance of key drivers for the design of a CAUP.  He found a wide range of examples that varied from being too vague to, conversely, too restrictive (Laughton, 2008, December). Importantly, he found that the evolving nature of Internet law means that CAUPs must be viewed as dynamic, living documents that must be revised to reflect the changing liabilities a company faces and the responsibilities employees must be informed of.</p>
<p>Important findings among the studies he reviewed included the work of Flowers and Rakes (2000).  They identified four generic areas that should be included in every CAUP: (1) liability issues and concerns; (2) online behavior; (3) system integrity; and (4) the quality of the content.  Flowers and Rakes’ “generic areas” were adapted by Laughton in designing the list of “drivers” for his hierarchical ranking.</p>
<p>In a separate, and somewhat playful, analysis, Scott and Voss suggest a Seven P’s Model: (1) participation; (2) partitioning; (3) philosophy; (4) privacy; (5) pernickety (do’s and do nots of the policy); (6) phog phactor (ways to improve readability and reduce legalistic jargon); and (7) publication (1994). Importantly for my analysis, Laughton uses their framework to inform his 2008 model.</p>
<p>Laughton also found that previous studies and surveys failed to rank the relative importance of the design drivers that should be dealt with in a CAUP.  He offers such a ranking based on the acceptability of the CAUP to user communities and his own expert opinion.</p>
<p>Figure 1 illustrates an adaptation of his hierarchical view that I have constructed. I have placed the most important driver at the top of the figure, with the remaining categories descending the stack in the order he ranked them.</p>
<p><b>Figure 1. Laughton’s Hierarchy of AUP Issues</b></p>
<div id="attachment_3550" class="wp-caption alignleft" style="width: 250px"><a href="http://sedonacyberlink.com/wp-content/uploads/2013/02/LaughtonFig1.jpg"><img class=" wp-image-3550 " alt="Click to enlarge" src="http://sedonacyberlink.com/wp-content/uploads/2013/02/LaughtonFig1-300x225.jpg" width="240" height="180" /></a><p class="wp-caption-text">Click to enlarge</p></div>
<p>In the years since Laughton developed his model, and as companies have become more adept at crafting effective policies, the statutory, regulatory and case law have evolved significantly.  In fact, in the United States, legal frameworks have emerged in all of the categories of drivers originally proposed by Laughton, especially in highly regulated industries such as the BFSS.</p>
<p>Table 1 lists some key examples specific to CAUP construction for the BFSS.</p>
<p><b>Table 1.  Laughton’s Drivers and Modern Legal Frameworks for the BFSS</b></p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" width="115"><b>Laughton’s Driver</b></td>
<td valign="top" width="240"><b>Statutory &amp; Regulatory Frameworks</b></td>
<td valign="top" width="283"><b>Examples of Case Law</b></td>
</tr>
<tr>
<td valign="top" width="115">Legal Drivers</td>
<td valign="top" width="240"><b><i>All laws and regulations listed </i></b></td>
<td valign="top" width="283"><b><i>All cases listed </i></b></td>
</tr>
<tr>
<td valign="top" width="115">Netiquette</td>
<td valign="top" width="240">Title VII of the Civil Rights Act of 1964, as Amended; Age Discrimination Act of 1967, as Amended; Americans With Disabilities Act of 1990, as Amended</td>
<td valign="top" width="283">Smith v. Pillsbury (on professionalism in Email)</td>
</tr>
<tr>
<td valign="top" width="115">Security</td>
<td valign="top" width="240">Gramm-Leach-Bliley Act (specific to BFSS) Safeguards Rule (on employee’s obligations to protect customer data); Sarbanes-Oxley (SOX) Section 404 Audits</td>
<td valign="top" width="283">Shoars v. Epson America (on monitoring of Email)</td>
</tr>
<tr>
<td valign="top" width="115">Privacy</td>
<td valign="top" width="240">Omnibus Crime Control and Safe Streets Act, Title III (on criminal investigation); Communications Assistance for Law Enforcement Act (on criminal investigations); Children’s Online Privacy Protection Act of 1998, as Amended; Red Flags Rule under the Fair and Accurate Credit Transactions Act of 2003; FINRA Notices 10-06 &amp; 11-39</td>
<td valign="top" width="283">Paul F. Ryan v. James F. Normandin (on invasion of privacy); York v. General Electric (on employee surveillance to be limited to public behavior); Rushing v. Hershey Chocolate (on routine drug screening); Double Click Inc. Privacy Litigation, [154 F. Supp. 2d 497, 502-03 (S.D.N.Y. 2001)]; 13 U.S. v. William Cannon; U.S. v. Ramos; People v. James D. Kent (on child pornography)</td>
</tr>
<tr>
<td valign="top" width="115">Organizational Property</td>
<td valign="top" width="240">Economic Espionage Act of 1996, as Amended; Computer Fraud and Abuse Act of 1986, as Amended by the USA PATRIOT Act;</td>
<td valign="top" width="283">LVRC Holdings v. Brekka (on business Email sent to personal laptop); Automatec Transactions, LLC v. IVG Holding Co. (on patent infringement); PhoneDog v. Kravitz (on follower list ownership); Litigation Mgt. Inc. v. Bourgeois (Ohio, 2011) (on non-competition); Walker Mfg. v. Hoffmann (on reverse engineering).</td>
</tr>
</tbody>
</table>
<p>What becomes clear from this sampling of legal, regulatory and case law citations is that, within each of the subordinate driver categories set forth by Laughton, these legal drivers are vital for the design and development of a CAUP.  Each one of the factors identified should be addressed from a legal, regulatory and case law point of view to avoid organizational liability, ensure customer and employee privacy, and protect the intellectual property of the enterprise. Therefore, the legal drivers should be envisioned as cross-cutting categories that apply to each of Laughton’s other key drivers.</p>
<p>I would recommend an alternative “hierarchy” to the one proposed by Laughton, as shown in Figure 2, below.  In my model all four of Laughton’s categories are subjected, systematically, to a review of the legal, regulatory and case law history. Also notice that the order of the ranking has changed to illustrate the emphasis placed on security, privacy and intellectual property protection within the BFSS.  For example, Netiquette, although an important factor for guiding the readability of the CAUP, is less important in this sector, given the legal liabilities companies face.</p>
<p><b>Figure 2. Ginn’s Model of Design Drivers for a CAUP for the BFSS</b></p>
<div id="attachment_3551" class="wp-caption alignleft" style="width: 250px"><a href="http://sedonacyberlink.com/wp-content/uploads/2013/02/Slide1.jpg"><img class=" wp-image-3551" alt="Slide1" src="http://sedonacyberlink.com/wp-content/uploads/2013/02/Slide1-300x225.jpg" width="240" height="180" /></a><p class="wp-caption-text">Click to enlarge</p></div>
<p>Below are some examples of how these legal directives relate specifically to the concerns of companies within the BFSS.  I have used only a small sample of the laws and cases cited in Table 1, above.</p>
<p><b>Security</b></p>
<p>Parties regulated under the Gramm-Leach-Bliley Act (GLBA) must protect against unauthorized access, ensure the security and confidentiality of customer records and information, and protect against any anticipated threats or hazards to the security or integrity of records.  The Safeguards Rule, issued under the authority of GLBA, states that BFSS firms must develop, implement, and maintain a comprehensive information security program that is written in “one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to its size and complexity” (FTC, 2002, May 23). A key consideration for the CAUP designer will be <i>how</i> to communicate this program to all employees so that they have a stake in the total security management program.  This is where awareness training becomes an integral part of the implementation process.</p>
<p>The Shoars v. Epson America case cited in Table 1 illustrates this point.  In this 1994 case the plaintiff alleged that her termination occurred in retaliation for her reporting of, and refusal to go along with, interception of her Email, based on prohibitions concerning wiretapping and eavesdropping.  A comprehensive training program and a well-designed CAUP that made the employee a partner in information security could have alerted her to the practice of company monitoring of Email communications within a less adversarial context.  It is possible that such a training program could have helped Epson avoid this lawsuit.</p>
<p><b>Privacy</b></p>
<p>In my review of the privacy-related case law the majority of the cases involved enforcement action under the Children’s Online Privacy Protection Act (COPPA).  At a minimum a CAUP should specify acceptable employee behavior online regarding children’s privacy.  For purposes of this law, a child is defined as a minor under 13 years old.</p>
<p>There are, however, many other privacy-related provisions that are more central to management considerations in the BFSS.  Many of these are cited in the Privacy section of Table 1. Note that several of these laws are tied to criminal investigations in the event of white collar crime and fraud.  Forensic investigators of BFSS incidents need to know when and how their investigations can be questioned and/or evidence excluded from a court proceeding because an accused party’s right to privacy has been invaded.</p>
<p><b>Organizational Property</b></p>
<p>In September of 2011 a Grand Jury in Illinois indicted Chunlai Yang in a case involving intellectual property infringement (U.S. District Court, 2011, September).  The defendant had been an employee of the CME Group, a company that operated an electronic trading platform called Globex.  During his employment he routinely copied proprietary source code for his own personal use.  He later opened a Chinese language trading platform that closely resembled the business logic of the Globex platform.  The plaintiffs successfully prosecuted the case, and Yang was ordered to pay compensation to his former company and turn over all corporate assets he had confiscated in the course of his employment (ibid., p.11).</p>
<p>BFSS firms which develop proprietary business processes as account enhancements own these assets.  These assets can give them a competitive edge in an industry with thin profit margins. This case offers one example of how case law is evolving in the area of intellectual property protection.</p>
<p><b>Netiquette</b></p>
<p>In an interview with the CISO of a major stock brokerage, the importance of the readability of the CAUP was emphasized.  He stated, “<i>Since policies and awareness of the policies exist to reduce risk by controlling behavior, the workforce needs clear, readable policy language.  Policy language, style, and tone will vary coordinating to company culture.  This should be expected, and the content should be reviewed annually</i>” (personal communication, January 9, 2013).</p>
<p align="center"><b>Purpose of Communications Acceptable Use Policies</b></p>
<p>The importance of a well-crafted CAUP cannot be overstated.  This paper has emphasized the role of legal, regulatory and case law in defining the drivers that will inform the wording of a CAUP.</p>
<p>But beyond the identification of the legal, regulatory, and case law drivers discussed in this paper, there is the crafting of the metrics used to measure and record compliance.  This was emphasized in my interview with the CISO: <i>The area to focus on is the compliance measure and associated metrics.  When implementing any compliance program, 100% compliance is always the goal, but perfection is difficult to obtain.  So there must be acceptable, marginal, and unacceptable percentages of employees successfully completing the required policy awareness learning module.  Start on solid footing and encourage HR to require that employee goal setting/evaluation include adherence to required modules. </i>(personal communication, January 9, 2013).</p>
<p>Two researchers from St. John’s University have recently developed a schema for designing approaches to deter the use of business assets for personal activities (Ugrin, 2008, Winter). Subsequent work on the development of a comprehensive CAUP should also include discussion of these types of methods for gauging conformance and shaping employee behaviors.</p>
<p align="center"><b>Conclusions</b></p>
<p>This paper has emphasized the role of statutes, regulations and case law in the design and development of a comprehensive CAUP.  I have illustrated how a clear understanding of the specific issues within each of four areas can help to craft a document that can have the force of law if challenged in court. These are: (1) security; (2) privacy; (3) organizational property; and (4) netiquette.  Although legal issues must be dealt with in a clear and concise manner, it is also important that the wording of the CAUP be understandable by all of the employees and/or contractors subject to its provisions.  And, for the CAUP designer, the careful construction of metrics for measuring conformance will be most important for establishing a consistent and enforceable CAUP.  The next steps for designing a comprehensive CAUP will be to specify such metrics and measures that correlate specifically to the types of legal considerations outlined in this paper.</p>
<p align="center"><b>References</b></p>
<p>Children’s Online Privacy Protection Act, 15 U.S.C. 6501-6506 (Pub. L. 105-277) (1998).</p>
<p>Flowers, B., Rakes, G. (2000). Analyses of acceptable use policies regarding the Internet in selected K-13 schools. <i>Journal of Research on Computing in Education, 32(3)</i>, 351-365.</p>
<p>FTC,<i> Standards for safeguarding customer information: Final rule</i>, 16 C.F.R. § Part 314 (2002, May 23).</p>
<p>Gramm–Leach–Bliley Act [GLBA], Pub. L. No. 106-102, 113 U.S.C., § 1338 <i>et seq.</i> Stat. (1999, November 12).</p>
<p>Grimm, J. R. (2010, March). Intellectual property crimes. <i>American Criminal Law Review, 47(2)</i>.</p>
<p>Kabay, M. E., Kelly, S. (2009). Developing security policies. In S. Bosworth, M. E. Kabay, &amp; E. Whyne (Eds.), <i>Computer Security Handbook (5th ed.)</i>. Hoboken, NJ: John Wiley &amp; Sons, Inc.</p>
<p>Laughton, P. A. (2008, December). Hierarchical analysis of acceptable use policies. <i>InterWord Communications, Vol. 10(4)</i>.</p>
<p>Roberts, P. (2012, October). Holes in BYOD: Are your security policies up to the challenge of a bring-your-own-device world? <i>Dark Reading</i>. Retrieved from <a href="http://www.darkreading.com/security/news/240008838/byod-filling-the-holes-in-your-security-policy.html">http://www.darkreading.com/security/news/240008838/byod-filling-the-holes-in-your-security-policy.html</a></p>
<p>SANS. (2007).<i> Information security guide: A development guide for large and small companies</i>. Information Security Reading Room.</p>
<p>Sarbanes–Oxley Act [SOX], Pub. L. No. 107-204, 116, § 745 <i>et seq.</i> Stat. (2002, July).</p>
<p>Scott, V., Voss, R. (1994). Ethics and the 7 P’s of computing use policies. <i>Ethics in Computing Age</i>, 61-67.</p>
<p>Shoars v. Epson America, Case No. BC007036, Los Angeles County Superior Court (1994).</p>
<p>Stewart, F. (2002). Internet acceptable use policies: Navigating the management, legal, and technical issues. Ch. 31 in <i>The Privacy Papers: Managing Technology, Consumer, Employee, and Legislative Actions</i>. Zug, Switzerland: CRC Press, LLC.</p>
<p>U.S. v. Chunlai Yang, Violation: Title 18, U.S.C. § 1832(a)(2) and (a)(4) C.F.R. (2011, September).</p>
<p>Ugrin, J. C., Pearson, M.J. (2008, Winter). Exploring Internet abuse in the workplace: How can we maximize deterrence efforts? <i>Review of Business, 28(2)</i>. Retrieved from <a href="http://www.freepatentsonline.com/article/Review-Business/184710901.html">http://www.freepatentsonline.com/article/Review-Business/184710901.html</a></p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3548</wfw:commentrss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3548</feedburner:origLink></item>
		<item>
		<title>Why does a person need an AR15 Anyway?</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/BMpWZ77qj9I/</link>
		<comments>http://sedonacyberlink.com/?p=3544#comments</comments>
		<pubdate>Fri, 25 Jan 2013 00:02:41 +0000</pubdate>
		<dc:creator>Tommy Acosta</dc:creator>
				<category><![CDATA[Politics]]></category>
		<category><![CDATA[acts of violence]]></category>
		<category><![CDATA[ar15]]></category>
		<category><![CDATA[automatic weapon]]></category>
		<category><![CDATA[cataclysm]]></category>
		<category><![CDATA[collapse]]></category>
		<category><![CDATA[cyber attack]]></category>
		<category><![CDATA[distinct answers]]></category>
		<category><![CDATA[handgun]]></category>
		<category><![CDATA[killings]]></category>
		<category><![CDATA[military law enforcement]]></category>
		<category><![CDATA[mobs]]></category>
		<category><![CDATA[piers morgan]]></category>
		<category><![CDATA[satisfactory answer]]></category>
		<category><![CDATA[second amendment]]></category>
		<category><![CDATA[solar flare]]></category>
		<category><![CDATA[sun spot]]></category>
		<category><![CDATA[superior firepower]]></category>
		<category><![CDATA[total chaos]]></category>

		<guid ispermalink="false" isPermaLink="false">http://sedonacyberlink.com/?p=3544</guid>
		<description><![CDATA[<div>RSS feed from the SedonaCyberLink NewsBlog</div>The need to own a gun, versus the desire to own a gun are two very different things.  <div>Please feel free to comment on this article.  Comments are administered through Disqus.</div>]]></description>
				<content:encoded><![CDATA[<h4>In The Political Ring with Tommy Acosta</h4>
<p>This is the question CNN’s Piers Morgan keeps asking over and over again but no one gives him a satisfactory answer.</p>
<p>The reason for this is the question requires two distinct answers because it’s really two questions in one.</p>
<p>There is the “need” a person has to possess such a weapon; the <i>desire</i> to own one, that is.</p>
<p>And there is the question of whether an automatic weapon is “needed” to defend oneself.</p>
<h3><strong>Need</strong></h3>
<p>Let’s consider question number one. Why does a person need an AR15 anyway?</p>
<p><a href="http://sedonacyberlink.com/?attachment_id=3545" rel="attachment wp-att-3545"><img class="alignleft size-medium wp-image-3545" alt="assault rifle" src="http://sedonacyberlink.com/wp-content/uploads/2013/01/iStock_000012726203XSmall-300x216.jpg" width="300" height="216" /></a>Aside from hunters, the military, law enforcement, collectors, people who just love to pull triggers, tear up targets and feel the kick of a boom, Second Amendment patriots that believe it is their duty and right as Americans to be armed and of course criminals, for most others who buy or have guns, fear is the motivating factor &#8212; the fear of someone out there, especially a bad guy, having a bigger gun than you.</p>
<p>Seeing gun killings on TV or in movies, whether in the news or just entertainment, those that consider the possibility of such profound acts of violence happening to them in real life feel less threatened having weapons of equal or superior firepower to what they see is out there.</p>
<p>Whether the need is based on reality is not at issue. What matters is they believe in their hearts an AR15 will make them safer and therefore they need it.</p>
<p><em><strong>Survival-Based Scenarios</strong></em></p>
<p>There are numerous types of survival-based scenarios inflaming the need for superior firepower.</p>
<p>Some believe a cataclysm, like a collapse of the Internet due to an anonymous cyber attack would create total chaos that would turn ordinary, law-abiding people into criminals.</p>
<p>People caught off guard with no stocked provisions will form mobs and ransack homes. Lawlessness will rule. An AR15 is a better defense against a mob than a handgun.</p>
<p>There’s the fear an X-class solar flare will erupt when the giant sunspot lines itself up with the earth sometime this year, knocking out everything that is moved by electricity and plunging the planet into a darkness that may take decades to end.</p>
<p>Then there are those that believe China will invade us to collect the money we owe them if we default and still others believe a criminal element has taken over the governments of the world, including our own, and are planning to completely subjugate the human species once and for all by disarming them and ruling with an iron fist.</p>
<p>So these are a few real or imaginary reasons people feel they “need” to have an AR15 rifle.</p>
<h3><strong>Desire</strong></h3>
<p>Let’s consider the second question. Why does a person need an AR15 anyway? Or, does a person need more than a handgun to protect themselves and their family?</p>
<p>The number of assailants, the amount and type of arms they carry, the number of bullets in the clips, the skill of the shooters, the cleanliness of the weapon, who has the drop on whom, how near one is to their weapon, whether the weapons are loaded, marksmanship and the ability to stay cool and aim properly under stress all come into play in answering that question.</p>
<p>In the realm of physics, considering all of the aforementioned factors, it boils down to a matter of how many bullets one has at their disposal and how fast they can fire them in a firefight.</p>
<p><em><strong>Visualizations</strong></em></p>
<p>Let’s proceed with some visualization to better understand the dynamics of the answer.</p>
<p>Imagine we live in a perfect gun-controlled world.</p>
<p>The government has gotten so efficient every single semi-automatic weapon has been taken away. Not even the criminals on the streets have them anymore.</p>
<p>Three bad guys decide to rob a house in a nice middle-class neighborhood where, unbeknownst to them, the owner happens to have a handgun with a standard seven-round magazine, as limited by law.</p>
<p>Each of the bad guys has a gun. Same clip capacity and fully loaded. They break in, only to come face to face with the man shakily aiming his gun at them.</p>
<p>They weigh the odds and whip out their own guns.</p>
<p>One of the thieves pulls the trigger missing the man. The man fires off a couple of shots, hitting one thief and grazing another.</p>
<p>A wild firefight ensues. The thieves discharge 20 rounds and the homeowner fires five more. The smoke clears.</p>
<p>The homeowner, who is wounded, is crawling towards the kitchen where he keeps his extra clips hidden. Seeing the man’s gun is empty, with one last round in his own gun, the leader of the thieves calmly walks over to him.</p>
<p>He grabs the homeowner by the shoulder and flips him on his back.</p>
<p>“I got one bullet left in this puppy,” he sneers, “and I saved it for you.”</p>
<p>He pulls the trigger and takes the man out with one last bang.</p>
<p>Upstairs, they hear the crying of the man’s wife and daughter. They hesitate, consider their options but luckily for the dead man’s family, they grab their wounded accomplice and run out before the police arrive.</p>
<p>Now, let’s assume the man protecting his home just happened to have a fully-loaded AK47 handy that the government missed in their sweeps.</p>
<p><strong><em>Let’s replay the scene.</em></strong></p>
<p>The bad guys scope the house and break in. They come face-to-face with the homeowner who happens to be hefting the fearsome, battle-hardened semi-automatic, casually pointing it at their mid-sections.</p>
<p>The thieves gawk at the AK47 with the big fat banana clip. They know they are outgunned.</p>
<p>They smile sheepishly. They slowly put their hands up and walk backwards out of the house figuring the homeowner won’t fire unless totally necessary to avoid hassles with the cops.</p>
<p>They split, never to come back. In such a scenario, clearly, having a semi-automatic rifle is better than not having one.</p>
<p>So there it is.</p>
<p>People “need” to possess AR15s for various personal reasons and desires, based on facts or fiction. AR15s are “needed” to repel attacks by multiple armed assailants.</p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3544</wfw:commentrss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3544</feedburner:origLink></item>
		<item>
		<title>By the Law of Averages: It’s OK to be Average Sometimes!</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/kbSDA2c8fRo/</link>
		<comments>http://sedonacyberlink.com/?p=3542#comments</comments>
		<pubdate>Thu, 24 Jan 2013 19:43:56 +0000</pubdate>
		<dc:creator>Janaki Rajagopalan</dc:creator>
				<category><![CDATA[Human Resources]]></category>
		<category><![CDATA[ascent]]></category>
		<category><![CDATA[average joe]]></category>
		<category><![CDATA[brutal force]]></category>
		<category><![CDATA[bully]]></category>
		<category><![CDATA[competitiveness]]></category>
		<category><![CDATA[dissection]]></category>
		<category><![CDATA[failure is not an option]]></category>
		<category><![CDATA[fallen idol]]></category>
		<category><![CDATA[ferocity]]></category>
		<category><![CDATA[fixation]]></category>
		<category><![CDATA[lance armstrong]]></category>
		<category><![CDATA[loser]]></category>
		<category><![CDATA[losers]]></category>
		<category><![CDATA[parachute]]></category>
		<category><![CDATA[positive thought]]></category>
		<category><![CDATA[relook]]></category>
		<category><![CDATA[safety net]]></category>
		<category><![CDATA[self confidence]]></category>

		<guid isPermaLink="false">http://sedonacyberlink.com/?p=3542</guid>
		<description><![CDATA[<div>RSS feed from the SedonaCyberLink NewsBlog</div>When competitiveness turns into a brutal force that decimates competition instead of overtaking it; when it mercilessly rapes the self-confidence of those who want no part of this race instead of letting them be – it is time for a relook.<div>Please feel free to comment on this article.  Comments are administered through Disqus.</div>]]></description>
				<content:encoded><![CDATA[<h4>By: Janaki Rajagopalan</h4>
<p><i>“I was a bully…”</i></p>
<p><i>“A ruthless desire to win at all costs…”</i></p>
<p><i>“…did not feel bad…did not feel wrong…did not feel I was cheating…”</i></p>
<p>These are some of Lance Armstrong’s quotes that have hit the headlines following his recent confessional interview. Amidst the ‘free-for-all’ dissection of this fallen idol, there is one positive thought that hits me – thank God for the non-flamboyant average Joe who gives his all to excellence, without losing his soul to be perfect or the winner, come what may!</p>
<p>Our culture seems to be obsessed with winning. ‘Do whatever it takes to win’ – we hear it at school, at college, at work, in business. Does it signify positive determination? When and how does it then slide to the inflexible “Failure is not an option”? Or to the dangerous “If you are not willing to skirt the edges, then you do not want to win bad enough”? Or to the condemned “You are a loser if you don’t win”?</p>
<p><a href="http://sedonacyberlink.com/?attachment_id=3543" rel="attachment wp-att-3543"><img class="size-medium wp-image-3543 alignright" alt="iStock_000000808655XSmall" src="http://sedonacyberlink.com/wp-content/uploads/2013/01/iStock_000000808655XSmall-300x199.jpg" width="300" height="199" /></a>Sure, competition is healthy. It fosters efficiency, productivity, increased choices and perhaps an improved standard of living. Sure, there is something to be said for stretching your boundaries. It fulfills you and lends pride to the achievement. But when competitiveness turns into a brutal force that decimates competition instead of overtaking it; when it mercilessly rapes the self-confidence of those who want no part of this race instead of letting them be – it is time for a relook.</p>
<p>Most mountain-climbing accidents, they say, happen on the descent.  Not surprising at all! When ferocity is the only emotion in the armory during ascent, the descent does tend to get catastrophic without the gentler strings of the parachute! An irrational fixation on outcomes alone leaves us dangerously stranded without the safety net of integrity.</p>
<p>Let me get a little cheeky and say – ‘winning at any cost is for losers!’ The price to be paid anyway makes them internally bankrupt. Why look for a sharp edge only to bleed by it? “Fire-in-the-belly”?  Ulcer is the only visual I can conjure for this inane phrase!</p>
<p>So my friends, I am not going to delude myself that I will bring 100% perfection to all that I do. Maybe I will allow the heart to lose a little, let go a little, and not give a hoot a little if some of what I do is average. In fact I am going to find at least one activity a day that I do not need to do my best. If McDonald’s can respect the need for and succeed on the ‘quick-and-average’ philosophy, I ain’t reinventing the wheel!</p>
<p>At least this way, I will clearly see the lines I will not cross to win at any cost.</p>
<p>For you see, even with a noble vision, the truth is we sometimes need nothing beyond the simplicity of the moment!</p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3542</wfw:commentrss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3542</feedburner:origLink></item>
		<item>
		<title>The U.S. Government’s Top Priority for 2013; Or, it should be…</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/f3HyQ9GyoMA/</link>
		<comments>http://sedonacyberlink.com/?p=3534#comments</comments>
		<pubdate>Mon, 31 Dec 2012 19:23:04 +0000</pubdate>
		<dc:creator>Jane Ginn</dc:creator>
				<category><![CDATA[CyberPolicy]]></category>
		<category><![CDATA[cloture]]></category>
		<category><![CDATA[congressional representatives]]></category>
		<category><![CDATA[critical analysis]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[executive order]]></category>
		<category><![CDATA[federal networks]]></category>
		<category><![CDATA[information protection]]></category>
		<category><![CDATA[joseph lieberman]]></category>
		<category><![CDATA[partisan group]]></category>
		<category><![CDATA[partisan politics]]></category>
		<category><![CDATA[policy directive]]></category>
		<category><![CDATA[protection act]]></category>
		<category><![CDATA[public appeal]]></category>
		<category><![CDATA[select committee]]></category>
		<category><![CDATA[senate bill]]></category>
		<category><![CDATA[senate version]]></category>
		<category><![CDATA[wall street journal]]></category>

		<guid isPermaLink="false">http://sedonacyberlink.com/?p=3534</guid>
		<description><![CDATA[<div>RSS feed from the SedonaCyberLink NewsBlog</div>An analysis of the Obama Administration draft cybersecurity Executive Order.<div>Please feel free to comment on this article.  Comments are administered through Disqus.</div>]]></description>
				<content:encoded><![CDATA[<h4><em><strong>by Jane Ginn</strong></em></h4>
<p>On April 26, 2012 the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). It was referred to the Senate’s Select Committee on Intelligence on May 7<sup>th</sup> (Sottek, 2012, April 26). The Senate version was sponsored by a bi-partisan group of Senators, led by Joseph Lieberman (I-CT) (Lieberman, 2012, July 23). Shortly after this, President Obama offered commentary on the cybersecurity risks posed to the nation in an Op-Ed article published in the Wall Street Journal (Obama, 2012, July 19). Called the Cybersecurity Act of 2012, the Senate version (S.3414-112th Congress) significantly expanded the scope, making it a more comprehensive approach.<sup>[i]</sup> However, it failed cloture in the Senate on August 2<sup>nd</sup>, even after the President’s public appeal (GovTrack.us, 2012).</p>
<p>As a result of this, the Obama Administration began external review of an Executive Order (EO) to accomplish some of the same objectives (Economist, 2012, December 8th-14th). Concurrent with this, the Administration issued a classified Presidential Policy Directive (PPD-20) that “establishes guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber-attacks” (Verton, 2012). This latter, classified action raised criticism from Congressional representatives and some in the press (<i>ibid</i>.).</p>
<p><a href="http://sedonacyberlink.com/?attachment_id=3535" rel="attachment wp-att-3535"><img class=" wp-image-3535 alignright" alt="White House" src="http://sedonacyberlink.com/wp-content/uploads/2012/12/iStock_000002863367XSmall-300x199.jpg" width="300" height="199" /></a>Given the partisan politics of the 112<sup>th</sup> Congress, and against the backdrop of escalating cybersecurity concerns, the Obama Administration decided to take preemptive action to issue PPD-20 and subject its own unclassified EO to critical analysis and review (White House, 2012, November 21). The design of the Administration’s EO, although greatly streamlined from the Senate bill version, includes explicit provisions on information protection, the subject of this analysis. Specifically, I will discuss the provisions for the protection of private sector information within the banking and financial services sector (BFSS) as defined by the U.S. Department of Homeland Security (DHS).<sup>[ii]</sup> Importantly, I will draw upon recommendations by a key private sector BFSS council and interview results from professionals in the BFSS in drawing my own conclusions.</p>
<p align="center"><b>Summary of CISPA</b></p>
<p>H.R.2523 was sponsored by Michigan Representative Mike Rogers (R) and co-sponsored by 112 others (86 Republicans and 26 Democrats). The main thrust of CISPA was to establish a framework for information sharing between government agencies and private sector entities designated as meeting the definition of critical infrastructure companies or utilities. It defined key terms, exempted shared information from the Freedom of Information Act (FOIA), called for an annual report to Congress from the Inspector General of the intelligence community and called for establishment of metrics on gauging the success of civil liberties and privacy protections (Rogers, 2012, April 26).</p>
<p align="center"><b>Protection of Information in S.3414</b></p>
<p>Lieberman’s bill, S.3414, was methodically constructed to provide a comprehensive framework for research and development, public/private sector information sharing, education and awareness, international cooperation, and an approach to how the U.S. critical infrastructure would be affected by cybersecurity considerations.<sup>[iii]</sup> But, beyond this, S.3414 would have established a National Cybersecurity Council (Sec. 101), provided for an inventory of critical infrastructure resources (Sec. 102), streamlined and coordinated U.S. federal agency activities on cybersecurity (Sec. 201), and established a mechanism for the protection of information submitted voluntarily by companies within one or more of 18 critical infrastructure sectors (Sec. 106). It goes far beyond CISPA in establishing a workable cybersecurity institutional infrastructure.</p>
<p>The public policy design of the Lieberman bill clearly reflects aspects of the approach outlined in a strategic planning document produced by the DHS in 2009, the <i>National Infrastructure Protection Plan</i> (Chertoff, 2009), called for by Homeland Security Presidential Directive-7 (HSPD-7) (Bush, 2003, December 17). It built on and expanded the work of DHS in outlining a method for improving U.S. critical infrastructure protection.</p>
<p>A key sticking point for the 112<sup>th</sup> Congress debate on S.3414 between Senate Democrats and Republicans was whether or not information sharing by private sector owners of critical infrastructure assets would be mandatory or voluntary. Compromise language established that it would be voluntary as defined by “Section 214 of the Homeland Security Act of 2002 (6 U.S.C. 133)”, which was consistent with the version of CISPA that passed the House.<sup>[iv]</sup></p>
<p>Other issues revolved around: (1) liability protections for individuals within private companies acting in good faith to share threat information; (2) participating companies seeking to avoid antitrust actions; (3) incentives to be offered to companies to encourage participation in the information sharing programs; and (4) efforts to reduce administrative burdens on those in the private sector that would elect to participate.</p>
<p>On November 14, a second cloture motion on S.3414 was rejected and the bill was unable to make it to the floor for a vote (GovTrack.us, 2012).</p>
<p align="center"><b>Overview of Cybersecurity EO</b></p>
<p>During the time Congress was debating S.3414, President Obama issued a draft cybersecurity EO to 28 members of his administration for review (McKeon, 2012, September 28). This version closely reflected the Lieberman bill language. Figure 1 provides a high-level overview of the proposed implementation process.</p>
<p>I have illustrated:</p>
<ul>
<li>How the Director of National Intelligence will provide guidance to create unclassified versions of documents on critical infrastructure documents (consistent with several CISPA provisions);</li>
<li>How the Secretary of the U.S. Department of Commerce will direct the Director of the National Institute of Standards and Technology (NIST) to define a baseline framework to reduce cyber risk; and</li>
<li>How the Secretary of DHS will initiate a consultation process with the private sector and, ultimately, establish a public/private Critical Infrastructure Partnership Advisory Council (CIPAC).</li>
</ul>
<p><b>Figure 1. Cybersecurity EO Implementation Process</b></p>
<div id="attachment_3536" class="wp-caption alignleft" style="width: 310px"><a href="http://sedonacyberlink.com/?attachment_id=3536" rel="attachment wp-att-3536"><img class="size-medium wp-image-3536" alt="SCL-CS-EOarticle1" src="http://sedonacyberlink.com/wp-content/uploads/2012/12/SCL-CS-EOarticle1-300x223.jpg" width="300" height="223" /></a><p class="wp-caption-text">Click on Image to Enlarge</p></div>
<p>I have also shown how the various steps come together sequentially to roll-out the voluntary Enhanced Cybersecurity Services Initiative (the heart of the program).  Also shown is how the information sharing process will help identify companies that have been determined to be at the “greatest risk.”</p>
<p>The draft cybersecurity EO public policy objectives are two-fold:  1) to expedite coordinated action on further cyber security assessment and remediation efforts, and 2) to establish a framework for public/private collaboration. Many of the other provisions of CISPA and S.3414, including liability protection for individuals and corporations are missing.  Given the timing of the issuance of the draft EO, and the bare bones framework, it might be that the Administration is using this version to apply political pressure on the members of the Senate to take proactive action on real and present cybersecurity threats.</p>
<p><b>Implications for the Banking and Financial Services Sector</b></p>
<p>Information assurance for the BFSS has matured over the past few decades due, in part, to domestic standards such as the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule at 16 CFR 314 and Privacy Rule at 16 CFR 313. GLBA regulated parties must protect against unauthorized access, insure the security and confidentiality of customer records and information, and protect against any anticipated threats or hazards to the security or integrity of records.<sup>[v]</sup></p>
<p>In addition, the requirements of the Federal Financial Institutions Examination Council (FFIEC) rules govern how information assurance programs for the BFSS are designed and implemented. The FFIEC established important standards regarding accessibility, authentication, confidentiality, non-repudiation, accountability, and record-keeping aimed at best management practices for safeguarding against fraud and cyber-crime (FFIEC, 2012, June 28).<sup>[vi]</sup></p>
<p>Some information security analysts also claim that the regulatory compliance requirements of Section 404 Audits of the Sarbanes-Oxley Act of 2002 (SOX) have had a bearing on how companies apply security measures. As noted by a specialist cybersecurity attorney, “SOX is about internal controls for financial reporting; it is not about protection of assets or business continuity.  To single out SOX as a significant vehicle for promoting national cyber security is a misunderstanding” (personal communication, December 26, 2012).</p>
<p>Nonetheless, SOX introduced accounting reform including provisions for quality control and independence of standards and rules, which has had bearing on how information assurance programs within the BFSS are implemented (Herold, 2006).</p>
<p>When these three programs are combined, the aggregate rules provide significant regulatory guidance to companies within the BFSS. An emerging consensus within the sector is that certain provisions of CISPA, S.3414 and the cybersecurity EO would be redundant and might even conflict with some of these existing programs.</p>
<p>If the Obama Administration EO is signed, a series of steps relating to civil liberties, privacy and business confidentiality would be undertaken. A short discussion of some of the key issues follows.</p>
<p><b>Civil liberties protection. </b>U.S. civil liberties scholars point out that an individual has a right to a reasonable expectation of privacy when browsing to sites on the Internet, sending emails, participating in chat rooms, and engaging in interactions on the various social media platforms (MacKinnon, 2012, p. 88 <i>et seq</i>.). This expectation stems from the Fourth Amendment to the U.S. Constitution as contained in the Bill of Rights. In the U.S. and other Western countries with Constitutional protections this has come to be interpreted as a right to engage anonymously in any or all of these forums. Advocates of anonymity promote the use of The Onion Network (TOR) [see: <a href="http://www.torproject.org/">www.torproject.org</a>] to facilitate anonymous Internet activities. TOR traffic uses encrypted packets that pass through at least three proxy servers before being forwarded on to the destination Internet Protocol (IP) address.</p>
<p>Critics of anonymity on the Internet acknowledge that, although the U.S. founding fathers used anonymity to protect life and limb during the run-up to the revolutionary war (e.g., in <i>The Federalist Papers</i>), the use of unattributed speech on the Internet has had some negative effects.  They note the use of cyber bullying, the use of vicious verbal attacks, the use of false rumors to influence group behavior and other troubling effects (MacKinnon, 2012).  While acknowledging these negative effects, civil liberties advocates still believe that the net benefit of anonymity outweighs the net loss that could accrue if citizens were not able to comment without fear of reprisal.</p>
<p>As a point of contrast between the Obama Administration’s approach to anonymity as a civil liberty and the Chinese government’s approach, the recently installed Chinese National People’s Congress just released new regulations governing registration for online services for Chinese citizens. It is now prohibited to obtain any services without registering under one’s full name; and the Internet Service Providers (ISPs) have been designated as the entities responsible for policing this new requirement (Bradsher, 2012, December 28).</p>
<p><b>Censorship.</b> Censorship is another difficult issue that civil libertarians are concerned about where the U.S. and Chinese approach contrasts sharply. The foundational principles of the Internet as currently governed by various multi-stakeholder entities including the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Engineering Task Force (IETF) are based on the idea of the free flow of information. China’s approach has been one that carefully monitors Internet traffic through the “Great Chinese Firewall” actively censoring sites that do not conform to pre-approved visions of official truth (MacKinnon, 2012).</p>
<p>This contrasts sharply with official policy of the U.S. government. U.S. constitutional lawyer Lee Bollinger argues that: “Political majorities and government officials cannot be trusted to exercise the power of censorship in a moderate fashion. Intolerance is natural, especially in times of stress” (<i>ibid</i>., p. 89). U.S. advocates of an uncensored Internet frequently point to the human rights abuses in the Chinese system to warn against the use of censorship over content. In fact, the U.S. Ambassador to the December, 2012 International Telecommunications Union conference in Dubai, U.A.E. was recently quoted as stating: “the United States remains fully committed to the values of freedom of expression and the free flow of information and ideas on the Internet” (Kramer, 2012, December 13).</p>
<p><b>Privacy.</b> Closely tied to the Fourth Amendment concerns is the issue of privacy. Privacy is an even more important issue within the BFSS due to the legal liabilities of unauthorized release of personally identifiable information (PII). The National Conference of State Legislatures provides a listing of all of the State security breach notification laws that are in force in the U.S.<sup>[vii]</sup> CISPA called for specific exclusions of certain types of documents on browsing behavior of individuals under investigation for an Internet-related crime. Such exclusions would include PII from library records, gun purchase records, and health records, among others (Rogers, 2012). This provision was not in the Senate version or the draft EO. Nor does it reflect issues more closely associated with cyber security investigation practices. For example, browsing history and website registration information would be a more accurate reflection of a user’s recent actions.</p>
<p><b>Business confidentiality.</b> The draft cybersecurity EO also calls for Obama Administration officials to conduct a review of business confidentiality issues that would stem from the proposed Enhanced Cybersecurity Services Initiative. This would address the concerns of many who cite intellectual property protection issues as a reason for choosing <b><i>not</i></b> to voluntarily participate. These issues and others would be put under review as part of the Obama EO process on civil liberties and privacy.</p>
<p><b>Proposed Implementation Process for Civil Liberties and Privacy Review</b></p>
<p>The review that would be required by the draft cybersecurity EO, as shown in Figure 2, varies slightly from the approach taken in S.3414. The EO calls for the privacy and civil liberties reviews to be initiated by the sector-specific agencies. These sector-specific agencies would have more in-depth knowledge of the vulnerabilities and attack vectors for companies within their sectors; however, civil liberties might not necessarily be a high priority for them. In contrast, the more centralized approach, as outlined in the Lieberman bill, would ensure that these concerns would be handled comprehensively through a single Privacy Officer who reports to the Secretary of DHS.</p>
<p>As the designated sector-specific agency for the BFSS, the Department of the Treasury would conduct the primary review for this sector. Treasury would also work closely with all of the regulatory agencies that have oversight over institutions subject to GLBA, SOX and the FFIEC, and over other BFSS entities.[viii] This review of privacy and civil liberties issues is integral to the information sharing framework that is envisioned by CISPA, S.3414 and the cybersecurity EO.</p>
<p><b>Figure 2. Privacy and Civil Liberties Review of Cybersecurity EO Implementation</b></p>
<div id="attachment_3537" class="wp-caption alignleft" style="width: 310px"><a href="http://sedonacyberlink.com/?attachment_id=3537" rel="attachment wp-att-3537"><img class="size-medium wp-image-3537" alt="CivilRightsFlowSCL" src="http://sedonacyberlink.com/wp-content/uploads/2012/12/CivilRightsFlowSCL-300x174.jpg" width="300" height="174" /></a></div>
<p>Civil libertarians fear that the privacy of customer information could be compromised by extensive information sharing and that, without transparency, there could be abuses by government agency users. Advocates of tougher cybersecurity laws argue that information sharing is critical in order to gain a more comprehensive picture of the threat patterns the entire sector is facing. Since it is envisioned as a voluntary program, the challenge then becomes how to incentivize private sector companies so that the benefits outweigh the potential costs of participation.</p>
<p><b>Information Sharing Issues of Cybersecurity EO Compliance</b></p>
<p>To better gauge how the private sector would respond to S.3414, Senator John D. Rockefeller IV (D-WV), Chairman of the Senate Committee on Commerce, Science, and Transportation, wrote a letter with eight questions to the private sector Financial Services Sector Coordinating Council (FSSCC) and the CEOs of Fortune 500 companies (Wainstein, 2012, October 12). The FSSCC Chairman and Vice Chair wrote a response to Senator Rockefeller on October 15. They argued that additional risk assessments would be counterproductive and redundant to GLBA and SOX, given the already high level of oversight in the sector. Therefore, they did not support provisions calling for additional risk assessments for the BFSS.</p>
<p>Conversely, the FSSCC argued that a 2010/2011 pilot project for threat-based information sharing was highly successful and should be continued. The Government Information Sharing Framework (GISF), co-implemented by the U.S. Department of Defense, DHS and the Financial Services-Information Sharing Advisory Council (FS-ISAC),[ix] “allowed for the sharing of advanced threat and attack data between the federal government and 16 financial services firms” (<i>ibid</i>. p.4). Although the budget for this pilot project ran out in 2011, the FSSCC deemed it to be highly successful in identifying threat activity from actors first identified through the GISF, and strongly recommended its continuation. They argued that it drove innovation and helped to protect the privacy of the customers of the 16 participating organizations (<i>ibid</i>. p.5). They would like to see the program made available to other organizations that might choose to participate.</p>
<p>In my own interview with the CISO of a major brokerage firm posing some of the same questions on the draft cybersecurity EO, a key distinction between sharing information on “threats” versus “risks” was made (personal communication, December 20, 2012).  This respondent noted “A fact is that sharing risk information within the BFSS introduces different risk, but the unintended consequences that may come to fruition are likely to pale compared to failing to protect the sector.  However, firms should be sharing <b><i>threat</i></b> information more than <b><i>risk</i></b> information” [emphasis added] (<i>ibid</i>). This is a subtle, but important distinction. In cyber security a threat can be defined as: a danger that a vulnerability could be exploited to cause harm to the enterprise (e.g., the release of personally identifiable information from customer records).  This differs from a risk.  A risk typically refers to the business implications of sustaining an exploit such as a data breach.  Business risks are typically held as confidential information and would not be appropriate for external disclosure.</p>
<p>In a separate conversation I had with the Chief Investment Officer at a major retirement plan consulting group I found that he had a concern about the EO if the process was not accompanied by the necessary funds for implementation (personal communication, December 8, 2012).</p>
<p>In yet more direct feedback to the White House on the draft EO, in late December members of the House of Representatives submitted a letter to the Executive Office signed by 46 of the 113 co-sponsors of CISPA. Co-authored by Marsha Blackburn (R-TN) and Steve Scalise (R-LA), this letter cited the successful passage of the House bill, CISPA,[x] during the 112<sup>th</sup> Congress and urged the President not to preempt Senate action on S.3414 or its successor (Blackburn &amp; Scalise, 2012, December 21).[xi]</p>
<p>As the reader can see, the proposed information sharing programs of both S.3414 and the draft cybersecurity EO, while theoretically strengthening joint efforts at fending off cyber threats, would also be fraught with controversy, given the civil liberties, censorship, privacy and business confidentiality issues they would bring up.</p>
<p align="center"><b>Conclusions</b></p>
<p>The Obama Administration appears to have crafted its cybersecurity EO as a stop-gap measure in the event that the Lieberman bill did not pass. Although elegant in its construction, it does not cover some of the key issues covered in the Lieberman bill. The classified PPD-20 was issued to provide federal agencies with the authority to fend off the advanced persistent threats that agencies and critical infrastructure entities are now facing. The timing of the release of PPD-20 appears to have exacerbated concerns about the decision-making process in the Obama Administration, and House representatives are now urging the President to terminate action on the unclassified cybersecurity EO. At the same time, the Administration must have determined that politics as usual would not allow the U.S. to respond to the immediacy of advanced persistent threats. I suspect that the Administration still hopes that the Lieberman bill, or a subsequent version, will pass in the early days of the 113<sup>th</sup> Congress, and that the White House will not be compelled to act preemptively by signing the EO into force.</p>
<p>The BFSS would like to see a more comprehensive approach to unifying the overall critical infrastructure protection strategy, with an emphasis on sharing <b><i>threat</i></b> information, not <b><i>risk</i></b> information. The BFSS would prefer a program that builds on previous successes and does not impose additional administrative burdens, and it would like to see more resources devoted to remediation as opposed to assessment (Blauner, 2012, October 15).</p>
<p>It is my conclusion that the Lieberman bill includes a fuller range of issues that must be addressed with cybersecurity legislation. Furthermore, it handles liability issues, training and incentive programs not addressed in the EO. The President’s approach of having civil liberties and privacy protections reviewed by sector-specific agencies is likely to be more effective and less redundant; however, a centralized approach as envisioned by Lieberman et al. would ensure that the issues are systematically and consistently addressed.</p>
<p>I urge Senators considering any 113<sup>th</sup> Congress follow-up bill to act quickly on a Senate version, to consider funding commensurate with increased federal agency responsibilities, and to ensure that impacts on business confidentiality are also included. Furthermore, the successor bill should make it clear that threat information, not risk information, is to be shared between the private and public sectors. Also, the existing sector-specific Information Sharing Advisory Councils should be the venue for sharing threat information, as in the successful pilot project in the BFSS.</p>
<p>I also urge the President to give the Senate’s Congressional process a chance to resolve itself, to ensure a more comprehensive approach, while still exerting pressure for quick and early action in the 113<sup>th</sup> Congress.</p>
<p align="center"><b>References</b></p>
<p>Blackburn, M., Scalise, S. (2012, December 21). <i>House Republicans Letter to President Obama on Draft Cybersecurity E.O.</i>  Washington, D.C.: House of Representatives.</p>
<p>Blauner, C., and Wells III, J.M. (2012, October 15). <i>Response to Letter from Senator John D. Rockefeller IV</i>. Washington, D.C.: Financial Services Sector Coordinating Council [FSSCC].</p>
<p>Bradsher, K. (2012, December 28). China toughens its restrictions on use of the Internet. <i>New York Times</i>. Retrieved from <a href="http://www.nytimes.com/2012/12/29/world/asia/china-toughens-restrictions-on-internet-use.html?ref=technology&amp;_r=0">http://www.nytimes.com/2012/12/29/world/asia/china-toughens-restrictions-on-internet-use.html?ref=technology&amp;_r=0</a></p>
<p>Bush, G. W. (2003, December 17). <i>Homeland Security Presidential Directive-7</i>. Washington, D.C.: Department of Homeland Security. Retrieved from <a href="http://www.dhs.gov/homeland-security-presidential-directive-7#1">http://www.dhs.gov/homeland-security-presidential-directive-7#1</a></p>
<p>Chertoff, M. (2009). <i>National Infrastructure Protection Plan: Partnering to Enhance Protection and Resiliency</i>. Washington, D.C.: Department of Homeland Security [DHS]. Retrieved from <a href="http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf">http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf</a></p>
<p>Economist. (2012, December 8th-14th). Cyberwarfare: Hype and fear. <i>The Economist</i>, pp. 62-63.</p>
<p>Federal Financial Institutions Examination Council [FFIEC]. (2012, June 28). <i>Supplement to authentication in an Internet banking environment</i>. Washington, D.C.: FFIEC.</p>
<p>Federal Financial Institutions Examination Council [FFIEC]. (n.d.). <i>IT examination handbook infobase</i>. Retrieved from <a href="http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/personnel-security-/training.aspx">http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/personnel-security-/training.aspx</a></p>
<p>Federal Trade Commission [FTC]. (2006, April). <i>Financial institutions and customer information: Complying with the Safeguards rule</i>.  Washington, D.C.: Federal Trade Commission.</p>
<p>FTC, <i>Privacy of consumer financial information; Final rule</i>, 16 C.F.R. § Part 313 (2000, May 24).</p>
<p>GovTrack.us. (2012). <i>Senate Vote #202 in 2012</i>. Civic Impulse, LLC. Retrieved from <a href="http://www.govtrack.us/congress/votes/112-2012/s202">http://www.govtrack.us/congress/votes/112-2012/s202</a></p>
<p>Gramm–Leach–Bliley Act [GLBA], Pub. L. No. 106-102, 113 Stat. 1338 <i>et seq.</i> (1999, November 12).</p>
<p>Herold, R. (2006). Introduction to computer ethics. In H. Tipton (Ed.), <i>Official (ISC)<sup>2</sup> Guide</i>. New York: Auerbach Publications.</p>
<p>Kramer, T. (2012, December 13). Amb. Kramer Remarks on World Telecommunications Meeting. <i>IIP Digital</i>. Retrieved from <a href="http://translations.state.gov/st/english/texttrans/2012/12/20121214139976.html#axzz2GP1rNDyZ">http://translations.state.gov/st/english/texttrans/2012/12/20121214139976.html#axzz2GP1rNDyZ</a></p>
<p>Lieberman, J. (2012, July 23). <i>Cybersecurity Act of 2012 (Draft)</i>. Washington, D.C.: Government Printing Office. Retrieved from <a href="http://www.govtrack.us/congress/bills/112/s3414/text">http://www.govtrack.us/congress/bills/112/s3414/text</a></p>
<p>MacKinnon, R. (2012). <i>Consent of the Networked: The Worldwide Struggle for Internet Freedom</i>. New York, NY: Basic Books.</p>
<p>McKeon, B. P. (2012, September 28). <i>Discussion paper for Paper Deputies Committee meeting on E.O. on Improving Critical Infrastructure Cybersecurity Practices [Unclassified]</i>.  Washington, D.C.: White House.</p>
<p>Obama, B. (2012, July 19). <i>Taking the cyberattack threat seriously</i>. <i>Wall Street Journal, U.S. Edition</i>. Retrieved from <a href="http://online.wsj.com/article/SB10000872396390444330904577535492693044650.html?mod=googlenews_wsj">http://online.wsj.com/article/SB10000872396390444330904577535492693044650.html?mod=googlenews_wsj</a></p>
<p>Rogers, M. (2012, April 26). <i>Cyber Threat Intelligence and Information Sharing [CISPA], H.R. 2523</i>. U.S. House of Representatives.</p>
<p>Sarbanes–Oxley Act [SOX], Pub. L. No. 107-204, 116 Stat. 745 <i>et seq.</i> (2002, July).</p>
<p>Sottek, T. C. (2012, April 26). U.S. House passes controversial CISPA bill, now on to Senate. <i>The Verge</i>. Retrieved from <a href="http://www.theverge.com/2012/4/26/2978395/us-house-passes-cispa">http://www.theverge.com/2012/4/26/2978395/us-house-passes-cispa</a></p>
<p>Stevens, G. M. (2003, February 28). <i>Homeland Security Act of 2002: Critical Infrastructure Information Act</i>. Washington, D.C.: Congressional Research Service [CRS]. Retrieved from <a href="http://www.fas.org/sgp/crs/RL31762.pdf">http://www.fas.org/sgp/crs/RL31762.pdf</a></p>
<p>Verton, D. (2012). Cybercom: Critical issues in national cybersecurity. <i>HS Today</i>. Retrieved from <a href="http://www.hstoday.us/blogs/critical-issues-in-national-cybersecurity/blog/first-signs-of-national-cyber-doctrine-emerging/d7fcea03bc3df4bf44ea7726bd470687.html">http://www.hstoday.us/blogs/critical-issues-in-national-cybersecurity/blog/first-signs-of-national-cyber-doctrine-emerging/d7fcea03bc3df4bf44ea7726bd470687.html</a></p>
<p>Wainstein, K. (2012, October 12). <i>The Rockefeller Letter and the Cybersecurity Debate</i>. <i>Clients &amp; Friends Memo</i>. New York: Cadwalader, Wickersham &amp; Taft, LLP.</p>
<p>White House. (2012, November 21). <i>DRAFT: Improving Critical Infrastructure Cybersecurity [Unclassified]</i>. Retrieved from <a href="http://thenextweb.com/us/2012/12/01/legislative-options-dead-a-fresh-draft-of-the-executive-order-on-cybersecurity-has-been-leaked/">http://thenextweb.com/us/2012/12/01/legislative-options-dead-a-fresh-draft-of-the-executive-order-on-cybersecurity-has-been-leaked/</a></p>
<p><b>End Notes:</b></p>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p>[i] S.3414 was co-sponsored by Ms. Collins (R-ME), Mr. Rockefeller (D-WV), Mrs. Feinstein (D-CA), and Mr. Carper (D-DE), indicating broad bi-partisan support.</p>
</div>
<div>
<p>[ii] The initial Critical Infrastructures and Key Assets were defined pursuant to the USA PATRIOT Act of 2001 (P.L. 107-56).</p>
</div>
<div>
<p>[iii] Critical Infrastructure as defined by 42 U.S.C. 5195c(e).</p>
</div>
<div>
<p>[iv] The Congressional Research Service report on a predecessor bill, the Homeland Security Act of 2002, noted that “Section 204 of H.R. 5005 exempted infrastructure vulnerabilities information [emphasis added] from disclosure under the Freedom of Information Act (FOIA) (5 U.S.C. § 552)” (Stevens, 2003, February 28). The final language that was reported out of the Select Committee on Homeland Security expanded the definition beyond FOIA disclosures and established a newly defined category of critical infrastructure information voluntarily submitted to the government that would be protected from disclosure (ibid, p.CRS-2).</p>
</div>
<div>
<p>[v] GLBA regulates: commercial, merchant, retail and international banks; brokerages; credit unions; trust companies; insurance companies; mortgage loan companies; underwriters; and investment funds.</p>
</div>
<div>
<p>[vi] Many of these issues are also explicitly addressed in CISPA.</p>
</div>
<div>
<p>[vii] <a href="http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx">http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx</a></p>
</div>
<div>
<p>[viii] The BFSS was first identified as a critical infrastructure sector in 1996 in EO 13010, signed by President Clinton. Cyber security provisions applicable to the BFSS were added by the National Strategy for Homeland Security (in 2002) and Homeland Security Presidential Directive-7 by President Bush (in 2003). Since 2002 the critical infrastructure issues of the BFSS have been led by the Department of the Treasury in coordination with the private sector Financial Services Sector Coordinating Council (FSSCC) and its public sector counterpart, the Financial and Banking Information Infrastructure Committee (FBIIC). Other regulatory agencies within the sector, such as the Securities and Exchange Commission (SEC), and self-regulating authorities such as the Financial Industry Regulatory Authority (FINRA), participate through these entities.</p>
</div>
<div>
<p>[ix] In a comment made by a Security Information Officer from a major regional bank, this program was noted to be used on a daily basis (personal communication, December 18, 2012).</p>
</div>
<div>
<p>[x] <a href="http://www.huffingtonpost.com/2012/04/26/cispa-passes-house_n_1457548.html">http://www.huffingtonpost.com/2012/04/26/cispa-passes-house_n_1457548.html</a></p>
</div>
<div>
<p>[xi] Importantly, it noted that their House bill included provisions for handling liabilities for private sector companies that may arise from information sharing, which the EO did not (and could not) include. This is a key issue in the Senate debate on S.3414, along with incentives for participation, budget appropriations, and liabilities.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3534</wfw:commentrss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3534</feedburner:origLink></item>
		<item>
		<title>Fiscal Cliff or Fiscal Stoop?</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/scI5AU2oo7c/</link>
		<comments>http://sedonacyberlink.com/?p=3531#comments</comments>
		<pubdate>Mon, 24 Dec 2012 04:04:03 +0000</pubdate>
		<dc:creator>Tommy Acosta</dc:creator>
				<category><![CDATA[Politics]]></category>
		<category><![CDATA[acosta]]></category>
		<category><![CDATA[big time]]></category>
		<category><![CDATA[boots]]></category>
		<category><![CDATA[boxer]]></category>
		<category><![CDATA[budgets]]></category>
		<category><![CDATA[election battle]]></category>
		<category><![CDATA[fear factor]]></category>
		<category><![CDATA[fiasco]]></category>
		<category><![CDATA[gop]]></category>
		<category><![CDATA[hump]]></category>
		<category><![CDATA[jagged rocks]]></category>
		<category><![CDATA[left shoulder]]></category>
		<category><![CDATA[media frenzy]]></category>
		<category><![CDATA[military spending]]></category>
		<category><![CDATA[own skins]]></category>
		<category><![CDATA[play ball]]></category>
		<category><![CDATA[purse string]]></category>
		<category><![CDATA[republicans]]></category>
		<category><![CDATA[shoreline]]></category>
		<category><![CDATA[stoop]]></category>

		<guid ispermalink="false" isPermaLink="false">http://sedonacyberlink.com/?p=3531</guid>
<description><![CDATA[A big fear factor for investors is the threat that the market will suffer a knock-out if we hurtle off the Fiscal Cliff.]]></description>
				<content:encoded><![CDATA[<h3><em>by Tommy Acosta</em></h3>
<p>The media frenzy over the looming Fiscal Cliff and panic over its consequences has nothing to do with reality.</p>
<p>Get over it. Nothing worse than raised taxes on everyone can happen! Does anyone really think Washington is going to let that occur?</p>
<p>Perhaps we’ll suffer a scraped economic knee but no 300-foot straight-down-drop to a waiting shoreline of jagged rocks as the media keeps threatening and predicting.</p>
<p><a href="http://sedonacyberlink.com/?attachment_id=3532" rel="attachment wp-att-3532"><img class="alignleft size-medium wp-image-3532" alt="Tax return check" src="http://sedonacyberlink.com/wp-content/uploads/2012/12/iStock_000003655048XSmall-300x200.jpg" width="300" height="200" /></a>Think of it this way, if the Republicans don’t come to the table and deal, taxes are going to go up big time, especially for them. The purse-string pullers in the party are not going to be happy because the GOP will ultimately get the blame for the fiasco.</p>
<p>They endured a beating in the election. They are like a boxer who forgets to take his boots off after a fight and takes a shower with them on.</p>
<p>They are dazed and Obama is circling, looking to hit them hard and make them look even worse in the eyes of the American people if they don’t play ball.</p>
<p>He’s got a heavy right hand waiting behind his left shoulder. They can’t afford to take another hit.</p>
<p>They will throw in the towel to save their own skins. Obama and company will get what they want.</p>
<p>Obama will leave room on the table for them to save face. The deal won’t smell nice but it will get us over the hump and set the stage for the mid-term election battle.</p>
<p>A big fear factor for investors is the threat that the market will suffer a knock-out if we hurtle off the Fiscal Cliff.</p>
<p>The market might take a sympathy hit for show but the fact is there are wars everywhere and fat budgets for military spending.  The market will shrug it off.</p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3531</wfw:commentrss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3531</feedburner:origLink></item>
		<item>
		<title>And thou shall not enter…</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/KVpaPNqNBOo/</link>
		<comments>http://sedonacyberlink.com/?p=3528#comments</comments>
		<pubdate>Sun, 16 Dec 2012 23:44:28 +0000</pubdate>
		<dc:creator>Janaki Rajagopalan</dc:creator>
				<category><![CDATA[Human Resources]]></category>
		<category><![CDATA[bad news]]></category>
		<category><![CDATA[balloon]]></category>
		<category><![CDATA[challenges]]></category>
		<category><![CDATA[cliques]]></category>
		<category><![CDATA[closeness]]></category>
		<category><![CDATA[collective experience]]></category>
		<category><![CDATA[consequence]]></category>
		<category><![CDATA[decline]]></category>
		<category><![CDATA[diversity]]></category>
		<category><![CDATA[draft plans]]></category>
		<category><![CDATA[exchange ideas]]></category>
		<category><![CDATA[fiefdom]]></category>
		<category><![CDATA[information pool]]></category>
		<category><![CDATA[ladder]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[next generation]]></category>
		<category><![CDATA[next level]]></category>
		<category><![CDATA[teamwork]]></category>
		<category><![CDATA[turf]]></category>

		<guid ispermalink="false" isPermaLink="false">http://sedonacyberlink.com/?p=3528</guid>
<description><![CDATA[The willingness to step off the spotlight and let others step into it to grow and develop themselves is the signature of a great leader. What makes them even greater is their willingness to take ownership of minor failures during this transition.]]></description>
				<content:encoded><![CDATA[<h3><em><strong>by Janaki Rajagopalan</strong></em></h3>
<p>Teamwork. The first interpretation of this word is of people coming and staying together to achieve a goal.  A closeness develops, even if for the period of their project or mission, as they exchange ideas and information, pool their collective experience to draft plans and actions.  And the longer the association is, the tighter the bond grows.</p>
<p>Such tight bonding that forms the basis of teamwork, it is good, right?</p>
<p>But wait!</p>
<p>When does this become a suffocating clique that bars entry to other people or ideas?</p>
<p>Hmmm…good points, but nothing new. There is enough leadership counsel that warns leaders what to look out for and how to build agile teams that embrace diversity.</p>
<p>But here is the catch. What happens if leaders themselves form this clique?</p>
<p><a href="http://sedonacyberlink.com/?attachment_id=3529" rel="attachment wp-att-3529"><img class="alignleft size-medium wp-image-3529" alt="iStock_000019077481XSmall" src="http://sedonacyberlink.com/wp-content/uploads/2012/12/iStock_000019077481XSmall-300x223.jpg" width="300" height="223" /></a>Let us step back for a minute. There are three basic traits most of us display to varying degrees at work. One, we guard our independence. Two, we think of our importance a tad higher than it actually is. As a consequence of these two traits, we end up with the third – we control the information that reflects on our work.</p>
<p>So much for us as individuals. If the situation now moves to a close-knit team, these three traits balloon to form the perfect clique. And the higher this group moves in the hierarchical ladder, the clique becomes an impenetrable fiefdom!</p>
<p>When leaders possess vision and values, an organization can experience great growth and success. When they fail to pass on the baton to the next generation of leadership, and are more interested in protecting their turf, the organization gets stale and goes into decline.</p>
<p>The promise of the next level will either battle to break such fiefdoms, or leave. Leave to translate their promise to reality elsewhere, where they are appreciated and can blossom. Both are bad news for organizations. The old cliques will eventually tire of meeting new challenges, may wonder why there is no competent second line and leave the organization to be rebuilt from the shambles they created.</p>
<p>It is a question of perspective. The ‘<i>let-me-guard-my-authority’</i> monarchs need not worry. It is really not about giving up ‘turf’ – it is about being ‘welcoming’ to the promising next-gen leaders and not making them wonder if they will forever be on the outside.</p>
<p>The willingness to step off the spotlight and let others step into it to grow and develop themselves is the signature of a great leader. What makes them even greater is their willingness to take ownership of minor failures during this transition.</p>
<p>How do I, as a leader, look out for signs of any unintentional fiefdom I may be creating? I would keep the following questions as my constant watchdog.</p>
<ol>
<li>Am I acting as a gatekeeper to monopolize and manipulate information, relationships and resources?</li>
<li>Am I playing the game of strategic non-cooperation? Saying yes, but delaying to act?</li>
<li>Am I subtly or overtly excluding or ‘outlawing’ individuals or groups? Using my authority to create doubt about another person’s competence or credibility?</li>
<li>Do I intimidate others?</li>
<li>Do I distract needlessly – out-talk others and prevent action?</li>
</ol>
<p>A recent article in ‘The Economist’ on the increasing clout of the internet giants concluded thus: <i>“The four big fish nowadays also have a reputation for arrogance and plenty of enemies. If they really want to keep the trustbusters at bay, they should not let their size go to their heads.”</i></p>
<p>Not a bad message really, for individuals too!</p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3528</wfw:commentrss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3528</feedburner:origLink></item>
		<item>
		<title>The Real Reasons Romney Lost</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/KwBeEgRJyT0/</link>
		<comments>http://sedonacyberlink.com/?p=3526#comments</comments>
		<pubdate>Thu, 13 Dec 2012 22:57:50 +0000</pubdate>
		<dc:creator>Tommy Acosta</dc:creator>
				<category><![CDATA[Politics]]></category>
		<category><![CDATA[Election]]></category>
		<category><![CDATA[President]]></category>
		<category><![CDATA[Republican]]></category>
		<category><![CDATA[strategy]]></category>

		<guid isPermaLink="false">http://sedonacyberlink.com/?p=3526</guid>
		<description><![CDATA[Some points on why Romney lost the election, and why the Republicans must rethink their strategy for 2014 and beyond.]]></description>
				<content:encoded><![CDATA[<p><strong><i>By Tommy Acosta</i></strong></p>
<p>In looking back at the Republican presidential defeat, we need to strip away pretense and look at what really happened.</p>
<p>Republican honchos, strategists and players are huddled in corners licking their wounds and desperately trying to find a reason that makes sense to them as to why they were defeated so soundly.</p>
<p>The answer is in front of their noses, so close they are unable to focus.</p>
<p><a href="http://sedonacyberlink.com/?attachment_id=3406" rel="attachment wp-att-3406"><img class="alignleft size-medium wp-image-3406" alt="US flag" src="http://sedonacyberlink.com/wp-content/uploads/2012/08/flag-300x220.jpg" width="300" height="220" /></a>Simply put, the problem with Republicans is not their ability to wage sound business, balance budgets and maintain family values but the perception of them being insensitive, puritanical, money hungry and callous to their less-fortunate fellow humans.</p>
<p>Let us look at some points that contributed to the Republican candidate’s crushing and embarrassing defeat.</p>
<p><strong>Romney’s rejection by Gays, Blacks, Hispanics, Young People, Single Women, Pot Smokers and Seniors</strong></p>
<p>When the time came to fill in the ballot, undecided Gays, Blacks, Hispanics, single women, young people, those living on the economic edge, seniors and pot heads just couldn&#8217;t vote for Romney no matter how bad the economy was or how bad a job Republicans said Obama is doing.</p>
<p>For the Gays, Republicans have always been the main force behind their not being allowed to enjoy marital rights.  For Blacks, Romney represents the party that fought hardest for decades to deny them civil rights. For Hispanics, Romney represents the party that sponsored SB70. For single women, Romney represents the party that claimed rapes are God’s will and would deny them the right to terminate a resulting pregnancy. For seniors, Romney represents the party that would take down Social Security and Medicare. For young people, the Republican Party is for old people. For pot heads, Romney would wage a real war on medical marijuana. For people living on the economic edge, Romney represents the party that would take food from their baby’s mouth.</p>
<p><strong>The Impact of the “Pot Party”</strong></p>
<p>Baby Boomers that smoke pot and young adults that smoke pot have a similar passion. They love to smoke pot. It’s no secret to the ever-growing, pot-smoking voting bloc that their greatest persecutors have been Republicans. Sure, Obama’s State Department has harassed some medical marijuana providers in certain states, mostly California, but it is nothing compared to the kind of “war on pot” Romney and Republicans would wage if they got back in power.</p>
<p>Look at Arizona, a Republican stronghold, where even though voters approved medical marijuana, Republican state representatives and officials are doing everything and anything they can to make it impossible for patients to legally purchase their medicine. Who remembers Nixon’s “War on Drugs?” Pot smokers know who their real enemies are.</p>
<p>Pot smokers are a political force. Active pot smokers have assimilated into the halls of political influence and business enterprise and are organizing. They got money. They are launching initiatives, referendums and backing political candidates that get the message. Their influence in the 2014 mid-term election will be heavy if not profound. Move over Tea Party and make way for the “Pot Party.” Watch the Republican 2014 mid-term elections go up in smoke.</p>
<p><strong>Rope a Dope: How Obama Took Apart Romney in the Debates</strong></p>
<p>A lot of Republicans, especially the Fox News pundits, were in shock, bewildered because they honestly believed in the first presidential debate Romney KO’d Obama and it was impossible for the president to get back on his feet and recover after such a beating. Democrats hung their heads in despair thinking it was all over for Obama after the first debate.</p>
<p>Those who understand the sweet art of boxing saw something else. Obama was playing Romney like legendary boxer Muhammad Ali did George Foreman with the infamous “rope-a-dope” ploy, where Ali hung back on the ropes until Foreman got tired of punching, then came in and knocked Foreman out. In the first debate Romney leaped from his corner, like Foreman, swinging away with haymakers while Obama leaned back on the ropes and absorbed the ferocious attack. He took a lot of hard hits, but like Ali, Obama withstood the blows, studying Romney’s style while taking shots to the body to better prepare for the next round.</p>
<p>In the second debate Obama was on his feet, literally, and like Ali, danced, slipped Romney’s jabs and wild rights and stung him with his own throughout the debate. Like Ali did to George Foreman, Obama figured his opponent out and was ready to turn the tables. Consider Obama had not been in a debate in four years while Romney honed and sharpened his skills during the Republican primaries. Obama had to shake the ring-rust off.</p>
<p>In the third debate Obama, like Ali in the last round, went to work doing what he does best; taking an opponent apart with hard lefts and harder right hands while deftly blocking and dodging his opponent’s tired blows. Whipping Romney in the last debate, Obama energized his followers to get back in there and fight to the end.</p>
<p><strong>Entitlements: Six of These – Half a Dozen of the Other</strong></p>
<p>Republicans rail against entitlements, wailing that our tax dollars are keeping a welfare state in business. Well, there is also the business of welfare. What would happen to shop owners and grocery producers if those checks stopped coming to their food stamp customers and seniors dependent on Social Security? The industry would lose billions. And Medicare? Obamacare? What would happen if there was no coverage available for these people? The pharmaceutical industry, hospitals and doctors would lose billions as well. Democratic and Republican investors and business owners in both fields would suffer mammoth financial losses without entitlements. There are two parties benefiting from our tax dollars: the buyers and the sellers; the people on entitlements and those who take their money. There are too many people on the receiving end of entitlements for the Republicans to gain traction with their “cut-them-off” plans for the future.</p>
<p><strong>Benghazi vs. the Real 911</strong></p>
<p>Here’s where the Republican effort to hurt Obama in retaliation for their loss verges on pathetic. By what stretch of logic can they try to replace the outrage the American press should have expressed when the first 911 occurred with what allegedly happened in Benghazi?</p>
<p>Fox News pundits are chewing a bone that has no meat on it. The Benghazi incident pales in comparison to the Republican administration’s massive intelligence failure of September 11, 2001. On the real 911 we were under attack for almost an hour without our Air Force interceding to protect us. Unbelievable incompetence that led to deadly consequences; how could we have been so slow to respond to the hijacked jets of 911? Benghazi, in comparison to the real 911 and what is happening in the rest of the Middle East right now, was a cozy campfire, now smoldering in the ashes of a soon-to-be-forgotten military-sex scandal of epic proportions.</p>
<p><strong>Conclusion</strong></p>
<p>It wasn’t a matter of how bad a job Obama was doing. Rather, it was how much worse a job Romney would do.</p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3526</wfw:commentrss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3526</feedburner:origLink></item>
		<item>
		<title>Incubator of Catastrophe</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/4tHecEmfSfw/</link>
		<comments>http://sedonacyberlink.com/?p=3513#comments</comments>
		<pubdate>Fri, 23 Nov 2012 21:54:52 +0000</pubdate>
		<dc:creator>Jane Ginn</dc:creator>
				<category><![CDATA[CyberPolicy]]></category>
		<category><![CDATA[balance of power]]></category>
		<category><![CDATA[commercial interests]]></category>
		<category><![CDATA[cyber policy]]></category>
		<category><![CDATA[G-20]]></category>
		<category><![CDATA[G-Zero]]></category>
		<category><![CDATA[global balance]]></category>
		<category><![CDATA[global financial crisis]]></category>
		<category><![CDATA[global leadership]]></category>
		<category><![CDATA[global policy]]></category>
		<category><![CDATA[ian bremmer]]></category>
		<category><![CDATA[ICANN]]></category>
		<category><![CDATA[ITU]]></category>
		<category><![CDATA[key point]]></category>
		<category><![CDATA[leadership gap]]></category>
		<category><![CDATA[nuclear weapons policy]]></category>
		<category><![CDATA[policy arena]]></category>
		<category><![CDATA[winners and losers]]></category>

		<guid isPermaLink="false">http://sedonacyberlink.com/?p=3513</guid>
		<description><![CDATA[The up-tick in cybercrime and the advanced persistent threats that U.S. corporations and citizens are facing minute-by-minute and day-by-day in cyberspace present a great test in a leaderless, G-Zero world.]]></description>
				<content:encoded><![CDATA[<p><a class="highslide" onclick="return vz.expand(this)" href="http://sedonacyberlink.com/wp-content/uploads/2012/11/iStock_000016987294XSmall.jpg"><img class="alignright size-medium wp-image-3514" title="iStock_000016987294XSmall" src="http://sedonacyberlink.com/wp-content/uploads/2012/11/iStock_000016987294XSmall-300x205.jpg" alt="room of computers" width="300" height="205" /></a></p>
<p>The current leaderless geopolitical and environmental state of the world is the theme of Ian Bremmer’s new book <em>Every Nation for Itself: Winners and Losers in a G-Zero World</em> (2012). Bremmer starts by defining the G-7 college of nations which, after the 2008 global financial crisis, morphed into the G-20.  Although much ado was made about the potential of the G-20, Bremmer’s key point is that the reduced standing of the U.S. in the global policy arena leaves an unfilled leadership gap in trade and security policy that the G-20 is not yet able to fill.  The G-20, comprised of the U.S., Canada, Mexico, Brazil, Argentina, Britain, Germany, France, Italy, Russia, Japan, China, Indonesia, South Korea, India, Australia, Turkey, Saudi Arabia, South Africa and the EU, was an accommodation to the new global balance of power that has emerged in the early 21<sup>st</sup> Century.  But as a tool for global leadership it is too unwieldy, with too many diverse ideological frameworks that also have competing policy and commercial interests.  This leaves us adrift in the ocean of social and political change like that which we have witnessed over the past four years; what he characterizes as the G-Zero world.</p>
<p>In the book Bremmer carefully outlines who the winners and losers may be as we move forward into the future in such areas as nuclear weapons policy, climate change, regional and global trade and cybersecurity.  He also outlines who the various national players may be as pivot states, rogues with friends, adapters, protectors, and cheaters.  He also illustrates how important both the U.S. and China are as the two largest economies that are intricately intertwined economically, but diametrically opposed philosophically.  He presents a series of scenarios of possible futures, calling upon recent political events that may or may not develop, to support how each scenario plays out.</p>
<p>All in all, it is a fascinating and enjoyable excursion into the world of “what if.”  Going in, the reader should have a good grasp of geography and current events to fully appreciate the nuances he delivers as he jumps back and forth in time and space.  For my purpose in this essay, the jumping-off point is how his model of the G-Zero leaderless world could play itself out in cyberspace as we approach the upcoming International Telecommunication Union (ITU) vote to be held in December, 2012 in <a href="http://www.itu.int/en/wcit-12/Pages/default.aspx">Dubai</a>.</p>
<p><strong>The Future of the Internet</strong></p>
<p>This event, which I wrote about in a previous <a href="http://sedonacyberlink.com/?p=3160">article</a> on the challenge to the authority of the Internet Corporation for Assigned Names and Numbers (ICANN), is likely to be one of the most important events of 2012, and yet it is barely reported on in the mainstream press.  ICANN, a multi-stakeholder, multinational non-profit organization originally established by the U.S. Department of Commerce (DOC), administers the top-level domain authority and the root servers for the Internet.  Since the global expansion of the Internet has far exceeded the wildest imaginations of the original purveyors and many countries now depend on the efficient communications benefits it offers, a battle for the management of the Internet backbone’s root authority is now underway.  Russia, China and Brazil are reported to be three countries pushing for transferring this authority from ICANN to the ITU, an agency of the United Nations (UN).  The vote on this matter will be held in less than a month.</p>
<p><strong>The Great Distorter</strong></p>
<p>Leading spokespersons on both sides of the debate have made strong arguments.   On the one hand, the ITU is an international body and is, therefore, not subject to the political agenda of one powerful nation (i.e., the U.S.).  And, they contend, since the Internet is now a global public good it makes sense that governance should be in the hands of a multinational body.  Besides, the world of the Internet is being overwhelmed by the traffic of cybercriminals and hacktivists that are using this public resource for nefarious purposes.  More control by national governments is in order to maintain the resource for beneficial commerce, trade, and governance, so they argue.</p>
<p>On the other hand, others argue, ICANN is a multi-stakeholder body and, therefore, allows private sector and non-governmental organizations (NGOs) to sit at the table as equals with state actors.  It, therefore, reflects the new reality of the modern world whereby unrepresented but important constituencies can have a voice. Further, they argue that bureaucratic actions by slow-moving, politically-sensitized nation states cannot possibly keep up with the pace of technological change necessary to make good decisions about Internet governance.  And the potential for corruption, the great distorter, will artificially dictate winners and losers through market distortions that have nothing to do with the original intent of the Internet (i.e., as a tool for the freedom of expression).  It is feared that the machinations of political horse-trading will be expressed more fully in the context of ITU governance and that the efficiencies gained in market advances and technological innovations will be stalled.  More importantly, to civil liberties advocates the use of the Internet as a tool for oppression and control is seen as a dangerous shift for the future of mankind.</p>
<p><strong>Anonymity and Cybercrime</strong></p>
<p>The arguments of those that advocate for a more civil, less criminal, cyberspace have not gone unnoticed by those in power within the U.S.  Bills before the U.S. Congress to reduce our own vulnerabilities to state-sponsored or private cyber-terrorism are stalled due to political infighting.  The Obama Administration, in seeking to forestall a tragic “cyber Pearl Harbor” as Secretary of Defense Panetta characterized it, has issued a secret directive and has floated a <a title="Draft White House EO on Cyber Security" href="http://sedonacyberlink.com/wp-content/uploads/2012/11/White-House-Draft-Executive-Order-Publicly-Circulating-Copy-11-1-12.pdf">draft Executive Order</a> (EO) to protect the U.S.’s critical infrastructure.</p>
<p>Critics of the draft EO, especially those supporting voluntary private action by companies deemed to be subject to the definition of “<a href="http://www.dhs.gov/critical-infrastructure-sectors">critical infrastructure</a>,” fear that the U.S. government is going too far in mandating incident reporting and data collection activities.  Other critics, especially those who are concerned about the loss of anonymity online and the prospect of an Orwellian “Big Brother,” are concerned that the civil liberties of ordinary citizens will be infringed upon.  Some seem to be more concerned about the U.S. national agenda and the actions of the Executive Branch than the 800-pound international gorilla staring them in the face: the prospect of a loss of top-level domain name authority and root server governance to the ITU.</p>
<p>The up-tick in cybercrime and the advanced persistent threats that U.S. corporations and citizens are facing minute-by-minute and day-by-day in cyberspace present the greatest test of the G-Zero concept that Bremmer proposes (Verizon RISK Team, 2012).  The U.S.’s global leadership in establishing the ICANN structure as a multi-stakeholder entity is a prime example of “leading from behind” as Bremmer documents in his book.  The question now becomes how to slow the progress of cyber-criminal activity without stalling the progress of technological innovation and/or infringing on civil rights and liberties. Although tough for the 18 industry sectors detailed in the National Infrastructure Protection Plan (<a title="NIPP" href="http://www.dhs.gov/national-infrastructure-protection-plan">NIPP</a>), increased information sharing as proposed in the EO is the first step in a unified and coordinated approach to dealing with organized cyber criminal activity and the cyber espionage efforts of state actors.</p>
<p>I’m willing to place my bets on solutions that emerge from a healthy mixture of private, public and NGO action in ICANN and the Internet Engineering Task Force (IETF) rather than the bureaucracy of the ITU.  In my view, ITU governance of the Internet backbone would be an incubator of catastrophe and would speed the world toward the G-Zero scenario that Bremmer outlines.</p>
<p><strong>References:</strong></p>
<p>Bremmer, I. (2012). <em>Every Nation for Itself: Winners and Losers in a G-Zero World</em>. New York, NY: Portfolio/Penguin.</p>
<p>Verizon RISK Team. (2012). <em>Verizon Data Breach Investigations Report</em>. Verizon.</p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3513</wfw:commentrss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3513</feedburner:origLink></item>
		<item>
		<title>Can We Manage Portfolio Talent?</title>
		<link>http://feedproxy.google.com/~r/Sedonacyberlink/~3/YbzfNC3gupk/</link>
		<comments>http://sedonacyberlink.com/?p=3504#comments</comments>
		<pubdate>Sun, 28 Oct 2012 23:08:44 +0000</pubdate>
		<dc:creator>Janaki Rajagopalan</dc:creator>
				<category><![CDATA[Human Resources]]></category>
		<category><![CDATA[10 years]]></category>
		<category><![CDATA[adequate standards]]></category>
		<category><![CDATA[business decisions]]></category>
		<category><![CDATA[business partner]]></category>
		<category><![CDATA[consequence]]></category>
		<category><![CDATA[critical goals]]></category>
		<category><![CDATA[distribution performance]]></category>
		<category><![CDATA[evolution]]></category>
		<category><![CDATA[fundamental cornerstone]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[implication]]></category>
		<category><![CDATA[job]]></category>
		<category><![CDATA[merits]]></category>
		<category><![CDATA[operational achievements]]></category>
		<category><![CDATA[performance cycle]]></category>
		<category><![CDATA[performance system]]></category>
		<category><![CDATA[purists]]></category>
		<category><![CDATA[spite]]></category>
		<category><![CDATA[strides]]></category>

		<guid isPermaLink="false">http://sedonacyberlink.com/?p=3504</guid>
		<description><![CDATA[HR, especially in the last 5 to 10 years, has made galloping strides in its strategic and operational achievements. Yet, one must admit that this function still struggles to categorically and credibly demonstrate the impact of such accomplishments, in spite of its laudable progress.]]></description>
				<content:encoded><![CDATA[<p><strong>by Janaki Rajagopalan</strong></p>
<p><em>And the argument continues….</em></p>
<p>The <em>“60-30-10”</em> or, in some cases, the <em>“70-20-10”</em> distribution performance system, with its evolving merits and de-merits, continues to be a favorite topic of discussion among theoreticians and practitioners alike. Beyond the argument for or against a forced distribution and its primary effects, there is a critical secondary implication that has already made its effect felt in the evolution of the Human Resources function.</p>
<p>HR, especially in the last 5 to 10 years, has made galloping strides in its strategic and operational achievements. Yet, one must admit that this function still struggles to categorically and credibly demonstrate the impact of such accomplishments, in spite of its laudable progress. And here is where perhaps a consequence of the forced performance banding may be seen.</p>
<p><a class="highslide" onclick="return vz.expand(this)" href="http://sedonacyberlink.com/wp-content/uploads/2012/10/agenda-and-telephone-0001.jpg"><img class="alignright size-medium wp-image-3506" title="agenda and telephone 0001" src="http://sedonacyberlink.com/wp-content/uploads/2012/10/agenda-and-telephone-0001-300x198.jpg" alt="" width="300" height="198" /></a>As a trusted business partner, HR treats talent policies and decisions as a fundamental cornerstone of its ‘raison d’être’.  In a system where managers must identify 10 percent as bottom performers in each role or job and perhaps remove or improve the bottom 10 percent, here is a crucial question to ask – <em>“Is removing or improving the bottom 10 percent valuable in all cases?”</em></p>
<p>And if we extended this line of thinking to the very beginning of the performance cycle, the goal-setting stage, the same question can be asked differently and more powerfully – <em>“Should we not differentiate between job aspects to set aggressive standards for high critical goals and accept meeting adequate standards for the less critical ones?”</em></p>
<p>Purists may chafe at this, but it is a practical thought to ruminate on – do we need excellence in everything? If managers and leaders can provide assurance to their members on where excellence makes a pivotal difference, and where good performance is good enough, they may be enthused and motivated to put their best where it actually does matter. Maybe it would be a result-oriented exercise for HR to treat talent management like an investment banker would treat portfolio investment and diversification for high and optimized returns.</p>
<p><em>Maybe then</em>…well informed choices on the work elements that require greater attention can be made, and tough goals may be set on only their key performance indicators.</p>
<p><em>Maybe then</em>…having top performers in every role need not be an expectation, and may be targeted to where performance really matters most.</p>
<p><em>Maybe then</em>…employees will have crystal clarity on where improving work performance would make the greatest difference to business and their success.</p>
<p><em>And, most importantly, maybe then</em>…organizations can reliably direct talent and resources (more so when they are limited) to where they would be more effective and impactful.</p>
<p>Today’s business and HR leaders are smart, well-meaning, and willing participants in good talent management decisions. The exciting opportunity for both lies in keeping this intent alive and converting it to successful results by developing systems and tools that give the best signals to make more accountable human capital decisions.</p>
]]></content:encoded>
			<wfw:commentrss>http://sedonacyberlink.com/?feed=rss2&amp;p=3504</wfw:commentrss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://sedonacyberlink.com/?p=3504</feedburner:origLink></item>
	</channel>
</rss>
