Showing posts with label Vulnerabilities. Show all posts
Showing posts with label Vulnerabilities. Show all posts

April 27, 2019

Top Secret Tinseltown

So this is a city with a lot of secrets. 

I'm not talking about just the run-of-the-mill, non-disclosure agreement (NDA).

This is Top Secret Tinseltown!

And even the stuff that comes out in the news--whether it's clandestine transfers of $1.7 billion to the Ayatollahs in Iran or the Uranium One deal with the Russians, there is plenty of dirty little games going on. 

What was hilarious is when when saw this huge industrial shredding truck in the parking lot:


Paper Shredding * Electronic Destruction * Medical Waste Disposal

And there were a line of cars waiting to get rid of their little secrets.

I kid you not when I say that on a Saturday morning, there were at least 25 cars in line to dispose of their "stuff."

Now who do you know in what city that waits 25 cars deep in line for an industrial shredder on a Saturday morning.

And the cars are pulling up, the trunks are popping open, and boxes and boxes of paper and electronic files are being handed over. 

Gee, I hope the Russians or Chinese aren't getting into the shredding business...and inside the truck isn't a large shredder but a bunch of analysts waiting for you to hand it all over. ;-)

(Source Photo: Andy Blumenthal) 
Share/Save/Bookmark

October 19, 2017

Never Ever More Vulnerable

So we have never been more technology advanced. And at the same time, we have never been more vulnerable

As we all know, our cybersecurity have not kept near pace with our ever growing reliance on everything technology.

There is virtually nothing we do now-a-days that does not involve networks, chips, and bits and bytes. 

Energy
Transportation
Agriculture
Banking
Commerce
Health
Defense
Manufacturing
Telecommunications

If ANYTHING serious happens to cripple our technology base, we are toast!

From a crippling cyberattack that disables or hijacks our systems, steals or locks down our data, or creates massive chaotic misinformation flow to a EMP blast that simply fries all our electronic circuitry--we are at the mercy of our technology underpinnings. 

Don't think it cannot happen!

Whether it's Wannacry ransonware or the Equifax breach of our privacy data or the Kaspersky Labs hidden backdoor to our top secret files or North Korea threatening to hit us with an EMP--these are just a few of the recent cyber events of 2017!

Technology is both a blessing and a curse--we have more capability, more speed, more convenience, more cost-effectiveness than ever before, but also there is greater vulnerability to complete and utter death and destruction!

This is not just a risk that life could become more difficult or inconvenient--it is literally an existential threat, but who wants to think of it that way?

People, property, and our very society is at risk when our cybersecurity is not what it must be.

It's a race of defensive against offensive capability. 

And we can't just play defense, we had better actually win at this! ;-)

(Source Photo: Andy Blumenthal)
Share/Save/Bookmark

August 25, 2017

Ever Feel Like You're Target Practice

Thought this was really spot on.

The knives get sharpened and readied. 

At some point, they come flying out of nowhere. 

Often, from all directions at the same time.  

When it rains, it pours. 

Some people latch on to the opportunity to try and make a kill. 

You do your best to duck this way and that and survive the onslaught.

Hopefully, you were adequately prepared. 

The big question is--can you hold unto your cheese? 

(Source Photo: Andy Blumenthal)
Share/Save/Bookmark

June 23, 2017

Uber Overconfidence

As everyone knows, Uber is essentially--for now--a high-tech taxi company.

And high-tech tends to command high price.

But they are IMHO very overconfident of their position. 

And while I generally like taking Ubers, I would go so far to say that in many respects they are potential dead cab meat!

Why?

- Not because their leadership is in disarray and their founder and CEO was just forced to resign.

- Not because they have a disastrous corporate culture.

- Not because of their uber low or not profitable margins.

- Not because of the threat of autonomous driverless vehicles.

- Not because of the (alleged) stolen documents from Google.

- Not because Uber is (potentially) overvalued at nearly $70 billion (more than GM, Ford, or Honda)!

- Not because of its numerous competitors coming up from behind, including Lyft.

But a major reason is because:

They just gave you a not-so-hidden increase in price by tacking on a new tipping mechanism that will result in many people paying as much as a 20% hike to their overall fares.

Uber is now losing a sizable portion of their price point competitive advantage!

With the risks involved here, who could be so overconfident?
Perhaps, it's time to take a cab or hovercraft somewhere else. 

(Source Photo: Andy Blumenthal)

(All represents my own opinions)
Share/Save/Bookmark

April 19, 2017

Nation In Denial

We are a nation in utter denial over our problems.

Just to name a few...

Whether from the threat of North Korean dictator, Kim Jong Un, who smiled while displaying a video yesterday of nuclear missiles destroying the USA.

To the shooting death of three in Fresno, CA yesterday by a man shouting "Allahu Akbar" that was deemed not a terrorist attack.

To our national debt of $20 trillion which quadrupled in just the last 15 years under the administration of both political parties.  

Unfortunately, denial is still alive and well, while smiling photos of the North Korean dictator adorn the light poles outside the capital of the USA.

We don't like to admit our problems be it from despots threatening us with WMD to global terrorism that gives us no peace, and a mammoth debt that is sinking our national economic sustainability.

Smile for the camera!

Don't worry about big problem-solving. 

What we don't admit can't hurt us or can it?  ;-)

(Source Photo: Andy Blumenthal)
Share/Save/Bookmark

October 11, 2016

On the Lookout To Managing Risk

So risk management is one of the most important skills for leadership. 

Risk is a function of threats, vulnerabilities, probabilities, and countermeasures. 

If we don't manage risk by mitigating it, avoiding it, accepting it, or transferring it, we "risk" being overcome by the potentially catastrophic losses from it.

My father used to teach me when it comes to managing the risks in this world that "You can't have enough eyes!"

And that, "If you don't open your eyes, you open your wallet."

This is a truly good sound advice when it comes to risk management and I still follow it today. 

Essentially, it is always critical to have a backup or backout plan for contingencies.

Plan A, B, and C keeps us from being left in the proverbial dark when faced with challenge and crisis. 

In enterprise architecture, I often teach of how if you fail to plan, you might as well plan to fail. 

This is truth--so keep your eyes wide open and manage risks and not just hide your head in the sand of endless and foolhardy optimism for dummies. ;-)

(Source Photo: Andy Blumenthal)
Share/Save/Bookmark

February 9, 2016

Cybersecurity Lost In Unknowns

Today unveiled is a new Cybersecurity National Action Plan

This in the wake of another Federal data breach on Sunday at the Department of Justice where hackers stole and published online the contact information for 9,000 DHS and 20,000 FBI personnel

And this coming on the heels of the breach at OPM that stole sensitive personnel and security files for 21 million employees as well as 5.6 million fingerprints.

While it is nice that cybersecurity is getting attention with more money, expertise, public/private poartnerships, and centers of excellence. 

What is so scary is that despite our utter reliance on everything cyber and digital, we still have virtually no security!

See the #1 definition for security--"the state of being free from danger or threat."

This is nowhere near where we are now facing threats every moment of every day as hackers, cybercriminals, cyber spies, and hostile nation states rapidly cycle to new ways to steal our secrets and intellectual property, commit identity theft, and disable or destroy our nation's critical infrastructure for everything from communications, transportation, energy, finance, commerce, defense, and more. 

Unlike with kinetic national security issues--where we regularly innovate and build more stealthy, speedy, and deadly planes, ships, tanks, surveillance and weapons systems--in cyber, we are still scratching our heads lost in unkowns and still searching for the cybersecurity grail:

- Let's share more information

- Let's throw more money and people at the problem.

- Let's seek out "answers to these complex challenges"

These have come up over and over again in plansreviewsinitiatives, and laws for cybersecurity.

The bottom line is that today it's cyber insecurity that is prevailing, since we cannot reliably protect cyber assets and lives as we desperately race against the clock searching for real world solutions to cyber threats. 

Three priorities here...

1) Build an incredibly effective intrusion protection system
2) Be able to positively tag and identify the cyber attackers 
3) Wield a powerful and credible offensive deterrent to any threats ;-)

(Source Photo: Andy Blumenthal)
Share/Save/Bookmark

March 2, 2015

Metro Wide Open

I took this photo in the Washington, D.C. Metro today. 

What do you think it is?

Lots of electronics, wires, lights--and in front of it and holding the door open is a "caution" pylon. 

This is one of the faregates to get into the metro system for the Capital region. 

Now how "smart" is it to leave the door wide open to this contraption. 

Usually the basics of physical security is gates, guards, and guns--in this case, the gates part is broken. 

The Department of Homeland Security was provided another week of funding to work out the immigration mess pitting Congress against the President...

But even with DHS still up and running, security is looking a little too wide open again. ;-)

(Source Photo: Andy Blumenthal)
Share/Save/Bookmark

March 9, 2014

SCADA in Pictures




So SCADA are Supervisory Control and Data Acquisition systems.

They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more. 

These are part of our nation's critical infrastructure. 

In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to: 

- Turn on and off lights

- Open/close perimeter gates

- Control water and gas pipelines

- And even open and close a bridge

This was very scary!

No one, unauthorized, should be able to do this in real life, in the physical world. 

This is a major security vulnerability for our nation:

- SCADA systems should not be openly available online, and instead they should be able to be controlled only either locally or remotely through an encrypted virtual private network (VPN).

- SCADA systems should not be available without proper access controls--there must be credentials for user id and passwords, and even two-step authentication required. 

No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure--otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror. 

We owe our nation and families better, much better. 

(Source Photos from lab: Andy Blumenthal)

Share/Save/Bookmark

July 29, 2013

Medical Hacks

Usually when we talk about the dangers of cyber attacks, we are concerned with the dangers of someone stealing, spying, or systematically corrupting our information systems. 

But Barnaby Jack who died last week at age 35 brought us awareness of another, more personal and perhaps dangerous hack...that of hacking medical devices.  

Barnaby, a director at computer security firm IOActive, became known first in 2010 for being able to hack at cash machine and have it dispense money. 

In 2012, he drew attention to a flaw in insulin pumps whereby someone could cause it to administer a fatal dose to its unknowing victim. 

This week, Barnaby was going to demonstrate how heart implants could be hacked, killing a man from 30 feet away. 

With advances in the miniaturization and battery life of personal medical devices and implants for monitoring and managing patients health, more and more people could be exposed to malicious or murderous cyber attacks on their body.

With the potential for RFID embedded chips for managing our personal identities to bionics for replacing or enhancing human body parts with electronic and mechanical implants, the opportunity for someone seriously messing with our physical person grows each day. 

If dangerous vulnerabilities are discovered and exploited in these devices, an enemy could go from the traditional attack on our information systems to potentially sickening, disabling, or even killing millions at the stroke of some keys. 

Imagine people keeling over in the streets as if from a surprise attack by a superior alien race or the release of a deadly chemical weapon, only it's not extraterrestrial or kinetic, but instead a malevolent cyber attack by a hostile nation or cyber terrorist group taking aim at us in a whole new and horrible way.

(Source Photo: here with attribution to Bhakua)

Share/Save/Bookmark

July 21, 2013

Like Buying A Nuke On The Black Market

Buying a serious computer vulnerability is now like acquiring a nuke on the black market. 

Nations and terrorists will pay to find the fatal flaw in computer programs that will enable them to perpetrate everything from subversive cyber spying to potentially massively destructive cyber attacks. 

As the world is focused on nuclear non-proliferation, computer weapons are the new nukes--able to do everything from a targeted strike on an organization or agency to taking out vast swaths of our nation's critical infrastructure.

According to the New York Times (13 July 2013), there is a great interest in buying "zero-day exploits"--one where governments or hackers can strike using a computer vulnerability before anyone even knows about it and can correct it. 

The average zero-day exploit persists for "312 days--before it is detected"--giving amble time for attackers to cash-in!

Brokers are now working to market the computer flaws for a 15% cut, with some even "collecting royalty fees for every month their flaw is not discovered."

The average flaw "now sells for around $35,000 to $160,000" and some companies that are selling these are even charging an annual $100,000 subscription fee to shop their catalog of computer vulnerabilities in addition to the cost for each one that varies with it's sophistication and the pervasiveness of the operating system behind the exploit. 

While governments and terrorists are on the prowl to buy the exploits for offensive purposes, technology companies are competing to purchase them and are offering "bug bounties" in order to identify the flaws and fix them before they are exploited. 

We've come a long way from people and organizations buying software with their regular upgrades and patches to nations and hackers buying the knowledge of the flaws--not to patch--but to spy or harm their adversaries. 

You can buy the bomb shelter or software patch, but someone else is buying the next more lethal bomb or vulnerability--the question is who will pay more to get the next exploit and when and how will they use it. 

(Graphic by Andy Blumenthal adapted from here with attribution for the mushroom cloud photo to Andy Z.)
Share/Save/Bookmark

June 16, 2012

Securing Transport To The Cloud

A new article by Andy Blumenthal on cyber security and cloud computing in Public CIO Magazine (June 2012) called Securing Cloud Data Means Recognizing Vulnerabilities.

"It’s the principle of inertia: An object in motion stays in motion unless disturbed. Just like a car on a highway, everything zips along just fine until there’s a crash. This is similar with information on the superhighway."

Let's all do our part to secure cyberspace.

Hope you enjoy!

(Source Photo: here with attribution to Kenny Holston 21)

Share/Save/Bookmark

June 3, 2012

Raising The Bar On Cybersecurity



Good video by the The Washington Post (2 June 2012) on the importance and challenges of cybersecurity. 

There are 12 billion devices on the Internet today and this is projected to soar to 50 billion in the next decade.

Cybersecurity is paramount to protecting the vast amounts of critical infrastructure connected to the Internet.

There is a lot riding over the Internet--power, transportation, finance, commerce, defense, and more--and the vulnerabilities inherent in this is huge!

Some notable quotes from the video:

- "Spying, intrusions, and attacks on government and corporate networks occur every hour of every day."

- "Some sort of cyberwar is generally considered an inevitability."

- "Cyberwar although a scary terms--I think it is as scary as it sounds."

- "Right now the bar is so low, it doesn't take a government, it doesn't take organized crime to exploit this stuff--that's what's dangerous!"

We all have to do our part to raise the bar on cybersecurity--and let's do it--now, now, now.

Share/Save/Bookmark

May 5, 2012

Understanding Risk Management

Information Security, like all security, needs to be managed on a risk management basis.  

This is a fundamental principle that was prior advocated for the Department of Homeland Security, by the former Secretary Michael Chertoff.  

The basic premise is that we have limited resources to cover ever changing and expanding risks, and that therefore, we must put our security resources to the greatest risks first.

Daniel Ryan and Julie Ryan (1995) came up with a simple formula for determining risks, as follows:

Risk = [(Threats x Vulnerabilities) / Countermeasures)]  x  Impact

Where:

- Threats = those who wish do you harm.

- Vulnerabilities = inherent weaknesses or design flaws.

- Countermeasures = the things you do to protect against the dangers imposed.

[Together, threats and vulnerabilities, offset by any countermeasures, is the probability or likelihood of a potential (negative) event occurring.]

- Impacts = the damage or potential loss that would be done.

Of course, in a perfect world, we would like to reduce risk to zero and be completely secure, but in the real world, the cost of achieving total risk avoidance is cost prohibitive. 

For example, with information systems, the only way to hypothetically eliminate all risk is by disconnecting (and turning off) all your computing resources, thereby isolating yourself from any and all threats. But as we know, this is counterproductive, since there is a positive correlation between connectivity and productivity. When connectivity goes down, so does productivity.

Thus, in the absence of being able to completely eliminate risk, we are left with managing risk and particularly with securing critical infrastructure protection (CIP) through the prioritization of the highest security risks and securing these, going down that list until we exhaust our available resources to issue countermeasures with.

In a sense, being unable to "get rid of risk" or fully secure ourselves from anything bad happening to us is a philosophically imperfect answer and leaves me feeling unsatisfied--in other words, what good is security if we can't ever really have it anyway?

I guess the ultimate risk we all face is the risk of our own mortality. In response all we can do is accept our limitations and take action on the rest.

(Source Photo: here with attribution to martinluff)

Share/Save/Bookmark

May 4, 2012

Leadership Cloud or Flood Coming?

I came across two very interesting and concerning studies on cloud computing--one from last year and the other from last month.

Here is a white paper by London-based Context Information Security (March 2011)

Context rented space from various cloud providers and tested their security. 

Overall, it found that the cloud providers failed in 41% of the tests and that tests were prohibited in another 34% of the cases --leaving a pass rate of just 25%!

The major security issue was a failure to securely separate client nodes, resulting in the ability to "view data held on other service users' disk and to extract data including usernames and passwords, client data, and database contents."

The study found that "at least some of the unease felt about securing the Cloud is justified."

Context recommends that clients moving to the cloud should:

1) Encrypt--"Use encryption on hard disks and network traffic between nodes."

2) Firewall--"All networks that a node has access to...should be treated as hostile and should be protected by host-based firewalls."

2) Harden--"Default nodes provisioned by the Cloud providers should not be trusted as being secure; clients should security harden these nodes themselves."

I found another interesting post on "dirty disks" by Context (24 April 2012), which describes another cloud vulnerability that results in remnant client data being left behind, which then become vulnerable to others harvesting and exploiting this information.

In response to ongoing fears about the cloud, some are choosing to have separate air-gaped machines, even caged off, at their cloud providers facilities in order to physically separate their infrastructure and data--but if this is their way to currently secure the data, then is this really even cloud or maybe we should more accurately call it a faux cloud? 

While Cloud Computing may hold tremendous cost-saving potential and efficiencies, we need to tread carefully, as the skies are not yet all clear from a security perspective with the cloud. 

Clouds can lead the way--like for the Israelites traveling with G-d through the desert for 40 years or they can bring terrible destruction like when it rained for 40 days and nights in the Great Flood in the time of Noah. 

The question for us is are we traveling on the cloud computing road to the promised land or is there a great destruction that awaits in a still immature and insecure cloud computing playing field? 

(Source Photo: here with attribution to freefotouk)


Share/Save/Bookmark

April 24, 2012

Cyberwar--Threat Level Severe

!
This video is of an incredible opening statement by Rep. Michael McCaul (R-TX), Subcommittee Chairman on Oversight, Investigations, and Management on the topic--Cybersecurity Threats to the United States.

Some of the highlights from his statement:

- America's computers are under attack and every American is at risk.

- The attacks are real, stealthy, persistent, and can devastate our nation.

- Cyber attacks occur at the speed of light, are global, can come from anywhere, and can penetrate our traditional defenses.

- In the event of a major cyber attack, what could we expect? Department off Defense networks collapsing, oil refinery fires, lethal clouds of gas from chemical plants, the financial systems collapsing with no idea of who owns what, pipeliness of natural gas exploding, trains and subways derailed, a nationwide blackout. This is not science fiction scenarios. (Adapted from Richard Clark, former Senior Advisor of Cyber Security)

- It is not a matter of if, but when a Cyber Pearl Harbor will occur.  We have been fortunate [so far]. (Adapted from General Keith Alexander, Director of the NSA).

I believe we must address these threats and our vulnerabilities in at least five main ways:

1) Increase research and development for new tools and techniques--both defensive and offensive--for fighting cyberwar.

2) Establish a regulatory framework with meaningful incentives and disincentives to significantly tighten cybersecurity across our critical infrastructure.

3) Create a cybersecurity corps of highly trained and experienced personnel with expertise in both the strategic and operational aspects of cybersecurity.

4) Prepare nationwide contingency plans for the fallout of a cyberwar, if and when it should occur. 

5) Create a clear policy for preventing cyberattacks by taking preemptive action when their is a known threat as well as for responding with devastating force when attacks do occur. 

With cyberwar, just as in conventional war, there is no way to guarantee we will not be attacked, but we must prepare with the same commitment and zeal--because the consequences can be just, if not more, deadly.

Share/Save/Bookmark

April 13, 2012

Be Who You Are

I watched an interesting TED video presented by Brene Brown, who has a doctorate in social work and is a author many times over--she talked about one book in particular called The Gifts of Imperfection: Letting Go of Who We Think We Should Be and Embracing Who We Are (2010).

She said that from all her studies and research, what she learned is that purpose and meaning in life comes from the connections we make and maintain.

But what gets in the way is shame and fear--shame that we are not good enough and fear that we cannot make real connections with others.
To move beyond shame and fear, we need to feel worthy as human beings--true self acceptance--and say "I am enough."
 
However, she points out that as a society there is a lot of numbing going on (i.e. plenty of shame and fear) and that is why we are the most in debt, obese, addicted, and medicated society in history.  I liked this presentation and thought about how hard we are on ourselves--we are never good enough.

  • All our lives we pursue signs of advancement from that gold star in grade school to collections of degrees, awards, promotions, material goods, and even relationships.
  • We constantly push ourselves further and faster on the treadmill of life--in part to learn, grow and be better, but also to try to achieve our sense of self-worth and -acceptance.
Yet, as Brown points out those that are successful with relationships and have a strong sense of love and belonging are those that feel they are inherently worthy. They have self-esteem without having to achieve any of these things.

That sense of self-worth and confidence, Brown says, enables you to achieve three key things in life:

  1. Courage--This is the courage to be yourself and to tell others who you are with a whole heart (i.e. they don't hide in shame).
  2. Compassion--That is compassion for others, but also for yourself first--you accept yourself.
  3. Connection--Getting to solid relationships in life is a result of our own capacity to be authentic.

When you have that self-worth and confidence then you can embrace your vulnerabilities and make them beautiful, rather than numb yourself to constantly try to cover the disdain you feel for your frailties and weaknesses. 

From my perspective, our growth and contributions to the world are good things--leave the world better than you found it!

However, the proving ourselves and amassing "things," while milestones in life, are not a measure of a person's true worth. 

Sometimes it is fine to get over it all--accept yourself, be yourself, and stop worrying that your never good enough.

In the Torah (bible), when Moshe asked G-d his name--G-d replies in Exodus 3:14: "I am that I am."  


To me, this is really the lesson here--if we but try to emulate G-d, then "we are what we are."

That is not defeat or giving up on bettering ourselves, but acceptance of who we are, where we came from, and where we want to go in our lives.

We don't have to beat ourselves up for being those things or for making good faith mistakes along the way. 



 (Source Photo: Andy Blumenthal)
Share/Save/Bookmark

April 15, 2011

When Butterflies Sting

Butterfly

Stage freight (aka "performance anxiety") is one the most common phobias.

While often attributed to children, this is really a fear that everyone experiences--to a greater or lessor extent.

Organizations like Toastmasters help people overcome their fear of public speaking by having them practice regularly in front of the group.

Yet even the most experienced speakers and performers still get that knot in their stomach before a really big performance.

We are all human, and when we go out there and open ourselves up to others, we are vulnerable to ridicule and shame and being seen as shysters and charlatans.

So it really takes great courage to go out there and "do your thing" in front of the world--for better or worse.

As the child poet, Rebecca says, "when I go on stage, it's me, myself, and I."

What a wonderful perspective in being yourself and doing your best.

Here's what she has to say--in a poem called Butterflies.

(Credit Picture: scienceray.com)

________________________________

Butterflies

By Rebecca

Butterflies, that’s what I feel before the poetry slam.

It's 2 minutes before I read my poem.

I feel them tickling around my stomach making me want to puke.


My mom always tells me just imagine the audience in their underwear but it makes me feel even worse.

I told myself when I came up here you’ll do fine but, I know I’ll just stumble on a word.

Buzzing noises start in my ear.

I feel like I want to just go up on the stage and conquer my fear.

I shouldn’t care what people say because it’s my thoughts that matters.

When I go onstage it’s me, myself, and I.

1 minute till showtime.


Finally I hear my name.

I walk up to the stage unsteadily and all the lights are on me.

Everyone’s eyes beam towards me, almost as if they are watching a movie and I’m the show.

I read my poem.

I’m shaking.

I’m sweating like a dog running in the heat of summer.


I stumble upon a few words, but I survive it.

I am almost done. Just be done, already.

I read the last sentence but the time when I’m reading that sentence feels the longest.

My life is not going to end.

I’m done and I feel accomplished.


Share/Save/Bookmark

January 9, 2011

The Center Of Gravity Is Information

Center of Gravity (COG) is a military concept that Dr. Joseph Strange defines as “primary sources of moral or physical strength, power, and resistance.” From a military perspective, this is where we should concentrate when attacking the enemy. As Prussian strategist Carl von Clausewitz states, “that is the point against which all our energies should be directed.”

In “Center of Gravity Analysis” (Military Review, July/August 2004), Army Colonel Dale Eikmeier describes the framework for COG and how an enemy (your threat) attempts to exploit them, as follows:

· Center of Gravity—the organizations that do the work (e.g. the military/industrial complex)

· Critical Capabilities (CC)—the strengths of the organization—its “primary abilities”

· Critical Requirements (CR)—the supplies that a COG use—the inputs that are their opportunities, if leveraged for future plans

· Critical Vulnerabilities (CV)—the vulnerabilities a COG has—e.g. exposed or unguarded critical infrastructure

From an enterprise architecture perspective, I greatly appreciate this analysis of COG as it aligns beautifully with Albert Humphrey’s famous Strenghts, Weaknesses, Opportunities, and Threats (SWOT) Analysis for organizational strategic planning.

Aside from typical SWOT analysis to develop your organization’s strategy, the COG analysis adds greater offensive analysis to SWOT--like the military, organizations using the COG model can disrupt competitors’ advantages by seeking to weaken them where they are most vulnerable.

For example, EA used in this fashion may lead a company to build a sophisticated online sales site that directs customers away from your competitor’s retail location. Similarly, acquiring a major supplier (i.e. vertically integrating) may disrupt a competitors’ supply capability, and so on. The point is that EA becomes a force for attack rather than a mere planning tool or information asset.

It is at this point that I disagree with the assertion in the article that “Information is not power; it is a tool, an enabler. It helps wield military or economic power. By itself, it is simply information.”

Far to the contrary, information is one of the greatest assets that we have. It is the way that an advanced, intellectually based society competes. Of note, our declining performance in Science, Technology, Engineering, and Mathematics (STEM), which is so greatly worrisome to our leadership, is of concern because it is directly a threat to our competitive advantage, both militarily and economically, in the global environment.

Information, as embodied by the Internet, is now the center of our society. With it, we perform critical tasks of information sharing, collaboration and education. Used effectively, our military has developed robust command, control, communications, computers, intelligence, reconnaissance, and surveillance (C4ISR)—all information-based. Similarly, our industry is highly competitive and advanced because of the engineering, innovation, and people behind it.

Enterprise architecture, once a small part of the IT infrastructure, can actually play a far greater role in the information society if we allow it to. We have morphed from the industrial age of the 18th and 19th centuries to a highly advanced information society that creates new sources of critical capability, but also new critical vulnerabilities that must be defended. And we must also leverage the vulnerability of our enemies in order to stay viable. Whether it’s cyber-warfare or economic survival, information is at the heart of everything we are successfully doing today.


Share/Save/Bookmark