Peter Cochrane's Uncommon Sense: Holistic Security
We have the ability to be far more subtle and capable.

Every day I seem to receive briefings or articles on the topic of security with an almost exclusive focus on the internet and electronic aspects of the personal, the corporate and the organisational. From the laptop and PC through Wi-Fi, wired LANs, servers, ISPs, networks, mainframes and storage, the concentration of interest is in viruses, worms, Trojan horses and all forms of cyber-attack.

It would be easy to end up thinking these are the only aspects of security that really matter. And it is not just the tech community propagating these briefings and articles. The wider management population also shares the same view. In my view, there is much more to this topic and we need to take a far more holistic approach.

The past 20 years have seen companies migrate from 100 per cent in-house employees, who did everything from gardening and food to production. All had references and were vetted before they were engaged and soon had an inherent loyalty to the company for their employment and benefits.

Today the situation has changed with almost everything being outsourced. Most organisations no longer enjoy 100 per cent containment and the loyalty it buys. It is now the norm for the restaurant, cleaning, gardening, building maintenance and site security to be managed by external agencies under some service level agreement. This trajectory is part of a wholesale migration to the fabled virtual company with large numbers of temporary employees and an outsourced front and back office, with all technical and support services overseas.

While there are tremendous economic gains to be made by outsourcing and virtualising, we should also recognise the gradual erosion of employee loyalty for those remaining at the core of the company. Pay and treatment disparities, plus the continuous threat of reorganisation and pending unemployment, provide constant destabilisation and discontentment. But even more worrying, keeping the overall organisation secure can become a nightmare.

While huge savings have accrued through outsourcing and the dispersion of organisations across the planet (by exploiting lower labour costs and wider accessibility to educated and capable people), security and organisational defence have become far more difficult. But it goes much further. The wholesale closure of industries driven out of a country or region by cost reduction now sees an exposure that includes an inability for a nation to feed itself and provide its own clothing, energy, fuel oil and the majority of the technology on which it is increasingly dependent.

This all means that high on my list of parameters for making company decisions is the political stability and integrity of regions, governments and companies. When considering the prospect of outsourcing as a means of leveraging business by further reducing operating cost we really must include the downside risk. If history has taught us anything, it is that the unthinkable almost always happens. Outsourcing anything to an unstable region is risky.

The aggressor in any war or criminal activity generally has the upper hand in terms of surprise: being able to spring an attack from a direction the victim is not even looking and may not even be aware of is hugely advantageous. This is made infinitely easier for the aggressor if they can subvert an organisation by working on the inside as an employee, sub-contractor or outsourcing agent. They can gather all of the information, data and intelligence they require to inflict huge damage at some point and time known only to them.

Every major virus and worm attack costs the global economy around $2bn. The cost of malicious activity inside large corporations tends not to be revealed or advertised for fear of destabilising the customer base. This is especially true in the banking and insurance sectors where there is a time-honoured tradition of presenting a public face of infallibility and total security. It is also true of network operators and many providers of information services. But the reality is $10bn per year is being lost by electronic and physical attacks by people who are working on the inside.

Democracy and democratic organisations are the easiest targets of all. They tend to operate with 'shields down' - with an openness and honesty that assumes people have good intent and are willing to contribute. Unfortunately much of the modern world does not hold to these values and will take advantage and we need a more holistic approach to the growing security threat.

We have to employ within our systems and organisations the capability not just to identify the enactors of a particular crime but to pre-empt that activity by monitoring over the long term their actions as they gather pace. This automatically raises issues of civil liberties and privacy violations, and some may see the potential for the creation of an Orwellian state that will be worse than the disease.

I happen to think that we have the ability to be far more subtle and capable. It doesn't have to be blatant and intrusive. It doesn't have to be stupid and dumb - it can be smart and it can be powerful.

In my past I have been responsible for setting up internal units for the express purpose of attacking the host company to see where the vulnerabilities lie before they are discovered by the agents of evil. This has usually been done to the great disquiet of the management and the security department, but the reality is it is far easier to be a criminal/terrorist than a defender. Employing your own brand of criminal/terrorist, under your own control, is a very powerful way of locating weaknesses so that cures can be formulated on the basis of real evidence rather than the aftermath of a real attack.

My guess is that we really have to go a step beyond this and I will give just one example here. Like it or not the civilised world is in the business of supplying goods and services to everyone and the great hope is that we can equalise the living conditions of the peoples of our planet to provide everyone with a reasonable life, free from the terror of war and other threats. As we do so, much of our technology will leak into the hands of those who wish to do harm and they may be not just individuals and small organisations. They may be complete regimes and countries.

It is not beyond our engineering wit and capability to build into everything we sell the ability to disable or limit the functionality at some point of time in the future, should these technologies be turned against us. This is especially true of weapons, where aircraft and missiles, tanks and ships have hugely complex systems that could be brought down electronically rather than by explosives. Indeed, the same is true of computing and communications systems and anything electronic or electrical that could be used in a war of atoms or bits.

Somewhere on this raft of complexity there is a reasonable path for us to increase the potential for an outbreak of peace as opposed to another outbreak of war.