2014

The recent cyber-attack on Sony Pictures, which the U.S. federal government says was committed by North Korea, may be the catalyst for changing perspectives regarding cyber-security in 2015.

Security experts investigating the hack against Sony Pictures appear to be moving away from the theory that the attack was carried out by North Korea, and instead now believe it may be the work of disgruntled former employees—or at least that former employees were somehow involved. Arguing that accessing and navigating selective information would take a detailed knowledge of Sony’s IT systems, researchers at the cyber-security firm Norse now claim six former employees could have compromised the company’s networks, according to an article in The Guardian.

While Norse is not part of the official FBI investigation, company representatives did brief the U.S. government earlier this week, company officials report. Although they did note the findings are “hardly conclusive,” Norse senior vice president Kurt Stammberger told the Security Ledger that nine researchers had begun to explore the theory that an insider with motive against Sony would be best placed to execute a hack, the Guardian article reports.

The team had started by examining a leaked database of Sony employees made redundant during a restructuring in May, the article notes. Of six people Norse claim had involvement with the hack, one was a former staffer made redundant in May after 10 years with Sony. She had a very technical background and had used social media to berate the company after losing her job, which fits the pure revenge motivation, the Guardian article reports.

That possibility reminds me of a report earlier this fall, in which the Department of Homeland Security (DHS) and the FBI jointly announced they have seen an increasing exploitation of business networks and servers by disgruntled and/or former employees. Some of these cases have resulted in significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company.

Regardless of who perpetrated the cyber-attack at Sony, the attack does cast a light on what may be a glaring deficiency at some companies. Production and distribution in the supply chain now encompasses a firm’s value chain proposition. Inbound and outbound logistics, along with operations and marketing/sales and service, are seen as critical factors that can drive competitive advantage. Consequently, the supply chain is at risk for cyber-attacks at numerous points of contact—including manufacturers, suppliers, transporters, retailers, distributors and even customers.

That, in turn, means finding innovative ways to ensure consumer and corporate privacy through fraud detection and intellectual property protection is critical amidst increasingly complex supply chain designs, writes Drew Smith, founder & CEO of InfoArmor, on SupplyChainBrain. For starters, supply chain firms should conduct a gap assessment across the organizational chain ecosystem and identify ways to remediate potential threats, writes Smith. Security auditing and real-time monitoring are requisite steps for companies with several key measures, he continues.

Firms also should enlist a third-party expert to conduct the audit, or even better, partner with a company that will perform an evaluation of the supply chain’s posture with on-going monitoring, Smith writes. Additionally, a company should have a security framework (for example ISO 27001), he continues, along with an individual such as a CSO, CTO, CEO or data steward who is responsible for management, strategy and responsive action.

What are your thoughts on the growing risk of cyber-attack? Secondly, does your company have a C-level executive specifically tasked with cyber-security?

Takata Corp., the embattled airbag maker, ratcheted up its response to a global auto-safety crisis yesterday by publishing an open letter from its chief executive officer in U.S. and German newspapers. The advertisements in newspapers including the New York Times, The Wall Street Journal and Detroit Free Press show Takata is intensifying efforts to defend itself amid a crisis that caused its shares to fall more than 50 percent this year.

At least five driver deaths in the U.S. and Malaysia, and dozens of horrific injuries, have reportedly been linked to the faulty airbags. At least one victim’s death was initially investigated as a murder due to the grisly injuries. The problem is that there is a risk the airbags may deploy with excessive explosive power, sending potentially fatal shrapnel around the interior of the automobile. Consequently, millions of vehicles produced by some of the world’s largest automakers, including Honda, Toyota and General Motors, have already been recalled due to the risk. The majority of the recalls are in the U.S., as the defective airbags were mostly made in Mexico.

The Takata letter is a response of sorts to heavy and continued criticism directed at Takata’s top executive for remaining largely silent on the issue, even though there are accusations that the company hid evidence of the defects for years.

“Even one failure is unacceptable and we are truly and deeply saddened that five fatalities have been attributed to auto accidents where Takata airbags malfunctioned,” Shigehisa Takada, Takata’s chairman and grandson of the company founder, wrote in the letter. “We understand the public’s concerns and we take them seriously.”

“I am personally committed to do what is necessary for Takata to regain the full confidence of the public and our customers,” Takada wrote.

The open letter follows Takada’s interview Wednesday with Japan’s Nikkei newspaper, in which he said Takata had been misunderstood and that the company has no intention of confronting the U.S. National Highway Traffic Safety Administration. The company has refused NHTSA’s demands to expand some recalls, which have been limited to high-humidity regions, nationwide. Nonetheless, the regulator said this week that it’s preparing for a legal battle.

To address the issue, Takata has said it will increase replacement airbag production to 450,000 repair kits by next month from its plant in Mexico. The company also will boost capacity to build the components at factories in China and Germany within a year, Takada told the Nikkei. Takata added that it is tripling its capacity to test airbag inflators.

In an interesting turn, Japanese carmakers announced earlier this week that they are considering the idea of introducing expiration dates for airbags, said Fumihiko Ike, chairman of Japan Automobile Manufacturers Association, at a press conference. There are concerns that Takata still does not know the root cause of the problem, so the suspicion now is that the problem has been caused by a gradual deterioration, rather than a manufacturing fault, says Ike, who is also the chairman of Honda Motor.

“I think the debate may as well occur eventually on whether [airbags] should be replaced after several years,” says Ike. “We have already started the talks unofficially.”

Aside from what eventually happens to Takata—and Honda which has been named with Takata in at least one lawsuit—there are questions that arise from all this. Most notably, if the Japan Automobile Manufacturers Association does start to seriously consider introducing airbags with expiration dates, what would happen to industry costs? Secondly, who would have to maintain the inventory of replacement airbags?

What are your thoughts on the whole issue?

It was one thing when the after-effect of the Sony hack centered mainly on the release of distasteful e-mails, the release of confidential employee information and the unauthorized release of movies that have not yet been released to theaters. However, in recent days the nature of the threats from the hackers has dramatically escalated. All of this leaves executives at other companies wondering just what—if any—information is actually secure anymore.

As an editorial in the Chicago Tribune noted, the humor went out of the spectacle when the hackers sent a message to all Sony employees warning: “Not only you but your family will be in danger.” Since then, threats have been directed at the New York premiere of Sony’s movie “The Interview” on December 25 and at theaters that show the film.

The threat, which invoked the Sept. 11, 2001 terrorist attacks, has been widely reported over the past couple days. It also warned that people should avoid going to theaters where “The Interview” is playing.

It was no surprise then that theaters and chains began to announce they would not screen the film. Later today, Sony announced it would cancel next week’s planned release of “The Interview,” after most of the country’s largest theater chains had decided not to show it.

The larger risk for Sony, and the risk for every company and really every individual, is the now-common theft of sensitive digital information. Consider that over the course of the past year, the list of victims includes retailers Target and Home Depot, and JPMorgan Chase—the nation’s largest bank. Moreover, the White House, State Department, Postal Service and National Oceanic and Atmospheric Administration have all been hacked as well.

“What this shows is that the IT guys tell the board and top management they’ve got the problem under control, and everybody goes back to business as usual,” says Adam Epstein, a corporate consultant with Third Creek Advisors, in a Bloomberg Businessweek article by Paul M. Barrett. “The weaknesses you see at Sony and other companies, large and small, can’t be fixed by installing one more firewall or some new antivirus software. By the time the good guys zig, the bad guys are already zagging.”

Furthermore, the malware used against Sony Pictures “would have gotten past 90 percent of the net defenses out there today in private industry,” Joseph Demarest, assistant director of the FBI’s cyber division, recently told the Senate Banking Committee, the Businessweek article reports.

Be that as it may, another misstep by Sony was that files were plainly labeled. Instead, Sony’s most valuable material—contracts with actors, directors, and investors and such intellectual property as unreleased films and scripts—ought to have been isolated from central data-storage systems connected to the Internet so it was much more difficult to find, Epstein says in the Businessweek article. This would require essentially non-technical decisions to invest manpower and money that could transform the castle keep into more of a labyrinth, he explains.

The simplest takeaway from the Sony situation is that too many companies have a laissez-faire attitude about e-mail. For instance, much of the sensitive information that was hacked from Sony was either in e-mail or in documents attached to e-mail. Security experts often warn that all employees—from the CEO down—should restrict e-mail content to what wouldn’t be damaging if it were lost.

In the end, I think there are more questions than answers. For example, are people now numb to the ever-increasing threat of cyber-attacks? Secondly, what if instead of Sony, the hacking victim was a global manufacturer and its intellectual property was stolen? Even more troubling, what if the hacking concerned municipal infrastructure and resulted in a power-grid failure or other large scale disaster?

President Obama announced late last week that the government will continue to invest in creating more Manufacturing Innovation Hubs.

At a meeting of the President’s Export Council (PEC), President Obama said the government will invest nearly $400 million to help improve the competitiveness of American businesses and workers by spurring new manufacturing innovations and giving American workers additional opportunities to improve and expand their skill sets for middle-class jobs. Of that amount, the President said more than $290 million in public-private investment will go toward two new Manufacturing Innovation Hub Competitions. Another $100 million will be used to expand apprenticeships for American workers.

Manufacturing institutes serve as a regional hub, bridging the gap between applied research and product development by bringing together companies, universities and other academic and training institutions—as well as federal agencies—to co-invest in key technology areas that encourage investment and production in the U.S. President Obama explained this type of “teaching factory” provides a unique opportunity for education and training of students and workers at all levels, while providing the shared assets to help small manufacturers and other companies access the cutting-edge capabilities and equipment to design, test and pilot new products and manufacturing processes.

The first institute is a Department of Defense-led Flexible Hybrid Electronics Manufacturing Innovation Institute. The DoD will lead a competition for a new public-private manufacturing innovation institute in flexible hybrid electronics, combining $75 million of federal investment with $75 million or more of private investment. Flexible hybrid electronics combine advanced materials that flex with thinned silicon chips to produce the next generation of electronic products, President Obama said. These include items as diverse as comfortable, wireless medical monitors, stretchable electronics for robotics and vehicles, and smart bridges capable of alerting engineers at the first signs of trouble.

The President went on to say that for the nation’s warfighters, these new technologies will make lifesaving advances and improve mission effectiveness. For example, intelligent bandages and smart clothing will alert soldiers to first signs of injury or exhaustion; structural integrity sensors will offer real-time damage assessment for helicopters or aircraft after engagement; and small, unattended sensors will give soldiers greater situational awareness.

The other manufacturing institute introduced last week is the Department of Energy-led Smart Manufacturing Innovation Institute. President Obama explained that a third of the nation’s energy consumption goes into manufacturing. New smart manufacturing technologies—including advanced sensors and sophisticated process controls—can dramatically improve energy efficiency in manufacturing, saving manufacturers costs and conserving the nation’s energy. The Department of Energy will lead a competition for a new public-private manufacturing innovation institute focused on smart manufacturing, including advanced sensors, control, platforms and models for manufacturing. By combining manufacturing, digital and energy efficiency expertise, technologies developed by the institute will give American manufacturers unprecedented, real-time control of energy use across factories and companies may increase productivity and save on energy costs, President Obama said.

For energy intensive industries—such as chemical production, solar cell manufacturing and steelmaking—these technologies can shave 10 percent to 20 percent off the cost of production, President Obama said last week. The new institute will receive a federal investment of $70 million that will be matched by at least $70 million in private investments, and represents a critical step in the Administration’s effort to double U.S. energy efficiency by 2030.

What are your thoughts on these manufacturing innovation institutes, or others such as the Digital Lab for Manufacturing in Chicago and the Lightweight Materials Manufacturing Innovation Institute in Detroit? What impact do you believe they will have on future manufacturing and supply chains in the U.S.?

Winter weather, or even a severe storm, offers a good opportunity to review risk mitigation strategies. For that matter, the storms could even occur somewhere else.

For example, a storm expected to be one of the windiest and rainiest in five years pushed across parts of Northern California early Thursday. Schools in San Francisco, Oakland and Marin counties shut down before the heaviest rainfall began. At San Francisco International Airport, where winds were measured at 48 miles an hour Thursday morning, more than 200 flights were canceled. As of early afternoon yesterday, 150,000 customers were without power in the San Francisco Bay Area, including 94,000 in the city itself, according to the National Weather Service. As much as eight inches of rain was expected to fall on coastal mountains over a 24-hour period, the Weather Service adds.

Then again, states in the northern half of the country, particularly the Midwest and Northeast, expect tough winters. Last winter was different though. Extended periods of below-zero temperatures and wintry conditions pushing south into unprepared states caused trouble in the energy and transportation grids. Many people in those areas, or who have operations in those areas, now wonder if another polar vortex is on the way this winter. If so, they could be in store for week-long periods of sub-zero temperatures that are disruptive and frequently make on-time delivery a challenge for suppliers hit by either the extreme cold or heavy snow.

Chris O’Brien, senior vice president at global third-party logistics provider CH Robinson, wrote on eft recently that the time to develop a mitigation strategy is when there still is time to identify and evaluate the weakest links and develop a plan to circumvent potential disruptions. That’s because disruptions can interrupt business between a company and its customers and suppliers—and last for days, weeks or even months. The longer those connections remain broken, the easier it is for competitors to step in and take market share, O’Brien wrote.

Global companies with high-value, high-demand products coming from multiple locations are the most likely to need a mitigation strategy. Certain industries are particularly vulnerable to disruption. Retailers and brand name pharmaceutical companies, for instance, require speed to market to keep sales channels open and customers satisfied, O’Brien writes. Manufacturers need raw materials and supplies at planned intervals to ensure plant uptime. Food and beverage companies must be able to trace problems back to their source in multi-tiered supply networks, he continues.

Companies with resilient global supply chains are more likely to have goods available when they need them, and to be able to continue serving customers without disruption. When they have visibility and are able to see their inventory, these companies are less likely to spend unnecessarily to transport emergency stock or supplies.

Complete redundancy is cost prohibitive. However, having some redundant stock, systems and resources in place may help avoid the waste of system breakdown if a disaster occurs, even in a highly efficient supply chain, O’Brien writes. Certain considerations can help build backup plans for more resilient supply chains and help companies adapt to changing circumstances.

For example, it’s especially important to map supply chains to identify chokepoints, and whether they are related to suppliers, inventory, transportation or technology. To ensure supply chain resiliency, O’Brien suggests companies continually ask questions such as: Are there sufficient backup suppliers for critical components? Where is inventory located? Should there be a plan for safety stock or forward stocking? What transportation alternatives are available to keep product flowing? Finally, if operations technology is disrupted, corrupted or destroyed, how quickly can data be recovered?

What are your thoughts on risk mitigation? Does your company continually review its strategies?

Cyber-attacks, such as those against Sony Pictures last month, but also Home Depot and Target, as well as the Apple hack that resulted in nude pictures of celebrities being released, will only grow in number next year, according to new research.

Earlier this week, Intel Security released its McAfee Labs November 2014 Threats Report, and the company’s annual 2015 Threats Predictions forecast for the coming year. The security researchers predict cyber-attacks will increase in 2015 as hackers use more advanced techniques to infiltrate networks. Furthermore, cyber-warfare and espionage will also increase as hackers make use of increasingly sophisticated strategies to hide their tracks and steal sensitive data.

There are several predictions in the report that I found most interesting. The first is an expected increase in the use of cyber-warfare and espionage tactics. Cyber-espionage attacks will continue to increase in frequency as long-term players become stealthier information gatherers, while newcomers to cyber-attack capabilities will look for ways to steal sensitive information and disrupt their adversaries, the report explains.

Also, the researchers expect greater Internet of Things attack frequency, profitability and severity. Unless security controls are built into their architectures from the beginning, the rush to deploy IoT devices at scale will outpace the priorities of security and privacy. This rush to deploy, together with the increasing value of data gathered, processed and shared by these devices, will draw the first notable IoT paradigm attacks in 2015, the researchers predict.

So-called “Ransomware” is expected to evolve into the cloud as hackers continue to develop its methods of propagation, encryption and the targets it seeks. McAfee Labs predicts ransomware variants that manage to evade security software installed on a system will specifically target endpoints that subscribe to cloud-based storage solutions. Once the endpoint has been infected, the ransomware will attempt to exploit the logged-on user’s stored credentials to also infect backed-up cloud storage data.

As would be expected, the researchers predict mobile device attacks will continue to grow rapidly due to the growing availability of malware-generation kits and malware source code for mobile devices, which will lower the barrier to entry for cyber-criminals targeting these devices. What’s more, untrusted app stores will continue to be a major source of mobile malware. Traffic to these stores will be driven by “malvertising,” which has grown quickly on mobile platforms.

Finally, McAfee Labs predicts that the aftershocks of Shellshock will be felt for many years due to the number of potentially vulnerable Unix or Linux devices—such as routers, TVs, industrial controllers, flight systems and even critical infrastructure. In 2015, this will drive a significant increase in non-Windows malware as attackers look to exploit the Shellshock vulnerability, the report notes.

“The year 2014 will be remembered as ‘the Year of Shaken Trust,’” says Vincent Weafer, senior vice president, McAfee Labs, part of Intel Security. “This unprecedented series of events shook industry confidence in long-standing Internet trust models, consumer confidence in organizations’ abilities to protect their data, and organizations’ confidence in their ability to detect and deflect targeted attacks in a timely manner. Restoring trust in 2015 will require stronger industry collaboration, new standards for a new threat landscape, and new security postures that shrink time-to-detection through the superior use of threat data.”

Do you agree with the McAfee researchers’ predictions? Secondly, whether you agree or disagree, is cyber-security an important issue where you work?

The cyber-attack that exposed data security flaws at Sony Pictures just before Thanksgiving showed the entertainment industry—and, essentially, any large company—that every company has its vulnerabilities.

On the one hand, some critics have accused Sony of having lax controls. Whether that’s true or not, the uncomfortable truth is that organizations need to balance security with the needs of running a business, creating inevitable vulnerabilities, says Paul Proctor, chief of research for security and risk management at Gartner, in an article on the Guardian.

“The only way to fully protect yourself from something like this is to shut down your business,” Proctor says in the Guardian article. “A dedicated enemy with sufficient resources can compromise any security system. There is no such thing as perfect protection. This is just a demonstration of it. People who believe they can be protected are likely to have their trust shaken by reality.”

Sony employees in Los Angeles discovered the security breach when they logged on to their computers and were greeted with the image of a red skeleton and a mocking message: “Hacked By #GOP.” This allegedly is a reference to a group calling itself Guardians of Peace. In addition to leaking a number of both current and upcoming films, the hackers posted Sony employee passwords, employee performance appraisals, salaries and other sensitive information on-line.

The FBI is investigating. Additionally, earlier this week, the bureau issued a confidential five-page flash warning to security administrators at American corporations about a recently discovered form of destructive malware. The warning did not name Sony, but said that the malware was written in Korean and was “destructive” in nature. It commands a computer to sleep for two hours, after which the computer is shut down, rebooted and directed to start wiping all of its files, the agency said.

Nevertheless, the use of the Korean language in the malware may be a red herring. Security experts note that it is easy to insert fake Korean-tinged data into the malware and the Sony attack could very well be the work of disgruntled employees or former employees.

That possibility reminds me of a report earlier this fall, in which the Department of Homeland Security (DHS) and the FBI jointly announced they have seen an increasing exploitation of business networks and servers by disgruntled and/or former employees. Some of these cases have resulted in significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company.

Perhaps more troubling is that a review of FBI cyber investigations shows that the cost to businesses for these attacks by disgruntled or former employees ranges from $5,000 to $3 million, per attack. Businesses reported various factors were used to create those cost estimates, including calculating the value of stolen data, assorted information technology services, the establishment of network countermeasures, legal fees, loss of revenue and/or customers, and the purchase of credit monitoring services for employees and customers affected by a data breach.

What are your thoughts on cyber-security? From a damages point of view, there is no difference whether an attack was perpetrated by a disgruntled employee, a former employee or someone else. Be that as it may, is your company prepared for any type of cyber-attack?

Last week, I wrote about Amazon’s use of Kiva robots in its warehouses to dramatically speed warehouse operations. This past weekend, Amazon gave tours of its Tracy, California warehouse so media could see those activities.

The robots, of which there are more than 15,000 companywide, are part of Amazon’s high-tech strategy to fill orders more quickly and deliver them to customers sooner. The robots lift shelves of Amazon products off the ground and then deliver them to employee workstations, which eliminates the need for warehouse workers to walk around looking for items. Consequently, employees at some robot-equipped warehouses are now expected to pick and scan at least 300 items an hour, compared with 100 items per hour under the old system.

But as a recent article in the LA Times points out, a rapidly growing army of robots at the country’s largest e-commerce retailer would seem to foreshadow eventual trouble for many of the thousands of employees at Amazon’s 109 warehouses. Amazon’s moves to revolutionize operations could also have implications industrywide if smaller companies feel forced to similarly adapt to compete.

“Real-life workers are going to have less to do,” says Michael Pachter, an analyst at Wedbush Securities, in the LA Times article. “It’s obvious that humans are going to lose these jobs. There will be exactly the same impact on retail as robots have had on manufacturing.”

During a tour of Amazon’s Tracy fulfillment center last Sunday, the company sought to dispel worries about the rise in automation.

“We continue to add employees, and no employee has been negatively impacted by Kiva coming on board,” says Dave Clark, Amazon’s senior vice president of worldwide operations and customer service, in the LA Times article. “When you look around at Kiva, there are still a lot of people working. What we’ve done is automate the walking element. Our focus on automation is to do automation that helps employees do their job in an easier way, in a more efficient manner.”

That may be true for now, but Amazon’s robots clearly are doing tasks humans would otherwise do, which over time would seem to lead to a need for fewer lower-wage workers. However, because robots can’t replicate everything humans do, such as being able to identify the exact product a customer has ordered and check it for quality, legions of employees will still be needed—and those jobs will be higher-paid positions, as the LA Times article notes. Furthermore, although robots will complete the labor-intensive tasks, skilled workers will increasingly be needed to operate, maintain and program the fleet of robots.

Also this week, Stephen Hawking—noted theoretical physicist, cosmologist and author of A Brief History of Time—expressed concern about artificial intelligence (AI) and said in a BBC News interview that efforts to create thinking machines pose a threat to humans’ existence. He went so far as to say that the development of full AI “could spell the end of the human race.”

Hawking said that while the primitive forms of AI developed so far have already proved very useful, he fears the consequences of creating something that can match or surpass humans.

“It would take off on its own, and re-design itself at an ever increasing rate,” Hawking said in the BBC interview. “Humans, who are limited by slow biological evolution, couldn’t compete, and would be superseded.”

From self-driving cars to smartphones with autocorrect and other intelligent assistant capabilities, there’s no doubt increasingly sophisticated automation is part of our lives. What’s more, as leading companies such as Google spend millions to acquire AI and robotics startups, AI will assuredly play a larger role in our lives, both personally and professionally.

It would seem first steps would be to use computational power to replace jobs that rely on pattern recognition, data gathering and distillation, and computational algorithms. Perhaps jobs in transportation/logistics and some production labor could be next.

What are your thoughts on the increasing use of robotics and AI? Will they eliminate jobs completed by humans or perhaps lead to the creation of new jobs?