
Saturday 24 July 2021

The Sad State of BCP and Cyber Risk Planning at Financial Market Infrastructure Institutions

Nine Years Thundering Toward the Station
Alas, Yet to Arrive

Here I am again making what no doubt could be labeled as an “overdue wake up call” by the chronically somnolent or perhaps as a “sobering fact” by the habitually intoxicated.

On 21 July the BIS Committee on Payments and Market Infrastructures published a joint report with the Board of the International Organization of Securities Commissions on a level 3 evaluation of implementation of the Principles for Financial Market Infrastructures (PFMI).

Before beginning my rant, a couple of notes.

The PFMI were issued in 2012, which would appear to be some nine years ago, if my arithmetic is correct.

The PFMI were issued to set standards for Business Continuity Planning (BCP) and Recovery of Operations for systemically important and therefore critical financial market infrastructure institutions:

  • payment systems (PS)

  • central securities depositories (CSD)

  • central counterparties (CCP),

  • securities settlement systems (SSS) and

  • trade repositories (TR).


To be clear, we’re talking about payment systems, e.g., CHIPS, CHAPS, and Fedwire, not individual banks. For the other categories, some US examples: DTCC, NSCC, FICC, etc.

The rationale is to require these critical market infrastructure institutions to have effective BCPs to restore service in the event of disruptions. In that regard think of power blackouts, 9-11, and, yes, cyber attacks.

Here is the link to the BIS CPMI page on the PFMI which contains additional details.

In addition to the PFMI, you will notice that there are also an additional eight guidance papers on implementation of the PFMI.

Among those there is a 2016 guidance paper on cyber risks. Applying the same arithmetic as above, that would appear to be five years ago.

The July joint BIS CPMI/IOSCO-OICU IMSG (Implementation Monitoring Standing Group) reviewed the business continuity planning practices at a sample of 38 FMIs from 29 jurisdictions during 2019-2020.

The sample comprised 14 PSs, 15 CSDs/SSSs, five CCPs and four TRs.

The study was conducted by reviewing responses to a questionnaire.

That is, based on assertions made by the respondents rather than an on site investigation.

If you’re like me, you might find that a bit chilling given the results. 

If you're willing to self-certify to failure, isn't it likely that the failure is even more egregious?

So what were the findings?

1.2.1 Timely recovery in the event of a wide-scale or major disruption

The IMSG has identified one serious issue of concern, which is that the business continuity management of some, and potentially many, FMIs does not seem to “aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption”, as expected by the Operational Risk Principle (Principle 17). Furthermore, based on the information provided by the participating FMIs, there are doubts about whether their business continuity plans are designed to “ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events” and “enable the FMI to complete settlement by the end of the day of the disruption, even in case of extreme circumstances” as expected by KC6. [That’s Key Consideration 6 in Principle 17]. Given this is a serious area of concern, the CPMI and IOSCO expect the relevant FMIs and their supervisors to address this as a matter of the highest priority.

Given that the PFMI were issued some nine years ago and implementation is still deficient, the use of the term “highest priority” is perhaps both an indication of importance as well as a bit of sarcasm. That being said, the IMSG only “expects” this to be done. No doubt as they have expected implementation over the past nine years.

The IMSG’s findings continue:

While almost all of the surveyed FMIs indicated that they have business continuity plans (BCPs) designed to meet this requirement, there is evidence that leads the IMSG to question this. In terms of specific evidence:

  • A few of the surveyed FMIs do not explicitly aim for the 2hRTO, even for wide-scale physical (noncyber) disruptions.

  • One of the surveyed FMIs acknowledges that its secondary site does not have a distinct risk profile from that of its primary site.

  • A small number of FMIs stated that they did not have alternative arrangements to allow for the processing of time-critical transactions. Of those that did have such arrangements, some relied solely on manual and paper-based alternative arrangements.

  • A few FMIs indicated that they do not have specific plans to mitigate potential widespread staff unavailability. This suggests that these FMIs may have difficulty completing settlement if this were to occur.

“Mighty disappointing”, to use a technical financial market term.

Inverse kudos to the respondent that apparently will rely on manual paper-based systems. Systemically important FMIs are likely to be ones that process “lots” (that’s another technical financial term) of transactions.

But, you ask, what about cyber attacks?

1.2.2 Cyber risk

Principle 17 states that “[a]n FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls…” The IMSG has identified one issue of concern, which is that a few FMIs in the sample did not provide specific BCP objectives with respect to cyber risk. Among the FMIs that have specific BCP objectives with respect to cyber risk, only a few explicitly acknowledged the breadth and depth of potential cyber attacks and the complexities of cyber risks that their BCPs may not be able to cover.

While not as serious as the previous risk in the assessment of the IMSG, I think this qualifies as very serious.

  • The probability of a cyber attack may be higher than some of the other risks of disruption and the impact much greater.

  • If computer networks are hacked, critical information, even that at backup sites, may be unavailable or destroyed.

Particularly, if the attack is the work of a state actor.

That would be a different kettle of fish than a natural disaster. Or even a 9-11 style attack.

Wednesday 16 June 2021

Ransomware Prioritize Prevention Then Pursue Prosecution – Part 2

When You're This Far Gone
It's No Wonder You Don't Hear the Wake-Up Call
And a "Sobering Fact" Is Likely to Have No Effect

In Part 1, I outlined (yet again) the above point: hardening the target should be the priority.

In this post, I will hit that downed horse several more times. 

Hopefully demonstrating that with respect to prevention there is quite a bit of low hanging fruit.

Please note that only the first point below directly relates to Mr. Younger’s opinion piece in the FT.

Russia

Mr. Younger had and perhaps still has access to secret information that makes him better placed than me to make an assessment about the links between ransomware hackers and the Russian Federation.

And as well to draw the conclusion that securing the cooperation of the RF will be a key element in stopping attacks.

His comment may be read to imply that the Russian Government

  • is more capable of controlling crime originating inside its borders than other countries are within theirs (that, I’d note, would be a remarkable achievement), or

  • that there are bonds between the hackers and certain organs of RF state security or

  • perhaps both

In any case, if the hackers were expelled and are motivated by profit, wouldn’t they simply pack up and go elsewhere?

Or in a demonstration of the intense competition in the “free market”, wouldn’t other countries’ enterprising hackers step up to fill the void?

From time to time, countries are “ranked” for the amount of “malevolent” internet traffic they originate.  

Perhaps, these reports may identify potential candidates?  

I didn't include all the countries named. 

You can look at the reports cited below for additional country names.  

One point to keep in mind. 

It’s unclear if these reports are based solely in IP addresses or if there are other metrics.

Like VPNs, proxy servers can make one appear to be in a country when one is not. Proxy server chains can create even more difficulty in locating a person or entity.

Matthew 7:7: Just one day after I posted this, Auntie answered. Still a great deal even at GBP 159 a year! https://www.bbc.com/news/technology-57504007

According to this report in 4Q2012, the PRC was responsible for 41% of “global attack traffic” on the internet, the US second with 10%, and the RF in fourth place with 4.3%.

According to another report, in 2016 China led the pack with 27.2% of cyber attacks (this is a subset of malicious traffic) the US with 17.12%, Turkey 10.24%, Brazil with 8.6%, and Russia with 5.14%.

According to this report for May 2019, “China, Russia and Ukraine appear to be active in a wide variety of hack attempts, including root kits, ransomware, brute force attacks and a wide variety of malware.”

State Intelligence Operations versus For Profit Criminal Hacking

It’s important to keep this distinction in mind when looking for solutions.

While finance is my provenance, I’d venture to guess that eliminating spying is even harder than eliminating organized crime.

According to what I read in the media, even allies spy on one another.

I’d also venture that countries are not going to allow the extradition of their intelligence operatives to a foreign country. 

What about criminals?

The definition of “criminal” can be tricky (to use a shared finance and legal term), particularly when it comes to matters of state security.

Unauthorized access to state secrets, secret internet or communications systems and physical sites is a crime.

In such a case one might revise the statement about “terrorists” and “freedom fighters” to: 

One country’s cyber spy is another country’s cyber criminal.

So what is to be done?

Prevention may offer a higher prospect of reducing risk than after the fact prosecution. Though prosecution should not be abandoned.

The Sophisticated “Hacker”

There seems to be a general perception that hackers are an incredibly brilliant lot.

Think of an evil twin from a soap opera.

A “rogue” Bill Gates, Linus Torvalds, or Larry Page.

That’s not always the case.

Much of the hacking takes place by the equivalent of opening an unlocked door or open window.

Those tools are fairly simple to program.

And, for the lazy, available for purchase on the web, or so I am told.

Here is a CISA alert from 6 May of this year.

More sophisticated hacking software is often developed from undisclosed flaws in existing software or systems that the hacker has purchased from someone else clever enough to discover them.

Here’s an article on these “flaws” or zero-day exploits.

Here’s another on how these sort of exploits were used to hack IOS in February 2020.

And there are other ways.

According to security experts the WannaCry ransomware attack was made possible by using information from some NSA software that Shadow Brokers illegally acquired and then put up for sale.

The Somnolent/Negligent Target

Here’s where we get to the really uncomfortable part – taking responsibility.

Lots of attacks are successful because targets left their doors unlocked and windows open.

WannaCry was facilitated because many users hadn’t upgraded from Windows XP.

As is common practice, after a certain amount of time, software vendors stop “supporting” old software. That includes providing security patches for known vulnerabilities.

You’ll see that same failure mentioned regarding some of the 2018 ransomware attacks in the USA.

Another is failure to install patches and updates that are provided by the vendor. 

That is perhaps even more egregious. One doesn’t have to plunk down money for a new bit of software, but merely install a “patch” from the vendor.

Pulse Secure VPN appears to be our poster child here.

First, an article from AP about breaches this year.

Here is a CISA alert from 15 April 2020 which is an update from 10 January 2020. 

Take a look at the timeline outlined in this report.

You’ll notice the vendor made its first wake-up call in January 2019. That was followed by several “sobering facts” from a variety of sources.

Both of these incidents may be a salutary caution to those whose mobile phones no longer receive software updates or security patches. Or those who have ignored a message to update their phones.

I’ll upgrade this comment later to “a wake-up call” or “sobering fact”.

As you will notice from the FT article cited above, WannaCry was described as a “wake-up call”.

That the somnolent didn't and don’t answer.

Perhaps the solution is a louder ring tone? Voice mail?

Not bloody likely! (See picture at the head of this post).

Stricter government requirements and robust penalties for failure to adhere to them are likely to get more attention and responses.

Tuesday 15 June 2021

Ransomware Prioritize Prevention Then Pursue Prosecution – Part 1


Noted Internet Security Expert, B. Franklin
Interesting Fact: 
Colonial Pipeline Earlier Management Ignored His Advice

Alex Younger, former head of the Secret Intelligence Service, penned an opinion piece in Saturday’s FT, “Ransomware attacks have to be stopped — here’s how”.

Some 898 words long. Lots of good advice and interesting points.

However, he had but these 37 words (4%) on what I consider to be one of the key steps to resolving the problem.

It follows that governments can and should do more but not to the point of absolving individuals and firms of their own responsibilities. A surprisingly large amount of this is about getting the cyber security basics right.

The last sentence “names the issue exactly”.

I think this is the major problem.

By way of analogy, let’s assume a town where no one locks their doors, where people leave valuables in plain sight, where it’s common to leave the keys to one’s Maybach in the ignition, and the car in the driveway.

Now we could crack down on those who buy stolen goods, even those in other cities.

We could station a policeman by each house to keep guard.

Or, we could get as many citizens as possible to lock their doors and secure their property.

What this latter step hopefully would do is lessen the opportunity for crime.

And the amount of crime that takes place.

It also lessens the number of vulnerable targets that one has to guard.

If we can take the above steps, then resources can be more focused.

Also, and perhaps more importantly, with national security issues one would, I hope, prefer to prevent an attack over a successful response to the attack.

Is this the case with ransomware? That doors are unlocked, valuables unsecured?

First, some macro examples from an earlier post.

Two quotes from the FT. Italics mine.

  1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

  2. The oil and gas sector has been criticised for lax cyber security regulation.

The above points are estimates not facts.

But it should be not only an “overdue wake up call” but also a “sobering fact” even if these are overestimates by a factor of two.

The companies making these estimates are companies selling security products and so may have a profit dog in the fight.

So let’s turn to recent comments by the US Secretary of Energy. She is reported to have said that “hackers” could shut down the US energy grid.

Second, some individual examples.

Colonial Pipeline was penetrated through a VPN which was “not intended to be used” but not turned off. That system had single factor authentication.

In February 2020, CISA (Cybersecurity and Infrastructure Security Agency) published an alert on a ransomware attack on an unnamed US pipeline.

That alert mentions some of the same security failures as with Colonial Pipeline.

Lessons learned?

Wake-up calls unanswered?

Sobering facts insufficiently “sobering” to overcome the state of intoxication?

As well, you will note that many of the other failures mentioned in that alert are “basic cybersecurity”. The PC equivalent of locking doors, securing valuables, etc.

You will see this pattern of “rookie” mistakes in many of their alerts.

Another study that ranks cybersecurity by country seems to confirm the above.

The US ranks 46th out of 75 countries.

Some caveats:

  1. This isn’t an apples to apples comparison. Rather it is an overall ranking across a broad gauge of metrics not just for ransomware. It includes attack attempts, infection rates on personal devices, etc.

  2. But despite that drawback it does highlight the Willie Sutton Principle: One would expect the USA to be of more interest to hackers than many of the other countries on the list. And so more targeted. And so more in need of defense.

In Part 2, we’ll look at some other issues, not all of which relate directly to Mr. Younger's opinion piece.


Saturday 12 June 2021

Colonial Pipeline CEO’s 8 June Testimony -- Annotated


No Need for an Extensive Hunt
Just Read Below

On June 8th Joseph E. Blount, Jr., President and CEO of Colonial Pipeline testified before the US Senate Committee on Homeland Security and Governmental Affairs.

I have annotated quotes from his prepared statement before the Committee to provide further context and set the stage for a following post on the Committee’s reaction.

Quote 1

Colonial Pipeline is cognizant of the important role we play as critical infrastructure. We recognize our significance to the economic and national security of the United States and know that disruptions in our operations can have serious consequences.

That certainly sounds promising: Colonial acknowledges its “significance to the economic and national security of the United States”.

Based on that we can expect a description of the robust measures that Colonial took to prevent hacking and ransomware attacks.

Quote 2

I recognize that the attackers were able to access our systems. While that never should have happened, it is a sobering fact that we cannot change. 

Indeed it should never have happened.

It is as well a “sobering fact”.

While great philosophers have debated whether a “sobering fact” is more urgent than a “wake-up call”, I think it’s safe to say that they largely agree that for a fact to be “sobering” one must not have been in a “sober” state prior thereto.

Quote 3

We take our role in the United States infrastructure system very seriously.

With a previously reported 30%+ net profit margin, very seriously no doubt.

That aside, I guess we’re about to hear about Colonial’s robust preventive measures and the millions spent on cybersecurity.

I’d note that I take my role as a parent very seriously with respect to the safety of my children while traveling in our car.

That means of course that the Prince of Wails is secured in a baby seat and the two other little ones are buckled in before we embark.

Madame Arqala generally rides “shotgun” in these cases. 

And makes ample use of the “phantom” brake and periodic verbal warnings to moderate any perceived excesses in my speed.

Note that those steps are undertaken before not after a crash.

So you’re probably as excited as I am to hear from Joe.

Quote 4

Colonial Pipeline is an accountable organization, and that starts with taking proactive steps to prevent an attack like this from happening again.

It seems that CP’s “accountability” is focused on the future. 

They're looking "forward not backward."

Unspoken is the extent of accountability for pro-actively securing the stable gate before the horses bolt.

That can’t be quite right, given all of Joe’s statements so far about Colonial’s attitude to protecting critical infrastructure.

There’s got to be more to come.

Quote 5

Although the investigation is ongoing, we believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.

Ah, the answer.

When you hear the word “legacy”, you immediately know that it’s not current management’s failure.

It’s like the fraternity or college that has to accept an applicant because he’s a “legacy”. Neither can be blamed if the “legacy” doesn’t work out.

Or “legacy” can also mean something unwanted that you inherited, like your Aunt Stella’s collection of glass figurines. Just stick them in a box and forget about them.

With a name like “Colonial” you might well expect that John Murray, Fourth Earl of Dunmore, George Washington, or Alexander Hamilton probably set up the VPN.

Before you rush to blame any of them, let me remind you that internet security was not as advanced then as it is now. 

Also we learn that the system “was not intended” for use.

But it certainly seems that it was “left on”.

So Colonial’s management is filled with good intentions among other things.

I guess in some quarters that counts for more than “effective actions”.

But that doesn’t mean that Colonial isn’t taking action now.

Quote 6

We have worked with our third-party experts to resolve and remediate this issue; we have shut down the legacy VPN profile, and we have implemented additional layers of protection across our enterprise. We also recently engaged Dragos’ Rob Lee, one of the world’s leading industrial and critical infrastructure and OT security specialists to work alongside Mandiant and assist with the strengthening of our other cyber defenses. We have also retained John Strand from Black Hills Information Security, another leader in the cybersecurity space, who will provide additional support to strengthen our cybersecurity program.

Clearly quite a bit of work is being done now, that is, to remind you, after the hack.

Can we infer from the long list of remedial items that there were widespread and serious security weaknesses pre-hack?

It sure sounds like it.

With this as backdrop, you probably expect that Joe is about to get quite a grilling from the Senators on the Committee.

Let me remind you that “expectations” just like “intentions” don’t always deliver the wished for results.

Once the transcript of the hearing is published we’ll take a closer look.

Wednesday 9 June 2021

The “Big Boys” Market – Ransomware Insurance


The Underwriter's New Suit

In the 3 June FT, Ian Smith had an article, “Cyber Premiums Jump in Face of Acute Threats”.

Two quotes from the article and my reactions.

Surge in attacks prompts vigilant insurers to question clients closely about culture, attitude to security and training.

And 

Nor are insurers simply jacking up prices. They are also becoming more vigilant about controls at the companies to which they sell cover.

A big “shout out” for the use of “vigilant”.

The clear implication is that many, perhaps most, have been asleep at the switch.

If you’ve been following my “Big Boy” series of posts, you know I like to puncture the unwarranted myth of the imaginary “sophisticated” investor.

In that vein let’s reflect on Ian’s article using my own personal experience.

When I went to take out an insurance policy on Chez Arqala, my insurance company asked a raft of questions.

  • About smoke detectors, their locations, and presence of fire extinguishers and other such equipment.

  • I was also asked if we have a home security system and whether, in addition to intrusion detection, it also had a fire detection capability. Was it set to ring up the authorities? Who were the providers of the home security system?

  • Did it have a back-up battery in case of power disruption?

  • How far we were from the nearest fire station.

  • Whether we stored any flammable or dangerous materials in the house.

  • Other than the little people who live with Madame Arqala and me, we were clean on that score.

No questions about culture, though. 

I guess he could tell just by looking at me. Or perhaps at Madame Arqala.

The decision to “write” the policy and the premium depended on our answers to those questions as well as our post code.

It boggles the mind that insurance companies writing cover for multiples of that provided on our house wouldn’t be asking similar questions for cyber cover.

And come to think of it, quite a lot more.

Apparently, they were not doing this.

Now to be fair, the general “take” on insurance underwriting standards is that only life insurance consistently makes a profit.

With other “lines” irrational exuberance and shoddy standards lead to highly cyclical swings in profits.

So much for the “big boys” of insurance. 

At least they are not an outlier among the “big boys”.

Sunday 6 June 2021

Taking Responsibility: A Key Step to Minimizing Ransomware Successes

If You Don't Answer Your Phone, 
Calls are not "Overdue", They're Ignored

Saturday's FT "Big Read", "The cyber threat to America's beef", discussed expert reaction to the ransomware attack on JBS.

I'm going to use quotes from that article to outline two acceptances of responsibility that are necessary, but not necessarily sufficient, to fix the problem.

Step 1: Corporate acceptance of responsibility (a) for its past failures and (b) to fix the problem.

The first quote.

Beyond the political posturing, analysts and cyber security experts say companies, government and other entities must treat the hack as an overdue wake-up call to not only develop adequate defences but also to develop a unified approach to dealing with the soaring number of attacks.

Sorry, this is neither “overdue” nor a “wake up call”.

Let’s call it precisely what it is.

It is a failure to heed numerous warnings given over many years.

Until corporate managements admit that fact and take responsibility to act responsibly, there will be no solution to the problem.

The CISA (Cybersecurity and Infrastructure Security Agency) was founded in November 2018 (roughly three years ago). They published an alert on a ransomware attack on a pipeline in February 2020 (let’s call that one year ago).

The National Protection and Programs Directorate (NPPD) was set up under the DHS’s umbrella in 2008 with the mission of protecting the USA’s critical physical and cyber infrastructure. (That would be thirteen years ago).

If you look at the CISA website here, you will find a list of resources, including alerts, tips, training and webinars.

Notice that the first “alert” dates from 2009. (That would be twelve years ago).

And then there is the FBI’s IC3 unit, which has antecedents back to 2000 and has issued warnings on ransomware for many years. Here’s one example from 2019.

Or maybe this memo from the DOJ in 2015.

Overdue?

The only thing “overdue” is the response to the warnings.

CISA also offers a free checkup service (no “death panels” as far as I know) for governmental entities and private companies that operate critical infrastructure:

  1. Weekly vulnerability penetration scans

  2. Web application scanning

  3. Phishing campaign assessment

  4. Remote penetration testing

It would be interesting to know how many private sector firms operating critical infrastructure have availed themselves of this service. And if not, why not?

Beyond efforts by the USG to ring the tocsin of alarm, the media has reported on the risks of hacking and ransomware for some time.

NYT Feb 2020, NYT 2017.

Or Fox News 2018 (Port of San Diego) and Fox News 2018 (City of Atlanta incident; note this was described as a wake-up call).

I’m not a computer or cyber security expert, but even I knew of the risks to national security from hacking before SolarWinds and JBS. Or from reliance on foreign manufactured components in computers, telecommunication systems, etc.

That’s not to brag: any moderately sentient person who reads the news should be able to figure this out, even one like me who focuses primarily on matters financial.

Captains of industry might well be expected to have even greater sources of information as well as staff who might fill in any gaps in their attention spans.

Additionally there are the firms who make a living in this field who have weighed in on the risks. Here’s a link to one. They mention the first ransomware attack as taking place in 1989. (That would be thirty-two years ago).

Another quote from the FT article.

The alleged perpetrators of the JBS attack have long been known to cyber security experts. Since February alone, the Russia-linked REvil group has been connected to almost 100 targeted ransomware attacks, according to cyber security specialists ZeroFOX.

Step 2: Government acceptance of responsibility to impose rigorous standards on entities critical to national security and enforce penalties on them for failure.

The second quote.

“Once again the notion that ransomware is a national security threat is ringing true. We need a fundamentally different approach to security,” says Sanjay Aurora, Asia-Pacific managing director for UK AI company Darktrace.

Indeed a new approach is needed.

That fundamentally different approach to security would involve abandoning naive beliefs about market efficiency. The market hasn’t solved this problem and isn’t going to.

The simple reason?

Corporations don’t want to spend the money directly or indirectly (the time).

Governments need to impose comprehensive and rigorous security requirements with substantial monetary penalties for failures to implement them.

Legislation that was passed and regulations issued regarding Business Continuity or Disaster Plans can provide a precedent.

The cybersecurity laws should allow in extremis the replacement of management and the cancellation of licenses/permits to conduct critical infrastructure business.

Note the dual approach to achieve the goal by threatening the single most important priority of each of the two key parties:

  • management’s retention of its sinecures and

  • the value of shareholders’ investments.

That doesn’t mean if a company critical to national security were successfully hacked that it would necessarily be fined, its management removed, or the business turned over to another party.

What it should mean is that if a company hadn’t taken reasonable precautions, say to protect the operating system of its pipeline, then the hammer would come down in line with the severity of its failures.

Friday 4 June 2021

The Absolute Wrong Way to Stop Ransomware and Hacking


Just when I thought the idiocy on this topic had reached its pinnacle, I was proven wrong yet again.

See today’s FT “White House implores businesses to strengthen ransomware defence”

The word “implores” particularly set me off.

Then I thought a bit more and remembered—or at least I think I do—how this sort of decisive approach has been successful in the past.

Here are just two examples:

  1. Following an appeal from the SEC a few years back, the incidence of financial fraud and market manipulation in the USA has dropped dramatically. As has insider trading.
  2. After both my wife and I implored the little ones who live with us to eat healthy for their own good, we’re no longer asked for cookies or ice cream. Both grandmothers have reskilled and are now bringing vegetables when they visit.

While there has been no reaction yet, I’m confident that my letter to President Biden and Senator McConnell is about to usher in an era of bipartisanship not seen since “peace guided the planets and love steered the stars”.

Naysayers out there might comment that business with few exceptions has been asleep at the switch so long now, that it’s almost certain that they don’t have a clue where the switch is. Or what it does. Or how to operate it.

Or that imploring the habitually somnolent and negligent to “take action”, particularly when the action involves spending money, has not proven to be particularly efficacious.

They’re wrong as demonstrated above.

Though I will admit that it seems strange to call the addressees on the memo business “leaders”.

One final note.

If you’ve been inspired by this blogpost and want to establish peace in the Middle East, on the Korean Peninsula, or in the Gulf, please feel free to direct your own memo imploring the parties to take action.

I won’t mind.

I had intended to do all those things myself.

But currently I am focused on learning Romulan to write the memo that will “fix” any dangers to our way of life from UFOs. I think we’re not far enough into the season that it would be the Borg.

Kumbaya!

Bonus Gratuitous Snark

Some further thoughts that occurred to me after I first posted the above.

Additional rather sad conclusions that have to be drawn from this episode.

First, the memo contains 5 recommendations for action that might charitably be described as the blindingly obvious. Things equivalent to “lock your doors” and “don't run with scissors”.

Hardly the sort of advice that captains of industry should need to receive, for two reasons.

  • The advice given isn't rocket or computer science. Just common sense steps.
  • The warning should not be necessary; they should know this already.

If they missed either or both of these points, it's pretty clear that they need to step aside for those with the aptitude and attitude required to do the job.

The memo is a damning assessment of the calibre of our business tycoons. 

Though to be fair that assessment is supported by successful ransomware attacks on companies who did not lock their doors, etc. and the woeful lack of preparation at other firms as noted in my earlier post.

Second, it's not just the captains of industry who are in for criticism.

What does it say about the US Government? 

As my mentor used to say "you can tell you're in a third world country, when problems are addressed through rhetoric rather than concrete action".