Saturday, February 5, 2011

NASDAQ penetrated. Feds clueless? Dear John:

Dear John:

(That's John Markese, chairman of the NASDAQ OMX Group, Inc. board of directors audit committee),

Last night's online WSJ carried a story, "Hackers Penetrate Nasdaq Computers." I've got to hand it to Devlin Barrett, the story's author. He absolutely nailed the salient issue in his first sentence:
Hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year, and federal investigators are trying to identify the perpetrators and their purpose, according to people familiar with the matter.
Good stinking grief, John! Repeatedly penetrated? During the past year? And the real knee slapper: "…federal investigators are trying to identify the perpetrators and their purpose…" In the immortal lyrics of Aerosmith, "Kiss off the devil and [honk] off a saint!" In my Monday post from National Defense Magazine, I contended that the Navy's being short of tools to detect and nab cyber-intruders built my case for authorizing legally bonded cyber privateers. But that story absolutely pales next to the NASDAQ story. The feds have been trying to figure this out for the past year? Last night in my comment on the WSJ site, I suggested:
If I were head of NASDAQ security, I'd put a bounty on the culprits. And law enforcement should give the cyber privateer "bounty hunters" a get-out-of-jail-free card.
One reader, Frank Blank, replied, "That's actually a good idea." And William Clark asked, "Curious about how that would work. Would the NASDAQ release log data to a group of qualified bounty hunters and then let them go to work?" I answered his question with a link to my Cyber Privateer Code and then said:
They would get the logs and then be released for the job by a "bonding authority" and authorized by a Letter of Marque & Reprisal authorized by Article 1 Section 8 of the US Constitution. Gotta' be done right & legally.
I then shared with him my blog on the legal precedents for cyber privateering.

NET-NET: WE DON'T NEED BIGGER BUDGETS FOR MORE FEDERAL SLEUTHS; WE NEED TO SIC THE DOGS OF HELL ON CYBER CRIMINALS! A few reader comments on the article correctly "grokked" that our government will use this as a rallying cry for more tax dollars to throw at the problem. At the risk of harping on the obvious, the feds can't begin to address the problem. Never could. Never will. I think I built my case in yesterday's posting. You know my solution. With all its warts, risks and flaws, I've not heard a better approach than licensed and bonded cyber privateers. Not only will it not cost the government a cent, but my cyber privateering concept could generate billions in confiscated funds for the US Treasury.

There seems to be some real resistance to going after the bad guys' bank accounts (see my October 25th post). The profoundly misguided logic is that we shouldn't do that because this is OUR greatest vulnerability. Alas, that train has already left the station. Furthermore, NASDAQ needs to quickly get in front of this and forcefully reestablish confidence in our financial institutions. For a short time, I served on the board of directors of a public company as chairman of their audit committee. To John D. Markese, chairman of the NASDAQ OMX Group, Inc. board of directors audit committee (and who is also on the executive committee and the governance committee of the board), I suggest you had better get cracking. Because no Directors and Officers (D&O) insurance policy can possibly cover you for the potential class action liabilities from irate investors in our public markets. And you absolutely know your board is going to be under tremendous pressure to underestimate your liability exposure. Sir, your liability is…well…astronomical. I'd be surprised if your auditors don't run for cover on this one. Specifically, I suggest:

  1. NASDAQ must be totally forthright about the extent of the penetration. NOT to do so could be a criminal offense. Today's follow-up WSJ story talked about unidentified "malware" files. If you know it's malware, then you'd better disclose exactly what the malware did, with whom it communicated, and its complete activity history from time of installation.
  2. NASDAQ should immediately announce a $20 million bounty on the head(s) of the attackers, payable to pre-approved cyber privateers.
  3. If a rogue government (such as China) is found to be responsible, then it will be the job of the cyber privateers to loot the assets of that rogue government wherever they may be found, and then
  4. The cyber privateers should take that rogue government and its citizens off the Web until POTUS decides they have learned their lesson and gets an appropriate treaty ratified by the Senate.
  5. NASDAQ will indemnify the cyber privateer(s) against all civil and criminal consequences, and if the US Attorney General balks at the legality, then he should be replaced by someone who will go to Congress and get the necessary legal waivers.
Does this sound draconian? Mr. Markese, it's your skin at stake here. Our financial institutions are indeed our greatest vulnerability. Unless you consider this "nuclear option" seriously, the end of the financial world could beat that Mayan 2012 doomsday calendar by a good year.


Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?