Mission Critical

PricewaterhouseCoopers Keywords Magazine Vol. 9

Data driven

Two PwC alumni explain how Big Data is making the leap from the intelligence community to the private sector.

Jim Reagan
Data analytics have almost countless uses, but aren’t useful to a customer unless you marry the data with the right application.
Big Data—with a capital B—involves sifting through terabytes upon petabytes of information to draw connections, identify patterns and find meaningful analysis. From academia to the tech sector, it’s being hailed as a game-changer, with potential to revolutionize healthcare, spot business trends, stay one step ahead of criminals and combatants, and even change the way we record and view world history. But how?
To find out, Keyword recently spoke with Jim Reagan, senior vice president and CFO of The SI Organization, Inc., and Drew Perez, Intelligence Solutions at HIGHFLEET—two PwC alumni who are navigating a world of data that few dive deep enough to explore.
“It’s difficult to imagine, or even put a limit on, the importance of Big Data, whether it’s in defense or public services or the private sector,” says Reagan. “Twenty years from now, we’ll look back and realize we’re doing things we never could have imagined, thanks to having more available data and more ways to put it to work.”
Big Data is hardly a new concept. Ever since the first satellites, radar sensors, mobile devices and recording instruments started collecting and transmitting information, people have recognized the value of voluminous data. But they’ve also struggled to figure out how to use it. “The challenge is not one of gathering data, which happens continuously,” says Perez. “The problem is understanding what it means.”
For the intelligence community, finding such clarity can make all the difference. In the world of counterterrorism, make-or-break decisions involve national security, so the more complete the view of the information, the better. Big Data analysis helps agencies dealing with classified information forecast and deploy resources, as well as make tactical and strategic decisions. Perez points to the OODA Loop decision-making cycle (Observe, Orient, Decide and Act), a staple framework of intelligence created by Korean War fighter pilot Colonel John Boyd and taught everywhere from the War College to noncommissioned officer courses. Those who move through the cycle quicker, observing and reacting to events more rapidly than their competition, eventually “get inside” the opponent’s decision cycle to gain an edge.
“You live in their future,” Perez says. “You’re deciding and acting and operationalizing your decisions as they’re just orienting themselves and observing the environment—and you have a significant strategic and tactical advantage.”
Homing in on the most relevant information right away makes that edge possible. So how do you shave off seconds and potentially pile on an advantage? By understanding the meaning behind data that’s coming at you from all angles—and fast. The same logic applies in the private sector, where methodologies to make sense of overwhelming amounts of available information are still in the early stages. “There’s an untapped market for the use of Big Data,” Reagan says. “We’ve been helping government clients manage Big Data for years. Now, we’re eager to make it more available.”

Applications abound

Jim Reagan has been finding meaning in numbers since his early career as a staff auditor with Coopers & Lybrand in the 1980s. He moved along the audit path, primarily working in the real estate and government contracting sectors in Washington, D.C., where he was on the first audit team to ever comb through the Smithsonian’s financial books. “That was very cool,” he says. “It involved reconstructing a lot of very, very old financial records since they’d never been audited before.” Lessons in teamwork at the core of entry-level audit positions in public accounting firms—along with an education in real estate development and the government services sector—prepared him well for his early career posts.
Reagan went on to become CFO of PAE, Inc., which works to support the Defense and State Departments in Afghanistan, Iraq and Central Africa. Drawn by a connection to PAE’s mission to provide logistical support for peacekeeping and global security worldwide, Reagan helped refinance the company’s debt while developing cost structures to succeed in the ultra-competitive world of government contracting.
Now as the CFO at The SI Organization, Inc., Reagan is helping to diversify the company’s business to appeal to state and local governments, as well as private-sector customers. With potential belt-tightening looming, the SI is looking to Big Data analytics around geospatial data—the kind streaming in from commercial and government satellites, high-flying aircraft, radar and sensors that inform things like GPS devices, weather forecasts, commercial shipping routes, crop forecasts and tax assessments. As the data is cleared for release into the private sector, applications abound. “Data analytics have almost countless uses,” Reagan says. “But it’s not useful to a customer unless you marry the data with the right application.”
The SI hosts and brokers huge databases of geospatial information that both federal and local governments can repackage and make available to third-party providers. Their muscle memory built upon more than 40 years of supporting classified customers is strong, Reagan says. And now the SI is looking to leverage that know-how to build bridges between private-sector data owners, application providers and their customers. “We’re a data-driven company—that’s our legacy, it’s who we are,” Reagan says. “Data is behind every decision we make.”
Currently, the SI is working on applications that help governments at every level organize and cull data for value-added uses in the private sector, particularly in healthcare. Data analytics and capabilities enable more proactive forecasting, prevention and detection of Medicare and Medicaid fraud. Healthcare providers are also seeking to develop ways to better use electronic health records to diagnose patients, research disease and allow patients to play a more active role in their care.
“It’s everything from seeing someone’s symptoms at the doctor’s office to making sure the patient gets the right treatment so they don’t end up in the emergency room the next week,” Reagan says.
As anyone who’s filled out forms in a waiting room can attest, there’s plenty of data to be collected. But information is not intelligence—far from it. The whole nature of intelligence is supporting critical decisionmaking; information, however much, is just one small piece of the puzzle.

Plunging into the Deep Web

A former intelligence officer, Perez trained special forces in tradecraft—“your classic spy stuff,” he quips. From 2000 to 2002, he was a senior enterprise architect at Diamond Management and Technology Consultants, which joined with PwC in 2010. Perez spent most of his time with Diamond in Europe, focused on strategic technology transfer agreements. His work there helped him develop and refine skills within enterprise architectures, particularly when his experience forced him to simultaneously adopt corporate and national cultures.
Perez began his private-sector career by co-founding the Lockheed Martin Center for Security Analysis, where he helped create training programs for intelligence analysis and software used by the CIA, NSA and Defense Intelligence Agency. At the request of the Department of Homeland Security, he developed a declassified version of the program for a range of private- sector clients. “Pick any vertical, and you find a problem with too much data in too many places,” Perez says. “The core issue remains sense-making.”
One key technology is accessing Deep Web data—the kind that search engines and web crawlers don’t find— to create applications that efficiently convert disparate, disorganized data into structured, searchable formats. These applications understand foreign languages, apply link analysis to recognize relationships and use analytics to visualize the data. They’re all tools that matured in the counterterrorism effort but have yet to be taken advantage of in the private sector, and their capabilities provide a distinct competitive advantage for businesses. The ability to monitor and almost instantaneously make decisions on markets and customer behavior or to assess strategic position related to the competition, targeted demographic or market, Perez says, is key.
This is why Perez often gets the same set of questions from potential clients once they learn about his capabilities. “They ask, ‘How come we’ve never heard of this before?’ or ‘Why is it you guys know how to do it better than we do?’” Perez says. “Well, because I did work that used to be classified, that’s why.”
In counterinsurgency, support from the local populace is the cornerstone of success. To help win over “hearts and minds,” intelligence focuses on people’s past and potential behavior, along with the patterns that decision- makers hope to both understand and eventually influence. Similarly, in business, the support of the market provides the cornerstone to profitability. Applying time-tested methodologies and related technology to identify behavior patterns for markets, Perez says, can lead to an enormous advantage.
Drew Perez
Pick any vertical, and you find a problem with too much data in too many places. The core issue remains sense-making.
“It’s a no-brainer when you’re dealing with the intelligence community, because they’ve been doing this for decades,” Perez says. “In the private sector, it’s a significant investment—and you’ve got to articulate and justify return on investment.”
For Perez, there’s no better way to do that than to provide a real-world example of Big Data’s power. Case in point: A pharmaceutical client turned to Perez to leverage the counterterrorism tools he’d developed to identify counterfeiters. Perez architected and implemented a solution to monitor, in near real time, worldwide e-commerce activity connected to the pharmaceutical company’s product and figure out the probability that it may involve fraud. It took two weeks to set up the software, designed to troll well below the headwaters of the Internet indexed by search engines and web crawlers and to make sense of it all. Once they flipped the switch, a collection of data that might have taken the company months to compile took just hours to capture.
“By the seventh hour, we had saturation,” Perez says. “We were monitoring the whole planet. Anytime somebody engaged in any kind of transaction that mentioned that company’s products and violated the rules on pricing, I knew.” The capability is meaningful given what can be gained with the ability to monitor comparative product performance and market behavior in real time.

Big rewards, big challenges

Reagan says some clients come to the SI with an understanding of Big Data’s potential, and some don’t. One thing they do know is that the investment in infrastructure for data storage space and bandwidth can be huge. “Some of these agencies have terabytes of data, and for them, it’s a storage headache and a cost,” he says. “We can help show them how they can manage data more effectively and how they can get some return on the investment by making the data available for resale.”
Perez says ROI will become more tangible as better solutions are developed to link data in disparate locales: It’s not a question of whether or not we can get data; it’s a matter of knowing where the right data is. The information that decision-makers need may already exist internally within a company’s data stores, but individual files can still be literally all over the map.
“It could be sitting on a SharePoint file in Dubai, and that little piece of information has to be associated with a large data warehouse that’s sitting in Buenos Aires,” Perez says, noting that intelligence analysts simply don’t have the time or resources to go through all the data. But Perez says moving data to the same location is not the answer in this day and age. Technology exists that connects information seemingly far out of reach. “You don’t have to physically touch a data point,” Perez says. “You can associate it through depth of logic.”
Of course, storing, managing and capitalizing on the seemingly unlimited potential of data all come with the challenge of protecting it. According to PwC’s 2013 Global State of Information Security Survey, many organizations fail to perform thorough assessments of factors that contribute to breach-related financial losses. In fact, just over 25% of respondents considered damage to brand and reputation when estimating the full impact of a breach, while the same survey found 61% of respondents would stop using a company’s products or services after a breach.
From advanced persistent threats linked to foreign governments to insider threats made by disgruntled or corrupted employees, economic espionage is a growing concern. The White House has responded by issuing an executive order calling for the creation of a framework to reduce risk to critical infrastructure and ease sharing of threat information with the private sector. But individual organizations must find their own balance: Strong “need-to-know” control mechanisms must be enforced yet somehow tempered to allow collaboration. In PwC’s survey, more than 80% of respondents said protecting customer and employee data is important. Still, the percentage of respondents who reported an accurate inventory of employee and customer data remains below 40%.
To address gaps like these, the SI provides customers with technical advice and consulting around protecting national assets from the threat of cyberattack. Large corporations, banks and power companies may be dealing with thousands of attempted attacks per day, and Reagan says the SI is equipped to weather the storm. The company employs a Threat Operations Center (TOC) in Laurel, Maryland, to monitor its financial accounting system, human resource management system, payroll and internal email. It also has a separate TOC that’s focused on its customers’ needs, constantly monitoring, detecting and fending off cyberattacks from the outside. “All of our systems that have touch points to the Internet are protected,” says Reagan, who notes the SI customers’ data is kept on closed systems.
“In our work we’ve found significant evidence of Theft of Trade Secrets (ToTS) in our monitoring efforts. If sensitive material is not categorized and properly labeled based on the impact of unauthorized disclosure or dissemination—and personnel are not trained in the culture of information security—then it is very difficult to protect sensitive information and intellectual property,” Perez says.
The concerns are real, and new regulations to protect privacy and address issues of consent, collection, use and misuse of data are sure to come. As more data becomes available for more applications, challenges will undoubtedly continue to present themselves. But Reagan and Perez agree: Big Data’s power can’t be underestimated. In defense and intelligence, it’s proved to be an indispensable tool. Now in the private sector, Big Data has the potential to be nothing less than transformational. “Once you turn this stuff on and implement it,” Perez says, “you rule the market.”

Related:  http://www.cio.com/article/2683969/leadership-management/the-cio-as-vc.html

A Cheap Spying Tool With a High Creepy Factor

AUGUST 2, 2013, 4:58 PM
Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?
Mr. O’Connor, 27, bought some plastic boxes and stuffed them with a $25, credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters. He connected each of those boxes to a command and control system, and he built a data visualization system to monitor what the sensors picked up: all the wireless traffic emitted by every nearby wireless device, including smartphones.
Each box cost $57. He produced 10 of them, and then he turned them on – to spy on himself. He could pick up the Web sites he browsed when he connected to a public Wi-Fi – say at a cafe – and he scooped up the unique identifier connected to his phone and iPad. Gobs of information traveled over the Internet in the clear, meaning they were entirely unencrypted and simple to scoop up.
Even when he didn’t connect to a Wi-Fi network, his sensors could track his location through Wi-Fi “pings.” His iPhone pinged the iMessage server to check for new messages. When he logged on to an unsecured Wi-Fi, it revealed what operating system he was using on what kind of device, and whether he was using Dropbox or went on a dating site or browsed for shoes on an e-commerce site. One site might leak his e-mail address, another his photo.
“Actually it’s not hard,” he concluded. “It’s terrifyingly easy.”
Also creepy – which is why he called his contraption “creepyDOL.”
“It could be used for anything depending on how creepy you want to be,” he said.
You could spy on your ex-lover, by placing the sensor boxes near the places the person frequents, or your teenage child, or the residents of a particular neighborhood. You could keep tabs on people who gather at a certain house of worship or take part in a protest demonstration in a town square. Their phones and tablets, Mr. O’Connor argued, would surely leak some information about them – and certainly if they then connected to an unsecured Wi-Fi. The boxes are small enough to be tucked under a cafe table or dropped from a hobby drone. They can be scattered around a city and go unnoticed.
Mr. O’Connor says he did none of that – and for a reason. In addition to being a security researcher and founder of a consulting firm called Malice Afterthought, he is also a law student at the University of Wisconsin at Madison. He says he stuck to snooping on himself – and did not, deliberately, seek to scoop up anyone else’s data – because of a federal law called the Computer Fraud and Abuse Act.
Some of his fellow security researchers have been prosecuted under that law. One of them, Andrew Auernheimer, whose hacker alias is Weev, was sentenced to 41 months in prison for exploiting a security hole in the computer system of AT&T, which made e-mail addresses accessible for over 100,000 iPad owners; Mr. Aurnheimer is appealing the case.
“I haven’t done a full deployment of this because the United States government has made a practice of prosecuting security researchers,” he contends. “Everyone is terrified.”
He is presenting his findings at two security conferences in Las Vegas this week, including at a session for young people. It is a window into how cheap and easy it is to erect a surveillance apparatus.
“It eliminates the idea of ‘blending into a crowd,’” is how he put it. “If you have a wireless device (phone, iPad, etc.), even if you’re not connected to a network, CreepyDOL will see you, track your movements, and report home.”
Can individual consumers guard against such a prospect? Not really, he concluded. Applications leak more information than they should. And those who care about security and use things like VPN have to connect to their tunneling software after connecting to a Wi-Fi hub, meaning that at least for a few seconds, their Web traffic is known to anyone who cares to know, and VPN does nothing to mask your device identifier.
In addition, every Wi-Fi network that your cellphone has connected to in the past is also stored in the device, meaning that as you wander by every other network, you share details of the Wi-Fi networks you’ve connected to in the past. “These are fundamental design flaws in the way pretty much everything works,” he said.