Lights Out For America

One thorn of experience is worth a whole wilderness of warning. - James Russell Lowell

History is a vast early warning system. - Norman Cousins

The NSA revealed recently that the US faces an inevitable “traumatic” cyber attack that will be directed at its key infrastructure.  It should be shocking news except for two things:

1. This is not news – such warnings have existed for years.
2. No one cares.

The reality of our situation and our dependence on technology that is fraught with security holes that can be penetrated by 15 year-olds, let alone rogue states, should be a call to action for us and those who represent us but it isn’t. 

The US is built upon 18 key infrastructures.  17 of them rely on one – electricity.

If (or when) it goes off, everything stops immediately without warning.  Cell phone towers with one day back-up batteries will die, ending communications.  Water supply systems will be unable to provide clean water.  A cash-less system will grind to a halt as people are no longer able to buy fuel, food or water.  Heating and cooling systems, transportation, security, hospitals, policing, fire control, first responder support and the like will also grind to a halt.  People on life support systems will die but in a way that may be a blessing in disguise as they may be spared from the potential chaos and carnage that results as society collapses.

In one scenario, when a country goes dark including its communication systems, aircraft in the air will have difficulty finding a safe place to land, in a land of complete darkness and out of touch with essential ground-based communication and navigation systems.  Tens of thousands of people will die as aircraft run out of fuel as pilots look in vain for a safe place to land.

And in a worst-case scenario, the US will be more vulnerable to a significant attack as it degrades into total chaos within its borders.

Somewhere in between there is the reality that our major cities rely on a just-in-time delivery system with 3-4 days of food, water and fuel on-hand, leaving us 72-96 hours away from anarchy should anything go wrong.  Such a system provides the opportunity to witness the best and worst of humanity simultaneously.

Few of us are prepared for what would ensue in such a scenario.

But this is all just fear mongering

After all, the security and technology compromises that many of us have been warning others of for years is not real.

Well … sort of … except such compromises have already happened repeatedly and will continue to happen as organizations refuse to invest appropriate levels of time, energy and money into solvable problems.

Then there is the lack of information made available to the public.  For example, there was a report made public a couple of years ago outlining how all 144 nuclear power plants in the US were vulnerable to a cyber attack but the report quickly disappeared from the public eye.  Want a copy?  Drop me a note and I will send it to you.

In recent conversations I have had with major utility players in the US, they agree there is a problem.

Do you know what their answer to the issue is?

They don’t have one.  Maybe you should call them and help them out.

Meanwhile if you want to know what you can do to prepare for an event which the NSA deems inevitable, you could start by asking your local government representative and watch one of five things happen.

1. Your request will be met with a blank stare
2. You will be told not to worry about it
3. You will be told someone will get back to you and they never do
4. You will be told that such matters are a national security matter and therefore details cannot be shared with you
5. You will be viewed as a threat for daring to ask the question in the first place.

The difficulty with any of the responses is that you will be unable to prepare your family for what the NSA deems inevitable since you will unable to make appropriate decisions without sufficient information.

Meanwhile, our elected officials go on arguing about pork bills and such that in the grand scheme of things do nothing to serve the people.

But that’s all they can do.  They don’t have an answer to the problem either so it’s better to keep you in the dark …. literally.

I think it’s time we had a real conversation about what matters to us, what faces us and what we can do together to make our world a better and more secure place … while we still have time (something that we may be running out of).

And as you tuck your kids into bed, kiss them good night and turn off the light, imagine what kind of world we are creating for them if the lights never come back on.

Can you protect your children if such an event occurs?

I doubt it.

I think we must do better … now.

What do you think?

In service and servanthood,

Harry

Addendum

While this post is a departure from my strategy, political, fictional or “feel good” musings, myself and many of my colleagues have grown weary of the fact that there are serious realities facing us that must be addressed and can be addressed if we put our attention to it.

Every once in a while, a cranial defibrillator is needed and thus the reason for my post.

Create a great day because merely having one is too passive an experience.

Make a difference.

The world needs your talents, skills, passion and knowledge.

What are you waiting for?

The NSA–Why They May Be Delivering What You Demanded

Those who deny freedom to others deserve it not for themselves. - Abraham Lincoln

They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin

This blog is not a typical blog post but is in fact a paper that I wrote that some asked to see as an example of the material I write outside of public scrutiny.

It is deep, dry and academic.  If you don’t like such things, please come back later.

---

In the months that followed since Edward Snowden released classified documentation where he revealed the breadth and depth of surveillance activities carried out by the National Security Agency (NSA), there has been much debate about whether the NSA has overstepped its bounds morally, ethically and legally. There is great uncertainty about how far the surveillance actually goes, how far it will go in the future and what the impact will be on the personal freedoms of citizens now and in the future. Some have even suggested that such surveillance is the final piece of evidence implying that the theme of lack of individual citizen rights as expressed in novels such as George Orwell’s 1984^[i] are about to be realized.

Whether or not citizens of the United States or other nations are in favor of such surveillance, I posit that neo-institutional theory demonstrates that such surveillance is not only inevitable, but in fact that people inadvertently demand such surveillance or demand it through implication, only to be unhappy when they see what the results of those inadvertent or implied demands are. I also posit that the concept of institutional isomorphism (how an organization forms, develops, spreads, and becomes legitimate) can be clearly applied to the NSA, demonstrating how it may slowly evolve from an institution that people fear, distrust or dislike into an organization that people will willingly submit to in order to protect themselves and their family. I will not be discussing whether such an evolution of the NSA is right or not as such a topic is based largely on perspective.

As context for my discussion, I will be leveraging my 30-year career as a strategy advisor to Wall St., Fortune 25, military and government groups.

In Scott’s Institutional Theory^[ii] and Managing Institutional Environments^[iii], Scott suggests that institutions exert influence in one or more of three different ways:

1. Regulatory influence - constraining behavior through rules and inducements of behavior.

2. Normative influence – guiding behavior through a logic of appropriateness and a sense of duty or an awareness of what one is "supposed" to do.

3. Cognitive influence – guiding behavior as a result of preconceived notions or conceptions.

When the events of 9/11 had taken place and the initial grieving and outrage had passed, citizens of the US demanded that their government protect them from the possibility of similar events in the future. In order to comply with such demands, the US Government recognized that the sweeping powers necessary to accomplish such a task would require:

1. Regulatory influence, passing the laws to enable what the government perceived to be “the right actions” moving forward.

2. Normative influence, explaining through a massive campaign of information or misinformation (depending on the information and perspective) that what the government and the citizens were doing together was “the right way” for the safety of American citizens and their families

3. Cognitive influence, explaining that action not taken today will produce greater risk for the safety of the nation moving forward, making it imperative to take action “right now”.

In essence, the demand of the American people and the response by the US Government, including the NSA, could be summarized as “we need to take the right actions, the right way, right now”. Unfortunately, there was a disconnect between the implied demand and the response to that demand.

One of the greatest challenges that the NSA and other groups recognized early was that while they were satisfying a “demand” from the people, it was possible that the people might quickly discover that the solution was much more heavy-handed than they had anticipated.

It was therefore deemed imperative that the Government find a way to rationalize their efforts in a manner that appeared to be in alignment with the needs of the people and with that, the Government began a process of using rationalized myths to justify their actions.

Rowan and Meyer in Institutional Organizations: Formal Structure As Myth and Ceremony^[iv] described rationalized myths as:

1. Ideas that are rationalized because they are impersonal prescriptions identified with the appropriate means to pursue goals.

2. Ideas that are myths because we accept them on faith, trusting in institutions that we assume represent our best interests.

Therefore, in order to initiate a response to the demands of the people that served the needs of the government, the US Government began a campaign of demonstrating that not only had the US been attacked but it also faced greater danger as a result of:

1. The alleged possession of weapons of mass destruction by nations such as Iraq^[v].

2. The intention of groups like Al Qaeda (and the nations that provided them with safe harbor) to commit further acts of violence. It was noted that such groups, or people sympathetic to their cause, might also be active on US soil^[vi].

While the second item was conceptually accurate in some areas, the first one was not all but the citizens of the US believed their own government. Once both items were generally accepted, it was a rational, logical conclusion to all parties (including citizens) that an invasion of other nations was required and to the US Government, it was a legitimization to begin a larger campaign of domestic and international surveillance.

As Rowan and Meyer suggest in Institutional Organizations: Formal Structure As Myth and Ceremony^[iv], such rationalized myths originated from:

1. The need to deal with ambiguity and uncertainty – to answer the question of “how do we guarantee the security of the nation moving forward, with different solutions perceived as required by the US people and the US government”.

2. Utility – the solutions provided, including new wars and additional surveillance, satisfied everyone’s needs within the “security of the nation” scenario.

3. Diffusion through networks of association – collaborations with other nations were created, thus asserting the “truths” of the actions being taken as different governments agreed on the definitions of the threat and the required response.

Once the US Government initiated their solution, including new wars and additional surveillance, the challenge then became one of sustainability, the notion that events that are consistently expensive financially, politically and in the cost of human lives, would be difficult to sustain over time as citizens began to question the legitimacy of past and future actions.

In order to sustain the mix of truths and rationalized myths that the US Government were promoting, they relied on Scott’s logics of confidence:

1. Avoidance – limiting access to information as requested by citizens by deeming it “classified for reasons of national security” and so information that might weaken the Government’s position or actions was restricted from the American people and information supporting various actions flowed freely and unquestioned.

2. Discretion – information shared for the purposes of carrying out the intentions of the Government were shared only with organizations or nations who were considered to be totally bought into the strategic intentions of the US Government.

3. Integrity – since information disseminated to the people came from sources identified as trustworthy, either through reputation, accreditation or implication, many people assumed that such information must always be true and unquestioned.

So Where Does The NSA Fit Into This Puzzle?

The NSA and other organizations, both predecessors and peer organizations, got their start in the Second World War with the introduction of surveillance of enemy governments and military groups for the sake of obtaining strategic military intelligence. After the war concluded, the mechanisms that had been created continued to be useful, especially in regards to the Cold War adversaries of NATO and the Soviet bloc.

Domestically, surveillance programs such as Echelon were created for the purposes of monitoring domestic criminal activity including but not limited to money laundering and other organized crime activities^[vii]. However, after 9/11 occurred, Echelon and other programs quickly expanded their efforts to include counter-terrorism and eventually morphed into today’s modern surveillance programs.

How did such an evolution take place and how did the NSA become the number one brand known for surveillance?

The evolution of the NSA took place in a process that Scott, Rowan et all describe in their process of isomorphism:

1. Competitive isomorphism – the NSA was just one of many organizations competing for government resources (money and people) but without a cause to justify greater actions, they were one of many groups, lost within the complexity of the many departments that exist within the government. The results of 9/11 suddenly gave them “an edge” over their peer government departments in the struggle for resources and recognition.

2. Institutional isomorphism – the NSA recognized that in order to achieve their intentions, they needed support within Capitol Hill and so they began a campaign of creating internal champions such as former Vice President Dick Cheney, former Secretary of Defense Donald Rumsfeld and other powerful people. This allowed them to promote their agenda, garnering support within the population-at-large and American lawmakers for legislative support.

To accomplish this, the NSA took action in three key ways:

1. Coercive actions – the NSA presented themselves to the people and the Government as the focal point of American security. As domestic and international pressure increased suggesting that the American people were threatened, the NSA was able to position itself as a stalwart protector of the nation. They also used legislation to quiet naysayers who questioned their intentions and actions.

2. Mimetic actions – whenever the NSA was questioned, whether it be by the people or by a legislator, it was able to position itself as being similar to other successful groups, referencing their existence as proof of successfully deterring terrorist efforts^[viii].

3. Normative actions – by citing recognized experts in the areas of civil defence as well as domestic and international security, the NSA was able to set itself up as the “obvious logical choice” coordinator for national security, justifying their intentions and actions in their own minds.

So Why Is the NSA Despised Now?

In the research of Scott, Rowan, Meyer and others, they suggest that there are five ways to manage both the isomorphic institution and the relationship between such an institution and other organizations (in this case, the American public).

1. Acquiescing – conforming to the needs or intentions of others.

2. Compromising – balancing intentions or negotiating them with other groups.

3. Avoiding – hiding from the inspection of others or creating barriers that prevent such inspection.

4. Defying – blatantly defying the intentions and requests of others who attempt to explore their intentions.

5. Manipulating – changing the “rules of the games” by finding support in other powerful people (corporately, politically or diplomatically), promoting messages of validation (in this case, the threat against the people) and through the use of legislation to enforce the items of “avoiding” and “defying”.

In successful partnerships, whether it is within an organization, between organizations or between an organization and the people it serves, success is usually defined as acquiescing (in the short term, not being sustainable in the long term since someone eventually tires of sacrificing ad infinitum) or finding a true win – win by negotiating a balance via the process of compromising.

The American people, in the days immediately following 9/11, assumed incorrectly that their demands of security would be answered by the government in a manner that suggested either acquiescing or compromising. This assumption was perhaps based on the notion that that is how most people tend to live their lives and it forms a fundamental belief in how their relationships, personal, professional or otherwise are lived.

However, in the days and years that followed, the solution for the problem they demanded a solution for was provided by a group of organizations that chose to follow the models of avoidance, defiance and manipulation.

When people deal with other individuals who live by such models, we tend to avoid such people since the ability to create trust is an innate part of the human experience. This need to trust extends beyond person-to-person relationships but extend to defining the relationships between individuals and organizations as well. Much has been written on the importance of trust, including articles such as Grove’s Maslow’s Hierarchy of Needs Method For Trust-Based Relationships^[ix].

When seeds of distrust are planted, an opportunity for tension between participants in a relationship is created. Such distrust can only be nullified through the free exchange of information that, for reasons explained previously, is not permitted when it comes to national security.

The relationship difficulty originated entirely on an assumption – the notion that when someone demands a solution (national security in this case) without identifying the “rules” of the solution, that the solution provided will automatically fit the definition of the person demanding it. In the case of national security, the Government also made an assumption, that they defined the rules by which the solution was provided.

The relationship difficulty is also complicated by the notion that we rely on one of the five relationship maintainers in any relationship (acquiescing, compromising, avoiding, defying or manipulating). Given that the organization that makes the rules (the Government) realized that the first two would not serve their needs, the American people are forced to submit to one or more of the final three, making distrust on both sides inevitable.

The foundation for much of today’s difficulties when it comes to surveillance are contained within these complexities and assumptions that have allowed specific groups to pick and choose their actions at will and for the most part out of sight of the people they claim to serve.

The question of whether conspiracy theory people are right (that groups like the NSA have overstepped their bounds) or that the NSA will ultimately prove to be justified in their actions (creating a verifiable legitimacy within the people) is something that is difficult to answer with our limited access to information.

Moreover, with the continued limited accessibility to information, the answer will probably only be provided by historians who look back upon our past. As to whether such a historical retrospective will be accurate, one should consider the famous words attributed to Winston Churchill when he said, “History is written by the victors.” and this quote from the Yale Book of Quotations^[x] where it was noted, “History is written by the survivors. (Social Forbes, 1931)”.

---

[i] Wikipedia, Nineteen Eighty-Four, Retrieved from URL http://en.wikipedia.org/wiki/Nineteen_Eighty-Four on November 27, 2013

[ii] Scott, Richard., Institutional Theory (pp. 119-120) of Organizations: Rational, Natural and Open Systems, 5th Edition, Prentice-Hall, 2003, Print

[iii] Scott, Richard., Managing Institutional Environment (pp. 213-220) of Organizations: Rational, Natural and Open Systems, 5th Edition, Prentice-Hall, 2003, Print

[iv] J. W. Meyer & B. Rowan, Institutional organizations: formal structure as myth and ceremony, American Journal of Sociology, 83, 1977, 340-63, Print

[v] Wikipedia, Iraq and Weapons of Mass Destruction, Retrieved from URL http://en.wikipedia.org/wiki/Iraq_and_weapons_of_mass_destruction on November 23, 2013

[vi] Huffington Post, Janet Napolitano: Domestic Terrorism is Top Concern, Retrieved from URL http://www.huffingtonpost.com/2010/02/21/janet-napolitano-domestic-terrorism_n_470915.html on November 22, 2013

[vii] Webb, D.C., Echelon and the NSA, Leeds Metropolitan University, UK, 2008, Print

[viii] CNN, NSA Chief: Snooping is crucial to fighting terrorist, Retrieved from URL http://www.cnn.com/2013/07/31/tech/web/nsa-alexander-black-hat/ on November 30, 2013

[ix] Grove, Heidi, Maslow’s Hierarchy Of Needs Method for Trust-Based Relationship Building, Regis University CPS Blog, Retrieved from URL http://cps.regis.edu/blog/maslows-hierarchy-of-needs-method-for-trust-based-relationship-building/ on November 28, 2013 [Editor note: Link has been removed since original paper was published]

[x] Shapiro, Fred R., The Yale Book of Quotations, Yale University Press, 2006, Print

You Have To Trust Someone …. Right?

Let every eye negotiate for itself and trust no agent. - William Shakespeare

The #1206 “fiction” series continues …….

The President rubbed his eyes in the early morning hours as he shuffled in slipper-clad feet down the halls of the White House.  It was early on a Saturday morning and most of his staff had not yet arrived, with Secret Service being his only company this morning.

As he acknowledged the “Good morning, Mr. President” comments from the people he passed, he found himself looking forward to a reasonably quiet day, as quiet as any that the President could imagine anyway.

Stepping into the Oval Office, he noticed his morning briefing notes on his desk.  He sat in his chair and sighed.  “Always more paperwork”, he thought.

As he thumbed through the file, there was an urgent request from one Senator in particular, a Senator who had been a particular pain in his butt for some time. 

As his eyes skimmed over the latest rant from the Senator, his mind thought back over the last couple of years to the many antagonistic exchanges with this Senator.

There was the time when the government had established a connection between electronics, the heavy metals in them and cancer.  It was a proven fact and passing laws limiting electronics manufacturing had been a no-brainer.

The Senator protested vehemently to no avail.

The fact that this law targeted private storage medium such as hard drives, thumb drives and the like was purely coincidence but the Senator whipped up the conspiracy people  with an intention to block such the law.

He failed.

Passing laws requiring the mandatory returning and recycling of this technology had been a hassle as well but made easier using the contact information gathered in the healthcare legislation.

The Senator had yelled and screamed about this also but no one listened.

Giving citizens time to migrate all of their locally stored information to the cloud was also a nuisance but the pain was compensated for by the tens of thousands of jobs that had been created to help people with their data migration.

The Senator screamed much less regarding this when large contracts were awarded in his state.  “Everybody has their price”, thought the President.

In fact, the NSA, the EPA, social media companies, private industry and other groups collaborated in ways he had never seen before in order to get everything done as quickly as possible, with the NSA doing an outstanding job quarterbacking the entire effort.

“Maybe we’re finally learning to work together”, he thought.  “There is hope for us after all”.

The President returned his attention to the Senator’s note and his latest conspiracy-laden rant that with the capture of 99.9% of all privately owned data storage, the American people were putting their trust into agencies that were not to be trusted, either because of their own intentions or their inability to protect the people from the intentions of others.  The Senator also claimed to hear of rumblings of a concern that he needed to speak to the President about immediately and in private.

The President tossed the note onto his desk and leaned back in his chair.

“This is ridiculous”, he thought, “If the President of the United States can trust his information to the cloud, then surely the average American citizen can.”

Feeling agitated, he turned towards his tablet to fire off a note to his Press Secretary to address this matter once and for all.

As his tablet awoke from sleep mode, the President stared at the message displayed on the screen:

Unable to connect to the cloud. Please contact customer support.

Sighing in frustration, he pulled out his cellphone to call his exec for help.  Pressing the contacts button on his cellphone to find the right number, he was surprised to see a message appear on his cellphone screen:

Error: Unable to connect to provider.

Suddenly there was a knock at the door and an urgent voice calling for the President’s attention.

To be continued.

-----------------------

© 2013 – Harry Tucker – All Rights Reserved

Addendum:

This series, a departure from my usual musings,  is inspired as a result of conversations with former senior advisors to multiple Presidents of the United States, senior officers in the US Military and other interesting folks.

While this musing is just “fiction” and a departure from my musings on technology, strategy, politics and society, as a strategy guy, I do everything for a reason and with a measurable outcome in mind. :-)

This “fictional” musing is continued from ……

National Security–Arming Both Sides – October 30, 2013

Be Careful What You Wish For – October 27, 2013

When Avoidance Produces The Unavoidable – September 26, 2013

By Way of Deception, Thou Shalt Do War – August 30, 2013

Serving Two Masters – August 22, 2013

Growing the Rot From Within – August 6, 2013

The Coming Storm – June 8, 2013

The Master of Distraction – May 15, 2013

Living on the Edge – How Close Do You Dare? - March 29, 2013

Preventing A Disaster – Or Preparing To Survive One - November 29, 2012)

Divide and Conquer - August 5, 2012

Financial Crisis – March 11, 2008

There is benefit to reading those first (oldest to newest) but it is not required.

The Downfall of the NSA

A guest post by Gwynne Dyer, author, historian and independent journalist.  Shared with written permission of the author.

Gwynne Dyer
32 Lyme Street
London NW1 0EE
England
26 October 2013

Politicians and government officials rarely tell outright lies; the cost of being caught out in a lie is too high. Instead, they make carefully worded statements that seem to address the issue, but avoid the truth. Like, for example, Caitlin Hayden, the White House spokesperson who replied on 24 October to German Chancellor Angela Merkel’s angry protest at the tapping of her mobile phone by the US National Security Agency.

“The United States is not monitoring and will not monitor the communications of Chancellor Merkel,” she said. Yes, Caitlin, but has the US been listening to Merkel’s mobile phone calls from 2002 until the day before yesterday? “Beyond that, I’m not in a position to comment publicly on every specific alleged intelligence activity.”

By 27 October, the argument had moved on. The question now was: did President Barack Obama know the Chancellor’s phone was bugged? (The German tabloid Bild am Sonntag reported that General Keith Alexander, head of the NSA, told Obama about it in 2010. Obama allegedly said that the surveillance should continue, as “he did not trust her.”)

Now it was the turn of the NSA spokesperson, Vanee Vines, to deny the truth. “(General) Alexander did not discuss with President Obama in 2010 an alleged foreign intelligence operation involving German Chancellor Merkel, nor has he ever discussed alleged operations involving Chancellor Merkel,” she said. But she carefully avoided saying that Obama had not been told at all.

The ridiculous thing about these meticulously crafted pseudo-denials is that they leave a truth-shaped hole for everyone to see. Of course the United States has been listening to Angela Merkel’s phone calls since 2002, and of course Obama knew about it. It would have been quite easy to deny those facts if they were not true.

The NSA is completely out of control. Its German outpost was brazenly located on the fourth floor of the US embassy in Berlin, and leaked documents published by Der Spiegel say that the NSA maintains similar operations in 80 other US embassies and consulates around the world.

The Guardian, also relying on documents provided by whistle-blower Edward Snowden, reported recently that a total of 35 national leaders have been targeted by the NSA. We know that the German, Brazilian and Mexican leaders were bugged, but it’s almost certain that the leaders of France, Spain and Italy, Egypt, Israel and Saudi Arabia, and Japan, India and Indonesia were also targeted. Not to mention Russia and China.

The only one of the NSA’s high-level victims to speak out yet, apart from Angela Merkel, is President Dilma Roussef of Brazil. Last month she told the UN General Assembly: “Personal data of (Brazilian) citizens was intercepted indiscriminately. Corporate information – often of high economic and even strategic value – was at the centre of espionage activity....The office of the president itself had its communications intercepted.”

“Friendly governments and societies that seek to build a true strategic partnership... cannot allow recurring illegal actions to take place as if they were normal,” Roussef concluded. “They are unacceptable.” And you wonder how the brilliant, power-drunk fools at the NSA could possibly have believed they could get away with this kind of behaviour indefinitely.

The 4.9 million (!) Americans with access to classified information include 480,000 civilian contractors with the same “top secret” security clearance as Snowden. Even if all the military and public servants could be trusted to keep the NSA’s guilty secret forever (unlikely) and only one in a hundred of the contractors was outraged by it, then there were still 4,800 potential whistle-blowers waiting to blow. If Snowden hadn’t, somebody else would have.

When the astounding scale and scope of the agency’s operations finally came out, it was bound to create intense pressure on Washington to rein in the NSA. The agency can deflect the domestic pressure, to some extent, by insisting that it’s all being done to keep Americans safe from terrorism, but it can’t persuade the president of South Korea or the prime minister of Bangladesh that she was being bugged because she was a terrorist suspect.

The NSA’s worst abuse has been its violation of the privacy of hundreds of millions of private citizens at home and abroad, but it’s the pressure from furious foreign leaders that will finally force the US government to act. “Trust in our ally the USA has been shattered,” said German Interior Minister Hans-Peter Friedrich on Sunday. “If the Americans have tapped mobile phones in Germany, then they have broken German law on German soil.”

This will end up in the German courts, and probably in those of many other countries as well (and Snowden may well end up being granted asylum in Germany). To rebuild its relations with its key allies, the White House is going to have to radically curb the NSA’s powers. Good.

We don’t have to listen to the spooks and their allies telling us that since the new communications technologies make total surveillance possible, it is therefore inevitable. “If it can be done, it will be done” is a counsel of despair. Most of the NSA’s ever-expanding activities over the past ten years have served no legitimate purpose, and it’s high time that it was forced to obey both the letter and the spirit of the law.

----------------------------

Gwynne Dyer is an independent journalist whose articles are published in 45 countries.

NSA Leaks: Balancing Justice and Indignation

Observing the actions of Edward Snowden in regards to the NSA leaks, I can see why he did what he did but I have to disagree totally with his approach.

Let me explain.

Back in the early 2000’s, I was traveling through one of North America’s top 10 busiest airports and I happened to notice an event that really disturbed me.  Now in fairness to the people I was observing, one of the curses of being a long-time strategy advisor to Wall St. and Fortune 25 organizations is that you are always analyzing everything around you, even when you know you should be relaxing or minding your own business.

As I observed the security personnel in action, I realized that I had just witnessed a way to get an explosive, a gun or some other unwelcome device past airport security.

With a great amount of concern, I dutifully wrote an email to the federal authorities, explaining my credentials including in large-scale security architecture on Wall St., outlining what I witnessed, expressing my concerns about the potential that could be created and so on.

Some time later, I received a very polite but formal dismissal in response, basically suggesting that they were the experts in airport security, I was not and closing with a “thanks for writing anyway” type of closing comment.

In the fall of 2012, I happened to be traveling through the same airport and at the same security gate, I noticed that the same security hole was present. (Don’t bother asking me about it – I will not respond to queries asking what the security concern is.)  I mentioned this scenario to a Chief Security Officer of a major airline and he acknowledged that my concern was legitimate.

Now if I wanted to get all indignant about how no one was paying attention, how people were at risk and such, I could have easily gone to the press and blown the story wide open.

And in the meantime, as the great wheels of bureaucracy churned away, mulling over what to do to address the issue, my righteous indignation would have enabled less-than-desirable individuals or organizations to initiate an action that my righteous indignation was trying to prevent.

So … in this example, it would be open for debate whether a detailed public disclosure would help or hinder efforts to enhance airline security.

Hero or villain status would not be determined by that action but by subsequent actions that took place.

Fast forwarding to today …..

As far as Mr. Snowden is concerned, I agree that the US Federal Government’s surveillance and cyber defense (and attack) programs may seem to be a little over-reaching.  I recently mused about the trouble that these programs could create in my blog entry “The Coming Storm”.

However, for the many people suddenly waking up and fearing surveillance, the development of such programs goes back to the 1960’s and earlier, including programs such as Echelon and others.  To suddenly be startled by such technology is to not be paying attention to what one’s own elected officials have been doing for the past 50 years.

Recognizing that we get the government we deserve can be a difficult pill for many to swallow.

With the long-time existence of such programs, we have to face some basic realities:

1. We can have total freedom from surveillance or we can have total personal security.  We can’t have both without compromise on both sides of the equation and given that many people prefer security over privacy, the use of such technology is inevitable.  Whether or not the use of such technology should be limited requires a detailed analysis of what motivates human beings.

2. Most people who fear such surveillance, if in the same position as the leaders of today and offered the use of technology to do their job, would use it.

3. As long as human beings are involved in the equation of privacy versus security, we will always have the concern of the weakest link, whether it is the occasional person using the information for personal gain, someone selling it to a foreign power or some other compromise of the information being gathered.  Having experienced identity theft multiple times at the hands of bank employees, I still have no choice but to use banks in my day-to-day affairs or withdraw from the world’s financial systems.

4. Any government will take action to protect what it perceives to be its national interests, no matter how legitimate others perceive those interests to be.  Those of us who have signed security clearance covenants know exactly what actions will be taken against us should we violate such covenants.

5. People who exhibit rabid, fanatical stands against such surveillance programs actually expedite the implementation of them.  Take a look at Alex Jones, well known conspiracy guy, and his interview on the BBC last weekend for an example.  If you were responsible for national security, outbursts like this would make you nervous also.

Mr. Snowden’s actions, while understandable from a righteous indignation standpoint, are in defiance of these basic realities.  On the other hand, his actions are a warning to NSA and other groups to tighten up control over access to delicate information (Mr. Snowden had access to a lot of information despite his relatively short time in the intelligence community).  Imagine if his righteous indignation had caused him to sell information over the course of many years instead of releasing it to the press in a big explosion.

As far as the damage potential of his actions is concerned, the amount of damage done will depend on perspective and the events that follow the initial event.

The bottom line

For Mr. Snowden to go public with his info may have seemed like a good idea at first but it does undermine national security and potentially enables enemies of the state to adjust their execution in a manner that circumvents national security programs.

And when (not if) that happens, while one may think one is a hero, one may be inadvertently enabling someone who in the future will compromise the personal safety and security of many people … including people important to you.

Should such an event occur and someone who matters to you is threatened as a result, would you still consider the original person who acted with such indignation a hero or a villain?

Perspective is a powerful force, isn’t it?

When an information compromise or a terrorist act occurs in the future, we will be reminded once again that no matter what approach we take, we will always be faced with the notion of the weakest link – that human frailties will always be present no matter how much we wished they weren’t.

As for the people who are against surveillance, that horse has long since bolted out of the barn.  Surveillance is here to stay and the more people strive to rid the world of it, the more pervasive (and possibly covert) it will become, if for no other reason than out of fear of the people who oppose it.

Do you prefer safety for your family or freedom for them?

The answer is not an either/or - we can have both but to have both will require compromise.

And it will always come with risk.

No other scenario is possible if safety AND freedom are desired and human beings are involved in the mix. 

To expect anything else is to assume that human beings are far more perfect than they are and to assume that such complex, flawed beings can create simple, perfect solutions.

In service and servanthood,

Harry

So How Secure Are We Anyway?

I was in the process of completing my annual report on security vulnerabilities yesterday when the news reported that an explosion in a communication hub in downtown Calgary had compromised landline and 911 service for 30,000 Shaw customers, including some municipal and provincial services.

As I write this this morning, service is almost completely restored.

No biggy …. they only lost service for 12 hours or so, right?

Well, maybe …. but where was the redundancy that should have prevented the failure from impacting those affected?

Here was the cause for the failure:

The system-wide outage was caused when a transformer exploded in an electrical room at Shaw Communications’ downtown headquarters Wednesday afternoon. Although the backup system was activated, when the sprinklers came on, they were also taken out.

I guess they didn’t think of or couldn’t afford a non-water-based fire suppression system, typical for rooms containing mission-critical computer or communication equipment nor did anyone consider the impact of a total site loss, given that they kept the backup system in the same building as the primary system.

Then I think about the time I was in Newfoundland when a fire in a communication hub took out land lines, cell phones, Internet and all forms of communication (thus knocking out any use of debit / credit cards).  The outage was only hours in duration but while the event was in progress, spokespersons for Aliant (the communication company that owned the building) were saying they had no idea when the outage would be corrected, creating extra concern at the time.

Was there redundancy of technology in this situation to protect consumers against a catastrophic failure?

Yes, according to Aliant.  They had full redundancy of all systems.  Unfortunately, the primary and backup systems were in the same building and shared a common power supply.

Where did the failure occur?

You guessed it – the power supply.

So much for redundancy in either of these events.

Ironically, the Aliant redundancy mistake, which occurred six years ago, was studied by information and communication providers across Canada to make sure no one repeated the same mistakes in the future.

Ooops.

When the World Trade Center came down, some of the major communication providers had been using it as a communication hub.  After all, they figured, what are the odds that we could lose the entire site?

Sadly, we know the answer and communication in the NYC area was compromised as a result of the WTC collapse and an excessive number of people using the system in the hours of terror that followed.

When we build communications systems such as these, we strive to strike a balance between need and cost, factoring in the probability of various external factors and events.  We don’t build systems that can handle everyone and everything because, as we like to think, what is the likelihood of a worst case scenario occurring.

As we proved in NYC on 9/11, the likelihood is low but when we need it, the importance of having systems that can handle emergencies is critical.

But alas, I digress ….. on to my originally intended subject.

My Security Report

As part of what I do as a strategy advisor and global technology architect, I provide services to some clients in the areas of assessing security vulnerabilities.

Specifically, how secure are various client’s IT infrastructures, what can be done to enhance their security and should a compromise occur, how quickly can the compromise be neutralized while minimizing the impact of the compromise?

The contents of my report, which will be distributed to specific organizations, shows a number of interesting slices of society that are vulnerable to attack.

The list includes, but is not limited to:

- Specific large-scale banks and credit card providers

- Specific health-care providers

- Specific municipal, state and provincial governments

- Specific airlines

- Specific energy generation / distribution groups

- Specific infrastructure organizations, including some that govern water distribution and public transit

- A specific Roman Catholic Archdiocese that has been rocked by pedophile priest prosecution in the past and is alleged to be hiding a list of known pedophile priests (unknown to the public) who are still active priests

- Other large corporations in manufacturing and retail

- Other entities whose “commercial” nature I am not allowed to mention here.

The vulnerabilities range in nature and scale but the bottom line is this.

There is still way too much vulnerability in our infrastructure, whether it be in our communication infrastructure, in the security and privacy of our data and in national security overall.

Why Is This Happening?

Some folks do the best they can with the limited funding they are given by their leadership - leadership that downplays the risks of not having a thorough solution or who don’t understand the impact to their organization, public or private, and the people they serve should a compromise occur.

Some organizations, governed by greed, pour their efforts into maximizing return, assuming that creating secure, redundant  architecture is just a money-wasting venture that impacts their bottom line unnecessarily.

Some organizations create solutions so complex that obvious vulnerabilities slip by them and they watch in dismay as the seemingly ultimate in technology falls to simple attempts to compromise them.

Some organizations have a lack of knowledge about the threats they face and what is needed to neutralize the threat.  I saw with amusement (and concern) last year when a national retailer placed a classified ad looking for someone to take charge of the design and implementation of a security solution for their entire corporation.

Why was I concerned?  The minimum requirement for the position was a high school diploma.  No other experience, education or security solution background was required.  I guess they will learn on the job.

All of this being said, I still believe that ego and an excessive amount of hubris is responsible for most of the problems we face today.

Beliefs such as “nobody can defeat my security solution” or “the likelihood that compromise or disaster will hit us is minimal” are responsible for many of our compromises, both the ones that make the press and the ones that people on “the outside” never hear about.

How much of a problem is this?

A significant one.

While billions of dollars go into airline security and border control annually, I believe we face a much larger threat when it comes to the security and redundancy of our infrastructure then we do from someone taking a plane out of the sky or sneaking something across the border.

Much of the knowledge of how to compromise, penetrate, steal from or cause the failure of communications and IT infrastructure is available in the public domain.  We face multiple threats ranging from the seemingly benign example of kids trying to hack into the local high school to get the answers to an upcoming exam up to agencies (including foreign governments) attempting,  sometimes successfully, to penetrate our critical corporate, government and military computer systems.

The head of the National Security Agency recently said we need to pour more resources into beefing up our cyber security, causing many people to cry foul that Big Brother was using this as a guise to exert even more control over us.

While I am wary of how much insight government has into our private matters, this is one area where we must not underestimate the need to invest more into protecting our technology assets.

I once asked a well known US / UK military advisor-turned-journalist how he dealt with his knowledge of our vulnerabilities and this was his reply:

“I try not to stay sober”

Now that’s a sobering thought.

The people in my industry (information and communication technology) need to do a much better job at enhancing the security of the citizens of the world at the personal, corporate, national and global levels.

The people who provide funding and make the go / no-go decisions that enable / restrict the people in my industry need to be better informed about the importance and impact of their decisions in supporting such ventures.

And each of us, while varying in levels of technical savvy, must do our best to hold all of these organizations responsible and accountable to do the best they can.

And we’re a long way from doing the best we can.

Many organizations, private and public, have knowingly or unknowingly created ticking time bombs that will impact all of us.

Acknowledging this is not “sky is falling” pessimism.

Acknowledging it is the only way it gets fixed before we get punished for not taking appropriate action.

This is not pessimism.

It is reality.

Most of us say we would do anything to protect the security of our families, our businesses, our nations and the world.

It is time to prove it … with a sense of urgency and appropriate action commensurate with the threats that exist.

In service and servanthood,

Harry

Addendum – July 12, 2012

This news story (about compromised Yahoo accounts) that broke an hour after I wrote the blog is a reminder of our personal responsibility to ensure the integrity of our personal information on the web.

And then a bank went down …..

I noticed that a Canadian bank, more than 24 hours after the previously noted fire in Calgary, still does not have an online presence as a result of this outage in one building.

Here is what Alberta Treasury Branch customers (both personal and corporate accounts) receive if they go to access their online accounts for bill paying and such (emphasis shown is theirs):

We're Sorry...

The fire at the Shaw Court building in Calgary yesterday caused our banking system to go down.

Overnight we moved our system to a back up location. We are working to resume normal services, and anticipate that it will take us a bit of time.

Meanwhile, ABM, debit cards and MasterCards are available, and our branch staff will also be able to assist customers.

We are currently working to restore ATB Online banking and ATB.com as soon as possible, please check back here or on our ATB Financial Twitter account (@atbfinancial) for updates.

We can not access emails right now, so please call your local branch directly if you have questions or require assistance. Our Customer Care Centre associates (1-800-332-8383) are also available to provide more information. And remember, we never contact you via text or email to ask for your personal or banking information.

© 2011 ATB Financial | All Rights Reserved. TM Trademark of Alberta Treasury Branches. Unauthorized access is prohibited. Usage may be monitored. Please visit our website at www.atb.com

So an electrical fire in one building has derailed the online processing for an entire bank for an entire province.

Not comforting nor an unacceptable architecture, in my opinion.

Addendum – 5:40 PM MDT

I received the following note which I couldn’t help but share :-)

Dear Mr. Tucker,

My name is Dxxxxx and I live in xxxxxxx, Alberta.  I am a customer of ATB and because I am on the road, I need to pay some bills today using their online system and of course I cannot. When RIM went down last October, I had to deal with a lot of angry customers and almost lost one because of my inability to respond quickly to them.  With all the firefighting I had to do with my customers because of RIM, I got some free games from RIM for my trouble.

Since I need to explain to some people why I can’t pay my bills today, do you think that ATB will offer me some free games also?

I guess on days like this you need a sense of humour.

Cheers,

Dxxxxx

Dear Dxxxxx,

I hear that the new Angry Birds is pretty cool and might be appropriate. :-)

Thanks for the note!

Harry

Addendum: July 17, 2012

This little ditty was announced on July 17, 2012.  Info about up to 2.4 million voters may be compromised: Elections Ontario.  Preventable and sadly …. predictable.  We can do better and must do better.

Addendum: August 7, 2012

Here’s how easy one can be compromised.  If we are in the IT industry, we need to demand better of ourselves.  If we are not in IT, we need to demand better from those who are.