>Architecting A Secure Society

>

Once again, we are confronted with the basic security question of how much is the right amount?

It’s a classic catch-22 that requires us to architect security to meet opposing ends: we expect security to be as much as necessary to stop the terrorists, but as little as possible to ensure efficient travel and trade and maintain people’s privacy and equality.

In the last decades, we have behaved schizophrenically, calling for more security every time there is an attempted attack, only to withdraw and demand greater privacy protections, speedier security processing, and only random checks when things cool down.

The Wall Street Journal reported in the January 9-10, 2010 edition that the U.S.’s handling of security nowadays is an ever-losing proposition. The article calls it a virtual game of “Terrorball,” in which we cannot win, because there only two perpetual rules:

· “The game lasts as long as there are terrorists who want to harm Americans; and

· If terrorists should manage to kill or injure or seriously frighten any of us, they win.”

Based on the above, I believe that we can only win the game by changing its rules. Rather than being reactive to every terror scare, we are prepared with one approach—one that delivers an optimal level of security based on the current level of risk.

I recall when Michael Chertoff was Secretary of Homeland Security. During that time, he was a strong advocate for a risk-based approach that was multilayered, strong yet flexible enough to accommodate changing circumstances. From that perspective, which I think made a lot of sense: security decisions are made on the basis of objective criteria. These include technical feasibility, maximum effect, cost-benefit analysis, and so on.

A risk-based approach, or what I call “optimal security,” clearly makes a lot of sense. Yet it is tempting, when a security situation actually occurs, to let emotions get the better of us. On the one extreme, sometimes hysteria takes place and everybody seems a potential threat. Other times, we get angry that anyone at all is subjected to scrutiny or questioning.

In order to save the most lives and change the terror game, we have to decide to become more rational about the threat that faces us. This doesn’t mean being cold and calculating, but rather rational and proactive in developing a security architecture and governance that seeks to protect the most with the least negative impacts—but not trying to plug every possible hole at all costs.

In optimal security: sure, there is the ideal where we want to protect every American from every possible threat. However, there is also the reality where, because of competing priorities and scarce resources (to address everything from the deficit, health care, education, social programs, energy, science, defense, and more) we cannot—no matter how much we genuinely want to—prevent every terror instance.

So the terror playbook can and should be transformed. We can recognize there will always be terrorists—enemies of the state—who want to harm us and given enough attempts, no matter how optimal our security, they will occasionally get a sucker punch in on us—and we must be prepared for this. Moreover, rather than “freaking out” about this the terror threat, we can grow and commit to doing the best we can and accepting that we will increase security when information is there to support that need, and we will relax when that becomes possible.

Bottom line: We must move away from hysteria and any other factor that prevents us from being objective and make rational choices to deploy protections that are most effective and simultaneously safeguard our liberty.

“Life, liberty and the pursuit of happiness” captures the security debate well. We want to safeguard lives, but at the same ensure liberty and we want to be happy and not afraid all the time.

To accomplish this balance, our optimal security realization should be based on highly effective intelligence, supported by the very best technology, and a security platform that adjusts to threats in real time.

While our intelligence continues to strengthen and our technology continues to improve, the greatest challenge is our ability as a nation and as individual human beings to cope with the distress caused by terrorism.

We are ambivalent emotionally about the threat and what needs to be done to combat it. However, once we look inside and understand the emotions that this issue raises, and come to terms with reality we face, we will as a nation be more at peace and less likely to jump from one extreme to another in terms of our demands and expectations from those who protect us every day.

>What Hollywood Can Teach Us About Fighting Terrorism

>

U.S. law enforcement officials have thwarted about two dozen known terrorist plots since 9/11 and there are probably lots more that haven’t made the papers. Some of them, like this month’s “Underwear Bomber” have nicknames, like the “Shoe Bomber” (2002), the “Lackawanna Six,” (same year), and the “Virginia Jihad” (2003). Others are known by geographical location, such as Fort Dix (2007) and the foiled plot against synagogues in the Bronx (2009). But one thing they all have in common is their determination to threaten and even destroy our freedom and way of life.

As a person who is deeply dedicated to America’s safety and security, both personally and professionally, I worry about the rise of terrorism that has sprung up in the past few decades. Terrorists are relentlessly determined to destroy our lives even if it means taking their own lives to do it. But what is even more frightening is that despite all the actions we have taken to fight terrorism, our culture remains deeply reactive. Can we really stay one step ahead and lucky forever?

The best example of our relative complacency in the face of a deadly threat is the policy of taking off our shoes for screening only after the case of the Shoe Bomber came to light. Now again, we waited for an Underwear Bomber before talking seriously and publicly about full body screening for all?

There is a saying that you can’t drive a car by looking in the rearview mirror, but unfortunately that seems to be the way our culture approaches the fight against terrorism. The focus should not be on stopping the last threat, but on anticipating and countering the future threat before it ever materializes.

To do this, we need to think like the bad guys do as well as conduct more exercises to expose our own security weaknesses (red teaming), rather than be surprised when the terrorists find our next Achilles heel.

In the particular case of the Underwear Bomber, it was particularly shocking that we knew this person was a threat. His own father warned us, yet we didn’t put him on the terrorist watch list or revoke his visa (as the British did). And just today I read that this individual told investigators there are literally hundreds more just like him, all waiting to strike.

Think about that for a second. There are seemingly endless terrorists out there, and they can have a 99% failure rate and still be “successful.” Yet U.S. and global law enforcement can’t fail at all—not even once—without dire and deadly consequences on a massive scale.

However, instead of gripping that unbelievable reality and treating it as the dire situation it is, there is actually talk about “rehabilitating” the terrorists. As if we have succeeded at rehabilitating “normal” criminals…now we are going to try and “deprogram” people who are religiously “inspired” to commit their diabolical deeds?

To adequately manage the new reality we face today, we must not only stay ahead of known threats, but also proactively envision new potential attack scenarios, prepare for them, and thwart them before they become potentially lethal.

A great place to start would be Hollywood; our entertainment industry has done a pretty good job of imaginatively exposing potential attack scenarios—in dozens of films from Air Force One to The Sum of All Fears, Executive Decision to The Peacemaker, and Arlington Road to The Siege, and many more.

There are also television shows like 24, with now seven seasons and counting, that keep Americans riveted to their seats week after week with terrorism plots that play out before our very eyes. We seem to generally view these as serious threats that are possible in our time.

I respect the President for openly acknowledging the “systematic failure,” but it is going to take all of us to commit and follow through with ongoing security measures. It is not a one month or one year event (or even an 8 year event post 9/11), but rather a complete new security mindset that stays with us always.

We can and should learn from the visionary talent in our vibrant entertainment industry and from wherever else they may reside, and adopt creative and proactive thinking about terrorism and make this a regular part of our security culture. I understand that there are many forces at play here, and that most of us are not privy to some of the more sophisticated ways that we fight terrorism every day. But what I am talking about is our collective, public culture, which still seems to shrug off the seriousness of threats against us. For example, just today, I saw a sign in an airport that directed wheelchairs through security screening. It seemed almost an invitation to sew explosives into a wheelchair (although I understand that these are actually screened).

I have the deepest respect for the men and women who serve to protect us every day. But as a culture, it is long past time to wake up. We don’t have the luxury of collective denial anymore. We must embrace security as a fact of life, fully and in an ongoing manner.

Further, as we approach 2010, let us resolve to learn from the most imaginative people in our society about how we may think out of the box when it comes to combating terrorism.

In the real world, we must act now to quickly deploy new, more advanced screening technologies to our airports, marine ports, and border crossings, and employ our most creative minds to “outwit, outplay, and outlast” the terrorists who plot against us—whether in their shoes, their underwear, or wherever else their evil schemes might lead them.

>Let’s Not Understate the Cyber Threat

>

Wow. I read with some surprise and consternation an article in Government Computer News, 4 December 2009. In this article, the author portrays the fears of a “digital Pearl Harbor” or overwhelming cyber attack on the United States as overblown—almost as if it’s of no real possibility or significant impact. In short, the article states:

“What good would it do an attacker to take down the vital U.S. networks? While the damage to this country could be great, the benefit to an attack would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action.”

While, I agree that a coordinated attack is obviously more dangerous than a cyber attack alone, the threat and potential damage of a cyber attack could potentially be devastating—with or without military action.

Let’s think for a second about how the military traditionally projects force around the world through conventional warfare—taking control of the air, land, and sea. Control the sea-lanes and you have power over 90%+ of international commerce. Control the land and you have power over people’s daily lives—including their ability to satisfy even basic needs for food, clothing, and shelter, their personal safety, and even their ability to govern themselves. Control the air and you control freedom of movement on the ground, people’s basic comings and goings. Traditional military power can affect just about every facet of people’s lives including ultimately the taking of life itself i.e. paying “the ultimate price.”

Now think for a second, about what a massive cyber attack could potentially do to us. At this stage in history, we have to ask ourselves not what elements could be affected by cyber attack, but what elements of our lives would not be impacted? This is the case since virtually our entire civil and elements of the military infrastructure are dependent on the Internet and the computers that are connected to them. If you “pull the plug” or corrupt the interconnected systems, “watch out” seems apropos.

The same areas that are vulnerable to traditional military attack are threatened by cyber attack: Commerce, Energy, Transportation, Finance, Health, Agriculture, (Defense)…are all deeply interwoven and dependent on our interconnected computer systems—and this is the case more and more.

Think e-Commerce, online banking and finance, manufacturing production systems, transportation systems, food production and safety, the energy grid, electronic health records, C4ISR, and so on.

While thank G-d, we have been spared a really devastating attack to date (if you exclude the massive data compromised/stolen in recent cyber attacks), we would be derelict in responsibilities for ensuring safety and security if we thought that was it.

Further, while unpleasant as it may be, we should consider the impact in terms of potential for physical harm or loss of life in the event of a serious cyber attack?

While many brush aside this possibility, there is certainly the potential. Even putting aside the potential public panic/chaos and ensuing loss of life and property that could occur in a serious attack, how about just taking out a single, major facility—like a dam, power plant, reservoir, electrical hub, transportation system, and so on. This is an important focus of efforts to ensure critical infrastructure protection, a public-private sector partnership initiative.

Rep. Lamar Smith, R-Texas said “Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.”

Sure, a severe and consequential attack would require ample skills, knowhow, resources, and sophistication—it is no small feat—but with the hosts of cyber criminals, terrorists, and hostile nation states out there increasingly trying to hack our systems, there is valid cause for concern.

This recognition of what’s possible does not mean it is probable or imminent. However, the awareness and understanding of our increasing dependence on the Internet and related systems and the acknowledgement that there are those out there—as in 9-11—who seek to do our country harm, should not blind us with fear, but rather spark us to constructively deal with the challenge and take proactive actions to secure the ever expanding realm of cyberspace.

The Executive Summary in the CyberSpace Policy Review that was conducted by the White House in 2009 sums it up, this way:

“The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.”

We should not and cannot understate the possible threats against our nation, but rather we need to act responsibility and rationality, with resolve to protect our nation, before and not only after. As the CyberSpace Policy Review states:

“The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously.”

Fortunately, our nation has recognized the potential threat and is acting, as Security Focus reported on June 24, 2009: “The U.S. Secretary of Defense ordered the military to create a unified command to act as the nation’s central hub for cyber capabilities and commanded the Pentagon to develop a policy framework for cyberspace operations.”

On a personal note, I am grateful for the many good, hardworking people in our military, civilian and private sector that are working to secure cyberspace for us, and believe we need to do this with vigor and resolve. It’s necessary in order to safeguard our future that is ever reliant on technology.

>Realistic Optimism and Enterprise Architecture

>

Optimism can be a key to success in your personal and professional life!

The Wall Street Journal reported in Nov. 2007 that optimism leads to action and that “if even half the time our actions work out well, our life is going to turn out for the better…if you are a pessimist, you are unlikely to even try,” says Dr. Phelps an NYU neuroscientist. Similarly, Dr. Martin Seligman of the University of Pennsylvania observes that “optimists tend to do better in life than their talents alone may suggest.”

So while optimism is often “derided as a naïve, soft-soap disposition that distorts the realities of life,” Duke University researchers found that optimists actually lead more productive and by some measures, successful lives. For example, they found that optimists “worked longer hours every week, expected to retire later in life, were less likely to smoke and, when they divorced, were more likely to remarry. They also saved more, had more of their wealth in liquid assets, invested more in individual stocks, and paid credit-card debt bills more frequently.”

At the same time, overly optimistic people behaved in a counter-productive or destructive fashion. “They overestimated their own likely lifespan by 20 years or more…they squandered, they postponed bill paying. Instead of taking the long view, they barely looked past tomorrow.”

Overall though, “the influence of optimism on human behavior is so pervasive that it must have survival value, researchers speculate, and may give us the ability to act in the face of uncertain odds.”

Optimism coupled with a healthy dose of realism is the best way to develop and maintain the organization’s enterprise architecture plans and governance. Optimism leads the organization to “march on” and take prudent action. At the same time, realism keeps the enterprise from making stupid mistakes. An EA that is grounded in “realistic optimism” provides for better, sounder IT investments. Those investments proactively meet business requirements, but are not reliant on bleeding-edge technologies that are overly risky, potentially harmful to mission execution, and wasteful of valuable corporate resources.

>What Not to Tell Your Boss and Enterprise Architecture

>

ComputerWorld Magazine, 20 June 2008, tells us five things you don’t want to tell the CIO and which I believe tracks closely with the enterprise architecture function and goals, as follows:

  1. “All about the technology — and nothing about the business”—just like enterprise architecture is about business driving technology, rather than doing technology for technology’s sake, so too the CIO is interested in aligning business and technology. So don’t just go to the CIO talking technology solutions unless you have a clear understanding and can articulate the business requirements.
  2. “There’s only one solution”—in enterprise architecture and IT governance, we validate requirements against the architecture—the baseline, the target, and the transition plan. It is especially important to check if there are existing systems, products, and standard that can be used to meet user requirements, rather than building or acquiring something from scratch. There is rarely only a single technology solution for a business problem. Therefore, we need to evaluate the proposed new IT investment in terms of the return on investment, risk management, strategic business alignment, and technical compliance. Additionally, we need to review the analysis of alternatives to make sure we are effectively managing our scarce IT resources.
  3. “Bad opinions about your colleagues”—EA planning and governance makes information transparent and enables better decision making. With EA information, vetting of IT investment and collaborative decision making, there is no need to point fingers at each other over failed IT projects. Instead, through sharing information and bringing IT project stakeholders together, we all have input into the decision process and share the project risk.
  4. “There’s no way”—With enterprise architecture, rather than say there’s no way to achieve enterprise goals or overcome technical challenges, we develop a target and plan for how we will do it. No, the goals are not achieved overnight, but rather by following a meticulous and vetted plan, usually over a period of three to five years, we can transform the enterprise.
  5. A surprise”—Bosses don’t like surprises. In a professional setting, we usually like rational thinking, process, structure, and planning, so that we can effectively deal with the chaotic world out there. EA planning and structured governance helps the organization stay on course and not get surprised or thrown. The planning process itself involves looking at our strengths, weaknesses, opportunities, and threats, and makes us more self-aware and proactive as an organization, so there are less surprises waiting to ambush us.

EA helps us to NOT have to tell our boss, the CIO, things he doesn’t want to hear, because we are proactive in our approach to planning and governance.